Non-domain computer authenticating on a domain computer to use SMB/CIFS shares

Solution 1

Turns out the domain had a policy in place to only use NTLMv2 (as expected for stronger security), which Windows XP will not use by default. I had to make the following registry change on the non-member computer to use NTLMv2. Local Security Policy is not available to make this change, as it's the home edition of Windows XP.

Registry path: HKLM\System\CurrentControlSet\Control\Lsa

Setting name: LmCompatibilityLevel

Default value: 0 (Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.)

Required value: 5 (Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2.)

More information on this setting

The non-member computer now accesses SMB/CIFS shares on the domain instantly using the classic "create the same local user on the domain with the same password" trick.
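
The mismatch described in Solution 1, as an added example that is not part of the original answer: a small Python model of the documented LmCompatibilityLevel values, showing which response types a client at each level sends and which a domain controller at each level accepts. It covers all six levels rather than only 0 and 5; the function names are hypothetical, and treating each response type independently is a simplifying assumption.

```python
"""Model of the documented LmCompatibilityLevel values (0-5). Added example."""

ALL = {"LM", "NTLM", "NTLMv2"}

# Response types a machine sends when it acts as a client, per level.
CLIENT_SENDS = {
    0: {"LM", "NTLM"},   # Windows XP default, as noted in the answer
    1: {"LM", "NTLM"},   # same responses, NTLMv2 session security if negotiated
    2: {"NTLM"},
    3: {"NTLMv2"},
    4: {"NTLMv2"},
    5: {"NTLMv2"},
}

# Response types a domain controller accepts, per level.
DC_ACCEPTS = {
    0: ALL, 1: ALL, 2: ALL, 3: ALL,
    4: {"NTLM", "NTLMv2"},   # refuses LM
    5: {"NTLMv2"},           # refuses LM and NTLM
}


def usable_responses(client_level, dc_level):
    """Return the response types the client sends that the DC will accept."""
    for level in (client_level, dc_level):
        if level not in CLIENT_SENDS:
            raise ValueError(f"LmCompatibilityLevel must be 0-5, got {level!r}")
    return set(CLIENT_SENDS[client_level]) & set(DC_ACCEPTS[dc_level])


def min_client_level(dc_level):
    """Lowest client level whose responses the DC still accepts."""
    return min(c for c in CLIENT_SENDS if usable_responses(c, dc_level))


def report(dc_level):
    """One line per client level: does authentication have a usable response?"""
    lines = []
    for c in sorted(CLIENT_SENDS):
        ok = usable_responses(c, dc_level)
        verdict = "OK via " + "/".join(sorted(ok)) if ok else "REFUSED"
        lines.append(f"client level {c} -> DC level {dc_level}: {verdict}")
    return lines


if __name__ == "__main__":
    # The page's scenario: domain policy only accepts NTLMv2 (DC level 5).
    print("\n".join(report(5)))
```
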

Solution 2

Behavior of stored user names and passwords

APPLIES TO

  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional

Author: Adambean

Updated on September 18, 2022

Comments

  • Adambean over 1 year

    Long story short: One of my home servers has a share called "Profiles", in which everyone here has their own folder (of which they can only access) they can use to sync or backup their Windows profile to, along with other personal files they want a backup of on another computer instantly accessible or sync-able if needed. Users can pretty much use their personal folder on this share as they please, as it's on a multi-TB disk.

    However there is a computer not a member of the domain due to it running Windows XP Home. It is not my computer so it's not for me to change the OS, however I would like it to be able to access SMB/CIFS shares stored on this server for the purpose of backing up his personal files (or ideally everywhere on the domain). Authentication always fails when attempting to use a share on the domain, even though the user exists on the active directory with the correct password matching that of the local user on the non-member computer.

    Before I was using Active Directory at home, users were able to authenticate on other computers transparently by using the "create the user with the same password on multiple computers" trick. This no longer works since Active Directory's arrival.

    I have also tried mapping shares as drive letters whilst making use of "Login as a different user" specifying various computers, such as the server computer's name, domain NetBIOS name, and domain DNS name prior to the username as "\", but none work.