I just finished debugging a Samba installation with Windows XP, and thought I'd share some findings.
Thanks to MS screwing up our perfectly stable Windows 2000 network with the release of SP4 (which our security people demanded we install to stay current), we decided to upgrade to Windows XP Pro SP1 on the 8 computer lab Windows machines. The crux of the problem was that SP4 for win2k disabled some important Windows audit features (logoff and password change for starters). So to meet the security requirements, we upgraded.

On the first machine I tried, the XP box joined the Samba domain with no problems. I'm running one of the later 3.x releases of Samba with an OpenLDAP backend, using SMBLDAP Perl scripts for account maintenance. It's worked near flawlessly for 8 months now.

Then I tried to apply our standard security template. This is where the problem started. Now I could mount shares as administrator, but no users could log on. I got the "domain could not be found" error at the login screen. I figured it was probably the NTLMv2 requirement that the template enforces (v2 only, deny all others). So I configured the server to lanman auth=no and ntlm auth=no, which should force only NTLMv2. Still didn't work.

I did a diff of the default Win XP security settings and what was applied by the template. Found the culprit:

Domain Member -- Require Strong (Windows 2000 or later) Session Key: Enabled.

Once I disabled that, it worked fine. Users could log in now, no problems.

So, I wanted to share that tidbit, in case anyone else is having this problem. Also, I was wondering if Samba can satisfy this security setting? That is, keep the Strong Session Key enabled on the XP workstation and configure the server to comply? I'm worried that my security people won't like me deviating from their default template -- but if it's the only way to make it work, then so be it.

Thanks,
Anthony
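The template diff described in the post, as an added example that is not part of the original message: a small parser for secedit-style .inf security templates that lists every setting whose value differs between two templates. The two sample templates are constructed for illustration; RequireStrongKey and LmCompatibilityLevel are the registry values behind the "Require strong session key" and LAN Manager authentication level policies.

```python
# Added example: diff two Windows security templates (.inf) to find the
# setting that changed. Sample template contents below are constructed.
DEFAULT_INF = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
"""

HARDENED_INF = r"""
[Registry Values]
; NTLMv2 only, refuse LM and NTLM
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
"""

def parse_inf(text):
    """Return {section: {key: value}}; names are lower-cased because
    section names and registry paths are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def diff_templates(base_text, applied_text):
    """List (section, key, base_value, applied_value) for each difference.
    A value of None means the setting is absent from that template."""
    base, applied = parse_inf(base_text), parse_inf(applied_text)
    changes = []
    for section in sorted(set(base) | set(applied)):
        b, a = base.get(section, {}), applied.get(section, {})
        for key in sorted(set(b) | set(a)):
            if b.get(key) != a.get(key):
                changes.append((section, key, b.get(key), a.get(key)))
    return changes

if __name__ == "__main__":
    for section, key, old, new in diff_templates(DEFAULT_INF, HARDENED_INF):
        print(f"[{section}] {key}: {old} -> {new}")
```

Templates saved by Windows are usually UTF-16, so read them with open(path, encoding="utf-16") before passing the text in.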