Re: Mac Connection

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Eriq Neale [MSFT] (a-eriqn_at_online.microsoft.com)
Date: 05/22/04 

Date: Sat, 22 May 2004 16:19:28 GMT

| From: Keith Ward <keith@crystalreef.com>
| Answers
|
| 1. I Get error -5000
| 2. I've Tried to setup AppleTalk on the server without success. I'm trying
| to access via smb smb://ipaddiress
| 3. No I think. I can ping the ip address but cant ping server.ms.local.
but
| can ping ms.local.
| 4. I haven't yet applied any Group Policies.

OK, Keith. Thanks for the info.

What you are running into here is an SMB encryption conflict between the
SBS server and the Macintosh. By default, an SBS server encrypts all SMB
traffic as part of a move towards increased security. The Mac OS does not
understand encrypted SMB packets, hence you are seeing those errors.

You have two options at this point. Option one is to set up Services for
Macintosh on the server and use AppleTalk to connect. The other is to
disable SMB encryption from the server. Make sure you understand the
security implications before taking steps to disable SMB signing on the
server.

Follow these steps to set up Services for Macintosh on the SBS server,
create Mac file shares, and configure the Mac to speak to the SBS server:
Install Services for Macintosh on server
* Open Add or Remove Programs in the Control Panel.
* Click Add/Remove Windows Components.
* Select Other Network File and Print Services and click Details...
* Enable File Services for Macintosh.
* Click OK, Next, wait for the components to install/configure, and click
Finish.

Configure File Server for Macintosh
* Right-click on My Computer (server) and select Manage.
* Right-click on Shared Folders and select Configure File Server for
Macintosh.
* Change Enable Authentication to Apple Clear Text or Microsoft.
* Click Apply then click OK.

Create shares on the server
1. Right-click on My Computer and select Manage.
2. Expand the Shared Folders icon.
3. Right-click on Shares and select New Share.
4. Click Next.
5. Enter the path to the folder on the hard drive or click Browse to select
the folder.
6. Click Next.
7. If the folder selected is already shared to your Windows clients,
uncheck the Microsoft Windows users checkbox.
8. Enable the Apple Macintosh users checkbox and enter a name for the share
in the Share name field.
9. Click Next.
10. Click Finish.
11. Click Close.
12. Right-click on the new share and select Properties.
13. Uncheck the This volume is read-only checkbox and click OK.

Install Microsoft UAM on Mac client
* Go to:
http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=windows200
0sfm
* Download the UAM for OS X 10.1 or later.
* Open the MSUAM_for_X folder and run Install MSUAM for X.pkg.

Enable AppleTalk on the Macintosh
* Under the Apple Menu, select System Preferences...
* Click the Network icon.
* Select Built-in Ethernet and click Configure...
* Click the AppleTalk tab and enable the Make AppleTalk Active checkbox.
* Click Apply Now and close System Preferences.

Configure Directory Access on the Macintosh
* Open Macintosh HD.
* Click Applications in the left pane.
* Open the Utilities folder in the right pane.
* Double-click the Directory Access application.
* Click the lock to make changes.
* Enter the appropriate username and password for the Macintosh.
* Disable Active Directory and SMB.
* Enable AppleTalk .
* Click Apply and quit Directory Access.

If you want to disable SMB signing on the server to connect via SMB, follow
these steps:
1. At the server, open the Server Management console.
2. Expand Advanced Management.
3. Expand Group Policy Management.
4. Expand the Forest.
5. Expand Domains.
6. Select the local domain. The SBS policy objects will display in the
right-hand pane along with the Default Domain Policy.
7. Right-click the domain icon (domain.local) in the console tree and
select Create and Link a GPO Here.
8. Enter "SMB Signing Disabled" (without the quotations marks) for the GPO
Name and click OK.
9. Right-click on the new GPO in the right-hand pane and select Edit to
open the Group Policy Object Editor.
10. Under Computer Configuration, expand Windows Settings.
11. Expand Security Settings.
12. Expand Local Policies.
13. Select Security Options.
14. In the right-hand pane, scroll down to "Microsoft network server:
Digitally sign communications (always)" and double-click on the policy
object.
15. Select the Disabled radio button and make sure the checkbox is enabled
for Define this policy setting.
16. Click OK.
17. Repeat steps 14-16 for "Microsoft network server: Digitally sign
communications (if client agrees)."
18. Close the Group Policy Object Editor.
19. Right-click on the SMB Signing Disabled policy object and select
Enforced. In the Linked Group Policy Objects window, the SMB Signing
Disabled object should show Yes under both Enforced and Link Enabled.
20. Move the SMB Signing Disabled policy just above the Default Domain
Policy in the window. The SMB Signing Disabled policy object should be
number 5 in the list and the Default Domain Policy should be number 6 for a
default SBS installation.
21. Open a command prompt window on the server.
22. Type "gpupdate /force" (without the quotation marks) and press Enter.
23. When the policy update completes, close the command prompt window.

Upgrading to Panther is a good idea, but it will not resolve this
situation. These same steps apply even if you are running Panther.

Hope this helps!

Eriq Neale, MCP
Microsoft Corporation

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Relevant Pages

  • Re: How to allow users to create groups and shares
    ... Add the user/group to the Computer configuration, windows settings, security settings, Local policies, "Allow logon locally" in the Default domain controllers policy and on a existing or new created policy for the member servers. ... Filtering: Not Applied ... check with GPMC on the server or from a client the policy settings. ...
    (microsoft.public.windows.server.active_directory)
  • Domain Controller Security Policy errors
    ... Security Policy or the Domain Controller Security Policy. ... The DC is also a print and file server. ... The domain controller for Group Policy operations is not available. ...
    (microsoft.public.win2000.active_directory)
  • RE: Cant set Local Security policies. They fail to save
    ... predefined Security Template on SBS 2003 to restore security groups ... run "gpupdate.exe /force" under command prompt to force the policy ... reboot the Server to test. ... and then logon to client computer to test if user can save system logs. ...
    (microsoft.public.windows.server.sbs)
  • Re: Move W2K3 server to its own OU seperate from SBS (MyBusiness) OU
    ... OU and move the member server to so that it does not inherit it's GPO from ... policies from inheriting the default domain policies of the SBS ... section of the default domain policy. ... In direct answer to your question, you would need to filter this ...
    (microsoft.public.windows.server.sbs)
  • Re: How to allow users to create groups and shares
    ... policy and on a existing or new created policy for the member servers. ... Filtering: Not Applied ... Allow remote desktop connections ... check with GPMC on the server or from a client the policy settings. ...
    (microsoft.public.windows.server.active_directory)