Wednesday, April 30, 2008

Forcing Vista Home Basic/Premium to play with SAMBA

After spending hours trying, I finally managed to come up with a solution...
From my posting in the MSDN forum:


[quote user="Jim Frost"]

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel

controls the security level mandated or allowed for logins. In Vista it defaults to 0x3, which means "NTLMv2 only". This is not supported by Samba, or at least not supported by any of the Samba servers I use (Mac OS X, Debian Sarge, or Buffalo TeraStation). This is despite the fact that the Samba documentation implies that it should work.
[/quote]

NTLMv2 did not work reliably until the recent Samba 3.0.2X releases.
Vista Home Basic/Premium does not have secpol.msc (Ultimate does), so the setting has to be changed directly in the registry.

[quote user="K Frazier"]

I had the same issue with my Linksys Media Server Router (WRTSL54GS) which offers SAMBA based NAS.

In addition to the suggestion to change the LSA Compatibility from 3 to 1 (NTLMv2 required to NTLMv2 if available), which reverts back to XP type of authentication, I also found that treating the UserID as that of a foreign domain controller works.

That is...If your NAS is a member of the FOO workgroup, when you pass your authentication info, you can specify the format of "FOO\userid" in the username field. It is important to use the Workgroup name and not the NAS server machine name. This should work for most current generation SAMBA implementations.

[/quote]

The full solution for Vista Home Basic/Premium + Samba V2/V3:

Set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel from 0x3 to 0x1. This switches from "0x3: Try NTLMv2" (which confuses Samba) to "0x1: Negotiate NTLMv2 if possible, Try NTLMv1, else use MSLANMAN".

Vista also REQUIRES a domain identifier before the username.
For all of us home users without a domain controller, use your WORKGROUP name instead of a DOMAIN identifier.

To log in to a machine named "SERVER", one would assume you would use "SERVER\username", but this is incorrect.
What you actually want to do is log in as "WORKGROUP\username" with Vista AFTER setting LMCompatibilityLevel to 0x1.

So, for many people this would look something like:
"MSHOME\Owner" or "MSHOME\Administrator"

Remember, you need both the registry edit AND the identifier\username!
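
Both steps as a batch script for an elevated Command Prompt, since Home Basic/Premium has no secpol.msc. This is an added example, not part of the original posting; SERVER, MSHOME and Owner are the post's own placeholders, while the share name "share" and drive letter Z: are assumed. Because level 0x1 lets the client fall back to the older NTLMv1 and LANMAN responses, the script records the previous value and prints the command that restores it.

```batch
@echo off
rem Added example. Run from an elevated Command Prompt on the Vista client.
rem Placeholders: SERVER, MSHOME and Owner come from the post; "share" and Z: are assumed.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
set "VAL=LmCompatibilityLevel"
set "OLD="

rem 1. Record the current value (stays empty if the value was never set explicitly).
for /f "tokens=3" %%A in ('reg query "%KEY%" /v %VAL% 2^>nul ^| find "REG_DWORD"') do set "OLD=%%A"
if defined OLD (echo Current %VAL% is %OLD%) else (echo %VAL% is not set explicitly)

rem 2. Set the level to 0x1, as described in the post.
reg add "%KEY%" /v %VAL% /t REG_DWORD /d 1 /f
if errorlevel 1 (
    echo Could not write the value. Is this prompt elevated?
    exit /b 1
)

rem 3. Confirm the change.
reg query "%KEY%" /v %VAL%

rem 4. Connect as WORKGROUP\username, not SERVER\username. "*" prompts for the password.
net use Z: \\SERVER\share * /user:MSHOME\Owner

rem 5. Print the command that undoes the registry change.
if defined OLD (
    echo To restore: reg add "%KEY%" /v %VAL% /t REG_DWORD /d %OLD% /f
) else (
    echo To restore: reg delete "%KEY%" /v %VAL% /f
)
endlocal
```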

Good luck!

--Kamilion