[olug] Win 7 and Samba

Rob Townley rob.townley at gmail.com
Fri Dec 11 21:31:37 UTC 2009


On Sun, Dec 6, 2009 at 1:13 AM, Barry Von Ahsen <barry at vonahsen.com> wrote:
> this solved my issues:
>
> http://www.linux-archive.org/red-hat-linux/270567-windows-7-samba-support-red-hat.html
> Biggest problem we had was the Local Security Policy having NTLM
> authentication set to "undefined" which results in the default of
> NTLMv2-only. Set it to NTLMv2 If Negotiated and you should be fine.


It would be better to configure /etc/samba/smb.conf to use NTLMv2 for
both clients and servers.  If not, it would be better to not have any
passwords at all.  NTLMv1 uses MD4 / DES, which hasn't been secure
for a long, long time.  Unfortunately there are many bad Samba HOWTOs.
Winbind has been known to get in the way in ADS scenarios, but it
seems to be the most common HOWTO.  YMMV.

Haven't tried Win7, just WinVista, but our ADS group policy has always
been to refuse both NTLM and LM, accepting only NTLMv2.
Anonymous enumeration is disabled.
IRC: #samba
     #samba-technical

The following is a Fedora smb.conf to access NTLMv2-only file shares.
I have several machines running Fedora and CentOS, and the smb.conf isn't
the same on any two of them.  We don't run winbind because we are all
TCP/IP and some of our software runs better without it.  Winbind may
not be able to handle NTLMv2 very well.  On this machine, nmbd is not
running either.

/etc/samba/smb.conf
[global]

   # Comments must sit on their own line: smb.conf only treats '#' or ';'
   # at the start of a line as a comment, so text trailing a value is
   # read as part of the value.
   client schannel = Auto
   server schannel = Auto
   # Server side: refuse LM and NTLMv1 responses, leaving NTLMv2 (and Kerberos).
   lanman auth = No
   ntlm auth = no
   # Client side: send only NTLMv2, never LM or cleartext.
   client NTLMv2 auth = yes
   client lanman auth = no
   client plaintext auth = no
   client ldap sasl wrapping = seal
   workgroup = OLUGNBDOMAIN
   password server = 192.168.x.y
   # see /etc/krb5.conf
   realm = OLUG.COM
   security = ads
#   idmap uid = {long hairy number from net ads join?}
#   idmap gid = {ditto}
   template shell = /bin/bash
   # we don't have a winbind server
   winbind use default domain = false
   winbind offline logon = true




Now for a digression: my biggest problem has been authenticating
using Win2003 R1 MS ADS credentials to log on locally on Linux
workstations.  I would get it to work flawlessly, but it would fail
unexpectedly after so many days, even without a change in schema.
Reverse lookups are not fun when you have two NICs, each with a
different reverse DNS name.  Found both had to be registered in the
userPrincipalName, or is it servicePrincipalName, in MS LDAP.
adexplorer.exe and jxplorer are good for this.  Have to have CIFS:/
and HOST:/ entries for all combinations of NICs and domains for each
workstation.


>
>
> I'm doing win7 -> centos5/samba 3.0.33-3.7.el5_3.1, using AD auth
>
> -barry
>
>
>
> Craig Wolf wrote:
>> Anyone have any experience with this??
>>
>> Too long a story to post here but that is the simple question.
>>
>>
>> Thanx!!
>>
>> Craig Wolf
>> Linux Server Support
>> Backups Administrator
>> Desktop/Network Specialist
>> Desk: (402)715-6283
>> Cell: (402)510-0301
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://lists.olug.org/mailman/listinfo/olug
>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>

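The NTLMv2-only smb.conf above is easy to get subtly wrong: a comment tacked onto the end of a parameter line is not a comment to Samba, because smb.conf only honours '#' and ';' at the start of a line, so "realm = OLUG.COM  #see /etc/krb5.conf" sets the realm to the whole string and a boolean with trailing text does not parse at all. The following audit script is an added example, not code from the original post or from the Samba project. It parses the [global] section of an smb.conf, checks the five authentication parameters against the NTLMv2-only values from the thread, and flags values that carry inline comments. The parser, the name normalisation and the two sample configs (WEAK_CONF, HARDENED_CONF) are constructed for this example.

```python
"""Audit the authentication settings in a Samba smb.conf [global] section.

Added example (not Samba tooling): checks that the NTLMv2-only posture from
the thread is set explicitly and flags trailing '# ...' text on a parameter
line, since smb.conf only treats '#' or ';' as a comment at the start of a
line and keeps anything after the value as part of the value.
"""
import re

# Parameter names are normalised to lowercase with single spaces so that
# 'client NTLMv2 auth' and 'client ntlmv2 auth' match (Samba itself is even
# more lenient about case and whitespace in parameter names).
HARDENED = {
    "lanman auth": "no",
    "ntlm auth": "no",
    "client ntlmv2 auth": "yes",
    "client lanman auth": "no",
    "client plaintext auth": "no",
}
YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}
INLINE_COMMENT = re.compile(r"\s[#;]")


def parse_global(text):
    """Return {parameter: raw value} for the [global] section of smb.conf text."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # whole-line comments only
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        params[key] = value.strip()          # a trailing '# note' stays in the value
    return params


def as_bool(value):
    """Map a Samba boolean spelling to 'yes'/'no'; None if it is not one."""
    v = value.lower()
    if v in YES:
        return "yes"
    if v in NO:
        return "no"
    return None


def audit(text):
    """Return {parameter: finding}; an empty dict means the config is hardened."""
    params = parse_global(text)
    findings = {}
    for key, want in HARDENED.items():
        actual = params.get(key)
        if actual is None:
            findings[key] = f"not set; Samba's default applies, set it to '{want}' explicitly"
        elif INLINE_COMMENT.search(actual):
            findings[key] = f"value {actual!r} carries an inline comment, which is not a comment in smb.conf"
        elif as_bool(actual) != want:
            findings[key] = f"is {actual!r}, want '{want}'"
    # Other parameters (realm, workgroup, ...) break the same way.
    for key, value in params.items():
        if key not in findings and INLINE_COMMENT.search(value):
            findings[key] = f"value {value!r} carries an inline comment; move it to its own line"
    return findings


def is_hardened(text):
    return not audit(text)


# Constructed sample inputs (not from the post). WEAK_CONF leaves NTLMv1 on,
# omits the client-side settings and has an inline comment; HARDENED_CONF is
# the NTLMv2-only [global] from the thread with comments on their own lines.
WEAK_CONF = """\
[global]
   workgroup = OLUGNBDOMAIN
   security = ads
   realm = OLUG.COM  #see /etc/krb5.conf
   lanman auth = no
   ntlm auth = yes
   client NTLMv2 auth = no
"""

HARDENED_CONF = """\
[global]
   lanman auth = no
   ntlm auth = no
   client NTLMv2 auth = yes
   client lanman auth = no
   client plaintext auth = no
   workgroup = OLUGNBDOMAIN
   security = ads
   # see /etc/krb5.conf
   realm = OLUG.COM
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {'OK' if is_hardened(conf) else 'FINDINGS'}")
        for key, msg in audit(conf).items():
            print(f"  {key}: {msg}")
```

Run it against a real file with `audit(open("/etc/samba/smb.conf").read())`. The server-side switches (`lanman auth`, `ntlm auth`) are what stop Windows clients from falling back to NTLMv1 against the share; the `client ...` settings only govern what smbclient and friends send outbound, so both halves need to be set for the posture described in the thread.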