Connecting from Windows 2000
Requirements:
- You must be using FacetWin Version 3.1.e (Build 444) or later.
  This contains the latest improvements for working with
  Windows 2000.
- You must have Windows 2000 Service Pack 2 (SP2) installed.
  This fixes important problems in the way the redirector
  interacts with the FacetWin server. It also fixes problems
  in the username and password alignment.
- You must not have a workaround flag that was only
  applicable to Windows 2000 without service packs.
  Please remove the following line, if it exists, from the
  FacetWin configuration file "facetwin.cfg":
      win2000_passwd_bug=YES
The Problem:
- Windows 2000 defaults to not having the ability to establish "plain text
  password" connections -- connections where the authentication password
  is transmitted across the network in clear, readable text.
  FacetWin's "pass_security=UNIX" option technically tries to establish
  "plain text password" connections.
The Solution:
- Either use one of the 3 other FacetWin "pass_security" options -- all 3
  will work with Windows 2000's no "plain text password" connection
  policy -- or enable "plain text password" connection ability as
  described below.
  See the "/usr/facetwin/facetwin.cfg" file for details
  about the "pass_security" configuration options.
Which is the best approach to take?
That really depends upon the situation, available resources, security
policy, etc.
If there is an NT Server that everyone logs into...
Then one of the easiest things to do is to have FacetWin use
the NT Server for password authentication. This is done with the
"pass_security=\\ntserver_name" option, where
"ntserver_name" is replaced with the NetBIOS
name of the NT Server. With this option, the Windows user names and
passwords must match those the NT Server has on record, and the user
names must be valid UNIX user names.
If there are only a few Windows 2000 machines...
The easiest approach may be to "EnablePlainTextPassword".
Other systems (DOS, Windows 3.x, Windows 95, Macintosh w/DAVE) that are
not having trouble connecting won't be affected by this and should
continue to connect normally. One drawback to this approach
is that you may have to re-enable plain text passwords if you
install later Service Packs, and new Windows 2000 machines will
also need to enable plain text passwords.
If this is a "trusted" network environment...
Then using the "pass_security=RHOST" option
might be the best approach. With this option, no passwords are sent
across the network and the connecting PC is trusted to supply the user
name used by the UNIX system for the connection. See the UNIX man pages
on "rhosts" or "hosts.equiv" for details about how to
implement this on the UNIX system. Usually it is just a matter of
adding each PC hostname to the "/etc/hosts.equiv"
file and perhaps also to a ".rhosts" file.
The PC hostname will need to be resolvable by the UNIX system.
If none of the above options are practical...
Then using the "pass_security=LANMAN" option
may be the best choice. With this option, a DES encrypted password
table (separate from "/etc/passwd") is created
and maintained with the "fct_encrypt" utility.
See "man fct_encrypt" for implementation details.
The Windows user passwords don't have to match the UNIX user passwords
and are only authenticated against the encrypted password stored in the
"fctpasswd" table. Passwords are encrypted
with a special DES crypt key before being transmitted across the network.
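
A pre-flight check for the settings discussed above, added here as an example and not FacetCorp's own code: it flags the obsolete "win2000_passwd_bug=YES" line and reports what the active "pass_security" value means for Windows 2000 clients. It assumes one "key=value" setting per line, as in the lines quoted on this page; the function names and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example (not FacetWin code): audit facetwin.cfg before Windows 2000 clients connect.
# Assumption: settings are one "key=value" per line, as in the two lines quoted on this page.

# cfg_value KEY FILE: print the value of the last active "KEY=value" line.
cfg_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# audit_facetwin_cfg FILE: print findings; return 0 if clean, 1 if action needed, 2 if unreadable.
audit_facetwin_cfg() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { printf 'ERROR: cannot read %s\n' "$cfg"; return 2; }

    flag=$(cfg_value win2000_passwd_bug "$cfg" | tr '[:lower:]' '[:upper:]')
    if [ "$flag" = "YES" ]; then
        printf 'FAIL: win2000_passwd_bug=YES is set; remove it once clients run SP2\n'
        rc=1
    fi

    mode=$(cfg_value pass_security "$cfg")
    case $(printf '%s' "$mode" | tr '[:lower:]' '[:upper:]') in
        UNIX)   printf 'WARN: pass_security=UNIX needs plain text passwords enabled on every Windows 2000 client\n'; rc=1 ;;
        RHOST)  printf 'NOTE: pass_security=RHOST sends no password; the PC is trusted via hosts.equiv/.rhosts\n' ;;
        LANMAN) printf 'OK: pass_security=LANMAN checks the encrypted fctpasswd table\n' ;;
        '\\'*)  printf 'OK: pass_security=%s uses an NT Server for authentication\n' "$mode" ;;
        '')     printf 'WARN: no pass_security line found\n'; rc=1 ;;
        *)      printf 'WARN: unrecognized pass_security value: %s\n' "$mode"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config (not a real site's file) to show the output.
sample=$(mktemp)
printf '%s\n' 'win2000_passwd_bug=YES' 'pass_security=UNIX' > "$sample"
audit_facetwin_cfg "$sample" || true
rm -f "$sample"
```

Run it on the UNIX host against "/usr/facetwin/facetwin.cfg"; a non-zero return means at least one setting needs attention before Windows 2000 clients will connect.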
To enable "PlainTextPassword" connections:
Windows 2000 has a menu option that should be used to enable plain
text passwords for SMB servers.
- Start -> Programs -> Administrative Tools
  We have seen some Windows 2000 systems that did not have
  Administrative Tools on the Programs menu. If it is not
  there, do:
      Start -> Settings -> Control Panel
      Select Administrative Tools
- On the Administrative Tools Folder, double-click Local Security Policy.
- On the Security Setting folder, click the plus sign next
  to Local Policies to expand it.
- Double-click Security Options.
- Scroll down to near the bottom of the list.
- Double-click "Send unencrypted passwords to connect to
  third-party SMB servers".
- Click the Enabled radio button.
- Click OK.
- Close the Local Security Settings Window.
- Shut down Windows 2000 and reboot.
- After rebooting, use the above procedure to check that
  "Send unencrypted passwords to connect to third-party SMB servers"
  shows both Local Setting and Effective Setting
  as Enabled.
You should now be able to connect to FacetWin File & Print
services using Windows 2000.
Possible connection error messages can be found in your system's syslog.
Please contact FacetCorp technical support
if you have any questions or trouble implementing any of this.