Novell 6 CIFS pass-through authentication failures

Article ID: 824729 - View products that this article applies to.

INTRODUCTION

The Novell NetWare 6 Common Internet File System (CIFS) service may not be able to complete pass-through authentication with servers that are running Microsoft Windows 2000 or Microsoft Windows Server 2003. This issue occurs because Novell NetWare 6 CIFS uses NTLM authentication and does not support server message block (SMB) signing. To resolve this issue, turn on the NTLM authentication feature and lower the SMB signing requirements on your Windows server.

SYMPTOMS

The NetWare 6 CIFS service may not be able to successfully perform pass-through authentication with a Windows 2000-based or a Windows Server 2003-based server if the server requires SMB signing or NTLMv2 authentication.

CAUSE

This issue occurs because NetWare 6 CIFS uses NTLM authentication and does not support SMB signing. By default, Windows Server 2003-based servers require SMB signing.

For example, if the NetWare 6-based server has a share that is configured as a Windows Distributed File System (DFS) link target, a domain client that tries to connect to the NetWare share receives an "access denied" error message from the Windows server. Therefore, the NetWare-based server denies the client access to the server's share.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

RESOLUTION

To resolve this issue, enable NTLM authentication and lower SMB signing requirements to permit successful connections between the NetWare 6 CIFS service and a Windows 2000-based or Windows Server 2003-based server. To do so, follow these steps:
  1. Configure the Windows domain controller policies as indicated in the "Windows 2000 Server and Windows Server 2003 policy settings" section.
  2. On the Windows-based domain controller, create a DNS "A" record for the Novell CIFS-based server.

    You can create a pre-Windows 2000 computer account for the Novell CIFS-based server.

    Note You do not have to create this account. If you do create it, the account does not adversely affect operations.

    To create a pre-Windows 2000 computer account for the Novell CIFS-based server, follow these steps:
    1. In Active Directory Users and Computers, right-click Computers, and then click New.
    2. In the Computer name box, type the NetBIOS name.
    3. In the Computer name (pre-Windows 2000) box, type the NetBIOS name.
    4. Click to select the Assign this computer account as a pre-Windows 2000 computer check box, and then click Next.
    5. Make sure that the This is a managed computer check box is not selected, click Next, and then click Finish.
  3. Install WINS on the Windows Server 2003-based server.
  4. Configure the Novell 6 CIFS service properties as indicated in the "Novell 6 (Service Pack 2) CIFS properties" section.
  5. Stop CIFS on the Novell server, restart it, and then verify that the share is available. To do this, follow these steps:
    1. Use the CIFSSTOP command to stop CIFS.
    2. Use the CIFSSTRT command to restart CIFS.
    3. Use the CIFS SHARE command to verify that the share is available.
  6. On the Windows-based domain controller, verify that the Novell-based server has registered its NetBIOS names with WINS. For example, confirm that WINS contains a registration record that is similar to the following registration record:
       Name                Number(h)  Type  Usage
       --------------------------------------------------------------------------
       Novell-server_w        00       U    Workstation Service
       Novell-server_w        03       U    Messenger Service
       Novell-server_w        20       U    File Server Service
    For additional information about NetBIOS names, click the following article number to view the article in the Microsoft Knowledge Base:
    163409 NetBIOS suffixes (16th character of the NetBIOS name)
  7. Create the DFS link on the Windows Server 2003-based server.

    For example:
    \\Novell_Server_w\share
    Microsoft recommends that you not use the IP address of the Novell server when you create this link. For example, do not use the following IP address:
    \\Novell_IP_Address\share

MORE INFORMATION

Windows 2000 and Windows Server 2003 policy settings

The following list contains the applicable policies for a default Windows Server 2003 installation (depending on inheritance blocking and on the "no override" settings). You must restart the domain controller for these settings to take effect because they are enforced during service startup:
  • Local Security Policy (domain controller)
  • Default Domain Policy
  • Default Domain Controllers Policy
The following relevant policy settings may vary depending on your specific installation requirements and configuration. To access the appropriate settings in Group Policy Management, follow these steps:
  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
  3. Configure the security settings of the following policies.
    • Windows 2000
      1. Double-click Digitally sign server communications (always), and then click Disabled.
      2. Double-click LAN Manager authentication level, and then click one of the following options:
        • Send LM & NTLM responses
        • Send LM & NTLM - use NTLMv2 session security if negotiated
        • Send NTLM response only
    • Windows Server 2003
      • Double-click Microsoft network server: Digitally sign communications (always), and then click Disabled.
      • Double-click Network security: LAN Manager authentication level, and then click one of the following options:
        • Send LM & NTLM responses
        • Send LM & NTLM - use NTLMv2 session security if negotiated
        • Send NTLM response only
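
The following check is an added example, not part of the original article. It reads the text of a `secedit /export /cfg` file and reports whether the two policies above are in the state this section configures. The registry value paths are the standard Windows locations for these policies (they are not given in the article), and both sample exports are constructed.

```python
import re

# Registry values behind the two policies. Standard Windows locations,
# not taken from the article; compared in lower case.
SIGN = r"machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature"
LMLEVEL = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"
LM_LABELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only\\refuse LM",
    5: "Send NTLMv2 response only\\refuse LM & NTLM",
}

def parse_registry_values(inf_text):
    """Return {lower-cased value path: int} for the REG_DWORD (type 4)
    entries in the [Registry Values] section of a secedit export."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "registry values" and "=" in line:
            path, _, data = line.partition("=")
            kind, _, value = data.partition(",")
            if kind.strip() == "4" and value.strip().isdigit():
                values[path.strip().lower()] = int(value)
    return values

def audit(inf_text):
    """Report the SMB signing requirement and LAN Manager level found in the export."""
    reg = parse_registry_values(inf_text)
    signing, level = reg.get(SIGN), reg.get(LMLEVEL)
    return {
        "signing_required": None if signing is None else signing == 1,
        "lm_level": level,
        "lm_label": LM_LABELS.get(level, "not defined in export"),
        # True only when signing is Disabled and one of the three listed options is set.
        "matches_article": signing == 0 and level in (0, 1, 2),
    }

# Constructed sample exports (not captured from a real server).
SAMPLE_STRICT = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""
SAMPLE_RELAXED = SAMPLE_STRICT.replace("=4,5", "=4,2").replace("=4,1", "=4,0")
```

secedit writes the export as UTF-16, so read a real file with `open(path, encoding="utf-16")` and pass its text to `audit`.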

Novell 6 (Service Pack 2) CIFS properties

Configure the settings for the ConsoleOne server Properties CIFS tab according to the following example. In this example, square brackets indicate edit controls. Items in italic indicate placeholders. Items in parentheses are informational comments. Do not put these comments in the controls.

The CIFS Config tab

To configure the Novell server to use an authentication method that matches the Windows 2000 policy requirements, use the following settings:
  • Server Name: [Novell-server_w]
  • Comment: [server comment text]
  • WINS Address: [domain controller IP address (optional value:) Unicode (optional value:) OpLocks]
  • Authentication Mode: [Domain]
  • Domain name: [NetBIOS domain name (less than 16 characters in length)]
  • Primary Domain Controller Name: [NetBIOS domain controller name]
  • Address: [domain controller IP address]

The CIFS Shares tab

For example:
[SYS:\' 'sharename' 0 'sharename']

Properties

Article ID: 824729 - Last Review: July 21, 2009 - Revision: 2.0
APPLIES TO
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
Keywords: 
kbwinservnetwork kbnetwork kbprb KB824729
