[Samba] NTLMv2 passthrough auth fails on XP

Aaron J. Zirbes ajz at cccs.umn.edu
Fri Jan 28 20:25:40 GMT 2005

I have an interesting situation.  I'm not sure if Samba doesn't support 
this, or if I have something set up wrong.

All Linux/BSD machines: Samba 3.0.10

Windows XP cannot connect to a Samba Server when the Samba server is a 
member of a Samba Domain, and authentication is restricted to NTLMv2 
_IF_ The Windows XP machine has the following Security Policy turned on:

Network security: Minimum session security for NTLM SSP based (including
secure RPC) clients/servers
	Require NTLMv2 session security

I would have laid this to rest, _EXCEPT_ that this setting does not harm 
the connections to the PDC running Samba as well.  The Windows XP can 
log in to the domain, and browse shares on the Samba PDC, but it cannot 
connect to Samba Member servers authenticating through the PDC via 
security = server AND password server = *.

When I turn off this Windows XP setting, everything works fine.

This option does not exist in <= Windows 2000, therefore Windows 2000/NT 
is not affected.

PDC and MEMBER have the following vital information in smb.conf

# require NTLMv2
encrypt passwords = yes
ntlm auth = no
lanman auth = no
client lanman auth = no
client ntlmv2 auth = yes
client plaintext auth = no

MEMBER is set to
security = server
password server = *

Aaron Zirbes
Systems Administrator
Environmental Health Sciences
University of Minnesota
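
A way to confirm that a PDC or MEMBER smb.conf really carries the NTLMv2-only block quoted in the message, and whether it is in pass-through mode. This is an added example, not part of the original post or of Samba; the function names and the sample text are constructed, and it assumes boolean values spelled yes/true/1 or no/false/0 and no backslash line continuations.

```python
# Added example: audit smb.conf text against the NTLMv2-only block from the post.
REQUIRED = {  # parameter (whitespace removed) -> value listed in the post
    "encryptpasswords": True, "ntlmauth": False, "lanmanauth": False,
    "clientlanmanauth": False, "clientntlmv2auth": True,
    "clientplaintextauth": False,
}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def norm(name):
    """smb.conf names ignore case and whitespace, so compare them squeezed."""
    return "".join(name.lower().split())

def parse_global(text):
    """Collect parameters from [global] (or before any section header)."""
    params, in_global = {}, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = norm(line[1:-1]) == "global"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """Return findings: deviations from REQUIRED, plus pass-through mode."""
    params, findings = parse_global(text), []
    for key, want in REQUIRED.items():
        have = params.get(key, "").lower()
        if not have:
            findings.append(f"{key}: not set, default applies")
        elif have not in TRUE | FALSE:
            findings.append(f"{key}: unrecognised value {have!r}")
        elif (have in TRUE) != want:
            findings.append(f"{key}: is {have}, post has {'yes' if want else 'no'}")
    if params.get("security", "").lower() == "server":
        server = params.get("passwordserver", "(unset)")
        findings.append(f"security = server, password server = {server}")
    return findings

# Constructed sample: the MEMBER settings with two deliberate deviations.
SAMPLE = ("[global]\nencrypt passwords = yes\nNTLM Auth = Yes\n"
          "lanman auth = no\nclient lanman auth = no\n"
          "client ntlmv2 auth = yes\nsecurity = server\npassword server = *\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running it on both machines' files shows at a glance whether PDC and MEMBER differ only in the `security` / `password server` lines, as the message describes.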
