[Samba] invalid NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER

Boris S. ml16 at bst.myftp.info
Sun Oct 16 14:40:36 UTC 2016 

Hello,

since I upgraded my NT4 domain Samba 4.2.11 to 4.2.14 I can no longer 
authenticate
when I access any share.
After that I even upgraded to Samba 4.4.5 but still get the same error:


[2016/10/15 04:42:19.786198,  2] 
../source3/auth/auth.c:305(auth_check_ntlm_password)
   check_ntlm_password:  authentication for user [xx] -> [xx] -> [xx] 
succeeded
[2016/10/15 04:42:19.789933,  1] 
../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
   ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx] 
domain=[XXXXXXX] workstation=[XXXXX]
[2016/10/15 04:42:19.789982,  1] ../lib/util/util.c:559(dump_data)
   [0000] 97 BD D0 A6 D7 16 E4 0A   59 33 62 ED CC 6A 35 04 ........ 
Y3b..j5.
[2016/10/15 04:42:19.790035,  1] ../lib/util/util.c:559(dump_data)
   [0000] F2 85 BB 00 46 11 89 C4   84 E3 2C 4C 5D FA F4 6A ....F... 
..,L]..j
[2016/10/15 04:42:19.790095,  2] 
../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_INVALID_PARAMETER


Server: FreeBSD 10.3/64 bit
Clients: Windows 7 64bit

When I downgrade to 4.2.11 everything works again.
An upgrade to DC is currently not an option so I need to stick to NT4 
PDC for a while.

I duplicated the whole server to a VM, so I could test anything and 
wouldn't harm the production server.



My smb.conf:

[global]

    workgroup = XXXXXXX
    netbios name = SERVER
    unix password sync = false
    max log size = 100
    unix extensions = no
    log level = 2 vfs:2
    map to guest = Bad User
    server max protocol = smb2
    server min protocol = smb2
    passdb backend = tdbsam
    unix charset = ISO8859-1
    dos charset = CP1252
    bind interfaces only = yes
    hosts allow = 192.168.255. 127.
    acl allow execute always = True
    load printers = no
    log file = /var/log/samba4/log.%m
    log level = 2
    security = user
    encrypt passwords = yes
    interfaces = em0, lo0
    local master = yes
    os level = 65
    domain master = yes
    preferred master = yes
    domain logons = yes
    wins support = yes
    wins proxy = yes
    dns proxy = no

More information about the samba mailing list