Samba Netlogon 128bit

Ben Christenbury (FEDERAL) benchri at
Wed Nov 4 08:16:24 MST 2009

Please answer directly as I am not on the alias, as I found the posting by accident and this is time critical.
From: Ben Christenbury (FEDERAL)
Sent: Wednesday, November 04, 2009 10:01 AM
To: 'samba-technical at'
Cc: Ben Christenbury (FEDERAL)
Subject: RE: Samba Netlogon 128bit

Please excuse the interruption of your day to this massive list but I have a technical follow-up to the posting below.
My question is which distribution, currently available or planned, our mutual customer could use that would support 138bit encryption for net logon to establish a secure channel for Samba servers that are members of a Windows 2008 domain. Note, as posted on the Samba support webpages below, the Windows Domain must downgrade to NT Crypto (<128bit) in order to allow Samba servers to join a domain. Please note that in the Federal Practice which I serve, DISA and NIST prohibit this, so the Microsoft recommended solution is to upgrade Samba to a version that meets this requirement. Since this request comes to us frequently as all federal agencies scramble to meet these requirements, I would like to document which versions meet this requirement.
Thanks in advance for your time and consideration of this request.

On Wed, 2008-01-23 at 13:21 -0800, Jeremy Allison wrote:
> On Wed, Jan 23, 2008 at 01:16:36PM -0800, Matt Geddes wrote:
> > On Jan 23, 2008 12:59 PM, Jeremy Allison <jra at<>> wrote:
> >
> > > This looks good to me. I'm forward porting to 3.2.x and
> > > Jerry has promised to test (I'm in OOXML-hell right now :-).
> >
> > No problems. Apologies for it being against an older sourcebase, but
> > the patch should apply pretty cleanly to 3.2.x.
> >
> > Incidentally, looking at the neg_flags vs 2K8 problems that have been
> > floating around, there's a new registry entry in Windows 2008 Server
> > that causes lsass.exe to skip the check it does for
> > NETLOGON_NEG_128BIT. Set the following to a non-zero value on the DCs
> > and stop/start netlogon and you can join NT 4 and Samba 3 without any
> > of those pesky NetrServerAuthenticate2-returning-0xc0000388 problems:
> >
> > HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\AllowNT4Crypto
> >
> > It's a 32-bit DWORD.

> Thanks for that, but we'll just ensure we do the 128bit crypto :-).

It's still probably worth documenting for people that have to use older
versions of samba for a while.

Thanks Matt.

Yep. For those early adopters that'll install 2K8 when released, but
still use some distro-packaged version of Samba from 18 months ago.

Do you have enough info to document it, or is there something more I
can grab for you? Did you want me to scribble something down or create
a .reg file or something?

It would be useful if you had time to create a patch against our docs,
that state what we discussed, including the fact this will be fixed and
unnecessary for 3.2.x

Simo Sorce
Samba Team GPL Compliance Officer <simo at<>>
Senior Software Engineer at Red Hat Inc. <ssorce at<>>

Ben Christenbury
MICROSOFT DSE Federal Civilian Enterprise Services
This E-mail and any of its attachments may contain Microsoft proprietary information, which is privileged, confidential, or subject to copyright belonging to Microsoft Corporation. This E-mail is intended solely for the internal use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
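
For the compliance question raised in this thread, the following is an added example (not written by any poster and not part of Samba or Windows) that reports whether the `AllowNT4Crypto` value quoted above is set on a list of domain controllers. The function name `Test-NetlogonAllowNT4Crypto`, its output fields, and the choice to treat a missing value as 0 are assumptions made for this example.

```powershell
# Added example: audits the AllowNT4Crypto value named in the thread.
# Function name and output fields are hypothetical.
function Test-NetlogonAllowNT4Crypto {
    [CmdletBinding()]
    param(
        # Domain controllers to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $probe = {
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        # Assumption: a missing value is reported as 0 (the 128-bit check is not skipped).
        $prop = Get-ItemProperty -Path $path -Name 'AllowNT4Crypto' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { 0 } else { $prop.AllowNT4Crypto }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $value = & $probe
            } else {
                # Requires PowerShell remoting to be enabled on the target DC.
                $value = Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop
            }
            [pscustomobject]@{
                ComputerName   = $name
                AllowNT4Crypto = $value
                # Per the thread, a non-zero value makes the DC skip the NETLOGON_NEG_128BIT check.
                Requires128Bit = ($value -eq 0)
                Error          = $null
            }
        } catch {
            # An unreachable DC is reported rather than silently counted as compliant.
            [pscustomobject]@{
                ComputerName   = $name
                AllowNT4Crypto = $null
                Requires128Bit = $null
                Error          = $_.Exception.Message
            }
        }
    }
}

# List DCs where the downgrade is enabled or where the check could not be completed.
Test-NetlogonAllowNT4Crypto | Where-Object { $_.Requires128Bit -ne $true }
```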
