NTLMv2 in NTLMSSP does not work

Chere Zhou qzhou at isilon.com
Mon May 19 18:22:05 GMT 2003


Then how do I use NTLMv2 without NTLMSSP?  Are there any Samba configure
options that turn off NTLMSSP?

Chere


On Sunday 18 May 2003 05:32 pm, Andrew Bartlett wrote:
> On Sat, 2003-05-17 at 10:06, Chere Zhou wrote:
> > Hi, Andrew & Samba Team,
> >
> > I remember you know a lot about NTLMSSP and NTLMv2.  It does not seem to
> > work looking at the network trace.  I thought NTLMv2 is supported.
>
> On its own, it is supported :-)
>
> > I have Samba 3.0 joined to a win2k domain, and a client WinXP box configured
> > to do NTLMv2 only.
> >
> > Ok, here is how it goes.  I set on the XP client
> > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
> > "lmcompatibilitylevel"=dword:00000003
> > I can successfully connect to a samba share.  However, looking at the
> > network trace, it goes like
> > 	client say: ntlm=1, ntlmv2=1, etc...
> > 	server:      ntlm=1, ntlmv2=0, ntlm challenge = blah
> > 	client say:  ntlm=1, ntlmv2=0, security blob = blah
> > 	server:       success.
> >
> > If I also set on the XP client
> > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
> > "NtlmMinClientSec"=dword:00080000
> > which means "the connection does not succeed if NTLM 2 session security
> > is not negotiated" according to Microsoft kb239869, I got 'the network
> > request is not supported.' at the XP client.  Network trace looks like
> > 	client say: ntlm=1, ntlmv2=1, etc...
> > 	server:      ntlm=1, ntlmv2=0, ntlm challenge = blah
> > 	client say:  ntlm=1, ntlmv2=1,
> > 	server:       ntlm=1, ntlmv2=0, ntlm challenge = blah
> > Then the client just gives back the not supported error.
> >
> > I can provide the actual traces if anyone wants to have a look.  Joining
> > an ADS or NT4 domain does not make a difference.  I need this to work. 
> > If you do not have time to do this, please give me a hint of where to
> > look.  Thanks a lot.
>
> I've not had a chance to look at this - but I suspect it's the NTLMv2
> session security that's causing the problem.  This might imply SMB
> signing, which we don't support. In particular, we know very little
> about the NTLMSSP variant of SMB signing :-(
>
> Andrew Bartlett
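
Added example (not part of the original thread and not Samba code): a small Python parser that pulls the NegotiateFlags field out of NTLMSSP messages taken from a capture, so the negotiation summarized in the traces above can be checked bit by bit. It assumes the "ntlm" and "ntlmv2" fields in the trace summary are flag bits 0x00000200 and 0x00080000 (the latter being the value quoted for NtlmMinClientSec); the sample messages are constructed, not taken from a real capture.

```python
import struct

# Flag bits of the NTLMSSP NegotiateFlags field, as documented in MS-NLMP.
FLAGS = {
    0x00000010: "SIGN",
    0x00000020: "SEAL",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00080000: "NTLM2_SESSION_SECURITY",  # same value as NtlmMinClientSec above
    0x20000000: "128BIT",
}
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}  # where NegotiateFlags sits in each message type
SIG = b"NTLMSSP\x00"


def parse_ntlmssp(blob):
    """Return the message type, named flags and, for type 3, the NT response kind."""
    if blob[:8] != SIG or len(blob) < 12:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", blob, 8)
    off = FLAGS_OFFSET.get(mtype)
    if off is None or len(blob) < off + 4:
        raise ValueError("unknown or truncated NTLMSSP message")
    (flags,) = struct.unpack_from("<I", blob, off)
    out = {"type": mtype, "flags": {n for bit, n in FLAGS.items() if flags & bit}}
    if mtype == 3:
        (nt_len,) = struct.unpack_from("<H", blob, 20)
        # A 24-byte NT response is NTLM (v1 or NTLM2 session response);
        # an NTLMv2 response is longer because it carries a client blob.
        out["nt_response"] = "NTLMv2" if nt_len > 24 else "NTLM" if nt_len == 24 else "other"
    return out


def session_security_agreed(negotiate, challenge):
    """True only if client (type 1) and server (type 2) both set the NTLM2 bit."""
    bit = "NTLM2_SESSION_SECURITY"
    return all(bit in parse_ntlmssp(m)["flags"] for m in (negotiate, challenge))


# Constructed sample messages (not taken from a real capture), shaped like the
# second trace: the client offers NTLM2 session security, the server omits it.
CLIENT_TYPE1 = SIG + struct.pack("<II", 1, 0x00088207) + bytes(16)
SERVER_TYPE2 = SIG + struct.pack("<I", 2) + bytes(8) + struct.pack("<I", 0x00008201) + bytes(8)

if __name__ == "__main__":
    for msg in (CLIENT_TYPE1, SERVER_TYPE2):
        print(parse_ntlmssp(msg))
    print("NTLM2 session security agreed:", session_security_agreed(CLIENT_TYPE1, SERVER_TYPE2))
```

For a type 3 message the parser also reports the NT response length class, which is what distinguishes an NTLMv2 response from a 24-byte NTLM one independently of the negotiated flag bits.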



More information about the samba-technical mailing list