Authenticating XP clients with NTLMv2 against NT PDC via samba:
mb-tmp-fnzon.bet at gromit.dyndns.org
Fri Feb 18 17:16:50 GMT 2005
I'm trying to authenticate Windows clients via samba 3.0.10 against an NT4
(SP6a) PDC to access samba's shares. I'm using these settings in smb.conf:
    security = domain
    password server = ente
This works fine with NT4 clients - their users' passwords are checked
properly, no matter whether the clients are members of the PDC's domain or
If I try to connect to the same shares from XP clients from a foreign AD, I
only get this in samba's logfile:
[2005/02/18 14:36:31, 0] auth/auth_domain.c:domain_client_validate(199)
domain_client_validate: unable to validate password for user buck in
domain ART to Domain controller \\ENTE. Error was NT_STATUS_WRONG_PASSWORD.
Connecting from the same XP clients directly to shares on the PDC works
fine, though. The XP clients have LMCompatibilityLevel=3 in their registry.
Removing that setting allows them to connect via samba, but unfortunately,
that's not an option.
Googling found a thread from Nov 2003 which seems to describe the same
However, the patch posted there no longer applies, so I assume that this
has been fixed in the meantime. Can somebody confirm that my setup is
supposed to work with 3.0.10?
In case there's still somebody reading ;-) , I had a quick look at the data
passed to domain_client_validate() both in the NT and XP case. The
plaintext strings in user_info (domain, user name etc.) look reasonable in
both cases. The major difference seems to be the length of nt_resp (24 for
NT, 164 for XP), which, if I understood correctly, is caused by NTLMv2 vs.
no NTLMv2. If somebody needs more information, please ask - I can easily
get at that data with gdb, but not being a samba expert, it's difficult for
me to interpret it or to know what to look for.
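
Added example, not part of the original post and not Samba's own code: a C classifier showing how the nt_resp lengths mentioned above (24 vs. 164 bytes) map to an NTLM or an NTLMv2 response, assuming the NTLMv2_RESPONSE layout documented in MS-NLMP. The names classify_nt_resp, ntlmv2_info and build_sample_v2 are hypothetical, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum nt_resp_kind { NT_RESP_EMPTY, NT_RESP_NTLM, NT_RESP_NTLMV2, NT_RESP_MALFORMED };
struct ntlmv2_info {
    uint64_t timestamp;     /* client FILETIME, little-endian on the wire */
    uint8_t client_chal[8]; /* ChallengeFromClient */
    size_t av_pairs;        /* AV pairs seen before MsvAvEOL */
};
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Classify an NT response by length and layout; out must not be NULL.
 * NTLMv2 = 16-byte proof + 28-byte blob header + AV pairs ending in MsvAvEOL. */
enum nt_resp_kind classify_nt_resp(const uint8_t *r, size_t len, struct ntlmv2_info *out)
{
    if (len == 0) return NT_RESP_EMPTY;
    if (len == 24) return NT_RESP_NTLM;          /* fixed-size DES-based response */
    if (len < 48 || r[16] != 0x01 || r[17] != 0x01) return NT_RESP_MALFORMED;
    memset(out, 0, sizeof(*out));
    for (int i = 7; i >= 0; i--) out->timestamp = (out->timestamp << 8) | r[24 + i];
    memcpy(out->client_chal, r + 32, 8);
    for (size_t off = 44; off + 4 <= len; out->av_pairs++) {
        size_t id = le16(r + off), alen = le16(r + off + 2);
        if (id == 0 && alen == 0) return NT_RESP_NTLMV2;    /* MsvAvEOL terminator */
        if (alen > len - off - 4) return NT_RESP_MALFORMED; /* pair overruns buffer */
        off += 4 + alen;
    }
    return NT_RESP_MALFORMED;                    /* AV list never terminated */
}

/* Constructed sample: zeroed proof, one MsvAvNbDomainName pair ("ART"), EOL. */
size_t build_sample_v2(uint8_t *buf)             /* buf needs >= 58 bytes */
{
    static const uint8_t av[] = { 2,0, 6,0, 'A',0, 'R',0, 'T',0, 0,0, 0,0 };
    memset(buf, 0, 44);
    buf[16] = buf[17] = 0x01;                    /* RespType, HiRespType */
    for (int i = 0; i < 8; i++) buf[24 + i] = (uint8_t)(8 - i);
    memcpy(buf + 44, av, sizeof(av));
    return 44 + sizeof(av);
}

int main(void)
{
    uint8_t buf[64]; struct ntlmv2_info info;
    size_t n = build_sample_v2(buf);
    printf("len %zu -> kind %d\n", n, classify_nt_resp(buf, n, &info));
    printf("len 24 -> kind %d\n", classify_nt_resp(buf, 24, &info));
    return 0;
}
```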