OS X Server & Vista

Windows 7 & Vista with OS X Server Shares

After deciding to go in at the deep end with Windows 7 I have struggling to get the Lappy to see and authenticate into an OS X Server (Leopard 10.5) OpenDirectory environment.

Symptoms

I could go into the network pane and the server was visible, double click and an error would pop up “0×80070035 Network Path not found” Obviously it was found – the icon is clearly sat there!

What I Did First…

I messed around with the Samba setting on OS X Server, this had to be done at the command line because Apple don’t do UI’s for complex tasks. If they can’t make it look pretty then it’s “screw you dude your an your own, open Terminal”.

It didn’t work.

I messed around with the network settings on Windows 7. Turn IP6 off, tweak this, fiddle with that. Turn IP6 back on. Is the OS X box a WINS server? no! why not? Should it be? Could that be the problem, spend a while pissing around with that idea.

It didn’t work.

Check that DNS was working on OS X Server. Apparently if anything isn’t working on OS X Server it’s a problem with DNS.

DNS was fine.

Authentication, hmm, authentication, wait a minute AUTHENTICATION! What about OpenDirectory and Kerberos?

Nope and Nope!

…What I should have done

GOOGLE GOOGLE GOOGLE!

Now ok, the first path a Google led me down was bogus, it wasn’t a Firewall/Router issue on either machine, although that did look promising at the start. The actual solution took a bit of digging, it was a know problem for Vista but Windows 7 has added an extra sting in the tail.

Solutions

It turns out that Vista, by default, will only use NTLMv2 for authentication. OS X Leopard’s version of Samba doesn’t support this protocol. The fix is slightly different depending on your version of Windows.

NOTE: This downgrades Vista and Widows 7 security level when talking to Samba.

Vista Business & Ultimate

1. Click the start button
2. Type ‘secpol.msc’ in the Start Search box, when it finds it hit return.
3. Click Continue on the UAC prompt (your ARE still using UAC right )
4. On the left expand ‘Local Policy’ then select ‘Security Options’
5. In the list on the right scroll down to ‘Network Security: LAN Manager authentication level’
6. Double click and then change the drop down list to display ‘Send LM & NTLM responses – use NTLMv2 session security if negotiated’
7. Click OK
8. Reboot, you should now be able to authenticate against OS X Server Leopard and Samba to access network shares.

Windows 7

With Windows 7 Microsoft have increases the baseline security level even further by default, so…

1. Click the start button
2. Type ‘secpol.msc’ in the Start Search box, when it finds it hit return.
3. Click Continue on the UAC prompt (your ARE still using UAC right )
4. On the left expand ‘Local Policy’ then select ‘Security Options’
5. In the list on the right scroll down to ‘Network Security: LAN Manager authentication level’
6. Double click and then change the drop down list to display ‘Send LM & NTLM responses – use NTLMv2 session security if negotiated’
7. Click OK
8. In the list on the left find ‘Network Security: Minimum session security for NTLM SSP Based (including secure RPC) Clients’ Uncheck ‘require 128bit’
9. Click OK
10. Reboot, you should now be able to authenticate against OS X Server Leopard and Samba to access network shares.

Vista Home & Home Premium

Neither of these versions of windows have the Local Security Policy snap-in, so we need to take a trip into the registry.

NOTE: All the standard warnings apply: Backup your registry, be very careful, the world may end if you do something wrong, it defiantly isn’t my fault if you hose your system – It works on my machine.

1. Click the Start Button
2. Type ‘regedit.exe’ in the Start Search box, when it’s found hit return.
3. Click Continue on the UAC prompt
4. Carefully negotiate your way to: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
5. In the list on the right double click ‘LmCompatibilityLevel’ type 1 and press enter.
6. Close the Registry Editor.
7. Reboot, you should now be able to authenticate against OS X Server Leopard and Samba to access network shares.

Google Food

A few versions of what I searched for to hopefully make this easy to find.

• Error code 0×80070035
• Cannot access OS X Leopard Shares from Vista
• Cannot access OS X Leopard Shares from Windows 7
• Cannot see OS Leopard Server in Network Browser on Vista
• Vista authentication problems against OS X Server
• Networking OS X Server and Vista.

…And Finally

Let’s not have MS bashing please, you know, “MS are just spitting their dummy out and making it hard to talk to Macs…”, “Why haven’t MS made this easier…”, or anything with dollar sign in it.

NTLMv2 is an inherently more secure protocol and the blame here falls squarely on Apple inc. for not supporting it. It took a fair bit of digging around to find the solution, and it was, in the main, Microsoft staff and Vista users who supplied the information. I honestly don’t know if the Apple Support site talks about the problem or offers a solution, mainly because the site is a joke, search results are non-existent or totally irrelevant. Its time you sorted your stall out Apple Chaps.