CIFS login fails in domain mode with Windows 2003 server (W2k3)
(Last modified: 26Jan2006)
This document (10084607) is provided subject to the disclaimer at the end of this document.
fact
Novell Netware 5.1 sp6
Novell Netware 6.0 sp3
Native File Access for Windows
Windows 2003 server
symptom
CIFS login fails in domain mode with Windows 2003 server (W2k3)
NFAP Import Users option in NetWare Remote Manager returns error:
cause
Windows 2003 server performs SMB signing by default, and the NetWare CIFS server did not support SMB SIGNING until NW 6.5 sp4a.
fix
There are two options for resolving this issue.
1. Enable SMB signing on the NW 6.5 sp4a or later server via the CIFS SIGNATURES commands.
2. Disable SMB SIGNING or make signing optional on the W2K3 server.
Enabling CIFS SIGNATURES
To enable SMB SIGNING on the NetWare server, use the CIFS SIGNATURES options. You can list them and get information on each individual command by typing the following at the server console: HELP CIFS SIGNATURES. The same works for an individual signature option: HELP CIFS SIGNATURES ENABLE.
The quick and simple answer is to type CIFS SIGNATURES ENABLE at the server console. This enables SMB signing on the NetWare server in OPTIONAL mode, which means the server signs when the W2K3 server requires it. For more information on CIFS SIGNATURES see section 5.1.9 in the OES Native File Access Guide at: http://www.novell.com/documentation/oes/native/data/ac23vb4.html#bwlbv8a (copy and paste the link into your browser; linking was not working at the time this was updated).
This works for both NW 6.5 sp4a and OES NetWare sp4a.
Disabling SMB SIGNING on the W2K3 server
SMB signing needs to be disabled in the domain controller 'Local Security Policy'.
Policy is applied in "LSDOU" order (Local, Site, Domain, then OU containers in hierarchical descending order). So more than one policy may need to be modified, depending on which have the policy items enabled/disabled/undefined (with attention to policy blocking and block override).
Essentially, the Novell server performs NTLM without 'SMB signing'.
Here are the policies that apply on a default Windows 2003 installation:
Local Security Policy (domain controller)
Default Domain Policy
Default Domain Controllers Policy
Depending on your needs and configuration, we recommend implementing the new security policy settings at the lowest level of the policy application hierarchy that still gives the necessary scope.
This is what we did at Novell with a default installation of W2k3 to get it working. We changed the following security policy settings on BOTH of the following:
Default Domain Policy
Default Domain Controllers Policy
1. Start | Programs | Administrative tools
2. Choose Domain Controller Security Policy | Local Policies | Security Options
3. Change the following:
Microsoft network server: Digitally sign communications (always) Value = Disabled
Network security: LAN Manager authentication level Value = Send LM & NTLM - use NTLMv2 session security if negotiated
4. Close
5. Choose Domain Security Policy | Local Policies | Security Options
6. Change the following:
Microsoft network server: Digitally sign communications (always) Value = Disabled
Network security: LAN Manager authentication level Value = Send LM & NTLM - use NTLMv2 session security if negotiated
7. Close
8. Reboot the PDC
Microsoft says that any of the below options for LAN Manager authentication level should work:
Value: Send LM & NTLM responses
Or value: Send LM & NTLM - use NTLMv2 session security if negotiated
Or value: Send NTLM response only
We arbitrarily chose Send LM & NTLM - use NTLMv2 session security if negotiated. You can choose which one you want, but this one for sure works.
Our testing shows that this resolves the issue with CIFS pass thru authentication and Windows 2003 server.
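The two Security Options changed above are stored on the domain controller as registry values: Digitally sign communications (always) is LanmanServer\Parameters\RequireSecuritySignature, and LAN Manager authentication level is Lsa\LmCompatibilityLevel (0 to 5, where 0, 1 and 2 are the three values listed as working). The script below is an added example, not part of this Novell document, that reads those values after a policy refresh and reports them in the policy's own wording so you can confirm what actually applied on the DC. It assumes PowerShell is installed on the server (Windows 2003 did not ship with it) and is run with administrative rights.

```powershell
# Added example (not from the Novell TID): audit the registry values behind the two
# Security Options this document changes, and report them in the policy's own terms.
# Assumes PowerShell is available on the domain controller; run after gpupdate /force.

$serverParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy text for each LmCompatibilityLevel value (Microsoft's names for the setting).
$lmNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Read a single DWORD, returning $null when the value or key does not exist.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Render a 0/1 policy flag the way the Security Options snap-in shows it.
function Describe-Flag {
    param([object]$Value)
    if ($null -eq $Value) { return 'not set (OS default applies)' }
    if ($Value -eq 1) { return 'Enabled' }
    return 'Disabled'
}

# "Microsoft network server: Digitally sign communications (always)"
$require = Get-RegDword $serverParams 'RequireSecuritySignature'
# "Microsoft network server: Digitally sign communications (if client agrees)"
$enable  = Get-RegDword $serverParams 'EnableSecuritySignature'
# "Network security: LAN Manager authentication level"
$lmLevel = Get-RegDword $lsa 'LmCompatibilityLevel'

if ($null -eq $lmLevel) {
    $lmText = 'not set (OS default applies)'
} else {
    $lmText = "$lmLevel = $($lmNames[[int]$lmLevel])"
}

Write-Host "Digitally sign communications (always):           $(Describe-Flag $require)"
Write-Host "Digitally sign communications (if client agrees): $(Describe-Flag $enable)"
Write-Host "LAN Manager authentication level:                 $lmText"

# Interpret against what the fix in this document needs: signing must not be required,
# and the LM level must be one of the three values (0, 1, 2) the document lists as working.
if ($require -eq 1) {
    Write-Host 'Result: server still REQUIRES SMB signing; unsigned CIFS pass-through logins will fail.'
} elseif ($null -ne $lmLevel -and [int]$lmLevel -ge 3) {
    Write-Host 'Result: LAN Manager level is NTLMv2-only; only levels 0-2 are listed as working.'
} else {
    Write-Host 'Result: settings match the fix described in this document.'
}
# Scope reminder: these are server-wide values, so with signing not required and LM/NTLM
# permitted the DC accepts unsigned SMB and legacy responses from every client, not only NetWare.
```

If the values read back as Enabled or 3 and above after the GUI change, a higher-precedence GPO in the LSDOU chain (or one marked No Override) is still setting them, which is the policy layering described earlier in this document.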
If domain authentication still fails after having configured the Primary Domain Controller as instructed above, please also ensure that Windows clients are configured to send LM responses.
document
Document Title: CIFS login fails in domain mode with Windows 2003 server (W2k3)
Document ID: 10084607
Solution ID: NOVL90611
Creation Date: 27Jun2003
Modified Date: 26Jan2006
Novell Product Class: NetWare
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.