Topic: Cannot map drives or connect to Ibay

[alext]

I recently installed a fresh SME 7.5 server in Gateway mode and then installed all required updates.
Configuration went smoothly with the server configured as a domain controller handling roaming profiles.
I set up the PPTP settings to allow 6 clients via the Security Settings tab.
I created a user group.
I created users and allocated them to the user group and permitted VPN connections to those who needed it, (me included).
I created a test IBay and allowed READ/WRITE access to the group, access to the entire Internet (Password required outside local network) and execution of dynamic content ENABLED.

I installed the Shared Folders RPM from the SME repository and created a share, (testgbl), that was READ/WRITEABLE by the group.

I successfully created a VPN tunnel from outside the network, (using my login name for testing), and declaring my SME server domain name during the connection, (Windows XP standard VPN client).

I then attempted to map a drive from the Windows workstation using net use G: \\(sme local ip address)\testgbl

I entered my username and password as requested but then got:

   System error 53 has occurred.
   The network path was not found.

I then tried to map a drive via Window Explorer but it kept asking me my username password.

I triple-checked my password and all is OK, (VPN connects fine with the same username password).

I then tried to connect to the test IBay via FireFox and, again, I was constantly asked for my username/password.

So then I made sure of my connection by pinging the server's local IP address from my remotely connected, (via VPN), workstation. This was successful.
I then successfully connected to the server's "Server-Manager" from my remote workstation.

Mapping shares to drives works if I use a workstation within the local network.

Connections to other systems works fine from the same remote workstation.

Am I doing something wrong or did I miss something in my configuration?

Any help would be very welcome and I apologise if I am in the wrong forum...

Cheers,

Alex

[janet]

alext

At the remote site, do you log in to your Windows workstation ?
Windows passes the user login credentials to SME via the VPN connection, so if you have not logged into your workstation then you will be asked for your user credentials (which may be what is happening). These credentials will not match up as you may have not logged into Windows.

Access to ibays via browser with password enabled on the ibay, will ask you to provide login details, but these are the ibayname and the ibaypassword, NOT your username and password.

I do not use that shared folders contrib, I would remove it to see if it is interfering with normal ibay drive mapping via VPN connection (subject to abovementioned considerations).

The other point to note is that you seem to be logging in to the SME domain via VPN. Therefore access rights will be applied by SME server based on the user group membership, and whether the group owns access to the ibay ie ibay read write should be group1 and group1 and the user1 should be a member of group1.

[alext]

Hi Mary,
Thanks for the quick reply.

    At the remote site, do you log in to your Windows workstation ?

Yes, otherwise I would not be able to establish the VPN connection. (Can't run a windows programme without logging in).
In the MS VPN client I have ticked the box entitled  "Include Widows logon domain" in the options tab. This causes the additional "Domain" entry to be displayed on the VPN login dialogue window, (in addition to username and password). Here I enter the SME domain name which I would expect to be passed to the sme server along with the username and password for authentication.

   Access to ibays via browser with password enabled on the ibay...

Oh dear, I knew I had forgotten something...
Thank you. I have set up a password and can now access the Ibay remotely.

   I do not use that shared folders contrib,...

I use it because it gives much better control over access and access rights than using straight Ibays. I have users out in the field that need different classes of access rights to several shares. I may temporarily remove it to see the effect but I really need something like this.

   ...you seem to be logging in to the SME domain via VPN...

Yes I am by supplying the SME domain name/user name/password.
The Ibay is owned by the group which has READ/WRITE access

Once again, thanks for the help.

Cheers,
Alex

[janet]

alext

    At the remote site, do you log in to your Windows workstation ?

Yes, otherwise I would not be able to establish the VPN connection. (Can't run a windows programme without logging in).

Well not exactly what I meant.
I was referring to whether your workstation is configured to log in to Windows Networking and presents users with a user name and password login screen when you first start Windows. 
The alternative commonly used scenario is auto log in without needing to enter a user name and password, or where you have user switching enabled (as you do not log in to networking correctly in these latter situations).

