Bryan Henderson <bryanh <at> giraffe-data.com> writes:
>
> Are there multiple ways that Windows clients encrypt passwords?
With more tracing and web searching, I found the answer: yes. But not in
the way the Samba log messages suggest.
The client can do at least 3 forms of authentication: original Lanman, NTLM
Version 1, and NTLM Version 2.
> I'm seeing
> different behavior between two clients. ...
> The only relevant difference I can think of between the systems is that the
> working system is Windows XP and the failing one is Windows 7.
That was the difference. Windows XP by default does NTLMv1, while Windows
7 does NTLMv2. Astonishingly, the client does not ask the server if it
knows NTLMv2 before using it. My old Samba server does not.
The structure of Samba made it impossible to tell from the log messages
that this was the problem. Samba did notice that what was supposed to be
an NTLMv1 challenge response wasn't one; where the log messages showed it
validating an NTLMv1 response, it was really, by design, validating the
Lanman response field from the same message, as an NTLMv1 response, which
of course failed.
I found out that manipulating the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel
on the Windows 7 client makes it use NTLMv1, and it then works as well as
Windows XP.
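
The field sizes behind the failure described above, as an added example that is not part of the original post and not Samba's code: it builds the two response fields an NTLMv2 client sends (per the published NTLM specification) and shows which one a server that only accepts 24-byte responses would end up validating. The function names, the NT hash, the challenges and the user and domain names are constructed for illustration, and the length-based fallback is an assumption about how such a server chooses the field.

```python
import hashlib
import hmac
import struct

V1_LEN = 24  # LM and NTLMv1 responses are always exactly 24 bytes

def ntlmv2_fields(nt_hash, user, domain, server_chal, client_chal, timestamp):
    """Build the (LM field, NT field) pair an NTLMv2 client sends."""
    ident = (user.upper() + domain).encode("utf-16-le")
    key = hmac.new(nt_hash, ident, hashlib.md5).digest()
    # Blob: version bytes, reserved, timestamp, client challenge, reserved,
    # an empty AV-pair list (MsvAvEOL only), reserved.
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_chal + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)
    proof = hmac.new(key, server_chal + blob, hashlib.md5).digest()
    lmv2 = hmac.new(key, server_chal + client_chal, hashlib.md5).digest()
    return lmv2 + client_chal, proof + blob

def classify(lm_field, nt_field):
    """Guess the client's authentication form from the field sizes alone."""
    if len(nt_field) > V1_LEN:
        return "NTLMv2"
    if len(nt_field) == V1_LEN:
        return "NTLMv1"
    if not nt_field and len(lm_field) == V1_LEN:
        return "LM"
    return "unknown"

def v1_only_server_checks(lm_field, nt_field):
    """Field a server limited to 24-byte responses would try to validate."""
    if len(nt_field) == V1_LEN:
        return "nt"
    if len(lm_field) == V1_LEN:
        return "lm"  # with an NTLMv2 client this is really an LMv2 response
    return None

# Constructed sample values, not taken from any real session.
NT_HASH = bytes(range(16))
SERVER_CHAL = bytes.fromhex("0123456789abcdef")
CLIENT_CHAL = bytes.fromhex("aaaaaaaaaaaaaaaa")
LM_FIELD, NT_FIELD = ntlmv2_fields(NT_HASH, "user", "WORKGROUP",
                                   SERVER_CHAL, CLIENT_CHAL, 0)

if __name__ == "__main__":
    print(len(LM_FIELD), len(NT_FIELD), classify(LM_FIELD, NT_FIELD),
          v1_only_server_checks(LM_FIELD, NT_FIELD))
```

Because the LMv2 response is the same 24 bytes long as an LM or NTLMv1 response, the mismatch shows up as a failed comparison rather than a parse error.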