Cannot mount network share

I am running a Linux box with mounts to a windows fileserver. This fileserver
was just a domain member, I recently restructured things and the fileserver
is now a domain controller. Since I upgraded smbclient can no longer
authenticate correctly to the server. I have found the reason in KB article
870987.
http://support.microsoft.com/kb/870987

My question is, is there any work-around?

At this stage I am looking to demote the server to a member server again.

On 2006-05-23 16:04:01 -0400, Steven <ms at x-wired dot net.nz> said:

> I am running a Linux box with mounts to a windows fileserver. This
> fileserver was just a domain member, I recently restructured things and
> the fileserver is now a domain controller. Since I upgraded smbclient
> can no longer authenticate correctly to the server. I have found the
> reason in KB article 870987.
> http://support.microsoft.com/kb/870987
>
> My question is, is there any work-around?
>
> At this stage I am looking to demote the server to a member server again.

Are you sure that's the problem you are experiencing? Generally, Linux
boxes don't do Kerberos against Active Directory unless they've been
specifically configured to do so, and then their communication is with
a DC (KDC in the Kerberos world).

More likely, iMHO, is the configuration for the "LAN Manager
authentication level" policy setting. It's probably been bumped up to
NTLM v2 only or similar, and now your Samba client can't authenticate.
Have a look at the Local Security Policy and see what the settings are
for SMB signing and LAN Manager authentication levels.

Also, I just read earlier today that smb.conf has a "client ntlmv2 auth
= yes" setting that may fix this problem as well. I have not had the
opportunity to test that myself yet.

HTH.

--
Regards,
Scott Lowe
ePlus Technology Inc.

Thankyou for your input on this.

It Appears the Policy
Digitally sign commenications (if client agrees)
had to be disabled.

This this seems to be a work-around to the problem. Without an in depth
understanding of how this, it seems that smbclient cantdigitally sign the
communications even though it agrees, possibly due to the fix in the below KB
article.

You are right that NTLM is bumped up to v2, and I had tried both reducing it
on the server and adding the extra client ntlmv2 auth = yes.
What made me think that it is the bug below, is the fact that smbclient
authenticated without a problem - well you can see the correct user is
connected in Computer Management - and that when i reset the users password,
the first transaction would succeed and subsequent ones would fail.
"Scott Lowe" wrote:

> On 2006-05-23 16:04:01 -0400, Steven <ms at x-wired dot net.nz> said:
>
> > I am running a Linux box with mounts to a windows fileserver. This
> > fileserver was just a domain member, I recently restructured things and
> > the fileserver is now a domain controller. Since I upgraded smbclient
> > can no longer authenticate correctly to the server. I have found the
> > reason in KB article 870987.
> > http://support.microsoft.com/kb/870987
> >
> > My question is, is there any work-around?
> >
> > At this stage I am looking to demote the server to a member server again.
>
> Are you sure that's the problem you are experiencing? Generally, Linux
> boxes don't do Kerberos against Active Directory unless they've been
> specifically configured to do so, and then their communication is with
> a DC (KDC in the Kerberos world).
>
> More likely, iMHO, is the configuration for the "LAN Manager
> authentication level" policy setting. It's probably been bumped up to
> NTLM v2 only or similar, and now your Samba client can't authenticate.
> Have a look at the Local Security Policy and see what the settings are
> for SMB signing and LAN Manager authentication levels.
>
> Also, I just read earlier today that smb.conf has a "client ntlmv2 auth
> = yes" setting that may fix this problem as well. I have not had the
> opportunity to test that myself yet.
>
> HTH.
>
> --
> Regards,
> Scott Lowe
> ePlus Technology Inc.
>
>