[alext]

Yes, I log in to Windows using username and password. I never use Auto Log in as security is almost non-existant. I never employ user switching.

All users of my client use this method too; most travel and need to connect via VPN to the server. They also connect to other servers via VPN, (i.e different domains, usernames and passwords).

Cheers,
Alex

[janet]

alext

Yes, I log in to Windows using username and password......

OK then, is the username they log in to Windows with, the same as the username on SME server ?

[alext]

No, not necessarily.
They login to their own laptop as a local user using whatever name they have configured then use the VPN connection to create the tunnel using the domain/username/password defined for them on the SME server.
This is successful.
From that point I would assume that from the SME server viewpoint a user is logged into its domain and authenticated via the VPN supplied username/password and would thus have the rights of the same user logged in on a workstation connected to the local LAN.

Maybe I am wrong but that seems to be the logical way of looking at it.
(Yes, I am aware the expression concerning "Assumption"...!)

Just to try it out, I have created an account on my remote machine with the same username as the one I defined on the SME server. Once again, the VPN connection was established successfully but mapping a drive using the SME username/pasword combination caused:
   System error 53 has occurred.
   The network path was not found.


Incidentally, if I browse "Entire Newwork" on my remote workstation with the VPN tunnel established, I do not see the SME domain.

Thanks for your patience,
Cheers,
Alex

[janet]

alext

Log in to Windows as the same user that exists on SME. It should work then.

[alext]

That is what I am doing.

Windows username:  alex
SME username:        alex

The same "net use..." error occurs

   System error 53 has occurred.
   The network path was not found.

(I added the last two paragraphs on to my last reply a little after I had posted the original so maybe you read it in between times, sorry)

Cheers,
Alex

[janet]

alext

OK got you re the same user.
I can only answer that VPN and drive mapping works for me on a variety of Windows platforms connecting to different sme servers.

   System error 53 has occurred.
   The network path was not found.

Just googled that and this answer looks interesting.
http://support.microsoft.com/kb/840634

ie Is the problem to do with Windows Firewall.
Perhaps you could disable it or open some ports on one of the remote Windows workstations and try again.

[alext]

Thanks for the pointer and the helpful advice.
I checked a little further and found all sorts of nasty things concerning port 445. Looks really scary!

I am not using the Windows Firewall, I am using Panda Internet Secure.
I created a rule allowing inbound TCP port 445 and...
hey-presto! I could then map drives.
(Still not too happy about the security angle)

However, I still cannot see my SME domain in Windows Explorer > "Entire Network", and when I log in via VPN it seems that the NETLOGON script on the SME server does not get executed.

Any ideas?

I may try to connect from my Ubuntu laptop to see if I can use a pure Linux setup.

Cheers,
Alex

[Stefano]

However, I still cannot see my SME domain in Windows Explorer > "Entire Network", and when I log in via VPN it seems that the NETLOGON script on the SME server does not get executed.

Any ideas?

please disable (only for test) all kind of personal firewall on windows client and retry

[alext]

Hi Stefano,
I am not in my office at the present time so I cannot use the same workstation that I used at the beginning of this topic but I am at my client's site, (the one with the SME server), and I have used one of his laptops that is connected to the outside of the router, (external SME gateway port), to try out your suggestion.

The laptop has no anti-virus installed and the Windows firewall has been stopped.

I can make a successful VPN tunnel using my domain/username/password as defined on the SME server.

I am able to manually map drives to shares on the SME server.

Browsing on the workstation with Windows Explorer does not show the SME domain in "Entire Network".

Also I do not see the drives that were defined in the SME Netlogon script.

Cheers,
Alex

[Stefano]

Browsing on the workstation with Windows Explorer does not show the SME domain in "Entire Network".

the remote one? it's quite "normal".. you have to wait ages to have it (in my experience).. edit your vpn setup on windows client and add the remote server as the dns..

