6

When trying to connect to Samba shares on a Linux host from a Windows 10 client, even after setting the client Security Policy to allow non-NTLMv2 authentication, the client still gives errors like "The specified password is not correct." when using valid account credentials.

It sounds like most systems can support NTLMv2 authentication, so I'd like to just enable it on my Samba host and no longer worry about supporting the older protocols. It sounds like Samba defaults to having the NTLMv2 option, but, what parameters do I need to set to satisfy Windows (i.e. use NTLMv2 only)?

palswim

3 Answers

13

Supposedly, Samba's defaults match the following values, but I had to set them explicitly:

lanman auth = no
ntlm auth = yes
client lanman auth = no
palswim
  • Ran into the same issue using samba 4.8.5. Your solution still works. Thank you! – Lectrode Sep 26 '18 at 00:25
  • Upon further investigation, it looks like `ntlm auth = ntlmv2-only` is default. This will not work if Windows is set to `NTVLM2 responses only to LM and NTLM - use NTLMV2 session security if negotiated`. It will only work if Windows is set to `Send NTLMv2 response only`. Setting `ntlm auth = yes` allows NTLMv1 and above, which allows Windows to start with a less secure protocol, but negotiate higher. – Lectrode Sep 28 '18 at 20:52
  • `yes` is an alias for `ntlmv1-permitted` so this doesn't answer the question. This actually does the opposite, i.e. enabling NTLMv1. – Elliott B Dec 17 '21 at 03:08
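Since the comments above disagree about what `ntlm auth = yes` actually permits, here is an added audit helper (my own example, not code from any of the answers) that reads the `[global]` `lanman auth` and `ntlm auth` values out of an smb.conf and reports which response types the server would accept. The value names are the ones documented in smb.conf(5); the sample config written by the demo is constructed to mirror the accepted answer's settings.

```shell
#!/bin/sh
# Added audit helper (not code from the answers above): classify the
# [global] "lanman auth" / "ntlm auth" settings of an smb.conf.
# Per smb.conf(5), "yes" is an alias for ntlmv1-permitted and the modern
# default for "ntlm auth" is ntlmv2-only, so the accepted answer's
# "ntlm auth = yes" re-enables NTLMv1 rather than restricting to NTLMv2.

# smb_param FILE KEY: print the [global] value of KEY (parameter name with
# spaces removed, e.g. ntlmauth), lowercased, comments stripped; empty if unset.
smb_param() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (tolower(k) != key) next
            v = $0; sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]*([#;].*)?$/, "", v)
            print tolower(v); exit
        }' "$1"
}

# ntlm_policy FILE: print lanman-permitted, ntlmv1-permitted, ntlmv2-only,
# mschapv2-and-ntlmv2-only or disabled; unset parameters use Samba defaults.
ntlm_policy() {
    lm=$(smb_param "$1" lanmanauth); [ -n "$lm" ] || lm=no
    nt=$(smb_param "$1" ntlmauth);   [ -n "$nt" ] || nt=ntlmv2-only
    case "$lm" in yes|true|1) echo lanman-permitted; return 0 ;; esac
    case "$nt" in
        yes|true|1|ntlmv1-permitted) echo ntlmv1-permitted ;;
        no|false|0|disabled)         echo disabled ;;
        *)                           echo "$nt" ;;
    esac
}

# Demo on a constructed smb.conf mirroring the accepted answer's settings.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   lanman auth = no
   ntlm auth = yes   ; alias for ntlmv1-permitted
[public]
   path = /srv/samba/public
EOF
echo "effective policy: $(ntlm_policy "$demo_conf")"   # prints ntlmv1-permitted
rm -f "$demo_conf"
```

Run it against the real file with `ntlm_policy /etc/samba/smb.conf`; anything other than `ntlmv2-only`, `mschapv2-and-ntlmv2-only` or `disabled` means NTLMv1 or LANMAN responses are still accepted.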
2

Check the Windows registry for the key:

HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

If this is set to 0 then Windows will try to connect only using NTLMv1. I have seen this registry key set like this on several Windows 10 machines, and I'm not sure why. However, you can delete this registry key and Windows will revert to its default behavior which is to use NTLMv2 and connect to Samba 4 fine.

Nick
0

I needed to add --allow-mschapv2 to the file /etc/freeradius/3.0/mods-enabled/mschap, so that it looks like this:

ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

(that is, besides setting the correct ntlm auth parameter. In my case it's ntlm auth = mschapv2-and-ntlmv2-only in smb.conf)

Oleg