
Vista Fails to Connect to Samba

I was (still am) a huge fan of the e-smith gateway server (now SME Server; see also http://contribs.org), which was a very simplistic way to take almost any computer and have it up and running as an email, web, database server and more in under 2 hours. It has reliably been my development server of choice for years, although my next nix server is likely to be Ubuntu.

I am having a problem getting Vista to authenticate across the network to allow me to browse directories and work on my development files. As it turns out, the default Vista security is set to use only NTLMv2 authentication. Samba can’t handle this. One solution is:

To solve the problem, run secpol.msc to get into the Local Security Policy screen. Go to "Security Options", then find "Network Security: LAN Manager authentication level." Change it from "NTLMv2 responses only" to "LM and NTLM – use NTLMv2 session security if negotiated".

Now, to exacerbate the problem, Vista Home Premium does not have secpol.msc. Instead you must manually edit the registry. Use caution when editing the registry! Run regedit. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Look for the LmCompatibilityLevel value, right-click it, choose Modify, and change the number to the appropriate value from 0 to 5.

0 – Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

1 – Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2 – Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM, and NTLMv2 authentication.

3 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

4 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2.

5 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2.

[Source, Microsoft TechNet, LmCompatibilityLevel]

In this case, to support Samba, I want the value to change from the default of 3 to 1.

After doing this, reboot for the change to take effect. Next, read Security Watch: The Most Misunderstood Windows Security Setting of All Time.
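
The registry edit described above, written as a script for machines that lack secpol.msc. This is an added example, not part of the original post; it assumes PowerShell is installed and run from an elevated prompt, and the backup file name is made up for illustration.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
param(
    [ValidateRange(0, 5)]
    [int]$Level = 1          # the post's choice for the old Samba server
)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'LmCompatibilityLevel'

# Client-side behaviour per level, condensed from the table in the post.
$ClientBehaviour = @{
    0 = 'LM and NTLM; never NTLMv2 session security'
    1 = 'LM and NTLM; NTLMv2 session security if the server supports it'
    2 = 'NTLM only; NTLMv2 session security if the server supports it'
    3 = 'NTLMv2 only'
    4 = 'NTLMv2 only (as a domain controller: refuses LM)'
    5 = 'NTLMv2 only (as a domain controller: refuses LM and NTLM)'
}

function Get-LmLevel {
    # The value may be absent; return $null so "not set" is distinguishable from 0.
    $prop = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$Name
}

$current = Get-LmLevel
if ($null -eq $current) {
    Write-Host "$Name is not set; the OS default applies (3 on Vista, per the post)."
} else {
    Write-Host "Current $Name = $current : $($ClientBehaviour[$current])"
}
if ($current -eq $Level) { Write-Host 'Nothing to change.'; return }

# Export the Lsa key first so the previous state can be restored.
$backup = Join-Path $env:TEMP 'lsa-before-change.reg'   # hypothetical file name
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backup /y | Out-Null

# -Force creates the value if missing or overwrites an existing one.
New-ItemProperty -Path $LsaKey -Name $Name -PropertyType DWord -Value $Level -Force | Out-Null

# Read the value back instead of trusting the write.
$after = Get-LmLevel
if ($after -ne $Level) { throw "Write failed: $Name reads back as $after" }
Write-Host "New $Name = $after : $($ClientBehaviour[$after])"
if ($after -lt 3) { Write-Warning 'Below level 3 the client no longer restricts itself to NTLMv2 responses.' }
Write-Host "Backup saved to $backup. Reboot for the change to take effect."
```

Importing the exported .reg file restores the previous state of the Lsa key.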


1 thought on “Vista Fails to Connect to Samba”

  1. I am using Windows 7. I am trying to connect to an Apache server on Unix via NTLM authentication. Like you said, Windows 7 has NTLMv2 by default. So I changed the lmcompatibilitylevel to 1. Rebooted. Still did not authenticate. Changed lmcompatibilitylevel to 0. Rebooted. Still did not authenticate. Do you have any ideas why?
