Vista(by default NTLMv2) - Samba Security = domain, connection from vista failed
gomathi palanimuthu
2007-02-05 17:19:05 UTC
Hi,

I've been testing out Windows Vista Enterprise today. It defaults to only
using NTLMv2 authentication.

I'm testing with Samba 3.0.23b, which is configured with security = domain.

The password server is a Windows Server 2003 domain controller. I've joined
Samba to the domain.

I simply can't get Vista to connect unless I change its security policy to
"send NTLM/NTLMv1, use NTLMv2 if negotiated". Then it connects just fine.

But Vista should work with its default of 'only NTLMv2', right?

I have tried configuring smb.conf with the following parameters:

client NTLMv2 auth = yes
client lanman auth = no
ntlm auth = no
lanman auth = no (I read on lists.org that if we set ntlm auth as well as
lanman auth to 'no', Samba will default to NTLMv2 security support.)
But the connection from Vista still does not work.

Are there any configuration parameters missed out for this particular type of
security?

Please help in finding the solution if you've faced the same issue.

Thanks in advance,
Gomathi (Wipro)
Kai Blin
2007-02-05 19:18:09 UTC
Post by gomathi palanimuthu
I've been testing out Windows Vista Enterprise today. It defaults to only
using NTLMV2 authentication.
[...]
Post by gomathi palanimuthu
client NTLMv2 auth = yes
client lanman auth = no
ntlm auth = no
lanman auth = no (I read on lists.org that if we set ntlm auth as well as
lanman auth to 'no', Samba will default to NTLMv2 security support.)
But the connection from Vista still does not work.
Are you sure the "ntlm auth = no" is correct? I'm not running a Windows domain
myself, so I can't check, but in any case Samba should correctly negotiate
NTLMv2 if the other side requests this. Speaking as someone who has little
clue about running Samba and quite some idea how the Samba NTLM code works,
I'm sure Samba tries to do NTLMv2 authentication initially.
Post by gomathi palanimuthu
Are there any configuration parameters missed out for this particular type
of security?
Unless someone can offer additional config parameters I have no idea about, I
guess we would be interested in a network capture of a non-working and a
working authentication attempt.

Of course I'm not a samba dev, so those more familiar with all this might have
a way better solution.

Cheers,
Kai
--
Kai Blin, <kai Dot blin At gmail Dot com>
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin/
--
Will code for cotton.
gomathi palanimuthu
2007-02-06 09:15:08 UTC
Andrew Bartlett
2007-02-06 09:19:51 UTC
Post by gomathi palanimuthu
Hi,
The error I got in Vista is STATUS_LOGON_FAILURE. Even with correct
credentials, Vista couldn't get authenticated against the domain controller via
Samba.
Are you calling Samba by the same name it is registered with the DC as?
Post by gomathi palanimuthu
I have tried forcing NTLMv2 only in the 2003 domain controller too.
Also, by default, do Samba 3.0.23b or 3.0.23d respond to an NTLMv2
connection? Or should I configure Samba accordingly (i.e. by setting lanman
auth = no, ntlm auth = no, client NTLMv2 auth = no) to support NTLMv2
connections?
Samba accepts NTLMv2 by default.

Not relevant to why the server fails to accept NTLMv2, but why are you
turning 'client ntlmv2 auth = no'?
Post by gomathi palanimuthu
Attached is the non-working Ethereal packet info, in which NTLMSSP_AUTH is
failing with the mentioned parameters.
I think some smb.conf parameters are missing. Please correct me if I am wrong.
By ethereal (now wireshark) trace, we meant the pcap format packet
capture, not the text...

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
gomathi palanimuthu
2007-02-06 14:22:19 UTC
Are you calling Samba by the same name it is registered with the DC as?

Yes, with the same name as registered with the DC; I am trying to connect
from Vista (not a member of the DC).

1. Connection from Vista (non-member of the DC): failed. I added the domain
username to the smbpasswd file also.
2. Connection from Vista (member of the DC): success. I think this is because I
added the domain username entry to the Unix smbpasswd file, so the connection
succeeded.
Also, in Vista I disabled the firewall.
Here is my smb.conf file. Please correct me if anything is wrong. It will be
helpful even if a small clue is given by someone.
[global]
#unix charset = LOCALE
workgroup = W2K3R2
netbios name = goms7
#realm = W2K3R2.LOCAL
encrypt passwords = yes
server string = Samba 3.0.23b
security = DOMAIN
password server = 172.16.140.210
auth methods = ntdomain
#wins server = 10.8.8.45
#wins support = yes
username map = /etc/samba/smbusers
log level = 10
syslog = 0
log file = /var/%m
max log size = 100
local master = no
stat cache = no
kernel oplocks = no
oplocks = no
level2oplocks = no
printcap name = CUPS
#winbind use default domain = yes
#ldap ssl = no
#idmap uid = 10000-20000
#idmap gid = 20001-30000
#winbind enum users = yes
#winbind enum groups = yes
#template shell = /bin/bash
#winbind separator = +
#winbind cache time = 120
printing = cups
map to guest = Never
use spnego = yes
client use spnego = no
server signing = yes
client signing = yes
max connections = 10

Not relevant to why the server fails to accept NTLMv2, but why are you
turning 'client ntlmv2 auth = no'?
------------ I removed this entry from smb.conf, but still not working.
Kai Blin
2007-02-06 15:04:45 UTC
Post by gomathi palanimuthu
1. Connection from Vista (non-member of the DC): failed. I added the domain
username to the smbpasswd file also.
2. Connection from Vista (member of the DC): success. I think this is because I
added the domain username entry to the Unix smbpasswd file, so the connection
succeeded.
As I said, I don't know much about using Samba. What I do know is that the
NTLM handshake does negotiate NTLMv2. So the error you're seeing is not
because Samba does not handle NTLMv2.

Cheers,
Kai
--
Kai Blin, <kai Dot blin At gmail Dot com>
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin/
--
Will code for cotton.
Lamar.Saxon at americredit.com ()
2007-02-06 19:32:55 UTC
Our Windows network has been set to only use NTLMv2 for security. I
made the following changes to my smb.conf and we have been working fine:

client schannel = Auto
server schannel = Auto

lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No

HTH,
Lamar

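As an added example (not code from this thread or from the Samba project), here is a small Python checker that parses the [global] section of an smb.conf and reports which of the settings Lamar listed above are missing or set differently. The baseline is Lamar's reported list, not a statement of Samba's documented defaults, and the two sample configs inside it are constructed from the thread's text (a cut-down version of the posted smb.conf and Lamar's settings).

```python
import re

# Settings Lamar reported working on an NTLMv2-only network (the thread's
# list, not a statement of Samba's defaults); values are lowercase yes/no/auto.
NTLMV2_BASELINE = {
    "lanman auth": "no",
    "ntlm auth": "no",
    "client ntlmv2 auth": "yes",
    "client lanman auth": "no",
    "client plaintext auth": "no",
    "client schannel": "auto",
    "server schannel": "auto",
}
# smb.conf accepts several spellings of a boolean; fold them to yes/no.
_BOOL = {"true": "yes", "1": "yes", "false": "no", "0": "no"}

def parse_global(text):
    """Return [global] parameters as a dict: keys lowercased with whitespace
    collapsed, values lowercased, '#'/';' comment lines skipped, and a key
    repeated later in the section overriding the earlier value."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            in_global = header.group(1).strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip().lower()
            params[" ".join(key.lower().split())] = _BOOL.get(value, value)
    return params

def check_ntlmv2(text):
    """List (parameter, value found or None, baseline value) for each
    baseline setting that is missing from or differs in the given smb.conf."""
    params = parse_global(text)
    return [(k, params.get(k), v) for k, v in NTLMV2_BASELINE.items()
            if params.get(k) != v]

# Constructed samples: a cut-down [global] from the posted smb.conf, and
# Lamar's settings written as a [global] section.
POSTED_CONF = "[global]\nworkgroup = W2K3R2\nsecurity = DOMAIN\nclient use spnego = no\n"
LAMAR_CONF = ("[global]\nsecurity = domain\nclient schannel = Auto\n"
              "server schannel = Auto\nlanman auth = No\nntlm auth = No\n"
              "client NTLMv2 auth = Yes\nclient lanman auth = No\n"
              "client plaintext auth = No\n")
```

Running check_ntlmv2 on the posted config reports all seven baseline parameters as unset, while Lamar's config returns an empty list.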