[Samba] use spnego question - samba 47 to samba48 migration

Kontrol-Suporte suporte at kontrolsecurity.com.br
Mon Jun 25 22:51:21 UTC 2018

Hi Rowland.

Very good point (man smb.conf) - I found out that if I have the line "client NTLMv2 auth = yes" then I don't need any other setting. Also, the Min Protocol is for sharing purposes, not authentication.
So, I am deleting the "min protocol" entry and keeping the "client NTLMv2 auth=yes".
I am also using SPNEGO, which is required in this case.

After all these changes the samba48 is now working fine (Kerberos and NTLMv2) with SQUID.

Many Thanks!! I appreciate it!


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, June 25, 2018 4:44 AM
To: samba at lists.samba.org
Subject: Re: [Samba] use spnego question - samba 47 to samba48 migration

On Sun, 24 Jun 2018 20:32:20 -0300
Kontrol-Suporte via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> Thanks Much for the help, as usual!
> About Kerberos: Yes, I have implemented Kerberos and NTLM. I need both 
> working. About winbindd_privileged:  Not sure what you mean with " I 
> think you might want to check that again, the 'winbindd_privileged' 
> dir went away quite some time ago." Shouldn't that folder be there 
> anymore? Every time I install Samba47 or 48 it creates the folder with 
> the "pipe" inside of it. I just needed to change the 
> permissions/ownership to the folder. Isn't it OK to use that way anymore?

I was convinced that it had been removed, but no, it is still there, so yes you can still use it.

> About Lanman2:  Hummm... now you got me confused. I could swear that 
> option was to force ntlm v2 as minimum. The idea is to force NTLM v2 
> as minimum protocol. Should I use option "smb2" instead?

Try reading 'man smb.conf' where you will find this:

Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

If you want to enforce NTLMv2, then either do not have an 'ntlm auth'
line in smb.conf, or use this instead:

ntlm auth = mschapv2-and-ntlmv2-only
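
As an added illustration (not part of this thread and not Samba code), a small Python check of the `[global]` settings discussed above: it flags values that still permit NTLMv1/LANMAN and notes that the `min protocol` parameters select the SMB dialect rather than the authentication level. The two smb.conf fragments and all function names are constructed for the example; only the `[global]` section is read.

```python
import re

# Values that still permit NTLMv1/LANMAN. Parameter names are normalised
# (lower case, whitespace removed), as smb.conf ignores both.
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
WEAK = {
    "ntlmauth": TRUE | {"ntlmv1-permitted"},
    "lanmanauth": TRUE,
    "clientlanmanauth": TRUE,
    "clientntlmv2auth": FALSE,
}
DIALECT = {"minprotocol", "serverminprotocol", "clientminprotocol"}

def parse_global(text):
    """Return {normalised_name: value} for the [global] section only."""
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """Return a sorted list of (parameter, value, finding) tuples."""
    findings = []
    for name, value in parse_global(text).items():
        if name in WEAK and value.lower() in WEAK[name]:
            findings.append((name, value, "permits NTLMv1/LANMAN"))
        elif name in DIALECT:
            findings.append((name, value, "SMB dialect only, not NTLMv2 enforcement"))
    return sorted(findings)

# Constructed samples: a config that relies on "min protocol" to force NTLMv2,
# and one that uses the settings named in the thread.
BEFORE = "[global]\n  min protocol = LANMAN2\n  ntlm auth = yes\n"
AFTER = ("[global]\n  client NTLMv2 auth = yes\n"
         "  ntlm auth = mschapv2-and-ntlmv2-only\n")

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf) or "no weak NTLM settings found")
```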

