I have been trying to get an XP machine to logon to a samba (2.2.4-3) installation for the past week. I am using local logons for the samba server and having it prompt me for a username and password (silly I know) when I access the samba box. I just kept getting a logon dialog box back with the "domain\username and the password" back. I searched for a solution and found the registry mods that are commonly suggested but with little success. I had noticed a message in the "system log" on the XP machine: the error messages below, generated by the LsaSrv (Local Security Authority Server's) process.

LOG MESSAGES:
The Security System detected an attempted downgrade attack for server cifs/Bncsrvweb02. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

and

The Security System could not establish a secured connection with the server cifs/Bncsrvweb02. No authentication protocol was available.

So I ran C:\WINNT\SYSTEM32\gpedit.msc from "start -> run -> cmd" and found that the following key was set to "Send NTLMv2 response only\refuse LM & NTLM".

Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security:Lan Manager Authentication level

I changed it to "Send LM & NTLM responses", opened a cmd prompt "start -> run -> cmd", ran gpupdate and tried to access the share again, and I was finally able to logon to the Samba server. I changed it back to the original setting and duplicated the original error message and once again could not connect to the samba share, so I'm reasonably sure that was my issue.

This may be an obvious fix but I could not find it on the message list so I thought I would post it before someone else ran into this issue and lost sleep over it like I did.

FYI: The problem occurred after a security audit which led to a tighter implementation of Group Policies for the 2K Domain.

Rob H.
r.hilligoss@base-net.com
IT Security Analyst
Base-Net Corporation
http://www.bnservice.com
Andrew Bartlett
2003-Feb-23 22:20 UTC
[Samba] XP logon to Samba in a AD Domain environment
On Mon, 2003-02-24 at 08:08, sme_stuff wrote:
> I have been trying to get an XP machine to logon to a samba (2.2.4-3)
> installation for the past week. I am using local logons for the samba
> server and having it prompt me for a username and password (silly I
> know) when I access the samba box. I just kept getting a logon dialog
> box back with the "domain\username and the password" back. I searched
> for a solution and found the registry mods that are commonly suggested
> but with little success. I had noticed a message in the "system log"
> on the XP machine the error messages below generated by the LsaSrv
> (Local Security Authority Server's) process.
>
> LOG MESSAGES:
> The Security System detected an attempted downgrade attack for server
> cifs/Bncsrvweb02. The failure code from authentication protocol
> Kerberos was "There are currently no logon servers available to
> service the logon request. (0xc000005e)".
>
> and
>
> The Security System could not establish a secured connection with the
> server cifs/Bncsrvweb02. No authentication protocol was available.

If this machine was in a domain, then this would all 'just work', as Windows will send not only the 'NTLMv2' response, but also the 'LMv2' response - which 'looks' like a pretty standard logon attempt to Samba, and is passed right along.

In any case, NTLMv2 is fully supported in Samba HEAD/3.0, with some particular fixes for local accounts in current CVS, but not in alpha releases yet (will appear in alpha22).

Samba 3.0 also supports kerberos and Active Directory domain membership, which is *much* better than NTLM, if you can get it to work. (MS will silently downgrade to NTLM if things are not exactly right.)
Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net