Document Sample
ConnectWindowsServer Powered By Docstoc
					               Connecting to a Windows Server
 The intended audience for this document is end-users. This document is currently LSA specific because the author
                       did not have access to domains outside LSA to test the instructions.

NOTE: Most people who want to use samba are trying to connect from home. This most likely
      will NOT work using Comcast's cable modems. All indications are that Comcast is
      blocking these ports.

• In the Finder, under to the GO menu, select CONNECT TO SERVER
• You can get to your server two ways: Direct and Browse

DIRECT using smb path

• In the SERVER ADDRESS field, type the path to your share point in the format


For Example, to get to the HOME space, use…  smb://
       …to get to the DEPARTMENT space, use… smb://
       …to get to the LAB space, use…        smb://

Tip: If you enter your Server Address, click on the + button to the right of the Server address to
     create a "Favorite" link, which will cut down typing time when you want to connect to this
     server again.

• Click the CONNECT button
• Log in using your uniqname and Windows password
• The Workgroup/Domain should say LSA (or UMROOT if you have been switched)
BROWSE through the realms and servers

• Click the Browse button in the Connect to Server window

• Click on the LSA domain, you will see a list of servers in LSA
• Click on the server you wish to connect to

• Log in using your uniqname and password
• The Workgroup/Domain should say LSA (or UMROOT if you have been switched)

• Select the share point you are looking for

NOTE: It is NOT recommended that you auto-mount servers. If you need to access the server on
      a regular basis, make an alias of the folder you want to access by holding down the
      OPTION-APPLE keys, then click on the folder and drag it to the desktop.
 I Can See my Folder but not the Files Inside
   The intended audience for this document is end-users. It is meant to explain why you can connect to an LSA
                      Windows server, but you cannot get access to folders on that server.

ITCS Kerberos passwords

Kerberos is a critical security tool that is meant to keep your internet-presence safe. It is a secure
means of authentication that ensures the privacy of your password through a number of
mechanisms. Many services use Kerberos. In this document, we will deal exclusively with two of
those services, email and network file storage.

When you log into email, Kerberos is working in the background to securely identify who you are.
To see Kerberos at work, go into your /Applications/Utilities folder and double click on the
Kerberos shortcut.

The Kerberos window will show you what services you have connected to. You may not have
realized it, but Kerberos may have connected you to many services, all working together to ensure
you get your mail in a secure fashion. YOUR KERBEROS "TICKET" WILL BE VALID FOR
TEN HOURS or until you "destroy" it. This is important as you will see in the discussion about
SMB/CIFS Filesystem authentication.
SMB/CIFS Filesystem Authentication

SMB/CIFS is the mechanism by which you connect to and transfer files to a Windows file servers.
It utilizes a different form of authentication, that, like Kerberos, works in the background connecting
you to the services you are trying to link to. When it is working correctly, you will see this window
appear when you select GO -> CONNECT TO SERVER.

ONLY when this window appears, are you able to connect to the LSA windows servers and get the
right permissions to access your folders. If this window does not appear, you will have to
"destroy" your Kerberos tickets first.

       - Open the Applications folder
       - Open the Utilities folder
       - Double-click on KERBEROS (you can add this to the dock for easy access)
       - Click DESTOY TICKETS

       - Try to connect to your LSA Windows server again (GO -> CONNECT TO SERVER)
Why this happens

While the ITCS office and the College of LS&A proceed toward single sign on (also known as
'Central Accounts'), we will occasionally experience "growing pains" until all systems are converted
over and all permissions begin to pass seamlessly across operating system platforms.

When you log onto email, you get Kerberos tickets. LSA has turned on "Kerberos trusting" to
their Windows servers. This means, as a server, you can connect to it. But, because Kerberos does
not pass through SMB/CIFS permissions for these servers, you can see the server, but you cannot
see files in your folder. In other words, you have access to the server, but as an
UNAUTHENTICATED user. Again, in the background, Kerberos is connecting you to many
services, including the LSA Windows servers as shown below:

How to help avoid the problem

When most people log into their computers, the first thing they check is email, thereby getting a
Kerberos ticket as soon as they log on. However, if you connect to your LSA Window servers
first, SMB/CIFS will authenticate you to the LSA Window servers with your full list of Windows
permissions to your folders. THEN you can access your email. By getting your SMB/CIFS
authentication first, Kerberos will not override the permissions you have already established.

If you are using a research lab computer or classroom computer, which does not use a local
machine account, you may be logging on WITH your Kerberos password. If you are logging into
the computer with your Kerberos password, this suggested method will not work because the entire
process of logging in activates Kerberos immediately. Instead, you will have to destroy your
Kerberos tickets in the method described above before trying to access your LSA Windows

Shared By: