samba 4.5.10 and old clients with NTLMv1

samba 4.5.10 and old clients with NTLMv1

Samba - General mailing list

At a customer they still have some old VMs around that run Windows XP.

Yes, I already provided them with newer VMs ... but the users still
need/want the old machines as well.

Now the batch file with the "net use" statements fail, as far as I have
researched because of the weak and outdated NTLMv1:

[2017/07/27 11:11:08.538343,  2]
../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user vmuser1

I assume I can enable that via the parameter "ntlm auth = yes"?
Currently it is "no", sure.

It's a global parameter, according to the man page, is there a way to
only enable NTLMv1 for this specific share?

thanks, regards, Stefan

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
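
Added example, not part of the original posts: a small Python parser that tallies the "NTLMv1 passwords NOT PERMITTED" log entries quoted above per account, showing which clients still send NTLMv1 responses. The sample log is constructed from the entry in the post; the user names other than vmuser1 and the second source location are made up.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log entry quoted in the post:
# a "[timestamp, level]" header, the source location, then an indented message.
# The first entry is wrapped as in the post; vmuser2, vmuser3 and the
# example.c location are made-up placeholders.
SAMPLE_LOG = """\
[2017/07/27 11:11:08.538343,  2]
../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user vmuser1
[2017/07/27 11:11:09.100000,  3] ../example/example.c:100(example_function)
  unrelated message mentioning user vmuser2
[2017/07/27 11:12:30.000001,  2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user vmuser1
[2017/07/27 11:15:02.250000,  2] ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user vmuser3
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]")
REJECT = re.compile(r"NTLMv1 passwords NOT PERMITTED for user (\S+)")


def ntlmv1_rejections(log_text):
    """Return (timestamp, user) for every NTLMv1 rejection in log_text."""
    events = []
    timestamp = None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            # Remember the entry's timestamp; its message is on a later line.
            timestamp = header.group(1)
            continue
        hit = REJECT.search(line)
        if hit:
            events.append((timestamp, hit.group(1)))
    return events


def rejections_per_user(log_text):
    """Count NTLMv1 rejections per account, most frequent first."""
    return Counter(user for _, user in ntlmv1_rejections(log_text)).most_common()


if __name__ == "__main__":
    for user, count in rejections_per_user(SAMPLE_LOG):
        print(f"{user}: {count} NTLMv1 attempt(s) refused")
```

Run against the real smbd log before and after a client-side or smb.conf change, the per-account counts show which machines still need attention.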

Re: samba 4.5.10 and old clients with NTLMv1

Samba - General mailing list
Hello Stefan,
had the same problem here, as you said adding "ntlm auth = yes" solved it, so yes it will work with this added to the global conf.
The problem comes from this option being set to "no" by default with the new versions.
Don't know about setting this specific parameter for a share only, interested in the answer.
Regards.

    On Thursday, 27 July 2017 at 11:29, Stefan G. Weichinger via samba <[hidden email]> wrote:
 

 
At a customer they still have some old VMs around that run Windows XP.

Yes, I already provided them with newer VMs ... but the users still
need/want the old machines as well.

Now the batch file with the "net use" statements fail, as far as I have
researched because of the weak and outdated NTLMv1:

[2017/07/27 11:11:08.538343,  2]
../libcli/auth/ntlm_check.c:424(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user vmuser1

I assume I can enable that via the parameter "ntlm auth = yes"?
Currently it is "no", sure.

It's a global parameter, according to the man page, is there a way to
only enable NTLMv1 for this specific share?

thanks, regards, Stefan


Re: samba 4.5.10 and old clients with NTLMv1

Samba - General mailing list
In an AD environment, it's better to push out a GPO to force WindowsXP to
use NTLMv2. I believe it's under "Security Settings" -> "Local Security
Policy" -> "Security Options" -> "Network security: LAN Manager
authentication level". Change the value to "Send NTLMv2 response
only\refuse LM and NTLM"

If there's no AD involved, you can manually change the associated Windows
registry entry "LmCompatibilityLevel" to "3". I believe it is under
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

On Thu, Jul 27, 2017 at 4:18 AM, Stefan G. Weichinger via samba <
[hidden email]> wrote:

>
> At a customer they still have some old VMs around that run Windows XP.
>
> Yes, I already provided them with newer VMs ... but the users still
> need/want the old machines as well.
>
> Now the batch file with the "net use" statements fail, as far as I have
> researched because of the weak and outdated NTLMv1:
>
> [2017/07/27 11:11:08.538343,  2]
> ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
>   ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user vmuser1
>
> I assume I can enable that via the parameter "ntlm auth = yes"?
> Currently it is "no", sure.
>
> It's a global parameter, according to the man page, is there a way to
> only enable NTLMv1 for this specific share?
>
> thanks, regards, Stefan

Re: samba 4.5.10 and old clients with NTLMv1

Samba - General mailing list
I suggest these settings.

   lm announce = no
   lanman auth = no
   ntlm auth = no
   client lanman auth = no
   client ntlmv2 auth = yes

This keeps samba secure and allows XP clients.

Greetz,

Louis
 

> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Ph
> Lachaud via samba
> Sent: Thursday, 27 July 2017 12:38
> To: samba
> Subject: Re: [Samba] samba 4.5.10 and old clients with NTLMv1
>
> Hello Stefan,
> had the same problem here, as you said adding "ntlm auth =
> yes" solved it, so yes it will work with this added to the
> global conf.
> The problem comes from this option being set to "no" by
> default with the new versions.
> Don't know about setting this specific parameter for a share
> only, interested in the answer.
> Regards.
>
>     On Thursday, 27 July 2017 at 11:29, Stefan G. Weichinger via
> samba <[hidden email]> wrote:
>  
>
>  
> At a customer they still have some old VMs around that run Windows XP.
>
> Yes, I already provided them with newer VMs ... but the users
> still need/want the old machines as well.
>
> Now the batch file with the "net use" statements fail, as far
> as I have researched because of the weak and outdated NTLMv1:
>
> [2017/07/27 11:11:08.538343,  2]
> ../libcli/auth/ntlm_check.c:424(ntlm_password_check)
>   ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user vmuser1
>
> I assume I can enable that via the parameter "ntlm auth = yes"?
> Currently it is "no", sure.
>
> It's a global parameter, according to the man page, is there
> a way to only enable NTLMv1 for this specific share?
>
> thanks, regards, Stefan

Re: samba 4.5.10 and old clients with NTLMv1

Samba - General mailing list
On 2017-07-27 at 12:41, Andrew Walker via samba wrote:
> In an AD environment, it's better to push out a GPO to force WindowsXP to
> use NTLMv2. I believe it's under "Security Settings" -> "Local Security
> Policy" -> "Security Options" -> "Network security: LAN Manager
> authentication level". Change the value to "Send NTLMv2 response
> only\refuse LM and NTLM"
>
> If there's no AD involved, you can manually change the associated Windows
> registry entry "LmCompatibilityLevel" to "3". I believe it is under
> "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

Ah, good, I might look into the 3 VMs and change that.
No AD/GPOs available here, just standalone samba.
thanks




Re: samba 4.5.10 and old clients with NTLMv1

Samba - General mailing list
On 2017-07-27 at 12:53, L.P.H. van Belle via samba wrote:
> I suggest these settings.
>
>    lm announce = no
>    lanman auth = no
>    ntlm auth = no
>    client lanman auth = no
>    client ntlmv2 auth = yes
>
> This keeps samba secure and allows XP clients.

ah, great, I might do that as well.
Less editing work than 3 times registry edit :-P




Re: samba 4.5.10 and old clients with NTLMv1

Samba - General mailing list
On 2017-07-27 at 12:53, L.P.H. van Belle via samba wrote:
> I suggest these settings.
>
>    lm announce = no
>    lanman auth = no
>    ntlm auth = no
>    client lanman auth = no
>    client ntlmv2 auth = yes
>
> This keeps samba secure and allows XP clients.

feedback: did not work here




Re: samba 4.5.10 and old clients with NTLMv1

Samba - General mailing list
On 2017-07-27 at 14:11, Stefan G. Weichinger via samba wrote:

> On 2017-07-27 at 12:53, L.P.H. van Belle via samba wrote:
>> I suggest these settings.
>>
>>    lm announce = no
>>    lanman auth = no
>>    ntlm auth = no
>>    client lanman auth = no
>>    client ntlmv2 auth = yes
>>
>> This keeps samba secure and allows XP clients.
>
> feedback: did not work here

sorry! shot too early, now it works in one VM.
thanks again, will test the others now as well.



Re: samba 4.5.10 and old clients with NTLMv1

Samba - General mailing list
On 2017-07-27 at 14:16, Stefan G. Weichinger via samba wrote:

> On 2017-07-27 at 14:11, Stefan G. Weichinger via samba wrote:
>> On 2017-07-27 at 12:53, L.P.H. van Belle via samba wrote:
>>> I suggest these settings.
>>>
>>>    lm announce = no
>>>    lanman auth = no
>>>    ntlm auth = no
>>>    client lanman auth = no
>>>    client ntlmv2 auth = yes
>>>
>>> This keeps samba secure and allows XP clients.
>>
>> feedback: did not work here
>
> sorry! shot too early, now it works in one VM.
> thanks again, will test the others now as well.

In the end I did both the registry changes and the smb.conf edit to make
it work.

thanks


