Bug 9129 - Windows 8 client can not use DNS alias server name, and unstable file copy
Summary: Windows 8 client can not use DNS alias server name, and unstable file copy
Status: CLOSED DUPLICATE of bug 1703
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-30 19:38 UTC by Allen Zhao
Modified: 2015-12-07 13:50 UTC (History)
1 user (show)

See Also:


Attachments
wireshark trace (933.29 KB, text/plain)
2012-10-09 18:54 UTC, Allen Zhao
no flags Details
binary cap file (1.18 MB, application/octet-stream)
2012-10-10 16:07 UTC, Allen Zhao
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Allen Zhao 2012-08-30 19:38:00 UTC
Just had a Windows 8 box set up in house for testing, and the Windows 8 PC gets into trouble our Samba file server right away.

The most notable issue is we can not use DNS alias (Name, instead of A record).

For example, our samba file server is called foo.gtisoft.com as FQDN, but at deployment, we use DNS name record to map the foo.gtisoft.com to files.gtisoft.com. 

We do this such that the whole always use \\files\ to access the file, and user should have no record on our real server name. 

This works fine for both Vista/7, but does not work with XP and the Windows 8. For the later two, we have to use \\foo\ directly.

The DNS server is hosted on Windows 2008 server. 

Is this the Windows' fault (registry?) or samba issue?

We notice that for Windows 2003 server had this issue, but we can fix it by change some registry. Any reason why?

Also we found copy large directory from samba file server to local C: would fail, but copy to C:\temp seems to be fine. The error is about some corrupted file. Any report along this line?
Comment 1 Jeremy Allison 2012-10-08 23:48:55 UTC
Let's keep one bug report concentrated on only one issue please.

Can you upload a network wireshark trace from the Win8 box when you're trying to connect to the Samba server. That would help discover if this is a Samba issue or some problem with how the DNS setup is interacting with Win8.

Thanks.

Jeremy.
Comment 2 Allen Zhao 2012-10-09 18:54:36 UTC
Created attachment 8023 [details]
wireshark trace

Attached is the wiresshark trace while accessing \\files\ from a Windows8 client.
Comment 3 Allen Zhao 2012-10-09 18:59:17 UTC
In the attached trace, the client's IP is 192.168.100.112, the domain server's IP is 192.168.100.2. 

The file server's IP is 192.168.100.246.

It looks like a domain logon failure:

No.     Time           Source                Destination           Protocol Length Info
    463 27.628069000   192.168.100.2         192.168.100.112       SMB2     131    SessionSetup Response, Error: STATUS_LOGON_FAILURE


But why would it happen only when the alias name is used?
Comment 4 Allen Zhao 2012-10-09 20:09:06 UTC
From the file server side, the log shows following error when Win8 client tried to connect with using alias name (\\files):

[2012/10/09 14:38:31.038623,  0] rpc_client/cli_pipe.c:4163(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server WOLFGANG.GTISOFT.COM for domain GTISOFT.
[2012/10/09 14:38:31.038707,  0] auth/auth_domain.c:188(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine WOLFGANG.GTISOFT.COM. Error was : NT_STATUS_ACCESS_DENIED.

WOLFGANG.GTISOFT.COM is the domain server (192.168.100.2)

----------------------------

Here is a good news, though:

The issue can be fixed, as it turns out, by adding kerberos service principal names (SPNs) on the domain server:

setspn -A HOST/files copland
setspn -A HOST/files.gtisoft.com copland

By adding the SPNs on domain server, at least Win8 would be accessing samba server ok for now. 

Is this a documented solution? or just a work around?
Comment 5 Jeremy Allison 2012-10-09 22:54:34 UTC
Oh the wireshark trace is not useful I'm afraid. We can't use text file descriptions of the network traffic, we need the raw data of the network traffic itself. Please upload the .cap file as a binary blob.

Jeremy.
Comment 6 Allen Zhao 2012-10-10 16:07:54 UTC
Created attachment 8042 [details]
binary cap file

hope this helps.
Comment 7 Björn Jacke 2015-12-07 13:50:54 UTC
yes, this is to be expected. if you use alias names you need to add SPNs manually. There is a long standing feature request to add SPNs for our netbios aliases but this isn't implemented so far. You might ask some professional support company to get this implemented if you need that fearure urgently.

*** This bug has been marked as a duplicate of bug 1703 ***