I'm running CentOS 4.3 and Samba 3.0.24. I have an OpenLDAP backend. I have successfully got a Windows domain to work, Windows XP -> Samba -> OpenLDAP. I can add machines to the domain and I can log in and change passwords. The trouble is that I'm using NTLM and have been told that I must upgrade to NTLMv2, but I'm having great difficulty doing so.
I have existing NTLM users. I want to disable the use of NTLM, so I ran secpol.msc and changed the LAN Manager Authentication Level to "Send NTLMv2 response only \ refuse LM and NTLM passwords". I changed smb.conf to include:

        ntlm auth = no
        client ntlmv2 auth = yes
        client lanman auth = no
        lanman auth = no
        min protocol = NT1

I restarted the PC and Samba. However, I can still log in users which have NTLM hash passwords. Is this right? I don't think so. Does Samba cache machine settings anywhere? I know Samba works, I'm missing some configuration, I just don't know what it is.

When I run smbpasswd, it seems to create NTLM hashed passwords? Should it only create NTLMv2 passwords if I set client ntlmv2 auth = yes?

I created new users and I have stored an NTLMv2 hashed password in sambaNTPassword; I'm assuming NTLMv2 passwords need to be stored in this attribute, as I don't see an alternative? When I try to log in to a user account with an NTLMv2 hashed password, I get invalid password, but I think I've calculated the hash correctly. Looking in LDAP, I stored a 16-byte hex string (sambaNTPassword: 47E53AD35D61DE8F419F272FFBC4F175).

The password check is failing in ntlm_password_check (libsmb/ntlm_check.c). I've marked where the password check is failing in bold:

NTSTATUS ntlm_password_check(....)
{
        static const unsigned char zeros[8];

        if (nt_pw == NULL) {
                DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
                         username));
        }

        if (nt_interactive_pwd && nt_interactive_pwd->length && nt_pw) {
                if (nt_interactive_pwd->length != 16) {
                        DEBUG(3,("ntlm_password_check: Interactive logon: Invalid NT password length (%d) supplied for user %s\n",
                                 (int)nt_interactive_pwd->length, username));
                        return NT_STATUS_WRONG_PASSWORD;
                }

                if (memcmp(nt_interactive_pwd->data, nt_pw, 16) == 0) {
                        if (user_sess_key) {
                                *user_sess_key = data_blob(NULL, 16);
                                SMBsesskeygen_ntv1(nt_pw, NULL, user_sess_key->data);
                        }
                        return NT_STATUS_OK;
                } else {
                        /* <-- the check that fails (see the log below) */
                        DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
                                 username));
                        return NT_STATUS_WRONG_PASSWORD;
                }

I can see that the code to check the NTLMv2 password comes later:

        if (smb_pwd_check_ntlmv2( nt_response, nt_pw, challenge,
                                  client_username, client_domain, False,
                                  user_sess_key)) {
                return NT_STATUS_OK;
        }

--------------------------------------------- SMB.CONF ---------------------------------------
[global]
        workgroup = DEV
        netbios name = DEV-PDC
        security = user
        server string = Samba Server
        log level = 3
        syslog = 0
        log file = /var/log/samba/%m.log
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1
        logon home = ""
        logon path = ""
        domain logons = Yes
        domain master = Yes
        os level = 65
        preferred master = Yes
        wins support = yes
        encrypt passwords = Yes
        ldap passwd sync = Yes
        passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success****
        pam password change = yes
        check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
        passdb backend = ldapsam:"ldap://ldap-1"
        ntlm auth = no
        client ntlmv2 auth = yes
        client lanman auth = no
        lanman auth = no
        min protocol = NT1
        ldap admin dn = cn=Manager,dc=example,dc=org
        # ldap delete dn = no
        ldap suffix = dc=example,dc=org
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        idmap backend = ldap:"ldap://ldap-1"
        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
        delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
        add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%u"
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template shell = /bin/false
        winbind use default domain = no

