17

I have had a Samba server set up for some time now. It is a hardware NAS, which unfortunately does not provide access to the Samba logs (the exact model of the NAS is called Addonics NAS Adapter).

I also have a Windows Vista and a Windows XP machine - from both I am able to map \\192.168.0.20\Smd with no errors ( net use l: \\192.168.0.20\Smd works, after asking for my username and password).

I also bought a brand new computer, with Windows 7, and when I try to execute the same exact net use command on it - using the exact same username/password pair, I get a "The specified network password is not correct." message. I also tried mapping from the Windows explorer menu, and got the same error.

I synchronized the clocks of the two machines, tried again... and yet the same error persists.

So what is really surprising here is that mapping works from Windows XP and Windows Vista machines, but fails from a Windows 7 machine using the exact same command and username/password. Does anyone have any idea of what could be causing this or how to solve the problem? Thanks

Joshua
  • 1,556

6 Answers

20

Dominic D's explanation of what is going on is correct: Vista, Windows7, and Windows2008 r2 use NTLMv2 by default. Older implementations of Samba don't support this and will return a password failure. Fortunately you can tell Vista and Windows 7 (and I presume Server 2k8) to use the v1 protocol if the v2 is not available.

These are my notes for Vista, they worked for Windows 7 Pro 64-bit.

  1. Start -> run -> secpol.msc
  2. Local Policies -> Security Options -> Network Security: LAN Manager Authentication
  3. Change NTLMv2 responses only to LM and NTLM - use NTLMv2 session security if negotiated

If you are stuck with a Vista Home, there is no secpol.msc. Instead:

  1. Start -> Run -> regedit
  2. navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. for LmCompatibilityLevel, change the '3' to a '1'
  4. Rebooting might be necessary at this point.
12

Windows7 and Windows2008 r2 use NTLMv2 by default. Older implementations of Samba don't support this and will return a password failure.

We had this exact same problem on our NAS.

Two solutions

  1. Bug your NAS vendor to update their implementation (we've just received a patch).
  2. Push a policy change either via GPO or via Local Policy. The setting you need to modify is: Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level. Set it to Send LM & NTLM - use NTLMv2 session security if negotiated. This gives you the best of both worlds, better security if supported, fall back if not. This should be the default Windows7/Windows2008r2 option IMO, but for whatever reason it isn't.
Dominic D
  • 1,406
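To see what a Windows client is left with after the registry or policy change described in the two answers above, this added example (not code from any of the posters) reads `LmCompatibilityLevel` and the NTLM SSP minimum client session security flags, then reports which response types the client will send. The function names `Get-RegDword` and `Get-NtlmClientAudit` are hypothetical; the `MSV1_0\NtlmMinClientSec` location and its two flag values come from standard Windows behaviour rather than from this page, and an absent `NtlmMinClientSec` is assumed to mean no flags set.

```powershell
# Added example: audit the NTLM client settings that the answers above change.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy names for "Network security: LAN Manager authentication level"
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-NtlmClientAudit {
    param(
        $Level  = (Get-RegDword $LsaKey 'LmCompatibilityLevel'),
        $MinSec = (Get-RegDword "$LsaKey\MSV1_0" 'NtlmMinClientSec')
    )
    $explicit = $null -ne $Level
    if (-not $explicit) { $Level = 3 }   # value absent: Vista and later act as level 3
    # Assumption: an absent NtlmMinClientSec is treated as "no flags set".
    $flags = if ($null -ne $MinSec) { [int64]$MinSec } else { 0 }
    [pscustomobject]@{
        Level             = [int]$Level
        Policy            = $LevelNames[[int]$Level]
        SetInRegistry     = $explicit
        SendsLM           = $Level -le 1     # LM responses go out at levels 0 and 1
        SendsNTLMv1       = $Level -le 2     # NTLM (v1) responses at levels 0 to 2
        SendsNTLMv2       = $Level -ge 3     # NTLMv2 responses only from level 3 up
        RequireNTLMv2Sess = ($flags -band 0x00080000) -ne 0
        Require128Bit     = ($flags -band 0x20000000) -ne 0
        Downgraded        = $Level -lt 3     # weaker than the Vista/7 default
    }
}

# Live settings of the machine this runs on
Get-NtlmClientAudit | Format-List

# Constructed input: the state after changing '3' to '1' with 128-bit unchecked
Get-NtlmClientAudit -Level 1 -MinSec 0 | Format-List
```

Once the NAS firmware supports NTLMv2 and the level is set back, the same check should report `Downgraded : False`.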
0

This is probably not it, but you can try disabling SMB2 on the Windows 7 machine. SMB2 was introduced with Windows Vista so if the Vista machine works I would think the 7 machine would work as well, but it won't hurt to try it.

joeqwerty
  • 111,849
0

I hesitate to post this as an answer, because it's so flimsy, but this may be a purely Win7 Home thing that people using pro or ultimate editions wouldn't see. I remember reading something about homegroups - and they may have limited functionality or a change in syntax?

You may want to check with superuser.com if only because they may have more experience with the home version. (Home version may also mean the question belongs on SU, but I feel like the votes should decide that... seems a bit gray-area to just mod it over).

Are you able to pull up the share by sticking \192.168.0.20\Smd in the run box?

Kara Marfia
  • 7,882
0

It could be an issue with requirements of NTLM. I've read some people have to do the following to get their Win 7 box to work with samba.

Control Panel - Administrative Tools - Local Security Policy

Local Policies - Security Options

Network security: LAN Manager authentication level

Send LM & NTLM responses

Minimum session security for NTLM SSP

Disable Require 128-bit encryption

-1

You need to use double leading backslashes in your UNC paths.

Like this: net use I: \\192.168.0.20\Smd

nrgyz
  • 560