problem accessing domain-based DFS with kerberos auth

Jeremy Allison jra at samba.org
Tue Jan 10 21:09:14 UTC 2017


On Tue, Jan 10, 2017 at 05:47:59PM +0100, Aurélien Aptel wrote:
> Hi,
> 
> I have an AD running Windows Server 2016 on domain suse.de, it has a
> domain-based DFS nameserver so that
> 
>   \\suse.de\dfs3 -> \\ws2016.suse.de\dfs3 (same machine, same ip)
> 
> This DFS nameserver has a link:
> 
>   \\suse.de\dfs3\link -> \\ws2012.suse.de\dfstarget
> 
> On a Windows client joined to the domain, I can simply navigate in
> \\suse.de\dfs3 in the explorer to reach the final target.
> 
> On a linux box joined to the domain, be it with cifs.ko or smbclient I
> cannot authenticate on suse.de.
> 
>   # kinit Administrator
>   Password for Administrator@SUSE.DE:
>   # smbclient //suse.de/dfs3 -k
>   ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/suse.de@SUSE.DE (Server not found in Kerberos database)
>   cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server not found in Kerberos database
>   session setup failed: SUCCESS - 0
> 
> Looking at the network trace we can see that the Windows client directly
> makes the Tree Connect to \\WS2016.suse.de\dfs3, whereas smbclient makes
> it on \\suse.de\dfs3.
> 
> This means the Windows machine somehow resolves suse.de to
> ws2016.suse.de before making the tree connect, but even after looking at
> the trace I couldn't find how (LDAP? DNS? Kerberos? something
> encrypted?).
> 
> The workaround I found was to add the Service Principal Name smbclient
> is using (cifs/suse.de) to the list of authorized SPNs for ws2016.
> 
> On the AD:
>  
>     setspn -s cifs/suse.de ws2016
>     
> After this, smbclient works. Unfortunately I have a customer that says
> 
> > the workaround doesn't work for multiple servers
> >
> > spn -s cifs/<domain> <dfs server 1>
> > spn -s cifs/<domain> <dfs server 2>
> > spn -s cifs/<domain> <dfs server 3>
> 
> I don't know how "multiple servers" DFS work. Can you even have
> multiple nameservers handling the same dfs share?

Yes, dfs can point to multiple copies of the same data.
Look inside source3/smbd/msdfs.c to see.
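An added diagnostic for the symptom in the thread (not part of the original exchange): it derives the SPN that smbclient requests from the UNC, asks the KDC for that principal directly with kvno, and counts which AD accounts hold it, since a Kerberos SPN must map to exactly one account and cifs/<domain> therefore cannot be registered on several DFS servers at once. It assumes MIT krb5 tools, OpenLDAP's ldapsearch, a ticket from kinit, and an AD search base built from the DNS domain name.

```bash
#!/bin/bash
# Added diagnostic (not from the post). Assumes MIT krb5 kvno, ldapsearch, a TGT.

# smbclient requests cifs/<host part of the UNC> exactly as typed, so
# //suse.de/dfs3 asks for cifs/suse.de (the namespace root, normally not
# registered), while //ws2016.suse.de/dfs3 asks for cifs/ws2016.suse.de.
derive_spn() {
    local unc=${1#//}          # accept //host/share or \\host\share
    unc=${unc#\\\\}
    printf 'cifs/%s\n' "${unc%%[/\\]*}"
}

# Build the AD search base from the DNS domain: suse.de -> DC=suse,DC=de
base_dn_for() {
    local d=$1 out=""
    while [ -n "$d" ]; do
        out="${out:+$out,}DC=${d%%.*}"
        [ "$d" = "${d#*.}" ] && break
        d=${d#*.}
    done
    printf '%s\n' "$out"
}

# Kerberos needs exactly one holder per SPN: zero gives "Server not found in
# Kerberos database"; more than one is a duplicate the KDC cannot resolve to a
# single key, which is why cifs/<domain> cannot be added to several servers.
classify_holders() {
    case $1 in
        0) echo "missing: no account holds the SPN";;
        1) echo "ok: exactly one account holds the SPN";;
        *) echo "duplicate: $1 accounts hold the SPN";;
    esac
}

# Live checks run only when the tools are installed; otherwise they are skipped.
diagnose() {
    local unc=$1 domain=$2 spn base n
    spn=$(derive_spn "$unc"); base=$(base_dn_for "$domain")
    echo "UNC $unc -> SPN $spn (search base $base)"
    if command -v kvno >/dev/null 2>&1; then
        kvno "$spn" || echo "KDC has no principal $spn: smbclient -k fails here"
    fi
    if command -v ldapsearch >/dev/null 2>&1; then
        n=$(ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$domain" -b "$base" \
              "(servicePrincipalName=$spn)" dn 2>/dev/null | grep -c '^dn:' || true)
        classify_holders "$n"
    fi
}

diagnose "//suse.de/dfs3" "suse.de"
```

Running the same check against //ws2016.suse.de/dfs3 shows the difference between the namespace root and the server that actually hosts it.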
