[Samba] invalid NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER

Boris S. ml16 at bst.myftp.info
Fri Nov 4 18:43:25 UTC 2016


Answering my own question:

I "fixed" it by forcing Windows 7 clients to use LM/NTLM.

using gpedit.msc -> Local Computer Policy - Computer Configuration - 
Windows Settings - Security Settings - Local Policies - Security Options
Changing "LAN Manager authentication level" to "send LM & NTLM responses"
https://social.technet.microsoft.com/Forums/windows/en-US/aca3e2d0-6d43-431f-bbba-3c01aea6d5a6/changing-authentication-level?forum=w7itpronetworking 


So it seems that all current Samba versions don't support a classic 
domain (PDC) to use NTLMv2,
although it was possible until Samba 4.2.11.

Boris



On 24.10.2016 at 19:03, Boris S. via samba wrote:
>
> Hello,
>
> Since I upgraded my NT4 domain Samba 4.2.11 to 4.2.14 I can no 
> longer authenticate
> when I access any share.
> After that I even upgraded to Samba 4.4.5 but still get the same error:
>
>
> [2016/10/15 04:42:19.786198,  2] 
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [xx] -> [xx] -> [xx] 
> succeeded
> [2016/10/15 04:42:19.789933,  1] 
> ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
>   ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx] 
> domain=[XXXXXXX] workstation=[XXXXX]
> [2016/10/15 04:42:19.789982,  1] ../lib/util/util.c:559(dump_data)
>   [0000] 97 BD D0 A6 D7 16 E4 0A   59 33 62 ED CC 6A 35 04 ........ 
> Y3b..j5.
> [2016/10/15 04:42:19.790035,  1] ../lib/util/util.c:559(dump_data)
>   [0000] F2 85 BB 00 46 11 89 C4   84 E3 2C 4C 5D FA F4 6A ....F... 
> ..,L]..j
> [2016/10/15 04:42:19.790095,  2] 
> ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
>
>
> Server: FreeBSD 10.3/64 bit
> Clients: Windows 7 64bit
>
> When I downgrade to 4.2.11 everything works again.
> An upgrade to DC is currently not an option so I need to stick to 
> NT4 PDC for a while.
>
> I duplicated the whole server to a VM, so I could test anything and 
> wouldn't harm the production server.
>
> Any idea what might be the cause?
> Do you need more information?
>
>
>
>
> My smb.conf:
>
> [global]
>
>    workgroup = XXXXXXX
>    netbios name = SERVER
>    unix password sync = false
>    max log size = 100
>    unix extensions = no
>    log level = 2 vfs:2
>    map to guest = Bad User
>    server max protocol = smb2
>    server min protocol = smb2
>    passdb backend = tdbsam
>    unix charset = ISO8859-1
>    dos charset = CP1252
>    bind interfaces only = yes
>    hosts allow = 192.168.255. 127.
>    acl allow execute always = True
>    load printers = no
>    log file = /var/log/samba4/log.%m
>    log level = 2
>    security = user
>    encrypt passwords = yes
>    interfaces = em0, lo0
>    local master = yes
>    os level = 65
>    domain master = yes
>    preferred master = yes
>    domain logons = yes
>    wins support = yes
>    wins proxy = yes
>    dns proxy = no
>
>
>
>
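
The log excerpt in the quoted message shows the password check succeeding and the NTLMSSP_MIC check failing right after it, so the rejection is not a wrong password. A parser for that pattern, as an added example that is not part of the original thread or of Samba: the function names are hypothetical, and the sample log is constructed from the quoted excerpt with the mail line wraps undone and the hex dump omitted.

```python
import re

# Record header: "[timestamp, level] file:line(function)"; message lines are indented.
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+\S+\((?P<func>\w+)\)")
AUTH_OK = re.compile(r"authentication for user \[([^\]]*)\].*succeeded")
MIC_FAIL = re.compile(r"invalid NTLMSSP_MIC for user=\[(?P<user>[^\]]*)\] "
                      r"domain=\[(?P<domain>[^\]]*)\] workstation=\[(?P<workstation>[^\]]*)\]")
SPNEGO_FAIL = "SPNEGO login failed: "

# Constructed sample (see the lead-in); placeholders xx/XXXXX are as in the post.
SAMPLE_LOG = """\
[2016/10/15 04:42:19.786198,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [xx] -> [xx] -> [xx] succeeded
[2016/10/15 04:42:19.789933,  1] ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
  ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx] domain=[XXXXXXX] workstation=[XXXXX]
[2016/10/15 04:42:19.789982,  1] ../lib/util/util.c:559(dump_data)
  [0000] (hex dump omitted)
[2016/10/15 04:42:19.790095,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
"""

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["func"], "msg": ""})
        elif records and line.strip():
            rec = records[-1]
            rec["msg"] = f'{rec["msg"]} {line.strip()}'.strip()
    return records

def mic_failures(records):
    """Report each MIC failure, whether the password check had just passed for
    that user, and the SPNEGO status logged afterwards (None if absent)."""
    findings, last_ok_user = [], None
    for i, rec in enumerate(records):
        ok = AUTH_OK.search(rec["msg"])
        if ok:
            last_ok_user = ok.group(1)
        m = MIC_FAIL.search(rec["msg"])
        if m:
            status = next((r["msg"][len(SPNEGO_FAIL):] for r in records[i + 1:]
                           if r["msg"].startswith(SPNEGO_FAIL)), None)
            findings.append({"ts": rec["ts"], **m.groupdict(),
                             "password_ok": last_ok_user == m["user"],
                             "spnego_status": status})
    return findings
```

Calling `mic_failures(parse_records(SAMPLE_LOG))` returns one finding with `password_ok` set to `True`; run over the real `log.%m` files, grouping the findings by `workstation` shows which clients are affected.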



