Mac Tiger and Panther can't access Windows 2008 sharing

[guest]

We test file sharing on one windows 2008 running on workgroup, Macintosh computers can access the windows file sharing. We just built two windows 2008 as DCs in our student lab. However, the Mac computers can't access the file sharing. If we try, we receive "Connection failed. The server name may not exit or it is not operational at this time".

The Mac can ping the windows servers and access the SharePoint running on one of windows 2008 server. We use IP not computer name so that it is name resolution issue. Windows clients don't have a problem to access the file sharing. How do you troubleshoot it?

-
From your description, I understand that your Macintosh cannot access file
sharing after joined to the domain. if I have misunderstood, please let me
know.

To help us narrow down this issue, I would appreciate your help in
providing more information for us:
1. Please tell me the results of pinging the FQDN of the server.
2. Please try to use the FQDN instead of server name when you use
SMB:\\servername
3. Can you tell me whether it's OK to join the Mac to the domain or not?

[guest]

We found Mac version 10.6 Leopard can access the windows 2008 DC sharing
folders and join the domain without a problem. However Panther and Tiger can't
access the same sharing folders and join the domain. If we try
smb://windowsipaddress, the logon screen display, but we will receive "Could
not connect to the server because the name or password is not correct"
message if we type the dolman username and password to logon. If we try to
setup active Directory on the Panther and Tiger, we can't continue because
the username and password. We can ping any computers in the domain by
hostname or FQDN.

We have tried the following suggestions we found in the Internet.

1. Network access: Sharing and Security Model for Local Accounts: Classic -
local users authenticate as themselves.

2. Disable: Microsoft network server: Digitally sign communications (always)

3. Disable: Microsoft network client: Digitally sign communications
(always).

4. Modify NTLM settings.

For a test, we also installed one windows 2008 server to out windows 2003
domain. Both Panther and Tiger can access the windows 2008 sharing without
any problems. Could the problem is that the server windows 2008 DC? Any
suggestions?

-
From your tests, I understand that Leopard machine can connect to the share
with both Windows 2008 DC and member server. However, the Panther and Tiger
can connect to member server only. In this case, from Microsoft's
perspective, I would suggest to capture the network traffic to analyze the
cause.
Please download and install network monitor from the following link:
Microsoft Network Monitor 3.1
http://www.microsoft.com/downloads/deta ... f4d8-4213-
8d17-2f6dde7d7aac&DisplayLang=en
a) Run Network Monitor on the DC and member server. On the start page,
please select the correct NIC to monitor. Go to File-> New -> Capture
b) Press F10 to start the capture
c) Try to connect to the share
d) When the error occurs again, Stop the Capture (Capture -> Stop)
e) Save the Capture, By default, the file path is: C:\Documents and
Settings\Account Name\My Documents\My Network Monitor\Captures
f) Please use both Leopard and Panther/Tiger to connect the share. In this
case, there should be at least four captured files (Leopard->DC,
Leopard->Member Server, Panther/Tiger->DC, Panther/Tiger-> Member Server).

[chicagotech]

set "enablesecuritysignature" and "requiresecuritysignature " both to 0
fixed the problem. What does that mean? Did we lower our security?

Thank you.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"Hong Shao" <v> wrote in message
news:JIxnXcN6IHA.4056@TK2MSFTNGHUB02.phx.gbl...
> Hi Bob,
>
> Thank you for your information.
>
> I have checked the trace files and please correct me if I am wrong: the IP
> of Leopard is 10.20.0.15.
>
> I think below might be the symptom when the problem occured.
> 482 25.187500 10.2.0.15 cbged.cbgedu.local SMB SMB: C; Session Setup Andx,
> Account = administrator
> 483 25.187500 cbged.cbgedu.local 10.2.0.15 SMB SMB: R; Session Setup Andx
> - NT Status: System - Error, Code = (13) STATUS_INVALID_PARAMETER
>
> Source 10.2.0.15 connect to cbged.cbgedu.local with account administrator;
> Source cbged.cbgedu.local connect to destination 10.2.0.15 but failed. The
> error code is 13, STATUS_INVALID_PARAMETER.
>
> After checking the detailed packet information, I found some settings with
> Security Signatures. On the problematic machine, the security settings are
> enabled. But on the Panther and Tiger machine, they are set to disable. So
> I suspect this is the issue. I am not quite sure how Mac OS works but I
> think maybe we can check the SMB singing on the Windows 2008 machine
> first.
> To do so, Please open the registry and go to "
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
> ", set "enablesecuritysignature" and "requiresecuritysignature " both to
> 0.
>
> If Leopard requires Security Signature(if there is any) and your server's
> security signature is set to 0, then please set "enablesecuritysignature"
> to 1. However, please keep "requiresecuritysignature" to 0 otherwise it
> might not work for Panter and Tiger.
>
> Please try the suggestion and tell me the results.

