Previous 1 2 3 4 5 6 Next 136 Replies Latest reply: Sep 21, 2014 6:50 PM by brad-dog Go to original post
  • mambro Level 1 Level 1

    Looking at the log on the Mac side:




    ...and seeing the "od failed with 22 proto=ntlmv2" reminded me of a problem I'd seen in the past with LAN Manager version 2.


    Here is what worked for me today coming from a Win 7 Home Premium SP1 laptop connecting to Lion (non-server version) serving up SMB:


    Registry editing for LAN manager authentication level (in Home edition this can be configured through registry)

    How to do it:
    1. Open registry editor ( Start search – regedit)
    2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    3. Create a new DWORD value with the following properties:

         NAME: LmCompatibilityLevel
         VALUE: 1

    4. Restart your PC and try the connection again

    I can't take the credit here... it was a comment posted in THIS thread:



    I have in the past also used his original method of secpol.msc with non-home versions of Win 7 (ex. Ultimate).



  • techgal Level 1 Level 1

    Interesting. Mine is (was) a lion server with od accounts and I wanted to connect to the server shared folders authenticating with these and not local accounts (as there are none and I refuse to create 2 accounts per user......) Anyway, will give it a try on another day, when I am willing to resurrect the frightful Lion Server once again.


  • davidh Level 4 Level 4

    Connecting Windows 7 computers to a standalone Lion Server running as Open Directory master:


    You can lower the required security settings for Windows 7 via secpol.msc (Win 7 Pro) or editing the registry as some how-to's will suggest - this has been a suggestion made for resolving problems authenticating from Vista to earlier verions of Mac OS X Server. See mambro's post above, or


    In this day and age of increasing (and valid) concerns over security, many may prefer to not *decrease* the security for network authentication on their Windows workstations.


    Bear in mind that the following tip is for Lion Server that is not part of an Active Directory Domain!

    If that is the case with your server, stop here and do not proceed. Instead, seek out and work with your network administrar(s) and Active Directory admin(s). Your server should already have been bound to your AD domain - for example in what's known as a "Golden Triangle" setup - and you should resolve authentication issues with your admins, as your client machines should be authenticating against AD.

    With a standalone setup of Lion Server (you have setup Lion server on a single Mac) promoted to an Open Directory Master, your 10.7 Server can provide Kerberos authentication for your Windows client machines. The problem is that your Win machines don't know anything about your Lion server and won't trust it as a KDC.


    There is a helpful document from, al+Kerberos+KDC


    which summarizes the steps you can take, of course adjusting accordingly for your own server & FQDN,

    please do not use any hostnames in that article !!!


    Please ensure that you have verified the Kerberos realm for your Lion server. Unless you have specified otherwise (for good reason), then it will match the FQDN (dns name) for your server, but should be written in all-caps (see

    to learn more about Kerberos)


    The key steps being (on your Win 7 workstation):

    Ksetup /setdomain SERVER.YOURNAMEHERE.COM



    After taking the steps above, and rebooting the Windows client machine,

    I added one additional step from Microsoft, (please do see)


    /AddKpasswd RealmName KpasswdName






    You can then connect to your Lion server via (an Explorer window) (editing accordingly for the shortname

    of your server:





    at which point you'll be asked to authenticate and should be able to do so successfully and connect to the sharepoint in question, as long as the user in question (that you have authenticated as), has indeed already been assigned appropriate access permissions on your server.


    Other sharepoints that the same user has authorization to access on your Lion Serve, s/he should also now be able to access. Keep in mind that the default setting in (where you setup your sharepoints in Lion server) sets Read Access for "Everyone Else" - you might wish or need to change Read-Access to No Access to prevent users from seeing the sharepoint altogether.




    -- David Haines (ACTC, ACSA)

  • techgal Level 1 Level 1

    Wow. I am impressed and thankful. Assuming this will also work on earlier windows versions.

    Have a great weekend. Grateful for this discussion forum.

    Kim (ACTC, ACSP)

  • davidh Level 4 Level 4

    This article from Microsoft refers to Win XP Pro,


    But I haven't tested the procedure (as outlined by me above) with Windows XP (nor with Vista) & Lion Server, only Windows 7.

  • bradfrommilwaukee Level 1 Level 1

    Update for XP client. Not able to login.


    Tried ksetup configuration on an XP Pro machine. Installed the XP Support Tools to get ksetup.exe. Ran the commands as outlined in post. No errors running ksetup. Restart.


    But still can't authenticate to Lion Server OD account.


    Tomorrow I'll try from a Windows 7 machine.


    (Looks like I'll be downgrading to SL server. What a pain.)

  • techgal Level 1 Level 1

    Yes it is a pain especially when one has no choice but to purchase a lion server when as is our case, our server dies... Cannot even buy a refurbished macmini running SL from apple.... already looked. The Lion server macmini is shelved for now.

