2003 domain controller won't share to non-domain computers


I really need help on this, I've been trying to fix this for 3 days and I'm not getting anywhere, I can't find anything wrong, and I can't find anything through Google.

This is a production server, it's been working fine for almost a year.

This is a Windows 2003 x64 R2 primary domain controller.

Saturday, I applied some critical updates and rebooted it, and now (for file sharing) it won't authenticate me from any machine that is NOT a member of the domain.

Example: I log in from a computer on the domain and open \\server\share\ and it works fine.

I try to log in from a laptop or home computer that is not a member of the domain, and it won't accept the username \ password.

However, I know the password is good and there is IP connectivity because from the laptop I can ping the server, RDP into it, and access Exchange Server. It just rejects the username / password without any explanation or error if I try to access a share.

This problem affects multiple accounts.

I already know what some of the responses are going to be, so I'll go ahead and clear these up:

1. Firewalls are not an issue, I've tried disabling them.

2. I have all the syntax right, I've tried username, username@domain and domain\username, nothing works.

3. I am definitely 100% using the right password.

4. IP connectivity to the server is fine.

5. This was working fine, it quit working Saturday, apparently.

I'm afraid one of the updates changed some security setting but I have no idea which one.



Do you use a username and password to log on to the non-domain PC? If not, then set a password for the local account you are using to log into Windows and then try accessing some shares on your domain. It works in our network. Try disabling simple file sharing on the non-domain PC as well if the first suggestion doesn't work.

To disable simple file sharing:

In Windows Explorer click on TOOLS>FOLDER OPTIONS>VIEW and uncheck the very last checkbox.

Edited by yamum

Someone didn't by chance change the LM level of the domain, did they? If the domain is set to 'Send NTLMv2 response only\refuse LM & NTLM' then you can have these types of problems. Run the Resultant Set of Policies MMC (Start > Run > rsop.msc) on the domain controller and navigate to the following location:

Console Root>username on computername>Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options

Once you get there, look for the 'Network security: LAN Manager authentication level' policy and see what the effective setting is.

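The policy named in the post above is stored in the registry as `LmCompatibilityLevel` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`. As an added example (not part of the thread), this PowerShell script reads the local value and models which response types a client at one level sends against what a domain controller at another level accepts. The function names and the client 0 / DC 5 scenario are constructed for illustration.

```powershell
# Added example: compare LAN Manager authentication levels on a client and a DC.
# Level names follow the 'Network security: LAN Manager authentication level' policy.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$PolicyName = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-LocalLmLevel {
    # Returns the configured level, or $null when the value is absent
    # (the OS default then applies, and it differs between Windows versions).
    $p = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($p) { [int]$p.LmCompatibilityLevel } else { $null }
}

function Get-SentResponses([int]$ClientLevel) {
    # Response types a client at this level sends.
    if ($ClientLevel -le 1) { return @('LM', 'NTLM') }
    if ($ClientLevel -eq 2) { return @('NTLM') }
    return @('NTLMv2')
}

function Get-AcceptedResponses([int]$DcLevel) {
    # Response types a domain controller at this level accepts.
    if ($DcLevel -le 3) { return @('LM', 'NTLM', 'NTLMv2') }
    if ($DcLevel -eq 4) { return @('NTLM', 'NTLMv2') }
    return @('NTLMv2')
}

function Test-NtlmCompatibility([int]$ClientLevel, [int]$DcLevel) {
    # Authentication can succeed if at least one sent type is accepted.
    $usable = @(Get-SentResponses $ClientLevel |
        Where-Object { (Get-AcceptedResponses $DcLevel) -contains $_ })
    New-Object PSObject -Property @{
        ClientPolicy = $PolicyName[$ClientLevel]
        DcPolicy     = $PolicyName[$DcLevel]
        Usable       = $usable -join ', '
        WillAuth     = ($usable.Count -gt 0)
    }
}

# Constructed scenario: client left at level 0, DC raised to level 5.
Test-NtlmCompatibility -ClientLevel 0 -DcLevel 5 | Format-List
"Local LmCompatibilityLevel: $(Get-LocalLmLevel)"
```

Run it on both the non-domain client and the domain controller, then pass the two reported levels to `Test-NtlmCompatibility`; the value read from the registry is the configured one, so confirm the effective policy with rsop.msc as the post describes.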

The event viewer doesn't say anything about it, it's really aggravating.

It may be a policy, or a registry setting.

I remember years back, XP came out with this auto update that broke something to do with roaming profiles and a Samba server. It turned out to be some policy thing, but it was a nightmare to figure out.


What about a network trace from a client of this happening, to see what kind of auth the client is sending, and the 403 response from the server should tell us what level of auth the server is requiring (they'll likely not match).
