Tuesday, February 19, 2008

Getting Vista to work with Samba

Steven J. Vaughan-Nichols Dec. 15, 2006 Linux-Watch

I was tinkering with my Vista system the other day, when I found it wouldn't connect with a pair of NAS (Network Attached Storage) drives. I was not a happy camper.


The drives, a pair of Seagate 400GB USB2.0 External Hard Drives, were connected to my Fast Ethernet network by a Linksys NSLU2, aka Slug, network storage link. All my other systems, which include XP Pro, MEPIS 6.01, Fedora 6, openSUSE 10.2, and SLED (SUSE Linux Enterprise Desktop) 10, had no trouble at all accessing these drives, so what was the problem?

After staring for much too long at network traffic logs, it suddenly hit me: I'd seen a variation of this problem years ago. Vista defaults to using NTLMv2 authentication. NTLMv2 is a 128-bit encrypted authentication protocol that has been around for over a decade. It was first introduced back in NT4 SP4.

Back in those days of stone-axes and bear-skins, I'd run into trouble with Windows 95 clients being unable to connect with "secured" NT4 SP4 servers. I fixed it then by setting the servers back to using NTLM.

Today, my problem was that by default Vista only used NTLMv2, and not NTLM or LM authentication. My NAS setup, like many NAS appliances, relies on a firmware-based Linux and Samba for its CIFS (Common Internet File System) file server.

The NSLU2 uses Samba 2.x, and that version doesn't speak NTLMv2. That's not too surprising. While NTLMv2 has been around for ages, almost no one, until now, has deployed it as a client operating system default protocol. Consequently, in addition to the NSLU2, you can expect many other such Linux/Samba-based devices, like the Iomega StorCenter Pro NAS 100d/160GB, the D-Link DSM-G600, and the Buffalo HD-H1.0TGL/R5-1 Terastation 1.0 Terabyte NAS, to not work with Vista.

It doesn't help any in working with NTLMv2 that Microsoft has changed how it worked over time and that its documentation is, to be kind, awful. For more on how NTLMv2 actually works, see "The Most Misunderstood Windows Security Setting of All Time." This is must reading for any network administrator who will be dealing with Vista.

Fortunately, there are two ways to fix this problem. The first is just to force Vista to use the NTLM protocol as well as NTLMv2. To do that, follow these steps:

Click "Start -> Run," then type "secpol.msc" in the Run field. That will bring you to Vista's security policy system. Once there, go to "Local Policies > Security Options" and find "Network security: LAN Manager authentication level." Change the setting from "Send NTLMv2 response only" to "Send LM & NTLM - use NTLMv2 session security if negotiated."

Ta-da! My Vista workstation could use my Seagate drives.
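
The same policy is stored in the registry as the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The PowerShell below is an added example, not part of the original article: it reports the level currently in effect and can apply the workaround or revert it once the Samba server has been upgraded. The function names are hypothetical, and it assumes PowerShell 2.0 or later in an elevated session.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Registry value -> label shown in secpol.msc
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthLevel {
    $prop = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Assumption: the value is not set, so the OS default applies
        # (NTLMv2 only on Vista, as the article describes).
        $level  = 3
        $source = 'OS default (value not set)'
    } else {
        $level  = [int]$prop.$ValueName
        $source = 'registry'
    }
    New-Object PSObject -Property @{
        Level  = $level
        Policy = $Levels[$level]
        Source = $source
    }
}

function Set-LmAuthLevel {
    param([ValidateRange(0, 5)][int]$Level)
    $before = (Get-LmAuthLevel).Level
    # -Force overwrites the value if it already exists.
    New-ItemProperty -Path $LsaKey -Name $ValueName -Value $Level `
        -PropertyType DWord -Force | Out-Null
    "LmCompatibilityLevel changed: $before -> $Level ($($Levels[$Level]))"
}

# Audit first, so the previous level is on record before anything changes.
Get-LmAuthLevel | Format-List

# Workaround from the article: also send LM and NTLM responses.
# Set-LmAuthLevel -Level 1
# After the Samba server is upgraded, return to NTLMv2 only.
# Set-LmAuthLevel -Level 3
```

Level 1 makes the workstation send LM and NTLM responses to every server it authenticates to, not only the NAS, so record the previous level and restore it when the server side can handle NTLMv2.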

The better long-term solution is to upgrade any of your Samba servers to 3.0.22 or higher, since they can handle NTLMv2. 3.0.21 will also do the trick, but it has a security hole in it, so if you're still using it, upgrade as soon as possible. The most recent stable version of Samba is 3.0.23d, and I highly recommend it.

I'd already done that with my SLES (SUSE Linux Enterprise Server) and RHEL (Red Hat Enterprise Linux) servers, so that's why I didn't immediately consider a Samba authentication problem when I first had trouble with the Vista box.

Unfortunately, upgrading the NSLU2, like any network appliance, isn't so easy. Upgrading almost any appliance requires you to change the firmware. However, in the case of the NSLU2, its most recent firmware dates from July, 2005 and it doesn't do the job.

So, what I did instead was head over to the NSLU2 Linux site. Once there, I installed an alternative firmware, Unslung. With that up and working -- they're not kidding, by the way, about following all the instructions -- I then used OptWare, a software package system for Unslung, to install an up-to-date version of Samba.

If that sounds complicated, well, yes, it is. I recommend that only users who are very comfortable with getting their hands dirty with deep-down technology give it a try. For the rest of you, and there will be many of you soon, who want to get Vista and your network appliances on the same page, I recommend changing Vista's settings as described above, for now, and bugging your device vendors for upgraded firmware for the long run.

-- Steven J. Vaughan-Nichols

===
This comment was written in Dec 2005.
In Erele/2008, I got a Vista present and tried to prepare it for conversion to Linux. First I could not find "Run" when I clicked on Microsoft's "Start" logo. I will shortly be reformatting the hard drive and enlighten the computer. Meanwhile, here is a workaround that might work for you.
