Created attachment 18960 [details]
Log from smbclient (normal share)

When a DFS root has a link with a path that contains a NetBIOS server name like //DC3/Share (DC3 is in MSDOM.ALT), it can only work when the user is from the same domain. Otherwise, when a user from a trusted domain SAMDOM1.ALT is used, a principal "cifs/DC3@SAMDOM1.ALT" is formed, which doesn't exist and no realm in service name is provided. "cifs/DC3@MSDOM.ALT" does work as the realm is the same as the user and server, ticket request is performed against it also.

When a full DNS hostname is used in a link, like //DC3.msdom.alt/Share, everything works fine, even with user from trusted domain, as now the principal formed is "cifs/DC3.msdom.alt@SAMDOM1.ALT".

How to reproduce:
- kinit with user from trusted domain (administrator@SAMDOM1.ALT) on a client from trusting domain
- access a DFS share in a trusting domain
> smbclient --use-kerberos=required -d 10 //msdom.alt/DFS/Test >share-dfs-netbios.txt 2>&1

Same is true for a normal share when accessing it by a NetBIOS name:
> smbclient --use-kerberos=required -d 10 //DC3/Share >share-trust-netbios.txt 2>&1

Output from smbclient is attached.

Created attachment 18961 [details] Log from smbclient (DFS share)