Bug 12473 - "ntlm auth = no" and "LmCompatibilityLevel=1" don't work together
Summary: "ntlm auth = no" and "LmCompatibilityLevel=1" don't work together
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.5.2
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-12-20 10:13 UTC by Ilya Basin
Modified: 2016-12-20 11:31 UTC

See Also:

my smb.conf (9.77 KB, text/plain)
2016-12-20 10:19 UTC, Ilya Basin

Description Ilya Basin 2016-12-20 10:13:23 UTC
I have a Windows 7 client (in domain) and a modern Samba server on Archlinux on a VM. And we also have other really old samba servers in our intranet. I set `LmCompatibilityLevel=1` to be able to connect to those old servers. After a recent update to Samba 4.5.2 I was unable to connect to my share:

    > net use \\\il 123 /user:x\il
    System error 86 has occurred.
    The specified network password is not correct.

and the samba client log contains the words:

    ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user

Looks like I was using NTLMv1 the whole time: before "4.5.2" the config parameter "ntlm auth" was "yes" by default. Now it's "no".

I found two workarounds that worked:

- Turning it back to "yes" in my smb.conf.
- Setting LmCompatibilityLevel=3 and restarting the NetLogon Windows service.

The 1st workaround makes it insecure, I guess, and the 2nd one makes it impossible to use the old samba servers I mentioned.

Technet says about LmCompatibilityLevel=1:

> Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it.

Is it a lie? If not, then why is there no attempt to use NTLMv2? I think it's a Samba bug and it's easy to reproduce.
Comment 1 Ilya Basin 2016-12-20 10:19:31 UTC
Created attachment 12774
my smb.conf
Comment 2 Stefan Metzmacher 2016-12-20 11:15:45 UTC
(In reply to Ilya Basin from comment #0)

As far as I know "NTLMv2 session security" is not the same as
NTLMv2 authentication. Using NTLMv1 with "NTLMv2 session security"
just means that the resulting session key is constructed differently,
but the client still provides the NTLMv1 response.

I'm sorry but there's nothing we can do if Windows doesn't allow
different settings per server/connection.
Comment 3 Ilya Basin 2016-12-20 11:22:23 UTC
Do you mean that when a Windows client with LmCompatibilityLevel=1 connects to a Windows server, it's insecure?
Comment 4 Stefan Metzmacher 2016-12-20 11:31:51 UTC
(In reply to Ilya Basin from comment #3)

Yes, it's the same.