Netlogon Issue "schannel required"

Hi.

When I try to authenticate a proprietary client with Netlogon or respective NTLMv1, I see the following error message in log.samba:

[2019/11/24 19:40:02.252780,  0, pid=3525] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
  dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was xyz$

I searched Google for the message and you should set

server schannel = auto

in smb.conf, but I can’t find a suitable entry in the UCS registry.

Hello @tinux,

please have a look at the Release Notes for UCS 4.3-2. NTLMv1 authentication is deactivated per default because of security reasons starting with this UCS version. Activating it is not recommended.

One issue in our bugzilla contains server schannel = auto, see https://forge.univention.org/bugzilla/show_bug.cgi?id=49898.

Nevertheless, you could set that option in /etc/samba/local.conf at your own risk. There is no UCR variable for it.

Best regards,
Nico

1 Like

Hi Nico

Thanks. For the schannel parameter I created the file /etc/samba/local.conf as follows:

[global]
schannel = auto