[Samba] NTLMv2, Samba, and Squid

mups.cp mups.cp at gmail.com
Sat Sep 8 15:35:20 GMT 2007


If you'd like to force NTLMv2 authentication, these settings in your
smb.conf could help:
ntlm auth = Yes
client NTLMv2 auth = Yes
min protocol = LANMAN2
max protocol = NT1

I also put these:
client lanman auth = No
client plaintext auth = No
use spnego = Yes
client use spnego = Yes

For the client part, if you want, there are these Microsoft articles for
Windows 95/98/NT that work in XP too, so I think they also work for
Windows Vista:
http://support.microsoft.com/?scid=kb%3Ben-us%3B239869&x=14&y=10
http://support.microsoft.com/?scid=kb%3Ben-us%3B147706&x=15&y=10

Even on XP clients I prefer to strictly force NTLMv2.


On 9/7/07, Darren Maskowitz <squitz at gmail.com> wrote:
> Here is the problem: I'm setting up a new squid proxy server with
> authentication via Samba and NTLM because the old one died suddenly.
> The new one is up and running and I have it working; mostly. The
> kicker is the 2 employees testing Vista (myself and my supervisor)
> could not authenticate against the server. I say could because through
> a variety of testing and some lucky reading I found the cause of the
> problem to be that by default Windows Vista uses NTLMv2 only, and when
> I change the setting to LM & NTLM using NTLMv2 for negotiation it all
> works. The old proxy server allowed us to authenticate using NTLMv2,
> and that is the goal of this question: what am I missing in my
> configuration? Here's a dump of smb.conf taken via a testparm:
>
> [global]
>        workgroup = EDMCOMPUTRONIX
>        realm = COMPUTRONIX.COM
>        server string = CX Canada's SQUID Web Proxy
>        security = ADS
>        password server = 206.75.5.19
>        log file = /var/log/samba/%m.log
>        max log size = 500
>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>        preferred master = No
>        domain master = No
>        dns proxy = No
>        idmap uid = 16777216-33554431
>        idmap gid = 16777216-33554431
>        winbind separator = +
>        winbind enum users = Yes
>        winbind enum groups = Yes
>        winbind use default domain = Yes
>
> [test]
>        path = /testshare
>        guest ok = Yes
>
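Added example, not part of the original thread: a small Python check that reads the [global] section of an smb.conf or testparm dump and reports which of the authentication settings suggested in the reply are unset or set differently. The function names and the sample configuration are constructed for illustration, and the check covers only the yes/no authentication parameters from the reply, not the protocol limits.

```python
import re

# Values suggested in the reply above (the thread's settings, not Samba defaults).
SUGGESTED = {
    "ntlm auth": True,
    "client ntlmv2 auth": True,
    "client lanman auth": False,
    "client plaintext auth": False,
    "use spnego": True,
    "client use spnego": True,
}
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

# Constructed sample: two lines from the posted dump plus two added settings.
SAMPLE = """[global]
    workgroup = EDMCOMPUTRONIX
    security = ADS
    client NTLMv2 auth = Yes
    Client Lanman Auth = yes
    ; use spnego = No
[test]
    ntlm auth = No
"""

def norm(name):
    # smb.conf parameter names ignore case and whitespace
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: raw value} for the [global] section only."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.lstrip("> \t").strip()      # tolerate '>'-quoted mail text
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """List (parameter, found, suggested) for settings that are unset or differ."""
    params, findings = parse_global(text), []
    for name, want in SUGGESTED.items():
        raw = params.get(norm(name))
        val = None if raw is None else raw.lower()
        have = True if val in TRUE else False if val in FALSE else None
        if have is not want:
            found = "(not set)" if raw is None else raw
            findings.append((name, found, "Yes" if want else "No"))
    return findings
```

A "(not set)" finding means the parameter falls back to the default of the installed Samba version; `testparm -v` prints those defaults, so its output can be fed to `audit()` to see the effective values.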

