Connecting from Windows XP

Requirements:

1. You must be using FacetWin Version 3.1.g (Build 448) or later.

   This contains the latest improvements for working with Windows 2000 and XP.

The Problem:

Windows XP defaults to not having the ability to establish "plain text password" connections -- connections where the authentication password is transmitted across the network in clear, readable text.

FacetWin's "pass_security=UNIX" option technically tries to establish "plain text password" connections.

The Solution:

Either use one of the 3 other FacetWin " pass_security" options -- all 3 will work with Windows XP's no "plain text password" connection policy, or you can enable "plain text password" connection ability as described below .

See the " /usr/facetwin/facetwin.cfg" file for details about the " pass_security" configuration options.

Which is the best approach to take?

That really depends upon the situation, available resources, security policy, etc.

 

---

 

If there is a NT, 2000 or XP Server that everyone logs into...

• Then one of the easiest things to do is to have FacetWin use the NT Server for password authentication. This is done with the " pass_security=//ntserver_name" option, where " ntserver_name" is replaced with the NetBIOS name of the NT, 2000 or XP Server. With this option, the Windows user names and passwords must match what the NT, 2000 or XP Server thinks and the user names must be valid UNIX user names.

If there are only a few Windows XP machines...

• The easiest approach may be to " EnablePlainTextPassword". Other systems (DOS, Windows 3.x, Windows 95, Macintosh w/DAVE) that are not having trouble connecting won't be affected by this and should continue to connect normally. One drawback to this approach is that you may have to re-enable plain text passwords if you install later Service Packs and new Windows XP machines will need to enable plain text passwords also.

If this is a "trusted" network environment...

• Then using the " pass_security=RHOST" option might be the best approach. With this option, no passwords are sent across the network and the connecting PC is trusted to supply the user name used by the UNIX system for the connection. See the UNIX man pages on " rhosts" or " hosts.equiv" for details about how to implement this on the UNIX system. Usually it is just a matter of adding each PC hostname to the " /etc/hosts.equiv" file and perhaps also to a " .rhosts" file. The PC hostname will need to be resolvable by the UNIX system.

If none of the above options are practical...

• Then using the " pass_security=LANMAN" option may be the best choice. With this option, a DES encrypted password table (separate from " /etc/passwd") is created and maintained with the " fct_encrypt" utility. See " man fct_encrypt" for implementation details. The Windows user passwords don't have to match the UNIX user passwords and are only authenticated against the encrypted password stored in the " fctpasswd" table. Passwords are encrypted with a special DES crypt key before being transmitted across the network.

---

To enable "PlainTextPassword" connections:

Windows XP Professional has menu options (below) that should be used to enable plain text passwords for SMB servers.   The Windows XP Home edition requires manual addition of this "xp.reg" registry key.

1. Start -> Programs -> Administrative Tools

   We have seen some Windows XP systems that did not have Administrative Tools on the Programs menu. If it is not there do:

   Start -> Settings -> Control Panel
   Select Administrative Tools

2. On the Administrative Tools Folder, double-click Local Security Policy.
3. On the Security Setting folder, click the plus sign next to Local Policies to expand it.
4. Double-click Security Options.
5. Scroll down to near the bottom of the list.
6. Double-click -> Microsoft network client: Send unencrypted passwords to connect to third-party SMB servers
7. Click the Enabled radio button.
8. Click OK
9. Close the Local Security Settings Window
10. Shut down Windows XP and reboot.
11. After rebooting, use the above procedure to check that
    Microsoft network client: Send unencrypted passwords to connect to third-party SMB servers shows the Local Security Setting set to Enabled.

You should now be able to connect to FacetWin File & Print services using Windows XP. Possible connection error messages can be found in your system's syslog.

Please contact FacetCorp technical support if you have any questions or trouble implementing any of this.