The Novell NetWare 6 Common Internet File System (CIFS) service may not be able to complete pass-through authentication with servers that are running Microsoft Windows 2000 or Microsoft Windows Server 2003. This issue occurs because Novell NetWare 6 CIFS uses NTLM authentication and does not support server message block (SMB) signing. To resolve this issue, turn on the NTLM authentication feature and lower the SMB signing requirements on your Windows server.
The NetWare 6 CIFS service may not be able to successfully perform pass-through authentication with a Windows 2000-based or a Windows Server 2003-based server if the server requires SMB signing or NTLMv2 authentication.
This issue occurs because NetWare 6 CIFS uses NTLM authentication and does not support SMB signing. By default, Windows Server 2003-based servers require SMB signing.
For example, if the NetWare 6-based server has a share that is configured as a Windows Distributed File System (DFS) link target, a domain client that tries to connect to the NetWare share receives an "access denied" error message from the Windows server. Therefore, the NetWare-based server denies the client access to the server's share.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
To resolve this issue, enable NTLM authentication and lower SMB signing requirements to permit successful connections between the NetWare 6 CIFS service and a Windows 2000-based or Windows Server 2003-based server. To do so, follow these steps:
1. Configure the Windows domain controller policies as indicated in the "Windows 2000 Server and Windows Server 2003 policy settings" section.
2. On the Windows-based domain controller, create a DNS "A" record for the Novell CIFS-based server.
3. You can create a pre-Windows 2000 computer account for the Novell CIFS-based server.
   Note You do not have to create this account. If you do create it, the account does not adversely affect operations.
   To create a pre-Windows 2000 computer account for the Novell CIFS-based server, follow these steps:
   a. In Active Directory Users and Computers, right-click Computers, and then click New.
   b. In the Computer name box, type the NetBIOS name.
   c. In the Computer name (pre-Windows 2000) box, type the NetBIOS name.
   d. Click to select the Assign this computer account as a pre-Windows 2000 computer check box, and then click Next.
   e. Make sure that the This is a managed computer check box is not selected, click Next, and then click Finish.
4. Install WINS on the Windows Server 2003-based server.
5. Configure the Novell 6 CIFS service properties as indicated in the "Novell 6 (Service Pack 2) CIFS properties" section.
6. Stop CIFS on the Novell server, restart it, and then verify that the share is available. To do this, follow these steps:
   a. Use the CIFSSTOP command to stop CIFS.
   b. Use the CIFSSTRT command to restart CIFS.
   c. Use the CIFS SHARE command to verify that the share is available.
7. On the Windows-based domain controller, verify that the Novell-based server has registered its NetBIOS names with WINS. For example, confirm that WINS contains a registration record that is similar to the following registration record:
   Name              Number(h)   Type   Usage
   --------------------------------------------------------------------------
   Novell-server_w   00          U      Workstation Service
   Novell-server_w   03          U      Messenger Service
   Novell-server_w   20          U      File Server Service
For additional information about NetBIOS names, click the following article number to view the article in the Microsoft Knowledge Base:
Windows 2000 and Windows Server 2003 policy settings
The following list contains the applicable policies for a default Windows Server 2003 installation (depending on inheritance blocking and on the "no override" settings). You must restart the domain controller for these settings to take effect because they are enforced during service startup:
Local Security Policy (domain controller)
Default Domain Policy
Default Domain Controllers Policy
The following relevant policy settings may vary depending on your specific installation requirements and configuration. To access the appropriate settings in Group Policy Management, follow these steps:
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
3. Configure the security settings of the following policies.
   Windows 2000
   a. Double-click Digitally sign server communications (always), and then click Disabled.
   b. Double-click LAN Manager authentication level, and then click one of the following options:
      Send LM & NTLM responses
      Send LM & NTLM - use NTLMv2 session security if negotiated
      Send NTLM response only
   Windows Server 2003
   a. Double-click Microsoft network server: Digitally sign communications (always), and then click Disabled.
   b. Double-click Network security: LAN Manager authentication level, and then click one of the following options:
      Send LM & NTLM responses
      Send LM & NTLM - use NTLMv2 session security if negotiated
      Send NTLM response only
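The following script is an added example and is not part of the original article. It parses the [Registry Values] section of a security template exported with secedit /export and reports whether the two policies above are in the lowered state that this article configures, so that servers carrying this workaround can be inventoried. It assumes the registry values RequireSecuritySignature and LmCompatibilityLevel that back these two policies; the sample export is constructed.

```python
import re

# Registry values behind the two policies named in this article (lowercased).
SIGN_KEY = r"machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature"
LM_KEY = r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel"

LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only\\refuse LM",
    5: "Send NTLMv2 response only\\refuse LM & NTLM",
}
ARTICLE_LM_LEVELS = {0, 1, 2}  # the three options this article lists

# Constructed sample of a `secedit /export` file (already decoded to text).
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
"""

def parse_registry_values(inf_text):
    """Return {lowercased key path: int} for REG_DWORD (type 4) entries."""
    values, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        m = re.match(r"^(.+?)=4,(\d+)$", line) if in_section else None
        if m:
            values[m.group(1).lower()] = int(m.group(2))
    return values

def audit(inf_text):
    """Report whether the export matches the lowered settings from this article."""
    v = parse_registry_values(inf_text)
    signing, lm = v.get(SIGN_KEY), v.get(LM_KEY)
    return {
        "signing_required": None if signing is None else signing == 1,
        "lm_level": lm,
        "lm_policy": LM_LEVELS.get(lm, "not defined in export"),
        "matches_article": signing == 0 and lm in ARTICLE_LM_LEVELS,
    }

if __name__ == "__main__":
    for name, value in audit(SAMPLE_INF).items():
        print(f"{name}: {value}")
```

A result of matches_article: True means SMB signing is not required on that server and the LAN Manager authentication level is one of the three options listed above.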
Novell 6 (Service Pack 2) CIFS properties
Configure the settings for the ConsoleOne server Properties CIFS tab according to the following example. In this example, square brackets indicate edit controls. Items in italic indicate placeholders. Items in parentheses are informational comments. Do not put these comments in the controls.
The CIFS Config tab
To configure the Novell server to use an authentication method that matches the Windows 2000 policy requirements, use the following settings: