Bug #1087

Unable to connect to the CIFS server using \\servername.fqdn

Added by Brendon Baumgartner over 8 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Start date: 2011-06-01
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

OpenSolaris bug ID:
6791642 Unable to connect to the CIFS server using \\servername.fqdn


Files

  • smb.snoop (6.35 KB), Christopher Chan, 2013-06-11 02:53 AM
  • smbnew.snoop (79.7 KB), Christopher Chan, 2013-06-11 02:53 AM
  • smbcifs.cap (31.3 KB), Christopher Chan, 2013-06-11 02:53 AM
  • smbcifsbdc.cap (3.64 KB), Christopher Chan, 2013-06-11 02:53 AM

Related issues

Related to illumos gate - Feature #1122: smbsrv should use SPNEGO (inbound authentication) (Closed, 2011-06-17)

History

#1

Updated by Yuri Pankov over 8 years ago

I doubt that the OpenSolaris bugtracker is accessible at the moment; providing more info should help here.

#2

Updated by Brendon Baumgartner over 8 years ago

Typing in a FQDN to access the CIFS server vs. the hostname yields this error message when using the FQDN. Hostname is fine.

Error:
\\server.domain.local is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The account is not authorized to log in from this station.

#3

Updated by Kevin Halgren about 8 years ago

  • Status changed from New to Feedback

Additional information:

IP address and FQDN work from non-Windows clients (Mac, Linux).

Short name or IP address works OK from Windows clients, FQDN fails.
\\servername [Works OK]
\\192.168.1.1 [Works OK]
\\servername.domain [Fails]

Windows attempts to authenticate via Kerberos when using FQDN, uses NTLMv2 for short name or IP address. This is likely a Kerberos-related issue with Samba on OpenSolaris.

#4

Updated by Kevin Halgren about 8 years ago

For this to work properly, the Samba server needs to support GSSAPI/SPNEGO. A packet trace shows that Windows and the Samba server successfully negotiate using NTLMv2; however, when using the FQDN, if the Kerberos security blob is not included at the end of the SMB negotiation response, Windows ignores the NTLM negotiation agreement and closes the connection.

This link has more technical information:
http://arc.opensolaris.org/caselog/PSARC/2009/673/20091209_natalie.li

And this is a remarkably apt video illustrating (metaphorically) the process:
http://www.youtube.com/watch?v=JBtcXujRbAA
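
One way to check a captured negotiate response for the security blob discussed in comment #4, as an added example that is not part of the thread or of the illumos code. It assumes the SMB1 NT LM 0.12 response layout; the function names and sample messages are constructed for illustration, and the OID search is a heuristic rather than a full ASN.1 parse.

```python
import struct

CAP_EXTENDED_SECURITY = 0x80000000  # SMB1 capability bit for GSSAPI/SPNEGO auth
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def inspect_negotiate_response(msg):
    """Report what an SMB1 NT LM 0.12 negotiate response offers for authentication.

    msg is the SMB message without the 4-byte NetBIOS session header.
    """
    if len(msg) < 69 or msg[:4] != b"\xffSMB" or msg[4] != 0x72:
        raise ValueError("not an SMB1 negotiate response")
    if msg[32] != 17:  # WordCount of the NT LM 0.12 response
        raise ValueError("unexpected WordCount")
    capabilities = struct.unpack_from("<I", msg, 33 + 19)[0]
    byte_count = struct.unpack_from("<H", msg, 67)[0]
    data = msg[69:69 + byte_count]
    extended = bool(capabilities & CAP_EXTENDED_SECURITY)
    # With extended security the data block is a 16-byte server GUID + security blob.
    blob = data[16:] if extended else b""
    return {
        "extended_security": extended,
        "blob_len": len(blob),
        "spnego": blob[:1] == b"\x60" and OID_SPNEGO in blob[:12],
        # Heuristic: search for the DER OIDs instead of walking the ASN.1 tree.
        "kerberos": OID_KRB5 in blob,
        "ntlmssp": OID_NTLMSSP in blob,
    }

def tlv(tag, body):
    """DER tag-length-value for bodies shorter than 128 bytes."""
    return bytes([tag, len(body)]) + body

def build_sample(capabilities, mechs):
    """Constructed response for the demo; not taken from the attached captures."""
    header = b"\xffSMB\x72" + bytes(27)
    params = struct.pack("<HBHHIIIIQhB", 0, 3, 50, 1, 16644, 65536, 0,
                         capabilities, 0, 0, 0)
    data = b""
    if mechs:
        token = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, b"".join(mechs)))))
        data = bytes(16) + tlv(0x60, OID_SPNEGO + token)
    return header + b"\x11" + params + struct.pack("<H", len(data)) + data

if __name__ == "__main__":
    for mechs in ([OID_KRB5, OID_NTLMSSP], [OID_NTLMSSP]):
        print(inspect_negotiate_response(build_sample(CAP_EXTENDED_SECURITY, mechs)))
```
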

#5

Updated by Rich Lowe about 8 years ago

  • Project changed from site to illumos gate

#6

Updated by Yuri Pankov almost 8 years ago

How is Samba related and why are we talking about it at all?

#7

Updated by Kevin Halgren almost 8 years ago

I mentioned Samba because I was ignorant at the time about Solaris' CIFS/SMB server and assumed it was based on Samba. You can disregard that aspect. This issue was confirmed and ultimately fixed by engineers with Nexenta; we were using their OpenSolaris-based storage server implementation. It was a bug in the OpenSolaris CIFS server; unfortunately, I do not have the Nexenta issue number at hand.

#8

Updated by Kevin Halgren almost 8 years ago

Found it, Nexenta support case 2268

Kevin

#9

Updated by Will Ottewell almost 7 years ago

This issue still appears in OpenIndiana 151A7 (unless I'm missing anything) - does anyone know if Nexenta have yet contributed the fix to Illumos? If needed, I can post configs and do packet traces as required.

#10

Updated by Christopher Chan over 6 years ago

Not exactly the same, but I have had issues connecting to CIFS via \\shortname where I get access denied and it would only work with \\ipaddr. I have some network traces.

#11

Updated by Gordon Ross almost 4 years ago

  • Status changed from Feedback to Closed

This is fixed with #1122
