SFM share authentication from Mac PDC

From: will (esmith_at_ascentmedia.com)
Date: 05/22/04

    Date: Fri, 21 May 2004 20:13:22 -0700
    
    

     I have an OS X 10.3 Server running as an OD Master and also running as a
    Windows PDC. I also have a Win2k3 server that I have joined to the Mac PDC.
    I have made users in Workgroup Manager (with OD passwords), and I can log in
    to the desktop of the Win2k3 server with OD users. I can also log in to SMB
    shares on the Win2k3 server as OD users. I cannot, however, log in to AFP
    shares from the Win2k3 server using OD users. I can log in to AFP shares as
    local Win2k3 users, so AFP services are correct. I also have other Win2k3
    servers that are members of a Windows PDC; these servers provide AFP shares,
    so I know how to set up AFP services on Win2k3. Attempting to log in to AFP
    shares on the Win2k3 server from either OS9 or OS X workstations fails, and
    displays this error in my Samba log:

    auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(261)
      opendirectory_smb_pwd_check_ntlmv1:incorrect password length (5)

    I recognize the NT LanManager version 1 password check going on, and it
    reports incorrect length (but shouldn't it be NTLMv2??). I have a
    4-character password, and the field displays (5); if I make an 8-character
    password, the field displays (9). It is always one higher than the password
    character count.

    I've tried changing the authentication style in the ServiceForMacintosh
    properties from Apple Clear Text to Apple Encrypted and also Microsoft. None
    seem to work. Interestingly enough, when set to Apple Encrypted, no Macs can
    even attempt to log in. I'm forced to use Apple Cleartext, even on my other
    Win2k3 servers.

     I've also installed the UAMs from Microsoft's site for OS 9 and OS X, but
    I get the same results and the same error in the Samba log.

    I've read on the web where people have tweaked their Windows security
    policies, so I tried this also, but with no beneficial results. I tweaked the
    following:
     DomainMember: digitally encrypt or sign secure channel data - Disabled
     MSNetworkClient: digitally sign communications - Disabled
     MSNetworkClient: send unencrypted passwords to 3rd party SMB servers - Enabled

    I'm not sure what else to try, so I turn to you for help. I'm so close to
    getting this to work, as I see the Windows Server and the Mac server
    communicating, and authenticating. I just can't get Services for Macintosh
    Shares to use OD users and passwords. Please help.

     Any advice is welcomed and appreciated.

    Thank you

    /eric
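
The three policy changes listed in the post each loosen SMB or secure-channel protection on the Win2k3 member server. The script below is an added example, not part of the original post: a read-only audit that reports whether those settings are still loosened. The registry value names are the standard backing values for these policies; the post does not say which "digitally sign communications" variant was changed, so checking both is an assumption.

```powershell
# Added example (not from the original post): read-only audit of the policies
# the post lists as changed. Nothing is modified; values are only read.
$lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Hardened = the value that keeps signing on and cleartext passwords off.
$checks = @(
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path = $netlogon; Name = 'RequireSignOrSeal'; Hardened = 1 },
    # Assumption: the post does not name the variant, so both are audited.
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Path = $lanman; Name = 'RequireSecuritySignature'; Hardened = 1 },
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Path = $lanman; Name = 'EnableSecuritySignature'; Hardened = 1 },
    @{ Policy = 'Microsoft network client: Send unencrypted password to third-party SMB servers'
       Path = $lanman; Name = 'EnablePlainTextPassword'; Hardened = 0 }
)

function Get-PolicyState {
    param([hashtable]$Check)
    $actual = $null
    $key = Get-ItemProperty -Path $Check.Path -ErrorAction SilentlyContinue
    if ($key) {
        # Properties[...] returns $null when the value does not exist.
        $prop = $key.PSObject.Properties[$Check.Name]
        if ($prop) { $actual = $prop.Value }
    }
    if ($null -eq $actual)               { $state = 'NotSet (OS default applies)' }
    elseif ($actual -eq $Check.Hardened) { $state = 'Hardened' }
    else                                 { $state = 'Weakened' }

    [pscustomobject]@{
        Policy   = $Check.Policy
        Value    = $Check.Name
        Actual   = $actual
        Expected = $Check.Hardened
        State    = $state
    }
}

$checks | ForEach-Object { Get-PolicyState $_ } | Format-Table -AutoSize -Wrap
```

A value enforced through Group Policy will be rewritten at the next policy refresh, so a `Weakened` row should be corrected in the policy that sets it rather than in the registry.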

