LM Compatibility Level

Andrew Bartlett abartlet at samba.org
Thu May 22 06:58:55 GMT 2008


On Wed, 2008-05-21 at 10:25 -0700, John Ackart wrote:
> A quote from this article:
> http://technet2.microsoft.com/windowsserver/en/library/878d2bbf-fa00-4e5a-bd63-781d17cdd3471033.mspx?mfr=true
> 
> suggests that you can set LM compatibility level to 4 just for the IAS 
> server. Specifically, the article says:
> 
> "Servers running IAS (or RADIUS) and Routing and Remote Access use 
> NTLMv1 to authenticate their clients' domain credentials. This means 
> domain controllers that need to authenticate those clients cannot be 
> configured to accept only NTLMv2 authentication. However, starting with 
> Windows Server 2003 SP1, it is possible for a domain controller to 
> accept NTLMv1 from servers running IAS and remote access service but 
> NTLMv2-only for all other authentication requests."
> 
> Does anyone know the mechanism used to achieve this?

The machine running winbind (and passing along NTLMv1 requests as
NTLMv2) must additionally specify a bit in the SamLogon request to the
DC. 

This is documented in the WSPP docs (somewhere - I did find it!).

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