Also I do not see the drives that were defined in the SME Netlogon script.

edit the netlogon script and (I'm assuming it's a bat file) and add a "pause" at the bottom..
just a question: are you invoking remote server via its name or via its ip?

[alext]

Thanks Stefano, I will try on my original workstation when I get back later thhis afternoon as the client needs his laptop

Cheers,
Alex

[alext]

Hi Stefano,

Re. your suggestions;

I guessed that the SME domain may take some time to be "discovered" by Windows but having left the VPN connection up for some considerable time it never showed up.
I assume that by suggesting that I define the SME server as DNS for the VPN connection you meant that I should modify the DNS address in the TCP/IP item in the Networking tab of the VPN profile. This I have done,  (set to the internal IP address of the SME server - 192.168.100.1), but it makes no difference - still no domain discovered.

I put a pause at the end of the SME login script then, after establishing the VPN tunnel, I attempted to get a directory listing of the netlogon share of the SME server by using the DOS command;

   dir \\192.168.100.1\netlogon

The result was:

   Access is denied.

As an integrity test of the command I also tried;

   dir \\192.168.100.1\NETLOGON

The result was:

   The network path was not found.

Which seems to suggest that netlogon is a share but NETLOGON is not and that somehow my VPN connection is not getting the correct access rights, (if any...). In fact I am wondering if the domain login is happening at all: I am being authenticated so that part of the VPN connection is working but it seems that the server is ignoring my domain login request.
 
In all cases (VPN connection and drive mapping), I am using IP addresses.

Cheers,
Alex

[janet]

alext

Have you actually joined the computer to the domain before you try to do a domain login via VPN ?

A domain is a trusted network of computers, and at some point in time you have to setup that trust ie join the domain. Only then are you allowed to login to a domain.

Typically a notebook would have joined the domain when connected to the local network (LAN) where the SME Domain controller is. Then that notebook goes off site to a remote location. The user logins in to the notebook workstation using the normal domain login screen, but as there is no domain controller (DC) available to authenticate against, Windows uses the cached memory. Then when you establish the VPN Domain login connection, the correct trusted credentials are presented to the "now remote" Domain Controller, and you are then granted appropriate access rights to the domain.

If you are using a standalone PC that has not yet joined the domain, then you need to initially connect using a normal "non domain" VPN login screen, and then go through the process of joining that PC  to the domain (using the admin user and password etc etc).
Then you disconnect the VPN connection and login again using the VPN Domain login option. the domain should then be found and connected to, as your PC is now a trusted member of the domain.
It will still take many minutes to discover the domain depending on Internet connection speed, but remember VPN is very slow anyway, compared to the actual Internet connection speed.

Do a google search on VPN Domain login issues, there are many results.

[axessit]

Am asumming here that the remote PC's workgroup is the same as the SME's workgroup? The workstation will only initially browse it's own workgroup and not see the SME if it's workgroup (domain) is different.

[alext]

Mary,

Sorry for the delay in replying - had some other problems.

My office, (remote) workstation can connect to the SME server via VPN but not to the domain.
(My office workstation is XP3 Prof SP3)

I followed your suggestion in paragraph 4, (standalone PC), by connecting, as usual to the SME sever via VPN using the "non-domain" VPN login screen, (no domain name is requested). This was successful.

Then, with the VPN tunnel still established, I attempted to join the domain via the Control Panel > System > Computer Name > Change dialogue.
Initially I was a member of a local workgroup, (comprising 1 PC). I requested membership to my remote SME served domain by entering the domain name in the "Domain" box, (switching on the radio button first, of course), then clicking "OK".

This resulted in an error stating that a domain controller for my remote domain could not me found.
As the remote domain is private and NOT registered with a DNS server I added the domain name and remote server local IP address to me HOSTS file. I tested connectivity by successfuly pinging the remote domain name.

I then tried several combinations in the "Domain" box, (e.g. server local ip address, server local IP name, server external IP address). None of which worked which was as I expected.

I then created an entry in my LMHOSTS file defining the SME domain name pointing to the SME server at its local IP address. This also failed.
I modified my NETWORK > WINS parameters on my VPN connection to first enable NETBIOS over TCP/IP then to disable it: neither worked.

