[Samba] Samba 3.6.5 not working with EMC server that only supports NTLM

[Andrew Bartlett]

On Mon, 2013-10-28 at 19:04 +0000, Tompkins, Michael wrote:
> Samba 3.6.5 client does not train down to plain NTLM if there is no
> "client ntlmv2 auth = no" statement in the smb.conf file. If the
> server is configured for just plain NTLM (not NTLMv2), the client will
> receive a login error, without the smb.conf statement. I know that
> smbclient 3.6.5 defaults to "client ntlmv2 auth = yes", but the lack
> of it should be able to login as just NTLM. This is to a EMC server.

It is not possible to 'train down' to plain NTLM, without:
 - intorucing all the security problems using NTLMv2 was designed to
avoid
and
 - increasing the server-side bad password count by two for each failed
login

Additionally, Windows clients have defaulted to NTLMv2 for quite some
time now.  They would fail in the same way, unless there is an
additional factor, which is how you should investigate this.  Do you
have other options such as 'client use spnego = false' set, that might
be another difference with the presumably working Windows clients?

As a start, get a comparative set of network traces between working
Windows and failing Samba, and use as close to default set of smb.conf
options as possible. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org