Return-Path: owner-ntbugtraq@LISTSERV.NTBUGTRAQ.COM
X-Authentication-Warning: mailhost.cb1.com: lkcl owned process doing -bs
X-Sender: lkcl@mailhost.cb1.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:
Date: Tue, 22 Jun 1999 22:40:11 +0100
Reply-To: Luke Kenneth Casson Leighton
Sender: Windows NT BugTraq Mailing List
From: Luke Kenneth Casson Leighton
Subject: Re: Possible bug using NTLMv2 across trusted domains.
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
In-Reply-To:

kevin,

the LmCompatibilityLevel parameter is a bit odd. it certainly isn't a
bit-field. in other words, you can't configure the SMB client-side to
send NTLMv2 or NTv1 or LMv1 independently of configuring the SMB
server-side to accept NTLMv2 or NTv1 or LMv1 on the same host.

you might want to try LmcompatibilityLevel=0x4 or 0x5 and see what
happens, rather than 0x3.

you _can_ configure the minimum encrypted MSRPC services to use
(NTLMminclientsec) or accept (NTLMminserversec). this is probably a
better place for you to attempt to configure what you want than with
LmCompatibilityLevel, as the synchronisation etc occurs over MSRPC pipes.

[set each key to 0x00040000 to use / accept NTLMv2, and 0x80040000 for
128-bit NTLMv2. both keys are DWORDs in
HKLM\system\currentcontrolset\control\lsa\MSV1_0 (check the KB article
147706)].

however, if microsoft have not configured (recompiled?) the inter-domain
synchronisation services to use NTLMv2, then this ain't gonna help.

luke

p.s. with NT 4, LMcompatibilityLevel applies to SMB; NTLMminclient/serverSec
apply to NTLMSSP (and therefore to MSRPC; HTTP auth).

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site

=====================================================================
Luke Kenneth Casson Leighton       | Direct Dial   : (678) 443-6183
Systems Engineer / ISS XForce Team | ISS Front Desk: (678) 443-6000
Internet Security Systems, Inc.    | ISS Fax       : (678) 443-6477
=====================================================================

On Mon, 21 Jun 1999, Kevin wrote:

> I believe I have found a problem with NTLMv2 authentication across trusted
> domains.
>
> the setup:
> DomainA (PDC-A and BDC-A both SP4)
> DomainB (PDC-B and BDC-B both SP4)
> Two-way trust exists between DomainA and DomainB
> client machine (Client1) tested with both SP4 & SP5 resides in DomainA
>
> When I add the value LMCompatibilityLevel in
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
> and set it at 3 (send NTLMv2 response only) everything works fine while I
> am in DomainA. However, attempting to access resources in DomainB fails.
>
> The error NT reports when I attempt to access a share on the remote
> domain, or when I try to view DomainB in Server Manager or User Manager
> for Domains, is "the trust relationship between the primary domain and the
> trusted domain failed."
>
> When I change the registry entry back to '1' everything works as it should
> and I assume that I am using NTLMv2 over my local domain and NTLM when
> accessing resources on remote domains.
> I saw nothing in the KB article about multiple domains.
>
> Can anyone out there verify these findings?
>
> Kevin T. Neely MCSE
> Systems Administrator, Interliant Inc.
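An added example, not from the original message nor from Samba or ISS: a PowerShell audit that reads the LmCompatibilityLevel, NTLMMinClientSec and NTLMMinServerSec values discussed in the thread on a Windows host and reports what each one means. The LmCompatibilityLevel meanings are the documented ones; the flag bits it tests default to the values quoted in the message (0x00040000 and 0x80040000) and are assumptions to be confirmed against KB 147706 and current Microsoft documentation.

```powershell
# Added example (not from the original message, Samba or ISS): audit the
# NTLM registry settings the thread discusses. Assumes a Windows host with
# the HKLM: provider. Flag bits default to the values quoted in the message
# (0x00040000 = NTLMv2, 0x80040000 = 128-bit NTLMv2); verify them against KB 147706.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Documented meanings of LmCompatibilityLevel; an absent value behaves as 0.
$LevelMeaning = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; domain controller refuses LM'
    5 = 'Send NTLMv2 only; domain controller refuses LM and NTLM'
}

function Get-RegDword([string]$Path, [string]$Name) {
    # $null when the value or key is absent, i.e. no minimum is enforced.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-Flag([int64]$Value, [int64]$Flag) {
    # DWORDs with the high bit set come back as negative Int32; mask to 32 bits.
    (($Value -band 0xFFFFFFFFL) -band $Flag) -eq $Flag
}

function Get-NtlmPolicySummary([int64]$NtlmV2Bit = 0x00040000L,
                               [int64]$Bit128 = 0x80040000L) {
    $level = Get-RegDword $LsaKey 'LmCompatibilityLevel'; if ($null -eq $level) { $level = 0 }
    $rows = @([pscustomobject]@{ Setting = 'LmCompatibilityLevel'; Raw = $level
                                 Meaning = $LevelMeaning[[int]$level] })
    foreach ($name in 'NTLMMinClientSec', 'NTLMMinServerSec') {
        $raw = Get-RegDword $Msv1Key $name
        if ($null -eq $raw) {
            $hex = '(absent)'; $meaning = 'no minimum NTLMSSP security enforced'
        } else {
            $hex = '0x{0:X8}' -f ([int64]$raw -band 0xFFFFFFFFL)
            $meaning = if (Test-Flag $raw $Bit128) { 'requires 128-bit NTLMv2' }
                       elseif (Test-Flag $raw $NtlmV2Bit) { 'requires NTLMv2' }
                       else { 'set, but does not require NTLMv2' }
        }
        $rows += [pscustomobject]@{ Setting = $name; Raw = $hex; Meaning = $meaning }
    }
    $rows
}

Get-NtlmPolicySummary | Format-Table -AutoSize
```

Run it on the client and on each domain controller involved in the trust to see whether the hosts on both sides of the trust are enforcing the same minimum, which is what the thread suggests matters for the cross-domain failure Kevin describes.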