17

I have a samba server setup for some time now. It is a Hardware NAS - which unfortunately does not provide access to the Samba logs. (the exact model of the NAS is called Addonics NAS Adapter )

I also have a Windows Vista and a Windows XP machine - from both I am able to map \\192.168.0.20\Smd with no errors ( net use l: \\192.168.0.20\Smd works, after asking for my username and password).

I also bought a brand new computer, with Windows 7, and when I try to execute the same exact net use command on it - using the exact same username/password pair, I get a "The specified network password is not correct." message. I also tried mapping from the Windows explorer menu, and got the same error.

I synchronized the clocks of the two machines, tried again... and yet the same error persists.

So what is really surprising here is that mapping works from WindowXP and Windows Vista machines, but fails from a Windows7 machine using the exact same command and username/password - Anyone has any idea of what could be causing this or how to solve the problem? Thanks

Joshua
  • 1,546
  • 1
  • 13
  • 16
Win7 Home User
  • 173
  • 1
  • 1
  • 5

6 Answers6

19

Dominic D's explanation of what is going on is correct: Vista, Windows7, and Windows2008 r2 use NTLMv2 by default. Older implementations of Samba don't support this and will return a password failure. Fortunately you can tell Vista and Windows 7 (and I presume Server 2k8) to use the v1 protocol if the v2 is not available.

These are my notes for Vista, they worked for Windows 7 Pro 64-bit.

  1. Start -> run -> secpol.msc
  2. Local Policies -> Security Options -> Network Security: LAN Manager Authentication
  3. Change NTVLM2 responses only to LM and NTLM - use NTLMV2 session security if negotiated

If you are stuck with a Vista Home, there is no secpol.msc. Instead:

  1. Start -> Run -> regedit
  2. navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. for LmCompatibilityLevel, change the '3' to a '1'
  4. Rebooting might be necessary at this point.
David Mackintosh
  • 14,223
  • 6
  • 46
  • 77
  • 2
    Thank you very much! I created a new LmCompatibilityLevel entry under the place you indicated (it was missing) as a REG_DWORD with a value of 1, and after a reboot I was able to mount the share under Windows7! I now have a bizarre problem where all folders appear as invisible when under the mapped drive when in a cmd.exe Window (again, on Windows7-only) - but I can live with this (I just hope Cygwin works properly... installing now). – Win7 Home User Dec 08 '09 at 12:16
  • 1
    Future readers: it is in your best interest to do whatever is feasible to encourage the vendor to update their Samba, because Windows password storage schemes prior to NTLMv2 are significantly easier to crack. http://www.lbl.gov/cyber/systems/lanman.html has a clear explanation. – Royce Williams Nov 18 '12 at 22:59
  • Did exactly the same as "Win7 Home User" and it worked on my Win 10 home x64 – lowtech May 23 '16 at 12:58
12

Windows7 and Windows2008 r2 use NTLMv2 by default. Older implementations of Samba don't support this and will return a password failure.

We had this exact same problem on our NAS.

Two solutions

  1. Bug your NAS vendor to update their implementation (we've just received a patch).
  2. Push a policy change either via GPO or via Local Policy. The setting you need to modify is: Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level. Set it to Send LM & NTLM - use NTLMv2 session security if negotiated. This gives you the best of both worlds, better security if supported, fall back if not. This should be the default Windows7/Windows2008r2 option IMO, but for whatever reason it isn't.
Dominic D
  • 1,376
  • 9
  • 10
  • Thanks for the response - updating the firmware of the NAS did *not* work, unfortunately, but with the tip by David Mackintosh I was able to change the auth settings. – Win7 Home User Dec 08 '09 at 12:17
0

This is probably not it, but you can try disabling SMB2 on the Windows 7 machine. SMB2 was introduced with Windows Vista so if the Vista machine works I would think the 7 machine would work as well, but it won't hurt to try it.

joeqwerty
  • 108,377
  • 6
  • 80
  • 171
  • I tried that. Disabled SMB2 using the commands (I am using === as a separator): === sc config lanmanworkstation depend= bowser/mrxsmb10/nsi === sc config mrxsmb20 start= disabled === but it didn't work (even after a reboot). – Win7 Home User Dec 07 '09 at 21:58
0

I hesitate to post this as an answer, because it's so flimsy, but this may be a purely Win7 Home thing that people using pro or ultimate editions wouldn't see. I remember reading something about homegroups - and they may have limited functionality or a change in syntax?

You may want to check with superuser.com if only because they may have more experience with the home version. (Home version may also mean the question belongs on SU, but I feel like the votes should decide that... seems a bit gray-area to just mod it over).

Are you able to pull up the share by sticking \192.168.0.20\Smd in the run box?

Kara Marfia
  • 7,892
  • 5
  • 32
  • 56
  • Pro and Ultimate wouldn't handle networking differently than Home, but it could be a change to the networking in Windows 7 that caused the incompatibility. – Garrett Dec 07 '09 at 20:56
  • Thanks for the responses - David Mackintosh gave a tip that solved the problem! – Win7 Home User Dec 08 '09 at 12:18
  • 1
    @Garrett - well, I guess you can't join Home to a domain? But good to know it's unchanged otherwise. – Kara Marfia Dec 08 '09 at 12:24
  • Right, no domain joins and some other things like being a Remote Desktop destination, bitlocker, etc... but if they both do something, they do it the same way. – Garrett Dec 08 '09 at 21:02
0

It could be an issue with requirements of NTLM. I've read some people have to do the following to get their Win 7 box to work with samba.

Control Panel - Administrative Tools - Local Security Policy

Local Policies - Security Options

Network security: LAN Manager authentication level

Send LM & NTLM responses

Minimum session security for NTLM SSP

Disable Require 128-bit encryption

Community
  • 1
Mr Furious
  • 801
  • 1
  • 6
  • 14
  • I wasn't able to find a "Local Security Policy" menu - maybe because my Windows is Home? At any case, the closest I found to this was this option: File sharing connections Windows 7 uses 128-bit encryption to help protect file sharing connections. Some devices don't support 128-bit encryption and must use 40- or 56-bit encryption. [ ] Use 128-bit encryption to help protect file sharing connections (recommended) [ ] Enable file sharing for devices that use 40- or 56-bit encryption I enabled the second option, but nothing seems to change (even after a reboot). – Win7 Home User Dec 07 '09 at 21:41
  • Hrrm...I dont have a copy of Windows 7 Home Premium to verify but according to http://social.answers.microsoft.com/Forums/en-US/w7security/thread/0c8300d0-1d23-4de0-9b37-935c01a7d17a it's not available in that version of windows. I have no idea how you can modify those settings without it. – Dominic D Dec 07 '09 at 21:46
-1

You need to use double leading backslashes in your UNC paths.

Like this: net use I: \\192.168.0.20\Smd

nrgyz
  • 550
  • 2
  • 9