[Samba] Samba 4 Domain Provisioning

Jacques Serfontein jacques.serfontein at gmail.com
Mon Nov 17 08:39:00 MST 2014


I have been having issues with NTLMv2 on newly provisioned domains, using
Samba 4.1 from backports on Debian Wheezy.

Everything seems to be working fine, except for NTLMv2 authentication with
Squid and "ntlm_auth" on newer Windows versions.

If I set "Lmcompatibility" down on the Windows PCs, then authentication
works, but that is a temporary workaround at best.

I have tried installing and reinstalling on numerous VMs, trying to isolate
the cause, but to no avail, and I know the config is working, since copying
a previously provisioned domain (/etc/samba/smb.conf + /var/lib/samba) to
the new server works as expected.

Increasing the log level yields the following:

schannel_fetch_session_key_tdb: restored schannel info key
schannel_store_session_key_tdb: stored schannel info with key
auth_check_password_send: Checking password for unmapped user
auth_check_password_send: mapped user is: [DOMAIN]\[Administrator]@[PC001]
ntlm_password_check: NTLMv2 password check failed
ntlm_password_check: Lanman passwords NOT PERMITTED for user Administrator
ntlm_password_check: LM password, NT MD4 password in LM field and LMv2
failed for user Administrator
auth_check_password_recv: sam_ignoredomain authentication for user

Any help would be greatly appreciated, since I have run out of ideas...

