  1. #1
    Just Joined!
    Join Date
    Feb 2011
    Posts
    4

    Samba ntlmv2 and 128bit -- how to make it work

    Hi Folks,

    How do I make ntlmv2 and 128 bit encryption work with Samba? I.e. I have a Win 2008/Win7/Vista box with standard settings, i.e. forced using ntlmv2 and 128 bit encryption, that I want to connect to a Linux server running Samba (RHEL6 in this case).

    Now if you google it, it says Samba should support ntlmv2 with settings like this:

    lanman auth = no
    ntlm auth = no
    client lanman auth = no
    client ntlmv2 auth = yes

    However even with 128 bit encryption turned off on the Win box it still doesn't work. We use "security = server". Is it maybe a requirement that we need to use security domain instead for ntlmv2 to work?

    Reading further in man smb.conf.5 "client ntlmv2 auth = yes" is "This parameter determines whether or not smbclient will attempt to authenticate itself to servers using the NTLMv2 encrypted password response." so clearly it's not affecting our samba server.

    Reading even further in man smb.conf.5 it says "If this option (lanman auth), and ntlm auth are both disabled, then only NTLMv2 logins will be permited". Why is it then that you need to force NTLM auth in Win2008?

    Ah found the answer:

    NTLMv2 is only compatible with "security=domain". This means that even if you set "lanman auth=no", and "ntlm auth=no" it will still only auth with NTLM... Here is the Q from Andrew Bartlett * "Use 'security=domain'. NTLM2 session security is not compatible with 'security=server'."

    In order to use "security=domain" you need to use the net command to join the windows domain and for that you will need the AD administrator account password which you will most likely not have.

    However the question still remains: if you were to join the domain, would NTLMv2 work over 128 bit encryption or would you need to disable that one still?

    Cheers Dyna

  2. #2
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,695
    Samba 3.4.7 (Ubuntu Server LTS 10.04) + security=ADS and joined to a Win2003 domain...

    Win7 and Win2008R2 clients can connect to a Samba share *without* modifying the LANManager permissions on the clients.
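
Added example, not part of either post and not Samba's own code: a small Python check that reads the [global] section of an smb.conf and reports the three points raised in the thread (security=server, whether lanman/ntlm auth are disabled, and client-only parameters). The sample config and the finding codes are constructed for illustration.

```python
import re

# Constructed sample: the [global] settings described in the first post.
SAMPLE_SMB_CONF = """\
[global]
    security = server
    lanman auth = no
    ntlm auth = no
    client lanman auth = no
    Client NTLMv2 Auth = yes
[share]
    ntlm auth = yes
"""

def parse_global(text):
    """Return [global] parameters as {normalised name: lowercased value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params["".join(name.split()).lower()] = value.strip().lower()
    return params

def audit(text):
    """Return a list of (code, message) findings for an NTLMv2-only setup."""
    p, findings = parse_global(text), []
    if p.get("security") == "server":
        findings.append(("SECURITY_SERVER",
            "security=server: not compatible with NTLM2 session security "
            "(per the quote in the thread); use security=domain"))
    for name in ("lanmanauth", "ntlmauth"):
        if p.get(name) not in ("no", "false", "0"):
            findings.append(("LEGACY_AUTH_ALLOWED",
                f"{name} is not explicitly disabled; the version default applies"))
    client_only = sorted(k for k in p if k.startswith("client"))
    if client_only:
        findings.append(("CLIENT_ONLY",
            f"{client_only} affect smbclient only, not what the server accepts"))
    return findings

if __name__ == "__main__":
    for code, message in audit(SAMPLE_SMB_CONF):
        print(f"{code}: {message}")
```
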
