Windows clients support all three, as do recent Linux kernels. I don't know of any modern client that does not support NTLMv2, although Kerberos is slightly less common.
The major difference between NTLM and Kerberos is:
NTLM is a challenge-response mechanism that works with just passwords. So it can be used between any two hosts as long as the client knows the password that the server wants.
Kerberos is ticket-based; the client gets a login ticket from a central KDC and presents it to the server. This needs a Kerberos realm to be set up – in case of CIFS it's usually an Active Directory domain – and the realm's KDC hosted somewhere.
(Mac OS X – which used to prefer the AFP protocol over CIFS – actually manages to use Kerberos between two peers, using autogenerated realm names, but neither Windows nor Linux supports the same.)
However:
The security of NTLM version 1 is very close to that of just sending the password in plain. NTLMv2 improves this somewhat, although I'm not sure how much.
Meanwhile, Kerberos 5 is considered very secure, and is used by Active Directory, FreeIPA, and various other Unix directory service software.
Unfortunately, Kerberos takes some time to set up, and Windows clients only support it properly (i.e. without spending 3 days) when both the client and server belong to an AD domain.
So you will have to choose NTLMv2 for now. It's what standalone Windows machines use by default, anyway. (The default in modern Linux kernels is sec=ntlmssp; I am not entirely sure how it differs from ntlmv2, though I know the differences do not have any security impact.)
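The password-only challenge-response exchange described above for NTLM, sketched for NTLMv2 with both the client and server side. This is an added example, not part of the original answer. It assumes a constructed 16-byte NT hash instead of deriving it from a password (MD4 is often missing from hashlib), a simplified client blob with empty target info, and hypothetical function names.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed sample value standing in for the stored NT hash of the account.
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE).
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def make_blob(client_challenge: bytes, target_info: bytes = b"") -> bytes:
    # Simplified client blob: version, reserved, FILETIME timestamp, client nonce, target info.
    filetime = int((time.time() + 11644473600) * 10_000_000)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)

def client_response(nt_hash, user, domain, server_challenge, blob=None) -> bytes:
    # The client proves knowledge of the hash without sending it:
    # NTProofStr = HMAC-MD5(NTOWFv2, server_challenge + blob), sent together with the blob.
    blob = blob or make_blob(os.urandom(8))
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest() + blob

def server_verify(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    # The server recomputes the proof from its own copy of the hash; no KDC is involved.
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

def demo() -> dict:
    challenge = os.urandom(8)                      # server -> client
    good = client_response(SAMPLE_NT_HASH, "alice", "WORKGROUP", challenge)
    bad = client_response(bytes(16), "alice", "WORKGROUP", challenge)
    return {
        "valid": server_verify(SAMPLE_NT_HASH, "alice", "WORKGROUP", challenge, good),
        "wrong_password": server_verify(SAMPLE_NT_HASH, "alice", "WORKGROUP", challenge, bad),
        # A captured response does not verify against a fresh server challenge.
        "replayed": server_verify(SAMPLE_NT_HASH, "alice", "WORKGROUP", os.urandom(8), good),
    }

if __name__ == "__main__":
    print(demo())
```
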