[Samba] XP logon to Samba in a AD Domain environment

Andrew Bartlett abartlet at samba.org
Sun Feb 23 22:20:45 GMT 2003


On Mon, 2003-02-24 at 08:08, sme_stuff wrote:
> I have been trying to get an XP machine to log on to a samba (2.2.4-3)
> installation for the past week. I am using local logons for the samba
> server and having it prompt me for a username and password (silly I
> know) when I access the samba box.  I just kept getting a logon dialog
> box back with the "domain\username and the password". I searched
> for a solution and found the registry mods that are commonly suggested
> but with little success. I had noticed in the "system log" on the XP
> machine the error messages below, generated by the LsaSrv
> (Local Security Authority Server's) process.
> 
> LOG MESSAGES:
> The Security System detected an attempted downgrade attack for server 
> cifs/Bncsrvweb02. The failure code from authentication protocol
> Kerberos was "There are currently no logon servers available to
> service the logon request. (0xc000005e)".
> 
> and
> 
> The Security System could not establish a secured connection with the
> server cifs/Bncsrvweb02. No authentication protocol was available.

If this machine was in a domain, then this would all 'just work', as
Windows will send not only the 'NTLMv2' response, but also the 'LMv2'
response - which 'looks' like a pretty standard logon attempt to Samba,
and is passed right along.

In any case, NTLMv2 is fully supported in Samba HEAD/3.0, with some
particular fixes for local accounts in current CVS, but not in alpha
releases yet (will appear in alpha22).

Samba 3.0 also supports Kerberos and Active Directory domain membership,
which is *much* better than NTLM, if you can get it to work.  (MS will
silently downgrade to NTLM if things are not exactly right.)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
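
Added example, not part of the message above and not Samba code: a sketch of how the two version 2 responses mentioned in the reply are built, showing that the LMv2 response has the same 24-byte shape as a classic LM or NTLM response while the NTLMv2 response carries a longer, variable-length blob. The function names, the user `alice`, the domain `EXAMPLE`, the hash, the challenges and the timestamp are all constructed for illustration.

```python
import hmac
import struct

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, "md5").digest()

def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    # Version 2 key: HMAC-MD5 keyed with the NT hash over UTF-16LE(UPPER(user) + domain).
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))

def lmv2_response(v2_hash: bytes, server_chal: bytes, client_chal: bytes) -> bytes:
    # 16-byte proof + 8-byte client challenge = 24 bytes, the classic response size.
    return hmac_md5(v2_hash, server_chal + client_chal) + client_chal

def ntlmv2_response(v2_hash, server_chal, client_chal, filetime, target_info) -> bytes:
    # Proof over a variable-length blob (timestamp, client challenge, target info).
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_chal + b"\x00" * 4 + target_info + b"\x00" * 4)
    return hmac_md5(v2_hash, server_chal + blob) + blob

def classify(response: bytes) -> str:
    # Length is all a server can tell before verifying the proof.
    if len(response) == 24:
        return "24-byte (LM/NTLM/LMv2 shape)"
    return "NTLMv2 blob" if len(response) > 24 else "invalid"

def verify_lmv2(v2_hash: bytes, server_chal: bytes, response: bytes) -> bool:
    # Server side: recover the client challenge from the tail, recompute, compare.
    if len(response) != 24:
        return False
    expected = lmv2_response(v2_hash, server_chal, response[16:])
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # All values below are constructed for illustration.
    nt_hash = bytes(range(16))                 # placeholder, not a real password hash
    server_chal = bytes.fromhex("0123456789abcdef")
    client_chal = bytes.fromhex("aaaaaaaaaaaaaaaa")
    domain = "EXAMPLE".encode("utf-16-le")
    # AV_PAIR list: NetBIOS domain name (id 2), then end-of-list (id 0).
    target_info = struct.pack("<HH", 2, len(domain)) + domain + struct.pack("<HH", 0, 0)
    key = ntlmv2_hash(nt_hash, "alice", "EXAMPLE")
    lm = lmv2_response(key, server_chal, client_chal)
    nt = ntlmv2_response(key, server_chal, client_chal, 0x01C2DB8B00000000, target_info)
    return {"key": key, "server_chal": server_chal, "lmv2": lm, "ntlmv2": nt}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, len(value), value.hex())
```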