Windows 7, Windows Server 2008 R2, NAS, Samba, NTLMv2, 1326, and Why can’t I get in?

Sometimes my past comes back to haunt me. You see, many moons ago in a land far away, I wanted to learn about Linux. So I set up a server and ran it. I got to learn all about Samba and the ability to make Linux disks look like they were coming from a Windows file server. Back then, I can loosely remember this problem with NTLM and NTLMv2. Windows, in whatever flavor it was, didn’t want to talk to Samba unless you hacked the registry. This particular fact was something that I let get buried by new facts about SharePoint. However, it came back and bit me.

What some folks know is that many of the Network Attached Storage (NAS) devices, particularly at the low to middle end of the market, actually run Samba underneath. Such is the case with the Thecus 5200Pro that I have here. I recently installed Windows 7 RC and the Windows Server 2008 R2 RC. Everything was going relatively well and then I realized that neither of them could see my NAS. That’s bad. After some digging I started thinking about Samba because Thecus mentioned that their latest firmware upgrades the Samba version (to a well and truly out of date version of Samba). A bit of digging led me to a message from Jim Pinkerton where he lays out the details of the issues related to connecting to Samba from Windows. If you want the cliff notes version, you need to set the DWORD value RequireSignOrSeal under HKLM\System\CurrentControlSet\Services\Netlogon\Parameters to 0.

What was my NAS doing when I tried to connect? Bad username or password. (Logon error 1326) Why? Because it didn’t/doesn’t understand NTLMv2 – and Windows was requiring it.

Honestly, I’m going to be very interested to see where this goes. I’m quite curious to see if all of the vendors using Samba for their NAS devices will support getting the extra code into it to support all of the things in Jim’s message – or if the project will slowly die because of a lack of support. In the meantime, I’m being a little less secure than I want to be.

2 replies
  1. Dazza
    Dazza says:

    I have similar issues but the RequireSignOrSeal alone didn’t do it for me. I’m in the process of going through the Pinkerton stuff to see if there is more to it….

  2. Jay
    Jay says:

    I had to change RequireSignOrSeal to 0 and RequireStrongKey to 0.

    Once I did that, it worked fine for me, though slightly insecure.
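
To keep track of this workaround so it can be reverted later, here is an added example that is not part of the original post or its replies: a PowerShell audit of the two Netlogon values named on this page (RequireSignOrSeal from the post, RequireStrongKey from Jay's reply). The function names are hypothetical, the restore step assumes an elevated prompt, and the script treats 0 as relaxed and any other value as enforced.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Audits the Netlogon values this page sets to 0 as a workaround.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Watched     = 'RequireSignOrSeal', 'RequireStrongKey'

function Get-NetlogonRelaxation {
    param(
        [string]$Path = $NetlogonKey,
        [string[]]$Name = $Watched
    )
    # A missing key or value is reported as NotSet rather than guessed at.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($n in $Name) {
        $value = $null
        $state = 'NotSet'
        $prop  = if ($props) { $props.PSObject.Properties[$n] } else { $null }
        if ($null -ne $prop) {
            $value = [int]$prop.Value
            $state = if ($value -eq 0) { 'Relaxed' } else { 'Enforced' }
        }
        New-Object PSObject -Property @{ Name = $n; Value = $value; State = $state }
    }
}

function Restore-NetlogonEnforcement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $NetlogonKey)
    # Only values explicitly set to 0 are touched; NotSet values are left alone.
    $relaxed = @(Get-NetlogonRelaxation -Path $Path |
                 Where-Object { $_.State -eq 'Relaxed' })
    foreach ($item in $relaxed) {
        if ($PSCmdlet.ShouldProcess("$Path\$($item.Name)", 'Set to 1')) {
            New-ItemProperty -Path $Path -Name $item.Name -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Report the current state. Preview a revert with:
#   Restore-NetlogonEnforcement -WhatIf
Get-NetlogonRelaxation | Format-Table Name, Value, State -AutoSize
```

Reverting puts the requirement back in force, so a NAS that needed the workaround will stop connecting again until its Samba build supports it.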
