[Samba] question about ntlm

L.P.H. van Belle belle at bazuin.nl
Wed Feb 15 14:24:28 UTC 2017



Since I'm still having problems reading the man smb.conf about the NTLM settings, I'm asking here.

How do I allow NTLM auth for my proxy?


I have been playing around with:

        client NTLMv2 auth
        raw NTLMv2 auth
        ntlm auth
        lanman auth


I've added the proxy user to the winbind_privileged group
and set the needed rights.

chgrp winbindd_priv /var/lib/samba/winbindd_privileged/
adduser proxy winbindd_priv


I'm trying to keep as much as possible to the default settings.

I'm testing the following.


ntlm_auth --request-nt-key --username=someTestUser
ntlm_auth --request-lm-key --username=someTestUser
ntlm_auth --username=someTestUser --ntlmv2
ntlm_auth --username=someTestUser --lanman
ntlm_auth --username=someTestUser --krb5auth=someTestUser
ntlm_auth --diagnostics --username=someTestUser
wbinfo -a someTestUser
wbinfo --krb5auth=someTestUser
wbinfo --krb5auth='NTDOM\someTestUser'
wbinfo --krb5auth='someTestUser@INTERNAL.DOMAIN.TLD'



Situation:

Samba AD DC 4.5.3

Config: (left out the shares, the question is about auth)


        workgroup = NTDOM
        realm = INTERNAL.DOMAIN.TLD
        netbios name = DC1
        server role = active directory domain controller
        server services = -dns
        interfaces =
        bind interfaces only = yes
        time server = yes
        idmap_ldb:use rfc2307 = yes
        winbind nss info = rfc2307
        winbind expand groups = 4
        template shell = /bin/bash
        template homedir = /home/users/%U
        tls enabled = yes


My client setup.

Samba member 4.5.5 (and testing 4.5.3 also)


    workgroup = NTDOM
    security = ads

    netbios name = PROXY2
    preferred master = no
    domain master = no
    host msdfs = no
    interfaces =
    bind interfaces only = yes
    dns proxy = yes
    tls enabled = yes
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind offline logon = yes
    winbind expand groups = 4



Now I'm asking: where do we set what to make this work?


When I set in my proxy smb.conf

    lanman auth = yes
    raw NTLMv2 auth = yes
    ntlm auth = yes

I'm getting the same results as above with = no


and I'm testing:


wbinfo -a "NTDOM\someTestUser"
Enter NTDOM\someTestUser's password:
plaintext password authentication succeeded
Enter NTDOM\someTestUser's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(NTDOM\someTestUser): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error message was: Wrong Password
Could not authenticate user NTDOM\someTestUser with challenge/response

And the same result for: wbinfo -a someTestUser@ROTTERDAM.BAZUIN.NL


If a default setting is like: client plaintext auth = no

why do I get: plaintext password authentication succeeded?


What is missing in my setup? Or do I have to set up a less secure AD DC to make this work?

I'm still having a hard time figuring out if a setting is AD DC or member only, and man smb.conf isn't telling me what I need to know.


So I don't get it. :-(( Help :-))


Any assistance here is very welcome. ;-)
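The post experiments with the NTLM-related smb.conf options without a quick way to see what the effective (explicit or default) values are. The following is an added example, not code from the post or from the Samba project: a small smb.conf parser that fills in the Samba 4.5 defaults for the options the post names (`ntlm auth`, `lanman auth`, `raw NTLMv2 auth`, `client NTLMv2 auth`, `client plaintext auth`, plus `client lanman auth`) and reports which of them weaken the authentication posture. The sample configuration is constructed from the member config in the post together with the three `= yes` lines the author tried; the default values come from man smb.conf for 4.5.

```python
"""Audit NTLM / LanMan settings in a Samba smb.conf [global] section.

Added example, not part of the mailing-list post or of Samba itself.
Defaults below are the Samba 4.5 values from man smb.conf.
"""
import re

# Server-side options unless the name starts with "client" (Samba 4.5 defaults).
AUTH_DEFAULTS = {
    "ntlm auth": "no",            # NTLMv1 responses refused by default since 4.5
    "lanman auth": "no",          # LanMan responses refused
    "raw ntlmv2 auth": "no",      # NTLMv2 outside NTLMSSP refused
    "client ntlmv2 auth": "yes",  # our own client sends NTLMv2
    "client lanman auth": "no",   # our own client never sends LanMan responses
    "client plaintext auth": "no",  # our own client never sends cleartext passwords
}

# The value of each option that weakens authentication, with the reason.
WEAK = {
    "ntlm auth": ("yes", "server accepts NTLMv1 responses, which can be cracked offline"),
    "lanman auth": ("yes", "server accepts LanMan responses, which are trivially brute-forced"),
    "raw ntlmv2 auth": ("yes", "server accepts NTLMv2 outside NTLMSSP; only old clients need it"),
    "client ntlmv2 auth": ("no", "client falls back to NTLMv1"),
    "client lanman auth": ("yes", "client may send LanMan responses"),
    "client plaintext auth": ("yes", "client may send cleartext passwords over SMB"),
}


def normalize_key(key):
    """smb.conf parameter names are case-insensitive; collapse whitespace too."""
    return re.sub(r"\s+", " ", key.strip().lower())


def to_bool(value):
    """Samba boolean syntax: yes/true/1 and no/false/0."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a Samba boolean: %r" % value)


def parse_smb_conf(text):
    """Return {section: {key: value}} for smb.conf-style text.

    Blank lines and lines starting with '#' or ';' are ignored, as in Samba.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            continue
        key, value = line.split("=", 1)
        sections[current][normalize_key(key)] = value.strip()
    return sections


def effective_auth_settings(sections):
    """Explicit [global] value where present, otherwise the 4.5 default."""
    g = sections.get("global", {})
    return {k: to_bool(g.get(k, d)) for k, d in AUTH_DEFAULTS.items()}


def audit(text):
    """Return a sorted list of (option, weak_value, reason) for weak settings."""
    effective = effective_auth_settings(parse_smb_conf(text))
    findings = []
    for option, (weak_value, reason) in WEAK.items():
        if effective[option] == to_bool(weak_value):
            findings.append((option, weak_value, reason))
    return sorted(findings)


# Constructed sample: the post's member config plus the three lines it tried.
SAMPLE_PROXY_CONF = """\
[global]
    workgroup = NTDOM
    security = ads
    netbios name = PROXY2
    idmap config NTDOM : backend = ad
    # the three lines the post experiments with
    lanman auth = yes
    raw NTLMv2 auth = yes
    ntlm auth = yes
"""

if __name__ == "__main__":
    for option, value, reason in audit(SAMPLE_PROXY_CONF):
        print("%-22s = %-3s  %s" % (option, value, reason))
```

Run it against a DC's smb.conf as well as the member's: on a `security = ads` member the NTLM challenge/response is forwarded through winbind to the DC, so the DC's `[global]` is the one that decides whether NTLMv1 or LanMan responses are accepted, and the member's `ntlm auth` and `lanman auth` only govern accounts in its own local passdb. Note also that `client plaintext auth` controls what Samba's own SMB client is willing to send to a server; it has no bearing on the "plaintext password authentication" check that `wbinfo -a` performs, which is answered by winbind itself.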
