After installing Microsoft security update MS16-077, Windows clients fail to connect to remote NetWare and OES CIFS servers.

  • 7017821
  • 06-Jul-2016
  • 08-Jul-2016

Environment

Novell NetWare 6.5
Novell Open Enterprise Server 2 (OES 2) Linux
Novell Open Enterprise Server 11 (OES 11) Linux

Situation

After applying Microsoft security update MS16-077, Windows clients fail to connect to remote NetWare and OES CIFS servers.

Details about this security update are available at https://support.microsoft.com/en-gb/kb/3161949.

Resolution

The following solutions can be applied:

Solution 1:     

Upgrade to OES2015 or OES2015SP1.

Solution 2:     

Configure the following registry setting, as documented in the information about the Windows security update:

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value Name: AllowNBToInternet
Type: DWORD
Value: 1

Solution 3:

Configure an entry for the OES server in the lmhosts file (C:\Windows\System32\drivers\etc\lmhosts).

Solution 4:

Set up a WINS server and configure the OES CIFS server and the Windows clients to use the WINS server.

Cause

Until Windows NT, the SMB/CIFS protocol (application layer) relied on NetBIOS (session layer).

Since the introduction of Active Directory on Windows 2000, SMB/CIFS no longer relies on NetBIOS and runs directly on TCP (transport layer), which is also known as "direct hosting SMB".

Instead of the NetBIOS Name Service, DNS is used for name resolution. The SMB/CIFS service on NetBIOS can be reached at TCP port 139 (NetBIOS Session Service), and direct hosting SMB can be reached at TCP port 445.

If the NetBIOS protocol has been enabled in the TCP/IP configuration of Windows, the Windows SMB client connects to the SMB/CIFS service at TCP port 139 if it has resolved the host name of the SMB/CIFS server via the NetBIOS Name Service (WINS, broadcast or lmhosts file), and it connects to the SMB/CIFS service at TCP port 445 if it has resolved the host name of the SMB/CIFS server via DNS.

Until the security update, the Windows SMB client tried to establish a NetBIOS Session Service connection at TCP port 139 if it failed to establish a direct hosting SMB connection at TCP port 445.

Since the security update, the Windows SMB client no longer falls back to NetBIOS when it fails to establish a direct hosting SMB connection.

Until OES11SP2, the Novell CIFS server is a NetBIOS-only implementation of the SMB/CIFS protocol.
Since OES2015, the Novell CIFS server also supports direct hosting SMB.

Hence, upon installation of the Microsoft Security Update, the Windows SMB client will fail to connect to the Novell (NetBIOS) CIFS server on OES11SP2, older versions of OES, or NetWare, if DNS is used for name resolution and if the OES server does not reside in the same subnet as the Windows workstation.
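To find out which servers are exposed to this behaviour, the following added example (not part of the original document, and not Novell or Microsoft code) probes the two TCP ports described above and classifies each server. The function names, the labels and the 2-second timeout are assumptions of this example, and an accepted TCP connection is taken to mean the corresponding SMB/CIFS service is listening.

```python
#!/usr/bin/env python3
"""Classify an SMB/CIFS server by which TCP transports it accepts."""
import socket
import sys

DIRECT_SMB_PORT = 445   # direct hosting SMB
NETBIOS_SSN_PORT = 139  # NetBIOS Session Service

# Explanations printed by the command-line wrapper (wording is this example's).
ADVICE = {
    "direct-hosting": "accepts TCP 445; clients resolving it via DNS can connect",
    "netbios-only": "accepts only TCP 139; patched clients that resolve it via "
                    "DNS will not fall back, so apply one of the solutions",
    "unreachable": "neither port answered; check routing, firewall and service",
}


def port_open(host, port, timeout=2.0):
    """Return True if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


def classify_smb_server(host, direct_port=DIRECT_SMB_PORT,
                        netbios_port=NETBIOS_SSN_PORT, timeout=2.0):
    """Return 'direct-hosting', 'netbios-only' or 'unreachable'."""
    if port_open(host, direct_port, timeout):
        return "direct-hosting"
    if port_open(host, netbios_port, timeout):
        return "netbios-only"
    return "unreachable"


if __name__ == "__main__":
    # Usage: python3 smbcheck.py server1 [server2 ...]
    for name in sys.argv[1:]:
        result = classify_smb_server(name)
        print(f"{name}: {result} ({ADVICE[result]})")
```

Run it from a workstation in the same network segment as the affected clients, since a firewall between the probe host and the server changes what is reachable.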

Additional Information