[Samba] Samba 3.0.2a - Erroneously rejects NTLMv2 but accepts NTLM

Adrian Newby anewby at prudentrx.com
Thu Apr 22 14:45:55 GMT 2004


Andrew,

Could you please elaborate on your ACCESS_DENIED/vuid comment?  Does "odd"
mean my answers don't make sense or does it mean that the behavior is not
supposed to happen like this? (or both)

Also, am I correct in assuming that your suggestion to try w/ 3.0.3rc1 means
that:
a) My setup looks OK
and/or
b) 3.0.2a has some known issues?

If 3.0.2a is suspected or known to exhibit this problem, I'd be happy to
plough through another source build but it's a big enough effort that I'd
really like to solve the problem w/ the current production release if at all
possible.

As soon as I get your reply, I'll build up the test scenario.

Adrian


Message from "Andrew Bartlett" <abartlet at samba.org>, received on 4/22/04
1:50 AM:

> On Sat, 2004-04-17 at 03:31, Adrian Newby wrote:
>> Hello experts,
>>
>> I'll try and keep this brief but detailed (if that's possible.).  I'm sure I
>> don't understand the technologies sufficiently but I believe I'm seeing
>> counter-intuitive behavior with my Samba 3 setup.  What I want is nice,
>> tight Win 2K3 security.  What I've got is ADS integration, including domain
>> user authentication using winbind, but I can't get the security level right.
>>
>> Problem summary:
>> ----------------------
>> Samba 3.0.2a on Solaris 9 is configured with ADS security.
>> Lanman and NTLM authentication is prohibited.
>> Clients requesting NTLMv2 authentication result in NT_STATUS_ACCESS_DENIED,
>> even though the log suggests authentication is successful.
>> Clients requesting NTLM authentication are accepted and authenticated.
>> Also, cannot establish initial SMB session when packet signing enforced.
>> (log not provided)
>
> Try all this with a current subversion checkout, or 3.0.3rc1.
>
> The ACCESS_DENIED is because the tree connect appears not to have a
> valid vuid (the token returned by a session setup), which is most odd..
>
> Andrew Bartlett


---------------------------------

Adrian Newby
Chief Technology Officer
Prudent Rx Inc.
100 Corporate Pointe, Suite 395
Culver City, CA 90230

P: +1 (310)642-1700 x124
F: +1 (310)642-1701
e: anewby at prudentrx.com
