[Samba] NTLMv2 configuration problems

Andrew Bartlett abartlet at samba.org
Wed Mar 7 21:43:36 GMT 2007


On Wed, 2007-03-07 at 03:57 -0800, jamurph wrote:
> I'm running CentOS 4.3 and Samba 3.0.24. I have an OpenLDAP backend. I have
> successfully got a Windows Domain to work, Windows XP -> Samba -> OpenLDAP.
> I can add machines to the domain and I can log in and change passwords. The
> trouble is that I'm using NTLM and have been told that I must upgrade to
> NTLMv2, but I'm having great difficulty doing so.
> 
> I have existing NTLM users. I want to disable the use of NTLM, so I ran
> secpol.msc and changed the LAN Manager Authentication Level to:
> 
>   "Send NTLMv2 response only \ refuse LM and NTLM passwords"
> 
> I changed smb.conf to include:
>     ntlm auth = no
>     client ntlmv2 auth = yes
>     client lanman auth = no
>     lanman auth = no
>     min protocol = NT1
> 
> I restarted the PC and Samba.
> 
> However, I can still log in users which have NTLM hash passwords, is this
> right? I don't think so. Does samba cache machine settings anywhere? I know
> Samba works, I'm missing some configuration, I just don't know what it is.
> 
> When I run smbpasswd, it seems to create NTLM hashed passwords? Should it
> only create NTLMv2 passwords if I set client ntlmv2 auth = yes?
> 
> I created new users and I have stored an NTLMv2 hashed password in
> sambaNTPassword, I'm assuming NTLMv2 passwords need to be stored in this
> attribute as I don't see an alternative?

The server stores the same password hash for NTLMv2 as NTLM.  The
difference is how the challenge-response is calculated.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
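
The point made in the reply above, as an added example that is not part of the original thread and is not Samba code: the server keeps one 16-byte NT hash (the value held in sambaNTPassword), and an NTLMv2 response is computed from it per challenge with HMAC-MD5. The account values are the sample user from the MS-NLMP specification's worked examples, the function names are hypothetical, and the client blob is a random stand-in for the real timestamp, client nonce and target-info structure.

```python
import hashlib
import hmac
import os

# Sample account from the MS-NLMP specification's worked examples.
# NT_HASH is MD4(UTF-16LE("Password")), i.e. the 16 bytes a Samba LDAP
# backend would hold (hex-encoded) in sambaNTPassword for this user.
USER, DOMAIN = "User", "Domain"
NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the stored NT hash."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def client_response(nt_hash, user, domain, server_challenge, blob):
    """What the client sends: 16-byte proof followed by the blob it covers."""
    key = ntlmv2_key(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash, user, domain, server_challenge, response):
    """Server side: recompute the proof from the stored NT hash and compare."""
    proof, blob = response[:16], response[16:]
    key = ntlmv2_key(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    challenge = os.urandom(8)            # server's 8-byte challenge
    blob = b"\x01\x01" + os.urandom(26)  # stand-in for the real client blob
    resp = client_response(NT_HASH, USER, DOMAIN, challenge, blob)
    return server_verify(NT_HASH, USER, DOMAIN, challenge, resp)


if __name__ == "__main__":
    print("NTLMv2 key:", ntlmv2_key(NT_HASH, USER, DOMAIN).hex())
    print("verified against stored NT hash:", demo())
```

Nothing in the stored attribute changes when a site moves from NTLM to NTLMv2; only the response computation accepted on the wire does.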