On Thu, 2005-11-10 at 08:44 +0200, Dave Raven wrote:
> Hi again all,
> I have a few questions regarding NTLMv2. Do you have to be in a
> domain for NTLMv2 authentication to work (specifically through a program
> like squid). I found an article that says:
>
> "These computers will use Kerberos when they are communicating with Active
> Directory and the members of Active Directory. When these computers are in a
> workgroup, they will use NTLMv2."
>
> Also, when I am not in the same domain (or when I am) I see the following
> from ntlm_auth:
> Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from squid
> (length: 59).
>
> As far as I understand it that is NTLMv2 - or not? I also see
> Got NTLMSSP neg_flags=0xa2088207
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_NEGOTIATE_OEM
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_128
>
> Which specifies NTLM2. Does that mean my negotiation is working properly?

No. NTLM2 (modified challenge, which is what the flag is for) and NTLMv2
are different.

> The main problem is that I am getting a NT_STATUS_WRONG_PASSWORD always, and
> am trying to decipher why... It still happens when I'm in the domain.
>
> The way this all started happening was after turning 'Network security: LAN
> Manager authentication level' to be 'Send NTLMv2 response only/refuse LM &
> NTLM'.

Is this configured on your clients? Does it show up in the effective
policy value?

Also, are you still getting len2=24 in current debug traces? This
indicates that NTLMv2 is not in use.

> [2005/11/09 22:21:04, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
> Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
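The two checks discussed in this message, as an added example that is not part of the original post or of Samba's code: it decodes the `YR` negotiate blob quoted above to recover `neg_flags`, and classifies the `ntlmssp_server_auth` debug line by its `len2` value. The function names are hypothetical; the flag bit values are those of the seven names printed in the post, and any other set bits are reported as unnamed.

```python
import base64
import re
import struct

# The seven flag names ntlm_auth printed in the post, with their bit values.
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
}

# Inputs copied from the post.
SAMPLE_YR = "YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
SAMPLE_DEBUG = "Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24"

def parse_negotiate(helper_line):
    """Decode a 'YR <base64>' helper line: (flags, set flag names, unnamed bits)."""
    verb, b64 = helper_line.strip().split(None, 1)
    if verb != "YR":
        raise ValueError("not a negotiate (YR) request")
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 16 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)  # little-endian type, flags
    if msg_type != 1:
        raise ValueError("expected a type 1 (negotiate) message")
    names = [name for bit, name in FLAGS.items() if flags & bit]
    return flags, names, flags & ~sum(FLAGS)

def response_kind(debug_line):
    """Classify the response in a debug line by the NT response length (len2)."""
    m = re.search(r"len1=(\d+) len2=(\d+)", debug_line)
    if m is None:
        raise ValueError("no len1/len2 fields")
    nt_len = int(m.group(2))
    # A 24-byte NT response is NTLM or NTLM2 session security. An NTLMv2
    # response is a 16-byte HMAC-MD5 plus a variable-length blob, so it is longer.
    if nt_len == 24:
        return "NTLM or NTLM2 (not NTLMv2)"
    return "NTLMv2" if nt_len > 24 else "no or malformed NT response"

if __name__ == "__main__":
    flags, names, unnamed = parse_negotiate(SAMPLE_YR)
    print(hex(flags), names, "unnamed bits:", hex(unnamed))
    print(response_kind(SAMPLE_DEBUG))
```

The NTLM2 flag being set in the negotiate message and a 24-byte `len2` in the authenticate step are independent observations: the first only offers NTLM2 session security, the second shows what the client actually sent.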
