David Hurst

PHP/MySQL, REALbasic, Javascript Developer

Connect Mac OS X to Windows 2003 server shared folders

Do you run a multi-platform network with a Windows 2003 server? If so, you may have found, with great irritation, that your Mac refuses to authenticate properly on shares held on a domain controller. It comes down to the way your Mac handles .local domains and to something called SMB signing on the server. Here’s how to fix it:

On your Mac, make sure you have all the latest updates from Software Update. Once it’s up to date, we need to enable unicast .local resolution. First of all, open your System Preferences and select the Network pane. Now double click on your Ethernet connection and select TCP/IP. In the DNS servers box, add a new line and type the internal IP address of your Windows Server. In the Search Domains box, type in your domain (e.g. mydomain.local). If there is an address next to IPv6, click the Configure IPv6 button and switch it off. Click Apply Now.

That’s that bit done. Now for some command line action. Open your Terminal - you will find this in Applications > Utilities. Follow these steps:

sudo su

You will be prompted for your password.

cd /usr/sbin

cat > EnableUnicastDotLocal

At this point you will not see a command prompt. Just enter the following four lines, pressing Enter after each:

#!/bin/tcsh
echo domain.local > /etc/resolver/local.1
grep -v '^domain' /etc/resolv.conf >> /etc/resolver/local.1
echo search_order 2 >> /etc/resolver/local.1

Now press Ctrl+D on your keyboard to get you back to the command prompt.

chmod +x EnableUnicastDotLocal

mkdir -p /etc/resolver

touch /etc/resolver/local.1

./EnableUnicastDotLocal

cat /etc/resolver/local.1

At this point you should get a display similar to the following:

domain.local
search mydomain.local
nameserver W.X.Y.Z
search_order 2
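
An added example (not part of the original guide or the Microsoft draft): the same resolver-file steps as POSIX shell functions that take the paths as parameters, so they can be tried on scratch files, plus a check that the result has the nameserver, search and search_order lines shown in the display above. The grep is anchored to '^domain' so that a search domain containing the word "domain" (such as mydomain.local) is not filtered out; the function names and the sample address 192.168.16.2 are assumptions.

```shell
#!/bin/sh
# Added example: build and check a per-domain resolver file on scratch paths.

# build_resolver RESOLV_CONF OUT_FILE
# Same three steps as the script above, with the paths as parameters.
build_resolver() {
    src=$1
    out=$2
    {
        echo "domain.local"
        # Anchored on purpose: an unanchored "grep -v domain" would also
        # drop "search mydomain.local", because that line contains "domain".
        grep -v '^domain' "$src"
        echo "search_order 2"
    } > "$out"
}

# check_resolver FILE
# Prints each problem found; returns 0 only when the file has the
# nameserver, search and search_order lines the expected display shows.
check_resolver() {
    f=$1
    rc=0
    grep -Eq '^nameserver[[:space:]]+([0-9]{1,3}\.){3}[0-9]{1,3}[[:space:]]*$' "$f" ||
        { echo "no IPv4 nameserver line"; rc=1; }
    grep -Eq '^search[[:space:]]+[^[:space:]]+\.local' "$f" ||
        { echo "no .local search domain"; rc=1; }
    grep -q '^search_order 2$' "$f" ||
        { echo "missing search_order 2"; rc=1; }
    return "$rc"
}

# Constructed sample resolv.conf (192.168.16.2 is a made-up server address).
scratch=$(mktemp -d)
printf '%s\n' 'domain mydomain.local' 'search mydomain.local' \
    'nameserver 192.168.16.2' > "$scratch/resolv.conf"

build_resolver "$scratch/resolv.conf" "$scratch/local.1"
cat "$scratch/local.1"
check_resolver "$scratch/local.1" && echo "resolver file looks complete"
```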

That’s all we need from the command line so we can quit Terminal now. Next open Applications > Utilities > Directory Access. Click SMB/CIFS and click Configure. Enter the NetBios name of the domain, e.g. MYDOMAIN, and in the WINS Server box type the internal IP of the server. Click Apply and close Directory Access.

That’s the Mac all configured. Now we just need to make a couple of policy changes on the Windows 2003 Server to switch off SMB signing.

On the server, click Start and then Server Management. In the console tree double click Advanced Management, double click Group Policy Management, double click Forest and then double click Domains.

Click the name of the local domain. In the console tree, right click the name of the local domain and then click Create and Link a GPO Here.

In the Name box, type SMB Signing Disabled as the name of the new GPO, and then click OK.

In the details pane, right click the SMB Signing Disabled GPO that you just created, and then click Edit. Group Policy Object Editor opens.

In the console tree of Group Policy Object Editor, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

In the details pane, scroll down to Microsoft network server: Digitally sign communications (always), and then double click it.

Select the Define this policy setting check box and then click Disabled.

Click OK.

Repeat the last three steps for Microsoft network server: Digitally sign communications (if client agrees).

Close Group Policy Object Editor.

In the Server Management console, right click SMB Signing Disabled and then click Enforced. Click OK to the confirmation message.

Look in the Linked Group Policy Objects window to make sure SMB Signing Disabled shows Yes for both Enforced and Link Enabled.

In the details pane, use the Up and Down arrows to move SMB Signing Disabled just above Default Domain Policy.

Now you will probably want to immediately apply these settings, so open a command prompt on the server and type:

gpupdate /force

And that’s it. Try connecting from your Mac clients now and you should find everything works.

This text was taken largely from a draft document by Microsoft published in 2004. As far as I’m aware they never finalised the document, which is a shame as it has several very basic errors in it. In my guide those errors are corrected.


2 Responses to “Connect Mac OS X to Windows 2003 server shared folders”


  1. OS X to Win2K3 sharing fix…
    Worked a treat thanks very much….

    Very useful tips.

  2. alan jeeves

    just got this working, thanks!

    although I couldn't find ‘Server Management’ so used
    ‘Group Policy Management’ applet in start - Administrative Tools.

    thanks again!
