Connecting to a Windows Server

The intended audience for this document is end-users. This document is currently LSA specific because the author did not have access to domains outside LSA to test the instructions.

NOTE: Most people who want to use Samba are trying to connect from home. This most likely will NOT work using Comcast's cable modems. All indications are that Comcast is blocking these ports.

• In the Finder, under the GO menu, select CONNECT TO SERVER
• You can get to your server two ways: Direct and Browse

DIRECT using smb path

• In the SERVER ADDRESS field, type the path to your share point in the format
  smb://<server-name>.lsa.umich.edu/<share>

  For example, to get to the HOME space, use…
  smb://LSA-F1.lsa.umich.edu/
  …to get to the DEPARTMENT space, use…
  smb://LSA-F2.lsa.umich.edu/psych
  …to get to the LAB space, use…
  smb://LSA-F3.lsa.umich.edu/psych

  Tip: After you enter your Server Address, click on the + button to the right of the Server Address field to create a "Favorite" link, which will cut down typing time when you want to connect to this server again.
• Click the CONNECT button
• Log in using your uniqname and Windows password
• The Workgroup/Domain should say LSA (or UMROOT if you have been switched)

BROWSE through the realms and servers

• Click the Browse button in the Connect to Server window
• Click on the LSA domain; you will see a list of servers in LSA
• Click on the server you wish to connect to
• Click CONNECT
• Log in using your uniqname and password
• The Workgroup/Domain should say LSA (or UMROOT if you have been switched)
• Select the share point you are looking for

NOTE: It is NOT recommended that you auto-mount servers. If you need to access the server on a regular basis, make an alias of the folder you want to access by holding down the OPTION-APPLE keys, then click on the folder and drag it to the desktop.

I Can See my Folder but not the Files Inside

The intended audience for this document is end-users.
It is meant to explain why you can connect to an LSA Windows server but cannot get access to folders on that server.

ITCS Kerberos passwords

Kerberos is a critical security tool that is meant to keep your Internet presence safe. It is a secure means of authentication that ensures the privacy of your password through a number of mechanisms. Many services use Kerberos. In this document, we will deal exclusively with two of those services: email and network file storage.

When you log into email, Kerberos is working in the background to securely identify who you are. To see Kerberos at work, go into your /Applications/Utilities folder and double-click on the Kerberos shortcut. The Kerberos window will show you what services you have connected to. You may not have realized it, but Kerberos may have connected you to many services, all working together to ensure you get your mail in a secure fashion.

YOUR KERBEROS "TICKET" WILL BE VALID FOR TEN HOURS or until you "destroy" it. This is important, as you will see in the discussion about SMB/CIFS Filesystem Authentication.

SMB/CIFS Filesystem Authentication

SMB/CIFS is the mechanism by which you connect to and transfer files to Windows file servers. It uses a different form of authentication that, like Kerberos, works in the background to connect you to the services you are trying to reach. When it is working correctly, you will see this window appear when you select GO -> CONNECT TO SERVER.

ONLY when this window appears are you able to connect to the LSA Windows servers and get the right permissions to access your folders. If this window does not appear, you will have to "destroy" your Kerberos tickets first.
- Open the Applications folder
- Open the Utilities folder
- Double-click on KERBEROS (you can add this to the dock for easy access)
- Click DESTROY TICKETS
- Try to connect to your LSA Windows server again (GO -> CONNECT TO SERVER)

Why this happens

While the ITCS office and the College of LS&A proceed toward single sign-on (also known as 'Central Accounts'), we will occasionally experience "growing pains" until all systems are converted over and all permissions begin to pass seamlessly across operating system platforms.

When you log onto email, you get Kerberos tickets. LSA has turned on "Kerberos trusting" to their Windows servers. This means that you can connect to the server. But, because Kerberos does not pass through SMB/CIFS permissions for these servers, you can see the server, but you cannot see files in your folder. In other words, you have access to the server, but as an UNAUTHENTICATED user.

Again, in the background, Kerberos is connecting you to many services, including the LSA Windows servers as shown below:

How to help avoid the problem

When most people log into their computers, the first thing they check is email, thereby getting a Kerberos ticket as soon as they log on. However, if you connect to your LSA Windows servers first, SMB/CIFS will authenticate you to the LSA Windows servers with your full list of Windows permissions to your folders. THEN you can access your email. By getting your SMB/CIFS authentication first, Kerberos will not override the permissions you have already established.

If you are using a research lab computer or classroom computer, which does not use a local machine account, you may be logging on WITH your Kerberos password. If you are logging into the computer with your Kerberos password, this suggested method will not work because the entire process of logging in activates Kerberos immediately.
Instead, you will have to destroy your Kerberos tickets using the method described above before trying to access your LSA Windows servers.