The NTLMv2 patch which went into SAMBA_3_0 on September 6th influences mixed mode domain join, resulting in inability to join Samba 3.0 to it. During 'net rpc join' we try both variants of join -- the old one and the new one -- and both fail: one with NT_STATUS_NO_SAM_ACCOUNT and the other with NT_STATUS_WRONG_PASSWORD in an attempt to change the password for the newly created machine account. When I remove this patch and set client ntlmv2 auth = False, the join happens successfully. Native mode and NT4 domain joins work with and without this patch. It is only the mixed mode W2K join that fails.
This looks like the result of incorrect 'sealing' of the proposed password in the join process. I suspect we are using the 'incorrect' session key, and I'm investigating what the correct one would be.
This looks like an NTLMSSP issue, rather than an NTLMv2 issue. I have a patch that seems to resolve the situation, and as a bonus appears to match the win2k traces I have.
Created attachment 139: Always negotiate to 'sign' in NTLMSSP for SMB connections. This patch matches the win2k negotiation flags by always negotiating to sign. This seems to 'open up' the session key for use.
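The comparison described in the comment above (a client's NTLMSSP negotiate flags checked against a reference trace), as an added example that is not part of the attached patch or of any commenter's code. The flag values follow the NTLMSSP specification (MS-NLMP); the helper names and both sample messages are constructed for illustration.

```python
import struct

# Flag values from the NTLMSSP specification (MS-NLMP, NegotiateFlags).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
}

def negotiate_flags(msg: bytes) -> int:
    """Return NegotiateFlags from an NTLMSSP NEGOTIATE (type 1) message."""
    if len(msg) < 16 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError(f"expected NEGOTIATE (1), got type {msg_type}")
    return flags

def flag_names(flags: int) -> list:
    """Names of the known flags set in a NegotiateFlags value, lowest bit first."""
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]

def missing_from(ours: bytes, reference: bytes) -> list:
    """Flags the reference client requests that our client does not."""
    return flag_names(negotiate_flags(reference) & ~negotiate_flags(ours))

def build_negotiate(flags: int) -> bytes:
    """Constructed type 1 message: header, flags, empty domain/workstation fields."""
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16

# Constructed sample flag sets, not taken from real Samba or win2k traces.
OURS = build_negotiate(0x00000001 | 0x00000004 | 0x00000200 | 0x00080000)
REFERENCE = build_negotiate(0x00000001 | 0x00000004 | 0x00000010 | 0x00000200
                            | 0x00008000 | 0x00080000)

if __name__ == "__main__":
    print("missing:", missing_from(OURS, REFERENCE))
```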
Ok, I've done testing on this and it definitely fixes the problem of joining mixed-mode domains. The problem is what effect it will have elsewhere.... Hmmmm. Andrew, can you comment? Jeremy.
Applied a similar version of this patch. Should be fixed. Needs testing! Jeremy.
*** Bug 367 has been marked as a duplicate of this bug. ***
*** Bug 467 has been marked as a duplicate of this bug. ***
Originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.