Bug 11333 - Domain-based DFS/msdfs proxy doesn't perform root referral correctly
Summary: Domain-based DFS/msdfs proxy doesn't perform root referral correctly
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.2.2
Hardware: All All
: P5 major (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2015-06-15 23:14 UTC by samba
Modified: 2015-06-17 00:27 UTC (History)
0 users

See Also:

Here's an example patch that works in my domain (2.75 KB, patch)
2015-06-17 00:27 UTC, samba
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description samba 2015-06-15 23:14:56 UTC
I work in an environment with the following properties:
  domain name=CONTOSO
  domain-based dfs "root" name=\\contoso.corp\DFS
  dfs servers that actually implement the root dfs namespace:

On Windows, when I open \\contoso.corp\DFS, that kicks off:
* [presumably] a comparison with server (contoso.corp) against the dnsdomainname (contoso.corp)
* because they are equal
  * windows looks up the domain controller (as normal)
  * a connection is made to dc.contoso.corp, rather than contoso.corp (\\dc.contoso.corp\IPC$)
* a FSCTL_GET_DFS_REFERRALS is made to the domain controller, which returns the following referrers:
  * Path: \contoso.corp\DFS
    Alt Path: \contoso.corp\DFS
	Node: \dfs1.contoso.corp\dfs
  * Path: \contoso.corp\DFS
    Alt Path: \contoso.corp\DFS
	Node: \dfs2.contoso.corp\dfs
* Windows then begins a session to whichever of those referrers is marked active (currently it's dfs2), and the share is mounted, etc.

Using SMBCLIENT from samba-4.2.2, do_connect in clidfs.c attempts to connect to contoso.corp directly, rather than do the dnsdomainname compare and connect to the domain controller.  Because contoso.corp isn't a "real" host, there's no kerberos principal for that hostname, and the call to cli_session_setup() fails.

If at the top of the do_connect() function, after the server is parsed out from the function's input, I add:
	if (0 == strcmp(server, "contoso.corp")) {
Then the initial connection is forced to be made to my domain controller, and the cli_check_msdfs_proxy() call near the bottom is made correctly to my domain controller, and I can connect to "smbclient -k //contoso.corp/dfs" just fine.

Likewise, it seems that Windows does a similar, additional check for server == domain, as \\contoso\DFS also works in my environment, but not with smbclient (unless I make a similar modification as above for "contoso" as well).

In short, it seems that Windows's domain-based DFS client treats both the dnsdomainname(s) (or maybe the REALM name, for me they are the same, but different case) and the domain name as references for the client's domain controller of choice.  Smbclient 4.2.2 appears to not do this.
Comment 1 samba 2015-06-15 23:16:03 UTC
It's possible that this is related to https://bugzilla.samba.org/show_bug.cgi?id=10288
Comment 2 samba 2015-06-17 00:27:27 UTC
Created attachment 11166 [details]
Here's an example patch that works in my domain