FW: [Samba] NTLMv2 in Samba 3.0

Stefan Metzmacher stefan.metzmacher at metzemix.de
Thu Nov 6 12:29:08 GMT 2003


Stefan Metzmacher wrote:

> Chu, Dan [IT] wrote:
>
>> Dear Samba Gurus,
>> I posted below question yesterday to the general audience without 
>> getting any feedback. Hope some of you could shed a light here as we 
>> are required to use NTLMv2 for Samba user authentication.
>> Thanks a lot in advance.
>> Dan
>> -----Original Message-----
>> From: Chu, Dan [IT]
>> Sent: Thursday, October 23, 2003 4:54 PM
>> To: 'samba at lists.samba.org'
>> Subject: [Samba] NTLMv2 in Samba 3.0
>>
>>
>> Hello,
>> Has anyone successfully configured Samba 3.0 to authenticate using
>> NTLMv2 only? I have below entry in smb.conf:
>> password server = <domain controller>
>>
>> to use domain controller for user authentication and DC is configured
>> with Level 5 - DC refuses LM and NTLM authentication (accepts only
>> NTLMv2). So far I got: "System error 1326 has occurred.
>> Logon failure: unknown user name or bad password." errors.
>> I am not sure what option(s) to use in the smb.conf file to make it
>> work. My understanding is that Samba 3.0 defaults to NTLMv2 if
>> password server is configured to accept NTLMv2.
>> Thanks a lot in advance.
>> Dan  
>>
> I don't know if this is related to this problem, but I noticed that
> my win XP box doesn't connect to a samba 3.0.0 server if I set the regkey
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
> "lmcompatibilitylevel"=dword:00000000
>
> to 3,4 or 5 I got an error on the client "Server doesn't support this 
> feature" or something like that...
>
> 0|Send LM and NTLM responses
> 1|Send LM and NTLM responses (use NTLMv2 session security if
> negotiated)
> 2|Send NTLM responses only
> 3|Send NTLMv2 responses only
> 4|Send NTLMv2 responses only\refuse LM
> 5|Send NTLMv2 responses only\refuse LM & NTLM
>
> If I apply this patch it works, but then it doesn't work with the 
> settings 0,1,2...

This is because we don't support NTLM2 Session Response with value '1'
http://davenport.sourceforge.net/ntlm.html#theNtlm2SessionResponse

>
> Does anyone know how a windows server does this?
>
> maybe a 'server NTLMv2' option is needed for this...
>
> Index: libsmb/ntlmssp.c
> ===================================================================
> RCS file: /cvsroot/samba/source/libsmb/ntlmssp.c,v
> retrieving revision 1.4.2.23
> diff -u -r1.4.2.23 ntlmssp.c
> --- libsmb/ntlmssp.c    16 Sep 2003 01:27:46 -0000      1.4.2.23
> +++ libsmb/ntlmssp.c    6 Nov 2003 12:02:46 -0000
> @@ -159,8 +159,9 @@
>           return the flags we want. Obviously this is not correct */
>
>        chal_flags =
> -               NTLMSSP_NEGOTIATE_128 |
> -               NTLMSSP_NEGOTIATE_NTLM;
> +               NTLMSSP_NEGOTIATE_128 |
> +               NTLMSSP_NEGOTIATE_NTLM |
> +               NTLMSSP_NEGOTIATE_NTLM2;
>
>        if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
>                chal_flags |= NTLMSSP_NEGOTIATE_UNICODE;
>
>
>
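Review bot: NTLMSSP_NEGOTIATE_NTLM2 is added to chal_flags unconditionally, while the NTLMSSP_NEGOTIATE_UNICODE handling directly below is gated on what the client sent in neg_flags. Setting the flag in every challenge advertises NTLM2 to clients that did not ask for it, which fits the report above that settings 0, 1 and 2 stop working once the patch is applied. Consider setting it only when (neg_flags & NTLMSSP_NEGOTIATE_NTLM2) is true, and only once the server side can actually verify an NTLM2 session response, so the challenge does not promise something the authentication path cannot check. The existing comment above the assignment ("Obviously this is not correct") should also be updated to say which flags are echoed from the client and which are forced.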




