[jcifs] Re: NTLM HTTP Filter Does Not Work With SMB Signing

Richard Caper rcaper at gmail.com
Fri Jun 2 19:21:27 GMT 2006


(please reply-all to the list to aid in troubleshooting)

If they are being reset it is probably pushed out via a policy
(likewise with lmcompatibility).  Try setting the values, closing
regedit, and going back in to view them.

Not sure why it seems to be working on your box; I can attest that it
does not work with these settings in our environment.  Here are more
details:

http://lists.samba.org/archive/jcifs/2004-August/003947.html

If you make the jcifs patch you would still need to tweak the
lmcompatibility registry (as with lmcompatibility < 3 it uses NTLMv1,
and the flag changes the responses in a way incompatible with jcifs...
"NTLM2 session response" apparently).  But with lmcompatibility 3+ it
uses full NTLMv2, which jcifs has LMv2 compatibility with.

Try seeing if you can zero out or delete
NtlmMinClientSec/NtlmMinServerSec on someone else's box and if you are
able to access it.

On 6/2/06, Dane Henry <danehenry at gmail.com> wrote:
> Setting the 2 values to 0 didn't do anything, but I think it should be noted
> that when I restarted the machine, the values were reset to what I
> previously wrote. I re-set them to 0 and did it again, still to no avail.
> Right now, my lmcompatibility is set to 1. I've tried modifying that in the
> past only to have it do the same thing that it did to NtlmMinClientSec and
> NtlmMinServerSec.
>
> So should I then modify the getDefaultFlags method in
> jcifs.ntlmssp.Type2Message?
>
> Thanks for all your help and quick replies.
>
> Dane
>
>
> On 6/2/06, Richard Caper <rcaper at gmail.com> wrote:
> > On 6/2/06, Dane Henry <danehenry at gmail.com> wrote:
> > > Both of the values are: 0x20080030 (537395248)
> > >
> > >
> >
> > I can almost guarantee this is the issue.  This is documented here:
> >
> > http://technet2.microsoft.com/WindowsServer/en/Library/42986e7d-3468-4000-aed0-2fe1bc94548d1033.mspx
> >
> > This means your client requires that NTLM negotiates 128-bit
> > encryption, NTLMv2 session security, confidentiality, and integrity.
> > Try setting those values to 0x00000000 and try again.  If it works,
> > this is your issue.
> >
> > In that case you will probably need to change this on all of your
> > clients.  If this is not possible, you can modify the getDefaultFlags
> > method in jcifs.ntlmssp.Type2Message and add the following at the end
> > (right before the "return flags"):
> >
> >     flags |= NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL |
> >             NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_NTLM2;
> >
> > This will cause jCIFS to indicate to the browser that it supports
> > these options.  However, with the NTLMv2 flag set (0x00080000) you may
> > still need to tweak another registry setting to actually get this to
> > work:
> >
> > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel
> >
> >
> > What is that set to on your machine?
> >
>
>
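
The bit arithmetic behind the thread, as an added example that is not part of the original messages or of jCIFS: it decodes the NtlmMinClientSec value 0x20080030 reported above into the four flags named in the suggested patch line and shows which required bits a Type 2 message fails to offer before and after those flags are OR-ed in. The class name, the `describe` and `missing` helpers, and the 0x00000201 "unpatched" flag word are assumptions made for illustration; the constants are defined locally rather than taken from jCIFS.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

public class NtlmMinSecCheck {
    // NTLMSSP negotiate flag values, named as in the patch line quoted in the thread.
    static final int NTLMSSP_NEGOTIATE_SIGN  = 0x00000010; // integrity
    static final int NTLMSSP_NEGOTIATE_SEAL  = 0x00000020; // confidentiality
    static final int NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000; // NTLMv2 session security
    static final int NTLMSSP_NEGOTIATE_128   = 0x20000000; // 128-bit encryption

    static final Map<String, Integer> NAMES = new LinkedHashMap<>();
    static {
        NAMES.put("NTLMSSP_NEGOTIATE_SIGN", NTLMSSP_NEGOTIATE_SIGN);
        NAMES.put("NTLMSSP_NEGOTIATE_SEAL", NTLMSSP_NEGOTIATE_SEAL);
        NAMES.put("NTLMSSP_NEGOTIATE_NTLM2", NTLMSSP_NEGOTIATE_NTLM2);
        NAMES.put("NTLMSSP_NEGOTIATE_128", NTLMSSP_NEGOTIATE_128);
    }

    // Names of the known bits set in flags; any other set bits are shown as hex.
    static String describe(int flags) {
        StringJoiner out = new StringJoiner(" | ");
        int rest = flags;
        for (Map.Entry<String, Integer> e : NAMES.entrySet()) {
            if ((flags & e.getValue()) != 0) {
                out.add(e.getKey());
                rest &= ~e.getValue();
            }
        }
        if (rest != 0) out.add(String.format("0x%08X", rest));
        return out.length() == 0 ? "(none)" : out.toString();
    }

    // Bits the client's minimum requires that the Type 2 message does not offer.
    static int missing(int minClientSec, int type2Flags) {
        return minClientSec & ~type2Flags;
    }

    public static void main(String[] args) {
        int minClientSec = 0x20080030; // NtlmMinClientSec value reported in the thread
        int unpatched = 0x00000201;    // constructed Type 2 flags (UNICODE | NTLM), not jCIFS's actual default
        int patched = unpatched | NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL
                | NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_NTLM2;
        System.out.println("required:       " + describe(minClientSec));
        System.out.println("missing before: " + describe(missing(minClientSec, unpatched)));
        System.out.println("missing after:  " + describe(missing(minClientSec, patched)));
    }
}
```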

