
The Account May Be Locked in the LiteAD Scenario If LAN Management Is Set to NTLM in the Windows Group Policy

Latest reply: Apr 4, 2022 14:29:56

Hello, friend!

This post will share with you a case about the LiteAD.

Issue Description

In LiteAD scenarios, when the LAN Manager authentication level in the local policy of a VM is set to Send LM & NTLM responses, the account is locked when the user logs out of or logs in to the VM, or logs in to the VM using mstsc, six times within 15 minutes.

NTLM is a challenge-response authentication protocol based on a password hash and is used for account authentication. It is used by operating systems earlier than Windows 2003, and its security level is low. NTLMv2 is recommended for operating systems later than Windows 2007; this mode is more secure.

Keywords

LiteAD, account locking, NTLM, LAN Manager

Applicable Version

R6C10 and later versions

Problem Analysis

LiteAD does not support login in NTLM mode by default in 4.0.5 and later versions. Only the NTLMv2 mode is supported. Therefore, if the user group policy is set to LM and NTLM login mode, the login fails. More than five login failures within 15 minutes will cause the account to be locked.

Solution

Solution 1:

Change the customer VM or template group policy to support only NTLMv2. The customer needs to confirm whether NTLM is required. If not, perform the following operations:

1. Log in to the faulty VM as an administrator.

2. In the Run dialog box, enter gpedit.msc to open the local policy.

3. Choose Security Settings > Local Policies > Security Options, and then locate the "Network security: LAN Manager authentication level" security policy.


4. In the Properties dialog box, select Send NTLMv2 response only, click Apply, and click OK.


Solution 2:

If the customer needs to use NTLM, you can modify the LiteAD server to be compatible with this protocol, but this lowers the security level. Perform the following steps:

1. Log in to the LiteAD server as user gandalf and switch to user root.

2. Run the following command to open the smb.conf configuration file in the vi editor:

vi /etc/samba/smb.conf

3. Add the following configuration items to the configuration file, save the settings, and exit:

lanman auth = yes

ntlm auth = yes

raw NTLMv2 auth = yes

[Figure: the smb.conf file with the three configuration items added]

4. Run the following command to restart the service:

service samba-ad restart


5. Modify the standby LiteAD server by referring to steps 1 to 5.
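As an added example (not part of the original post or of the LiteAD product), the following script models the interaction between the two settings discussed above: the Windows "LAN Manager authentication level" on the VM and the auth switches in the LiteAD server's smb.conf. The LmCompatibilityLevel mapping is the standard Windows one; the rule that a Samba server accepts NTLMv2 always and LM/NTLM (NTLMv1) responses only when ntlm auth = yes is a simplifying assumption, and the lockout threshold of more than five failures comes from the post. The smb.conf fragments are constructed.

```python
"""Predict whether a Windows client at a given LAN Manager authentication level
can log in to a LiteAD (Samba AD) server, and whether repeated failures will
trip the account lockout described in the post. Sample configs are constructed."""
import configparser

# Values of "Network security: LAN Manager authentication level"
# (registry HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel).
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}
LOCKOUT_THRESHOLD = 5  # the post: more than five failures within 15 minutes locks the account

# Constructed smb.conf fragments: a default LiteAD server, and one with Solution 2 applied.
SMB_CONF_DEFAULT = "[global]\n    workgroup = EXAMPLE\n    server role = active directory domain controller\n"
SMB_CONF_NTLM = SMB_CONF_DEFAULT + "    lanman auth = yes\n    ntlm auth = yes\n    raw NTLMv2 auth = yes\n"

def parse_smb_auth(smb_conf_text):
    """Read the [global] auth switches; absent keys use Samba's 'no' default,
    which matches the NTLMv2-only behaviour the post describes for LiteAD 4.0.5+."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(smb_conf_text)
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    def enabled(key):
        return str(glob.get(key, "no")).strip().lower() in ("yes", "true", "1")
    return {"lanman auth": enabled("lanman auth"), "ntlm auth": enabled("ntlm auth")}

def client_response(level):
    """Which response type a client at this LmCompatibilityLevel sends."""
    if level not in LM_LEVELS:
        raise ValueError(f"unknown LmCompatibilityLevel {level}")
    return "NTLMv2" if level >= 3 else ("NTLM" if level == 2 else "LM & NTLM")

def can_authenticate(level, server_auth):
    """Assumption: NTLMv2 is always accepted; LM/NTLM (NTLMv1) needs 'ntlm auth = yes'."""
    return client_response(level) == "NTLMv2" or server_auth["ntlm auth"]

def will_lock_out(level, server_auth, attempts):
    """True when every attempt fails and the count exceeds the lockout threshold."""
    return (not can_authenticate(level, server_auth)) and attempts > LOCKOUT_THRESHOLD

if __name__ == "__main__":
    for name, conf in (("default", SMB_CONF_DEFAULT), ("solution 2", SMB_CONF_NTLM)):
        auth = parse_smb_auth(conf)
        for level, label in LM_LEVELS.items():
            print(f"{name:10} level {level} ({label}): login "
                  f"{'ok' if can_authenticate(level, auth) else 'FAILS'}, "
                  f"6 tries lock account: {will_lock_out(level, auth, 6)}")
```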

That's all, thanks!


The post is synchronized to: Huawei Cloud Computing Case


zj5000
Created Oct 13, 2021 09:49:07

Thanks for your sharing!

VinceD
Moderator Created Oct 24, 2021 07:34:56

interesting article.
wissal
MVE Created Oct 24, 2021 08:42:46

Practical case, useful solution!

olive.zhao
Created Oct 25, 2021 00:50:17

Thanks!

phuta
Created Apr 4, 2022 14:29:56

Thanks for sharing