PROBLEM: CIFS SMB2/SMB3 does not work for domain based DFS

PROBLEM: CIFS SMB2/SMB3 does not work for domain based DFS

[Totemo Support]

Hi,

I am having problems mounting a domain based DFS share using mount.cifs with the parameter vers=2.0 or vers=3.0, even though it works with the deprecated version vers=1.0.

My test setup includes two separated Windows 2016 servers (180days eval iso), with the following roles:

* on the first I'm running the domain controller (DC)
* on the second VM I installed the DFS Namespace Root role (DFSN) and this VM also serves the actual shares

Now, when trying to mount, the following error occurs:

mount //domain.dev.com/files/sales /smb -o user=Administrator,password=xxxxxx,vers=3.0

CIFS VFS: BAD_NETWORK_NAME: \\domain.dev.com\files
CIFS VFS: session ffff88003bd0c000 has no tcon available for a dfs referral request
CIFS VFS: cifs_mount failed w/return code = -2

It's working fine, with SMB1. It does also work, when I specify the DFSN server directly:

mount //dfsn/files/sales /smb -o user=Administrator,password=xxxxxx,vers=3.0

>From my point of view it looks like there is no resolution attempt of resolving the domain based UNC (//domain.dev.com/files) into the actual dfsroot representation.

Since my domain controller doesn't host the dfsroot structure, any attempts resolving on it directly will fail.

I tried initially with Kernel 4.11 but also build a recent 4.13 with the same issues.
Latest keyutils (/sbin/key.dns_resolver) are in place and configured on the system.

Do you need any further scripts/explanations how I set up the test servers? It's nothing special, everything sticks to the defaults.

Best,
Robert

Totemo Support 

phone: +41 44 914 99 00
fax: +41 44 914 99 99

email: support-4BUtOHJXg7LQT0dZR+AlfA@public.gmane.org
web: www.totemo.com

Re: PROBLEM: CIFS SMB2/SMB3 does not work for domain based DFS

[Aurélien Aptel]

Hi Totemo,

Totemo Support <support-4BUtOHJXg7LQT0dZR+AlfA@public.gmane.org> writes:
> From my point of view it looks like there is no resolution attempt of resolving the domain based UNC (//domain.dev.com/files) into the actual dfsroot representation.
>
> Since my domain controller doesn't host the dfsroot structure, any attempts resolving on it directly will fail.
>
> I tried initially with Kernel 4.11 but also build a recent 4.13 with the same issues.
> Latest keyutils (/sbin/key.dns_resolver) are in place and configured on the system.
>
> Do you need any further scripts/explanations how I set up the test servers? It's nothing special, everything sticks to the defaults.

Could you open a bug report here [1] and provide network traces of you
mounting with smb1 and another one of you mounting with smb3 (add them
as attachement).

Thanks

1: https://bugzilla.samba.org/buglist.cgi?component=kernel%20fs&product=CifsVFS&resolution=---

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

Re: PROBLEM: CIFS SMB2/SMB3 does not work for domain based DFS

[Aurélien Aptel]

Aurélien Aptel <aaptel-IBi9RG/b67k@public.gmane.org> writes:
> Could you open a bug report here [1] and provide network traces of you
> mounting with smb1 and another one of you mounting with smb3 (add them
> as attachement).

Bug was opened here [1].

In both traces cifs.ko connects to the DC and tries to connect to the
"files" share. Since the "files" share is not hosted on the DC, the
server replies with BAD_NETWORK_NAME error. It then connects to the IPC$
share regardless of the result (in get_dfs_path() I suspect).

SMB1 uses IPC$ to make the request whereas SMB2 does a ioctl on any
valid tcon object from the session. It finds none since the connection
to the share "files" failed.

I'm surprised it even works for SMB1 since you are saying the DFSN
server is not on the DC. In the SMB1 trace we can see cifs.ko connects
to the DC (10.0.9.56) and sends a DFS request to it (in #17) which the
DC sucessfully replies to (#18).

In order for the SMB2 code to be able to use the IPC$ share aswell we
need to make SMB2_ioctl() work when tcon is NULL and use_ipc is true
(probably by passing a session pointer as an extra arg). Looks like a
nasty refactoring is needed...

1: https://bugzilla.samba.org/show_bug.cgi?id=12917

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

Re: PROBLEM: CIFS SMB2/SMB3 does not work for domain based DFS

[Robin Blanchard]

see thread "cifs.ko + smb 3.0 + DFS fails (though direct mount succeeds)"

I can confirm smb > 1 + DFS works as expected with kernel >= 4.11. I
have, however, seen similar spurious errors/failures.

On Tue, Jul 18, 2017 at 4:47 AM, Totemo Support <support-4BUtOHJXg7LQT0dZR+AlfA@public.gmane.org> wrote:
> Hi,
>
> I am having problems mounting a domain based DFS share using mount.cifs with the parameter vers=2.0 or vers=3.0, even though it works with the deprecated version vers=1.0.
>
> My test setup includes two separated Windows 2016 servers (180days eval iso), with the following roles:
>
> * on the first I'm running the domain controller (DC)
> * on the second VM I installed the DFS Namespace Root role (DFSN) and this VM also serves the actual shares
>
> Now, when trying to mount, the following error occurs:
>
> mount //domain.dev.com/files/sales /smb -o user=Administrator,password=xxxxxx,vers=3.0
>
> CIFS VFS: BAD_NETWORK_NAME: \\domain.dev.com\files
> CIFS VFS: session ffff88003bd0c000 has no tcon available for a dfs referral request
> CIFS VFS: cifs_mount failed w/return code = -2
>
> It's working fine, with SMB1. It does also work, when I specify the DFSN server directly:
>
> mount //dfsn/files/sales /smb -o user=Administrator,password=xxxxxx,vers=3.0
>
> From my point of view it looks like there is no resolution attempt of resolving the domain based UNC (//domain.dev.com/files) into the actual dfsroot representation.
>
> Since my domain controller doesn't host the dfsroot structure, any attempts resolving on it directly will fail.
>
> I tried initially with Kernel 4.11 but also build a recent 4.13 with the same issues.
> Latest keyutils (/sbin/key.dns_resolver) are in place and configured on the system.
>
> Do you need any further scripts/explanations how I set up the test servers? It's nothing special, everything sticks to the defaults.
>
> Best,
> Robert
>
> Totemo Support
>
> phone: +41 44 914 99 00
> fax: +41 44 914 99 99
>
> email: support-4BUtOHJXg7LQT0dZR+AlfA@public.gmane.org
> web: www.totemo.com
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html