[Samba] invalid NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
ml16 at bst.myftp.info
Fri Nov 4 18:43:25 UTC 2016
Answering my own question:
I "fixed" it with forcing Windows 7 clients to use LM/NTLM.
using gpedit.msc -> Local Computer Policy - Computer Configuration -
Windows Settings - Security Settings - Local Policies - Security Options
Changing "LAN Manager authentication level" to "send LM & NTLM responses"
So it seems that all current Samba versions doesn't support a classic
domain (PDC) to use NTLMv2
although it was possible until Samba 4.2.11.
Am 24.10.2016 um 19:03 schrieb Boris S. via samba:
> since I upgraded my NT4 domain Samba 4.2.11 to 4.2.14 I can no
> longer authenticate
> when I access any share.
> After that I even upgraded to Samba 4.4.5 but still get the same error:
> [2016/10/15 04:42:19.786198, 2]
> check_ntlm_password: authentication for user [xx] -> [xx] -> [xx]
> [2016/10/15 04:42:19.789933, 1]
> ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx]
> domain=[XXXXXXX] workstation=[XXXXX]
> [2016/10/15 04:42:19.789982, 1] ../lib/util/util.c:559(dump_data)
>  97 BD D0 A6 D7 16 E4 0A 59 33 62 ED CC 6A 35 04 ........
> [2016/10/15 04:42:19.790035, 1] ../lib/util/util.c:559(dump_data)
>  F2 85 BB 00 46 11 89 C4 84 E3 2C 4C 5D FA F4 6A ....F...
> [2016/10/15 04:42:19.790095, 2]
> SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
> Server: FreeBSD 10.3/64 bit
> Clients: Windows 7 64bit
> When I downgrade to 4.2.11 everything works again.
> An upgrade to DC is currently not an option so I need to stick to
> NT4 PDC for a while.
> I duplicated the whole server to a VM, so I could test anything and
> wouldn't harm the production server.
> Any idea what might the cause?
> Do you need more Information?
> My smb.conf:
> workgroup = XXXXXXX
> netbios name = SERVER
> unix password sync = false
> max log size = 100
> unix extensions = no
> log level = 2 vfs:2
> map to guest = Bad User
> server max protocol = smb2
> server min protocol = smb2
> passdb backend = tdbsam
> unix charset = ISO8859-1
> dos charset = CP1252
> bind interfaces only = yes
> hosts allow = 192.168.255. 127.
> acl allow execute always = True
> load printers = no
> log file = /var/log/samba4/log.%m
> log level = 2
> security = user
> encrypt passwords = yes
> interfaces = em0, lo0
> local master = yes
> os level = 65
> domain master = yes
> preferred master = yes
> domain logons = yes
> wins support = yes
> wins proxy = yes
> dns proxy = no
More information about the samba