The Samba-Bugzilla – Bug 9129
Windows 8 client can not use DNS alias server name, and unstable file copy
Last modified: 2015-12-07 13:50:54 UTC
Just had a Windows 8 box set up in house for testing, and the Windows 8 PC gets into trouble our Samba file server right away.
The most notable issue is we can not use DNS alias (Name, instead of A record).
For example, our samba file server is called foo.gtisoft.com as FQDN, but at deployment, we use DNS name record to map the foo.gtisoft.com to files.gtisoft.com.
We do this such that the whole always use \\files\ to access the file, and user should have no record on our real server name.
This works fine for both Vista/7, but does not work with XP and the Windows 8. For the later two, we have to use \\foo\ directly.
The DNS server is hosted on Windows 2008 server.
Is this the Windows' fault (registry?) or samba issue?
We notice that for Windows 2003 server had this issue, but we can fix it by change some registry. Any reason why?
Also we found copy large directory from samba file server to local C: would fail, but copy to C:\temp seems to be fine. The error is about some corrupted file. Any report along this line?
Let's keep one bug report concentrated on only one issue please.
Can you upload a network wireshark trace from the Win8 box when you're trying to connect to the Samba server. That would help discover if this is a Samba issue or some problem with how the DNS setup is interacting with Win8.
Created attachment 8023 [details]
Attached is the wiresshark trace while accessing \\files\ from a Windows8 client.
In the attached trace, the client's IP is 192.168.100.112, the domain server's IP is 192.168.100.2.
The file server's IP is 192.168.100.246.
It looks like a domain logon failure:
No. Time Source Destination Protocol Length Info
463 27.628069000 192.168.100.2 192.168.100.112 SMB2 131 SessionSetup Response, Error: STATUS_LOGON_FAILURE
But why would it happen only when the alias name is used?
From the file server side, the log shows following error when Win8 client tried to connect with using alias name (\\files):
[2012/10/09 14:38:31.038623, 0] rpc_client/cli_pipe.c:4163(cli_rpc_pipe_open_schannel)
cli_rpc_pipe_open_schannel: failed to get schannel session key from server WOLFGANG.GTISOFT.COM for domain GTISOFT.
[2012/10/09 14:38:31.038707, 0] auth/auth_domain.c:188(connect_to_domain_password_server)
connect_to_domain_password_server: unable to open the domain client session to machine WOLFGANG.GTISOFT.COM. Error was : NT_STATUS_ACCESS_DENIED.
WOLFGANG.GTISOFT.COM is the domain server (192.168.100.2)
Here is a good news, though:
The issue can be fixed, as it turns out, by adding kerberos service principal names (SPNs) on the domain server:
setspn -A HOST/files copland
setspn -A HOST/files.gtisoft.com copland
By adding the SPNs on domain server, at least Win8 would be accessing samba server ok for now.
Is this a documented solution? or just a work around?
Oh the wireshark trace is not useful I'm afraid. We can't use text file descriptions of the network traffic, we need the raw data of the network traffic itself. Please upload the .cap file as a binary blob.
Created attachment 8042 [details]
binary cap file
hope this helps.
yes, this is to be expected. if you use alias names you need to add SPNs manually. There is a long standing feature request to add SPNs for our netbios aliases but this isn't implemented so far. You might ask some professional support company to get this implemented if you need that fearure urgently.
*** This bug has been marked as a duplicate of bug 1703 ***