samba - Nov 2017 - Samba4 server is not accessible for logon from Windows 2008R2 SP1.

I discovered the situation.
When attempting to logon from Windows 2008R2 to Samba4 is made we can see
in Samba smbd log the following important for understanding the situation
lines:

[2017/11/20 13:25:52.040094,  2, pid=7100, effective(0, 0), real(0, 0)]
../libcli/auth/ntlm_check.c:430(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user <username>
[2017/11/20 13:25:52.040110,  3, pid=7100, effective(0, 0), real(0, 0)]
../libcli/auth/ntlm_check.c:437(ntlm_password_check)
  ntlm_password_check: NEITHER LanMan nor NT password supplied for user
<username>

It tell us that Samba4 doesn't wany to accept NTLMv1 authentication.

So, it is easy to solve (as was in my case) .
You should put to smb.conf to
[general] section the followng line:
ntlm auth = yes


also I set max protocol = SMB3
but I think that it is not important for this case.

After changing smb.conf restarting of Samba4 services are necessary.

So I can mark the topic as Solved !





2017-11-19 17:47 GMT+03:00 CpServiceSPb . <cpservicespb at gmail.com>:
> There is Samba4 4.7.2 acting as standalone server on Ubuntu 14.04.x64.
> Also there is Windwos 2008R2 SP1 acting as DC in the same network.
> And also Windows XP/7 are in this network.
> Logon to Samba4 is accessible from Windows XP and Windowx 7 but not
> accessible from Windos 2008R2.
> As logon to Windows clients is accessible from Windows 2008R2.
> Username and password is asked by Samba and provided from Windows 2008R2
> during logon to Samba4 server but it asks username/password again and again
> and not accept provided one.
> That is logon is unsuccessfull.
> The same situation was with Samba4 beginning from 450 version.
> Regarding versions prior, don' t remember exactly.
> What is the way to solve issue ?
>
>
>

On Mon, 20 Nov 2017 22:45:08 +0300
"CpServiceSPb . via samba" <samba at lists.samba.org> wrote:
> I discovered the situation.
> When attempting to logon from Windows 2008R2 to Samba4 is made we can
> see in Samba smbd log the following important for understanding the
> situation lines:
> 
> [2017/11/20 13:25:52.040094,  2, pid=7100, effective(0, 0), real(0,
> 0)] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
>   ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user
> <username> [2017/11/20 13:25:52.040110,  3, pid=7100, effective(0,
> 0), real(0, 0)] ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
>   ntlm_password_check: NEITHER LanMan nor NT password supplied for
> user <username>
> 
> It tell us that Samba4 doesn't wany to accept NTLMv1 authentication.
> 
> So, it is easy to solve (as was in my case) .
> You should put to smb.conf to
> [general] section the followng line:
> ntlm auth = yes
> 
> 
> also I set max protocol = SMB3
> but I think that it is not important for this case.
> 
> After changing smb.conf restarting of Samba4 services are necessary.
> 
> So I can mark the topic as Solved !
The correct cure is to make your 2008R2 use NTLMv2 instead of NTLMv1
Or rather, find out why your 2008R2 server isn't using NTLMv2 by
default.

The default for 'ntlm auth' was changed from 'yes' to
'no' for a reason.

Rowland

2017-11-21 0:17 GMT+03:00 Rowland Penny <rpenny at samba.org>:
> On Mon, 20 Nov 2017 22:45:08 +0300
> "CpServiceSPb . via samba" <samba at lists.samba.org>
wrote:
>
> > I discovered the situation.
> > When attempting to logon from Windows 2008R2 to Samba4 is made we can
> > see in Samba smbd log the following important for understanding the
> > situation lines:
> >
> > [2017/11/20 13:25:52.040094,  2, pid=7100, effective(0, 0), real(0,
> > 0)] ../libcli/auth/ntlm_check.c:430(ntlm_password_check)
> >   ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user
> > <username> [2017/11/20 13:25:52.040110,  3, pid=7100,
effective(0,
> > 0), real(0, 0)] ../libcli/auth/ntlm_check.c:437(ntlm_password_check)
> >   ntlm_password_check: NEITHER LanMan nor NT password supplied for
> > user <username>
> >
> > It tell us that Samba4 doesn't wany to accept NTLMv1
authentication.
> >
> > So, it is easy to solve (as was in my case) .
> > You should put to smb.conf to
> > [general] section the followng line:
> > ntlm auth = yes
> >
> >
> > also I set max protocol = SMB3
> > but I think that it is not important for this case.
> >
> > After changing smb.conf restarting of Samba4 services are necessary.
> >
> > So I can mark the topic as Solved !
>
> The correct cure is to make your 2008R2 use NTLMv2 instead of NTLMv1
> Or rather, find out why your 2008R2 server isn't using NTLMv2 by
> default.
>
> The default for 'ntlm auth' was changed from 'yes' to
'no' for a reason.
>
> Rowland
>
I make agree with your statements, thatit would be better to use NTLMv2
instead of NTLMv1.
I made additional discovering included Sammba4 and Windows 2008R2 settings
and got working interaction between Samba4 and Windows 2008R2 using NTLMv2
from Windows side.
The following parameters have to be set to the followong values:
Samba4 side - smd.conf -> [Global] section -> ntlm auth = no or remove
ntlm
auth at all
Windows 2008R2 side - either Local Policies -> Security Options ->
"Network
Security: LAN Manager authentication level" = "Send NTLMv2 response
only.
Refuse LM & NTLM" or
registry->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
= 5,
if there is no LmCompatibilityLevel at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,
create it with REG_DWORD type.

Then restart Samba4 and reboot Windows 2008R2.

May be this put to Samba4 docs or faq ?