Bug 1419 - lmcompatibility setting in WinXP / SAMBA 3.x logon problem
lmcompatibility setting in WinXP / SAMBA 3.x logon problem
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: ntlm_auth tool
3.0.4
Sparc Windows XP
: P3 normal
: none
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-06-02 10:28 UTC by Jeffrey J Basista
Modified: 2004-06-03 06:38 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeffrey J Basista 2004-06-02 10:28:40 UTC
Suppose I set the Samba "lanman auth" and "ntlm auth" to NO.
Only NTLMv2 will be permitted, which is what we want.

Suppose now that on my WinXP SP1 computer I set this value:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
     lmcompatibilitylevel=dword:00000003  (or 4 or 5)

This should prevent me from using LM or NTLM from my XP box.
I'd expect that this would work with Samba, particularly if
I've explicitly shut off "lanman auth" and "ntlm auth".

However, I won't be able to logon to Samba, and Samba's
smbd.log file will show messages like this:

[2004/06/02 13:02:09, 1] auth/auth_server.c:check_smbserver_security(363)
  password server my.DC.address rejected the password

If I change the lmcompatibilitylevel setting back to 0,1, or 2,
logons are no problem.

I want to say that as long as NTLMv2 is being negotiated,
there's no problem.  The trouble is that we want to enforce
a high setting (3/4/5) of the lmcompatibilitylevel value for
our clients, and we can't do that if Samba isn't happy with
the higher values.
Comment 1 Andrew Bartlett 2004-06-03 06:38:27 UTC
Your password server is rejecting the password, this is not Samba's problem. 
NTLMv2 and 'secruity=server' is probably a dodgy idea anyway...

Don't use 'security=server', use 'security=domain' or 'security=ads'.