Allow Windows Vista, Server 2008 systems to interact with older Samba installations

Windows Vista and Server 2008 have a default version requirement of MS-LAN Manager communication that prohibits communication to older Linux-based Samba installations. This can be fixed via group policy or the local security policy.

Whether or not you have officially adopted Vista or Windows Server 2008 (WSK8), there may be some level of compulsory testing environments. If you have any network attached storage (NAS) devices, Linux servers running Samba there may have been interoperability issues with Vista and WS2K8. Beyond Linux and NAS devices, print server shares and other device shares may be affected by Vista and WS2K8's requirement to communicate at NTLMv2 or higher. Samba versions 3.0.21c and prior may be candidates for the interoperability issues with Vista and WS2K8. This may be particularly frustrating as the TCP/IP address of the Linux system or NAS device will resolve by name and ping, but file access will not work in most situations.This inconvenience does not entice many to embrace Vista and WS2K8, as the downstream modifications of the Samba installations may be an unmanageable task. For Vista and W2K8, there are a couple of ways to address this issue. For domain systems, one approach is to make a domain group policy object (GPO) and link it to the domain and be done with the issue. The other way is to make local policy changes for specific systems where the communication to NTLMv1 systems (Linux, NAS, etc.) is required.Local configuration To make a local security policy change for Vista and WS2K8, open the Security Policy Editor (secpol.msc). Browse to Security Settings, Local Policies, Security Options, Network security: LAN Manager authentication level. The "Send LM & NTLM responses" option will provide the most interoperability. If the configuration is set and you are unable to change it, there is a domain-based GPO preventing local configuration. Figure A shows the local security policy configured authoritatively by a GPO. Figure A Figure A Domain-based GPO The other scenario is creating a domain-based GPO to configure this for a single system, a collection of systems in an organizational unit, or the entire domain. On a domain controller, run the Group Policy Management snap-in (gpmc.msc) and browse to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options, and find the Network security: LAN Manager authentication level option. Figure B shows the option when creating a domain-based GPO: Figure B

Figure B

Again, selecting the "Send LM &NTLM responses" option will provide the most functionality and will allow the newer Windows clients the ability to communicate with systems using an older Samba installation. It is important to note that WSK8 domain controllers running cannot go down to the NTLMv1 level.