
[Samba] invalid NTLMSSP_MIC / SPNEGO login failed: NT_STATUS_INVALID_PARAMETER


Boris S. via samba

Oct 16, 2016, 10:50:03 AM

Hello,

Since I upgraded my NT4 domain Samba 4.2.11 to 4.2.14, I can no longer
authenticate when I access any share.
After that I even upgraded to Samba 4.4.5 but still get the same error:


[2016/10/15 04:42:19.786198, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [xx] -> [xx] -> [xx] succeeded
[2016/10/15 04:42:19.789933, 1] ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
  ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx] domain=[XXXXXXX] workstation=[XXXXX]
[2016/10/15 04:42:19.789982, 1] ../lib/util/util.c:559(dump_data)
  [0000] 97 BD D0 A6 D7 16 E4 0A 59 33 62 ED CC 6A 35 04 ........ Y3b..j5.
[2016/10/15 04:42:19.790035, 1] ../lib/util/util.c:559(dump_data)
  [0000] F2 85 BB 00 46 11 89 C4 84 E3 2C 4C 5D FA F4 6A ....F... ..,L]..j
[2016/10/15 04:42:19.790095, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_INVALID_PARAMETER


Server: FreeBSD 10.3/64 bit
Clients: Windows 7 64bit

When I downgrade to 4.2.11 everything works again.
An upgrade to DC is currently not an option so I need to stick to NT4
PDC for a while.

I duplicated the whole server to a VM, so I could test anything and
wouldn't harm the production server.

My smb.conf:

[global]

workgroup = XXXXXXX
netbios name = SERVER
unix password sync = false
max log size = 100
unix extensions = no
log level = 2 vfs:2
map to guest = Bad User
server max protocol = smb2
server min protocol = smb2
passdb backend = tdbsam
unix charset = ISO8859-1
dos charset = CP1252
bind interfaces only = yes
hosts allow = 192.168.255. 127.
acl allow execute always = True
load printers = no
log file = /var/log/samba4/log.%m
log level = 2
security = user
encrypt passwords = yes
interfaces = em0, lo0
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
wins support = yes
wins proxy = yes
dns proxy = no


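
Added example, not part of the original thread and not Samba project code: a small Python triage script for the log pattern in the post above. It folds each Samba log record into one string, finds `invalid NTLMSSP_MIC` events, and reports whether the preceding password check for the same user succeeded, which separates a MIC failure from a bad password. The function names and the `password_ok` heuristic are assumptions of this example.

```python
import re

# Log lines from the post above, unwrapped to Samba's two-line record layout.
SAMPLE_LOG = """\
[2016/10/15 04:42:19.786198, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [xx] -> [xx] -> [xx] succeeded
[2016/10/15 04:42:19.789933, 1] ../auth/ntlmssp/ntlmssp_server.c:950(ntlmssp_server_postauth)
  ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[xx] domain=[XXXXXXX] workstation=[XXXXX]
[2016/10/15 04:42:19.789982, 1] ../lib/util/util.c:559(dump_data)
  [0000] 97 BD D0 A6 D7 16 E4 0A 59 33 62 ED CC 6A 35 04 ........ Y3b..j5.
[2016/10/15 04:42:19.790035, 1] ../lib/util/util.c:559(dump_data)
  [0000] F2 85 BB 00 46 11 89 C4 84 E3 2C 4C 5D FA F4 6A ....F... ..,L]..j
[2016/10/15 04:42:19.790095, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
"""

HEADER = re.compile(r"(?m)^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*\d+\]")
PW_OK = re.compile(r"authentication for user \[([^\]]*)\].*succeeded")
MIC_BAD = re.compile(r"invalid NTLMSSP_MIC for user=\[([^\]]*)\]\s+"
                     r"domain=\[([^\]]*)\]\s+workstation=\[([^\]]*)\]")
DUMP = re.compile(r"\(dump_data\)\s+\[0000\]((?: [0-9A-Fa-f]{2}){16})")


def records(text):
    """Yield (timestamp, body) per record; continuation lines are folded into body,
    so mail-wrapped excerpts parse the same way as the on-disk log."""
    chunks = HEADER.split(text)  # ['', stamp1, body1, stamp2, body2, ...]
    for stamp, body in zip(chunks[1::2], chunks[2::2]):
        yield stamp, " ".join(body.split())


def mic_failures(text):
    """Return one dict per invalid-MIC event, with the 16-byte buffers dumped after it."""
    found, last_ok, current = [], None, None
    for stamp, body in records(text):
        if (m := PW_OK.search(body)):
            last_ok, current = m.group(1), None
        elif (m := MIC_BAD.search(body)):
            # Heuristic: the most recent successful password check was for this user.
            current = dict(zip(("user", "domain", "workstation"), m.groups()),
                           time=stamp, password_ok=(last_ok == m.group(1)), mic_dumps=[])
            found.append(current)
        elif current and (m := DUMP.search(body)) and len(current["mic_dumps"]) < 2:
            # The page does not say which buffer is the received and which the computed MIC.
            current["mic_dumps"].append(bytes.fromhex(m.group(1)))
        else:
            current = None  # any other record ends the dump run
    return found
```

A result with `password_ok` set to true means the credentials were accepted and the session failed afterwards at the MIC check, as in the log above.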

Boris S. via samba

Oct 24, 2016, 1:10:04 PM

Hello,

Any idea what might be the cause?
Do you need more information?

Alex Crow via samba

Oct 24, 2016, 2:30:03 PM

I have had pretty much the same issue against CentOS 6.x/Samba 3.x DCs
from Samba 4.2.x (CentOS) and 4.4.x (Sernet) File servers.

Please look at BZ#12393 and add your findings:
https://bugzilla.samba.org/show_bug.cgi?id=12303

We upgraded our DCs to 4.4.x and it went away. Are you /really/ still
running actual NT4 DCs? Wow....

Cheers

Alex



Gaiseric Vandal via samba

Nov 2, 2016, 10:30:03 AM

With the patches for BADLOCK I had to upgrade/patch my domain
controllers first then upgrade the member servers.

In addition to security fixes, some of the signing defaults changed so I
think I had to explicitly set

server signing = No

Boris S. via samba

Nov 4, 2016, 3:10:03 PM

Answering my own question:

I "fixed" it by forcing Windows 7 clients to use LM/NTLM.

Using gpedit.msc -> Local Computer Policy - Computer Configuration -
Windows Settings - Security Settings - Local Policies - Security Options,
changing "LAN Manager authentication level" to "send LM & NTLM responses"
https://social.technet.microsoft.com/Forums/windows/en-US/aca3e2d0-6d43-431f-bbba-3c01aea6d5a6/changing-authentication-level?forum=w7itpronetworking


So it seems that all current Samba versions don't support a classic
domain (PDC) using NTLMv2,
although it was possible until Samba 4.2.11.

Boris
