[Samba] Stumbling blocks moving to NTLMv2
qfissler at gmail.com
Tue Sep 25 16:37:51 GMT 2007
I have been asked to force NTLMv2 logins to avoid use of LM hashes.
To meet the requirement I added some lines to the smb.conf in [Global] (we
only have that section anyway - this is purely for domain authentication
with an ldap backend):
client lanman auth = no
client NTLMv2 auth = yes
lanman auth = no
min protocol = LANMAN2
ntlm auth = no
This seemed to work - users could log in and doing a tcpdump showed that the
dialogue was different with NTLMSSP appearing.
There was a problem though: Citrix users got locked out, so I changed a
registry setting on all Windows PCs and the Citrix server:
was set to 3 and the Citrix machine rebooted.
We found that it didn't help with the Citrix problem so we reverted the
All back to normal - Citrix users are happy.
Later, we found that some new Laptops couldn't join the domain - reverting
the samba change made that work too.
Hunting around for info has proved fruitless so far.
The problem is that the change is required.
Does anyone have experience of this?
Or know of any useful docs?
Clients are a Win 2003 Server with Citrix and some XP Pro desktops
(including some laptops).
RHEL AS 4u5
dos charset = 850
unix charset = ISO8859-1
workgroup = MYCO
netbios name = MYCO-PDC
server string = Samba Server
interfaces = bond0
passdb backend = ldapsam:"ldaps://pri-ldap:636"
passwd program = /usr/sbin/ldap_userPassword_change %u
passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n
check password script = /sbin/crackcheck -c -d
unix password sync = Yes
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 2
syslog = 0
log file = /var/log/samba/%m.log
max log size = 100000
min protocol = LANMAN2
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
printcap name = /dev/null
disable spoolss = Yes
show add printer wizard = No
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g'
add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%m"
logon path = ""
logon home = ""
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=rdn,dc=myco,dc=co,dc=uk
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=myco,dc=co,dc=uk
ldap user suffix = ou=Users
idmap backend = ldap:ldaps://pri-ldap:636
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
max print jobs = 0
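An added example, not code from the original post or from the Samba project: a small audit script that parses the [global] section of an smb.conf, reports whether the LM/NTLMv1-related parameters the post sets are explicitly at their NTLMv2-only values, and then works out, for each Windows LmCompatibilityLevel (the HKLM\SYSTEM\CurrentControlSet\Control\Lsa value, 0-5), whether a client at that level sends any response type the server still accepts. The "hardened" config is the post's own testparm output reduced to its authentication lines; the "weak" config is constructed for contrast. Assumptions: Samba 3-era boolean semantics, where `lanman auth` governs acceptance of LM responses, `ntlm auth` governs NTLMv1 responses and NTLMv2 responses are always accepted; an unset parameter is reported as unknown rather than assumed, because the defaults changed across Samba releases; and the per-level client behaviour table is as Microsoft documents it (levels 0-1 send LM and NTLMv1, 2 sends NTLMv1 only, 3-5 send NTLMv2 only). This is the check I would run before rolling out `ntlm auth = no`; it does not diagnose the specific Citrix and domain-join failures the post reports.

```python
"""Audit smb.conf [global] for LM/NTLMv1 acceptance and map it against the
Windows LmCompatibilityLevel a client runs at. Added example; assumes Samba 3
boolean semantics for 'lanman auth' / 'ntlm auth' (see lead-in)."""
import re

# Constructed contrast case: a server that still accepts LM and NTLMv1.
WEAK_SMB_CONF = """\
[global]
   workgroup = MYCO
   lanman auth = yes
   ntlm auth = yes
   client lanman auth = yes
"""

# Authentication-related lines copied from the post's testparm output.
HARDENED_SMB_CONF = """\
[global]
   workgroup = MYCO
   passdb backend = ldapsam:"ldaps://pri-ldap:636"
   lanman auth = No
   ntlm auth = No
   client NTLMv2 auth = Yes
   client lanman auth = No
   client plaintext auth = No
   min protocol = LANMAN2
"""

# Response types a Windows client sends per LmCompatibilityLevel (assumed
# from Microsoft's documentation). Levels 4/5 only add DC-side refusals.
CLIENT_SENDS = {
    0: {"lm", "ntlmv1"},
    1: {"lm", "ntlmv1"},   # same responses, NTLMv2 session security if negotiated
    2: {"ntlmv1"},
    3: {"ntlmv2"},
    4: {"ntlmv2"},
    5: {"ntlmv2"},
}

# NTLMv2-only posture: every one of these must be set explicitly.
REQUIRED = {
    "lanmanauth": False,
    "ntlmauth": False,
    "clientlanmanauth": False,
    "clientplaintextauth": False,
    "clientntlmv2auth": True,
}


def _key(name):
    """smb.conf parameter names ignore case and internal whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return {normalised parameter: raw value} for the [global] section."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)   # values may contain ':' or '"'
            conf[_key(name)] = value.strip()
    return conf


def as_bool(value):
    """Samba boolean spellings; Samba 4's 'ntlmv2-only' style values raise."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")


def server_accepts(conf):
    """Response types smbd accepts; None = parameter unset, default unknown."""
    def setting(name):
        return as_bool(conf[name]) if name in conf else None
    return {"lm": setting("lanmanauth"), "ntlmv1": setting("ntlmauth"),
            "ntlmv2": True}


def audit(conf):
    """Findings; an empty list means the NTLMv2-only posture is explicit."""
    findings = []
    for name, wanted in REQUIRED.items():
        want = "yes" if wanted else "no"
        if name not in conf:
            findings.append(f"{name}: not set; set it to '{want}' explicitly")
        elif as_bool(conf[name]) != wanted:
            findings.append(f"{name} = {conf[name]}: should be '{want}'")
    return findings


def client_can_authenticate(conf, level):
    """True if a client at this level sends a response the server is
    explicitly configured to accept (unset parameters count as 'no')."""
    accepts = server_accepts(conf)
    return any(accepts[r] for r in CLIENT_SENDS[level])


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        conf = parse_global(text)
        print(f"== {label} ==")
        for f in audit(conf) or ["no findings"]:
            print("  ", f)
        print("   level ->", {l: client_can_authenticate(conf, l) for l in CLIENT_SENDS})
```

Against the post's settings the script reports no findings and shows that clients at LmCompatibilityLevel 0, 1 and 2 have nothing the server will accept, while 3, 4 and 5 do; against the weak config every level authenticates and all five parameters are flagged. Run it as `python3 smbauth_audit.py`, or point `parse_global` at the output of `testparm -s` for a live server.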