LM and NTLM Authentication in AD Integration

I’ve received some feedback from a reader who alerted me to some sort of interaction between the Local Security Policy on the Windows side and Linux servers authenticating to Active Directory via Kerberos/LDAP/Samba.  I haven’t quite been able to get to the root issue yet, but here’s the high-level overview.

The reader was seeing strange delays at the end of a Linux logon process that seemingly could not be explained.  After jumping through all the hoops, another administrator within the organization changed the Local Security Policy setting that governed the use of LM and NTLM authentication, and the delays disappeared.

The policy had been set to allow both LM and NTLM authentication; when changed to allow only NTLM authentication, the delays disappeared immediately.  The Linux server in question did have Samba installed, so apparently Samba was timing out trying the LM authentication; this caused the delays.  Of course, this is all just speculation, as we don’t know exactly why the policy change eliminated the delay.

In any case, since I’ve been pushing the use of Samba in my latest integration instructions (Solaris version here), I thought it might be prudent to mention this feedback.  In the event you start seeing some strange delays in your Linux authentication requests, check the Local Security Policy and see if LM authentication is being permitted.  That might just be your culprit.


2 comments

  1. Daniel Milisic

    Hi Scott,

    This is kind of lame for me to ask in an OT thread but I’ll be damned if I can find an e-mail addy to send you a message! ;)

    Hit me back, I built a new toy you might like to help me kick around before it’s unleashed unto the world… Thanks mate!

    D.

  2. slowe

    Daniel,

    I’ll hit you up shortly….and BTW, you can reach me via e-mail at scott dot lowe at scottlowe dot org. I guess I really need to publish that “About” page after all…
