Suppose I set the Samba "lanman auth" and "ntlm auth" to NO. Only NTLMv2 will be permitted, which is what we want.

Suppose now that on my WinXP SP1 computer I set this value:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    lmcompatibilitylevel=dword:00000003 (or 4 or 5)

This should prevent me from using LM or NTLM from my XP box. I'd expect that this would work with Samba, particularly if I've explicitly shut off "lanman auth" and "ntlm auth". However, I won't be able to logon to Samba, and Samba's smbd.log file will show messages like this:

    [2004/06/02 13:02:09, 1] auth/auth_server.c:check_smbserver_security(363)
      password server my.DC.address rejected the password

If I change the lmcompatibilitylevel setting back to 0, 1, or 2, logons are no problem. I want to say that as long as NTLMv2 is being negotiated, there's no problem. The trouble is that we want to enforce a high setting (3/4/5) of the lmcompatibilitylevel value for our clients, and we can't do that if Samba isn't happy with the higher values.

Your password server is rejecting the password; this is not Samba's problem. NTLMv2 and 'security=server' is probably a dodgy idea anyway... Don't use 'security=server', use 'security=domain' or 'security=ads'.
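
An added example, not part of the original thread and not Samba's own code: a small Python check that reads the [global] section of an smb.conf and reports on the three settings discussed above. The sample configuration is constructed from the question's description, the function names are hypothetical, and only an explicit boolean "no" is treated as disabling LM or NTLM.

```python
import re

# Constructed sample, mirroring the setup described in the thread.
SAMPLE_CONF = """\
[global]
    security = server
    password server = my.DC.address
    Lanman Auth = No
    ntlm auth = no
; a comment line
"""

# Boolean spellings accepted here as "off" (assumption: the yes/no form used on this page).
FALSE_WORDS = {"no", "false", "0", "off"}


def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()


def read_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params


def audit(text):
    """Return findings for the settings discussed in this thread."""
    p = read_global(text)
    findings = []
    for key, label in (("lanmanauth", "LM"), ("ntlmauth", "NTLM")):
        # Assumption: unset counts as enabled, since defaults differ between versions.
        if p.get(key, "").lower() not in FALSE_WORDS:
            findings.append(f"{label} responses not explicitly disabled")
    if p.get("security", "").lower() == "server":
        findings.append("security = server in use; reply advises domain or ads")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```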