At home we have a Windows 2003 Server running as a domain controller and file server. Whilst this does its job pretty nicely for Windows clients, I’ve never been able to connect to it successfully with my Mac running OS X 10.3 Panther. Browsing the network I have always been able to see the server, but any attempt to authenticate simply returned an error along the lines of “the original item cannot be found”. Frustrating.
Despite much searching over the last six months, I’d not found the solution – until today. Allow me to share the solution again, for the benefit of those searching with the same problem.
In a nutshell, the cause of the problem is the default security policy on Windows 2003 Server being set to always encrypt network connections under all circumstances. Whilst this is fine for most clients (especially Windows clients, understandably), the version of SMB that Panther uses doesn’t support encrypted connections. Apparently this support exists in Samba 3, but not on the version OS X uses. The solution is to change the security policy to use encryption when it’s available and not otherwise. Here’s how.
From Administrative Tools, open Domain Controller Security Settings.
Go to Local Policies then Security Options.
Scroll down to find the entry Microsoft network server: Digitally sign communications (always). Set this to Disabled.
The only thing left to do is to reload the security policy, as changes don’t otherwise take effect for some time. Open up a command window and type:
gpupdate
This will buzz and whirr for a few moments before confirming that the policy has been reloaded. With a bit of luck you should now be able to mount a network share from the Windows 2003 Server on your Mac. As I say, I’ve been searching for this information periodically for more than six months, so if you find it helpful pass it on.
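What the policy change looks like on the wire, as an added example that is not part of the original post: the policy entry named above controls SMB signing, which a server advertises in the SecurityMode byte of its SMB1 negotiate response. The sketch decodes that byte from a constructed response and works out what happens to a client that cannot sign; the function names and the sample message are assumptions made for illustration.

```python
"""Decode SMB signing flags from an SMB1 negotiate response (added example)."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_LEN = 32           # fixed SMB1 header size
FLAGS_REPLY = 0x80        # set in Flags when the message comes from the server
NT_LM_012_WORDS = 17      # WordCount of an NT LM 0.12 negotiate response

# SecurityMode bits, and the server policy entry each one reflects.
SIGNING_ENABLED = 0x04    # "Digitally sign communications (if client agrees)"
SIGNING_REQUIRED = 0x08   # "Digitally sign communications (always)"


def build_negotiate_response(security_mode):
    """Return a constructed sample response (no NetBIOS/TCP framing)."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC, SMB_COM_NEGOTIATE,
        0,               # Status: success
        0x98,            # Flags, including FLAGS_REPLY
        0xC801,          # Flags2 (sample value)
        0, b"\x00" * 8, 0, 0, 0, 0, 0,
    )
    params = struct.pack(
        "<BHBHHIIIIQhB",
        NT_LM_012_WORDS,
        0,               # DialectIndex
        security_mode,   # the byte this example is about
        50, 1,           # MaxMpxCount, MaxNumberVcs (sample values)
        16644, 65536,    # MaxBufferSize, MaxRawSize (sample values)
        0, 0,            # SessionKey, Capabilities
        0, 0,            # SystemTime, ServerTimeZone
        0,               # ChallengeLength
    )
    return header + params + struct.pack("<H", 0)  # ByteCount = 0


def parse_security_mode(msg):
    """Validate an SMB1 negotiate response and return its SecurityMode byte."""
    if len(msg) < HEADER_LEN + 4:
        raise ValueError("message too short")
    if msg[:4] != SMB1_MAGIC or msg[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 negotiate message")
    if not msg[9] & FLAGS_REPLY:
        raise ValueError("not a server response")
    if msg[HEADER_LEN] != NT_LM_012_WORDS:
        raise ValueError("not an NT LM 0.12 negotiate response")
    # WordCount (1 byte) and DialectIndex (2 bytes) precede SecurityMode.
    return msg[HEADER_LEN + 3]


def server_signing(msg):
    """Classify the server's signing policy as required/enabled/disabled."""
    mode = parse_security_mode(msg)
    if mode & SIGNING_REQUIRED:
        return "required"
    if mode & SIGNING_ENABLED:
        return "enabled"
    return "disabled"


def session_outcome(server, client_can_sign):
    """Result of SMB1 signing negotiation for a client that never requires it."""
    if server == "required":
        return "signed" if client_can_sign else "refused"
    if server == "enabled":
        return "signed" if client_can_sign else "unsigned"
    return "unsigned"


if __name__ == "__main__":
    # 0x0F: "(always)" on; 0x07: only "(if client agrees)"; 0x03: both off.
    for mode in (0x0F, 0x07, 0x03):
        policy = server_signing(build_negotiate_response(mode))
        for can_sign in (False, True):
            label = "signing-capable client" if can_sign else "non-signing client"
            print(f"server {policy:8} + {label:22} -> "
                  f"{session_outcome(policy, can_sign)}")
```

In a packet capture the same byte appears in the server's Negotiate Protocol Response, so the effect of the policy reload can be confirmed from the client side.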
Update: I’ve had lots of people ask me if there’s some way they can return the favour of the time and support fees this tip has saved them. I don’t normally do this, but if you’d like to make a donation to help running costs, that would be awesome.




Comments
The funny thing is, now that it works my Mac client reads files from the share much more quickly than my Windows client.
Thanks a lot for this solution..
it was of a great help for me
sreekumar
By the way, is it possible to connect Entourage to an Exchange 2003 server?
Thanks
Works nicely though – although I’ve not figured out how to access shared calendars yet.
Although my error-message was something like ‘Authentication failed: username or password incorrect’, this was the solution!
Great, thanx!
In order to allow Macintosh clients to communicate with the Windows Cluster Servers via AppleTalk or TCP/IP, utilise Microsoft’s Services for Macintosh. This allows the ITS Windows servers to be visible in an AppleTalk zone and allows Macintosh clients to connect to shares on the servers, as if the servers were Mac clients. However, by default, the standard Apple User Authentication Module (UAM) provides weak security and thus, with the advent of Active Directory, the use of NTLMv2 (a stronger authentication protocol) for all Macintosh connections to the ITS Windows servers. In order for Macintosh clients to use NTLMv2, it is necessary to install and configure the Microsoft User Authentication Module (or MSUAM) on the Mac client.
;-)
get it here: http://tc.versiontracker.com/product/redir/lid/143000/MSUAM_for_X.hqx
And you’re a nice guy for not taking all the credit for it too.
Thanks again.
I speak for thousands of customers around Montreal, Canada.
Thank you.
mount_smbfs: tree connect failed (extended security lookup2): syserr
= Permission denied
There are no other google indexes that point to this error so I want to be sure to link it to this page so others can find this solution. This solved my problem completely. Thanks a ton!!!
also, in response to “g barret” above – the microsoft uam will only work if the server sets up afp shares, which defeats the purpose! i want to access the currently setup (and accessed by more ppl than me) smb shares!
I’ll be passing it on.
My admin is reluctant to do this for security reasons. Is this fix safe from a security perspective? Is there a way to upgrade samba in OSX so that it does support encryption?
Thanks.
Thanks millions. I hope Apple can address by upgrading SMB or similar.
Also helpful is:
1. Make sure OSX is set to use the W2K3 domain controller as its DNS.
2. To connect to the W2K3 server, choose go=>connect_to_server (not networks). For the
location, fill in smb://FULL.URL.OF.W2K3.SERVER, e.g.
smb://dell2600.sti.CESA5.com
I find that the go=>networks does not work for W2K3 servers (though it does strangely for W2K servers and XP workstation shares) because OSX defaults to AFP and not SMB. This is followed by a lengthy timeout accompanied by a spinning wheel…
I’m not really experienced with Mac OSX, and this tip saved me TONS of time. Thanks so much!
-cej102937
It works from my W2K machine, and my WinXP machine without any problems. I can’t get to it from my OS X machine.
I CAN get to the file shares via SMB.
I did the whole disable blah blah gpo for digitally signing on my DC / gpupdate and poof smb worked.
I CAN NOT see my “stupidtalk” appletalk zone from my OSX box.
I CAN NOT get the computer to “BIND” to the Active Directory. No luck… I get some error about insufficient permissions when I use the administrator account and the correct password.
I found an article that said to fill in the user@domain.com style names, and I did that. no dice.
Neither machine has a firewall.
I’ve tried (1) Windows Printing, (2) Services for Macintosh (AFP) and (3) Internet Printing Protocol / CUPS.
I’ve tried to manually setup smb printing via the CUPS HTML management tool. I at least get an error message there.. its:
“Connection failed with error NT_STATUS_ACCESS_DENIED”
So, thats good! The computers are talking, but not authenticating, I suppose. I gave ANONYMOUS LOGIN read priv to the printer.. no dice.
Thats why I’d like to be logged in before I try this… But I can’t bind…
I haven’t tried print services for Unix yet.. anyone try this? Have any ideas or suggestions?
I GREATLY APPRECIATE WHOEVER HAS AN IDEA, ANSWER, OR THE SAME PROBLEM. I don’t want to be the only one trying to do this… :)
Right now, the best solution I have is my share. Save file to share, connect via RDP (or walk to the server) and print… but that wouldn’t work in a domain with 100 users, and I find it quite annoying for myself.
Using the Terminal and mount
% mkdir myshare
For you to mount the share, you need to be logged in as root. Once you’ve created the directory, su to the root user, then enter the following command:
# mount_smbfs -W myworkgroup //username@netbiosname/share ./myshare
and I was able to connect to the shares, but I can not browse
however, copying files TO the server takes much longer from a mac than from a pc, yet both can copy files FROM the server to themselves at the same normal speed… ie sending 100 mbs to the server takes 10 seconds on a pc… 2 minutes on the mac…
anyone any idea?
I just wanted to thank you for this.
Users on my network authenticate via Windows’ Active Directory architecture, so when they want to connect to a network share, they just have to do Command-K, select the server, then select the share (no username or password needed). Upon selecting the server to connect to and hitting OK, the user received this error:
The Finder cannot complete the operation because some data in “smb://servername.mycompany.com” could not be read or written. (Error code -36).
I tried connecting via the command line:
mount_smbfs -I servername.mycompany.com //jonp@servername/sharename /mounts/localmountdir
and received an error containing:
... extended security lookup2 …
That led me to this page, which indicated that it might be security certificate related. Knowing that Kerberos relies heavily on time stamps, I wondered if there was any time difference between the problem clients and the server. Sure enough, their clocks were a few minutes off from one another, enough to foul things up.
I synchronized the clocks using NTP, and now all’s well. Thanks for this hint – it wasn’t exactly what I needed, but it got me in the right direction!
I wonder if this is also the case between 2K and XP when the first mentioned is trying to connect but can’t / fails.. I bet it is.
Thx again :)
-Daxziz
Dave
for windows 2003 members server:
From Administrative Tools, open Domain Controller Security Settings.
Go to Local Policies then Security Options.
Scroll down to find the entry Microsoft network server: Digitally sign communications (always). Set this to Disabled
for windows 2003 domain controller:
Use the default domain controller Security Settings
Paul
Since my 2003 server is not a Domain Server I did the following:
From Administrative Tools, open Local Policies then Security Options.
Scroll down to find the entry Microsoft network server: Digitally sign communications (always). Set this to Disabled
Scroll down to find the entry Microsoft network server: Digitally sign communications (if client agrees). Set this to Enabled
CMD: gpupdate
Thanks Again!
OSX 10.3 on up.
Before you proceed be aware of what admin is doing what. Through the course of binding you’ll have to enter local OSX credentials as well as Domain Admin Credentials.
1. select cache local account in AD plug in.
allow administration by domain admins – enter yourdomain\domain admin, yourdomain\enterprise admin
2. Bind your computer using a local OSX account that has the SAME user name and password of an existing AD account. Sure the sid and uid will be off but the username and password of the local account will be enough to pass you through using a true Domain Admin user name and password when you’re finally asked for the info.
3) Repeat (it’s insane) until it is bound. It may take a couple of times.
4) After you’ve bound your mac be sure to add the domain and LDAP info in the authentication and directory tabs in the AD plug in.
After that it’s all gravy – OSX accounts can be created fresh out of active directory and the newly created accounts even mount the users home folder specified in AD. Drives, Printers and Shares are all fully authenticated when using the proper domain folder in the network browser.
The big problem arises when using Windows Shared Drives – we’ve run into a number of issues revolving around OSX data and resource forks that cause privilege errors when mac clients connect via smb. Some OSX clients can’t move or rename folders in a timely fashion because the server w2003 doesn’t release the files from “in use”... for (sometimes) days.
Even more annoying: I can create a new user account and connect to the server with it just fine. So, it’s something specific to my user account. (well, I should mention I STILL can’t connect via smbclient, even with the new user. But the finder has no problems.)
I never had problems getting on board Server 2003 from my Mac machine through Virtual PC for Mac 7, but I was never able to get into the server running on the OS X 10.3 side.
I’m planning to update to Tiger in the next few weeks, so this will be a HUGE help for backing up my PowerBook before nuke and pave.
Once we finally stop using WordPerfect—it’s a law firm thing—I’m hoping to work almost exclusively on the OS X side of the PowerBook.
Thanks again.
Thanks!
You are a gentleman & a scholar. I had some violent tendencies at first, but they are now at bay.
Tom
Simon
(1) Run Tiger as a W2K3 Domain Controller
(2) Automatically mount network “Home” dirs
(3) Setup roaming profiles
While I see these are big advances for Tiger, I have yet to find any editorials comparing these advances to the previous issues with Panther. Does the W2K3 Schema still need to be manually modified? Will the W2K3 servers be forced to downgrade their authentication mechanisms to enable interoperability with OS X 10.4.1?
I also see that neither the Cisco VPN client, nor Norton Anti-Virus is currently compatible with OS X 10.4.1. Are there any other incompatible programs I’m unaware of?
And finally, when considering Active Directory integration, which product is easier to implement and administer? ADmitMac or OS X 10.4.1?
Thanks in advance.
The internal easy network browser in Mac OS X seems to behave different. I compared the local settings on all Mac’s, I checked the firewalls, the Directory Access Utility and cannot find a reason why one Mac still has the problem while 3 Mac’s can connect from the Network Browse as it should!
Also it seems many Win XP Pro users run into this issue reading some other posts. What does the Network Browser in Mac OS X do different than “Connect to Server” in the “Go” menu?
Been working on this for bit(day and a half on OS X 10.4.1).. I did determine that it was a policy setting on a DC that was causing the issue…
Also, AD kerberos does work NICE ! And you can even impersonate by creating yourself a new Kerberos ticket using the Kerberos.app in System/Library/CoreServices then use the app to change your currently selected Kerberos Ticket.. Voilà mount using a different AD user.
Question: Can SMB client signing be turned ON on OS X to fix the issue instead of leaving Windows boxes vulnerable to MIM attacks by changing this policy ??
Good work..!
However, my macs still have this problem. So, this fix hasn’t “fixed” my mac issues. :/
I also have another lab of os 9 and os x desktops and the os x emacs have the same problem. We need to have this fixed soon—any suggestions.
The discussion above prompted me to look at security settings on the PC. I realised that the firewall (Kerio) on my PC, which was running when we first connected, was not running. Once I restarted the firewall, the connection from my Mac worked again. I have no idea why this works this way but it worked. Might be useful to someone else.
http://www.microsoft.com/downloads/thankyou.aspx?familyId=89ee677b-0ff6-4558-a54b-6070e2c8cd65&displayLang=en
It gives me the “alias” message and in the console I have mount_bmfs: could not login to server MYSERVER: syserr = permission denied.
PS.: it is MAC OS X joined to my domain.
I can access others w2k3 on my network and XP boxes.
Anyone has seen this problem?
Thanks,
Another butt you saved here…
Guessed I’m lucky, just met with this issue 2 hours ago. Otherwise it could be another 6 months for me to solve if I didn’t find your page.
Probably enough links now that google ranked you high, I’ve now bookmarked your blog =)
Cheers!
I have a very similar problem as the one that this wonderful solution caters for:
Mac OS X 10.4 computer trying to connect to a share on a Windows XP machine over a local area network. Mac connected via Airport wireless to router/DSL modem, PC connected via ethernet cable to the same router. All internet connectivity fully functional, ping between systems works, sharing works for a third Windows laptop also connected to this network, but NO WAY I can get the Mac to connect to the Windows XP share.
Seems to be a problem with password encryption as well, but there’s not really a Policy key that I can find to disable it… HELP???
I have just run into the same problem with my W2k3 SBS and a Mac mini running Tiger.
I have fixed the security issue on W2k3, but I still cannot connect to shared folders on W2k3. When connecting to it with “smb://...” no logon popup appears, but the usual error…
Anybody can help?
Thanks
Fabio
We’re able to reduce much time spent for this configuration.
Thanks a lot.
(worked on OS X 10.3.9 Japanese)
Thanks, thanks a million times! We’ve spent few DAYS trying to google for a solution, even Apple support is quiet about this problem – man, you’ve saved me a lot of trouble. Thanks again.
Oh, and for google users like me: Mac OS X 10.4 10.3 smb samba can’t connect incorrect password smb/cifs Finder console
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
I have tried all off the suggestions with the Domain Controller Security Policies to connect using afp however I get an error message that the Volume cannot be mounted (mount failed).
I need to access an Adobe CS2 Indesign file on a Win2k3 server using AFP because Indesign CS2 does not work with SMB.
Does anyone know why I am getting this message and a work around to incorporate both AFP and SMB.
Thanks
Ross
Thanks Again!
However, a week later, I am getting the same error message again and the settings haven’t changed in AD. I even tried “not defining” the service and re-disabling it followed by the gpupdates, but it hasn’t worked.
Any suggestions?
we have the same problem with InDesign CS2, we need to connect Mac OSX to windows 2003 server via AFP. I try with “connect to server” but I received the error code -35…
help!!!!
Charlie_will007@yahoo.com
thanks a lot, it saved me a lot of time
My blessing goes to those still seeking this solution, and hats off to you. ;)
1. Sometimes after printing from Mac, it state that cannot connect to printer.
2. Macprint servers sometimes drop out of zones and can’t get back.
Any suggestion. Thank you! :)
Also, has anyone sent this thread to Apple? This seems so insane that they wouldnt do an update (for ALL the oses) so we dont have these problems!! (but in the world of computers, what else is new!?)
very cool this thing called Mac :)
I’ve looked for days and talked to many “experts” and this was such an easy fix….
still going at it
As we would Say in Barbados “Be Christ this working real good boss”
Thanks a lot
Sirs, I have a similar problem when trying to access the server from the network like \\domain.. always says “network path not found”. if I try to ping server does work but if I ping the IP Works.
What do you think?
Gabo
Jimena, when connecting to an AFP share the -35 error code is caused because you need to install the Microsoft UAM. This is required by Windows 2003 Servers because the MAC tries to send the password in clear text and the Windows machine will not allow it.
I found this article which helped me tremendously in connecting to win2003 server active directory.
LOL, I suppose this is still a problem for many. I hear that Tiger fixed a lot of issues with this. Can anyone confirm? I want to purchase a Mac with OS X Tiger soon.
Thanks for this hint!
Robert, it’s not fixed on Tiger. I ran into the problem using a Mac with Mac OS X 10.4.4. This hint allowed me to connect to Win 2003 shares from that Mac (it wasn’t working before that).
I’ve had several Macs connected to a w2k3 file server working great, except for the ”._” issue that I have to work around. I recently upgraded my DCs to w2k3 but still operate in 2000 native mode since I have a few 2k systems floating around. Shortly after demoting my 2k DCs and shutting them off and then upgrading our network core switches to all gigabit, our Macs started having huge issues that I think might be related to authentication/smb signing and am hoping someone else has had the same issue and can help sort it out.
When our Mac clients transfer files to any Windows box in the org now they will hang near the end of the transfer and on occasion the connection will fail.
console logs show;
Feb 16 15:23:25 macuser kernel0: smbfs_smb_qfsattr: (fyi) share ‘NTFS’, attr 0x700ff, maxfilename 255
Feb 16 15:24:29 macuser KernelEventAgent85: tid 00000000 received VQ_NOTRESP event (1)
Feb 16 15:24:29 macuser KernelEventAgent85: tid 00000000 type ‘smbfs’, mounted on ’/Volumes/datafolder’, from ’//DOMAIN;MACUSER@SERVER/DATAFOLDER’, not responding
Feb 16 15:24:29 macuser KernelEventAgent85: tid 00000000 found 1 filesystem(s) with problem(s)
Feb 16 15:25:52 macuser kernel0: smbfs_close: error 60 closing file_name.ai
Feb 16 15:26:13 macuser KernelEventAgent85: tid 00000000 unmounting 1 filesystems
The log says it is unmounting the filesystem but it rarely really does unmount.
I don’t see any errors on the server side.
Anyone else seen anything like this?
Thanks so much! I set up a pretty nifty little network here for what is now my place of employment (network admin) and have win2003 running as a domain controller and file server! When I recently bought a mac notebook, the only thing that I could not figure out that made me hate my life everyday was this problem! You put an end to a headache that has been killing me for months!! THANKS AGAIN
Yes, it’s great, but to reiterate the point that has been brought up before: What are the implications of this to the security of the network?
We did all the above steps on the server software and installed the MS UAM. NOW, I can log in, but when I do all I see is something called the Microsoft UAM volume. All it contains are OS9 UAM installers.. That’s the only thing I can see.
Is there something else that needs to be done on the server software that allows me to see what I actually came for?
Thank you !!!!!!!!!!!!!!!!!!!!
Trying to access Windows 2003 share from VMWare ESX Server using SAMBA Client. This did the job !!!! Cheers !!!!!!
I FREAKING LOVE YOU MAN!!!!
I manage a design firm with 10 stations, a mix of os X and sbs03 server…. X users were cut off for like 5 months. And now…. its so simple.
BEST FIX EVER!!! Thanks man.
even though i was able to go through the part that asks me for my password, and recognize the server, after following your instructions… i can’t go through the part that says “Select the SMB/CIFS shared volume you want to connect to”.
Once i choose the one i want from the menu, it goes back to the “The alias ‘XXX’ could not be opened, because of the original item cannot be found”. I’m going back and forth to the windows server to figure this out, but i can’t! HELP, Please!
My problem is the other way round I’m afraid – trying to connect PC users to Mac SMB shares. Being in a massive corporate AD network I’ve absolutely zilch chance of getting the admins to turn off SMB signing. More chance of Saddam getting a US passport.
PC users trying to map to the Mac SMB share get prompted for an ID/PW. Even entering a valid account just brings back the same prompt (and increments the failed logons count for the AD account in the process).
Thursby’s DAVE installed on the Mac server overcame this. Unfortunately though, my joy was short-lived when it completely screwed Mac AFP clients connecting to the concurrent AFP share for the same volume :(
DAVE + AFP + AD all in the same bed is BAD news for AFP clients, unless you can mess about with your DC. Any two of the three will work fine together. Thursby don’t want to know when their product merely breaks something else.
You Rule! Thank you so much for posting this.
Regards!
Ricardo
This guy should get the Nobel Prize or something! Absolutely brilliant!
Now it works!
Thanks man!
That tip about turning on NETBIOS over TCP/IP just fixed a problem that had frustrated us for weeks.
Thanks.
To #99 Jeremy H, regarding locked files on 2k3 server aka the ”._” issue.
Read the info at the link below.
http://discussions.apple.com/message.jspa?messageID=689015
Looks like we have limited options to “fix” this OS X “feature”.
Simple, Robust or Cheap – pick two.
Thank you so much. I’ve wasted hours on this problem and I was relieved to see that someone smarter than me had already nailed it. Once again it showed that the Internet is synonymous with information, and that Google is the entranceway.
Thanks again for taking the time to post this solution to a vexing problem.
Skyroom Ron
Tadaa !! I can confirm that this is a workable fix even under SCO Openserver 5.0.5 !
Thank you. Thank you. Thank you.
You may alternatively install the Microsoft UAM on the Mac so it uses encrypted passwords. Do a google search for download and howto.
Thank you so much. I tell us in spanish.
I spent a long time looking for the solution to this problem.
can i marry your brain…
thanks dude…
Yes, you “fixed” a macintosh problem by disabling a security feature on a windoze server…
I don’t really classify that as a fix in any way at all, but more a work around for a problem which hasn’t been solved yet…
Still, very nice work, seems you have made a lot of people happy :]
You made me happy with your image in the banner, but this post doesn’t solve my problem or answer the question – just a botch it work around until I actually know why this problem is occurring or mac fix it!
Toby – of course it’s up to the individual to assess the security concerns before making any such change. However, I think you’ll find that for most people this won’t be a concern. If your security model relies on a Windows server encrypting SMB connections, then you probably ought to be tunnelling your connections instead.
We got the same problem for a couple of days. Thanks to your excellent explanation and hint we’ve solved the problem with a few mouse clicks.
Great tip! Thank you for posting that!
Dear Drew, For me its been a year trying to find a solution to connecting my house Macs (preferred by the whole family) to our Win2003 Server. You’re a life saver. Just when they had almost lost all confidence in “Techno-Dad”. You’ve rescued my shattered reputation and I thank you much for this. Nevertheless, I’m taking full credit in order to regain their adoration. Thanks again!
This isn’t quite what I need, I have an issue with to Win2K servers via afp: random disconnection of Mac OSX users, open a desktop share up and it appears think it’s a different share, and we have 3 Win2k shares per desktop – and this appears to lead to kernel panics. Any suggestions? I have heard that ExtremeZ-IP fixes this sort of behaviour – but I’d rather not spend that sort of cash.
thanks, upgrade my 2000 server to 2003 and my os x box could not login… many thanks
Thanks!
Domain Controller Security Settings should be
Domain Controller Security Policy in my case. But thanks anyway.
I’m a Windows man who is making the switch to a Mac at home and this one had me stumped until I found your blog – thanks for taking the time to post the solution.
Strangely, the option to digitally sign communications (if client agrees) didn’t seem to make any difference, so it really is necessary to disable digitally signed communications (always). Although it would seem logical to make the change via Group Policy, this is a computer setting (so is not applied to a user account) and as Macs are not domain members they are not affected by group policy either (although the policy for the target server could be set at domain level)
Beware that if editing local policies, these are overridden by site and domain-level policies; however in this case, it’s probably best to make the change only on those servers to which access is required from a computer that doesn’t support SMB signing as the need for digitally signed communications is intended to prevent man-in-the-middle attacks from occurring and disabling this represents a security risk. Further details can be found in the Microsoft Windows Server TechCenter (http://technet2.microsoft.com/WindowsServer/en/library/1a2546ce-b45a-4a2d-a0c9-082e444f1fe81033.mspx?mfr=true).
In response to Aaron Baxter (post no.102)
I had the same problem. It turned out that I had made the simple mistake of typing in the IP address of our domain server instead of our file server.
Entering the correct IP address into Finder-Go-Connect to Server gave me access to the shares that I was expecting to see
The only shares visible to a G5 on the domain server were the UAM and a Sophos Antivirus folder or two.
Woow: I’m really impressed with this easy solution.. This works now for all my mixed environments with Mac-W2K3-Linux clients.. Yee thx a lot
Thanks so much. I’m still surprised this hasn’t been resolved in 10.4.7
Wow! Thanks for the tip! We just upgraded our server to 2K3 R2 and had a heck of a time getting our mac clients to connect. Now, they connect without issue.
Thanks again!
We have 2 Win 2003 File Servers. We do not use afp because it is a v 2. something (old technology) our macs are bound to A/D using the active directory plug-in. Kerberos and SSO work perfectly when connecting to these servers. They can even change their A/D password and it syncs with their keychain password. No downgrade in security was required.
Fantastic. Straight to the problem. Problem ‘nixed! Thank you sir!
We had similar issues, and especially issues with Quark and Dreamweaver. I was about to lose all my hair. We finally bit the bullet and bought Extreme IPZ. It solved all our afp, Quark quarkiness and resource fork problems.
Hey this works pretty well. Thanks for the help. Now if anyone can tell me how to setup roaming profiles so that I can roam from Windows XP Pro to Mac and Back to Windows without using ADMIT MAC email me PLEASE.
Thank you man!!! your tip is great, i’ve been fooling around for hours trying to tackle this issue!!!
Like magic: its simple and easy… once you know how to do it. Thank you very very much.
Thank you for this article. I’ve been having this problem for a long time, and had given up on it. Just gave it another try, and found this page via Google.
thank you so much.
Brilliant! Tried this with SCO OpenServer 5.0.5 today and the problem I’ve been wrecking my brain over ceases to exist :D
Thanks Microsoft for the headache and TYVM Drew for the prescription :)
THANK YOUUUU Perfect solution! Greets from Frankfurt
Thanks very much. Moved to MacBook from PC a couple of months ago – everything is so much simpler! My firm is half-half split Mac and PC still. I installed SBS2003r2 a few weeks ago, but was only managing to fully access server folders using Parallels which was annoying. I’ve been searching for this solution for a fortnight – now I can sleep at night! I’ll share the knowledge.
If it has not been stated yet, the reason that encryption is the default is because you can do replay attacks against the server.
Specifically, I ran into this issue when trying to reduce SMB communications overhead between domain member servers – the thing that failed when I flipped it over to “never encrypt” was an inability to download the group policy file (even though it was not being used).
I have the same problem—from my new imac, I get an error message ”[computer name] could not be opened, because the original item cannot be found.” I read the remedy above, but cannot find Administrative Tools to begin the process.
Upgrading to Tiger fixes all this guys. The goofy Quark filenames, locked and disappearing files are fixed. You can also have your OSX users log in to their machines under AD credentials.
See, we’ve gone through this at my company. We just upgraded to Windows Server 2003,took care of the digital encryption, and we can connect to the windows shares okay, but the connections keep dropping. We don’t lose any other network connectivity.
My sysadmin is stumped. Anyone got any ideas(pretty please)? Thanks in advance!
Actually, it looks as though it was a licence issue – we didn’t have enterprise edition, so we had a limitation of 10 user connections at a time. Well, there are about 20 people in my company, so we were constantly competing for connections!
Anyway, hope this helps anyone who might have this issue.
Wonderful. THE solution for me here also !!
Great thanks from Paris, France
This is great. I’m a first time MAC user and a LONG time windows user. I’m running OSX 10.4.8 and this problem was driving me crazy. Apple has to correct this problem for users asap.
Thanks A Bunch.
Hi, everyone. We had a similar problem at our school where we needed mobile lab iBooks with OS 10.3 and 10.4 to access AFP share on Windows 2003 server to be able to run Mavis Beacon Typing program. The problem was when we tried connecting to AFP it would give us errors (different error for OS 10.3 and 10.4). In OS 10.3 it would not let us even connect to the share but OS 10.4 it would come up with a login window and fail after you logged in. When we connected with SMB it worked fine, but the typing program was not compatible with SMB protocol. It’s amazing how such a simple solution had us stumped for weeks. We called Apple and Riverdeep (Mavis Beacon Teaches Typing 16 company) on this issue, Apple said there was no known issues connecting OS X to AFP shares on Windows 2003 Server, so they were no help. Riverdeep spent hours with us on phone support to try to figure it but were not able to help. After spending hours with outside network tech support we were able to find a very simple fix that we should have seen right away. Here is how we solved this issue.
1.) You will need to create a new share that you want to access.
2.) Go to Start menu on your server
3.) Open All Programs -> Administrative Tool -> Manage Your Server
4.) Under “File Server” click on “Manage this file server”
5.) Under “File Server Management” tree right click on “Share” and select “New Share”
6.) In the Wizard click Next
7.) In this next window either browse to the place where you want to create the new share or type it in and click Next.
8.) Here is where we found the solution. Make sure “Apple Macintosh users” is checked, and click Next.
9.) Configure your permission in this next window and click Finish.
10.) Now you should be able to access your AFP share from your Macs, at least in our case this worked.
Also thanks for everyone sharing their knowledge on issues, you guys have been great help. These types of forums are more help most of the time than the people that actually created the software.
Best solution for W2K3 Server with MAC OS 10 or above save me TONS of time
Great find.
While I am being cursed by all the windows nerds here in the company for buying a Mac, they were laughing at the problems I had with this. (yes it’s sad, but that is the real world eh)
Thanks for this solution.
I wonder if it would be that difficult to detect this problem for Apple. Instead of finding a solution they could at least give a more descriptive message…
Sir, thank you very very much, Google and yourself Rock.
Saved me a lot of headaches.
Thank you so much for posting this information. Saved me hours of frustration trying to figure out why the network folders seemed to be a snapshot rather than a current look!
Have been struggling with this for months, on-and-off. The solution works, but for me there was one other key thing to avoid Error -36.
I had installed Windows Server 2003 but not as a Domain Controller and had operated my network in Workgroup mode. Along with this, I am not sure my DNS server was properly configured.
Short story: I ran the Domain Controller/AD setup wizard (new Domain, new Forest) and let it auto-configure the DNS.
Then, presto! All the Mac OSX and SMB interaction suddenly worked, with the above-mentioned security modification:
Microsoft network server: Digitally sign communications (always). Set this to Disabled.
Thanks for all the tips.
Thank you so much! I’ve been tearing my hair out on this issue for months!
And what about a Samba server? I have a FreeBSD server running a Samba server and I want to connect to it from a Mac; how can I disable ‘Digitally sign communications’ there?
thanx,
tomas
I love you.
I can’t bind the Mac OS X client to the Windows 2000 domain even though I made the changes to Domain Controller Security Settings. The server is only a domain controller server with no DNS capabilities.
When I try to bind the MAC OS X client from directory access/Active Directory settings the response is “An invalid domain and Forest combination was specified. ...” Thanks for any tips.
Dude you rule!!! This worked perfectly and apple wanted to charge me $50 for tech support.
I’ll just give it to you!!!
THANK YOU! I have a customer whose domain I had to upgrade from NT to 2003, and they used 3rd party software to get Macs to connect before, but it was not compatible with Windows 2003. You saved me a lot of headaches.
My client had been looking for a solution to get his iMac to connect to a windows 2003 share for a year. This got him connected in two minutes. You are the man. Thanks
WONDERFULLLLLLLLL! This has been haunting me for days now. Thanks!
Weird, before implementing this change on the server, I was able to access the share via the smbclient command on the command-line, however the Finder was not working.
I wonder why the Finder doesn’t use the encryption if smbclient is able to.
Would this also work for printer shares on a Win 2003 Server? I can see the printer but it prints gibberish. The Mac book cannot be joined to the domain for the time being.
Many thanks
Thanks, I have been looking for this issue for some time and even crashed the windows 2003 server (installing the Macintosh services gave some surprising results).
Oh man! I tell you what. I have just bought a new MacBook, having spent over £1000 on it and with really no Mac knowledge, I was thinking that living the MacDream was going to be impossible. BUT – Your solution solved my networking error in 4 minutes!!! Thank you so much for your time and detailed explanation. People like you are what makes the internet a great place! Thanks
Amazing – Windows Server 2003 and OSX Tiger didn’t work with sporadic errors and this minor policy change worked a treat. Thank you so much.
I love you so much right now. Thanks for posting this.
Thank you!
This tip was great! Too bad I had to search a while on google to get it.. but it was worth it! :D
We had access problems with both XP & OS X clients for file and printer sharing on an XP box, but changing LmCompatibilityLevel in the registry to 3 fixed it- http://www.netid.washington.edu/documentation/faqCommon.aspx#whatLmLevel
Excellent! Thank you for this! I’ve been talking to two different Windows gurus about this. They had me install Mac services, etc., and had me enable “digitally sign communications (when the client agrees)”, but never had me UNable “digitally sign communications (always)”! One little search, and I found the answer right here! Thanks again!
Thank you so, SO much.
muah!
Hey Mate, thanks a bunch for this. I don’t normally work with Macs but clients of mine consistently buy different types of hardware and expect me to know everything. You’re a legend!
@timh: THANKS A LOT!
After weeks (!) of looking for a solution of exactly this problem I reread the thread above, enabled the NetBIOS over TCP/IP settings on the Windows SBS Server—and magically I can now log on.
That worked for me, thanks a mill, I could have spent ages looking this up. Fair play to you for getting it up on the web and on Google search.
I have a problem semi-related. Please read and help me if you can, I desperately need it.
I am a mac tech at a research center with about 150 pc’s and 55 macs. I am able to connect and access all shares and volumes. My problem lies in changing network passwords from a Mac. With macs running 10.3 and 10.4, I am able to install the MS UAM and it allows me to successfully change password via the MS UAM window that says microsoft on it. But, on some 10.4 machines, I installed the MS UAM and rebooted only to find that when I connect to the share via AFP;//servername, the MS UAM window that says microsoft on it will not pop up. I am only getting the standard mac osx auth window. Please email me if you have a fix. I can’t find any info on this problem anywhere. augwell@gmail.com