Friday, February 13, 2009

Accessing Mac OS X or Linux shares with Windows Vista

When Vista was first introduced into the environment I manage, we had an issue with it connecting to a shared drive on a Mac OS X machine. I did some digging and found that it has to do with a change to a default setting in the local security policy on the Vista computer. Vista defaults to using only NTLMv2 for LAN Manager authentication, which is not supported in OS X (at least not 10.4, which is what we have). To enable sharing from an OS X 10.4 server to a Windows Vista machine, you must change the setting on the Vista machine.

1. Go to your Start menu, then into Control Panel
2. Change to classic view (upper left) if you haven't already, then select Administrative Tools
3. Open Local Security Policy
4. Navigate to Local Policies->Security Options
5. Scroll down towards the bottom, looking for the Network Security section
6. Double-click on the entry for "Network Security: LAN Manager authentication level", which should be set by default on "Send NTLMv2 response only"
7. Change the setting to "Send LM & NTLM - use NTLMv2 session security if negotiated" and click OK
8. Close the Local Security Policy editor, and also the control panel

Now try connecting to the Mac OS X share again and you shouldn't have any problems. We have a Red Hat Linux server as well and had no issues with the share on that; however, since OS X and Linux are so similar, I added Linux to the title of this post because I'm sure some flavors have the same issue. This should solve your problem with accessing the files and now you're free to do what you were going to

UPDATE 3/4/2009 - I had a user show up today and need access to a Mac share from a Vista laptop, and I found out that Vista Home versions do not come with the Local Security Policy editor. In order to make the necessary change on Vista Home, you must change the registry. You can do so by going to Start->Run, and then typing "regedit" and pressing Enter. Be aware that the registry is vital to the computer, so it is not recommended to directly edit it like this unless you're confident that you know what you're doing. Once in the Registry Editor, you need to navigate to HKEY_LOCAL_MACHINE->System->CurrentControlSet->Control->LSA. In there you should see a value called "LmCompatibilityLevel". That is what you need to change. Double-click on it to bring up the edit box. It should have a default value of 3, which corresponds to using "NTLMv2 authentication only". Change that value to 1, which corresponds to "Send LM & NTLM - use NTLMv2 session security if negotiated" and is what you need to use. Valid values are 0-3, and I originally found that in a Microsoft KB article, but I can't find the page anymore so you'll have to either take my word for it or try to dig it up yourself. If you do happen to find it, please comment back so I can add it to this post.
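
The Local Security Policy setting and the Vista Home registry edit both end up in the same LmCompatibilityLevel value, so the change can be scripted and reverted. The PowerShell below is an added example, not part of the original post; it saves the previous value before writing the new one. The function names and the backup file location are assumptions, and it must be run from an elevated prompt on a machine with PowerShell installed.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName  = 'LmCompatibilityLevel'
$BackupFile = Join-Path $env:TEMP 'LmCompatibilityLevel.previous.txt'   # assumed location

function Get-LmLevel {
    # Returns the configured level, or $null when the value is absent.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]($item.$ValueName)
}

function Get-LmLevelText($Level) {
    if ($null -eq $Level) { return 'not set (operating system default applies)' }
    switch ([int]$Level) {
        0       { 'Send LM & NTLM responses' }
        1       { 'Send LM & NTLM - use NTLMv2 session security if negotiated' }
        2       { 'Send NTLM response only' }
        default { 'Send NTLMv2 response only' }   # client behaviour at 3 and above
    }
}

function Set-LmLevel([int]$Level) {
    # 0-5 is the range Microsoft documents for this value.
    if ($Level -lt 0 -or $Level -gt 5) { throw 'Level must be between 0 and 5.' }
    $previous = Get-LmLevel
    $record = 'absent'
    if ($null -ne $previous) { $record = "$previous" }
    Set-Content -Path $BackupFile -Value $record      # remember what to restore
    New-ItemProperty -Path $LsaKey -Name $ValueName -Value $Level -PropertyType DWord -Force | Out-Null
    "Changed from '$(Get-LmLevelText $previous)' to '$(Get-LmLevelText $Level)'"
}

function Restore-LmLevel {
    if (-not (Test-Path $BackupFile)) { throw "No saved value at $BackupFile" }
    $record = (Get-Content -Path $BackupFile | Select-Object -First 1).Trim()
    if ($record -eq 'absent') {
        Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $LsaKey -Name $ValueName -Value ([int]$record) -PropertyType DWord -Force | Out-Null
    }
    "Restored: $(Get-LmLevelText (Get-LmLevel))"
}

# Read-only report of the current setting:
"Current: $(Get-LmLevelText (Get-LmLevel))"
# Set-LmLevel 1      # the value the post uses for the OS X 10.4 share
# Restore-LmLevel    # put the earlier value back once the share no longer needs it
```

Level 1 makes the client send LM and NTLM responses again, so `Restore-LmLevel` is there to return the machine to its earlier setting when access to the older share is no longer required.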
