Networking (2 QU's Answered)


Nothing? Nobody? :unsure:

Ok. Disregard all posts so far except Post #1 / Question #1 and this post.

I have been troubleshooting this for a while now and the closest lead I have so far is this:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000001
"AutoShareWKS"=dword:00000001

This is what makes the shares visible -- even without these keys they are visible by default, but changing the value to "0" makes them disappear. Now I ran a scan with GFI LANguard on some of the PCs that work -- and I received a "possible security" issue in the registry. That location being the previously mentioned one, stating that it allows Domain Admins unlimited access to the hard drive. So I figured, knowing this key already, perhaps by forcing this reg value into one of the clients that seems to deny access -- perhaps I might get somewhere. Imported / Restarted -- Nothing. :realmad:

So. That's where I am at. Maybe more ideas will spawn from this...Thanks for everything guys!!

Well, have you gotten a network trace of a failed SMB connect to a C$ share, or a failed Remote Registry connect attempt? If the reg entries are there, the services are running, and no firewall or TCP filtering is enabled, the next step is a network trace to see what is coming along the wire (preferably run at the same time on both the connecting machine and the machine being connected to).



Honestly, I wasn't quite sure what you meant. So I used one of my port sniffers (York) that works as Network Trace software to essentially do what you requested (I believe). My results from both ends show queries from each other such as:

COMPUTERNAME(client) <-> COMPUTERNAME(host)   Shared Network Folder   896 Byte
COMPUTERNAME(host)   <-> COMPUTERNAME(client) Shared Network Folder   896 Byte

Where COMPUTERNAME is the name of the Domain Workstation -- client / host being the problem computer and the computer accessing it. Shared Network Folder is the Query type I am given (like DHCP/Telnet/ICMP), and the Byte number I am only assuming is the packet size for the data being sent/received??

With some honestly strange results that frankly mean nothing to me as I am undereducated when it comes to subnet masking:

computername.domain.local <-> 224.0.0.251   Shared Network Folder   1392 Byte

From here I personally do not know where to move. But hopefully someone else can decipher this?

Edited by Brennen

Well, actually I was talking about using Wireshark or Network Monitor to capture all packets between the hosts. However, it's interesting to see what amounts to a UDP request to a multicast address during the transaction - another reason to see the actual network trace, because something is happening between the machines that we'll probably not see without all of the packets back and forth.
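
The checks named in the replies above (the two registry values, the services, and whether the machine is actually serving SMB), gathered into one read-only report that can be run on a working PC and on a refusing PC and compared. This is an added example, not something posted by anyone in the thread; it assumes PowerShell 3.0 or later and, for `Get-NetTCPConnection`, Windows 8 / Server 2012 or later.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Run in an elevated PowerShell session on the machine being checked.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$report   = [ordered]@{ ComputerName = $env:COMPUTERNAME }

# 1. AutoShareServer / AutoShareWKS. An absent value leaves the default in
#    effect; per the thread, a value of 0 makes the admin shares disappear.
$params = Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue
foreach ($name in 'AutoShareServer', 'AutoShareWKS') {
    $prop = if ($params) { $params.PSObject.Properties[$name] }
    $report[$name] = if ($null -eq $prop) { 'not set (default)' } else { $prop.Value }
}

# 2. Services that C$ access and Remote Registry depend on.
foreach ($svc in 'LanmanServer', 'RemoteRegistry') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $report["Service:$svc"] = if ($s) { $s.Status.ToString() } else { 'not installed' }
}

# 3. Administrative shares that currently exist (C$, ADMIN$, IPC$, ...).
$adminShares = Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Name -match '^([A-Za-z]|ADMIN|IPC)\$$' } |
    Select-Object -ExpandProperty Name
$report['AdminShares'] = if ($adminShares) { $adminShares -join ', ' } else { 'none' }

# 4. Is anything listening for SMB on TCP 445?
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$report['Listening445'] = [bool]$listener

# One object per machine, so two runs can be diffed with Compare-Object.
[pscustomobject]$report | Format-List
```

A difference between the two reports narrows the problem before taking the packet capture; identical reports point back at the network trace suggested above.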