Looking into this a bit deeper it seems to me, (and I accept that I may be very wrong), that the SME server is not accepting and/or processing the datagram generated by the Netlogon process of me client when delivered via VPN.

I do have a valid user account on the SME server, (the one that I am using to attempt to join the domain), and VPN access for the user account on the server is enabled.

Stranger and stranger...

Cheers,
Alex

PS. - reply tp axesslt:

We really are talking DOMAINS not WORKGROUPS. My remote client the is not initially connected to any domain and is thus in its own workgroup whose name is different to the domain to which I am trying to connect.
My remote client is on a LAN which also has a locally connected SME server that is also a domain controller. The remote unattached client can see the local SME server with Windows browser.
 

[janet]

alext

Are you trying all this with the personal or any firewall disabled for the VPN connection, and with the remote SME server configured as the WINS/DNS server for your VPN connection (ie in your VPN setup) ?
Is the SME server you are remotely connecting to, actually the Domain Controller for that network ?

This resulted in an error stating that a domain controller for my remote domain could not be found.
As the remote domain is private and NOT registered with a DNS server....

Don't blame SME server, that error is reasonably explicit. Your system cannot find the domain controller. You need to troubleshoot and understand why that is so, but you seem to be trying random fixes and then saying it's very strange when it doesn't work. Do your research and find out why. Investigate domain login via VPN much more than you have done so far.

I don't understand the relevance or meaning of your comment re the remote domain is private and not registered with a DNS server. Does it have some meaning to you that may impact upon the issues you are experiencing ? As I asked earlier, is the server you are connecting to an SME server and is it the Domain Controller for that network ?

[Stefano]

This resulted in an error stating that a domain controller for my remote domain could not me found.
As the remote domain is private and NOT registered with a DNS server I added the domain name and remote server local IP address to me HOSTS file. I tested connectivity by successfuly pinging the remote domain name.

I haven't had any problem to authenticate a domain client via vpn..

I mean: pc client joined to a remote SME server.. at windows startup, che flag "Use remote connection" (or similar, my O.S. is in italian) was set... no problem at all..

it's a network problem.. investigate on it

[axessit]

PS. - reply tp axesslt:

We really are talking DOMAINS not WORKGROUPS. My remote client the is not initially connected to any domain and is thus in its own workgroup whose name is different to the domain to which I am trying to connect.
My remote client is on a LAN which also has a locally connected SME server that is also a domain controller. The remote unattached client can see the local SME server with Windows browser.

I realise we are  talking about domains, but the "workgroup" box in the configuration has a windows workgroup name, that is the name of the domain you try and join. I have often found you have to change the windows workgroup name to match the domain (and you leave out the ".co.xx") on the workstation, reboot, then try and join it to the domain.

For instance, I have a SME server with the domain axessit.test, and the workgroup is set for testing, so the domain I put into the windows Domain box to join is testing, not axessit.test.

I do have a valid user account on the SME server, (the one that I am using to attempt to join the domain),

If you are getting asked for a username and password, then the workstation has found the domain controller. You must use a domain admin account, such as admin/passwd, not just any user account name.

Maybe you should tell us the SME workgroup setting, the and the Windows domain you are trying to join.

[janet]

alext

Ah yes, axessit has identified your confusion between a Domain (trusted group of computers) and a domain name (URL for Internet access). They are totally different things.

The Domain name for purposes of logging in to a trusted DOMAIN (ie login to a SME Domain Controller server or DC) is the same as the workgroup name you configured in server manager, but only in the case where the server is also configured to be the only DC on your network eg WRKGROUP or OFFICE1

The Internet URL type domain name is the main domain name given to your server when you first ran the Configure this server screens eg mymaindomain.com.au

Also as axessit identified & I said earlier, only the admin username and password combination or a user who has admin privileges, can authorize a workstation to join a domain.

Try again with the correct DOMAIN name and admin user details.