Bug 6204 - Enforced NTLMv2 causes smbclient authentication to fail
Status: RESOLVED INVALID
Product: Samba 3.3
Classification: Unclassified
Component: Client tools
Version: 3.3.2
Hardware: x86 Windows 2003
Importance: P3 major
Target Milestone: ---
Assigned To: Michael Adam
QA Contact: Samba QA Contact
Reported: 2009-03-21 14:06 UTC by voiperster
Modified: 2009-09-02 17:07 UTC (History)
Description voiperster 2009-03-21 14:06:51 UTC
If NTLMv2 is enforced by LMCompatibilityLevel set to 5, and client ntlmv2 auth = yes has not been set (default is Globals.bClientNTLMv2Auth = False; /* Client should not use NTLMv2, as we can't tell that the server supports it. */) then Samba will not authenticate.

INFO: Current debug levels:
  all: True/5
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
  registry: False/0
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = TESTDOMAIN
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = ads
doing parameter realm = TESTDOMAIN.COM
doing parameter encrypt passwords = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind use default domain = yes
doing parameter winbind separator = /
doing parameter winbind nested groups = yes
doing parameter winbind refresh tickets = true
doing parameter winbind nss info = rfc2307
doing parameter use kerberos keytab = yes
doing parameter idmap config TESTDOMAIN : backend = ad
doing parameter idmap config TESTDOMAIN : range = 10000-999999
doing parameter idmap config TESTDOMAIN : schema_mode = rfc2307
doing parameter winbind offline logon = yes
doing parameter template homedir = /home/%U
pm_process() returned Yes
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=X bcast=X:ffff:ffff:ffff:ffff netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=X bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.0.7 bcast=192.168.0.255 netmask=255.255.255.0
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="EL5"
Client started (version 3.3.2).
Opening cache file at /var/lib/samba/gencache.tdb
tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only.
sitename_fetch: Returning sitename for TESTDOMAIN.COM: "SITE1"
no entry for dc1#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name dc1<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
resolve_wins: Attempting wins lookup for name dc1<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name dc1<0x20>
namecache_store: storing 1 address for dc1#20: 192.168.0.4
Connecting to 192.168.0.4 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 1
socket option TCP_KEEPCNT = 9
socket option TCP_KEEPIDLE = 7200
socket option TCP_KEEPINTVL = 75
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 16384
socket option SO_RCVBUF = 87380
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
 session request ok
size=175
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=32067
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]=    9 (0x9)
smb_vwv[ 1]=12807 (0x3207)
smb_vwv[ 2]=  256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]=   17 (0x11)
smb_vwv[ 5]=    0 (0x0)
smb_vwv[ 6]=  256 (0x100)
smb_vwv[ 7]=    0 (0x0)
smb_vwv[ 8]=    0 (0x0)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]=  499 (0x1F3)
smb_vwv[11]=12416 (0x3080)
smb_vwv[12]=13890 (0x3642)
smb_vwv[13]=27340 (0x6ACC)
smb_vwv[14]=51622 (0xC9A6)
smb_vwv[15]=41985 (0xA401)
smb_vwv[16]=    1 (0x1)
smb_bcc=106
size=175
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=32067
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]=    9 (0x9)
smb_vwv[ 1]=12807 (0x3207)
smb_vwv[ 2]=  256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]=   17 (0x11)
smb_vwv[ 5]=    0 (0x0)
smb_vwv[ 6]=  256 (0x100)
smb_vwv[ 7]=    0 (0x0)
smb_vwv[ 8]=    0 (0x0)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]=  499 (0x1F3)
smb_vwv[11]=12416 (0x3080)
smb_vwv[12]=13890 (0x3642)
smb_vwv[13]=27340 (0x6ACC)
smb_vwv[14]=51622 (0xC9A6)
smb_vwv[15]=41985 (0xA401)
smb_vwv[16]=    1 (0x1)
smb_bcc=106
Doing spnego session setup (blob length=106)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=dc1$@TESTDOMAIN.COM
size=410
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=32067
smb_uid=55296
smb_mid=2
smt_wct=4
smb_vwv[ 0]=  255 (0xFF)
smb_vwv[ 1]=  410 (0x19A)
smb_vwv[ 2]=    0 (0x0)
smb_vwv[ 3]=  227 (0xE3)
smb_bcc=367
size=410
smb_com=0x73
smb_rcls=22
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=32067
smb_uid=55296
smb_mid=2
smt_wct=4
smb_vwv[ 0]=  255 (0xFF)
smb_vwv[ 1]=  410 (0x19A)
smb_vwv[ 2]=    0 (0x0)
smb_vwv[ 3]=  227 (0xE3)
smb_bcc=367
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP challenge set by NTLM2
challenge is:
[000] DB DB CB 5D EC FE A9 86                           ...]....
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=32067
smb_uid=55296
smb_mid=3
smt_wct=0
smb_bcc=0
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=32067
smb_uid=55296
smb_mid=3
smt_wct=0
smb_bcc=0
SPNEGO login failed: Logon failure
Comment 1 Michael Adam 2009-05-17 18:08:00 UTC
Yes, right, if you want Samba, as a client, to use NTLMv2 authentication, you need to set "client ntlmv2 auth = yes" in smb.conf.

Sorry, but I don't see the bug here.

Michael
Comment 2 Guenther Deschner 2009-09-02 17:07:39 UTC
Yes, this is not a bug. The only chance we could automatically set the correct client side ntlmv2 auth while being a member in AD would be via Group Policy. This would be an enhancement though. Closing as not a bug.
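
The mismatch discussed in this report, as an added example (not Samba code and not from the bug's participants): a small audit that reads the `client ntlmv2 auth` setting from smb.conf and checks it against a domain controller's LmCompatibilityLevel. It goes beyond the reported case by covering levels 0-5, and it labels every non-NTLMv2 response, including the NTLM2 session response seen in the log, as "NTLM". The function names and the sample configurations are assumptions made for illustration.

```python
# Added example: audit smb.conf against a DC's LmCompatibilityLevel.
TRUE_VALUES = {"yes", "true", "on", "1"}   # spellings smb.conf treats as true

def normalise(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(name.split()).lower()

def global_params(text):
    """Return {normalised name: value} from the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[normalise(name)] = value.strip()   # last setting wins
    return params

def client_response(text):
    # Default "no" is the Samba 3.3 default quoted in this report.
    value = global_params(text).get("clientntlmv2auth", "no")
    return "NTLMv2" if value.lower() in TRUE_VALUES else "NTLM"

def dc_accepts(level):
    # Level 5 refuses LM and NTLM, level 4 refuses LM, 0-3 accept all three.
    accepted = {"NTLMv2"}
    if level <= 4:
        accepted.add("NTLM")
    if level <= 3:
        accepted.add("LM")
    return accepted

def audit(text, dc_level):
    """Return (response the client will send, whether the DC accepts it)."""
    response = client_response(text)
    return response, response in dc_accepts(dc_level)

# Constructed samples, based on parameters visible in the debug log above.
AS_REPORTED = "[global]\n  workgroup = TESTDOMAIN\n  security = ads\n"
CORRECTED = AS_REPORTED + "  Client NTLMv2 Auth = Yes\n"

if __name__ == "__main__":
    for label, conf in (("as reported", AS_REPORTED), ("corrected", CORRECTED)):
        response, ok = audit(conf, dc_level=5)
        print(f"{label}: sends {response}, DC at level 5 accepts: {ok}")
```

Run against each client's smb.conf before raising LmCompatibilityLevel on the domain controllers, so that clients still on the default are found ahead of the logon failures.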