[Samba] Samba 4.14.5 NTLMv1

Perttu Aaltonen perttu.aaltonen at mac.com
Tue Jan 18 15:37:48 UTC 2022 

> On 18. Jan 2022, at 17.12, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> On Tue, 2022-01-18 at 16:54 +0200, Perttu Aaltonen via samba wrote:
>>> On 18. Jan 2022, at 16.43, Rowland Penny via samba <
>>> samba at lists.samba.org> wrote:
>>> 
>>> On Tue, 2022-01-18 at 16:34 +0200, Perttu Aaltonen via samba wrote:
>>>> 
>>>> I had this same problem a while back when connecting from
>>>> Supermicro
>>>> IPMI interface. The workaround was to use UPN in the form of 
>>>> user.account at domain.com. Is this possible in your clients? You
>>>> can
>>>> find my posts from last March in the list archives.
>>>> 
>>>> I never found any smb.conf setting that would make this work
>>>> again.
>>>> Did you upgrade your base OS as well? In my testing this stopped
>>>> working after upgrading from Ubuntu 18 to 20. Perhaps the
>>>> packages
>>>> are compiled differently or there’s some incompatibility between
>>>> later Samba and Ubuntu builds.
>>>> 
>>>> -Perttu
>>> 
>>> I don't remember this being asked on here, but the problem was
>>> probably
>>> down to 18.04 using Samba 4.7.6 (which had 'CORE' as the minimum
>>> protocol) and 20.04 using 4.11.x (which had 'SMB2' as the minimum
>>> protocol). There is also the fact that from Samba 4.8.0 , winbind
>>> must
>>> be running on a domain computer.
>>> 
>>> Rowland
>>> 
>> 
>> It’s in the archives with the subject "winbind use default domain
>> problem after upgrade”. I was using Louis’ packages and winbind
>> running on the same domain member machine. Back then I was upgrading
>> from 4.10.5 to 4.13.2 but to me it looked like Ubuntu version was the
>> reason more than anything changing in Samba specifically.
>> 
>> AFAIR I tested many versions between 4.10 and 4.13 to find where it
>> broke, but I could only reproduce it with an upgrade to Ubuntu 20,
>> not with any specific Samba update.
>> 
>> -Perttu
> 
> Found the thread and I will hazard a guess. By using user at DOMAIN.COM <mailto:user at DOMAIN.COM>
> you are using kerberos, but the other username variants ('user', 'DOMAIN\user') use NTLM, by default, Samba 4.7.6 used NTLMv1 by default and 4.11.0 didn't. Your Supermicro thing only uses NTLMv1 which is turned off on the later Samba version, so it can only work via kerberos.
> 
> Rowland

What would be the settings to enable NTLMv1, ‘server min protocol = NT1’?. I had this set on the member file server, but not on the DC so perhaps that’s why it failed. Although the DC was a much older version where NTLMv1 should've still be enabled, so a compatibility issue is possible.

I’m not sure the OP has the same problem as I had since running 'wbinfo -a  DOMAINUSER%password —ntlmv1’ worked for him but not for me on the domain member.

-Perttu

More information about the samba mailing list