[Samba] XP logon to Samba in a AD Domain environment
sme_stuff
rob at bncontact.com
Sun Feb 23 21:08:24 GMT 2003
I have been trying to get an XP machine to logon to a samba (2.2.4-3) installation for the past week. I am using local logons for the samba server and having it prompt me for a username and password (silly I know) when I access the samba box. I just kept getting a logon dialog box back with the "domain\username and the password" back. I searched for a solution and found the registry mods that are commonly suggested but with little success. I had noticed a message in the "system log" on the XP machine the error messages below generated by the LsaSrv (Local Security Authority Server's) process.
LOG MESSAGES:
The Security System detected an attempted downgrade attack for server cifs/Bncsrvweb02. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
and
The Security System could not establish a secured connection with the server cifs/Bncsrvweb02. No authentication protocol was available.
So I ran C:\WINNT\SYSTEM32\gpedit.msc from "start -> run -> cmd" and found that the following key was set to "Send NTLMv2 response only\refuse LM & NTLM".
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security:Lan Manager Authentication level
I changed it to "Send LM & NTLM responses" opened a cmd prompt "start -> run -> cmd" and ran gpupdate and tried to access the share again and I was finally able to logon to the Samba server. I changed it back to the original setting and duplicated the original error message and once again could not connect to the samba share, so Im reasonably sure that was my issue.
This may be an obvious fix but I could not find it on the message list so I thought I would post it before someone else ran into this issue and lost sleep over it like I did. FYI: The problem occurred after a security audit which led to a tighter implementation of Group Policies for the 2K Domain.
Rob H.
r.hilligoss at base-net.com
IT Security Analyst
Base-Net Corporation
http://www.bnservice.com
More information about the samba
mailing list