
Re: [Samba] Samba4 server is not accessible for logon from Windows 2008R2 SP1.




2017-11-21 0:17 GMT+03:00 Rowland Penny <rpenny@xxxxxxxxx>:

> On Mon, 20 Nov 2017 22:45:08 +0300
> "CpServiceSPb . via samba" <samba@xxxxxxxxxxxxxxx> wrote:
>
> > I discovered the situation.
> > When an attempt to log on from Windows 2008R2 to Samba4 is made, we can
> > see in the Samba smbd log the following lines, which are important for
> > understanding the situation:
> >
> > [2017/11/20 13:25:52.040094,  2, pid=7100, effective(0, 0), real(0, 0)] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
> >   ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user <username>
> > [2017/11/20 13:25:52.040110,  3, pid=7100, effective(0, 0), real(0, 0)] ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
> >   ntlm_password_check: NEITHER LanMan nor NT password supplied for user <username>
> >
> > It tells us that Samba4 doesn't want to accept NTLMv1 authentication.
> >
> > So, it is easy to solve (as it was in my case).
> > You should put the following line in the [general] section of
> > smb.conf:
> > ntlm auth = yes
> >
> >
> > I also set max protocol = SMB3,
> > but I think that it is not important for this case.
> >
> > After changing smb.conf, restarting the Samba4 services is necessary.
> >
> > So I can mark the topic as Solved!
>
> The correct cure is to make your 2008R2 use NTLMv2 instead of NTLMv1.
> Or rather, find out why your 2008R2 server isn't using NTLMv2 by
> default.
>
> The default for 'ntlm auth' was changed from 'yes' to 'no' for a reason.
>
> Rowland
>

I agree with your statements that it would be better to use NTLMv2
instead of NTLMv1.
I did some additional investigation, including the Samba4 and Windows 2008R2
settings, and got interaction between Samba4 and Windows 2008R2 working using
NTLMv2 from the Windows side.
The following parameters have to be set to the following values:
Samba4 side - smb.conf -> [Global] section -> ntlm auth = no, or remove ntlm
auth altogether
Windows 2008R2 side - either Local Policies -> Security Options -> "Network
Security: LAN Manager authentication level" = "Send NTLMv2 response only.
Refuse LM & NTLM" or
registry -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
= 5;
if there is no LmCompatibilityLevel at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,
create it with REG_DWORD type.

Then restart Samba4 and reboot Windows 2008R2.

Maybe this could be put in the Samba4 docs or FAQ?
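Added example (not part of the original message and not Samba project code): with `ntlm auth` left at its default, the smbd log can be scanned for the rejection message quoted in the thread to find which accounts are still logging on from clients that send NTLMv1 and need the LmCompatibilityLevel change. The sample log is constructed in the format shown above; the user names and the second timestamp are invented, and the function names are this example's own.

```python
import re

# Header line of an smbd log entry, in the format quoted in the thread:
# [date time,  level, pid=N, effective(..), real(..)] source.c:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(?P<level>\d+),"
    r" pid=(?P<pid>\d+),.*?\]\s+\S+?:\d+\((?P<func>\w+)\)\s*$"
)
# Message quoted in the thread for an NTLMv1 response that is not permitted.
NTLMV1_DENIED = re.compile(r"NTLMv1 passwords NOT PERMITTED for user (?P<user>.+)$")

def parse_entries(text):
    """Yield (header_fields, message) per log entry. The message is the
    indented continuation line(s) after a header, joined with spaces."""
    header, body = None, []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if header is not None:
                yield header, " ".join(body)
            header, body = m.groupdict(), []
        elif header is not None and raw.strip():
            body.append(raw.strip())
    if header is not None:
        yield header, " ".join(body)

def ntlmv1_rejections(text):
    """Return [(timestamp, pid, user), ...] for rejected NTLMv1 logons."""
    hits = []
    for header, message in parse_entries(text):
        m = NTLMV1_DENIED.search(message)
        if m:
            hits.append((header["ts"], int(header["pid"]), m.group("user").strip()))
    return hits

# Constructed sample in the thread's log format; users and 2nd timestamp invented.
SAMPLE_LOG = """\
[2017/11/20 13:25:52.040094,  2, pid=7100, effective(0, 0), real(0, 0)] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user alice
[2017/11/20 13:25:52.040110,  3, pid=7100, effective(0, 0), real(0, 0)] ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user alice
[2017/11/20 13:31:07.512345,  2, pid=7142, effective(0, 0), real(0, 0)] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user bob
"""

if __name__ == "__main__":
    for ts, pid, user in ntlmv1_rejections(SAMPLE_LOG):
        print(f"{ts} pid={pid}: NTLMv1 logon rejected for {user}")
```

The rejection message appears at debug level 2 in the quoted excerpt, so the scan only finds it when smbd logs at that level or higher.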