Cannot Login To CIFS Server In DOMAIN PASSTHROUGH Mode, But Can In LOCAL Mode

  • 7006442
  • 13-Jul-2010
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
Novell NetWare 6.5 Support Pack 8

Situation

While trying to map a drive to a CIFS share (either from a Windows client or from the PDC itself), one or more of the following errors or problems may be encountered (not necessarily all of them):
 
ACCESS DENIED errors may be encountered when trying to access the CIFS shares from the PDC itself.
 
Users may be able to log in to the server without error but cannot access the share.  The user will either encounter an ACCESS DENIED error or will not see the complete contents of the share (if anything at all).
 
Depending on how the domain security policy and the local security policies on the Windows server are set up, it may be necessary to modify registry settings on the Windows server.  Windows may conclude that a man-in-the-middle (reflection) attack is occurring and block login authentication attempts from the NetWare or OES server.
 
System error 1351 has occurred (ERROR_CANT_ACCESS_DOMAIN_INFO: configuration information could not be read from the domain controller, either because the machine is unavailable or because access was denied).
 
 

Resolution

SMB SIGNING must be disabled when CIFS is configured for DOMAIN PASSTHROUGH mode; it cannot be set to mandatory or optional in that mode.  SMB signing is supported only when CIFS uses LOCAL authentication.  Note that SMB signing is what protects the session against in-flight tampering and SMB relay, and the loopback check below is an anti-reflection mitigation; both changes lower the security of the affected Windows machine, so limit them to the hosts that actually need to reach the CIFS server in DOMAIN PASSTHROUGH mode.  With that in mind, the following can be tried.
 
  1. Disable SMB SIGNING on CIFS via iManager (under FILE PROTOCOLS > CIFS) and restart CIFS (skip this step if the authentication mode is configured for LOCAL).
  2. NTLM v2 is not supported on OES 2 SP2 and earlier; therefore, double-check the security settings on the Microsoft client (the "Network security: LAN Manager authentication level" policy, stored as LmCompatibilityLevel) to make sure that it is not configured to send only NTLMv2 responses.  Please see TID 3437586 for details on how to accomplish this.
  3. If the issue persists, back up the registry on the Microsoft client (even if the client is the PDC) before making the changes below.
  4. To resolve ACCESS DENIED errors while trying to map drives directly from the PDC, disable the loopback (reflection attack) check by setting the following REG_DWORD value to 1.  Create the value if it is missing; a value of 0, or no value at all, leaves the check enabled (Microsoft KB 896861):
    •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck = 1
  5. It may also be necessary to change the following REG_DWORD values.  They control SMB SIGNING from the Microsoft Workstation (client) and Server perspectives; setting all four to 0 disables SMB signing on that Windows machine in both roles.  Reboot afterwards (or at least restart the Server and Workstation services) so the new values take effect:
    •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\enablesecuritysignature = 0
    •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\requiresecuritysignature = 0
    •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\enablesecuritysignature = 0
    •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\requiresecuritysignature = 0
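The following PowerShell script is an added example, not part of this TID or of Novell's own tooling, showing steps 3 through 5 done in one pass on the Windows client: it exports the three affected registry keys to a backup directory (so the change can be reverted with reg import), creates or updates the five values, and reads them back to confirm they were applied.  It assumes an elevated prompt, that reg.exe is available (it ships with Windows), and that a reboot is the reliable way to make the SMB signing values take effect.  Note that the DisableLoopbackCheck value must be 1 to turn the loopback check off; 0 is the Windows default and leaves the check on (Microsoft KB 896861).

```powershell
# Added example (not from the TID): back up and apply the registry values from
# steps 3-5 on the Windows client (or PDC), then read them back.
# Assumptions: run from an elevated PowerShell prompt; reg.exe is present;
# a reboot afterwards is the safe way to make the SMB signing values take effect.

$backupDir = Join-Path $env:TEMP ("cifs-reg-backup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null

# Step 3: export the affected keys before touching them.
$keys = @{
    'lsa'       = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
    'lanmansrv' = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'lanmanwks' = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}
foreach ($name in $keys.Keys) {
    & reg.exe export $keys[$name] (Join-Path $backupDir "$name.reg") /y | Out-Null
}
Write-Host "Registry backup written to $backupDir (revert with: reg import <file>.reg)"

# Steps 4 and 5. DisableLoopbackCheck=1 turns the loopback (reflection) check off;
# the default 0 leaves it on. The four signature values at 0 disable SMB signing
# on both the server and workstation side of this Windows host.
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                          Name = 'DisableLoopbackCheck';     Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'EnableSecuritySignature';  Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature'; Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnableSecuritySignature';  Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Value = 0 }
)

foreach ($s in $settings) {
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($null -eq $current) {
        # The TID says to create the value if missing; REG_DWORD is the type Windows expects here.
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value | Out-Null
        Write-Host ("created   {0}\{1} = {2}" -f $s.Path, $s.Name, $s.Value)
    } elseif ($current -ne $s.Value) {
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value
        Write-Host ("changed   {0}\{1}: {2} -> {3}" -f $s.Path, $s.Name, $current, $s.Value)
    } else {
        Write-Host ("unchanged {0}\{1} = {2}" -f $s.Path, $s.Name, $current)
    }
}

# Read everything back and flag any value that did not stick (e.g. blocked by policy).
$notApplied = $settings | Where-Object {
    (Get-ItemProperty -Path $_.Path -Name $_.Name).($_.Name) -ne $_.Value
}
if ($notApplied) {
    Write-Warning "Some values were not applied (check Group Policy, which re-applies these settings):"
    $notApplied | ForEach-Object { Write-Warning ("  {0}\{1}" -f $_.Path, $_.Name) }
} else {
    Write-Host "All values applied. Reboot, then retry the mapping, e.g.: net use X: \\<cifs-server>\<share>"
}
```

If a domain Group Policy enforces "Microsoft network server/client: Digitally sign communications", it will overwrite the signing values at the next policy refresh; in that case the exception has to be made in policy for the affected machines rather than in the local registry.  The backup directory lets you restore the original values with reg import once the CIFS server is back in LOCAL mode or no longer needs the exception.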