Novell 6 CIFS pass-through authentication failures (824729)

CAUSE

This issue occurs because NetWare 6 CIFS uses NTLM authentication and does not support SMB signing. By default, Windows Server 2003-based servers require SMB signing.

For example, if the NetWare 6-based server has a share that is configured as a Windows Distributed File System (DFS) link target, a domain client that tries to connect to the NetWare share receives an "access denied" error message from the Windows server. Therefore, the NetWare-based server denies the client access to the server's share.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

RESOLUTION

To resolve this issue, enable NTLM authentication and lower SMB signing requirements to permit successful connections between the NetWare 6 CIFS service and a Windows 2000-based or Windows Server 2003-based server. To do so, follow these steps:

Configure the Windows domain controller policies as indicated in the "Windows 2000 Server and Windows Server 2003 policy settings" section.
On the Windows-based domain controller, create a DNS "A" record for the Novell CIFS-based server.

You can create a pre-Windows 2000 computer account for the Novell CIFS-based server.

Note You do not have to create this account. If you do create it, the account does not adversely affect operations.

To create a pre-Windows 2000 computer account for the Novell CIFS-based server, follow these steps:
1. In Active Directory Users and Computers, right-click Computers, and then click New.
2. In theComputer namebox, type the NetBIOS name.
3. In the Computer name {pre-Windows 2000}box, type the NetBIOS name.
4. Click to select the Assign this computer account as a pre-Windows 2000 computer check box, and then click Next.
5. Make sure that the This is a managed computer check box is not selected, click Next, and then click Finish.
Install WINS on the Windows Server 2003-based server.
Configure the Novell 6 CIFS service properties as indicated in the "Novell 6 (Service Pack 2) CIFS properties" section.
Stop CIFS on the Novell server, restart it, and then verify that the share is available. To do this, follow these steps:
1. Use the CIFSSTOP command to stop CIFS.
2. Use the CIFSSTRT command to restart CIFS.
3. Use the CIFS SHARE command to verify that the share is available.
On the Windows-based domain controller, verify that the Novell-based server has registered its NetBIOS names with WINS. For example, confirm that WINS contains a registration record that is similar to the following registration record:
```
   Name                Number(h)  Type  Usage
   --------------------------------------------------------------------------
   Novell-server_w        00       U    Workstation Service
   Novell-server_w        03       U    Messenger Service
   Novell-server_w        20       U    File Server Service
```
For additional information about NetBIOS names, click the following article number to view the article in the Microsoft Knowledge Base:
163409 NetBIOS suffixes (16th character of the NetBIOS name)
Create the DFS link on the Windows Server 2003-based server.

For example:
\\Novell_Server_w\share
Microsoft recommends that you not use the IP address of the Novell server when you create this link. For example, do not use the following IP address:
\\Novell_IP_Address\share

MORE INFORMATION

Windows 2000 and Windows Server 2003 policy settings

The following list contains the applicable policies for a default Windows Server 2003 installation (depending on inheritance blocking and on the "no override" settings). You must restart the domain controller for these settings to take effect because they are enforced during service startup:

Local Security Policy (domain controller)
Default Domain Policy
Default Domain Controllers Policy

The following relevant policy settings may vary depending on your specific installation requirements and configuration. To access the appropriate settings in Group Policy Management, follow these steps:

Click Start, click Run, type gpedit.msc, and then click OK.
Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then clickSecurity Options.
Configure the security settings of the following policies.
- Windows 2000
  1. Double-click Digitally sign server communications (always), and then click Disabled.
  2. Double-click LAN Manager authentication level, and then click one of the following options:
    - Send LM & NTLM responses
    - Send LM & NTLM - use NTLMc2 session security if negotiated
    - Send NTLM response only
- Windows Server 2003
  - Double-click Microsoft network server: Digitally sign communications (always) , and then click Disabled.
  - Double-click Network security: LAN Manager authentication level , and then click one of the following options:
    - Send LM & NTLM responses
    - Send LM & NTLM - use NTLMc2 session security if negotiated
    - Send NTLM response only

Novell 6 (Service Pack 2) CIFS properties

Configure the settings for the ConsoleOne server Properties CIFS tab according to the following example. In this example, square brackets indicate edit controls. Items in italic indicate placeholders. Items in parentheses are informational comments. Do not put these comments in the controls.

The CIFS Config tab

To configure the Novell server to use an authentication method that matches the Windows 2000 policy requirements, use the following settings:

Server Name: [Novell-server_w]
Comment: [server comment text]
WINS Address: [domain controller IP address (optional value:) Unicode (optional value:) OpLocks]
Authentication Mode: [Domain]
Domain name: [NetBIOS domain name (less than 16 characters in length)]
Primary Domain Controller Name: [NetBIOS domain controller name]
Address: [domain controller IP address]

The CIFS Shares tab

For example:

[SYS:\' 'sharename' 0 'sharename']