Ensure interoperability between Samba and Windows computers at IU

UITS does not support the LAN Manager (LM) and NTLMv1 authentication protocols on the Indiana University Active Directory. Nearly all Windows computers on the IU network are configured to use only NTLMv2. Windows computers on ADS received a policy configuring them to accept only NTLMv2; owners of Windows computers not joined to ADS can change their settings on their own, either with an executable available on IUware, or manually through certain console or registry settings.

This affects how Windows computers on the IU network access Samba file or printer shares on Unix, Linux, and BSD servers. Only recent versions of Samba can understand the NTLMv2 protocol, and by default that ability is disabled in those versions. Therefore, if you administer a server running Samba, you may see a problem with Windows clients unless you take action to avoid it.

While it's impossible to cover every configuration across every version of Unix, Linux, or BSD, the way to avoid the problem can be generalized as follows:

  • The server administrator must be running a version of Samba capable of handling NTLMv2 securely. UITS recommends versions currently supported by the Samba team.
  • The smb.conf must include a line in the Global Settings section, labeled [global], that reads:
     client ntlmv2 auth = yes

At Indiana University, for personal or departmental Linux or Unix systems support, see Get help for Linux or Unix at IU.

This is document atvt in the Knowledge Base.
Last modified on 2019-01-14 15:01:56.

Contact us

For help or to comment, email the UITS Support Center.