[Samba] NTLMv2 - wrong password with samba?

Bob Bostwick BobB at digitechsystems.com
Tue Jul 26 19:59:18 GMT 2005


I've got the exact same problem... samba-3.0.14a-1

# ntlm_auth --username=myuser --domain=mydomain
password:
NT_STATUS_OK: Success (0x0)
# ntlm_auth --username=myuser --domain=mydomain --diagnostics
password:
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)
Wrong Password (0xc000006a)

Also running "net ads user -U myuser" returns...
myuser's password:
USER1
USER2
USER3

Instead of 

MYDOMAIN\USER1
MYDOMAIN\USER2
MYDOMAIN\USER3
... not sure if that matters or not.  Everything else seems to work.
I'm using ADS to authenticate SSH to test it and that works.

# tail -5 /var/log/messages
Jul 26 14:14:27 raidzone pam_winbind[19357]: user 'dsibobb' granted access
Jul 26 14:26:37 raidzone net: [2005/07/26 14:26:37, 0] libads/kerberos.c:ads_kinit_password(146)
Jul 26 14:26:37 raidzone net:   kerberos_kinit_password root at DSI.DIGITECHSYSTEMS.COM failed: Client not found in Kerberos database
Jul 26 14:26:37 raidzone net: [2005/07/26 14:26:37, 0] utils/net_ads.c:ads_startup(191)
Jul 26 14:26:37 raidzone net:   ads_connect: Client not found in Kerberos database


The first part of this is from a successful SSH login with ADS
credentials.  The rest is from
"ntlm_auth --username=myuser --domain=mydomain --diagnostics"



		I have samba 3.0.14-5 installed (installed via Fedora Core 4's Yum)
		I have enabled "client NTLMv2 auth = yes" in smb.conf
		When I run "ntlm_auth --username=user --domain=MYDOM" it connects fine
		(change user and MYDOM to be my user and my domain)
		When I run "ntlm_auth --username=user --domain=MYDOM --diagnostics" it
		fails on all tests with "wrong password" which is incorrect, I know
		it's the right password, I was very careful with it and have reset it
		to make sure
		This is connecting to a 2003 active directory domain, I have
		successfully joined the machine to the domain and am able to get a
		list of users and groups without issue

		Here is the output of "ntlm_auth --username=user --domain=MYDOM --diagnostics"
		I have sanitized it to use "user" and "MYDOM"

		[root at redguard samba]# ntlm_auth --username=user --domain=MYDOM --diagnostics
		password:
		Wrong Password (0xc000006a)
		[2005/07/26 09:24:27, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
		  Test NTLMv2 failed!
		Wrong Password (0xc000006a)
		[2005/07/26 09:24:27, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
		  Test NTLMv2 and LMv2 failed!
		Wrong Password (0xc000006a)
		[2005/07/26 09:24:27, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
		  Test LMv2 failed!
		Wrong Password (0xc000006a)
		[2005/07/26 09:24:27, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
		  Test NTLMv2 and LMv2, LMv2 broken failed!
		Wrong Password (0xc000006a)
		Wrong Password (0xc000006a)
		Wrong Password (0xc000006a)
		[2005/07/26 09:24:27, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
		  Test Plaintext failed!
		Wrong Password (0xc000006a)
		[2005/07/26 09:24:27, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
		  Test Plaintext LM broken failed!
		Wrong Password (0xc000006a)
		Wrong Password (0xc000006a)
		[2005/07/26 09:24:27, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
		  Test Plaintext NT only failed!
		Wrong Password (0xc000006a)
		[2005/07/26 09:24:27, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(594)
		  Test Plaintext LM only failed!
		[root at redguard samba]#

		My smb.conf has the following in it that I have added
		[global]

		   workgroup = MYDOM
		   realm = MYDOM.ORG
		   security = ads
		   client NTLMv2 auth = yes

		Is there perhaps some setting I need to set in windows AD to allow me
		to connect this way (such as enabling remote access) or something on
		the samba side that I missed?

		Any advice is greatly appreciated,
		Thanks
		Tim