[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth

Rowland Penny rpenny at samba.org
Mon Jun 12 15:52:40 UTC 2017


On Mon, 12 Jun 2017 13:56:14 +0000
David Herselman via samba <samba at lists.samba.org> wrote:

> Hi everyone,
> 
> We just upgraded Samba from 4.4.5 to 4.6.5 and appear to be
> experiencing a problem with authentication, when the RPC domain is
> not supplied as part of the username.
> 

'winbind use default domain = yes' doesn't work on a DC

I think your main problem can be explained by this extract from the
release notes for 4.5.0:

NTLMv1 authentication disabled by default
-----------------------------------------

In order to improve security we have changed
the default value for the "ntlm auth" option from
"yes" to "no". This may have impact on very old
clients which doesn't support NTLMv2 yet.

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

By default, Samba will only allow NTLMv2 via NTLMSSP now,
as we have the following default "lanman auth = no",
"ntlm auth = no" and "raw NTLMv2 auth = no".

Rowland
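
To see what the defaults quoted above mean for a particular smb.conf after an upgrade, the following added example (not part of the original message and not Samba's own code) computes the effective values of the three options from the `[global]` section. It assumes the plain boolean values the release notes describe, ignores `include` lines and line continuations, and uses constructed sample configurations.

```python
import re

# Defaults quoted in the 4.5.0 release notes above.
DEFAULTS = {"lanman auth": False, "ntlm auth": False, "raw ntlmv2 auth": False}
TRUE = {"yes", "true", "1"}
FALSE = {"no", "false", "0"}

# Constructed sample: a config carried over unchanged from 4.4.x.
SAMPLE_UPGRADED = """
[global]
    workgroup = EXAMPLE
    winbind use default domain = yes
"""

# Constructed sample: the same config with NTLMv1 explicitly re-enabled.
SAMPLE_NTLMV1 = SAMPLE_UPGRADED + "    NTLM  Auth = Yes\n"


def _norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()


def effective_auth(conf_text):
    """Return the effective boolean value of each option in [global]."""
    wanted = {_norm(k): k for k in DEFAULTS}
    result = dict(DEFAULTS)
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key = wanted.get(_norm(name))
        value = value.strip().lower()
        # Assumption: only boolean values are interpreted; anything else
        # leaves the default in place.
        if key and value in TRUE | FALSE:
            result[key] = value in TRUE
    return result


def ntlmv1_accepted(conf_text):
    """True when NTLMv1 (and so MSCHAPv2 for VPN/802.1x) would be allowed."""
    return effective_auth(conf_text)["ntlm auth"]
```

On a live system, `testparm -sv` prints the values Samba itself has loaded, including defaults.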