  • Steve Maser Level 1 Level 1



    After upgrading my production OD master server from 10.6.8 to 10.7.1 last night, I can confirm that the need to use the 10.7.1 netbios name as part of the "User Name" when logging in from Windows 7 -- is now needed.


    So, what was "maser" is now "LIONSERVERNETBIOSNAME\maser".


    It was not an expected change, but once I flipped through all the logs (and the debug logs for smbd pointed me in the right direction), it was telling me this if I tried to authenticate without the netbios name:


    gss_parse_external_name [gssapi.cpp:118] mapped GSS name SPY\maser to SPY\maser

    initialize [darwin_token.cpp:297] failed to turn exported name into uuid: No such file or directory


    Where "SPY" is the Windows 7 Computer name (which shows as the "Domain" name in the Windows Security "Enter Network Password" dialog box)


    If I changed the login User Name in the Network connection box to "SERVER\maser" -- which just the act of typing "SERVER\" updates the "Domain:" in that box -- then the connection works as expected.


    It *is* a Kerberos-related issue, clearly.   The krb5kdc logs show things like:


    2011-08-25T13:40:38 digest-request: user=SPY\\maser

    2011-08-25T13:40:38 digest-request: kdc failed with 36150275 proto=unknown

    2011-08-25T13:40:38 digest-request: guest failed with 22 proto=ntlmv2



    But what's still not clear to me is if there's something that can be changed on either end to make things work like they did with 10.6.8 server (kerberos change?   Something in   Something on the Windows side (which, for all points before this, has never required me to configure Kerberos on it for any reason...)


    I'd like to know if this is a "bug" or by design now...

  • douglaswardacn Level 1 Level 1

    I think you've narrowed it down, Steve, but a related issues is trying to connect multifunction printers with scan settings that are supposed to be able to scan documents, and write their output to an SMB share. I have several clients who did this just fine under Snow Leopard, entering username / password for the SMB user and share in the SnoLo server. Now, under Lion, those connections don't work. After adding the NetBIOS name, LIONSERVERNETBIOSNAME\username, it STILL doesn't work. I confirmed that others have found this to be an issue when I was poking around the documentation for Xerox's Lion support PDF...


    While digging around for a printer recommendation for a client, I was looking at Xerox's PDF on Lion compatibility < en/MacOSX10-7_Matrix.pdf>, which is very good. However, on page 10 they state...


    "Scan Driver Compatibility with Mac OS X 10.7


    "Some scan functionality is diminished in Mac OS X 10.7. In particular, scanning via the SMB protocol is no longer supported due to architectural changes in Mac OS X 10.7. Please continue to visit periodically for updates regarding enhancements to scan drivers that address this change."


    So, it's nice to know I'm not crazy, and Apple's switch from using Samba to their own SMB flavor has broken something, and big guns like Xerox have an issue too.

  • russellfromroseville Level 1 Level 1

    Thank you David for getting me on the right path!  OMG!!!  The only change I would make is that I thought I performed the steps as you layed them out and it changed the client's workgroup to:  (yes I replaced that with the name of my Kerberos server)  I changed the workgroup back to the correct workgroup name... rebooted the PC client... input the IP address of the share in Windows Explore and voila!!


    Why the **** didn't Apple let us know about this!!


    BTW, What would someone do if they didn't have an XP disc lying around with the Ksetup tool to be installed?  I couldn't find the same tool on my Win7 disc. Hmmmmmm...

  • russellfromroseville Level 1 Level 1

    oops! Ignore that last remark.  It only worked because I used an account that was also a local account on the server.  Network accounts still not working.

  • davidh Level 4 Level 4

    I'll have to revisit the steps when I can, but it was a fairly striking A/B result (not working, then working after the steps I outlined), and with network accounts being the only kind I was testing with.


    Make sure your client machine is pointed to your server for DNS, or that you have working DNS lookups including the necessary service records, and said (DNS) servers are what are being provided (via DHCP) to your client machines.

  • Simonp123456 Level 1 Level 1

    hacking the registry fixed this for me Well done that man !

  • ctj Level 1 Level 1

    I've been beating my head against the wall for hours and I finally came up with a solution that doesn't involve Kerberos.


    First, I had to make sure my WINS name matched my DNS name.  My machine's DNS is "office" but I had titled it "mini-server", so when I was on the Windows 7 machine I saw "mini-server" but when I tried to click on it I was told that it didn't really exist (or something — I think it said "check the spelling").


    Second was a combination of two tips from earlier in the thread: I had to change my username from "ctj" to "OFFICE\ctj".  The prefix is important, and the capitals are important.


    This is an Open Directory account, and when I logged on that way all the files came up exactly like one would expect.  If you have a user with a local account who needs to log in, you can just use their username without the prefix.


    Hope this helps someone!

  • ctj Level 1 Level 1

    Also, this might be important also: In Server Admin, I changed the SMB setting from allowing only some users & groups to allowing all users & groups.  Not at all straight-forward, but this setup works!

Previous 1 2 3 4 5 6 Next