On 30/08/11 22:53, Danner, Mearl wrote:
Might be the LAN Manager authentication level on the 2K8 servers. It needs to be "downgraded". Probably to "Send LM and NTLM".
Samba used to put a note about that in the documentation.
That's related to the LM/NT hashes used to authenticate an SMB connection. It's unrelated to the use of ntlm_auth in helper mode. There seems to be some confusion about this; just so people are clear, in a working Samba/ntlm_auth configuration, the following is true: 1. Samba is joined into the domain, and thus has its own machine account credentials 2. Winbind is running, and maintains a long-lived SMB connection to a domain controller 3. That SMB connection is authenticated using the machine account credentials; provided you have a recent enough version of Samba, it can have all the security bells & whistles enabled 4. When "ntlm_auth" is called, it passes the mschap challenge/response to winbind, which calls an RPC (over the SMB connection) on the domain controller, which is basically: SamLogonUserEx(username, mschap_challenge, mschap_response) ...and the domain controller says yes or no. "LAN Manager authentication level" is largely irrelevant to all that.