similar to: Samba 3.6.6 authentication

There are roughly 20 DC's, spread across multiple different physical locations. It is indeed a replication issue. All of them are windows and we can get authenticated by any of them, randomly. Don't ask me why... they're managed by the "windows' guys"... I've already tried all sorts of possible combinations for the various NTLM-related parameters and it always fail

All, I need to force XP clients to use NTLMv2 when mapping to samba 3.6.12. My config is: ntlm auth = No client NTLMv2 auth = Yes client lanman auth = No client plaintext auth = No lanman auth = No XP systems can still map shares with the above config. If I add: max protocol = SMB2 min protocol = SMB2 W7 systems map shares, XP systems cannot map shares even if I change LAN Manager

This issue right here told me exactly what I needed to understand this authentication process:https://pagure.io/SSSD/sssd/issue/3228 - The client talks to the DC to try and get a cifs ticket for my samba server's princpal name;- In case the client can't get the ticket for any reason, it falls back to NTLM <- windows client decision, nothing can be done about it by Samba/SSSD; Once I

I must be missing something- Are these Windows clients?  Or are these Linux clients authenticating against Samba ? if they were linux clients then yes I could see sssd or other authentication components besides winbind coming into play. And in that case yes you would have sssd work with winbind to enable caching of credentials. Is the event log entry below from the server ?   Is it from

How is your sssd settup (sssd.conf) configured? When someone connects via samba, the underlying linux/unix file system routines need to have some what of understanding the windows users and groups.   This isn't for authentication  but is instead to make sure that the file permissions can be managed and enforced. My experience - at least when I had classic domain Samba controllers-  was

The domain controler is Windows. The file Server is Linux/Samba. The clients are Windows. I've tested the access on a dozen different windows machines. Three of them used NTLM and failed. All the others used kerberos and succeeded. They're all in the same network, same domain. Maybe it's the windows version? But they're all Window 8 or 10, not a great deal of a difference between

Single DC? If a single DC then there should not be any replication issues - that would only be between domain controllers and the event logs would indicate that.   I have 2 Windows DC's with a mix of Samba member servers. As far as I know, the domain member does not need client NTLM auth to be enabled to talk to the DC but I am not 100% sure.  You may want to try reenabling it and

Hi Edouard, > I set a samba share (4.8.1) on a linux (centos 7) as server member ; > authentication is done against a AD win 2012 R2 server through winbind. > > I thought authentication was using kerberos, but I checked log and found : > > Auth: [SMB2,(null)] user [MYDOMAIN]\[mydomainuser] at [mar., 11 juin 2019 > 10:21:42.000927 -03] with [NTLMv2] status [NT_STATUS_OK]

> On 10/02/17 17:16, ToddAndMargo via samba wrote: >> Hi All, >> >> Server: >>    Fedora 26 >>    samba-4.6.8-0.fc26.x86_64 >> >> Workstations (5 of them): >>    XP Pro SP3 >> >> >> I set all five of my customer XP workstations to >> >> Send NTLMv2 response only\\refuse LM and NTLM >> >> and turned off

Hello, everyone, I'm trying to mount a CIFS share served by Samba using mount.cifs with NTLMv2 authentication. According to 'man mount.cifs' the option "sec=ntlmv2" should be supported, but it keeps giving me "mount error(22): Invalid argument". The Samba server enforces the use of NTLMv2. When allowing for NTLMv1 on both sides everything works just fine. The

Whenever a client uses kerberos as authentication, it succeeds. Whenever a client uses NTLM as authentication, it fails (logs bellow) since SSSD can't support NTLM. Thus my question: what can I do to prevent NTLM from being used?? [2018/10/09 17:49:29.507046,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)  check_ntlm_password:  Authentication for user [MYUSER] -> [MYUSER] FAILED

Hi Rowland. Very good point (man smb.conf) - I found out that, if I have the line " client NTLMv2 auth = yes" then I don't need any other setting. Also, the Min Protocol is for the sharing purposes, not authentication. So, I am deleting the "min protocol" entry and keeping the "client NTLMv2 auth=yes". I am also using SPNEGO, which is required in this case.

Hi Rowland, Thanks for replying. On Wed, 20 Apr 2016, Rowland Penny wrote: > On Wed, 20 Apr 2016, G.W. Haywood wrote: >> [2016/04/20 20:31:30.288745, 0] Could not fetch our SID - did we join? >> [2016/04/20 20:31:30.288774, 0] unable to initialize domain list > > Can you post your smb.conf ? Not all of it I'm afraid, but hopefully here are the relevant bits.

How old is the scanner ?   Did you check for a firmware update for it?    NTLM has been around for so long that it is hard to imagine anything that has to have LANMAN support. On 10/02/17 19:08, ToddAndMargo via samba wrote: >> On 10/02/17 17:16, ToddAndMargo via samba wrote: >>> Hi All, >>> >>> Server: >>>    Fedora 26 >>>   

lanman should always be disabled.  use "testparm -v" to make sure the settings are applied as you expect.  With different samba versions, the defaults may change. I don't think you can disable ntlmv1 but leave ntlmv2 enabled.  I could be wrong.          NTLMv2 is stronger.     And I think clients will negotiate the strongest common protocol.      If you are in a small network

Hi All, Server: Fedora 26 samba-4.6.8-0.fc26.x86_64 Workstations (5 of them): XP Pro SP3 I set all five of my customer XP workstations to Send NTLMv2 response only\\refuse LM and NTLM and turned off (smb.conf) lanman auth = yes ntlm auth = yes And had to turn it right back on as the customer's Xerox Workcentre 3550 multifunction printer scanner requires it What are

All, I'm trying to build Samba 3.6.12 on Solaris 8 sparc using studio 12. Is this the correct forum to ask questions? This is my first build so any tips/tricks are appreciated. What are the prerequisites to get samba to compile so that it will join an AD domain? TIA, -Kevin

Hi, I am using squid+ntlm-helper+samba+winbindd. Squid mailing list told me to try this one. When using the setting "Send NTLMv2 Response only" on my windows VISTA machines I get this error message in my logs. winbindd_pam_auth_crap: invalid password length. As soon as I change the setting to "Send NTLMv2 if negotiated" it works. Samba v3.2.5 Winbindd v3.2.5 Squid

On Sun, 24 Jun 2018 20:32:20 -0300 Kontrol-Suporte via samba <samba at lists.samba.org> wrote: > Hi Rowland, > Thanks Much for the help, as usual! > > About Kerberos: Yes, I have implemented Kerberos and NTLM. I need > both working. About winbindd_privileged: Not sure what you mean with > " I think you might want to check that again, the >

Hai, I see: create_local_token failed: NT_STATUS_INVALID_PARAMETER_MIX So i suggest, remove these 3 first. That's my first bet to change. > > ??????? client ntlmv2 auth = yes > > ??????? ntlm auth = mschapv2-and-ntlmv2-only > > ??????? restrict anonymous = 2 Try again, when smbd starts, only add: ntlm auth = mschapv2-and-ntlmv2-only Greetz, Louis >