[guest]

FYI

In Windows Server 2003 and Windows XP, the "Microsoft network client: Digitally sign communications (if server agrees)" Group Policy, and in Windows 2000, the "Digitally sign client communication (when possible)" Group Policy map to the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
Value Name: EnableSecuritySignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable)

Note The default value in Windows Server 2003, Windows XP, and Windows 2000 is 1 (enabled).

In Windows Server 2003 and Windows XP, the "Microsoft network client: Digitally sign communications (always)" Group Policy, and in Windows 2000, the "Digitally sign client communication (always)" Group Policy map to the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters

Value Name: RequireSecuritySignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable)

Note The default value in Windows Server 2003, Windows XP, and Windows 2000 is 0 (not required).
Server
In Windows Server 2003 and Windows XP, the Group Policy named "Microsoft network client: Digitally sign communications (if client agrees)", and in Windows 2000, the Group Policy named "Digitally sign server communication (when possible)" map to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters

Value Name: EnableSecuritySignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable)

Note The default value in Windows Server 2003 domain controllers and Windows 2000 domain controllers is 1 (enabled). The default value in Windows NT 4.0 domain controllers is 0 (disabled).
Windows Server 2003 and Windows XP policy is named "Microsoft network server: Digitally sign communications (always)"
Windows 2000 policy is named "Digitally sign server communication (always)" and both map to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters

Value Name: RequireSecuritySignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable)

Note The default value in Windows Server 2003 domain controllers and Windows 2000 domain controllers is 1 (required). The default value in Windows NT 4.0 domain controllers is 0 (not required).
For Windows NT 4.0-based computers to be able to connect to Windows 2000-based computers by using SMB signing, you must create the following registry value on the Windows 2000-based computers:
Value Name: enableW9xsecuritysignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable)
Note There is no Group Policy associated with the EnableW9xsecuritysignature registry value.

[guest]

I am glad that disable SMB signing fixed the problem. SMB signing is also
called security signature, it digitally signs Server Message Block (SMB)
packets to ensure that the data has not been changed while in transit.
However, it does not encrypt data in any way. Enable SMB signing can
mitigate "man-in-the-middle" attacks using SMB packets. In your case, if
you are using file sharing in a LAN environment, the chance of
"man-in-the-middle" attack is rare. If you are using it in an open network
such as the Internet, you may want to enable the setting. If you are
concerned about this kind of attack, you can enable and require SMB Signing
at the both the Server side and the client side. In this case, please
contact Apple for how to enable and require SMB signing for Panther and
Tiger machine, provide that they have such settings.

I have included the following article for your information.
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/libr ... TechNet.10).aspx

[chicagotech]

Mac computers cold not access the windows 2008 DC
this morning. Then I check the regedit, both
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=
1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=
1

If I open Default Domain Controller Policy, the Microsoft network server:
Digitally sign communications (always) is Enabled.

Microsoft network server: Digitally sign communications (if client agrees)
is Enabled.

However, if I open Default Domain Policy, the Microsoft network server:
Digitally sign communications (always) is Disable.

Microsoft network server: Digitally sign communications (if client agrees)
is Disabled.

Should we disable SMB signing on both Default Domain Policy and Default
Domain Controller Policy?

[chicagotech]

Thank you for the update.

1. If the MAC is not using any signed SMB packets, but the DC requires SMB
signing, then the MAC would not be able to access the share because the DC
requires SMB signing.
2. GPO does overwrite registry. It's better to modify this settings in GPO
instead of the registry. Since this is a Windows 2008 DC, then the GPO
should be in the Domain Controller Policy. If it's a server, then Domain
Policy applies.
3. In this case, it's better to enable all the SMB signing and requirement
and test again. Enable and require SMB Signing at both the server and all
the MAC machines. It's better for the security reasons. If security is not
your concern, then you can disable it. However, please test it to see if
this works because I am not sure how SMB Signing works on the MAC machines.
4. SMB signing is a two-way thing: if the MAC machine requires it, then the
DC must enable it. if the DC requires it, then the MAC must enable it.

[chicagotech]

It is to confirm that if I modify the settings using regedit, the GP will
restore back the original settings. So, I have modified the settings using
GP. I will report back if I still have the same issue.

[julio01]

Hello there, we had this trouble here, the solution was choose authentication method forced to 128bit. The w 2008 does not accept a first attempt of 40bit.

[blin]

Thank you for sharing your experience with us.