Channel: File Services and Storage forum

Domain name needed when accessing a file share on a member server from a non-domain client


We have a small Windows domain with 2 DCs (1 Windows Server 2003 and 1 Windows Server 2008 R2), a file server which is a member server with WS2008R2, a couple of clients which are domain members, and a few clients which are not members of the domain (Windows, Linux, Mac mixed). To complicate things even further, the file server is connected to two separate networks: one is an internal one where the DC/internal DNS/domain clients/etc. are, the other is a public one with a standalone DNS server and a totally different DNS suffix for the network. [I know this is not supported, not recommended, etc. but I have to live with this setup:]

Users are accessing the file share from multiple clients, and since we moved the file share from one of the DCs to a member server, clients reported that they cannot access the file shares unless they type the name in domain\user format. I tried various setups in this deployment and with test virtual machines, and here are my observations:

  1. Client Win7 non-member + file server WS2003 DC: uses SMB, domain name is not needed
  2. Client Win7 non-member + file server WS2008R2 DC: uses SMB2, domain name is not needed
  3. Client Win7 non-member + file server WS2008R2 member server: uses SMB2, if no domain name is given, then access is denied
  4. Client Win XP non-member + file server WS2008R2 member server: uses SMB, if no domain name is given, then access is denied
  5. Client Mac OS X non-member + file server WS2008R2 member server: uses SMB, domain name is not needed
  6. Client Win7 non-member + file server WS2008R2 non-member: uses SMB2, adding remote machine name to the user name is not needed

In case 3, the following SMB2 messages are sent (as seen in Wireshark):

  • NegotiateProtocol Request/Response messages,
  • SessionSetup Response with NT Status: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE, NTLMSSP_CHALLENGE
  • SessionSetup Request, NTLMSSP_AUTH, user: clientmachinename\username
  • Here the file server makes an RPC call to the DC with the NetrLogonSamLogonEx operation and receives a response
  • SessionSetup Response, Error: STATUS_LOGON_FAILURE

The result is the same regardless of whether the non-domain member client tries to connect from the internal or the public adapter of the file server.

Is there a way to set e.g. the default domain for the file server so that it always tries to authenticate from the domain regardless of what name the client supplied?

Thanks for any help,

Zoltan
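Added example, not part of the original post: a small parser for the NTLMSSP_AUTH blob carried in the SessionSetup Request, useful for confirming from a capture which domain, user and workstation names the client actually sent. It flags the case 3 pattern where the domain field holds the client's own machine name; `build_sample` and the names `CLIENTPC` and `CORP` are constructed for illustration.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NegotiateFlags bit: strings are UTF-16LE when set

def _field(msg, hdr_off):
    """Read one security buffer header (Len, MaxLen, Offset) and return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, hdr_off)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def parse_authenticate(msg):
    """Extract domain, user and workstation from an NTLMSSP AUTHENTICATE message."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Assumption: cp437 stands in for the OEM code page when Unicode is not negotiated.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    domain = _field(msg, 28).decode(enc)
    user = _field(msg, 36).decode(enc)
    workstation = _field(msg, 44).decode(enc)
    return {
        "domain": domain, "user": user, "workstation": workstation,
        # True when the client put its own machine name in the domain field
        "domain_is_client_machine": bool(domain) and domain.upper() == workstation.upper(),
    }

def build_sample(domain, user, workstation):
    """Constructed test message: dummy LM/NT responses, Unicode strings, no Version/MIC."""
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    parts = [b"\x00" * 24, b"\x11" * 24] + strings + [b""]  # LM, NT, names, session key
    hdrs, payload, off = b"", b"", 64  # payload starts right after the 64-byte header
    for p in parts:
        hdrs += struct.pack("<HHI", len(p), len(p), off)
        payload += p
        off += len(p)
    return NTLMSSP_SIG + struct.pack("<I", 3) + hdrs + struct.pack("<I", NEGOTIATE_UNICODE) + payload
```
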

