5

We are in the process of upgrading our domain from Windows 2000 to Windows 2003.

We have a few old DOS machines that need to be able to access a share on a server on the domain. We are using MS Lan Manager 2.2a, and everything works fine on the 2000 domain.

Is this possible? Are there any specific settings we need to change?

The command we are using from the DOS PC is:

net logon username password /DOMAIN:domainname /y

The error that occurs:

NET3779 Your logon attempt has failed due to an incorrect username or password.

[I've checked the error NET3779, and it talks about invalid characters in the PC name, which doesn't seem at all connected]

I've tried setting the LAN Manager auth level to "Send LM & NTLM - Use NTLMv2 session if negotiated" and I've disabled "Do not store LAN manager hash value on next password change" from advice I found online and it didn't make any difference. I've also tried setting "Digitally sign communications (always/if server agrees)" to disabled and that didn't help.

Is it even possible to connect DOS PCs to Windows Server 2003 domains? What do I need to do?

Dennis Williamson
Simon P Stevens

5 Answers

2

When I last used this sort of technique it was booting from a floppy or USB flash drive. I used

net use G: \\servername\sharename

in the autoexec.bat and then typed in a valid username and password when prompted. Any other settings were in the protocol.ini or system.ini file. I'd have to go dig those up to see but I'm assuming the domain was specified in one of those.

Is your net logon statement in the autoexec.bat?

I definitely have the files on another drive and have a Server 2003 domain I could try it on to confirm but it might take me a few days to get the chance to test it.

It's probably worth noting that the "DOS" I'm using on my newest device is from the Windows XP boot floppy. Prior to that I used the "DOS" from 98se boot floppy. At some point a few years ago I hit a situation where the 98se DOS wouldn't work and had to upgrade to the XP DOS.

OK, I haven't tested it to see if it works yet but covering the concept of what is on the disk we have (I'll leave out the custom settings):

Config.sys

device=c:\net\ifshlp.sys
dos=high,umb
lastdrive=z


Autoexec.bat

@ECHO OFF
SET DIRCMD=/O:GN
path=c:\;c:\net
c:\net\net initialize
c:\net\netbind.com
c:\net\umb.com
c:\net\tcptsr.exe
c:\net\tinyrfc.exe
c:\net\nmtsr.exe
c:\net\emsbfr.exe
c:\net\net start
net use G: \\servername\sharename
G:

protocol.ini

;modify netcard=, lana0=, the device specific section, and bindings= if used with any other NIC.


[network.setup]
version=0x3110
;netcard=ms$elnk3,1,MS$ELNK3,1
;netcard=el90x$,1,EL90X$,1
netcard=e1000$
transport=tcpip,TCPIP
;lana0=ms$elnk3,1,tcpip
;lana0=el90x$,1,tcpip
lana0=e1000$,1,tcpip

;this section is device specific
;[EL90X$]
;DRIVERNAME=EL90X$
;MAXTRANSMITS=40

[E1000$]
DRIVERNAME = E1000$

;[ms$elnk3]
;DRIVERNAME=ELNK3$
; IOADDRESS=0x300
; SLOT=1
; MAXTRANSMITS=6

[protman]
drivername=PROTMAN$
PRIORITY=MS$NDISHLP

[tcpip]
NBSessions=6
DefaultGateway0=
SubNetMask0=
IPAddress0=
DisableDHCP=0
DriverName=TCPIP$
;BINDINGS=ms$elnk3
;BINDINGS=EL90X$
BINDINGS=E1000$
LANABASE=0

Note I didn't strip out sections about different NIC drivers.

system.ini

[network]
filesharing=no
printsharing=no
;autologon=yes
autologon=no
computername=asdfg
lanroot=C:\NET
username=testid
;modify workgroup= if used with any other domain
workgroup=DOMAINNAME
passwordcaching=no
reconnect=no
dospophotkey=N
lmlogon=0
logondomain=DOMAINNAME
preferredredir=full
autostart=full
maxconnections=8

[network drivers]
;modify netcard= if used with any other NIC.
;netcard=elnk3.dos
;netcard=EL90X.DOS
netcard=e1000.dos
transport=tcpdrv.dos,nemm.dos
devdir=C:\NET
LoadRMDrivers=yes

[Password Lists]
*Shares=C:\net\Share000.PWL

Note the domain name is the "short" domain name. So if your domain is seen as "company with a long name" and "COMPANY" just use the short one.

Now there are a ton of other files involved on the boot disk, but the settings that matter, based on how you were trying to do it versus how I do it, are the "net use" statement and the autologon= setting.

I'll give it a shot today and let you know what happens.

I'm getting logged on to the domain but when I try the net use statement I get Error 5: Access has been denied. Let me check some things and see if I can get it to work.

pplrppl
  • What do you mean by XP boot floppy? I tried to make an XP boot floppy (Went to format A drive, and checked the make boot disc option) but it doesn't include the net command so I tried copying the net command on manually, but it says "This program cannot be run in DOS mode". – Simon P Stevens Oct 14 '09 at 15:33
  • The net.exe I'm using shows as 10-14-96 1:38a and is about 450kb. If you are grabbing net.exe from a modern source it won't run in DOS. service1.symantec.com/SUPPORT/ghost.nsf/… might be a good place to find the old files. I haven't tried that particular download since I've had these files for years. – pplrppl Oct 20 '09 at 14:18
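
The comment at the top of the protocol.ini above says that netcard=, lana0=, the device-specific section and bindings= all have to change together for a different NIC. A small checker for that, added here as an example and not code from the answer; the function names, the constructed sample input and the name-length heuristic are assumptions of this sketch:

```python
import configparser

# Constructed sample: trimmed copies of the answer's two files, with one
# deliberate mistake (bindings= still names the commented-out 3Com driver).
PROTOCOL_INI = """\
[network.setup]
netcard=e1000$
lana0=e1000$,1,tcpip
[E1000$]
DRIVERNAME = E1000$
[tcpip]
BINDINGS=EL90X$
"""
SYSTEM_INI = """\
[network]
computername=asdfg
workgroup=DOMAINNAME
passwordcaching=no
logondomain=DOMAINNAME
"""

def _load(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def lint(protocol_ini, system_ini):
    """Return a list of findings; an empty list means no mismatch was found."""
    p, s = _load(protocol_ini), _load(system_ini)
    findings = []
    sections = {name.lower() for name in p.sections()}
    card = p.get("network.setup", "netcard", fallback="").split(",")[0].lower()
    lana = p.get("network.setup", "lana0", fallback="").split(",")[0].lower()
    bind = p.get("tcpip", "bindings", fallback="").lower()
    if card not in sections:
        findings.append(f"netcard={card} has no [{card}] section")
    if lana != card:
        findings.append(f"lana0 names {lana}, netcard names {card}")
    if bind != card:
        findings.append(f"bindings names {bind}, netcard names {card}")
    for key in ("computername", "workgroup", "logondomain"):
        value = s.get("network", key, fallback="")
        # Heuristic: a NetBIOS name is at most 15 characters; a dot suggests a DNS name.
        if len(value) > 15 or "." in value:
            findings.append(f"{key}={value} does not look like a short NetBIOS name")
    if s.get("network", "passwordcaching", fallback="no").lower() == "yes":
        findings.append("passwordcaching=yes: passwords may be cached in the .PWL file")
    return findings
```

Run `lint()` on the real files from the boot disk before writing it to a floppy; the sample above reports the stale bindings= line.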
1

Perhaps you need to enable lmhash on the 2003 domain servers for backwards compatibility?

This site might give some clues (here)

Ooh...nevermind...more info for you...here and here. Maybe they can give more info.

Bart Silverstrim
  • Thanks, but that doesn't fix it. We've tried setting "Do not store LAN manager hash value on next password change" to disabled. (And we changed the account password and rebooted after changing the setting). – Simon P Stevens Oct 14 '09 at 13:09
  • The other two links aren't giving clues either? It may be that the lanman client just won't do it anymore. Maybe there's a way to get DOS to authenticate to a Linux system running Samba? – Bart Silverstrim Oct 14 '09 at 13:21
  • This might help too http://www.petri.co.il/forums/showthread.php?t=24336 – Bart Silverstrim Oct 14 '09 at 13:25
  • No, sorry, I've tried everything in all those links. I've changed the NTLM & NTLMv2 settings and I've disabled SMB signing. I'm starting to suspect that it just isn't possible. None of those forum links have successful conclusions. Have you actually ever seen this done? – Simon P Stevens Oct 14 '09 at 13:39
  • Nope. I haven't run into too many people authing DOS against AD lately. But if you have the LanMan client it should work against SAMBA, so I didn't know if depending on your situation you might find a way to set up a SAMBA server that could "chain" authentication from DOS->SAMBA->AD. Otherwise you might be out of luck. – Bart Silverstrim Oct 14 '09 at 13:55
  • Thanks, I'm not sure that SAMBA is really an option. I'll pass the suggestion on to our IT department, but I suspect they won't go for that. It's not something I can just do without their approval. Thanks for your suggestions though. – Simon P Stevens Oct 14 '09 at 14:10
1

Is your password "complex"? If so, it may not be an invalid computer name, so much as an invalid password ... just a thought. Try resetting your password to something trivial.

Joseph Kern
0

Maybe it's time to look at using a DOS emulator like DOSBox to run whatever it is you need to run in DOS. Even if you do manage to hack it together now, it's likely to get harder and harder to manage as time goes on.

AnonJr
  • We are planning to move it up to windows soon anyway, but there are some other issues (with serial ports and printers) that require some code rework to run in windows, so we were just hoping for a quick temporary solution by leaving the PC as DOS for now until we are ready with the code change. Thanks though. – Simon P Stevens Oct 21 '09 at 12:55
  • DOSBox has been used to successfully emulate DOS for legacy business apps despite its "gaming" roots. You should be able to run what you need in emulation and still get access to the domain etc. via the Windows host. – AnonJr Oct 21 '09 at 14:58
0

Could it be that the domain name is actually too long? If it's DOS 6.22, I believe it still only has character support for a max of 8 characters (including directory and computer names). Therefore wouldn't you need to use something like this for logging on:

net logon username password /DOMAIN:domain~1 /y

and ensuring that all usernames and passwords are only 8 characters in length. This could be why it's saying you have invalid characters. They aren't invalid, but just too many.

I remember having to do that all the time working in DOS with directories created in Win95.

  • No, this isn't the problem. Our test domain name is only 7 characters long. Also, the existing 2000 domain is 13 characters long and DOS connects fine to that. Thanks for the idea though. – Simon P Stevens Oct 21 '09 at 12:49