Unsubscribe

On Jun 8, 2017 11:01, "Christian Garling" <[email protected]> wrote:
> Hello list,
>
> a few days ago we migrated our shares to a DFS cluster, also we disabled the SMBv1 protocol. Now we are no longer able to connect to the shares with our Linux workstations. The setup looks like this:
>
> linux workstation -----> AD server (Windows Server 2008 R2) -----> file server (Windows Server 2016, running in 2008 R2 compat mode)
>
> I have searched the web for a solution over the last few days. Mostly it came down to this:
>
> Take care that smbclient, cifs-utils and keyutils are installed. Also have these lines in /etc/request-key.conf:
>
> create cifs.spnego * * /usr/sbin/cifs.upcall %k
> create dns_resolver * * /usr/sbin/cifs.upcall %k
>
> My setup satisfies these requirements. I have tried the connection with these commands (I replaced our domain with example.com):
>
> mount -v -t cifs //office.example.com/technik /mnt/dfs -o username=c.garling,domain=OFFICE,vers=2.0
> mount -v -t cifs //office.example.com/technik /mnt/dfs -o username=c.garling,domain=OFFICE,vers=2.1
>
> If I do so I can see this in tcpdump:
>
> 100.392000390 192.168.23.107 -> 192.168.15.6 SMB2 172 Negotiate Protocol Request
> 100.393121936 192.168.15.6 -> 192.168.23.107 SMB2 318 Negotiate Protocol Response
> 100.393223968 192.168.23.107 -> 192.168.15.6 SMB2 190 Session Setup Request, NTLMSSP_NEGOTIATE
> 100.394178092 192.168.15.6 -> 192.168.23.107 SMB2 390 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
> 100.394295512 192.168.23.107 -> 192.168.15.6 SMB2 494 Session Setup Request, NTLMSSP_AUTH, User: OFFICE\c.garling
> 100.397795864 192.168.15.6 -> 192.168.23.107 SMB2 142 Session Setup Response
> 100.397895000 192.168.23.107 -> 192.168.15.6 SMB2 198 Tree Connect Request Tree: \\office.example.com\technik
> 100.398866908 192.168.15.6 -> 192.168.23.107 SMB2 143 Tree Connect Response, Error: STATUS_BAD_NETWORK_NAME
>
> My client directly tries to connect to the share on 192.168.15.6, but this is the AD server that should forward to 192.168.15.17 which is the file server.
>
> I also traced the connection attempt with Wireshark. In the request sent from my workstation I found this message in the flags:
>
> "This host does NOT support DFS."
>
> We re-enabled SMBv1 for testing purposes. With SMBv1 the connection to the DFS works with the command above but vers=1.0.
>
> I cannot figure out why DFS does not work when vers=2.0 or vers=2.1 is used. We tested some different distros (Linux Mint 18.1, Debian 8, Debian 9, Gentoo) with different kernel versions.
>
> Please ask me for further information, if I missed something.
>
> Any help is welcome!
>
> Regards, Christian Garling