------------ LOG FILE -------------------
[2007/03/07 11:12:16, 3] smbd/oplock.c:init_oplocks(862)
  open_oplock_ipc: initializing messages.
[2007/03/07 11:12:16, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(260)
  Linux kernel oplocks enabled
[2007/03/07 11:12:16, 3] smbd/process.c:process_smb(1110)
  Transaction 0 of length 72
[2007/03/07 11:12:16, 2] smbd/reply.c:reply_special(496)
  netbios connect: name1=DEV-PDC name2=VM-WARE-TM1
[2007/03/07 11:12:16, 2] smbd/reply.c:reply_special(503)
  netbios connect: local=dev-pdc remote=vm-ware-tm1, name type = 0
[2007/03/07 11:12:25, 3] smbd/oplock.c:init_oplocks(862)
  open_oplock_ipc: initializing messages.
[2007/03/07 11:12:25, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(260)
  Linux kernel oplocks enabled
[2007/03/07 11:12:25, 3] smbd/process.c:process_smb(1110)
  Transaction 0 of length 137
[2007/03/07 11:12:25, 3] smbd/process.c:switch_message(914)
  switch message SMBnegprot (pid 3150) conn 0x0
[2007/03/07 11:12:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [LANMAN1.0]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [Windows for Workgroups 3.1a]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [LM1.2X002]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [LANMAN2.1]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [NT LM 0.12]
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_nt1(357)
  using SPNEGO
[2007/03/07 11:12:25, 3] smbd/negprot.c:reply_negprot(580)
  Selected protocol NT LM 0.12
[2007/03/07 11:12:25, 3] smbd/oplock.c:init_oplocks(862)
  open_oplock_ipc: initializing messages.
[2007/03/07 11:12:25, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(260)
  Linux kernel oplocks enabled
[2007/03/07 11:12:25, 3] smbd/process.c:process_smb(1110)
  Transaction 0 of length 72
[2007/03/07 11:12:25, 2] smbd/reply.c:reply_special(496)
  netbios connect: name1=DEV-PDC name2=VM-WARE-TM1
[2007/03/07 11:12:25, 2] smbd/reply.c:reply_special(503)
  netbios connect: local=dev-pdc remote=vm-ware-tm1, name type = 0
[2007/03/07 11:12:25, 3] smbd/process.c:process_smb(1110)
  Transaction 1 of length 240
[2007/03/07 11:12:25, 3] smbd/process.c:switch_message(914)
  switch message SMBsesssetupX (pid 3150) conn 0x0
[2007/03/07 11:12:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X(849)
  wct=12 flg2=0xc807
[2007/03/07 11:12:25, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(660)
  Doing spnego session setup
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_spnego_negotiate(551)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_spnego_negotiate(554)
  Got secblob of size 40
[2007/03/07 11:12:25, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xe2088297
[2007/03/07 11:12:25, 3] smbd/process.c:process_smb(1110)
  Transaction 2 of length 284
[2007/03/07 11:12:25, 3] smbd/process.c:switch_message(914)
  switch message SMBsesssetupX (pid 3150) conn 0x0
[2007/03/07 11:12:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X(849)
  wct=12 flg2=0xc807
[2007/03/07 11:12:25, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(660)
  Doing spnego session setup
[2007/03/07 11:12:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/03/07 11:12:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[] domain=[] workstation=[VM-WARE-TM1] len1=1 len2=0

------------- Client machine LOG file extract -------------------
[2007/03/07 11:56:58, 3] passdb/secrets.c:secrets_store_schannel_session_info(995)
  secrets_store_schannel_session_info: stored schannel info with key SECRETS/SCHANNEL/VM-WARE-TM1
[2007/03/07 11:56:58, 3] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(840)
  SAM Logon (Interactive). Domain:[DEV]. User:[EMAIL PROTECTED] Requested Domain:[DEV]
[2007/03/07 11:56:58, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2007/03/07 11:56:58, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2007/03/07 11:56:58, 3] smbd/sec_ctx.c:push_sec_ctx(208)
[2007/03/07 11:56:58, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: ntlmh
[2007/03/07 11:56:58, 0] passdb/pdb_ldap.c:init_sam_from_ldap(817)
  init_sam_from_ldap: Failed to get password history for user ntlmh
[2007/03/07 11:56:58, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/03/07 11:56:58, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/03/07 11:56:58, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 513 -> S-1-5-21-3509805487-1978983965-2064741474-513
[2007/03/07 11:56:58, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user ntlmh
[2007/03/07 11:56:58, 3] smbd/uid.c:push_conn_ctx(345)
[2007/03/07 11:56:58, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: ntlmh
[2007/03/07 11:56:58, 3] passdb/pdb_ldap.c:init_ldap_from_sam(1212)
  updating bad password fields, policy=3, count=1, time=1173268618
[2007/03/07 11:56:58, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [DEV] was for this SAM.
[2007/03/07 11:56:58, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [ntlmh] -> [ntlmh] FAILED with error NT_STATUS_WRONG_PASSWORD
[2007/03/07 11:56:58, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(529)
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(551)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(554)
  Got secblob of size 40
[2007/03/07 11:56:58, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xe2088297
[2007/03/07 11:56:58, 3] smbd/process.c:process_smb(1110)
  Transaction 10 of length 284
[2007/03/07 11:56:58, 3] smbd/process.c:switch_message(914)
  switch message SMBsesssetupX (pid 5338) conn 0x0
[2007/03/07 11:56:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X(849)
  wct=12 flg2=0xc807
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(660)
  Doing spnego session setup
[2007/03/07 11:56:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/03/07 11:56:58, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  ..
Any help would be much appreciated,
Tony
--
View this message in context: http://www.nabble.com/NTLMv2-configuration-problems-tf3361654.html#a9351505
Sent from the Samba - General mailing list archive at Nabble.com.