[Samba] NTLMSSP(NTLMv2) problems after PDC reboot
Warren Beldad
advisory22 at gmail.com
Mon Jun 6 04:04:46 GMT 2005
Hi all,
In my win2k ADS server (mixed mode), I have set the LAN Manager
authentication level to "Send NTLMv2 response only\refuse LM & NTLM". In
the registry, I also set
HKLM\System\CurrentControlSet\Control\Lsa|lmcompatibilitylevel -->
level 5 (accepts only NTLMv2). Similarly, I also set
HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec -->
0x00080000(NTLMv2 Session security)
HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinServerSec -->
0x00080000(NTLMv2 Session security)
In my smb.conf, I added
client NTLMv2 auth = yes
lanman auth = no
ntlm auth = no
I waited for about 5 minutes just to be sure that all settings had
taken effect.
After 5 min, I joined the domain through "net rpc join -w domainname". I
was able to join and there seemed to be no problem.
I executed winbindd
wbinfo -t, wbinfo -u, wbinfo -g ---everything is ok
ntlm_auth --username --> OK, successful
getent passwd --ok
Now I reboot my ADS server, (I have also deleted my samba computer
name in the Active Directory users and computers)
After reboot, I join again but this time it fails. The message is
"Unable to join domain 2K-ADS"
May someone please help me on how to deal with this...
The result of "net rpc join -w domainname -d 3" is listed below. I have also
attached my smb.conf.
[2006/06/07 11:55:55, 3] param/loadparm.c:lp_load(3907)
lp_load: refreshing parameters
[2006/06/07 11:55:55, 3] param/loadparm.c:init_globals(1321)
Initialising global parameters
[2006/06/07 11:55:55, 3] param/params.c:pm_process(573)
params.c:pm_process() - Processing configuration file
"/etc/sysconfig/sambad/smb.conf"
[2006/06/07 11:55:55, 3] param/loadparm.c:do_section(3409)
Processing section "[global]"
Module '/usr/local/lib/charset/CP850.so' loaded
added interface ip=192.168.100.226 bcast=192.168.100.255 nmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name 2k-ads<0x1b>
resolve_wins: Attempting wins lookup for name 2k-ads<0x1b>
resolve_wins: WINS server resolution selected and no WINS servers listed.
name_resolve_bcast: Attempting broadcast lookup for name 2k-ads<0x1b>
Got a positive name query response from 192.168.100.224 ( 192.168.100.224 )
Connecting to host=2000SERV
Connecting to 192.168.100.224 at port 445
failed session setup with NT_STATUS_ACCESS_DENIED
Cannot connect to server (anonymously). Error was NT_STATUS_ACCESS_DENIED
Connecting to host=2000SERV
Connecting to 192.168.100.224 at port 445
Doing spnego session setup (blob length=87)
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=2000serv$@2K-ADS.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x40890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x40080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x40080215
lsa_io_sec_qos: length c does not match size 8
Connecting to host=2000SERV
Connecting to 192.168.100.224 at port 445
failed session setup with NT_STATUS_ACCESS_DENIED
Cannot connect to server (anonymously). Error was NT_STATUS_ACCESS_DENIED
Unable to join domain 2K-ADS.
return code = 1
[global]
workgroup = 2K-ADS
realm = 2K-ADS.COM
netbios name = :-))
server string = sample PDC mixed mode
security = DOMAIN
smb passwd file = /etc/sysconfig/sambad/smbpasswd
guest account = ftp
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 1
log file = /var/log/samba
max log size = 500
debug timestamp = No
socket options = TCP_NODELAY SO_RCVBUF=8760 SO_SNDBUF=8760
os level = 8
idmap uid = 20000-30000
idmap gid = 20000-30000
template homedir = /mnt/temp/home/%D/%U
template shell = /bin/bash
winbind cache time = 15
strict allocate = Yes
[homes]
comment = %u's personal share folder
read only = No
browseable = No
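As an added example (not code from the post or from Samba), the following decodes the NTLMSSP neg_flags values that the -d 3 output above prints and checks them against the NtlmMinClientSec / NtlmMinServerSec mask from the registry settings. The 0x00080000 bit the registry editor labels "NTLMv2 session security" is NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY in MS-NLMP terms; the sample log lines are copied from the post.

```python
import re
# Added example, not code from the original post: decode the NTLMSSP
# neg_flags values "net rpc join -d 3" prints and compare them with the
# NtlmMinClientSec / NtlmMinServerSec bitmask. Bit names follow MS-NLMP 2.2.2.5.
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",     # weak LM-derived session key
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",  # "NTLMv2 session security"
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

def decode_flags(flags):
    """Names of the set bits, lowest first; bits not in the table are reported raw."""
    names = [n for bit, n in sorted(NTLMSSP_FLAGS.items()) if flags & bit]
    leftover = flags & ~sum(NTLMSSP_FLAGS)
    if leftover:
        names.append("UNKNOWN_0x%08x" % leftover)
    return names

def meets_minimum(flags, minimum):
    """True if every bit demanded by an NtlmMin*Sec value was negotiated."""
    return flags & minimum == minimum

def parse_neg_flags(log_lines):
    """Collect every 'Got NTLMSSP neg_flags=0x...' value from Samba debug output."""
    pat = re.compile(r"NTLMSSP neg_flags=0x([0-9a-fA-F]+)")
    return [int(m.group(1), 16) for m in map(pat.search, log_lines) if m]

# Constructed sample: the neg_flags lines from the post's -d 3 output.
SAMPLE_LOG = [
    "Got challenge flags:",
    "Got NTLMSSP neg_flags=0x40890215",
    "Got NTLMSSP neg_flags=0x40080215",
    "Got NTLMSSP neg_flags=0x40080215",
]
NTLM_MIN_SEC = 0x00080000  # the poster's NtlmMinClientSec / NtlmMinServerSec value

if __name__ == "__main__":
    for f in parse_neg_flags(SAMPLE_LOG):
        print("0x%08x: %s" % (f, ", ".join(decode_flags(f))))
        print("  satisfies NtlmMin*Sec 0x%08x: %s" % (NTLM_MIN_SEC, meets_minimum(f, NTLM_MIN_SEC)))
```

Both the challenge flags and the final flags in the post carry the 0x00080000 bit, so the NtlmMin*Sec requirement itself is satisfied on this exchange.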