LM Compatibility Level
abartlet at samba.org
Thu May 22 06:58:55 GMT 2008
On Wed, 2008-05-21 at 10:25 -0700, John Ackart wrote:
> A quote from this article:
> suggests that you can set LM compatibility level to 4 just for the IAS
> server. Specifically, the article says:
> "Servers running IAS (or RADIUS) and Routing and Remote Access use
> NTLMv1 to authenticate their clients' domain credentials. This means
> domain controllers that need to authenticate those clients cannot be
> configured to accept only NTLMv2 authentication. However, starting with
> Windows Server 2003 SP1, it is possible for a domain controller to
> accept NTLMv1 from servers running IAS and remote access service but
> NTLMv2-only for all other authentication requests."
> Does anyone know the mechanism used to achieve this?
The machine running winbind (and passing along NTLMv1 requests as
NTLMv2) must additionally specify a bit in the SamLogon request to the
This is documented in the WSPP docs (somewhere - I did find it!).
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com