Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: wbs316 on March 16, 2010, 12:31:51 PM
-
I was wondering if anyone has had a similar issue trying to utilise a Windows 7 machine with an SME server.
I have a client who has a number of Windows XP machines that I have configured successfully previously for use with their SME server. The Windows XP machines are typically configured with a specific workgroup name, a user ID and password. This user ID and password is also configured on the SME server so that when the user logs on to the Windows XP workstation the user ID and password is cached to the SME server.
I have attempted to configure a Windows 7 laptop in a similar fashion i.e. configuring the workgroup name and a user ID and password on the Windows 7 laptop that is the same as the user ID and password configured on the SME server. While the Windows 7 laptop can see the SME server when browsing the network when an attempt is made to connect to the SME server the Windows 7 laptop produces a login ID and password window. Despite using login IDs and passwords which I know are valid for the SME server I am unable to connect to the SME server and I also was not expecting the subsequent login ID and password window to appear.
Are there settings on the Windows 7 laptop that need to be adjusted. Any help would be appreciated.
-
wbs316:
please search the forums and bugzilla.. w7 will be fully supported only on SME8 as a completely different version of samba is needed
-
I was wondering if anyone has had a similar issue trying to utilise a Windows 7 machine with an SME server.
Any help would be appreciated.
(in addition to Stefano's cogent advice)
My Win7 64bit workstation sees SME7 and iBays over
my intranet without issue. To actually connect to SME7
I use a PuTTY session from the W7 box and have also
set up the public/private passkey stuff along with
PuTTY's Pageant quick start utility. There's no problem
whatsoever, it's faultless, reliable and (AFAIK) it's all
pretty secure. I haven't stumbled over a problem.
Spend more time in SME's wiki.
-
Thank you for your input. I am not intimately familiar with SME server. PuTTY session? Is that a protocol that I add to the network on the Windows 7 box? Do I need to make any adjustments to the SME server?
-
Hi wbs316
I have an SME server in Server/Gateway mode. It is not a domain controller, just a workgroup server.
You can mix the two: some PCs connect to the domain, others just to the workgroup. Depends what you want to do.
I use a workgroup and connected my Win7 box by mapping a network drive to the server share, with no problems. I made it a permanent connection so now when I log on to my Win7 PC the network drive (the Samba Share) is available.
If you want to use a Domain, be aware there are differences between versions of Win 7 - the cheaper versions don't connect to domains. Be aware also of the differences between WinXP and Win7 as to where the NETLOGON.BAT file is stored and how it is handled.
By the way, PuTTY is a terminal program that allows you connect remotely to another computer. It is NOT a gui, it is a command line window - a bit like Windows Command Prompt window (or DOS Box). Google for PuTTY, download it and run it on your Windows PC. There are tutorials availble on the web - google them.
Good luck
Ian
-
Thank you for your input. I am not intimately familiar with SME server. PuTTY session? Is that a protocol that I add to the network on the Windows 7 box? Do I need to make any adjustments to the SME server?
[PuTTY] ...first result.
http://www.google.co.uk/search?q=PuTTY
[SME wiki] ...so, get intimate.
http://wiki.contribs.org/SME_Server:Documentation
[passkey stuff] ...give it a proper read.
http://www.wellsi.com/sme/ssh/ssh.html
-
...
Are there settings on the Windows 7 laptop that need to be adjusted. Any help would be appreciated.
Yes, it's very simple when you know how 8)
As administrator on the Win7 (or Vista, in fact) machine, go to:
control panel / administrative tools / local security policy / local policies / security options
Find the entry for: Network Security: LAN manager authentication level
Change it it to Send LM & NTLM responses
Reboot & you can login to your SME shares.
-
As administrator on the Win7 (or Vista, in fact) machine, go to:
control panel / administrative tools / local security policy / local policies / security options
Find the entry for: Network Security: LAN manager authentication level
Change it it to Send LM & NTLM responses
Reboot & you can login to your SME shares.
Have the developers done a security audit on that method?
-
Have the developers done a security audit on that method?
Not sure what you're asking here. All this does is to make Vista / Win 7 behave like XP / W2K does when using Samba. If you're already running in a mixed environment, how does this impact on security?
-
Not sure what you're asking here. All this does is to make Vista / Win 7 behave like XP / W2K does when using Samba. If you're already running in a mixed environment, how does this impact on security?
It's an automatic M$ unease of mine.
Making a W7 box behave like W2K rather negates
the additional security functionality put in by M$.
With a rootkit or trojan infection on that M$ box
does it make sense to reduce or relegate the
access procedure to SME? Just a bit uneasy,
I'd want to pass it up to the developers ...
-
But my point is that the OP's already running XP boxen that have this level of authentication to the SME, so I can't see modding the W7 box to be an additional security risk.
-
I understood your point. I'm uneasy that a W7 box can be
easily modified down to a W2K level of sophistication that
SME can or will accept for its appropriate access.
-
Sure, & I agree in principle, however it doesn't negatively impact on all of the other good things in Win7. Sometimes you have to accept that you can't be at the bleeding edge of good security practice on every box simultaneously.
-
I'm not concerned about my W7 boxes though they are an
improvement on my W2K boxes. I didn't know about this mod -
never took up XP or Vista - moved directly from W2K to W7.
I am more concerned for my SME until this mod is positively
sanctioned by the developers. OP wants this on laptop too...
