Authentication problems using libsmbclient to traverse DFS links
rbrowne at estreet.com
rbrowne at estreet.com
Fri Apr 6 15:10:35 GMT 2007
Hi,
This was posted this morning on the general Samba list
this morning, but I was advised
to post it here too. I'm adding a
little more info ...
I'm trying to create a map of DFS links
to actual
server/share's. I know that you can get this
information by logging
on to the DFS root server, but I'm trying to
use the libsmbclient API to
get this information.
I have
created a fairly simple DFS
structure on 2003 servers with everything
on the same domain.
//MyDomain/DFSRoot
/Link1 -> //Fileserv-1/FileShare1
/Link2 ->
//Fileserv-2/FileShare2
On the command line I can traverse
the DFS tree without any problems, so using smbclient I can
perform
the following steps:
# smbclient //10.4.1.107/DFSRoot -A
./credfile
Domain=[ENG-DEV] OS=[Windows Server 2003 3790]
Server=[Windows Server 2003 5.2]
smb: \> ls
.
D 0 Thu Mar 29 12:52:35
2007
..
D 0 Thu Mar 29 12:52:35
2007
Link1
D 0 Thu Mar 29 12:46:43
2007
Link2
D 0 Thu Mar 29 12:52:35
2007
65389 blocks of size 65536. 36670 blocks available
smb: \> showconnect
//Fileserv-1/DFSRoot
smb: \>
cd Link1
smb: \Link1\> ls
.
D 0 Thu Mar 29 12:43:19
2007
..
D 0 Thu Mar 29 12:43:19
2007
List.xls A 25088 Sat
Jan 7 23:03:18 2006
.
.
.
smb: \Link1\> showconnect
//Fileserv-1/FileShare1
smb:
\Link1\> cd ../Link2
smb: \Link2\> ls
.
D 0 Thu Mar 29 12:40:14
2007
..
D 0 Thu Mar 29 12:40:14
2007
abs-guide.pdf A 2069818 Thu Mar 29 12:39:04
2007
.
.
.
sag.pdf A
869300 Thu Mar 29 12:40:14 2007
65389 blocks of size 65536. 36659 blocks available
smb:
\Link2\>
showconnect
//Fileserv-2/FileShare2
smb:
\Link2\>
However, problems ensue when I try to
connect using the
smbc_open and smbc_opendir functions. Tracing
execution under gdb I
see that my authentication callback function is
being called every time I
use the smbc_opendir function (that's
good). I can authenticate
without any problems to the DFS root,
but the problem occurs when Samba
tries to traverse the DFS
tree. In this case the original
server/share (i.e. of the DFS
root) is not the server/share of the DFS
link. When the code
follows the path of the link, all the original
authentication
information is lost. My username, password, and
workgroup are
all changed to my Unix username and the workgroup that I've
defined
in smb.conf. I'm prompted for a password from the do_connect
function and authentication to the server/share fails.
Using
a simple program to perform a recursive list of the contents under my
DFS root with the libsmbclient interface here's my output:
****
$ ./smblister smb://10.4.1.107/DFSRoot
Opening
(smb://10.4.1.107/DFSRoot)...
Authentication function:
Connection opened with smbc_opendir().
Opening
(smb://10.4.1.107/DFSRoot/Link1)...
Authentication function:
Password:
tree connect failed: NT_STATUS_ACCESS_DENIED
Unable
to follow dfs referral [//Fileserv-1/FileShare1]
Could not resolve
\Link1\*
Could not open [smb://10.4.1.107/DFSRoot/Link1] (2:No such
file or directory)
Opening (smb://10.4.1.107/DFSRoot/Link2)...
Authentication function:
tree connect failed:
NT_STATUS_ACCESS_DENIED
Unable to follow dfs referral
[//Fileserv-2/FileShare2]
Could not resolve \Link2\*
Could not
open [smb://10.4.1.107/DFSRoot/Link2] (0:Success) *****
One
difference between the two scenarios is that in the first case the
cli_cm_set_credentials function is being called in the second case
it's
not. I'm not sure, but should the authentication callback
function
be used when resolving a DFS path? I'm still looking
into where the
defaults are set and if it's possible to get
authentication info that's
not statically defined.
I
also saw that I can define the /etc/samba/smbusers to map a Unix user name
to a Windows login and tried
this, but my default username is still
the Unix one. I also
uncommented the username map line in
smb.conf.
Thanks for looking at this...
Regards,
Rich
More information about the samba-technical
mailing list