Hi folks, I have been asked to force NTLMv2 logins to avoid use of LM hashes.
To meet the requirement I added some lines to the smb.conf in [Global] (we only have that section anyway - this is purely for domain authentication with an ldap backend):

    client lanman auth = no
    client NTLMv2 auth = yes
    lanman auth = no
    min protocol = LANMAN2
    ntlm auth = no

This seemed to work - users could log in, and doing a tcpdump showed that the dialogue was different, with NTLMSSP appearing.

There was a problem though: Citrix users got locked out, so I changed a registry setting on all Windows PCs and the Citrix server:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel

was set to 3 and the Citrix machine rebooted. We found that it didn't help with the Citrix problem, so we reverted the samba change. All back to normal - Citrix users are happy.

Later, we found that some new laptops couldn't join the domain - reverting the samba change made that work too.

Hunting around for info has proved fruitless so far. The problem is that the change is required.

Does anyone have experience of this? Or know of any useful docs?

mtia

Q

FYI: Samba 3.0.23c.
Clients are a Win 2003 Server with Citrix and some XP Pro desktops (including some laptops).
RHEL AS 4u5 smb.conf:

    [global]
    dos charset = 850
    unix charset = ISO8859-1
    workgroup = MYCO
    netbios name = MYCO-PDC
    server string = Samba Server
    interfaces = bond0
    passdb backend = ldapsam:"ldaps://pri-ldap:636"
    passwd program = /usr/sbin/ldap_userPassword_change %u
    passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success****
    check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
    unix password sync = Yes
    lanman auth = No
    ntlm auth = No
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    log level = 2
    syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 100000
    min protocol = LANMAN2
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    show add printer wizard = No
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
    delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%m"
    logon path = ""
    logon home = ""
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=rdn,dc=myco,dc=co,dc=uk
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap suffix = dc=myco,dc=co,dc=uk
    ldap user suffix = ou=Users
    idmap backend = ldap:ldaps://pri-ldap:636
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    max print jobs = 0
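As an added illustration (not part of the thread above and not Samba's own code), the following script audits the LM/NTLM-related parameters in an smb.conf against the hardened values the poster is aiming for, and maps the Windows LmCompatibilityLevel values to their documented meanings. It parses parameter names the way Samba does (case-insensitive, whitespace ignored), and treats a parameter that is absent from [global] as a finding rather than assuming a version-dependent default. The two sample configurations embedded in it are constructed for the example; the hostnames and workgroup in them are placeholders.

```python
"""Audit LM/NTLM hardening settings in a Samba smb.conf (added example)."""
import re

# Hardened values, keyed by parameter name normalised the way Samba
# matches it: lower-case with all whitespace removed.
HARDENED = {
    "lanmanauth": "no",           # server side: refuse LM responses
    "ntlmauth": "no",             # server side: refuse NTLMv1 responses
    "clientlanmanauth": "no",     # client side: never send LM
    "clientplaintextauth": "no",  # client side: never send cleartext
    "clientntlmv2auth": "yes",    # client side: send NTLMv2
}

# Documented meanings of HKLM\...\Lsa\LmCompatibilityLevel on Windows.
LMCOMPAT = {
    0: "send LM & NTLM responses",
    1: "send LM & NTLM, use NTLMv2 session security if negotiated",
    2: "send NTLM response only",
    3: "send NTLMv2 response only",
    4: "send NTLMv2 only, refuse LM",
    5: "send NTLMv2 only, refuse LM & NTLM",
}

BOOL_TRUE = {"yes", "true", "1", "on"}
BOOL_FALSE = {"no", "false", "0", "off"}


def normalise_key(key):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}} for an smb.conf body."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                # new [section]
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalise_key(key)] = value.strip()
    return sections


def as_bool(value):
    """Interpret a Samba boolean; None if the value is not a boolean."""
    v = value.strip().lower()
    if v in BOOL_TRUE:
        return True
    if v in BOOL_FALSE:
        return False
    return None


def audit_global(sections):
    """Return [(parameter, found_value_or_None, wanted)]; empty means hardened."""
    g = sections.get("global", {})
    findings = []
    for key, wanted in HARDENED.items():
        found = g.get(key)
        if found is None or as_bool(found) != as_bool(wanted):
            findings.append((key, found, wanted))
    return findings


def describe_lmcompat(level):
    """Human-readable meaning of an LmCompatibilityLevel value, or None."""
    return LMCOMPAT.get(level)


# Constructed samples: a weak configuration and a hardened one.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   lanman auth = yes
   ntlm auth = yes
   passdb backend = ldapsam:"ldaps://ldap.example.invalid:636"
"""

HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   Lanman Auth = No
   ntlm auth = No
   client NTLMv2 auth = Yes
   client lanman auth = No
   client plaintext auth = No
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_global(parse_smb_conf(conf)))
    print("LmCompatibilityLevel 3:", describe_lmcompat(3))
```

Run against a real file with `audit_global(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; an empty list means every one of the five parameters is explicitly set to its hardened value. The LmCompatibilityLevel table is what to check on the Windows side when a client cannot authenticate after the server stops accepting LM and NTLMv1: the level has to be one at which the client actually sends NTLMv2.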