Bug 7652 - DFS referral causing XP client to request file access using machine account credentials?
DFS referral causing XP client to request file access using machine account c...
Status: NEW
Product: Samba 3.5
Classification: Unclassified
Component: File services
3.5.5
x86 Linux
: P3 normal
: ---
Assigned To: Volker Lendecke
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-27 01:29 UTC by Kevin Shanahan (dead mail address)
Modified: 2013-02-05 07:14 UTC (History)
2 users (show)

See Also:


Attachments
smb.conf (3.76 KB, text/plain)
2010-08-27 01:31 UTC, Kevin Shanahan (dead mail address)
no flags Details
level 10 log showing access denied (195.29 KB, text/plain)
2010-08-27 01:32 UTC, Kevin Shanahan (dead mail address)
no flags Details
level 10 log showing access ok (183.14 KB, application/octet-stream)
2010-08-27 01:34 UTC, Kevin Shanahan (dead mail address)
no flags Details
level 10 log showing problem on Samba 3.5.5 (83.00 KB, text/plain)
2010-09-30 19:58 UTC, Kevin Shanahan (dead mail address)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Kevin Shanahan (dead mail address) 2010-08-27 01:29:50 UTC
I'm having a strange problem with a new file server running Debian Squeeze, Samba 3.4.8. Our users are intermittently getting access denied to parts of the file system.

The setup has the users mapping \\BRIGHTON\shared as S:\ on their computers (Windows XP) and there are a number of DFS links from there to other shares. The one they are having trouble with links to the same server as \\brighton.wumi.org.au\sub_fcd\SHS. Most of the time this works fine, but at seemingly random intervals the users start getting access denied errors to the \\brighton.wumi.org.au\sub_fcd\SHS parts of the filesystem, while still having access to \\BRIGHTON\shared. We can get things working again by disconnecting all their network drives and re-mapping them again.

I'll attach smb.conf for the server and two logs - one showing the access denied error and another where access to the same file works as expected. The file in this example is an icon file for a desktop shortcut. Not sure if that's significant, but it was the first file to show the symptom in this instance.
Comment 1 Kevin Shanahan (dead mail address) 2010-08-27 01:31:06 UTC
Created attachment 5929 [details]
smb.conf
Comment 2 Kevin Shanahan (dead mail address) 2010-08-27 01:32:02 UTC
Created attachment 5930 [details]
level 10 log showing access denied
Comment 3 Kevin Shanahan (dead mail address) 2010-08-27 01:34:37 UTC
Created attachment 5931 [details]
level 10 log showing access ok
Comment 4 Kevin Shanahan (dead mail address) 2010-08-27 01:37:36 UTC
Just FYI, this is the same machine as I was reporting bug 7650 from.
Could be related? I don't understand what's happening in either case.
Comment 5 Kevin Shanahan (dead mail address) 2010-08-29 19:18:30 UTC
Stared at the log files for a long time and worked out that the client machine is for some reason trying to follow the DFS referral using the machine account credentials, rather than the user credentials. After I gave the machine account read (r-x) access to the files and directories in question, the user can access their files again.

No idea why the client is behaving this way. Our other servers running largely identical setups with Debian Lenny (Samba 3.2.5) and I've never had to give the machine accounts access to the user's directories before.
Comment 6 Kevin Shanahan (dead mail address) 2010-09-30 19:58:32 UTC
Created attachment 5991 [details]
level 10 log showing problem on Samba 3.5.5

Unfortunately, looks like the problem is still present in 3.5.5.
New log file attached.
Comment 7 Björn Jacke 2013-02-04 20:46:20 UTC
Can you try and join the server using "security=domain" and "winbind rpc only=yes" please? I've seen XP and w2k3 clients that don't set the "resolve dfs" bit when accessing servers that support kerberos. Looks like Windows bug or strange kind of "optimization".