similar to: smbclient NT_STATUS_NTLM_BLOCKED

On Fri, 3 Nov 2023 12:27:57 +0100 cYuSeDfZfb cYuSeDfZfb via samba <samba at lists.samba.org> wrote: > Hi, > > I have configured my (RHEL9) standalone samba server with "ntlm auth = > disabled" because we understand that ntlm should be disabled nowadays. > > However, we can no longer use smbclient (4.17) to connect to that > server, as: > > session

Ok, I finally could try it out, and it seems to actually work, but You need samba 4.7 on all machines, not only AD, but also server with freeradius. I didn't get a chance to test it locally, that is samba AD + freeradius on the same server. Setup: 4.7.6 AD server and 4.6.2 samba member + freeradius didn't work (got simple "nt_status_wrong_password") but: 4.7.6 AD and 4.7.1

On Thu, 21 Sep 2017 12:40:57 -0400 lingpanda101 via samba <samba at lists.samba.org> wrote: > > > I'm not understanding the change to 'ntlm auth' parameter. It's says > default is now ntlmv2-only as a value.  So this takes the place of > 'ntlm auth = no'(ie. ntlm auth = ntlmv2-only)? Using the value of > 'yes' is OK(ie. ntlm auth = yes)? 

Hello Andrew, Do you plan to release the patch for "ntlm auth = mschapv2-only" option soon ? We need this on order to use freeradius in a "more safe" scenario than with "ntlm auth = yes" Best Regard, Lulzim KELMENI Direction des Systèmes d'Information Mairie de Saint-Ouen Le 08/06/2017 21:36, Andrew Bartlett via samba a écrit : > On Thu, 2017-06-08 at

On 21/09/2022 08:32, Thomas Stephen Lee wrote: > Hi, > > Is > https://sigs.centos.org/kmods/ > a part of RHEL 9? > If yes, what is the repository name? > If not, when can we expect it to be included? > > Thanks > > --- > Lee No, it's not part of RHEL9 , and it's built and maintained by the Kmods SIG (see https://sigs.centos.org/kmods/) as a

> > It might help if you told us how Extreme advised you to configure it. https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-set-internal-RADIUS-server-on-WiNG-with-LDAP-based-authentication http://www.michaelfmcnamara.com/files/motorola/WING5X_How_To_Active_Directory_Authentication_Rev_B.pdf https://www.manualslib.com/manual/1150860/Motorola-Wing-5-7-1.html

On Fri, 26 Jan 2024 22:22:49 -0500 Mark Foley via samba <samba at lists.samba.org> wrote: > On Wed Jan 24 05:03:25 2024 Rowland Penny via samba > <samba at lists.samba.org> wrote: > > > > On Tue, 23 Jan 2024 17:07:35 -0500 > > Mark Foley via samba <samba at lists.samba.org> wrote: > > > > > On Mon Jan 22 11:00:59 2024 Mark Foley via samba

I discovered the situation. When attempting to logon from Windows 2008R2 to Samba4 is made we can see in Samba smbd log the following important for understanding the situation lines: [2017/11/20 13:25:52.040094, 2, pid=7100, effective(0, 0), real(0, 0)] ../libcli/auth/ntlm_check.c:430(ntlm_password_check) ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user <username> [2017/11/20

Hello, I can definately confirm that it's working. My basic setup is: 1) Samba 4.7.6 AD DC (2 of them), compiled from source, on centos 7 2) Freeradius 3.0.13 + samba 4.6.2 as domain member, packages straight from centos repo. // I  tested also on freeradius 3.0.14 and samba 4.7.x smb.conf on the DC is pretty basic, most important is obviously in [globall]:         ntlm auth =

Also I just facepalmed, as I double checked smb.conf right after sending mail, and in samba 4.7 there are new options available for "ntlm auth", as stated in docs: |mschapv2-and-ntlmv2-only| - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the |ntlm_auth| tool). So that is is I suppose that special "flag" that is used by

Hello Helper, i found this bug report: https://bugzilla.samba.org/show_bug.cgi?id=12252 At this time i have a samba 4.1.6 Domain Controller and Freeradius-Server. The authentication works pretty well in 4.1.6. Now I built a new Domain Controller from source, version 4.5.0. The configuration like 4.1.6, but now I have an authentication issue. There is no helpfull information in freeradius log

ok, tested it, and it works. so to summarize: on samba ad 4.7.x  in smb.conf "ntlm auth" is set to "mschapv2-and-ntlmv2-only" fr + samba domain member (4.6 and 4.7) in mods-available/mschap you have to add to ntlm_auth --allow-mschapv2 to the whole string OR just use winbind method, which sets correct flag without explicitly adding it. with those settings ntlmv1 is blocked

Hello, i set up a squid proxy that should authenticate users against a samba PDC using winbind. It works fine as long i allow ntlmv1: on the PDC: ntlm auth = yes lanman auth = no client ntlmv2 auth = yes If i restrict the domains authentication method to ntlmv2 - that's what i want - with these settings: ntlm auth = no lanman auth = no client

Are there multiple ways that Windows clients encrypt passwords? I'm seeing different behavior between two clients. On one, I can access a Samba share just fine. On the other, using the same username and password to access the same share, I get "incorrect password." Looking for the difference in Samba debug traces, I find it comes down to this: smb_password_ok: Checking SMB

Hi there, I'm trying to get FreeRADIUS to authenticate against my Samba DC. It's Samba 4.7.6-ubuntu running on Ubuntu 18 (kernel version 4.15.0-66-generic). It came nicely packaged with Zentyal, which provides a nice GUI for managing a domain, as well as a CA and lots of cool small features. That same Zentyal also includes support for FreeRADIUS (3.0.16). This is my smb.conf:

I have a server which we use for backing up files. Noticed there was an upgrade available to 18.04.1. Now I cannot connect to from my win7 machine to the Ubuntu share. Any thoughts on what would have changed??? Tom

On 27-01-2024 11:56, Rowland Penny via samba wrote: > On Fri, 26 Jan 2024 22:22:49 -0500 > Mark Foley via samba<samba at lists.samba.org> wrote: > >> On Wed Jan 24 05:03:25 2024 Rowland Penny via samba >> <samba at lists.samba.org> wrote: >>> On Tue, 23 Jan 2024 17:07:35 -0500 >>> Mark Foley via samba<samba at lists.samba.org> wrote:

hai,   Please keep it mailing to the list, this way is shows up of others also. A workaround for disabling SMBv1, you can make your server less secure but thats not what i would do. Setting these to enable NTLM v1 again. lanman auth = yes ntlm auth = yes raw NTLMv2 auth = yes I think also this is more a question for the free raduis list, but i would to for a ldap(s) setup. just dont mixup

Hi All, Server: Fedora 26 samba-4.6.8-0.fc26.x86_64 Workstations (5 of them): XP Pro SP3 I set all five of my customer XP workstations to Send NTLMv2 response only\\refuse LM and NTLM and turned off (smb.conf) lanman auth = yes ntlm auth = yes And had to turn it right back on as the customer's Xerox Workcentre 3550 multifunction printer scanner requires it What are

I set up winbind on one box successfully. Now a friend told me that it might be better to use ActiveDirectoriy (the PDC and all other servers are win2000). What is the difference in both approaches? which is 'better'? I feel that ldap is the more general and cleaner solution. Is that true? My windows-admins will get rid of wins soon. does winbind rely on wins? can libnss-ldap also create