[cifs-protocol] [REG:111051779565831] RE: dfs referral for sysvol and windows XP

Hongwei Sun hongweis at microsoft.com
Thu May 26 17:35:34 MDT 2011 

Matthieu,

  I used your complete trace (dfs2.pcap) to see the entire scenario.    The reason it falls back to NTLM from Kerberos  is because it cannot get the TGS ticket for SPN  (cifs/w2k8r2.home.matws.net).  The error is  KDC_ERR_S_PRINCIPAL_UNKNOWN.  Have you checked if the SPN has been registered properly ?

	339	3:34:02 PM 5/17/2011	24.0070710	XP  	ARES  	DFSC	DFSC:Get DFS Referral Request, FileName: \w2k8r2.home.matws.net\sysvol, MaxReferralLevel: 4
	340	3:34:02 PM 5/17/2011	24.0145370	ARES  	XP  	DFSC	DFSC:Get DFS Referral Response, NumberOfReferrals: 2 VersionNumber: 4

	488	3:34:22 PM 5/17/2011	43.8453860	XP  	ARES  	KerberosV5	KerberosV5:TGS Request Realm: W2K8R2.HOME.MATWS.NET Sname: cifs/w2k8r2.home.matws.net
	489	3:34:22 PM 5/17/2011	43.8507430	ARES  	XP  	KerberosV5	KerberosV5:KRB_ERROR  - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

   As far as the  DFS Referral version 4,  I can see one thing that doesn't meet the requirement to be a version 4 of DFS referral.   The TargetSetBoundary bit  in  ReferralEntryFlags  of the first referral response entry MUST be set to 1, as per section 2.2.4.4 of MS-DFSC.     In the both response entries returned from Samba , this bit is always 0.    

    - ReferralEntryFlags: 1024 (0x400)
       unused1:             (0000010000000...) - Unused
       TargetSetBoundary:   (.............0..) - The target corresponding to this referral entry is not the first target of a target set.
       NameListReferral:    (..............0.) - This is not a trusted domain or DC list referral
       unused2:             (...............0) - Unused

    Please let me know what you think.

Thanks!

Hongwei


-----Original Message-----
From: Matthieu Patou [mailto:mat at samba.org] 
Sent: Sunday, May 22, 2011 3:52 PM
To: Hongwei Sun
Cc: pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [REG:111051779565831] RE: [cifs-protocol] dfs referral for sysvol and windows XP

Hello Hongwei,

So the attached pcap show dfs referral traffic between a S4 and XP hosts.

Where we can see that XP is requesting a level 4 referral and that S4 answers to it with an answer following the specification.

After this XP is blocked or fallback to NTLM auth (not shown in this capture but in this one:  http://www.matws.net/mat/misc/dfs2.pcap.gz).

So I'm wondering if it's normal, maybe XP didn't appreciate the level 4 answers.

Matthieu.

On 19/05/2011 20:23, Hongwei Sun wrote:
> Hi, Matthieu,
>
>     I need some clarification about your question.  I have a problem to match the packets to what you have described.    The trace has only  6 packets.  The following are all the packets in the trace:
>
> 1	3:28:33 PM 5/17/2011	0.0000000	172.16.101.16	172.16.101.1	DFSC	DFSC:Get DFS Referral Request, FileName:<empty>, MaxReferralLevel: 3
> 2	3:28:33 PM 5/17/2011	0.0001600	172.16.101.1	172.16.101.16	DFSC	DFSC:Get DFS Referral Response, NumberOfReferrals: 2 VersionNumber: 3
> 3	3:28:33 PM 5/17/2011	0.1360020	172.16.101.16	172.16.101.1	DFSC	DFSC:Get DFS Referral Request, FileName: \w2k8r2.home.matws.net, MaxReferralLevel: 3
> 4	3:28:33 PM 5/17/2011	0.1434180	172.16.101.1	172.16.101.16	DFSC	DFSC:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
> 5	3:28:33 PM 5/17/2011	0.1440790	172.16.101.16	172.16.101.1	DFSC	DFSC:Get DFS Referral Request, FileName: \w2k8r2.home.matws.net\sysvol, MaxReferralLevel: 4
> 6	3:28:33 PM 5/17/2011	0.1514540	172.16.101.1	172.16.101.16	DFSC	DFSC:Get DFS Referral Response, NumberOfReferrals: 2 VersionNumber: 4
>
>     Could you explain more about the configuration of your testing , scenario as well as the behavior in question?    It will be better if you can point out the packets in question.
>
> Thanks!
>
> Hongwei
>
>
> -----Original Message-----
> From: cifs-protocol-bounces at cifs.org 
> [mailto:cifs-protocol-bounces at cifs.org] On Behalf Of Matthieu Patou
> Sent: Tuesday, May 17, 2011 4:09 PM
> To: Interoperability Documentation Help; pfif at tridgell.net; 
> cifs-protocol at samba.org
> Subject: [cifs-protocol] dfs referral for sysvol and windows XP
>
> Hello doc help,
>
> While revisiting the DFS implementation for samba I remade some tests with XP and It seems that when doing the last step in order to resolve \\domain.tld\sysvol.
> Even if we tend to send the same frame, XP comes to samba 4 when asking for a DC holding \\domain.tld\sysvol. So as we support this level we return entry for this level.
>
> But then it fails to connect to \\dc.domain.tld\sysvol and keep doing ntlm connection to \\domain.tld\sysvol.
>
> Is this "normal" ?
>
> I put another capture here: http://www.matws.net/mat/misc/dfs2.pcap.gz
> where we can clearly see that the client starts to do NTLM auth to connect to \\domain.tld.
>
> Thanks for your answers.
>
> Matthieu.
>
> --
> Matthieu Patou
> Samba Team        http://samba.org
> Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
>
>


--
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary

More information about the cifs-protocol mailing list