Samba4 NTLMv2 negotiation

Andrew Bartlett abartlet at
Mon Jun 27 21:53:47 GMT 2005

On Mon, 2005-06-27 at 10:42 -0700, Matt Cobb wrote:
> Is there a way to get Samba4 client/client libs to first negotiate/try
> ntlmv2, then drop down to the less secure protocols if the other side
> does not support ntlmv2?  Looks like the only way to make ntlmv2 happen
> is to have "client ntlmv2 auth = yes" turned on in smb.conf.  However
> this may not work against older clients such as win9x.  Something like
> client ntlmv2 auth = auto or client auth = {ntlmv2, ntlmv1, clear}??

I've considered doing this, but there are a number of points of pain in
such an approach.

The biggest problem is that if the NTLMv2 login fails, all we get back
is LOGON_FAILURE, which would also increment a bad password counter.
This means that for every bad password, we would login twice, and for a
system where we have a systemic NTLMv2 failure (it is more prone to
failure than NTLM, due to the inclusion of the username/domain in the
response) we would always cause failed logins.

Much as I would love to have an 'automatic' way to handle NTLMv2, I
don't want to go down that route.

A different kettle of fish however is the NTLM2 modified response (part
of NTLM2 session security), where in NTLMSSP we negotiate not to send
the LM password, and to send a client challenge to make up part of the
otherwise unmodified NTLM response.

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
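To make the two points in the reply concrete (why an NTLMv2 mismatch is indistinguishable from a wrong password, and what the NTLM2 session-security client challenge actually contributes), here is an added worked example that is not part of the original post and not Samba's own code. It implements the NTLMv2 key and response derivation from MS-NLMP with Python's standard library and a toy verifier; the NT hash, challenges, timestamp and target info are constructed sample values, and the server name mismatch in `demo()` is an assumed scenario.

```python
import hashlib
import hmac
import struct


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key (MS-NLMP NTOWFv2): HMAC-MD5 keyed with the NT hash over
    UPPER(user) + domain in UTF-16LE. The user name is upper-cased, the
    domain is used exactly as given, so both names are folded into the secret."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The client-built 'temp' structure: version bytes, 64-bit FILETIME,
    8-byte client challenge, the server's target info, and reserved zeros."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """NTProofStr (16 bytes) followed by the blob it was computed over."""
    key = ntowf_v2(nt_hash, user, domain)
    blob = ntlmv2_blob(timestamp, client_challenge, target_info)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def verify_ntlmv2(nt_hash, user, domain, server_challenge, response):
    """Server side: recompute NTProofStr from the stored NT hash and the
    user/domain names the server knows, over the blob the client sent.
    A mismatch in either name fails exactly like a wrong password, and a
    real server would count it against the bad-password counter."""
    nt_proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def ntlm2_session_challenge(server_challenge: bytes, client_challenge: bytes) -> bytes:
    """NTLM2 session security: the ordinary NTLM (DES-based) response is computed
    over MD5(server_challenge || client_challenge)[:8] instead of the raw server
    challenge; the client challenge is carried in the LM response field, so no
    LM-hash-derived response is sent at all."""
    return hashlib.md5(server_challenge + client_challenge).digest()[:8]


# Constructed sample values (not real credentials or captured traffic).
NT_HASH = bytes(range(16))  # stands in for MD4(UTF-16LE(password))
SERVER_CHALLENGE = b"\x01\x23\x45\x67\x89\xab\xcd\xef"
CLIENT_CHALLENGE = b"\xaa" * 8
TIMESTAMP = 0x01C57B0000000000  # arbitrary FILETIME-style value
TARGET_INFO = b"\x02\x00\x0c\x00" + "DOMAIN".encode("utf-16-le") + b"\x00\x00\x00\x00"


def demo():
    """Same password and user; the server just knows the domain under another name."""
    resp = ntlmv2_response(NT_HASH, "User", "DOMAIN", SERVER_CHALLENGE,
                           CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    ok = verify_ntlmv2(NT_HASH, "User", "DOMAIN", SERVER_CHALLENGE, resp)
    mismatch = verify_ntlmv2(NT_HASH, "User", "domain.example", SERVER_CHALLENGE, resp)
    return ok, mismatch  # (True, False)


if __name__ == "__main__":
    print(demo())
    print(ntlm2_session_challenge(SERVER_CHALLENGE, CLIENT_CHALLENGE).hex())
```

The second `verify_ntlmv2` call is the systemic failure the reply describes: nothing about the password is wrong, yet the server can only report a logon failure, so a client that retried with NTLMv1 after every such failure would be doubling up bad-password counts on accounts that never typed a wrong password.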