CIFS login fails in domain mode with Windows 2003 server (W2k3)

  • 10084607
  • NOVL90611
  • 27-Jun-2003
  • 26-Jan-2006

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Fact

Novell Netware 5.1 sp6

Novell Netware 6.0 sp3

Native File Access for Windows

Windows 2003 server

Symptom

CIFS login fails in domain mode with Windows 2003 server (W2k3)

The NFAP "Import Users" option in NetWare Remote Manager returns the error:

"Import Status: Import users from NT Domain: ADDM Import Domain Failed.
Reason: CIFS error = -1"

Cause

A Windows 2003 domain controller requires SMB signing by default: its Default Domain Controllers Policy enables "Microsoft network server: Digitally sign communications (always)". Novell CIFS only gained SMB signing support in NetWare 6.5 sp4a, so earlier releases (including the NetWare 5.1 and 6.0 versions listed above) open an unsigned session, which the domain controller rejects; the failure surfaces as "CIFS error = -1".

Fix

There are two options for resolving this issue.

1. Enable SMB signing on the NetWare server with the CIFS SIGNATURES commands. This requires NetWare 6.5 sp4a or later; older NetWare versions cannot sign and must use option 2.

2. Disable SMB signing, or make it optional, on the W2K3 domain controller.

Option 1 is the preferred fix where it is available: it keeps the domain controller's signing requirement in place. Option 2 relaxes SMB signing and the LAN Manager authentication level for every client that authenticates to that domain controller, not only for the NetWare server.

 

Enabling CIFS SIGNATURES

To enable SMB signing on the NetWare server you use the CIFS SIGNATURES options. You can list them, with a description of each, by typing the following at the server console: HELP CIFS SIGNATURES. The same works for an individual option, for example: HELP CIFS SIGNATURES ENABLE.

The quick and simple answer is to type CIFS SIGNATURES ENABLE at the server console. This enables SMB signing on the NetWare server in OPTIONAL mode, which means the NetWare server signs whenever the peer (here the W2K3 domain controller) requires it. For more information on CIFS SIGNATURES see section 5.1.9 in the OES Native File Access Guide at: https://www.novell.com/documentation/oes/native/data/ac23vb4.html#bwlbv8a (copy and paste the link into a browser; the link was not working at the time this was updated).

This works for both NetWare 6.5 sp4a and OES NetWare sp4a.

 

Disabling SMB SIGNING on the W2K3 server

SMB signing needs to be disabled in the security policy that applies to the domain controller.

Policy is applied in "LSDOU" order (Local, Site, Domain, then OU containers in descending order of the hierarchy), and a later policy overrides an earlier one for any item it defines. So more than one policy may need to be modified, depending on which of them have the relevant items enabled, disabled or undefined (and paying attention to Block Policy Inheritance and No Override on the containers).

Essentially, the Novell server authenticates with LM/NTLM and without SMB signing, so the domain controller must accept both.

These are the policies that apply on a default Windows 2003 installation:
Local Security Policy (domain controller)
Default Domain Policy
Default Domain Controllers Policy

Depending on your needs and configuration, we recommend implementing the new security policy settings at the lowest level of the policy hierarchy that still covers the domain controller.

This is what we did at Novell with a default installation of W2k3 to get it working. We changed the following security policy settings in BOTH of the following:
 
Default Domain Policy
Default Domain Controllers Policy

1. Start | Programs | Administrative Tools
2. Choose Domain Controller Security Policy | Local Policies | Security Options
3. Change the following:
      Microsoft network server: Digitally sign communications (always)    Value = Disabled
      Network security: LAN Manager authentication level    Value = Send LM & NTLM - use NTLMv2 session security if negotiated
4. Close
5. Choose Domain Security Policy | Local Policies | Security Options
6. Change the following:
      Microsoft network server: Digitally sign communications (always)    Value = Disabled
      Network security: LAN Manager authentication level    Value = Send LM & NTLM - use NTLMv2 session security if negotiated
7. Close
8. Reboot the domain controller (referred to as the PDC below) so that the new policy is in effect

Microsoft says that any of the following values for LAN Manager authentication level should work:

                                    Value: Send LM & NTLM responses
                                    Or value: Send LM & NTLM - use NTLMv2 session security if negotiated
                                    Or value: Send NTLM response only

We arbitrarily chose "Send LM & NTLM - use NTLMv2 session security if negotiated". You can choose whichever one you want, but this one is known to work.

Our testing shows that this resolves the issue with CIFS pass-through authentication and Windows 2003 server.


If domain authentication still fails after the domain controller has been configured as instructed above, also ensure that the Windows clients are allowed to send LM responses.

On Windows NT, Windows 2000 and Windows XP the Registry entry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel must be 0, which is the default setting. Note that this value is also controlled by the "Network security: LAN Manager authentication level" policy item; if a domain policy sets it, a manual Registry change is overwritten at the next policy refresh, so change the policy instead.

On Windows 95 and Windows 98 the Registry entry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibility must be 0, which is the default setting.

Please follow Microsoft's instructions when editing the Windows Registry.
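The following PowerShell audit is an added example and is not part of the original TID. It reads the effective Registry values that back the two policy items changed above, on the Windows 2003 domain controller and on a Windows NT/2000/XP client, and reports whether an unsigned LM/NTLM session from the NetWare CIFS server would be accepted. It assumes PowerShell has been installed on the machine it runs on (it is not present by default on Windows 2003 or XP); the function names and the PASS/WARN/FAIL wording are this example's own. The value names RequireSecuritySignature (under LanmanServer\Parameters) and LmCompatibilityLevel (under Control\Lsa) are the documented Registry locations of "Microsoft network server: Digitally sign communications (always)" and "Network security: LAN Manager authentication level"; the script only reads them, because a value set by Group Policy is re-applied at every policy refresh and must be changed in the policy.

```powershell
# Added example, not part of the original TID: audit the effective settings that decide
# whether the Windows 2003 domain controller accepts an unsigned LM/NTLM session from
# the NetWare CIFS server. Assumes PowerShell is installed on the target machine.
# Function names and PASS/WARN/FAIL wording are this example's own.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# LmCompatibilityLevel values and the names the policy editor shows for them.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, i.e. no policy sets it and the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-NetWareCifsDomainAuth {
    # -Role 'DC' on the Windows 2003 domain controller, 'Client' on a Windows NT/2000/XP client.
    param([string]$Role = 'DC')
    $ok    = $true
    $level = Get-RegValue $LsaKey 'LmCompatibilityLevel'

    if ($Role -eq 'DC') {
        # "Digitally sign communications (always)" = Enabled is stored as RequireSecuritySignature = 1.
        $require = Get-RegValue $ServerKey 'RequireSecuritySignature'
        if ($require -eq 1) {
            Write-Host 'FAIL: the server requires SMB signing; NetWare CIFS before 6.5 sp4a cannot sign. Set "(always)" to Disabled in the Default Domain Controllers and Default Domain policies.'
            $ok = $false
        } elseif ($require -eq $null) {
            Write-Host 'WARN: RequireSecuritySignature is not set; the OS default applies. Confirm the resultant policy with gpresult /v.'
            $ok = $false
        } else {
            Write-Host 'PASS: SMB signing is not required by the server.'
        }

        # The TID lists levels 0, 1 and 2 as working with the NetWare CIFS server.
        if ($level -eq $null) {
            Write-Host 'WARN: LmCompatibilityLevel is not set; the OS default applies. Confirm with gpresult /v.'
            $ok = $false
        } elseif (@(0, 1, 2) -contains $level) {
            Write-Host ('PASS: LAN Manager authentication level = {0} ({1})' -f $level, $LmLevelNames[[int]$level])
        } else {
            Write-Host ('FAIL: LAN Manager authentication level = {0} ({1}); NetWare CIFS needs level 0, 1 or 2.' -f $level, $LmLevelNames[[int]$level])
            $ok = $false
        }
    } else {
        # The TID requires clients to send LM responses: level 0, which is also the
        # NT/2000/XP default when the value is absent.
        if ($level -eq $null -or $level -eq 0) {
            Write-Host 'PASS: client sends LM & NTLM responses (LmCompatibilityLevel 0 or default).'
        } else {
            Write-Host ('FAIL: client LmCompatibilityLevel = {0} ({1}); the TID requires 0.' -f $level, $LmLevelNames[[int]$level])
            $ok = $false
        }
    }
    return $ok
}

# Usage: run on the domain controller first, then on a client that still fails to log in.
Test-NetWareCifsDomainAuth -Role 'DC'
# Test-NetWareCifsDomainAuth -Role 'Client'
```

A WARN result means the value is not written explicitly on that machine, so the operating system default is in force; on a Windows 2003 domain controller the signing requirement normally comes from the Default Domain Controllers Policy, which `gpresult /v` will show as the winning policy for the item. The function returns $true only when every check passes, so it can be used from a logon or remote-execution script as well as interactively.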