NTLMv2 in NTLMSSP does not work

Andrew Bartlett abartlet at samba.org
Mon May 19 00:32:54 GMT 2003


On Sat, 2003-05-17 at 10:06, Chere Zhou wrote:
> Hi, Andrew & Samba Team,
> 
> I remember you know a lot about NTLMSSP and NTLMv2.  It does not seem to work 
> looking at the network trace.  I thought NTLMv2 is supported.  

On its own, it is supported :-)

> I have Samba 3.0 joined a win2k domain, and a client WinXP box configured to 
> do NTLMv2 only.   
> 
> Ok, here is how it goes.  I set on the XP client
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
> "lmcompatibilitylevel"=dword:00000003
> I can successfully connect to a samba share.  However, looking at the network 
> trace, it goes like
> 	client say: ntlm=1, ntlmv2=1, etc...
> 	server:      ntlm=1, ntlmv2=0, ntlm challenge = blah
> 	client say:  ntlm=1, ntlmv2=0, security blob = blah
> 	server:       success.
> 
> If I also set on the XP client 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
> "NtlmMinClientSec"=dword:00080000
> which means "the connection does not succeed if NTLM 2 session security is 
> not negotiated" according to Microsoft kb239869, I got 'the network request 
> is not supported.' at the XP client.  Network trace looks like
> 	client say: ntlm=1, ntlmv2=1, etc...
> 	server:      ntlm=1, ntlmv2=0, ntlm challenge = blah
> 	client say:  ntlm=1, ntlmv2=1, 
> 	server:       ntlm=1, ntlmv2=0, ntlm challenge = blah
> Then the client just gives back the not supported error.
> 
> I can provide the actual traces to whoever wants to have a look.  Joining an 
> ADS or NT4 domain does not make a difference.  I need this to work.  If you 
> do not have time to do this, please give me a hint of where to look.  Thanks 
> a lot.

I've not had a chance to look at this - but I suspect it's the NTLMv2
session security that's causing the problem.  This might imply SMB
signing, which we don't support. In particular, we know very little
about the NTLMSSP variant of SMB signing :-(

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
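
For checking a trace like the one quoted above, this added example (not part of the thread and not Samba's code) reads the negotiate flags out of raw NTLMSSP tokens and reports whether the server's challenge cleared the NTLM2 session security bit the client offered. It assumes the trace's "ntlm" and "ntlmv2" fields are the 0x00000200 and 0x00080000 flag bits; the function names and sample tokens are constructed for illustration.

```python
import struct

# NegotiateFlags bits defined for NTLMSSP (see MS-NLMP).
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_NTLM2 = 0x00080000  # NTLM2 / extended session security

# Byte offset of the NegotiateFlags field in each message type.
FLAG_OFFSET = {1: 12, 2: 20, 3: 60}


def parse_flags(token):
    """Return (message_type, flags) for a raw NTLMSSP token."""
    if len(token) < 12 or token[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", token, 8)
    if mtype not in FLAG_OFFSET:
        raise ValueError("unknown NTLMSSP message type %d" % mtype)
    offset = FLAG_OFFSET[mtype]
    if len(token) < offset + 4:
        raise ValueError("message too short to carry flags")
    (flags,) = struct.unpack_from("<I", token, offset)
    return mtype, flags


def summarize(token):
    """Decode the two bits shown in the trace from the thread."""
    mtype, flags = parse_flags(token)
    return {
        "type": mtype,
        "ntlm": bool(flags & NEGOTIATE_NTLM),
        "ntlm2": bool(flags & NEGOTIATE_NTLM2),
    }


def server_dropped_ntlm2(negotiate, challenge):
    """True if the client offered NTLM2 and the server's challenge cleared it."""
    t1, offered = parse_flags(negotiate)
    t2, chosen = parse_flags(challenge)
    if (t1, t2) != (1, 2):
        raise ValueError("expected a Type 1 followed by a Type 2 message")
    return bool(offered & NEGOTIATE_NTLM2) and not chosen & NEGOTIATE_NTLM2


# Constructed sample tokens (not taken from a real capture).
SIG = b"NTLMSSP\x00"
TYPE1 = SIG + struct.pack("<II", 1, NEGOTIATE_NTLM | NEGOTIATE_NTLM2) + bytes(16)
TYPE2 = (SIG + struct.pack("<I", 2) + bytes(8) + struct.pack("<I", NEGOTIATE_NTLM)
         + bytes.fromhex("0123456789abcdef") + bytes(8))
```

With the constructed tokens, `server_dropped_ntlm2(TYPE1, TYPE2)` returns `True`, the same pattern as the first two lines of each trace in the quoted message.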