Connectivity using SMB
Symptoms
- When connecting to Windows Server shares from a Mac you receive an error similar to "Connection failed because the original item could not be found"
- Authentication persistently fails to a Windows Server from a Mac with known good credentials
- "Server could not be found" errors
- You can authenticate to your Windows share but your files are not showing up
- You can authenticate to your Windows share and see files but you are unable to transfer files, modify files, transfer large files or all of the above.
- You receive -36 errors in conjunction with "Wrong user name or password"
- Your file server is part of a Windows 2008 Cluster and your 10.5 and 10.6 machines are unable to connect to shares, whereas your 10.4 clients can connect without an issue.
By default, domain controllers have “Digitally Sign Communications (always)” enabled for network clients and servers (prior to a server being promoted to a DC this setting will be disabled; 2008 R2 only enables this for servers). When this is the case, a Mac running Tiger (10.4.x) or below will not be able to authenticate to a Windows server. After entering your credentials you’ll receive an error along the lines of “server could not be found,” when clearly the server is there because it asked you to authenticate. The cause is SMB signing, and it is an easy fix on both 2003 and 2008.
Alternately, in Mac OS 10.5 or 10.6 you may have issues saving files to the server after you've authenticated (some of these issues may have been or will be resolved by Apple OS Software Updates). The symptoms differ between the two: 10.6 can copy small files to the server using the Finder, but when copying larger files the Finder acts as if the copy finished and then leaves a 0kb file on the server. Mac OS 10.5 may authenticate and list files but have read-only access to the server.
Another known issue that occurs after authentication is not being able to see all of your folders, or any of your folders, when connected to a Windows share. This also causes 10.6 machines to be unable to copy larger files to the server. Alternately, you may have very slow logins. This has something to do with the port usage in Samba on the Mac OS X side and may or may not be resolved by upcoming patches in 10.5 and 10.6. There's a simple workaround, but it can cause problems for those of you who browse to your servers or shares using the network browser in the Finder. See "Adding the SMB Port to Connection String" for 10.5 and 10.6 below. Similarly, if you're not seeing all of your file shares when browsing a share on a Windows XP computer, you may not be able to see all the files and folders (particularly within the Documents and Settings folder). In this case you may have "simple file sharing" enabled, which prevents enabling Full Control for Everyone within the share permissions (not the security permissions).
With Windows Server 2008 new security lock downs have produced new connectivity/authenticatio
Resolutions
Windows 2003/2008/Vista/7 Adjustments - Disabling SMB Signing
Microsoft network client: Digitally sign communications (always) set to disabled
Microsoft network server: Digitally sign communications (always) set to disabled
- Go to the file server
- Start
- Run
- type gpedit.msc and hit OK
- Within GPEDIT go to Computer Configuration
- Windows Settings
- Security Options
- Local Policies
- Find the aforementioned policies in the right hand pane and set them to disabled
Windows XP - If you're unable to view certain files and folders when connecting to a Windows XP share from Mac OS X make sure "Simple File Sharing" is not enabled and you have given the Everyone user Full Access under the share permissions:
- Click Start, and then click My Computer.
- On the Tools menu, click Folder Options.
- Click the View tab.
- In the Advanced Settings section, click to clear the Use simple file sharing (Recommended) check box.
- Click OK.
- Once you've completed the above steps, go to the properties of the share
- Click on the Sharing tab
- Click the Permissions button
- Check the checkbox to allow Everyone Full Control for the share permissions
*Note: Use the security tab to limit permissions to specific users
Mac OS X 10.5/10.6 - Adding the SMB Port to Connection String
- Open the Go menu and choose Connect to Server (Command+K)
- In the Server Address field type smb://YOURSERVER:139 or smb://YOURSERVER:139/YOURSHARE
Windows 2008/Vista/7 Adjustments - By default Windows 2008 Server (not R2) sends only NTLMv2 responses. This prevents authentication from Macs and non-updated versions of Windows XP.
- Go to the file server
- Start
- Run
- type gpedit.msc and hit OK
- Within GPEDIT go to Computer Configuration
- Windows Settings
- Security Options
- Local Policies
- In the right pane scroll to Network Security: LAN Manager Authentication level
- Change it from "Send NTLMv2 response only" to "Send LM & NTLM - use NTLMv2 session security if negotiated"
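Both Group Policy changes above (turning off required SMB signing and lowering the LAN Manager authentication level) relax the server's security policy, so it is worth recording what each host is actually set to before and after the change. The following PowerShell is an added example, not part of the original article; it only reads the registry values that back these three policies, and the "Relaxed" column is a label introduced here.

```powershell
# Added example (not from the original article). Read-only audit of the
# registry values behind the three policies changed above.
# Run in an elevated PowerShell session on the file server.

# Names of the LAN Manager authentication levels as shown in Group Policy
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$checks = @(
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Path   = "$services\LanmanWorkstation\Parameters"
       Name   = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Path   = "$services\LanmanServer\Parameters"
       Name   = 'RequireSecuritySignature' },
    @{ Policy = 'Network security: LAN Manager authentication level'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name   = 'LmCompatibilityLevel' }
)

$report = foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }

    if ($null -eq $value) {
        # Value absent: the operating system's built-in default is in effect
        $state = 'Not set (OS default applies)'; $relaxed = $null
    } elseif ($c.Name -eq 'LmCompatibilityLevel') {
        # Below 3 the host no longer sends NTLMv2 responses only
        $state = $lmLevels[[int]$value]; $relaxed = ([int]$value -lt 3)
    } else {
        # 1 = signing required ("always" enabled), 0 = not required
        $state = if ($value -eq 1) { 'Enabled' } else { 'Disabled' }
        $relaxed = ($value -ne 1)
    }
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; Policy = $c.Policy
        Value = $value; State = $state; Relaxed = $relaxed
    }
}
$report | Select-Object Computer, Policy, Value, State, Relaxed | Format-List
```

Keeping the output from before and after the change gives you a record of which servers had signing or NTLMv2-only turned off for Mac compatibility, so the settings can be restored once the clients no longer need them.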
Windows 2008 Cluster Servers
From: Macintosh 10.x client cannot connect to File Server on Windows 2008 Failover Cluster
With MAC OS 10.4 we've seen it work correctly with Win2008 Clustered file shares.
With MAC OS 10.5 there appears to be a change to the client where it only tries the IP Address, and never tries the NetBIOS name or FQDN. And in turn does not work with Win2008 Clustered file shares.
This same issue is apparent in Mac OS 10.6 with recent experience and none of our numerous attempted workarounds were sufficient. After contacting Microsoft support on the issue they confirmed it would not work due to the quoted issue above. The workaround and recommended solution is to use Group Logic's ExtremeZIP.
Connectivity Using AFP
Symptoms
- You're unable to authenticate to your Windows 2003 server AFP shares
- You have read-only access to your Windows 2003 server AFP shares
- Trouble with long file names or deep folder structures using AFP to your Windows 2003 server
In Windows 2003 it’s easy enough to install Apple File Sharing from Add/Remove Programs and create Macintosh file shares in addition to your Windows shares. After you have AppleTalk installed, when you go to create a share within Computer Management you’ll be given the option to create Apple shares and Windows shares. Once you’ve created your Mac share you may find that when you go to mount your share you receive the same authentication error as you did when trying to mount the share over SMB. There’s an easy fix for this as well.
Resolutions
AFP/Windows Authentication
- On the file server right click on My Computer and go to “Manage”
- right click on "Shared Folders"
- Select "Configure File Server for Macintosh"
- Under Security “Enable Authentication”
- Select “Apple Clear Text or Microsoft”
- Click OK
Now that you're able to authenticate to the server over AFP, you may find you're stuck with read-only permissions no matter what you do. This is another simple fix.
AFP/Windows Read-Only
- On the file server right click on My Computer and go to “Manage”
- Expand "Shared Folders"
- Select "Shares"
- In the list of shares find your Mac share
- Right click on your mac share and go to "Properties"
- Under SFM Volume Security un-check “This volume is read-only”
- Click OK
AFP/Windows Character and File Name Limitations
There are a couple of limitations when using AFP. Some characters that are allowed in file names on the Mac aren't allowed in file names in Windows. The following characters are not allowed in Windows file names and there’s a 31 character file name length limitation.
Additional Tips
If you're having trouble copying large files or any files to a Windows share, you can often copy the files using the Terminal with rsync or the cp command. The issue with Snow Leopard not being able to copy large files has something to do with the Finder and not the actual connection.
If you're having trouble seeing files and folders even after the suggested changes, or you're having trouble with files and folders on the Windows machines after Macs have begun using Windows file shares, you should check your shared files/folders for leading or trailing spaces and/or unsupported characters in the file names.
Closing
With the current exception of SMB file sharing in Windows 2008 Failover Clusters, file sharing between Mac OS X and Windows can be accomplished with few problems. Although, if you can afford it, I recommend using ExtremeZIP or a Mac OS X server to reduce issues caused by sharing files over SMB or Windows 2003's AFP and to prevent small unavoidable cross-platform issues. If you need to back up your files from the Windows side, ExtremeZIP is a great alternative to introducing a Mac server in your environment and has worked flawlessly for me in all versions of Windows server.
If you're concerned about security in disabling these functions you should read the article below named "So what is SMB Signing all about?"
Links and Sources
Apple Discussion - Topic : Mac OS X 10.4: Error -36 alert displays when connecting to a Windows server
MacWindows - Snow Leopard File Sharing Issues and Reports
MacWindows - Mac OS X 10.5 Leopard Cross-platform Issues
TechNet Social - Macintosh 10.x client cannot connect to File Server on Windows 2008 Failover Cluster
Apple Support - Mac OS X: How to connect to Windows File Sharing (SMB)
MSMVPS KWSupport - So what is SMB Signing all about?
TechNet - Network security: LAN Manager authentication level
TechNet - Microsoft network client: Digitally sign communications (always)
Tech Republic - Allow Windows Vista, Server 2008 systems to interact with older Samba installations
Mac OS X Hints - Fix a Vista to Mac failure to connect problem Network
Group Logic ExtremeZIP
Disable Simple File Sharing in XP