[Samba] Vista, NTLMV2, security = domain

Schaefer Jr, Thomas R. tom at umsl.edu
Sat Feb 24 03:25:39 GMT 2007

Arggh, I put 3.0.24, built with all the Vista patches as well, into
production tonight, running winbindd, since winbindd was the solution to
getting Vista clients to work with their default security settings.

Discovered a problem, my "add user script" parameter is never executed.
I stopped winbindd, now my add user script runs but I'm back to the
problem of Vista not working with its defaults, I can't win.

I did some Googling, I get it, IF I've configured nsswitch to use
winbind then all the users automatically exist, add user script never
gets called, it's meant to be that way.

Fine.  But, I'm not using winbindd with nsswitch, I'm just using it in
proxy mode solely so my Vista clients will work by default.  I want
local user accounts on my Samba server.

If what I'm attempting to do is wrong then the following portion of the
"Samba by Example" guide is wrong too, step 3 tells you to be sure and
run winbindd, the example smb.conf includes an add user script..
Should I file a bug report?  

Tom Schaefer

Procedure 7.3. Configuration Using Local Accounts Only


      Using your favorite text editor, create the smb.conf file so it
has the contents shown in ???.

      The system is ready to join the domain. Execute the following:

      net rpc join -U root%not24get
      Joined domain MEGANET2.

      This indicates that the domain join succeeded.

      Be sure to run all three Samba daemons: smbd, nmbd, winbindd.

      The Samba member server of a Windows NT4 domain is ready for use. 

Example 7.6. Samba Domain Member Server Using Local Accounts smb.conf
File for NT4 Domain
# Global parameters
[global]
unix charset = LOCALE
workgroup = MEGANET3
netbios name = BSDBOX
security = DOMAIN
username map = /etc/samba/smbusers
log level = 1
syslog = 0
add user script = /usr/sbin/useradd -m '%u'
add machine script = /usr/sbin/useradd -M '%u'
add group script = /usr/sbin/groupadd '%g'
log file = /var/log/samba/%m
max log size = 0
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
wins server =
printer admin = root
hosts allow = 192.168.2., 192.168.3., 127.
printing = cups

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
admin users = root, Administrator
write list = root

-----Original Message-----
From: Schaefer Jr, Thomas R. 
Sent: Tuesday, February 06, 2007 12:04 PM
To: Schaefer Jr, Thomas R.; 'samba at lists.samba.org'
Subject: RE: [Samba] Vista, NTLMV2, security = domain

I eventually hit upon the solution.. run winbindd.  Barely even have to
alter my smb.conf, just run winbindd.  It runs in proxy mode.  The one
smb.conf impact was with the valid users parameter:

Now for an entry like this in smb.conf..

valid users = schaefert, plantr

I've either got to make it

valid users = ourdomain\schaefert, ourdomain\plantr

Or, the other solution I came up with is leave the valid users entries
in smb.conf as they are but include entries like the following in the
username map..

schaefert = ourdomain\schaefert
plantr = ourdomain\plantr

-----Original Message-----
From: samba-bounces+tom=umsl.edu at lists.samba.org
[mailto:samba-bounces+tom=umsl.edu at lists.samba.org] On Behalf Of
Schaefer Jr, Thomas R.
Sent: Monday, January 29, 2007 6:21 PM
To: samba at lists.samba.org
Subject: [Samba] Vista, NTLMV2, security = domain

Hi folks,

I've been testing out Windows Vista Enterprise today.  It defaults to
only using NTLMV2 authentication.

I'm testing with Samba 3.0.23d running on Sparc/Solaris 8.  Samba is
configured with

security = domain

The password server is a Windows Server 2003 domain controller.  I've
joined Samba to the domain.

I simply can't get Vista to connect unless I change its security policy
to "send NTLM/NTLMV1 use NTLMV2 if negotiated".  Then it connects just

But Vista should work with its default of only NTLMV2, right??  There's
not some known bug, or some inherent limitation that prevents NTLMV2
authentication when your Samba server is configured as security =
domain, correct??

Thanks in advance,
Tom Schaefer
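
The valid users change described in the 6 February message, as an added example (not part of the original thread and not Samba's own tooling): a Python script that finds unqualified names in valid users lines and builds username map entries in the form shown in the post. The sample smb.conf, its share names and the skip list of local accounts are assumptions.

```python
import re

# Constructed sample smb.conf (share names, users and domain are illustrative).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = OURDOMAIN
   security = domain
   username map = /etc/samba/smbusers

[projects]
   path = /srv/projects
   valid users = schaefert, plantr, @staff

[archive]
   path = /srv/archive
   Valid Users = ourdomain\\schaefert root
"""

def unqualified_valid_users(conf_text):
    """Map each section to the plain user names in its 'valid users' line
    that carry no DOMAIN\\ prefix (the entries that stop matching once
    winbindd is running, per the post)."""
    findings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        # Samba ignores case and whitespace in parameter names.
        if not sep or "".join(key.lower().split()) != "validusers":
            continue
        # Lists are comma- or space-separated; quoted names may hold spaces.
        for name in re.findall(r'"[^"]+"|[^,\s]+', value):
            name = name.strip('"')
            # Skip group forms (@, +, &), %-macros and qualified names.
            if name and name[0] not in "@+&%" and "\\" not in name:
                findings.setdefault(section, []).append(name)
    return findings

def username_map_lines(names, domain, skip=("root",)):
    """Build 'user = domain\\user' lines, the form used in the post.
    skip (assumed) lists accounts that stay local and are not mapped."""
    return [f"{n} = {domain}\\{n}" for n in sorted(set(names) - set(skip))]

if __name__ == "__main__":
    found = unqualified_valid_users(SAMPLE_SMB_CONF)
    names = [n for users in found.values() for n in users]
    print(found)
    print("\n".join(username_map_lines(names, "ourdomain")))
```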
