Bug 1419 - lmcompatibility setting in WinXP / SAMBA 3.x logon problem
Summary: lmcompatibility setting in WinXP / SAMBA 3.x logon problem
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: ntlm_auth tool (show other bugs)
Version: 3.0.4
Hardware: Sparc Windows XP
Importance: P3 normal
Target Milestone: none
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-02 10:28 UTC by Jeffrey J Basista
Modified: 2004-06-03 06:38 UTC (History)

See Also:


Description Jeffrey J Basista 2004-06-02 10:28:40 UTC
Suppose I set the Samba "lanman auth" and "ntlm auth" to NO.
Only NTLMv2 will be permitted, which is what we want.

Suppose now that on my WinXP SP1 computer I set this value:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
     lmcompatibilitylevel=dword:00000003  (or 4 or 5)

This should prevent me from using LM or NTLM from my XP box.
I'd expect that this would work with Samba, particularly if
I've explicitly shut off "lanman auth" and "ntlm auth".

However, I won't be able to logon to Samba, and Samba's
smbd.log file will show messages like this:

[2004/06/02 13:02:09, 1] auth/auth_server.c:check_smbserver_security(363)
  password server my.DC.address rejected the password

If I change the lmcompatibilitylevel setting back to 0, 1, or 2,
logons are no problem.

I want to say that as long as NTLMv2 is being negotiated,
there's no problem.  The trouble is that we want to enforce
a high setting (3/4/5) of the lmcompatibilitylevel value for
our clients, and we can't do that if Samba isn't happy with
the higher values.
Comment 1 Andrew Bartlett 2004-06-03 06:38:27 UTC
Your password server is rejecting the password; this is not Samba's problem.
NTLMv2 and 'security=server' is probably a dodgy idea anyway...

Don't use 'security=server', use 'security=domain' or 'security=ads'.
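As an added example (not from the report, nor Samba's own code), a small Python audit that parses an smb.conf-style [global] section and the smbd log format quoted above, and flags the combination at issue: NTLMv2-only authentication together with security=server. The smb.conf fragment and log lines are constructed to mirror the report.

```python
import re

# Constructed smb.conf fragment mirroring the reporter's setup (not from the page).
SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = server
    password server = my.DC.address
    lanman auth = no
    ntlm auth = no
"""

# Constructed smbd log lines in the format quoted in the report.
SMBD_LOG = """\
[2004/06/02 13:02:09, 1] auth/auth_server.c:check_smbserver_security(363)
  password server my.DC.address rejected the password
[2004/06/02 13:05:41, 2] smbd/service.c:make_connection(600)
  client connected to share
"""

def parse_global(conf: str) -> dict:
    """Return the [global] parameters as a dict with normalised lower-case keys."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def _is_no(value) -> bool:
    return value is not None and value.lower() in ("no", "false", "0")

def audit_ntlmv2_setup(params: dict) -> list:
    """Flag NTLMv2-only auth (lanman auth = no, ntlm auth = no) combined with security=server."""
    findings = []
    ntlmv2_only = _is_no(params.get("lanman auth")) and _is_no(params.get("ntlm auth"))
    if ntlmv2_only and params.get("security", "").lower() == "server":
        findings.append("security=server with NTLMv2-only auth: pass-through to "
                        f"'{params.get('password server', '?')}' may reject clients at "
                        "lmcompatibilitylevel 3-5; use security=domain or security=ads")
    return findings

# Matches the auth_server.c rejection message quoted in the report.
REJECT_RE = re.compile(r"password server (\S+) rejected the password")

def rejected_password_servers(log: str) -> list:
    """Return the password servers named in 'rejected the password' log lines."""
    return REJECT_RE.findall(log)
```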