Deprecation is different from removal. Microsoft phases out technologies incrementally. Impact will differ depending on context.
Ending the use of NTLM has been a huge ask from our security community as it will strengthen authentication. NTLM is being deprecated, meaning that, while supported, it is no longer under active feature development.
Active Directory:
- A lot of AD domains will keep NTLM auth on SMB servers available for some time to come. Kerberos authentication is already used by default when SMB clients communicate with TrueNAS. New AD domains deployed with NTLM disabled will probably face many interesting challenges related to legacy devices that only support NTLM auth. NTLM authentication is basically passed from file server to domain controller and if it’s not supported there, then authentication will fail. That said, this is a kind of normal situation for administrators to deal with. Admins should be taking active steps to track down what devices and clients are using NTLM authentication and replace / fix them.
LDAP:
- Legacy Samba schema. We are removing support for this starting in 24.10 (Electric Eel). Admins will have to migrate to either FreeIPA or Active Directory. This is a more immediate concern for TrueNAS users who have ignored our UI warnings for the past two to three years.
Admins in this situation should plan on migration within the next 12 months or so.
Local user accounts:
- There are ongoing upstream efforts in respective communities. We will incorporate IAKERB + local KDC as it becomes available, but there is nothing to be overly concerned about for the moment. Once again, deprecation is not the same as removal of support.
In general terms, this will be no different than other cases where we have handled deprecation of legacy technologies. Eventually, once local Kerberos authentication is fully validated and has been through a few release cycles, we will turn off NTLM authentication for local accounts by default (like we did with NTLMv1 and SMB1).
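One way to act on the advice above about tracking down which clients still use NTLM, as an added example that is not part of the original post and not TrueNAS or Samba code: a small Python script that tallies NTLM versus Kerberos logons from Samba's JSON authentication audit messages. The log line layout, the field names (`type`, `passwordType`, `authType`, `workstation`) and the sample lines are assumptions based on Samba's auth audit format; check them against what your Samba version actually emits.

```python
"""Tally which SMB clients still authenticate with NTLM, from Samba's
JSON auth-audit log messages. Added example, not TrueNAS/Samba code.

Assumed format (verify against your Samba version): each audit line ends
in a JSON object whose "type" is "Authentication" (password logon, with
Authentication.passwordType such as "NTLMv1"/"NTLMv2") or "Authorization"
(session set up, with Authorization.authType such as "krb5"/"NTLMSSP")."""
import json
import re
from collections import Counter, defaultdict

# Constructed sample lines for this example, not real log output.
SAMPLE_LOG = r'''
[2024/06/01 10:00:01.000, 3] ../../auth/auth_log.c: JSON Authentication: {"timestamp": "2024-06-01T10:00:01.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.51:50123", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "EXAMPLE", "clientAccount": "scanner01", "workstation": "MFP-LOBBY", "passwordType": "NTLMv1"}}
[2024/06/01 10:00:05.000, 3] ../../auth/auth_log.c: JSON Authentication: {"timestamp": "2024-06-01T10:00:05.000000+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.77:49200", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "EXAMPLE", "clientAccount": "jdoe", "workstation": "LAPTOP-22", "passwordType": "NTLMv2"}}
[2024/06/01 10:00:09.000, 3] ../../auth/auth_log.c: JSON Authorization: {"timestamp": "2024-06-01T10:00:09.000000+0000", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.80:51000", "serviceDescription": "SMB2", "authType": "krb5", "domain": "EXAMPLE", "account": "asmith", "transportProtection": "SEAL"}}
'''

JSON_TAIL = re.compile(r"\{.*\}$")  # the JSON object at the end of a line


def parse_auth_records(log_text):
    """Extract (client, account, mechanism) from each audit line."""
    records = []
    for line in log_text.splitlines():
        match = JSON_TAIL.search(line)
        if not match:
            continue  # not an audit line (or truncated)
        try:
            obj = json.loads(match.group(0))
        except json.JSONDecodeError:
            continue
        kind = obj.get("type")
        body = obj.get(kind, {})
        if kind == "Authentication":
            mech = body.get("passwordType")  # NTLMv1 / NTLMv2 / ...
        elif kind == "Authorization":
            mech = body.get("authType")  # krb5 / NTLMSSP / ...
        else:
            continue
        records.append({
            # Authorization records carry no workstation; fall back to address.
            "client": body.get("workstation") or body.get("remoteAddress"),
            "account": body.get("clientAccount") or body.get("account"),
            "mech": mech,
        })
    return records


def ntlm_clients(records):
    """Map client -> Counter of NTLM flavours seen; Kerberos is left out."""
    summary = defaultdict(Counter)
    for rec in records:
        if rec["mech"] and rec["mech"].upper().startswith("NTLM"):
            summary[rec["client"]][rec["mech"]] += 1
    return dict(summary)


if __name__ == "__main__":
    for client, mechs in ntlm_clients(parse_auth_records(SAMPLE_LOG)).items():
        print(client, dict(mechs))
```

Failed NTLM attempts are counted too, since a client that tries NTLM and fails still needs fixing before NTLM is switched off.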