[Samba] ntlm

Rowland Penny rpenny at samba.org
Thu Jun 25 16:21:32 UTC 2020


On 25/06/2020 16:56, Greg Marshall via samba wrote:
> Hello experts/users,
>
> We have a Samba server on Ubuntu 18.04 LTS with version:
>
> apt-cache policy samba
> samba:
>    Installed: 2:4.7.6+dfsg~ubuntu-0ubuntu2.16
>    Candidate: 2:4.7.6+dfsg~ubuntu-0ubuntu2.16
>
> All is fine and great. Except one (internet disabled) Windows 7
> Professional PC (sorry, we still need to run it for a scientific tool)
> cannot connect unless I put "ntlm auth = yes" in smb.conf.
>
> Funnily, other (no internet) Windows 7 clients work OK.
> I have two questions:
>
> 1. What needs to be changed in the registry of this non-working Windows 7
> client? (It was a preinstalled machine from the vendor - we cannot
> reinstall.)
>
> 2. BTW, can this ntlm auth = yes in any way cause WannaCry-type issues?
> Many thanks
> greg
>
> smb.conf
>
> [global]
>     server string = SPR Server
>     server role = standalone server
>     bind interfaces only = yes
>     interfaces = lo eno1
>     disable netbios = no
>     max log size = 1000
>     log level = 1
>     security = user
>     server role = standalone server
>     passdb backend = tdbsam
>     obey pam restrictions = no
>     unix password sync = yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     pam password change = yes
>     map to guest = Bad User
>     client min protocol = SMB2
>   ntlm auth = yes
> vfs objects = catia fruit streams_xattr
> fruit:aapl = yes
> fruit:encoding = native
> fruit:locking = none
> fruit:metadata = stream
> fruit:resource = file
>
OK, add 'server min protocol = SMB2' to smb.conf, remove the ntlm auth 
line and restart Samba. At this point, your Samba machine will no longer 
be using SMBv1.

Now go to the Win 7 machine and open the registry editor.

Navigate to HKLM\System\CurrentControlSet\control\LSA.

Click on LSA

You should see LMCompatibilityLevel in the right window pane. If you 
don't, choose 'Edit' > New > REG_DWORD. Replace "New Value #1" with 
"LMCompatibilityLevel".

Double-click on LMCompatibilityLevel in the right window pane. Enter "5".

You should now be using NTLMv2 everywhere.

At this point, you may wish to consider turning nmbd off on the Samba 
server; it will not be doing much now.

Rowland
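
The two smb.conf changes from the reply above, written as a check that can be run over a config file. This is an added example, not part of the original post or Samba's own code; the function names and the sample configuration are constructed for illustration.

```python
import re

# SMB1-era dialect names accepted by 'server min protocol'.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# 'ntlm auth' values that let the server accept NTLMv1 responses.
NTLMV1_VALUES = {"yes", "true", "1", "ntlmv1-permitted"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Names ignore case and whitespace; a later assignment overrides.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text):
    """List findings for the two settings changed in the reply above."""
    p, findings = parse_global(text), []
    if p.get("ntlmauth", "").lower() in NTLMV1_VALUES:
        findings.append("ntlm auth permits NTLMv1: remove the line")
    smp = p.get("serverminprotocol")
    if smp is None:
        # 'client min protocol' only governs Samba acting as a client.
        findings.append("server min protocol not set: add 'server min protocol = SMB2'")
    elif smp.upper() in SMB1_DIALECTS:
        findings.append(f"server min protocol = {smp} still allows SMBv1")
    return findings

# Constructed sample, cut down from the configuration quoted in the thread.
BEFORE = """
[global]
    client min protocol = SMB2
  ntlm auth = yes
"""
# The same sample with both changes from the reply applied.
AFTER = BEFORE.replace("  ntlm auth = yes", "    server min protocol = SMB2")

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf) or "ok")
```
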




