Hi folks,
I have been asked to force NTLMv2 logins to avoid use of LM hashes.
To meet the requirement I added some lines to the smb.conf in [Global] (we
only have that section anyway - this is purely for domain authentication
with an ldap backend):
client lanman auth = no
client NTLMv2 auth = yes
lanman auth = no
min protocol = LANMAN2
ntlm auth = no
This seemed to work - users could log in and doing a tcpdump showed that the
dialogue was different with NTLMSSP appearing.
There was a problem though: Citrix users got locked out, so I changed a
registry setting on all Windows PCs and the Citrix server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel
was set to 3 and the Citrix machine rebooted.
We found that it didn't help with the Citrix problem so we reverted the
samba change.
All back to normal - Citrix users are happy.
Later, we found that some new laptops couldn't join the domain - reverting
the samba change made that work too.
Hunting around for info has proved fruitless so far.
The problem is that the change is required.
Does anyone have experience of this?
Or know of any useful docs?
mtia
Q
FYI
Samba 3.0.23c
Clients are a Win 2003 Server with Citrix and some XP Pro desktops
(including some laptops).
RHEL AS 4u5
smb.conf:
[global]
dos charset = 850
unix charset = ISO8859-1
workgroup = MYCO
netbios name = MYCO-PDC
server string = Samba Server
interfaces = bond0
passdb backend = ldapsam:"ldaps://pri-ldap:636"
passwd program = /usr/sbin/ldap_userPassword_change %u
passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *Result**Success****
check password script = /sbin/crackcheck -c -d /usr/lib/cracklib_dict
unix password sync = Yes
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 2
syslog = 0
log file = /var/log/samba/%m.log
max log size = 100000
min protocol = LANMAN2
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
printcap name = /dev/null
disable spoolss = Yes
show add printer wizard = No
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 1 -w "%m"
logon path = ""
logon home = ""
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=rdn,dc=myco,dc=co,dc=uk
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=myco,dc=co,dc=uk
ldap user suffix = ou=Users
idmap backend = ldap:ldaps://pri-ldap:636
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
max print jobs = 0
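An added example (my own code, not from the post or the Samba project) that reads smb.conf the way Samba keys its parameters and checks which NTLM response types the server will verify against what a Windows client at a given LmCompatibilityLevel sends; the defaults used for parameters missing from the file are an assumption for Samba 3.0-era builds.

```python
import re

# Constructed sample: the auth-related [global] lines from the post above.
SAMPLE_SMB_CONF = """
[global]
   workgroup = MYCO
   lanman auth = No
   ntlm auth = No
   client NTLMv2 auth = Yes
   client lanman auth = No
"""

# Assumed Samba 3.0-era defaults for parameters absent from smb.conf;
# confirm with `testparm -v` on the version actually deployed.
SERVER_DEFAULTS = {"lanmanauth": True, "ntlmauth": True}

# What a Windows client sends for each LmCompatibilityLevel value (0-5).
CLIENT_SENDS = {
    0: {"LM", "NTLMv1"}, 1: {"LM", "NTLMv1"}, 2: {"NTLMv1"},
    3: {"NTLMv2"}, 4: {"NTLMv2"}, 5: {"NTLMv2"},
}

def parse_smb_conf(text):
    """Return {section: {key: value}}. Samba ignores case and whitespace in
    parameter names, so 'NTLM Auth' and 'ntlmauth' are the same key."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s", "", key).lower()] = value.strip()
    return conf

def as_bool(value, default):
    return default if value is None else value.lower() in ("yes", "true", "1")

def server_accepts(conf):
    """Response types the Samba server will verify; NTLMv2 is always accepted."""
    g = conf.get("global", {})
    accepted = {"NTLMv2"}
    if as_bool(g.get("lanmanauth"), SERVER_DEFAULTS["lanmanauth"]):
        accepted.add("LM")
    if as_bool(g.get("ntlmauth"), SERVER_DEFAULTS["ntlmauth"]):
        accepted.add("NTLMv1")
    return accepted

def client_can_logon(conf, lm_compat_level):
    """True if a client at this LmCompatibilityLevel sends a response type
    the server is configured to verify."""
    return bool(CLIENT_SENDS[lm_compat_level] & server_accepts(conf))
```

With the post's settings a client at level 2 (NTLMv1 only) is refused while level 3 (NTLMv2) succeeds, so this is the check to run against every client's level before `ntlm auth = no` goes live on the domain controller.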