<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello list,</p>
<p>A few days ago we migrated our shares to a DFS cluster, and we
also disabled the SMBv1 protocol. Now we are no longer able to connect to
the shares with our Linux workstations. The setup looks like this:</p>
<p>linux workstation -----> AD server (Windows Server 2008 R2)
-----> file server (Windows Server 2016, running in 2008 R2
compat mode)</p>
<p>I have searched the web for a solution over the last few days.
Mostly it came down to this:</p>
<p>Take care that smbclient, cifs-utils and keyutils are installed.
Also have these lines in /etc/request-key.conf:</p>
<pre class="code-java">create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
</pre>
<p>My setup satisfies these requirements. I have tried the
connection with these commands (I replaced our domain with
example.com):<br>
</p>
<pre>mount -v -t cifs //office.example.com/technik /mnt/dfs -o username=c.garling,domain=OFFICE,vers=2.0
mount -v -t cifs //office.example.com/technik /mnt/dfs -o username=c.garling,domain=OFFICE,vers=2.1
</pre>
<p>If I do so I can see this in tcpdump:</p>
<pre>100.392000390 192.168.23.107 -> 192.168.15.6 SMB2 172 Negotiate Protocol Request
100.393121936 192.168.15.6 -> 192.168.23.107 SMB2 318 Negotiate Protocol Response
100.393223968 192.168.23.107 -> 192.168.15.6 SMB2 190 Session Setup Request, NTLMSSP_NEGOTIATE
100.394178092 192.168.15.6 -> 192.168.23.107 SMB2 390 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
100.394295512 192.168.23.107 -> 192.168.15.6 SMB2 494 Session Setup Request, NTLMSSP_AUTH, User: OFFICE\c.garling
100.397795864 192.168.15.6 -> 192.168.23.107 SMB2 142 Session Setup Response
100.397895000 192.168.23.107 -> 192.168.15.6 SMB2 198 Tree Connect Request Tree: \\office.example.com\technik
100.398866908 192.168.15.6 -> 192.168.23.107 SMB2 143 Tree Connect Response, Error: STATUS_BAD_NETWORK_NAME
</pre>
<p>My client directly tries to connect to the share on 192.168.15.6,
but this is the AD server that should forward to 192.168.15.17
which is the file server.</p>
<p>I also traced the connection attempt with Wireshark. In the
request sent from my workstation I found this message in the
flags:</p>
<p>"This host does NOT support DFS."</p>
<p>We re-enabled SMBv1 for testing purposes. With SMBv1 the
connection to the DFS works with the command above but with vers=1.0.</p>
<p>I cannot figure out why DFS does not work when vers=2.0 or
vers=2.1 is used. We tested some different distros (Linux
Mint 18.1, Debian 8, Debian 9, Gentoo) with different kernel
versions.</p>
<p>Please ask me for further information, if I missed something.<br>
</p>
<p>Any help is welcome!</p>
<p>Regards, Christian Garling<br>
</p>
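<p>Added example, not part of the original message: a small triage of the packet summary quoted above, reporting which authentication was used, whether the session was established, which host received the Tree Connect and whether any DFS referral lookup appears. The helper name <code>triage</code>, its <code>file_server</code> argument and the <code>FSCTL_DFS_GET_REFERRALS</code> display string are assumptions; the sample lines are copied from the post.</p>

```python
import re

# Constructed sample: the eight packet summary lines quoted in the post.
TRACE = r"""
100.392000390 192.168.23.107 -> 192.168.15.6 SMB2 172 Negotiate Protocol Request
100.393121936 192.168.15.6 -> 192.168.23.107 SMB2 318 Negotiate Protocol Response
100.393223968 192.168.23.107 -> 192.168.15.6 SMB2 190 Session Setup Request, NTLMSSP_NEGOTIATE
100.394178092 192.168.15.6 -> 192.168.23.107 SMB2 390 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
100.394295512 192.168.23.107 -> 192.168.15.6 SMB2 494 Session Setup Request, NTLMSSP_AUTH, User: OFFICE\c.garling
100.397795864 192.168.15.6 -> 192.168.23.107 SMB2 142 Session Setup Response
100.397895000 192.168.23.107 -> 192.168.15.6 SMB2 198 Tree Connect Request Tree: \\office.example.com\technik
100.398866908 192.168.15.6 -> 192.168.23.107 SMB2 143 Tree Connect Response, Error: STATUS_BAD_NETWORK_NAME
"""

# Groups: 1 = source, 2 = destination, 3 = info column.
LINE = re.compile(r"^\S+\s+(\S+)\s+->\s+(\S+)\s+SMB2\s+\d+\s+(.+)$")
STATUS = re.compile(r"Error:\s+(STATUS_\w+)")


def triage(trace, file_server):
    """Report how far an SMB2 mount attempt got (hypothetical helper).

    file_server: address of the host that really exports the share.
    """
    r = {"auth": None, "session_ok": False, "referral_requested": False,
         "tree": None, "tree_server": None, "tree_status": None}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-SMB2 line
        dst, info = m.group(2), m.group(3)
        status = STATUS.search(info)
        if "NTLMSSP" in info:
            r["auth"] = "NTLMSSP"
        if info.startswith("Session Setup Response") and not status:
            r["session_ok"] = True  # final leg of the handshake, no error
        # Assumption: a DFS referral lookup is displayed with this FSCTL name.
        if "FSCTL_DFS_GET_REFERRALS" in info:
            r["referral_requested"] = True
        if info.startswith("Tree Connect Request"):
            r["tree"] = info.split("Tree:", 1)[-1].strip()
            r["tree_server"] = dst
        elif info.startswith("Tree Connect Response"):
            r["tree_status"] = status.group(1) if status else "STATUS_SUCCESS"
    r["reached_file_server"] = r["tree_server"] == file_server
    return r


if __name__ == "__main__":
    for key, value in triage(TRACE, "192.168.15.17").items():
        print(f"{key:20} {value}")
```

<p>Run against the quoted trace with 192.168.15.17 as the file server, it reports an established NTLMSSP session, a Tree Connect sent to 192.168.15.6 that ends in STATUS_BAD_NETWORK_NAME, and no referral lookup.</p>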
</body>
</html>