Discussion:
mount.cifs fails with protocol SMBv2.x on a DFS share
Christian Garling
2017-06-08 14:35:00 UTC
Hello list,

A few days ago we migrated our shares to a DFS cluster, and we also
disabled the SMBv1 protocol. Now we are no longer able to connect to the
shares from our Linux workstations. The setup looks like this:

linux workstation -----> AD server (Windows Server 2008 R2) -----> file server (Windows Server 2016, running in 2008 R2 compat mode)

I have searched the web for a solution over the last few days. Mostly it
came down to this:

Make sure that smbclient, cifs-utils and keyutils are installed. Also
have these lines in /etc/request-key.conf:

create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k

My setup satisfies these requirements. I have tried the connection with
these commands (I replaced our domain with example.com):

mount -v -t cifs //office.example.com/technik /mnt/dfs -o username=c.garling,domain=OFFICE,vers=2.0
mount -v -t cifs //office.example.com/technik /mnt/dfs -o username=c.garling,domain=OFFICE,vers=2.1

If I do so I can see this in tcpdump:

100.392000390 192.168.23.107 -> 192.168.15.6 SMB2 172 Negotiate Protocol Request
100.393121936 192.168.15.6 -> 192.168.23.107 SMB2 318 Negotiate Protocol Response
100.393223968 192.168.23.107 -> 192.168.15.6 SMB2 190 Session Setup Request, NTLMSSP_NEGOTIATE
100.394178092 192.168.15.6 -> 192.168.23.107 SMB2 390 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
100.394295512 192.168.23.107 -> 192.168.15.6 SMB2 494 Session Setup Request, NTLMSSP_AUTH, User: OFFICE\c.garling
100.397795864 192.168.15.6 -> 192.168.23.107 SMB2 142 Session Setup Response
100.397895000 192.168.23.107 -> 192.168.15.6 SMB2 198 Tree Connect Request Tree: \\office.example.com\technik
100.398866908 192.168.15.6 -> 192.168.23.107 SMB2 143 Tree Connect Response, Error: STATUS_BAD_NETWORK_NAME

My client tries to connect directly to the share on 192.168.15.6, but
this is the AD server, which should forward to 192.168.15.17, which is
the file server.

I also traced the connection attempt with Wireshark. In the request sent
from my workstation I found this message in the flags:

"This host does NOT support DFS."

We re-enabled SMBv1 for testing purposes. With SMBv1 the connection to
the DFS works with the command above, but with vers=1.0.

I cannot figure out why DFS does not work when vers=2.0 or vers=2.1
is used. We tested several different distros (Linux Mint 18.1, Debian
8, Debian 9, Gentoo) with different kernel versions.

Please ask me for further information, if I missed something.

Any help is welcome!

Regards, Christian Garling
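
Added example, not part of the original post and not code from cifs-utils: a small Python analyzer for the capture summary quoted in the post, reporting which SMB2 command failed, which server answered, and whether any DFS referral request appears in the trace. The FSCTL_DFS_GET_REFERRALS marker is the SMB2 referral ioctl name and is an assumption about how the capture tool labels such a packet, since no such line appears in the post.

```python
import re

# Trace lines copied from the post above, with the wrapped lines joined.
TRACE = r"""
100.392000390 192.168.23.107 -> 192.168.15.6 SMB2 172 Negotiate Protocol Request
100.393121936 192.168.15.6 -> 192.168.23.107 SMB2 318 Negotiate Protocol Response
100.393223968 192.168.23.107 -> 192.168.15.6 SMB2 190 Session Setup Request, NTLMSSP_NEGOTIATE
100.394178092 192.168.15.6 -> 192.168.23.107 SMB2 390 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
100.394295512 192.168.23.107 -> 192.168.15.6 SMB2 494 Session Setup Request, NTLMSSP_AUTH, User: OFFICE\c.garling
100.397795864 192.168.15.6 -> 192.168.23.107 SMB2 142 Session Setup Response
100.397895000 192.168.23.107 -> 192.168.15.6 SMB2 198 Tree Connect Request Tree: \\office.example.com\technik
100.398866908 192.168.15.6 -> 192.168.23.107 SMB2 143 Tree Connect Response, Error: STATUS_BAD_NETWORK_NAME
"""

LINE = re.compile(r"^\S+\s+(?P<src>\S+)\s+->\s+\S+\s+SMB2\s+\d+\s+(?P<info>.+)$")
COMMANDS = ("Negotiate Protocol", "Session Setup", "Tree Connect", "Ioctl")
# STATUS_MORE_PROCESSING_REQUIRED is a normal leg of NTLMSSP auth, not a failure.
BENIGN = {"STATUS_MORE_PROCESSING_REQUIRED"}

def parse(trace):
    """Turn one-line-per-packet SMB2 summaries into event dicts."""
    events = []
    for raw in trace.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip non-SMB2 or malformed lines
        info = m["info"]
        err = re.search(r"Error: (STATUS_\w+)", info)
        tree = re.search(r"Tree: (\S+)", info)
        events.append({
            "src": m["src"],
            "cmd": next((c for c in COMMANDS if info.startswith(c)), "Other"),
            "is_response": "Response" in info,
            "status": err.group(1) if err else None,
            "tree": tree.group(1) if tree else None,
            "referral": "FSCTL_DFS_GET_REFERRALS" in info,  # assumed label
        })
    return events

def diagnose(events):
    """Report the first real failure and whether a DFS referral was requested."""
    result = {"failed_cmd": None, "status": None, "server": None,
              "tree": None, "referral_requested": False}
    for ev in events:
        result["referral_requested"] |= ev["referral"]
        if ev["tree"]:
            result["tree"] = ev["tree"]
        if ev["is_response"] and ev["status"] and ev["status"] not in BENIGN:
            result.update(failed_cmd=ev["cmd"], status=ev["status"], server=ev["src"])
            break
    return result
```

Calling diagnose(parse(TRACE)) on the trace from the post reports a Tree Connect failure from 192.168.15.6 with no referral request seen before it.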
Erwin Baeyens
2017-06-08 17:31:01 UTC
DarkMasterHalo
2017-06-16 00:50:44 UTC
Unsubscribe