-
But all it does is to effectively (OK, I know it's a bit more) modify the password hashing algorithm to allow the older SMB authentication that the SME has to work. I don't see why you feel that the SME developers are even going to be interested, given that it's simply toning down the default W7 hash to one that the SME is designed to deal with. AIUI, you need Samba V3.3 or 3.4 to use the default security model in Win7.
Looking back, I may have been overly aggressive in my suggested change & I think "Send LM & NTLM - use NTLMv2 session security if negotiated" should also work OK.
-
I'm just being cautious. Particularly with those
things over which I don't have a detailed grasp.
SME's security is really important. I'll experiment
a little in the meantime.
-
Thanks very much NickR.
I found the same detail on a Mac related forum and tried the same option that you have mentioned and was able to access the SME server OK.
For reference this SME server is version 6, that's right Version Six, so hopefully this may be of help to others who are trying to use Windows 7 with SME 6 or 7.
-
piran
> I'm just being cautious.
I think you are being overcautious & bordering on impractical.
Window (Vista & 7) defaults to security settings that are applicable to Microsoft Windows Servers. If you want to use those settings, then you need to use Window Servers, which is what Microsoft are expecting you to do.
SME servers running Samba do not support those protocols, so you need to change the settings to a compatible protocol, as has been advised to you.
Just search for Vista login issues on google and the forums for plenty of answers, which identify the same issue you are seeing with Win 7.
See one of many articles here
http://www.builderau.com.au/blogs/codemonkeybusiness/viewblogpost.htm?p=339270746
-
piran
> I'm just being cautious.
I think you are being overcautious & bordering on impractical.
You are entitled to your opinion and which
I respect but I would ask you not to judge me.
Window (Vista & 7) defaults to security settings that are applicable to Microsoft Windows Servers. If you want to use those settings, then you need to use Window Servers, which is what Microsoft are expecting you to do.
Noted. Thank you.
SME servers running Samba do not support those protocols, so you need to change the settings to a compatible protocol, as has been advised to you.
Noted. Once again thank you.
My point of concern was that a situation where SME refused connection
to a M$ box could be resolved by a settings change on the _M$_ box where
formerly the connection was refused. This is what concerned me.
Just search for Vista login issues on google and the forums for plenty of answers, which identify the same issue you are seeing with Win 7.
I know where to look.
I have __NO__ issue with Win 7 as currently set up here.
See one of many articles here
http://www.builderau.com.au/blogs/codemonkeybusiness/viewblogpost.htm?p=339270746
Thank you for that URL. On first glance it appears to deal with
security and access arrangements, however that posting
pre-dates the launching of Win7 by some two years...
Having jumped ten years from W2K to W7 I'm not about
to throw away two years without 'some' caution;~)
It's boilerplated for possible future use.
I have no problem with W7 accessing SME7.
-
piran:
IMO you should not worry about it.. M$ is trying to change the lock to avoid that you can use the old key :-)
there's nothing to worry about in changing access protocol to a SME share as long you consider your SME safe (and, sincerely, I pretty sure that SME is far more secure than every windows version ever seen here)
about
piran
> I'm just being cautious.
I think you are being overcautious & bordering on impractical.
You are entitled to your opinion and which
I respect but I would ask you not to judge me.
if you are so worried about security, you should stop using windows ;-)
-
if you are so worried about security, you should stop using windows ;-)
Have been trying to get off windows for years but those
NM$otine patches just aren't working;~) As a photographer
I have to go with the OS supported by the drivers and RAW
rendering engines. Anyway isn't ten years' of OS effectively
'sealed in aspic' proof enough for you;~) GIMP just doesn't
do it for me the way Photoshop did (I use Silkypix now).
Meanwhile I keep the boxes as far apart as I can configure.
-
Is SME 8 going to support PDC function and domain joining ?
Have someone succeed with "hacking" or update SME 7,4 to support this ?
Just browsing ibays and making batfiles sounds not like an professinal option.
Vagabonden
-
Is SME 8 going to support PDC function and domain joining ?
Have someone succeed with "hacking" or update SME 7,4 to support this ?
Just browsing ibays and making batfiles sounds not like an professinal option.
Vagabonden
you have been aswered in the other topic.. anyway, W7 joining SME 7.4 domain will not be supportes, as a new version of samba is needed and this feature will not be backported.
-
vagabonden & piran
See
http://forums.contribs.org/index.php/topic,45474.msg221096.html#msg221096
> Is SME 8 going to support PDC function and domain joining ?
Yes, sme8beta5 has support, so I assume this will become part of sme 8 final release.
If you want to use Win7 & sme as a PDC then you need to use sme8beta5. There is no other simple practical answer.
Regarding doing a lot of hacking & upgrading to a sme7.4, it would be fraught with problems, and you would be well advised to avoid that approach.
In comparison, you would have very few problems, if any, switching to sme8beta5. Although beta, it is well advanced and basic sme7.4 equivalent functionality (plus more) appears to be there and working.
An sme8beta5 PDC for Win7 would likely be more stable and more secure than a hacked sme 7.4 or 7.5, if it were possible to upgrade a 7.x server, which I doubt is possible as suitable rpms do not exist.
So for Win7 PDC requirements you either wait for sme8.0, or use sme8beta5 for more immediate needs.
-
vagabonden & piran
...nothing to do with me, my posts or interest.