Can Samba 3.0 do raw NTLMSSP?

Michael B Allen ioplex at
Mon Dec 8 19:28:39 GMT 2008

On Mon, Dec 8, 2008 at 1:46 PM, Jeremy Allison <jra at> wrote:
> On Sat, Dec 06, 2008 at 05:14:36PM -0500, Michael B Allen wrote:
>> On Sat, Dec 6, 2008 at 3:52 PM, Jeremy Allison <jra at> wrote:
>> > On Sat, Dec 06, 2008 at 03:22:22PM -0500, Michael B Allen wrote:
>> >> Hi,
>> >>
>> >> Can Samba 3.0 do raw NTLMSSP without SPNEGO?
>> >>
>> >> We just implemented NTLMv2 in JCIFS and we have extended security
>> >> turned on by default now. But JCIFS is failing with Samba 3.0 now
>> >> because it the raw NTLMSSP Type1Message blob is being rejected with
>> >
>> > Hmmm, I thought we did that.
>> >
>> >> Does a more recent version of Samba 3.0 support raw NTLMSSP?
>> >
>> > What version are you trying against ? We're currently
>> > at 3.2.5 you know, not 3.0.anything ?
>> Yeah, I know - 3.2.x works fine. It's just 3.0.x that looks like it
>> doesn't like raw NTLMSSP. If I hack all of the the flags and such to
>> make the Type1Message look exactly like the SPNEGO-wrapped equivalent
>> Type1Message sent by smbclient, it still fails. So the only difference
>> looks like SPNEGO.
>> If you're not sure, then I'll recommend that the customer try to
>> upgrade to the latest 3.0 and see if that makes any difference.
> Which 3.0.x is the customer using ? If we've already fixed
> it in 3.2.x then I'd suggest they upgrade to that instead.

I don't know. They know 3.2.x works. I'm not sure how much the
customer (actually the customer's customer) really cares. I think if
the server was really that important they would probably have more
current versions of things.

It doesn't really matter. I don't see them having me add SPNEGO to
JCIFS just to support a version of Samba that doesn't appear to be
used a whole lot.


Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the samba-technical mailing list