[Samba] CIFS proxy

Maximiliano Bertacchini maxiberta at gmail.com
Fri Jul 22 09:30:23 MDT 2011

Hi. We managed to get samba 4 cifs proxy working with s4u2proxy auth in 
an AD environment. The problem is it won't let clients neither write 
files larger than 16441 bytes nor read files larger than 65536 bytes.
For example, writing a 16641 byte file works ok, but writing a 16642 
byte (or larger) file fails:

# ls -l 16641.txt 16642.txt
-rw-r--r-- 1 root root 16641 Jul 21 11:30 16641.txt
-rw-r--r-- 1 root root 16642 Jul 21 11:30 16642.txt

# smbclient //samba4/cifs4test -k -c "put 16641.txt"
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.0alpha16]
putting file 16641.txt as \16641.txt (8125.1 kb/s) (average 8125.5 kb/s)

# smbclient //samba4/cifs4test -k -c "put 16642.txt"
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.0alpha16]
cli_push returned NT_STATUS_ACCESS_DENIED
NT_STATUS_IO_TIMEOUT closing remote file \16642.txt

Reading files up to 65536 bytes works fine, but reading larger files 
produces a 0 byte file with no error messages:

# smbclient //samba4/cifs4test -k -c "get 65535.txt"
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.0alpha16]
getting file \65535.txt of size 65535 as 65535.txt (12799.6 
KiloBytes/sec) (average 12799.8 KiloBytes/sec)

# smbclient //samba4/cifs4test -k -c "get 65536.txt"
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.0alpha16]
getting file \65536.txt of size 65536 as 65536.txt (0.0 KiloBytes/sec) 
(average 0.0 KiloBytes/sec)

# ls -ll 65535.txt 65536.txt
-rw-r--r-- 1 root root 65535 Jul 22 12:09 65535.txt
-rw-r--r-- 1 root root     0 Jul 22 12:10 65536.txt

If clients connect directly to the server (windows 2003 SP2) everything 
works fine.
We tested this on windows xp and smbclient 3.5.8 as clients and Samba 4 
alpha16 as cifs proxy with increasing debug levels, but haven't found 
any suspicious message so far. The samba 4 server is "Trusted for 
delegation" in AD. We also tried using cifs:user/cifs:password or 
cifs:use-s4u2proxy options to no avail.

         server role = member server
         workgroup = MYDOMAIN
         realm = MYDOMAIN.COM
         netbios name = SAMBA4
         ntvfs handler = cifs
         cifs:server = SERVER01
         cifs:share = enc

Any suggestions on how to further debug this?


On 06/07/11 18:22, Andrew Bartlett wrote:
> On Wed, 2011-07-06 at 17:25 -0300, Maximiliano Bertacchini wrote:
>> Hi,
>> I need to run a Samba CIFS proxy (not DFS) in an AD environment.
>> I've checked samba4's ntvfs cifs module but it won't even compile and I
>> guess it's not ready for production.
> Samba4's CIFS proxy is what you want.  If you have issues compiling
> Samba4, then let's deal with those.  The CIFS proxy is quite well tested
> as part of our automated test suite, and I would be far happier using it
> in production than going via the linux kernel CIFS client.
> The Samba4 CIFS proxy supports both accepting forward-able Kerberos
> tickets, and newly developed by metze) using S2U4Proxy to get the
> tickets itself.
> Andrew Bartlett

More information about the samba mailing list