[Samba] Samba 4.14.5 NTLMv1

Rowland Penny rpenny at samba.org
Tue Jan 18 15:12:42 UTC 2022 

On Tue, 2022-01-18 at 16:54 +0200, Perttu Aaltonen via samba wrote:
> > On 18. Jan 2022, at 16.43, Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> > 
> > On Tue, 2022-01-18 at 16:34 +0200, Perttu Aaltonen via samba wrote:
> > > 
> > > I had this same problem a while back when connecting from
> > > Supermicro
> > > IPMI interface. The workaround was to use UPN in the form of 
> > > user.account at domain.com. Is this possible in your clients? You
> > > can
> > > find my posts from last March in the list archives.
> > > 
> > > I never found any smb.conf setting that would make this work
> > > again.
> > > Did you upgrade your base OS as well? In my testing this stopped
> > > working after upgrading from Ubuntu 18 to 20. Perhaps the
> > > packages
> > > are compiled differently or there’s some incompatibility between
> > > later Samba and Ubuntu builds.
> > > 
> > > -Perttu
> > 
> > I don't remember this being asked on here, but the problem was
> > probably
> > down to 18.04 using Samba 4.7.6 (which had 'CORE' as the minimum
> > protocol) and 20.04 using 4.11.x (which had 'SMB2' as the minimum
> > protocol). There is also the fact that from Samba 4.8.0 , winbind
> > must
> > be running on a domain computer.
> > 
> > Rowland
> > 
> 
> It’s in the archives with the subject "winbind use default domain
> problem after upgrade”. I was using Louis’ packages and winbind
> running on the same domain member machine. Back then I was upgrading
> from 4.10.5 to 4.13.2 but to me it looked like Ubuntu version was the
> reason more than anything changing in Samba specifically.
> 
> AFAIR I tested many versions between 4.10 and 4.13 to find where it
> broke, but I could only reproduce it with an upgrade to Ubuntu 20,
> not with any specific Samba update.
> 
> -Perttu

Found the thread and I will hazard a guess. By using user at DOMAIN.COM
you are using kerberos, but the other username variants ('user', 'DOMAIN\user') use NTLM, by default, Samba 4.7.6 used NTLMv1 by default and 4.11.0 didn't. Your Supermicro thing only uses NTLMv1 which is turned off on the later Samba version, so it can only work via kerberos.

Rowland

More information about the samba mailing list