Hello everybody.
After upgrading a Samba server running FreeBSD 10.2-RELEASE-p18 to 13.1-RELEASE-p5, which forced an upgrade of our 9-year-old Samba setup (3.6 configured as NT4 PDC) to either 4.12 or 4.13 (the only two versions available as packages), our Windows clients stopped working: logins, connection to shares, and domain joining were not possible anymore.
So after a long day of investigation, we found out that both Samba 4.12 & 4.13 (under FreeBSD 13.1) perform NTLM authentication in a different fashion than Samba 3.6 did, and I would like to share the details in case somebody else faces this issue.
The message logged by Samba every time the before mentioned operations failed was:
Code:
ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user xxxx:
Our smb.conf did not include the ntlm auth parameter, and so even when documented to default to ntlmv2-only, our server was performing just NTLMv1 and not sending a response to authentication requests (at least this is my belief given that further authentication requests were not logged and Windows clients would hang for a few seconds before giving up).
Interestingly enough, the solution that worked for us for those under the two versions of Samba is different.
For Samba 4.12, adding ntlm auth = yes solved the issue by having Samba ignore NTLMv1 requests altogether (as confirmed by the logs) and thus our Windows 7 & 10 clients successfully authenticated.
ntlm auth just did not work under Samba 4.13. No matter which value was assigned to it (only yes and ntlmv2-only were tested) Samba received NTLMv1 requests only (and denied them). For some obscure reason, Windows did not send further NTLM requests (I was expecting v2), at least Samba did not log any. So our solution was to modify on each Windows client:
Code:
HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
3
in order to disable NTLM v1. Again, this was verified under Windows 7 & 10 only (today we will test this on a Windows XP client).
Moments of happiness during this 2023 to you all.
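A server-side check for the rejection message quoted in the post, as an added example that is not part of the original post: it tallies which accounts still have NTLMv1 logons rejected, so a client-side LmCompatibilityLevel change can be confirmed from the Samba log. The sample log lines, user names, source paths and the header layout (timestamp and level on one line, message on the next) are constructed assumptions.

```python
import re
from datetime import datetime

# Assumed layout: a header line "[timestamp, level] file:line(function)"
# followed by the message itself on the next line.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+\]")
DENIED = re.compile(r"ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user (\S+)")

def ntlmv1_rejections(lines):
    """Return {user: {"count", "first", "last"}} for rejected NTLMv1 logons."""
    report, stamp = {}, None
    for line in lines:
        header = HEADER.match(line)
        if header:
            stamp = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        hit = DENIED.search(line)
        if not hit:
            continue
        # Drop a trailing colon and fold case so "Alice" and "alice" are one account.
        user = hit.group(1).rstrip(":").lower()
        entry = report.setdefault(user, {"count": 0, "first": stamp, "last": stamp})
        entry["count"] += 1
        entry["last"] = stamp
    return report

def still_on_ntlmv1(report, since):
    """Users with a rejected NTLMv1 logon at or after `since`, for example the
    time the registry change was rolled out to clients."""
    return sorted(u for u, e in report.items() if e["last"] and e["last"] >= since)

# Constructed sample log (not taken from the original post).
SAMPLE_LOG = """\
[2023/01/04 09:15:02.120345,  2] ../../libcli/auth/ntlm_check.c:1(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user alice
[2023/01/04 09:15:40.003112,  2] ../../libcli/auth/ntlm_check.c:1(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user Alice
[2023/01/04 09:20:11.551200,  3] ../../example/file.c:1(example_function)
  unrelated message
[2023/01/05 08:01:33.900001,  2] ../../libcli/auth/ntlm_check.c:1(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user bob
""".splitlines()

if __name__ == "__main__":
    report = ntlmv1_rejections(SAMPLE_LOG)
    for user, e in sorted(report.items()):
        print(f"{user}: {e['count']} rejected, last seen {e['last']}")
    print("still on NTLMv1 after rollout:", still_on_ntlmv1(report, datetime(2023, 1, 5)))
```

To run it against a real log, pass the open file object to ntlmv1_rejections() in place of SAMPLE_LOG.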