Boxee

regression: SAMBA Authentication to Servers Accepting NTLMv2 Only Fails (Reopen)

Details

  • Product:
    Boxee Client
  • Severity:
    Critical
  • Version:
    1.2.0.20151
  • Operating System:
    Boxee Box
  • Number of attachments:
    0

Description

Not fixed: It is still not possible to authenticate against a server like SAMBA configured to accept NTLMv2 only.

Workaround:
Change the compatibility level of NTLM security at your server.
Open "Administrative Tools" > "Local Security Policy"
Browse to "Security Settings > Local Policies > Security Options"
Change the value of "Network security: LAN Manager authentication level" from
"Send NTLMv2 response only" to
"Send LM & NTLM - use NTLMv2 session security if negotiated"

Or use the registry editor:
Go to "HKEY_LOCAL_MACHINE" > "SYSTEM" > "CurrentControlSet" > "Control" > "Lsa"
In the pane on the right change "LmCompatibilityLevel" to "1"

Activity

Kurt A. Schumacher added a comment - 17/Jul/11 3:04 PM
Original report: http://jira.boxee.tv/browse/BOXEE-10053
Rafael Mizrahi [Boxee] added a comment - 18/Jul/11 5:22 AM
we have previously verified that version 1.2 supports NTLMv2
can you set your server to support "Send LM & NTLM responses - Use NTLMv2 session security if negotiated"
please specify your server security settings.
Rafael Mizrahi [Boxee] added a comment - 18/Jul/11 5:36 AM
I have now changed the "Windows XP Pro" "Network security: LAN Manager authentication level" into "Send NTLMv2 response only", restarted Windows.
and using boxee 1.2.0.20156 I could access shared and password protected shared on this Windows.
Kurt A. Schumacher added a comment - 18/Jul/11 6:54 AM
Hi Rafael,

The "Send NTLMv2" setting is only a client function and does not change the file sharing "server" side. The (no longer new) Microsoft default server security policy is to use NTLMv2 only.

For the Windows legacy and almost legacy systems check this: http://support.microsoft.com/kb/239869
For the newer Windows systems (2008/2008R2/Vista/7) you can check LMCompatibilityLevel, and set to:

5- Use only NTLMv2 authentication, use NTLMv2 session security if the server supports it. Refuse LM and NTLM responses (accept only NTLM 2).

On SAMBA configure in the [global] section:

..
lanman auth = no
ntlm auth = no
...

Please ensure testing at least against Vista, Win 7, Server 2008/Server 2008 R2 (which are almost equivalent), plus SAMBA 3.5.x.

Regards,
-Kurt.
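
A check for the two Samba settings named in the comment above, as an added example that is not part of the original thread and not Samba's own code: it parses smb.conf text and reports whether `lanman auth` and `ntlm auth` are both explicitly disabled in [global]. The function names and sample configurations are constructed for illustration; an unset parameter is reported as "unset" because its default depends on the Samba version.

```python
import re

# Boolean spellings that smb.conf accepts for yes/no parameters.
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}

def norm(name):
    # Samba ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)   # only the first '=' counts
            params[norm(name)] = value.strip()
    return params

def audit_ntlmv2_only(text):
    """True only if lanman auth and ntlm auth are both explicitly disabled."""
    params = global_params(text)
    findings = {}
    for key in ("lanman auth", "ntlm auth"):
        value = params.get(norm(key))
        if value is None:
            findings[key] = "unset"        # default depends on the Samba version
        elif value.lower() in FALSE_WORDS:
            findings[key] = "disabled"
        elif value.lower() in TRUE_WORDS:
            findings[key] = "enabled"
        else:
            findings[key] = "other: " + value   # non-boolean value, review by hand
    return all(s == "disabled" for s in findings.values()), findings

# Constructed sample configurations (not from a real server).
STRICT = "[global]\nworkgroup = HOME\nlanman auth = no\nNTLM Auth = No\n[media]\npath = /srv/media\n"
MISPLACED = "[global]\nlanman auth = no\n[media]\nntlm auth = no\n"

if __name__ == "__main__":
    for name, conf in (("STRICT", STRICT), ("MISPLACED", MISPLACED)):
        print(name, audit_ntlmv2_only(conf))
```

The MISPLACED sample shows a setting placed in a share section instead of [global], which leaves the server on its default for that parameter.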
Rafael Mizrahi [Boxee] added a comment - 18/Jul/11 10:13 AM
issue assigned to Boxee Support although I'm not sure this issue will be fixed soon as we are using the highest CIFS SMB library version we can have with boxee.
I think you should consider a workaround around this issue.
this issue might be closed as limitation.
Kurt A. Schumacher added a comment - 18/Jul/11 11:35 AM
Highest CIFS library? You must be kidding.... sorry. As per Microsoft, NTLMv2 is standard, the usage of NTLM or LM is discouraged. Mandatory NTLMv2 is configured by default on the actual Microsoft OS like Windows 2008R2 and Windows 7. Beyond, it will be likely also standard on Windows 8.

Support can't help...! We perfectly know how to sacrifice the security on our customers' systems - but we are not willing to do so just because of BOXEE BOX; Further on, BOXEE must not encourage users to sacrifice the security on their Windows systems and SAMBA servers. This would leave a very bad impression.

mount.cifs (also called by mount -t cifs) coming from the SAMBA suite (I assume you use on the BOX anyway to share local attached media...) can perfectly handle NTLMv2 authentication. The critical point for the K.I.S.S. implementation as per BOXEE: The NTLM authentication version is not negotiated by the protocol. It must be configured on both the client and the server prior to authentication. Very likely, there is no other way than identifying and configuring NTLMv2 explicitly on a per-share or per-server basis.

I was under the impression that BOXEE engineering understood the requirement for NTLMv2 support, confirming its implementation on v1.2 following our first bug report. Apparently I was wrong. Disappointed.
Petter Nilsen added a comment - 18/Jul/11 7:58 PM
SMB is broken for me too, both using against my NAS and my Win7 box, see http://forums.boxee.tv/showpost.php?p=200718&postcount=165
Rafael Mizrahi [Boxee] added a comment - 15/Aug/11 9:57 AM
issue reproduced using 1.2.0.20310 and assigned to R&D
Rafael Mizrahi [Boxee] added a comment - 25/Oct/11 10:19 AM
closed. verified using 1.2.2.20482

Dates

  • Created:
    17/Jul/11 3:03 PM
    Updated:
    04/Nov/11 10:09 AM
    Resolved:
    25/Oct/11 10:19 AM