The Samba-Bugzilla – Bug 7652
DFS referral causing XP client to request file access using machine account credentials?
Last modified: 2013-02-05 07:14:16 UTC
I'm having a strange problem with a new file server running Debian Squeeze, Samba 3.4.8. Our users are intermittently getting access denied to parts of the file system.
The setup has the users mapping \\BRIGHTON\shared as S:\ on their computers (Windows XP) and there are a number of DFS links from there to other shares. The one they are having trouble with links to the same server as \\brighton.wumi.org.au\sub_fcd\SHS. Most of the time this works fine, but at seemingly random intervals the users start getting access denied errors to the \\brighton.wumi.org.au\sub_fcd\SHS parts of the filesystem, while still having access to \\BRIGHTON\shared. We can get things working again by disconnecting all their network drives and re-mapping them again.
I'll attach smb.conf for the server and two logs - one showing the access denied error and another where access to the same file works as expected. The file in this example is an icon file for a desktop shortcut. Not sure if that's significant, but it was the first file to show the symptom in this instance.
Created attachment 5929
Created attachment 5930
level 10 log showing access denied
Created attachment 5931
level 10 log showing access ok
Just FYI, this is the same machine as I was reporting bug 7650 from.
Could be related? I don't understand what's happening in either case.
Stared at the log files for a long time and worked out that the client machine is for some reason trying to follow the DFS referral using the machine account credentials, rather than the user credentials. After I gave the machine account read (r-x) access to the files and directories in question, the user can access their files again.
No idea why the client is behaving this way. Our other servers are running largely identical setups with Debian Lenny (Samba 3.2.5) and I've never had to give the machine accounts access to the user's directories before.
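The diagnosis in the comment above came from reading level 10 logs by hand. The following Python script is an added example, not part of the original report or of Samba: it flags share connections made as a machine account, assuming smbd's "connect to service ... initially as user ..." log message. The sample log lines, host names, user names and ids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on smbd's tree-connect log message (assumed
# format). Share names come from the report; hosts, users and ids are made up.
SAMPLE_LOG = """\
[2010/09/01 10:02:11,  1] smbd/service.c:1070(make_connection_snum)
  xpclient1 (192.0.2.21) connect to service shared initially as user jsmith (uid=1004, gid=513) (pid 4312)
[2010/09/01 10:02:14,  1] smbd/service.c:1070(make_connection_snum)
  xpclient1 (192.0.2.21) connect to service sub_fcd initially as user XPCLIENT1$ (uid=2031, gid=515) (pid 4313)
[2010/09/01 10:05:40,  1] smbd/service.c:1070(make_connection_snum)
  xpclient2 (192.0.2.22) connect to service sub_fcd initially as user akhan (uid=1009, gid=513) (pid 4377)
"""

CONNECT_RE = re.compile(
    r"^\s*(?P<host>\S+) \((?P<ip>[^)]+)\) connect to service (?P<share>.+?) "
    r"initially as user (?P<user>.+?) \(uid=\d+, gid=\d+\) \(pid \d+\)\s*$"
)


def is_machine_account(user):
    # Machine accounts end in '$'; drop any DOMAIN\ prefix before checking.
    return user.rsplit("\\", 1)[-1].endswith("$")


def machine_account_connects(log_text):
    """Return share connections made as a machine account, each with the
    ordinary user accounts seen from the same client address."""
    connects = [m.groupdict() for m in map(CONNECT_RE.match, log_text.splitlines()) if m]
    users_by_ip = defaultdict(set)
    for c in connects:
        if not is_machine_account(c["user"]):
            users_by_ip[c["ip"]].add(c["user"])
    return [
        dict(c, other_users=sorted(users_by_ip[c["ip"]]))
        for c in connects
        if is_machine_account(c["user"])
    ]


if __name__ == "__main__":
    for hit in machine_account_connects(SAMPLE_LOG):
        print("{host} ({ip}) connected to [{share}] as {user}; "
              "user sessions from same client: {other_users}".format(**hit))
```

A hit on a share that is only reached through a DFS link, from a client that also holds a normal user session, matches the pattern described in this report.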
Created attachment 5991
level 10 log showing problem on Samba 3.5.5
Unfortunately, looks like the problem is still present in 3.5.5.
New log file attached.
Can you try and join the server using "security=domain" and "winbind rpc only=yes" please? I've seen XP and w2k3 clients that don't set the "resolve dfs" bit when accessing servers that support Kerberos. Looks like a Windows bug or a strange kind of "optimization".