[Samba] NTLMv2 configuration problems

jamurph tony_murphy at yahoo.com
Wed Mar 7 11:57:46 GMT 2007


I'm running Centos 4.3 and Samba 3.0.24. I have an OpenLDAP backend. I have
successfully got a Windows Domain to work, Windows XP -> Samba -> OpenLDAP.
I can add machines to the domain and I can login and change passwords. The
trouble is that I'm using NTLM and have been told that I must upgrade to
NTLMv2, but I'm having great difficulty doing so.

I have existing NTLM users. I want to disable the use of NTLM, so I ran
secpol.msc and changed the LAN Manager Authentication Level to:

  "Send NTLMv2 response only \ refuse LM and NTLM passwords"

I change smb.conf to include:
    ntlm auth = no
    client ntlmv2 auth = yes
    client lanman auth = no
    lanman auth = no
    min protocol = NT1

I restarted the PC and Samba.

However, I can still log in users who have NTLM-hashed passwords. Is this
right? I don't think so. Does Samba cache machine settings anywhere? I know
Samba works; I'm missing some configuration, I just don't know what it is.

When I run smbpasswd, it seems to create NTLM hashed passwords? Should it
only create NTLMv2 passwords if I set client ntlmv2 auth = yes?

I created new users and I have stored an NTLMv2 hashed password in
sambaNTPassword, I'm assuming NTLMv2 passwords need to be stored in this
attribute as I don't see an alternative?

When I try to log in to a user account with an NTLMv2 hashed password, I get
"invalid password", but I think I've calculated the hash correctly. Looking in
LDAP, I stored a 16-byte hex string ( sambaNTPassword:
47E53AD35D61DE8F419F272FFBC4F175 ). The password check is failing in
ntlm_password_check (libsmb/ntlm_check.c). I've marked where the password
check is failing in bold:

NTSTATUS ntlm_password_check(....)
{
        static const unsigned char zeros[8];
        if (nt_pw == NULL) {
                DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
                         username));
        }

        if (nt_interactive_pwd && nt_interactive_pwd->length && nt_pw) {
                if (nt_interactive_pwd->length != 16) {
                        DEBUG(3,("ntlm_password_check: Interactive logon: Invalid NT password length (%d) supplied for user %s\n",
                                 (int)nt_interactive_pwd->length, username));
                        return NT_STATUS_WRONG_PASSWORD;
                }

                if (memcmp(nt_interactive_pwd->data, nt_pw, 16) == 0) {
                        if (user_sess_key) {
                                *user_sess_key = data_blob(NULL, 16);
                                SMBsesskeygen_ntv1(nt_pw, NULL, user_sess_key->data);
                        }
                        return NT_STATUS_OK;
                } else {
                        /* this is the message that appears in the log extract below */
                        DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
                                 username));
                        return NT_STATUS_WRONG_PASSWORD;
                }

I can see that the code to check the NTLMv2 password comes later:

                        if (smb_pwd_check_ntlmv2( nt_response,
                                                  nt_pw, challenge,
                                                  client_username,
                                                  client_domain,
                                                  False,
                                                  user_sess_key)) {
                                return NT_STATUS_OK;
                        }

------------- SMB.CONF -------------------
[global]
   workgroup = DEV
   netbios name = DEV-PDC
   security = user
   server string = Samba Server
   log level = 3
   syslog = 0
   log file = /var/log/samba/%m.log
   max log size = 100000
   time server = Yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   mangling method = hash2
   Dos charset = 850
   Unix charset = ISO8859-1
   logon home = ""
   logon path = ""
   domain logons = Yes
   domain master = Yes
   os level = 65
   preferred master = Yes
   wins support = yes
   encrypt passwords = Yes
   ldap passwd sync = Yes
   passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success****
   pam password change = yes
   check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
   passdb backend = ldapsam:"ldap://ldap-1"
   ntlm auth = no
   client ntlmv2 auth = yes
   client lanman auth = no
   lanman auth = no
   min protocol = NT1
   ldap admin dn = cn=Manager,dc=example,dc=org
   # ldap delete dn = no
   ldap suffix = dc=example,dc=org
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:"ldap://ldap-1"
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
   delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
   add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
   add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = no

------------ LOG FILE -------------------
[2007/03/07 11:12:16, 3] smbd/oplock.c:init_oplocks(862)
  open_oplock_ipc: initializing messages.
[2007/03/07 11:12:16, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(260)
  Linux kernel oplocks enabled
[2007/03/07 11:12:16, 3] smbd/process.c:process_smb(1110)
  Transaction 0 of length 72
[2007/03/07 11:12:16, 2] smbd/reply.c:reply_special(496)
  netbios connect: name1=DEV-PDC      name2=VM-WARE-TM1
[2007/03/07 11:12:16, 2] smbd/reply.c:reply_special(503)
  netbios connect: local=dev-pdc remote=vm-ware-tm1, name type = 0
[2007/03/07 11:12:25, 3] smbd/oplock.c:init_oplocks(862)
  open_oplock_ipc: initializing messages.
[2007/03/07 11:12:25, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(260)
  Linux kernel oplocks enabled
[2007/03/07 11:12:25, 3] smbd/process.c:process_smb(1110)
  Transaction 0 of length 137
[2007/03/07 11:12:25, 3] smbd/process.c:switch_message(914)
  switch message SMBnegprot (pid 3150) conn 0x0
[2007/03/07 11:12:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [LANMAN1.0]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [Windows for Workgroups 3.1a]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [LM1.2X002]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [LANMAN2.1]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [NT LM 0.12]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_nt1(357)
  using SPNEGO
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(580)
  Selected protocol NT LM 0.12
[2007/03/07 11:12:25, 3] smbd/oplock.c:init_oplocks(862)
  open_oplock_ipc: initializing messages.
[2007/03/07 11:12:25, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(260)
  Linux kernel oplocks enabled
[2007/03/07 11:12:25, 3] smbd/process.c:process_smb(1110)
  Transaction 0 of length 72
[2007/03/07 11:12:25, 2] smbd/reply.c:reply_special(496)
  netbios connect: name1=DEV-PDC      name2=VM-WARE-TM1
[2007/03/07 11:12:25, 2] smbd/reply.c:reply_special(503)
  netbios connect: local=dev-pdc remote=vm-ware-tm1, name type = 0
[2007/03/07 11:12:25, 3] smbd/process.c:process_smb(1110)
  Transaction 1 of length 240
[2007/03/07 11:12:25, 3] smbd/process.c:switch_message(914)
  switch message SMBsesssetupX (pid 3150) conn 0x0
[2007/03/07 11:12:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X(849)
  wct=12 flg2=0xc807
[2007/03/07 11:12:25, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(660)
  Doing spnego session setup
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_spnego_negotiate(551)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_spnego_negotiate(554)
  Got secblob of size 40
[2007/03/07 11:12:25, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xe2088297
[2007/03/07 11:12:25, 3] smbd/process.c:process_smb(1110)
  Transaction 2 of length 284
[2007/03/07 11:12:25, 3] smbd/process.c:switch_message(914)
  switch message SMBsesssetupX (pid 3150) conn 0x0
[2007/03/07 11:12:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X(849)
  wct=12 flg2=0xc807
[2007/03/07 11:12:25, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(660)
  Doing spnego session setup
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/03/07 11:12:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[] domain=[] workstation=[VM-WARE-TM1] len1=1 len2=0

------------- Client machine LOG file extract -------------------
[2007/03/07 11:56:58, 3] passdb/secrets.c:secrets_store_schannel_session_info(995)
  secrets_store_schannel_session_info: stored schannel info with key SECRETS/SCHANNEL/VM-WARE-TM1
[2007/03/07 11:56:58, 3] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(840)
  SAM Logon (Interactive). Domain:[DEV].  User:[ntlmh@VM-WARE-TM1] Requested Domain:[DEV]
[2007/03/07 11:56:58, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user [DEV]\[ntlmh]@[VM-WARE-TM1] with the new password interface
[2007/03/07 11:56:58, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [DEV]\[ntlmh]@[VM-WARE-TM1]
[2007/03/07 11:56:58, 3] smbd/sec_ctx.c:push_sec_ctx(208)
[2007/03/07 11:56:58, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: ntlmh
[2007/03/07 11:56:58, 0] passdb/pdb_ldap.c:init_sam_from_ldap(817)
  init_sam_from_ldap: Failed to get password history for user ntlmh
[2007/03/07 11:56:58, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/03/07 11:56:58, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/03/07 11:56:58, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 513 -> S-1-5-21-3509805487-1978983965-2064741474-513
[2007/03/07 11:56:58, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user ntlmh
[2007/03/07 11:56:58, 3] smbd/uid.c:push_conn_ctx(345)
[2007/03/07 11:56:58, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: ntlmh
[2007/03/07 11:56:58, 3] passdb/pdb_ldap.c:init_ldap_from_sam(1212)
  updating bad password fields, policy=3, count=1, time=1173268618
[2007/03/07 11:56:58, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [DEV] was for this SAM.
[2007/03/07 11:56:58, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [ntlmh] -> [ntlmh] FAILED with error NT_STATUS_WRONG_PASSWORD
[2007/03/07 11:56:58, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(529)
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(551)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(554)
  Got secblob of size 40
[2007/03/07 11:56:58, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xe2088297
[2007/03/07 11:56:58, 3] smbd/process.c:process_smb(1110)
  Transaction 10 of length 284
[2007/03/07 11:56:58, 3] smbd/process.c:switch_message(914)
  switch message SMBsesssetupX (pid 5338) conn 0x0
[2007/03/07 11:56:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X(849)
  wct=12 flg2=0xc807
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(660)
  Doing spnego session setup
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/03/07 11:56:58, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
..

Any help would be much appreciated,

Tony
-- 
View this message in context: http://www.nabble.com/NTLMv2-configuration-problems-tf3361654.html#a9351505
Sent from the Samba - General mailing list archive at Nabble.com.
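As an added example (not Samba's code and not from the poster), the Python below sketches the credential model the post is wrestling with. In MS-NLMP there is no "NTLMv2 hash" to store: the stored credential is the NT hash (MD4 of the UTF-16LE password), which is what sambaNTPassword holds, and NTLMv2 is a challenge-response scheme whose key is derived from that NT hash at logon time. The excerpt of ntlm_password_check quoted above also shows why the interactive logon in the log extract fails when sambaNTPassword holds anything other than the NT hash: on an interactive SAM logon the domain member presents the 16-byte NT hash itself and the PDC compares it with memcmp, and that branch makes no reference to the `ntlm auth` setting; only a network logon reaches the smb_pwd_check_ntlmv2 path. The user, domain, password, challenge and client blob in `demo()` are constructed values, the FILETIME in the blob is fixed so the run is deterministic, and MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
"""NT hash, NTLMv2 response and the two server-side checks seen in ntlm_check.c.

Added example, not Samba code. Pure-Python MD4 is used because hashlib's md4
is disabled by the default OpenSSL 3 provider on many systems.
"""
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; needed because NTOWFv1 = MD4(UTF-16LE(password))."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _lrot((a + f(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c                # rotate registers
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: the value Samba stores (hex) in sambaNTPassword and compares
    byte-for-byte in the interactive-logon branch (memcmp against nt_pw)."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nt_pw: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): derived from the NT hash at logon, never stored."""
    return hmac.new(nt_pw, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(nt_pw, user, domain, server_challenge, client_blob):
    """Client side: NtChallengeResponse = NTProofStr || client blob."""
    proof = hmac.new(ntlmv2_key(nt_pw, user, domain),
                     server_challenge + client_blob, "md5").digest()
    return proof + client_blob


def check_ntlmv2(stored_nt_pw, user, domain, server_challenge, nt_response) -> bool:
    """Server side, the shape of smb_pwd_check_ntlmv2(): recompute NTProofStr from
    the stored NT hash and the client's blob, then compare in constant time."""
    if len(nt_response) <= 16:
        return False
    proof, blob = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntlmv2_key(stored_nt_pw, user, domain),
                        server_challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)


def check_interactive(stored_nt_pw, presented_nt_pw) -> bool:
    """Server side, the interactive-logon branch quoted in the post: the domain
    member presents the NT hash itself and it must equal the stored 16 bytes."""
    return len(presented_nt_pw) == 16 and hmac.compare_digest(stored_nt_pw, presented_nt_pw)


def make_client_blob(client_challenge: bytes, target_info: bytes = b"") -> bytes:
    """Constructed NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7): RespType, HiRespType,
    6 reserved, 8-byte FILETIME, 8-byte client nonce, 4 reserved, AV pairs, 4 reserved.
    The timestamp is a fixed constructed value so the demo is deterministic."""
    timestamp = struct.pack("<Q", 0x01C7609F00000000)
    return (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def demo():
    """Walk through the post's scenario with constructed inputs."""
    user, domain, password = "ntlmh", "DEV", "password"   # constructed sample
    stored = nt_hash(password)           # the only value that belongs in sambaNTPassword
    server_challenge = bytes(range(8))   # constructed; random per session in practice
    blob = make_client_blob(b"\x11" * 8)
    resp = ntlmv2_response(stored, user, domain, server_challenge, blob)
    wrong_attr = ntlmv2_key(stored, user, domain)   # a derived v2 value stored by mistake
    return {
        "stored_nt_hash": stored.hex().upper(),
        "ntlmv2_ok": check_ntlmv2(stored, user, domain, server_challenge, resp),
        "interactive_ok": check_interactive(stored, nt_hash(password)),
        "wrong_attr_interactive": check_interactive(wrong_attr, nt_hash(password)),
        "wrong_attr_ntlmv2": check_ntlmv2(wrong_attr, user, domain, server_challenge, resp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints the `demo()` results: with the NT hash stored, both the network (NTLMv2) check and the interactive check succeed; with a derived NTLMv2 value stored in its place, both fail, which is the NT_STATUS_WRONG_PASSWORD outcome in the log extract. `stored_nt_hash` is the upper-case hex form that smbpasswd or smbldap-tools would write into sambaNTPassword.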
