[Samba] invalid NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
Boris S.
ml16 at bst.myftp.info
Fri Nov 4 18:43:25 UTC 2016
Answering my own question:
I "fixed" it by forcing Windows 7 clients to use LM/NTLM,
using gpedit.msc -> Local Computer Policy - Computer Configuration -
Windows Settings - Security Settings - Local Policies - Security Options
Changing "LAN Manager authentication level" to "send LM & NTLM responses"
https://social.technet.microsoft.com/Forums/windows/en-US/aca3e2d0-6d43-431f-bbba-3c01aea6d5a6/changing-authentication-level?forum=w7itpronetworking
So it seems that all current Samba versions don't support a classic
domain (PDC) to use NTLMv2,
although it was possible until Samba 4.2.11.
Boris
On 24.10.2016 at 19:03, Boris S. via samba wrote:
>
> Hello,
>
> Since I upgraded my NT4 domain from Samba 4.2.11 to 4.2.14 I can no
> longer authenticate
> when I access any share.
> After that I even upgraded to Samba 4.4.5 but still get the same error:
>
>
> [2016/10/15 04:42:19.786198, 2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [xx] -> [xx] -> [xx]
> succeeded
> [2016/10/15 04:42:19.789933, 1]
> ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
> ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx]
> domain=[XXXXXXX] workstation=[XXXXX]
> [2016/10/15 04:42:19.789982, 1] ../lib/util/util.c:559(dump_data)
> [0000] 97 BD D0 A6 D7 16 E4 0A 59 33 62 ED CC 6A 35 04 ........
> Y3b..j5.
> [2016/10/15 04:42:19.790035, 1] ../lib/util/util.c:559(dump_data)
> [0000] F2 85 BB 00 46 11 89 C4 84 E3 2C 4C 5D FA F4 6A ....F...
> ..,L]..j
> [2016/10/15 04:42:19.790095, 2]
> ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
>
>
> Server: FreeBSD 10.3/64 bit
> Clients: Windows 7 64bit
>
> When I downgrade to 4.2.11 everything works again.
> An upgrade to DC is currently not an option so I need to stick to
> NT4 PDC for a while.
>
> I duplicated the whole server to a VM, so I could test anything and
> wouldn't harm the production server.
>
> Any idea what might be the cause?
> Do you need more information?
>
>
>
>
> My smb.conf:
>
> [global]
>
> workgroup = XXXXXXX
> netbios name = SERVER
> unix password sync = false
> max log size = 100
> unix extensions = no
> log level = 2 vfs:2
> map to guest = Bad User
> server max protocol = smb2
> server min protocol = smb2
> passdb backend = tdbsam
> unix charset = ISO8859-1
> dos charset = CP1252
> bind interfaces only = yes
> hosts allow = 192.168.255. 127.
> acl allow execute always = True
> load printers = no
> log file = /var/log/samba4/log.%m
> log level = 2
> security = user
> encrypt passwords = yes
> interfaces = em0, lo0
> local master = yes
> os level = 65
> domain master = yes
> preferred master = yes
> domain logons = yes
> wins support = yes
> wins proxy = yes
> dns proxy = no
>
>
>
>
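
A log check for the failure signature shown in the quoted log, as an added example that is not part of the original post or of Samba: it folds Samba's multi-line log records and reports `invalid NTLMSSP_MIC` rejections, marking those where the password check for the same user had just succeeded, which separates this failure from a wrong password. The sample log, its user, domain and workstation values, and the names `records` and `mic_failures` are constructed for illustration.

```python
import re

# Constructed sample in Samba's record layout: a "[timestamp, level] source" header
# followed by indented message lines. User, domain and workstation are made up.
SAMPLE_LOG = """\
[2016/10/15 04:42:19.786198,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [alice] succeeded
[2016/10/15 04:42:19.789933,  1] ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
  ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[alice] domain=[EXAMPLE] workstation=[PC01]
[2016/10/15 04:42:19.790095,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
AUTH_OK = re.compile(r"authentication for user \[([^\]]*)\].*succeeded")
MIC_BAD = re.compile(
    r"invalid NTLMSSP_MIC for user=\[([^\]]*)\]\s+domain=\[([^\]]*)\]\s+workstation=\[([^\]]*)\]"
)

def records(text):
    """Yield (timestamp, message); lines up to the next header are folded into one message."""
    ts, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(parts)
            ts, parts = m.group(1), []
        elif ts is not None and line.strip():
            parts.append(line.strip())  # also rejoins records wrapped by a mail client
    if ts is not None:
        yield ts, " ".join(parts)

def mic_failures(text):
    """Return one dict per MIC rejection, with password_ok set if auth had just succeeded."""
    verified, found = set(), []
    for ts, msg in records(text):
        ok = AUTH_OK.search(msg)
        if ok:
            verified.add(ok.group(1))
            continue
        bad = MIC_BAD.search(msg)
        if bad:
            user, domain, workstation = bad.groups()
            found.append({"time": ts, "user": user, "domain": domain,
                          "workstation": workstation, "password_ok": user in verified})
            verified.discard(user)
    return found

if __name__ == "__main__":
    for hit in mic_failures(SAMPLE_LOG):
        print(hit)
```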