Ensure interoperability between Samba and Windows computers at IU

UITS does not support the LAN Manager (LM) and NTLMv1 authentication protocols on the Indiana University Active Directory. Nearly all Windows computers on the IU network are configured to use only NTLMv2. Windows computers on ADS received a policy configuring them to accept only NTLMv2; owners of Windows computers not joined to ADS can change their settings on their own, either with an executable available on IUware, or manually through certain console or registry settings.

This affects how Windows computers on the IU network access Samba file or printer shares on Unix, Linux, and BSD servers. Only recent versions of Samba can understand the NTLMv2 protocol, and by default that ability is disabled in those versions. Therefore, if you administer a server running Samba, you may see a problem with Windows clients unless you take action to avoid it.

While it's impossible to cover every configuration across every version of Unix, Linux, or BSD, the way to avoid the problem can be generalized as follows:

• The server administrator must be running a version of Samba capable of handling NTLMv2 securely. UITS recommends versions currently supported by the Samba team.
• The smb.conf must include a line in the Global Settings section, labeled [global], that reads:

   client ntlmv2 auth = yes