Vista (by default NTLMv2) - Samba Security = domain, connection from Vista failed
gomathi palanimuthu
gomathi82 at gmail.com
Tue Feb 6 03:14:34 GMT 2007
Hi,
The error I got in Vista is STATUS_LOGON_FAILURE. Even with correct
credentials, Vista couldn't get authenticated against the domain controller via
Samba.
I have tried forcing NTLMv2 only on the 2003 domain controller too.
*Also, does samba3.0.23b or samba3.0.23d respond to NTLMv2 connections by
default, or should I configure Samba accordingly (i.e. by setting lanman
auth = no, ntlm auth = no, client NTLMv2 auth = no) to support NTLMv2
connections?*
Attached is the non-working Ethereal packet info, in which NTLMSSP_AUTH is
failing with the mentioned parameters.
I think some smb.conf parameters are missing. Please correct me if I am wrong.
No. Time Source Destination Protocol
Info
57 17.516407 172.16.101.198 172.16.102.81 SMB
Session Setup AndX Request, NTLMSSP_AUTH, User: w2k3r2\gomathi2
Frame 57 (518 bytes on wire, 518 bytes captured)
Arrival Time: Feb 5, 2007 17:58:29.209664000
Time delta from previous packet: 0.000371000 seconds
Time since reference or first frame: 17.516407000 seconds
Frame Number: 57
Packet Length: 518 bytes
Capture Length: 518 bytes
Protocols in frame: eth:ip:tcp:nbss:smb:gss-api:spnego:ntlmssp
Ethernet II, Src: 172.16.101.198 (00:0b:97:96:1e:73), Dst:
172.16.102.81(00:0f:ea:37:d4:cf)
Destination: 172.16.102.81 (00:0f:ea:37:d4:cf)
Source: 172.16.101.198 (00:0b:97:96:1e:73)
Type: IP (0x0800)
Internet Protocol, Src: 172.16.101.198 (172.16.101.198), Dst: 172.16.102.81(
172.16.102.81)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 504
Identification: 0x5b4a (23370)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x797d [correct]
Good: True
Bad : False
Source: 172.16.101.198 (172.16.101.198)
Destination: 172.16.102.81 (172.16.102.81)
Transmission Control Protocol, Src Port: 49657 (49657), Dst Port:
microsoft-ds (445), Seq: 291, Ack: 428, Len: 464
Source port: 49657 (49657)
Destination port: microsoft-ds (445)
Sequence number: 291 (relative sequence number)
Next sequence number: 755 (relative sequence number)
Acknowledgement number: 428 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65024 (scaled)
Checksum: 0x7c57 [correct]
SEQ/ACK analysis
This is an ACK to the segment in frame: 56
The RTT to ACK the segment was: 0.000371000 seconds
NetBIOS Session Service
Message Type: Session message
Length: 460
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
Response in: 59
SMB Command: Session Setup AndX (0x73)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been
posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
supported
Flags2: 0xc807
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error
codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if
execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended
security negotiation is supported
.... .... .0.. .... = Long Names Used: Path names in request are
not long file names
.... .... .... .1.. = Security Signatures: Security signatures
are supported
.... .... .... ..1. = Extended Attributes: Extended attributes
are supported
.... .... .... ...1 = Long Names Allowed: Long file names are
allowed in the response
Process ID High: 0
Signature: 4253525350594C20
Reserved: 0000
Tree ID: 65535
Process ID: 65279
User ID: 100
Multiplex ID: 128
Session Setup AndX Request (0x73)
Word Count (WCT): 12
AndXCommand: No further commands (0xff)
Reserved: 00
AndXOffset: 0
Max Buffer: 16644
Max Mpx Count: 50
VC Number: 0
Session Key: 0x00000000
Security Blob Length: 396
Reserved: 00000000
Capabilities: 0xa00000d4
.... .... .... .... .... .... .... ...0 = Raw Mode: Read Raw and
Write Raw are not supported
.... .... .... .... .... .... .... ..0. = MPX Mode: Read Mpx and
Write Mpx are not supported
.... .... .... .... .... .... .... .1.. = Unicode: Unicode
strings are supported
.... .... .... .... .... .... .... 0... = Large Files: Large
files are not supported
.... .... .... .... .... .... ...1 .... = NT SMBs: NT SMBs are
supported
.... .... .... .... .... .... ..0. .... = RPC Remote APIs: RPC
remote APIs are not supported
.... .... .... .... .... .... .1.. .... = NT Status Codes: NT
status codes are supported
.... .... .... .... .... .... 1... .... = Level 2 Oplocks: Level
2 oplocks are supported
.... .... .... .... .... ...0 .... .... = Lock and Read: Lock
and Read is not supported
.... .... .... .... .... ..0. .... .... = NT Find: NT Find is
not supported
.... .... .... .... ...0 .... .... .... = Dfs: Dfs is not
supported
.... .... .... .... ..0. .... .... .... = Infolevel Passthru: NT
information level request passthrough is not supported
.... .... .... .... .0.. .... .... .... = Large ReadX: Large
Read andX is not supported
.... .... .... .... 0... .... .... .... = Large WriteX: Large
Write andX is not supported
.... .... 0... .... .... .... .... .... = UNIX: UNIX extensions
are not supported
.... ..0. .... .... .... .... .... .... = Reserved: Reserved
..1. .... .... .... .... .... .... .... = Bulk Transfer: Bulk
Read and Bulk Write are supported
.0.. .... .... .... .... .... .... .... = Compressed Data:
Compressed data transfer is not supported
1... .... .... .... .... .... .... .... = Extended Security:
Extended security exchanges are supported
Byte Count (BCC): 401
Security Blob: A182018830820184A28201800482017C4E544C4D53535000...
GSS-API Generic Security Service Application Program Interface
SPNEGO
negTokenTarg
responseToken:
4E544C4D53535000030000001800180086000000CE00CE00...
NTLMSSP
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_AUTH (0x00000003)
Lan Manager Response:
8BF69F58DA96C80F1AC85053EACC97BC69249322FC269C74
Length: 24
Maxlen: 24
Offset: 134
NTLM Response:
346888112DE38B2766DAE7C9FC60A1790101000000000000...
Length: 206
Maxlen: 206
Offset: 158
NTLMv2 Response:
346888112DE38B2766DAE7C9FC60A1790101000000000000...
HMAC: 346888112DE38B2766DAE7C9FC60A179
Header: 0x00000101
Reserved: 0x00000000
Time: Feb 5, 2007 17:58:29.210178000
Client challenge: 69249322FC269C74
Unknown: 0x00000000
Name: NetBIOS domain name, W2K3R2
Name type: NetBIOS domain name (2)
Name len: 12
Name: W2K3R2
Name: NetBIOS host name, GOMS4
Name type: NetBIOS host name (1)
Name len: 10
Name: GOMS4
Name: DNS domain name, localdomain
Name type: DNS domain name (4)
Name len: 22
Name: localdomain
Name: DNS host name,
localhost.localdomain
Name type: DNS host name (3)
Name len: 42
Name: localhost.localdomain
Name: Unknown, 0
On 2/5/07, gomathi palanimuthu <gomathi82 at gmail.com> wrote:
>
> Hi ,
>
>
> I've been testing out Windows Vista Enterprise today. It defaults to only
> using NTLMV2 authentication.
>
> I'm testing with Samba 3.0.23b which is configured to security = domain
>
> The password server is a Windows Server 2003 domain controller. I've
> joined Samba to the domain.
>
> I simply can't get Vista to connect unless I change its security policy to
> "send NTLM/NTLMV1 use NTLMV2 if negotiated". Then it connects just fine.
>
> But Vista should work with its default of 'only NTLMV2', right??
>
> I have tried configuring smb.conf with the following parameters:
>
> *client NTLMv2 auth = yes*
> *client lanman auth = no*
> *ntlm auth = no*
> *lanman auth = no* (Read from lists.org that if we set ntlm auth as well
> as lanman auth to 'no', Samba will default to NTLMv2 security support).
> But the connection from Vista is still not working.
>
> Are there any configuration parameters missing for this particular type
> of security?
>
> Please help in finding a solution if you've faced the same issue.
>
> Thanks in Advance
> Gomathi (Wipro)
>
>
>
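
As an added example (not part of the original post, and not Samba code): a Python parser that reads an NTLMSSP_AUTH message like the one dissected above and reports whether the NT response is NTLMv1 or NTLMv2, along with the names carried in the NTLMv2 blob. The sample message is constructed from the values the dissection shows in full (LM response, HMAC, client challenge, names, user); the timestamp, flags and field offsets are placeholders, and `parse_authenticate` and `build_sample` are names chosen here.

```python
import struct

AV_NAMES = {1: "nb_host", 2: "nb_domain", 3: "dns_host", 4: "dns_domain"}

def _field(msg, pos):
    """Return the bytes a (Len, MaxLen, Offset) descriptor at pos points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def parse_authenticate(msg):
    """Classify the NT response of an NTLMSSP_AUTH (type 3) message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP_AUTH message")
    lm, nt = _field(msg, 12), _field(msg, 20)
    out = {"user": _field(msg, 36).decode("utf-16-le", "replace"), "av": {}}
    if len(nt) == 24:            # fixed-size response: NTLMv1 family
        return {**out, "version": "NTLMv1"}
    if len(nt) < 44 or nt[16:18] != b"\x01\x01":
        return {**out, "version": "unknown"}
    # NTLMv2: 16-byte HMAC, then a blob: 0x0101 header, 6 reserved bytes,
    # 8-byte timestamp, 8-byte client challenge, 4 reserved bytes, AV pairs.
    out.update(version="NTLMv2", client_challenge=nt[32:40].hex().upper())
    # LMv2 is HMAC + the same client challenge, as in the dissection above.
    out["lmv2_consistent"] = len(lm) == 24 and lm[16:] == nt[32:40]
    pos = 44
    while pos + 4 <= len(nt):
        av_id, av_len = struct.unpack_from("<HH", nt, pos)
        if av_id == 0:           # MsvAvEOL terminates the list
            break
        if av_id in AV_NAMES:
            value = nt[pos + 4:pos + 4 + av_len]
            out["av"][AV_NAMES[av_id]] = value.decode("utf-16-le", "replace")
        pos += 4 + av_len
    return out

def build_sample(nt_override=None):
    """Constructed message; timestamp, flags and offsets are placeholders."""
    u = lambda s: s.encode("utf-16-le")
    names = [(2, "W2K3R2"), (1, "GOMS4"), (4, "localdomain"), (3, "localhost.localdomain")]
    av = b"".join(struct.pack("<HH", i, len(u(v))) + u(v) for i, v in names) + bytes(4)
    cc = bytes.fromhex("69249322FC269C74")
    nt = bytes.fromhex("346888112DE38B2766DAE7C9FC60A179") + b"\x01\x01" + bytes(14) + cc + bytes(4) + av
    lm = bytes.fromhex("8BF69F58DA96C80F1AC85053EACC97BC") + cc
    header, body = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for part in [lm, nt_override or nt, u("w2k3r2"), u("gomathi2"), b"", b""]:
        header += struct.pack("<HHI", len(part), len(part), 64 + len(body))
        body += part
    return header + bytes(4) + body

if __name__ == "__main__":
    print(parse_authenticate(build_sample()))
```

Run over captured Session Setup blobs, the same check shows which clients still send a 24-byte NTLMv1-family response before `ntlm auth = no` is enforced on the server.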