samba - Nov 2007 - force ntlm

Hi

We have a problem with the one way trusts between the DEV and PROD
domains (Windows 2003). Microsoft told me to use NTLM instead of
kerberos.

Is there a way to force samba to use NTLM (or NTLMv2) instead of kerberos?

Regards
Urs

Urs Golla wrote:
> 
> Is there a way to force samba to use NTLM (or NTLMv2) instead of kerberos?
> 
While the man page doesn't explicitly say that NTLM is used instead of 
kerberos; I believe the intent of this setting is to have samba talk 
with AD using only NT4 domain member style communications (RPC and NTLM) 
and not ADS style communications (LDAP and kerberos).  It's worth trying 
if you haven't already.

 From man smb.conf:

winbind rpc only (G)

     Setting this parameter to yes forces winbindd to use RPC instead of 
LDAP to retrieve information from Domain Controllers.

     Default: winbind rpc only = no

Neal

Hi Neal

I get "Unknown parameter encountered: "winbind rpc only""

I have samba 3.0.26.a-35


cheers
Urs

On 11/16/07, Neal A. Lucier <nlucier@math.purdue.edu>
wrote:
> Urs Golla wrote:
> >
> > Is there a way to force samba to use NTLM (or NTLMv2) instead of
kerberos?
> >
>
> While the man page doesn't explicitly say that NTLM is used instead of
> kerberos; I believe the intent of this setting is to have samba talk
> with AD using only NT4 domain member style communications (RPC and NTLM)
> and not ADS style communications (LDAP and kerberos).  It's worth
trying
> if you haven't already.
>
>  From man smb.conf:
>
> winbind rpc only (G)
>
>     Setting this parameter to yes forces winbindd to use RPC instead of
> LDAP to retrieve information from Domain Controllers.
>
>     Default: winbind rpc only = no
>

Hi

Thanks for your advice, but it is still using kerbers (--> Server not
found in Kerberos database).

My smb.conf looks like that:

[global]
        workgroup = DOMAINA
        realm = DOMAIN.BLA.BLUB
        server string = Samba Server
        security = ADS
        auth methods = winbind
        password server = server1, server2
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        preferred master = No
        dns proxy = No
        wins server = x.x.x.x
        idmap backend = ad
        idmap uid = 500-33554431
        idmap gid = 500-33554431
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307




On Nov 19, 2007 11:00 AM, Warren Beldad <advisory22@gmail.com>
wrote:
> Hi,
>
> use the parameter "client ntlmv2 auth", by default it is set to
no.
> If enabled, samba will sent only NTLMv2 responses.
> please have a look on its man page...
>
> thanks,
> warren
>
>
> On Nov 19, 2007 4:49 PM, Urs Golla <urs.golla@gmail.com> wrote:
> > Is there really no way to tell winbind to use ntlm for "security
> > ads" with samba 3.0.26? The man pages say that it should work
like
> > that... wrong information in the man pages?
> >
> > cheers
> > urs
> >
> >
> > On 11/18/07, Neal A. Lucier <nlucier@math.purdue.edu> wrote:
> > > The parameter/feature is being introduced in 3.2.0, sorry I
thought it
> > > came with 3.0.26.
> > >
> > > Neal
> > >
> > > Urs Golla wrote:
> > > > Hi Neal
> > > >
> > > > I get "Unknown parameter encountered: "winbind rpc
only""
> > > >
> > > > I have samba 3.0.26.a-35
> > > >
> > > >
> > > > cheers
> > > > Urs
> > > >
> > > > On 11/16/07, Neal A. Lucier <nlucier@math.purdue.edu>
wrote:
> > > >> Urs Golla wrote:
> > > >>> Is there a way to force samba to use NTLM (or
NTLMv2) instead of kerberos?
> > > >>>
> > > >> While the man page doesn't explicitly say that NTLM
is used instead of
> > > >> kerberos; I believe the intent of this setting is to
have samba talk
> > > >> with AD using only NT4 domain member style
communications (RPC and NTLM)
> > > >> and not ADS style communications (LDAP and kerberos). 
It's worth trying
> > > >> if you haven't already.
> > > >>
> > > >>  From man smb.conf:
> > > >>
> > > >> winbind rpc only (G)
> > > >>
> > > >>     Setting this parameter to yes forces winbindd to use
RPC instead of
> > > >> LDAP to retrieve information from Domain Controllers.
> > > >>
> > > >>     Default: winbind rpc only = no
> > > >>
> > >
> > >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/listinfo/samba
> >
>

Am Donnerstag, den 13.12.2007, 16:38 +0100 schrieb Urs
Golla:
> Hi
> 
> Thanks for your advice, but it is still using kerbers (--> Server not
> found in Kerberos database).
I had this Porblem a few minutes ago. (with kerberos authenticated
login)

Have a look at /etc/krb5.keytab

I moved it away and login worked...

(I did not read the thread, just this message)

Regards
Sebastian Ries

-- 
------------------------------------------------------------
DT Netsolution GmbH -  Talaeckerstr. 30 -  D-70437 Stuttgart
Tel: +49-711-849910-36               Fax: +49-711-849910-936
WEB: http://www.dtnet.de/     email: Sebastian.Ries@dtnet.de