But how can I make sure that NTLM(SSP) will never be used??

I’ve set up Samba with SSSD and everything works fine... except for a few Windows machines which every now and then happen to send NTLM authentication flags to the Samba server, which happily forwards them. And then the authentication fails because SSSD doesn’t support NTLM.

I’ve tried all sorts of parameter combinations in smb.conf, but I didn’t find a way to completely refuse NTLM authentication on the Samba server, and force the client to use another authentication method (Kerberos).