Bug 11932 - NTLM authentication fails from non-AD client to Active Directory
Summary: NTLM authentication fails from non-AD client to Active Directory
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.4.3
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-23 15:29 UTC by t.mainka
Modified: 2016-05-23 19:55 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description t.mainka 2016-05-23 15:29:35 UTC
We have a 4.4.3 Samba server on a RHEL 6 machine which is part of an Active Directory. Everything works when users authenticate with Kerberos tickets, but we have some older clients (Win 7) that are not part of this Active Directory.

These clients could authenticate in earlier Samba releases to the Samba server, but in 4.4.3 the authentication fails via NTLMSSP to the Active Directory server:

  session setup failed: NT_STATUS_NOT_SUPPORTED 

Which generates this snippet in the logfile:
[2016/05/23 11:42:28.768543,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
[2016/05/23 11:42:28.768560,  4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2016/05/23 11:42:28.768569,  5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for /var/samba/locks/smbXsrv_session_global.tdb
[2016/05/23 11:42:28.768588,  5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/samba/locks/smbXsrv_session_global.tdb
[2016/05/23 11:42:28.768608,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(276) cmd=115 (SMBsesssetupX) NT_STATUS_NOT_SUPPORTED


What works is an Samba 4.4.2 server with the following option:

  client ipc max protocol = NT1 


However, this does not work anymore with Samba 4.4.3