Impact on SMB sharing - what happens when Microsoft removes NTLM completely?

I’m a home user and although I’m a little late to reading the news on it, I’m just wondering what might be involved in future when Microsoft follows through and completely removes NTLM support from Windows clients.

I know TrueNAS supports Kerberos already, but it looks a lot more complex and IMO a bit intimidating for someone who has never touched Active Directory or similar systems before.

Are there plans for TrueNAS to make Kerberos more ‘turn key friendly’ for people with simple SMB file sharing needs like me?

If this is NTLM v1 that is turned off by default in Windows / TrueNAS, etc. then I say good riddance.

I maintain an SMB server with NTLM here just for my Sonos system, since Sonos never upgraded the network stack beyond SMB1 despite being offered help by the official MS Samba team. So a Pi hosts that content while my NAS uses SMB2+.

You really do not want to enable SMB1 on your TrueNAS unless you are absolutely certain that no one in your home network may be doing something naughty. Since NTLM / SMB1 are global settings, enabling them will weaken the security of every SMB share on your NAS.

I would not do that if you care about your data.

I use NTLM v2 and the minimum SMB level on my network is SMB2, although all the devices I care about can use SMB3.

NTLM in its entirety (v1 and v2) has been officially deprecated.

All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows.

Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary.

After reading a bit more, it looks like NTLM will still be available as a fallback when Negotiate/Kerberos isn’t available, but who knows how long the fallback feature will remain.

It’s not like the writing hasn’t been on the wall for a very long time. The only reason that NTLM v1 was not banned a long time ago was all the IoT and similar devices implementing a minimal SMB stack.

While iXsystems has NTLM V1 / SMB1 turned off by default, it can be enabled - likely to satisfy that itch despite the known issues.

MS transitioned two decades ago to Kerberos and the servers will still allow NTLM for the time being as a fallback despite all the documented relay attack issues.

It is entirely likely that some NTLM-dependent cruft is still floating around enterprises and government installations but I’d hope it would be minimal by now.


Deprecation is different from removal. Microsoft phases out technologies incrementally. Impact will differ depending on context.

Ending the use of NTLM has been a huge ask from our security community as it will strengthen authentication. NTLM is being deprecated, meaning that, while supported, it is no longer under active feature development.

Active Directory:

  • A lot of AD domains will keep NTLM auth on SMB servers available for some time to come. Kerberos authentication is already used by default when SMB clients communicate with TrueNAS. New AD domains deployed with NTLM disabled will probably face many interesting challenges related to legacy devices that only support NTLM auth. NTLM authentication is basically passed from file server to domain controller and if it’s not supported there, then authentication will fail. That said, this is a kind of normal situation for administrators to deal with. Admins should be taking active steps to track down what devices and clients are using NTLM authentication and replace / fix them.

LDAP:

  • Legacy Samba schema. We are removing support for this starting in 24.10 (Electric Eel). Admins will have to migrate to either FreeIPA or Active Directory. This is a more immediate concern for TrueNAS users who have ignored our UI warnings for the past two to three years 🙂 Admins in this situation should plan on migration within the next 12 months or so.

Local user accounts:

  • There are ongoing upstream efforts in respective communities. We will incorporate IAKERB + local KDC as it becomes available, but there is nothing to be overly concerned about for the moment. Once again, deprecation is not the same as removal of support.

In general terms, this will be no different than other cases where we have handled deprecation of legacy technologies. Eventually, once local Kerberos authentication is fully validated and has been through a few release cycles, we will turn off NTLM authentication for local accounts by default (like we did with NTLMv1 and SMB1).

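One concrete way to do the inventory the post above recommends (tracking down which clients still authenticate with NTLM before the fallback disappears), as an added example that is not from the original thread or from iXsystems: a small Python script that scans Windows Security event 4624 (successful logon) records exported as text and reports, per account and source host, which ones still use NTLM and which NTLM version. The sample records are constructed and follow the standard 4624 message field names; the `=====` separator between records is an assumption about how the export was written.

```python
import re

# Constructed sample of Windows Security 4624 (logon) records as exported from the
# event log (e.g. with Get-WinEvent); records are assumed to be separated by '====='.
SAMPLE_EVENTS = """\
Logon Type: 3
Account Name: alice
Workstation Name: DESKTOP-A
Source Network Address: 192.0.2.10
Authentication Package: Kerberos
Package Name (NTLM only): -
=====
Logon Type: 3
Account Name: sonos-share
Workstation Name: PI-SMB
Source Network Address: 192.0.2.20
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
=====
Logon Type: 3
Account Name: bob
Workstation Name: LAPTOP-B
Source Network Address: 192.0.2.30
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
"""

FIELD = re.compile(r"^\s*(Logon Type|Account Name|Workstation Name|Source Network Address|"
                   r"Authentication Package|Package Name \(NTLM only\)):\s*(.*)$", re.M)

def parse_events(text):
    """Split the export on '=====' and keep only the fields needed for the inventory."""
    records = [{k: v.strip() for k, v in FIELD.findall(chunk)} for chunk in text.split("=====")]
    return [r for r in records if "Authentication Package" in r]

def ntlm_inventory(text):
    """Map (account, source address, workstation) -> NTLM version for every network
    logon (type 3, which is what SMB produces) that did not authenticate with Kerberos."""
    found = {}
    for r in parse_events(text):
        if r.get("Logon Type") != "3" or r["Authentication Package"].upper() == "KERBEROS":
            continue
        key = (r.get("Account Name", "?"), r.get("Source Network Address", "?"),
               r.get("Workstation Name", "?"))
        found[key] = r.get("Package Name (NTLM only)", r["Authentication Package"])
    return found

def legacy_first(inventory):
    """Order the NTLM users so LM/NTLMv1 clients (the weakest, fix these first) come first."""
    return sorted(inventory.items(), key=lambda kv: (kv[1].upper() not in ("LM", "NTLM V1"), kv[0]))
```

Run `legacy_first(ntlm_inventory(SAMPLE_EVENTS))` to get the prioritised list; Kerberos logons such as alice's are dropped, the NTLMv1 Sonos share comes first, and bob's NTLMv2 logon follows.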

Thanks for the clarification. That gives me (and others I’m sure) peace of mind.