[Samba] Strong Session Key and XP
anthony.linux at gmail.com
Sat Mar 19 15:26:09 GMT 2005
I just finished debugging a Samba installation with Windows XP, and
thought I'd share some findings.
Thanks to MS screwing up our perfectly stable Windows 2000 network
with the release of SP4 (which our security people demanded we install
to stay current), we decided to upgrade to Windows XP Pro SP1 on the 8
computer lab windows machines.
The crux of the problem was that SP4 for win2k disabled some important
windows audit features (logoff and password change for starters). So
to meet the security requirements, we upgraded.
On the first machine I tried, the XP box joined the samba domain with
no problems. I'm running one of the later 3.x releases of Samba with
an OpenLDAP backend, using SMBLDAP perl scripts for account
maintenance. It's worked near flawlessly for 8 months now.
Then I tried to apply our standard security template. This is where
the problem started. Now I could mount shares as administrator, but
no users could log on. I got the domain could not be found error at
the login screen.
I figured it was probably the NTLMv2 requirement that the template
enforces (v2 only, deny all others). So I configured the server to
lanman auth=no and ntlm auth=no, which should force only NTLMv2.
Still didn't work.
I did a diff of the default Win XP security settings and what was
applied by the template. Found the culprit: Domain Member -- Require
Strong (Windows 2000 or later) Session Key: Enabled.
Once I disabled that, it worked fine. Users could login now, no problems.
So, I wanted to share that tidbit, in case anyone else is having this problem.
Also, I was wondering if Samba can satisfy this security setting?
That is, keep the Strong Session Key enabled on the XP workstation and
configure the server to comply? I'm worried that my security people
won't like me deviating from their default template -- but if it's the
only way to make it work, then so be it.
More information about the samba