SOLVED NTLMv1 not working on 12.0-U7

Damquis

Cadet
Joined
Jan 13, 2017
Messages
6
Hi! I hope I'm at the right place with my question :)

I was using FreeNAS-9.10.2-U6 without any issues and decided to upgrade to TrueNAS-12.0-U7. We are using some old tech like multi-function printers and embedded systems which require NTLMv1 authentication. On 9.10.2-U6 everything was working fine, but on the new system I can't make it work. The NAS is in Active Directory, and the "newer" machines are able to access the shares.
I checked the forum and set everything I found, but I'm still missing something. How can I make NTLMv1 work?

Here is my config:

Network:
network.jpg


SMB:
smb.jpg


Share:
share.jpg

(I checked with "Allow Guest Access" and it didn't help)

testparm (I masked out sensitive parts with ******)
Code:
root@truenas[~]# testparm -s
Load smb config files from /usr/local/etc/smb4.conf
lpcfg_do_global_parameter: WARNING: The "client ntlmv2 auth" option is deprecated
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        aio max threads = 2
        bind interfaces only = Yes
        client ldap sasl wrapping = seal
        client NTLMv2 auth = No
        disable spoolss = Yes
        dns proxy = No
        domain master = No
        enable web service discovery = Yes
        kerberos method = secrets and keytab
        kernel change notify = No
        load printers = No
        local master = No
        logging = file
        max log size = 5120
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        ntlm auth = ntlmv1-permitted
        preferred master = No
        realm = ******.LOCAL
        registry shares = Yes
        restrict anonymous = 2
        security = ADS
        server min protocol = NT1
        server role = member server
        server string = TrueNAS Server
        template shell = /bin/sh
        winbind cache time = 7200
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind max domain connections = 10
        workgroup = ******
        idmap config *: range = 90000001-100000000
        idmap config ******: range = 100000001-200000000
        idmap config ******: backend = rid
        idmap config * : backend = tdb
        directory name cache size = 0
        dos filemode = Yes


[******]
        ea support = No
        kernel share modes = No
        path = /mnt/data/******
        posix locking = No
        read only = No
        vfs objects = streams_xattr shadow_copy_zfs ixnas recycle crossrename aio_fbsd
        recycle:subdir_mode = 0700
        recycle:directory_mode = 0777
        recycle:touch = yes
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle/%D/%U
        nfs4:chown = true


[******]
        ea support = No
        kernel share modes = No
        path = /mnt/data/******
        posix locking = No
        read only = No
        vfs objects = streams_xattr shadow_copy_zfs ixnas recycle crossrename aio_fbsd
        recycle:subdir_mode = 0700
        recycle:directory_mode = 0777
        recycle:touch = yes
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle/%D/%U
        nfs4:chown = true


This is what I see in the logs when I try to access the server (I masked out sensitive parts with ******):
Code:
  {"timestamp": "2022-02-11T09:06:50.781216+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.1.2:445", "remoteAddress": "ipv4:10.0.1.25:37283", "serviceDescription": "SMB", "authDescription": null, "clientDomain": "*****", "clientAccount": "*****", "workstation": "10.0.1.25", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "*****", "mappedDomain": "*****", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv1", "duration": 7128}}


What is missing?
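The log line above is one event from Samba's JSON authentication audit stream. Added example (not from the post or from TrueNAS/Samba): a small parser that reads such lines, tallies attempts by passwordType and status, and lists which accounts and workstations still authenticate with NTLMv1, so an admin can see exactly which legacy devices depend on it and whether their attempts succeed after a change. The sample events are constructed, using the field layout of the line shown in the thread.

```python
"""Summarise Samba JSON auth-audit events by NTLM version (added example)."""
import json
from collections import Counter, defaultdict

# Constructed sample log: same field layout as the thread's event, plus a
# successful NTLMv2 logon, a non-authentication record, and a garbage line.
SAMPLE_LOG = r'''
{"timestamp": "2022-02-11T09:06:50.781216+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.1.2:445", "remoteAddress": "ipv4:10.0.1.25:37283", "serviceDescription": "SMB", "clientDomain": "EXAMPLE", "clientAccount": "printer", "workstation": "10.0.1.25", "passwordType": "NTLMv1", "duration": 7128}}
{"timestamp": "2022-02-11T09:07:12.000000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.0.1.2:445", "remoteAddress": "ipv4:10.0.1.30:49152", "serviceDescription": "SMB", "clientDomain": "EXAMPLE", "clientAccount": "alice", "workstation": "PC30", "passwordType": "NTLMv2", "duration": 1200}}
{"timestamp": "2022-02-11T09:08:03.000000+0100", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "account": "alice"}}
this line is not JSON and must be skipped
'''


def parse_auth_events(text):
    """Yield the inner 'Authentication' dicts; skip other record types and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "Authentication":
            continue
        yield rec["Authentication"]


def summarize(text):
    """Return ({(passwordType, status): count}, {account: set(workstations)} for NTLMv1)."""
    counts = Counter()
    ntlmv1_sources = defaultdict(set)
    for ev in parse_auth_events(text):
        ptype = ev.get("passwordType") or "unknown"
        counts[(ptype, ev.get("status"))] += 1
        if ptype == "NTLMv1":
            ntlmv1_sources[ev.get("clientAccount")].add(ev.get("workstation"))
    return counts, dict(ntlmv1_sources)


if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    for (ptype, status), n in sorted(counts.items()):
        print(f"{ptype:8} {status:28} {n}")
    for account, hosts in sources.items():
        print(f"NTLMv1 still used by {account} from {', '.join(sorted(hosts))}")
```

On a TrueNAS box the same parser can be fed the Samba auth log directly; only the Authentication records are considered.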
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703

No it isn't. I can confirm that the password is correct.
Well, it's in the log for some kind of reason, and until you can convince the system that you're right, I guess you'll get no further.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Are you trying to use root to access? Because that's no longer allowed.
 

Damquis

Cadet
Joined
Jan 13, 2017
Messages
6
SMB2 or higher is working fine for the same user but NTLMv1 has problems even with the settings listed above. I can use NTLMv1 only on the old tech.
 

Damquis

Cadet
Joined
Jan 13, 2017
Messages
6
@anodos pointed me in the right direction. I use Zentyal as an AD and I added
Code:
ntlm auth = yes

to the /usr/share/zentyal/stubs/samba/smb.conf.mas and restarted the service with
Code:
zs samba restart


The printer can now access the share. This issue is solved. Thank you!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Right, it's important to understand that NTLMv1 / NTLMv2 auth requires the server performing authentication to have access to the NT hash of the user's password (unsalted MD4).

In AD environments, domain members do not have access to these (for fairly obvious security reasons), and the architecture is designed such that NTLM auth requests are basically forwarded to the DC. In this case we depend in part on the configuration of the DC.

In the case of LDAP + Samba schema, the NT hash is actually stored in the LDAP schema and (hopefully) protected by an ACL. Thus every Samba server using this legacy NT-style setup has access to what is basically plain-text equivalents of user passwords. This is the reason why we have explicitly labelled this feature as deprecated and it will be removed at a future point, but in this case local settings for NTLMv1 prevail.

In the case of local users, we have access to NT hashes (stored encrypted in our config file), and so we can do NTLM auth locally.
 