DOS 6.22 connecting to Server 2008

  • Question

  • I found a thread here on technet that said

    "You will have to relax security (a lot) in order to be able to access files from a DOS workstation.  Unless you have "Network access: Allow anonymous SID/name translation" enabled in Group Policy, you will have to allow permissions not only to EVERYONE, but also to ANONYMOUS.  There are other setting involving Digital Signing and Encryption, and Network Access that might have to be relaxed."
                                                                                                      -bnborg.

    I have disabled "Network access: Allow anonymous SID/name translation". I've added permissions to ANONYMOUS LOGON. I've changed Everyone permissions to mean ANONYMOUS. I've turned off SMB signing. The server allows LM connections. Half of the Security in both the Default Domain Policy and the Default Domain Controllers Policy is disabled and I am still getting error 5 access is denied.

    I know this is a silly idea in the first place but I'm at gunpoint so it has to be done. Novell and CA-Clipper were involved for the last 15 or so years... Happy days.
    Wednesday, June 17, 2009 8:38 AM

Answers

  • I got it working. Here is how:

    Network Security: Do not store LAN Manager hash value on next password change - DISABLE
    Network Security: LAN Manager authentication level - SEND LM & NTLM - USE NTLM v2 IF NEGOTIATED

    Restart server.
    Reset password of the user for dos in active directory.
    • Marked as answer by aggrovendor Wednesday, June 24, 2009 7:11 AM
    Wednesday, June 24, 2009 7:11 AM
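
An added example, not part of the original thread: a Python check over the text of a `secedit /export /cfg` file that reports which of the settings relaxed in this thread are in effect on a server, so the weakened state can be tracked and reverted once the DOS client is retired. The sample export is constructed, and the choice of which values count as weakened is an assumption of this example.

```python
import configparser

# Registry-backed policies relaxed in this thread, keyed by their lowercased
# name in the [Registry Values] section of a secedit export.
# Each entry: (policy label, predicate that is True when the value is weakened).
LSA = r"machine\system\currentcontrolset\control\lsa"
SRV = r"machine\system\currentcontrolset\services\lanmanserver\parameters"
CHECKS = {
    LSA + r"\nolmhash": ("Do not store LAN Manager hash value", lambda v: v == 0),
    # Levels 0-2 still send LM or NTLM (v1) responses.
    LSA + r"\lmcompatibilitylevel": ("LAN Manager authentication level", lambda v: v < 3),
    LSA + r"\msv1_0\ntlmminserversec": ("Minimum session security (servers)", lambda v: v == 0),
    SRV + r"\requiresecuritysignature": ("Server: digitally sign (always)", lambda v: v == 0),
}

def audit(inf_text):
    """Return [(policy label, value)] for weakened settings found in the export."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(inf_text)
    findings = []
    if cp.has_section("Registry Values"):
        for key, raw in cp.items("Registry Values"):  # keys arrive lowercased
            if key not in CHECKS:
                continue
            reg_type, _, data = raw.partition(",")    # e.g. "4,1" = REG_DWORD, 1
            if reg_type.strip() != "4":
                continue
            label, is_weak = CHECKS[key]
            if is_weak(int(data)):
                findings.append((label, int(data)))
    # Anonymous SID/name translation is stored under [System Access].
    if cp.get("System Access", "LSAAnonymousNameLookup", fallback="0").strip() == "1":
        findings.append(("Allow anonymous SID/name translation", 1))
    return findings

# Constructed sample mirroring the state described in the thread.
SAMPLE = r"""
[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""

if __name__ == "__main__":
    for label, value in audit(SAMPLE):
        print(f"WEAKENED: {label} = {value}")
```

A real export is normally UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`.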

All replies

  • You can't be working for a commercial organization. You're at gunpoint.???.. you should be holding them at gunpoint ..
    I take it you are trying to connect via IP and not IPX ;-)

    Are you using the NDIS 2.0 drivers or the Novell 32-bit client drivers to map your drives?
    Is name resolution working ok with NetBIOS?

    On the GPO side... you've checked all these?

    Domain member: Digitally encrypt or sign secure channel data (always) - Disabled
    Domain member: Digitally encrypt secure channel data (when possible) - Disabled
    Domain member: Digitally sign secure channel data (when possible) - Disabled
    Domain member: Require strong (Windows 2000 or later) session key - Disabled
    Microsoft network client: Digitally sign communications (always) - Disabled
    Microsoft network server: Digitally sign communications (always) - Disabled
    Microsoft network server: Digitally sign communications (if client agrees) - Disabled
    Network security: LAN Manager authentication level - LM & NTLM responses
    Network security: Minimum session security for NTLM SSP based (including secure RPC) clients - No minimum
    Network security: Minimum session security for NTLM SSP based (including secure RPC) servers - No minimum
    Thursday, June 18, 2009 11:32 AM
  • Thanks for the reply Mylo,

    It is a commercial organisation.................. One that I am glad that I will be leaving very soon :P

    I am using IP and the NDIS driver to connect. I get an IP address via DHCP and pinging the server works.

    I checked the list of things you have mentioned and I did have

    Domain member: Digitally encrypt secure channel data (when possible)       Not Defined
    Domain member: Digitally sign secure channel data (when possible)            Not Defined

    I changed that but I still got error 5: access denied. 

    btw, this is running on Virtual PC 2007. I don't think that it should make any difference. The server and the DOS 6.22 are both running on it. It's a test environment for the real server that is arriving in about a week or so. The old Novell 4.2 server is dead and buried. Something to do with being at gunpoint during an argument about network speed ;-P

    Any ideas what to do next? :S

    Thursday, June 18, 2009 2:35 PM
  • Aggrovendor,

    I'm going to give this a whirl.... one of the nice things about a DOS VM is it's pretty quick to install :0)
    Couple of other things.. can you post exactly what you are trying to do... is it a NET USE command with the Error 5: Access Denied that is failing?

    The anonymous enumeration btw is for the benefit of actually being able to see the domain resources... I trust you are trying to access resources using a user ID and password?

    Can you post your details..

    Thx,
    Mylo
    Thursday, June 18, 2009 7:22 PM
  • Thanks again Mylo,

    I am using the popup that comes up when you just type NET to connect with the basic redirector. I have also used the full redirector and when it connects at the start it asks for a username and then a password and a domain password. I just tried net use like this:

    NET USE X: \\WIN-GVF1SA7LZIL\CLIPPER 

    and it asked for me to login with the basic redirector and then it gave error 5 again. It also said the password was invalid. Now I checked the domain controller and reset the password. I also just entered a blank password since the client is probably showing up as anonymous on the server. It still did nothing for me. I also tried the Administrator account and password.

    I bet that it's going to be something silly that I'm doing wrong :P

    Thanks,
    Adam.
    Friday, June 19, 2009 7:08 AM
  • Adam,

    Can you post your PROTOCOL.INI and SYSTEM.INI from your DOS Client?
    Are you logging in with DOMAIN\USER rather than just USER?

    Regards,
    Mylo
    Friday, June 19, 2009 8:53 PM
  • Hi Mylo,

    I tried DOMAIN/USER but it gives "error 2202: The user name or groupname parameter is invalid." I googled the error and found a thread on the Symantec forums that was similar to this one but on Server 2003. It basically says that DOS won't connect to a domain controller. This machine is a domain controller. Do you know if that is true? (Link) Here is my PROTOCOL.INI and SYSTEM.INI:

    PROTOCOL.INI

    [network.setup]
    version=0x3110
    netcard=DC21X4,1,DC21X4,1
    transport=tcpip,TCPIP
    lana0=DC21X4,1,tcpip

    [TCPIP]
    NBSessions=6
    SubNetMask0=255 0 0 0
    IPAddress0=0 0 0 0
    DisableDHCP=0
    DriverName=TCPIP$
    BINDINGS=DC21X4
    LANBASE=0

    [protman]
    DriverName=PROTMAN$
    PRIORITY=MS$NDISHLP

    [DC21X4]
    DriverName=DC21X4$
    SLOT=16


    SYSTEM.INI

    [network]
    sizworkbuf=1498
    filesharing=no
    printsharing=no
    autologon=yes
    computername=DOSCLIENT
    lanroot=C:\NET
    username=ADAM
    workgroup=WORKGROUP
    reconnect=yes
    dospophotkey=N
    lmlogon=1
    logondomain=ADAMDOMAIN
    preferredredir=full
    autostart=full,popup
    maxconnections=8

    [network drivers]
    netcard=dc21x4.dos
    transport=tcpdrv.dos,nemm.dos
    devdir=C:\NET
    LoadRMDrivers=yes

    [386enh]
    TimerCriticalSection=5000
    UniqueDosPSP=TRUE
    PSPIncrement=2

    [Password Lists]
    *Shares=C:\NET\Shares.PWL
    ADAM=C:\NET\ADAM.PWL
    ADMINISTRATOR=C:\NET\ADMINIST.PWL
    ADAMDOMAIN\ADAM=C:\NET\ADAMDOMA.PWL

    Thank you again for the help,
    Adam.

    Monday, June 22, 2009 7:13 AM
  • Thank you for your help Mylo.
    Wednesday, June 24, 2009 8:36 AM
  • Aggrovendor,

    You're welcome. I was looking at this last night. It's the LMHash that's the clincher.... the NDIS client stores the hash...

    Now that you've demonstrated that you can resolve their problems, here's hoping that they'll listen to you when you explain to them the error of their ways :-)

    Regards,
    Mylo
    Wednesday, June 24, 2009 7:33 PM
  • Adam,

    I have a similar project and I would like to thank you for finding a solution to connect a DOS workstation to Windows 2008 server. The project I have is to design a diskless DOS workstation (no floppy or hard drive) to connect to the Windows 2008 server using PXE or BOOTP. I wonder if you can share ideas on how best to approach it.

    Regards,
    David.

     

     

    Friday, June 26, 2009 6:01 PM
  • Hi David,

    Maybe you should make a new thread for this. You might have an easier time finding the answer that way. Regardless, what is your plan so far?
    Saturday, June 27, 2009 9:54 AM
  • WOW! Thanx for your hard work on this. It really saved my bacon. I just did the same thing on a Windows 2008 R2 x64 server and it worked like a charm! Thanx.

    While I hate having to use DOS for networking (or at all really) sometimes you can't get away from it.


    Thanx!
    Kizan
    Friday, September 18, 2009 3:13 PM
  • Hi Kizan,

    You're welcome, it's good to hear that this helped some other people out.

    I have since managed to get the company using Windows 98 instead of DOS. It's not perfect either but you can use SMB signing and NTLM2 with a little bit of registry modification and Active Directory Client Extensions for Windows 9x. Kerberos is not supported. All but one program works on Windows 98. It's an old program that uses certain parts of memory to raster graphics. We contacted the company and purchased a newer version.

    You should have a look and see if it works for you.

    Here are two articles that should help you achieve this if you would like to pursue this.

    Connecting Windows 9x and NT  to Server 2003 (worked fine for me with 2008): http://support.microsoft.com/kb/555038

    Hardening Windows 98: http://technet.microsoft.com/en-us/library/cc750830.aspx

    Regards,

    Adam. 

    Saturday, September 19, 2009 10:47 AM
  • Mylo,

     

    I just recently had a consultant help me upgrade my domain from 2000 to 2008.

    I was using Ghost imaging and needed to allow DOS networking for downloading images off our servers.  So one of the items to verify was this access.

    He did some googling and found out that only MSDOS would work and PCDOS that comes with Symantec Ghost wouldn't.

    Tested it out with my boot disks using Win98 DOS and it failed.

    We put in a Group Policy object on the PDC in which we enabled "Network access: Allow anonymous SID/Name translation".

    It worked fine after that with Win98 and MSDOS 6.22.

    I just tried to ghost a machine a few weeks back and couldn't get onto my network using my DOS boot disks. 

    In further testing I found that a few of my domain admins and a few other users could get onto the network just fine but not my user login any longer.

    I tried modifying this policy with yours and Adam's suggestions here and still haven't made any progress.

    Using the net view or net view /workgroup:wgname command I always get Error 6118: The list of servers for this workgroup is not currently available.


    Can you make any suggestions to help me out?


    Thanks, 

    mikej



    Tuesday, December 22, 2009 12:37 AM