[Samba] Stumbling blocks moving to NTLMv2

Quinn Fissler qfissler at gmail.com
Tue Sep 25 16:37:51 GMT 2007


Hi folks,

I have been asked to force NTLMv2 logins to avoid use of LM hashes.

To meet the requirement I added some lines to the smb.conf in [Global] (we
only have that section anyway - this is purely for domain authentication
with an ldap backend):

   client lanman auth = no
   client NTLMv2 auth = yes
   lanman auth = no
   min protocol = LANMAN2
   ntlm auth = no

This seemed to work - users could log in and doing a tcpdump showed that the
dialogue was different with NTLMSSP appearing.

There was a problem though: Citrix users got locked out, so I changed a
registry setting on all Windows PCs and the Citrix server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel
was set to 3 and the Citrix machine rebooted.

We found that it didn't help with the citrix problem so we reverted the
samba change.
All back to normal - Citrix users are happy.

Later, we found that some new laptops couldn't join the domain - reverting
the samba change made that work too.

Hunting around for info has proved fruitless so far.

The problem is that the change is required.

Does anyone have experience of this?

Or know of any useful docs?

mtia

Q


FYI
Samba 3.0.23c
Clients are a Win 2003 Server with Citrix and some XP Pro desktops
(including some laptops).
RHEL AS 4u5

smb.conf:
[global]
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = MYCO
        netbios name = MYCO-PDC
        server string = Samba Server
        interfaces = bond0
        passdb backend = ldapsam:"ldaps://pri-ldap:636"
        passwd program = /usr/sbin/ldap_userPassword_change %u
        passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success****
        check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
        unix password sync = Yes
        lanman auth = No
        ntlm auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 2
        syslog = 0
        log file = /var/log/samba/%m.log
        max log size = 100000
        min protocol = LANMAN2
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        show add printer wizard = No
        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
        delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%m"
        logon path = ""
        logon home = ""
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=rdn,dc=myco,dc=co,dc=uk
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ldap suffix = dc=myco,dc=co,dc=uk
        ldap user suffix = ou=Users
        idmap backend = ldap:ldaps://pri-ldap:636
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        max print jobs = 0
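Added example, not part of the post above and not Samba's own code: a small Python audit that parses the authentication-related parameters from an smb.conf (the sample text is constructed from the settings quoted in the post) and checks which Windows LmCompatibilityLevel values can still authenticate against a server configured that way. Two facts it relies on: Samba's `lanman auth = no` makes the server refuse LM responses and `ntlm auth = no` makes it refuse NTLMv1 responses (NTLMv2 is always accepted); and a Windows client at LmCompatibilityLevel 0 or 1 sends LM and NTLMv1, at level 2 sends NTLMv1 only, and at level 3 or above sends NTLMv2 only. Parameters the config does not set are reported as unknown because their default depends on the Samba version, which is an assumption you should confirm against your release's smb.conf(5). The parser itself (case-insensitive keys with whitespace ignored, backslash line continuation) is a deliberately minimal reading of Samba's syntax, not the real loadparm code.

```python
"""Audit smb.conf auth settings against Windows LmCompatibilityLevel values."""
import re
from typing import Dict, Optional, Set

# Constructed sample: the auth-related lines quoted in the mailing-list post.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = MYCO
        lanman auth = No
        ntlm auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        min protocol = LANMAN2
"""

AUTH_PARAMS = ("lanmanauth", "ntlmauth", "clientlanmanauth",
               "clientntlmv2auth", "clientplaintextauth")


def _norm_key(key: str) -> str:
    """Samba parameter names are case-insensitive and ignore internal whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: sections, key = value, #/; comments, backslash continuation."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # continuation: join with the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][_norm_key(key)] = value.strip()
    return sections


def to_bool(value: str) -> Optional[bool]:
    """Samba boolean spellings; None for anything unrecognised."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None


def audit_auth(conf: Dict[str, Dict[str, str]]) -> Dict[str, Optional[bool]]:
    """Return each auth parameter as True/False, or None when not set (version-dependent default)."""
    g = conf.get("global", {})
    return {p: (to_bool(g[p]) if p in g else None) for p in AUTH_PARAMS}


def client_sends(level: int) -> Set[str]:
    """Response types a Windows client sends at a given LmCompatibilityLevel (0-5)."""
    if level in (0, 1):
        return {"LM", "NTLMv1"}
    if level == 2:
        return {"NTLMv1"}
    if level in (3, 4, 5):
        return {"NTLMv2"}
    raise ValueError("LmCompatibilityLevel must be 0..5")


def client_compatible(level: int, report: Dict[str, Optional[bool]]) -> Optional[bool]:
    """True if the client sends a response the server definitely accepts,
    False if it sends only responses the server definitely refuses,
    None if the outcome depends on an unset (unknown-default) parameter."""
    accepted = {"NTLMv2"}                 # Samba accepts NTLMv2 regardless of these knobs
    unknown = set()
    for resp, param in (("LM", "lanmanauth"), ("NTLMv1", "ntlmauth")):
        if report[param] is True:
            accepted.add(resp)
        elif report[param] is None:
            unknown.add(resp)
    sends = client_sends(level)
    if sends & accepted:
        return True
    if sends & unknown:
        return None
    return False


if __name__ == "__main__":
    report = audit_auth(parse_smb_conf(SAMPLE_SMB_CONF))
    for param, val in report.items():
        print(f"{param:22s} {'unset' if val is None else val}")
    for lvl in range(6):
        print(f"LmCompatibilityLevel {lvl}: {client_compatible(lvl, report)}")
```

Run against the posted settings it reports levels 0, 1 and 2 as refused and 3, 4 and 5 as accepted, which is the pattern to check on any Windows host (Citrix server, freshly imaged laptop) that starts failing after `ntlm auth = no` goes in: a machine still at a level below 3 has nothing the server will take.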
