<div dir="auto">Unsubscribe</div><div class="gmail_extra"><br><div class="gmail_quote">On Jun 8, 2017 11:01, "Christian Garling" &lt;<a href="mailto:christian.garling@cg-networks.de">christian.garling@cg-networks.de</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello list,</p>
<p>A few days ago we migrated our shares to a DFS cluster; we also
disabled the SMBv1 protocol. Now we are no longer able to connect to
the shares with our Linux workstations. The setup looks like this:</p>
<p>linux workstation -----> AD server (Windows Server 2008 R2)
-----> file server (Windows Server 2016, running in 2008 R2
compat mode)</p>
<p>I have searched the web for a solution over the last few days.
Mostly it came down to this:</p>
<p>Take care that smbclient, cifs-utils and keyutils are installed.
Also have these lines in /etc/request-key.conf:</p>
<pre class="m_6187947202675776312code-java">create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
</pre>
<p>My setup satisfies these requirements. I have tried the
connection with these commands (I replaced our domain with
<a href="http://example.com" target="_blank">example.com</a>):<br>
</p>
<pre>mount -v -t cifs //office.example.com/technik /mnt/dfs -o username=c.garling,domain=OFFICE,vers=2.0
mount -v -t cifs //office.example.com/technik /mnt/dfs -o username=c.garling,domain=OFFICE,vers=2.1
</pre>
<p>If I do so I can see this in tcpdump:</p>
<pre>100.392000390 192.168.23.107 -> 192.168.15.6 SMB2 172 Negotiate Protocol Request
100.393121936 192.168.15.6 -> 192.168.23.107 SMB2 318 Negotiate Protocol Response
100.393223968 192.168.23.107 -> 192.168.15.6 SMB2 190 Session Setup Request, NTLMSSP_NEGOTIATE
100.394178092 192.168.15.6 -> 192.168.23.107 SMB2 390 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
100.394295512 192.168.23.107 -> 192.168.15.6 SMB2 494 Session Setup Request, NTLMSSP_AUTH, User: OFFICE\c.garling
100.397795864 192.168.15.6 -> 192.168.23.107 SMB2 142 Session Setup Response
100.397895000 192.168.23.107 -> 192.168.15.6 SMB2 198 Tree Connect Request Tree: \\office.example.com\technik
100.398866908 192.168.15.6 -> 192.168.23.107 SMB2 143 Tree Connect Response, Error: STATUS_BAD_NETWORK_NAME
</pre>
<p>My client directly tries to connect to the share on 192.168.15.6,
but this is the AD server that should forward to 192.168.15.17
which is the file server.</p>
<p>I also traced the connection attempt with Wireshark. In the
request sent from my workstation I found this message in the
flags:</p>
<p>"This host does NOT support DFS."</p>
<p>We re-enabled SMBv1 for testing purposes. With SMBv1 the
connection to the DFS works with the command above but with vers=1.0.</p>
<p>I cannot figure out why DFS does not work when vers=2.0 or
vers=2.1 is used. We tested some different distros (Linux
Mint 18.1, Debian 8, Debian 9, Gentoo) with different kernel
versions.</p>
<p>Please ask me for further information, if I missed something.<br>
</p>
<p>Any help is welcome!</p>
<p>Regards, Christian Garling<br>
</p>
</div>
</blockquote></div></div>