[Samba] NTLMSSP(NTLMv2) problems after PDC reboot

Warren Beldad advisory22 at gmail.com
Mon Jun 6 04:04:46 GMT 2005

Hi all,

In my win2k ADS server (mixed mode), I have set the LAN Manager
authentication level to Send NTLMv2 response only\refuse LM & NTLM. In
the registry, I also set
HKLM\System\CurrentControlSet\Control\Lsa|lmcompatibilitylevel -->
level 5 (accepts only NTLMv2). Similarly, I also set
HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec -->
0x00080000 (NTLMv2 session security)
HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinServerSec -->
0x00080000 (NTLMv2 session security)
In my smb.conf, I added
client NTLMv2 auth = yes
lanman auth = no
ntlm auth = no

I have waited for about 5 minutes just to be sure that all settings may
take effect.
After 5 min, I join the domain through "net rpc join -w domainname". I
was able to join and there seems to be no problem.
I executed winbindd
wbinfo -t, wbinfo -u, wbinfo -g --- everything is OK
ntlm_auth --username --> OK, successful
getent passwd -- OK

Now I reboot my ADS server (I have also deleted my Samba computer
name in Active Directory Users and Computers).
After the reboot, I join again, but this time it fails. The message is
"Unable to join domain 2K-ADS".

Could someone please help me with how to deal with this...
The result of net rpc join -w domainname -d 3 is listed below. I have also
attached my smb.conf.

[2006/06/07 11:55:55, 3] param/loadparm.c:lp_load(3907)
  lp_load: refreshing parameters
[2006/06/07 11:55:55, 3] param/loadparm.c:init_globals(1321)
  Initialising global parameters
[2006/06/07 11:55:55, 3] param/params.c:pm_process(573)
  params.c:pm_process() - Processing configuration file
[2006/06/07 11:55:55, 3] param/loadparm.c:do_section(3409)
  Processing section "[global]"
Module '/usr/local/lib/charset/CP850.so' loaded
added interface ip= bcast= nmask=
resolve_lmhosts: Attempting lmhosts lookup for name 2k-ads<0x1b>
resolve_wins: Attempting wins lookup for name 2k-ads<0x1b>
resolve_wins: WINS server resolution selected and no WINS servers listed.
name_resolve_bcast: Attempting broadcast lookup for name 2k-ads<0x1b>
Got a positive name query response from ( )
Connecting to host=2000SERV
Connecting to at port 445
failed session setup with NT_STATUS_ACCESS_DENIED
Cannot connect to server (anonymously).  Error was NT_STATUS_ACCESS_DENIED
Connecting to host=2000SERV
Connecting to at port 445
Doing spnego session setup (blob length=87)
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=2000serv$@2K-ADS.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x40890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x40080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x40080215
lsa_io_sec_qos: length c does not match size 8
Connecting to host=2000SERV
Connecting to at port 445
failed session setup with NT_STATUS_ACCESS_DENIED
Cannot connect to server (anonymously).  Error was NT_STATUS_ACCESS_DENIED
Unable to join domain 2K-ADS.
return code = 1

        workgroup = 2K-ADS
        realm = 2K-ADS.COM
        netbios name = :-))
        server string = sample PDC mixed mode
        security = DOMAIN
        smb passwd file = /etc/sysconfig/sambad/smbpasswd
        guest account = ftp
        lanman auth = No
        ntlm auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 1
        log file = /var/log/samba
        max log size = 500
        debug timestamp = No
        socket options = TCP_NODELAY SO_RCVBUF=8760 SO_SNDBUF=8760
        os level = 8
        idmap uid = 20000-30000
        idmap gid = 20000-30000
        template homedir = /mnt/temp/home/%D/%U
        template shell = /bin/bash
        winbind cache time = 15
        strict allocate = Yes

        comment = %u's personal share folder
        read only = No
        browseable = No
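As an added example, not part of the original post: a small Python decoder for the "Got NTLMSSP neg_flags=0x..." lines in the debug output above, which names the negotiated NTLMSSP flags and checks them against the 0x00080000 (NTLMv2 session security) minimum the post configured in NtlmMinClientSec/NtlmMinServerSec. The flag names and values follow MS-NLMP; the sample log is constructed from the three flag lines in the post.

```python
import re

# NTLMSSP negotiate flags (MS-NLMP 2.2.2.5). The same bit values are used by the
# NtlmMinClientSec / NtlmMinServerSec registry masks, so 0x00080000 in the post
# corresponds to NEGOTIATE_EXTENDED_SESSIONSECURITY ("NTLMv2 session security").
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# Minimum from the post's registry settings: NtlmMinClientSec/NtlmMinServerSec = 0x00080000.
MIN_SEC_NTLMV2_SESSION = 0x00080000

FLAG_LINE = re.compile(r"Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)")

def decode_flags(value):
    """Names of the flags set in a neg_flags value, in ascending bit order."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]

def parse_neg_flags(log_text):
    """Every neg_flags value, in order of appearance, from Samba debug output."""
    return [int(m.group(1), 16) for m in FLAG_LINE.finditer(log_text)]

def check_min_sec(value, minimum=MIN_SEC_NTLMV2_SESSION):
    """Flags required by `minimum` but absent from `value` (empty list = requirement met)."""
    return decode_flags(minimum & ~value)

# Constructed sample: the flag lines from the post's `net rpc join -d 3` output.
SAMPLE_LOG = """\
Got challenge flags:
Got NTLMSSP neg_flags=0x40890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x40080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x40080215
"""

if __name__ == "__main__":
    for v in parse_neg_flags(SAMPLE_LOG):
        print(f"0x{v:08x}: {', '.join(decode_flags(v))}")
        print("  missing vs NtlmMinClientSec:", check_min_sec(v) or "none")
```

Running it over the post's lines shows that both the challenge and the final flags carry NEGOTIATE_EXTENDED_SESSIONSECURITY, so the NTLMSSP exchange itself meets the configured minimum; the later NT_STATUS_ACCESS_DENIED on the anonymous session setup is a separate step in the log.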

