mounting DFS filesystem with remote shares in it on Arch Linux


I have a laptop joined to domain AAA. I have two DFS namespace servers, which are also AD DCs running Win Server 2012 R2. The NAS is a Synology server with CIFS enabled and domain joined.

Servers:

  • dc1.domain1.local – ip 10.8.0.3
  • dc2.domain1.local – ip 10.8.0.27
  • nas1.domain1.local – ip 10.8.0.7
  • laptop.domain1.local – 10.91.0.2

The whole setup was working until recently (I don't know what happened: a kernel upgrade? or a Windows Update?).

[sssd]
domains = domain1.local
config_file_version = 2
services = nss, pam

[domain/domain1.local]
ad_domain = domain1.local
krb5_realm = DOMAIN1.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
enumerate = True
id_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
krb5_lifetime = 1h
krb5_renewable_lifetime = 1d
krb5_renew_interval = 60s
ldap_id_mapping = True
krb5_store_password_if_offline = True

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 clockskew = 300
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

/etc/request-key.d/cifs.spnego.conf

create  cifs.spnego    * * /usr/bin/cifs.upcall -t %k 

I’m trying to mount the share using

mount -t cifs -o sec=krb5,user=$USER,cruid=$USER,uid=$USER //dc1.domain1.local/namespace1 /mnt/mp1

I can go to /mnt/mp1. But I can’t access anything behind it, like //dc1.domain1.local/namespace1/share1, which is on the Synology server (/mnt/mp1/share1).

Logs on laptop during mounting:

[   54.894236] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
[   55.036042] CIFS VFS: Autodisabling the use of server inode numbers on new server.
[   55.036046] CIFS VFS: The server doesn't seem to support them properly or the files might be on different servers (DFS).
[   55.036049] CIFS VFS: Hardlinks will not be recognized on this mount. Consider mounting with the "noserverino" option to silence this message.

When entering /mnt/mp1/share1 I got:

mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=DC1.domain.local;ip4=10.8.0.7;sec=krb5;uid=0x460c22f4;creduid=0x460c22f4;user=admin;pid=0x923
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: ver=2
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: host=DC1.domain1.local
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: ip=10.8.0.7
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: sec=1
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: uid=1175200500
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: creduid=1175200500
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: user=admin
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: pid=2339
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: get_cachename_from_process_env: pathname=/proc/2339/environ
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: get_cachename_from_process_env: cachename = KEYRING:persistent:1175200500
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: get_existing_cc: default ccache is KEYRING:persistent:1175200500:krb_ccache_s3dU4cx
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: handle_krb5_mech: getting service ticket for server.poznan.tbhydro.net
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: handle_krb5_mech: obtained service ticket
mar 20 08:05:57 LAPTOP.DOMAIN1.LOCAL cifs.upcall[14414]: Exit status 0

Notice that it is asking for a ticket for a different host than the one the IP address resolves to (10.8.0.7 is host nas1.domain1.local).

And the Samba logs on nas1.domain1.local:

../source3/lib/access.c:338: [2019/03/20 08:08:50.530826, all 3, pid=26839] allow_access   Allowed connection from 10.91.0.2 (10.91.0.2)
../source3/smbd/oplock.c:1323: [2019/03/20 08:08:50.530929, locking 3, pid=26839] init_oplocks   init_oplocks: initializing messages.
../source3/smbd/process.c:1975: [2019/03/20 08:08:50.530968, all 3, pid=26839] process_smb   Transaction 0 of length 196 (0 toread)
../source3/smbd/smb2_negprot.c:281: [2019/03/20 08:08:50.531044, all 3, pid=26839] smbd_smb2_request_process_negprot   Selected protocol SMB3_11
../source3/auth/auth_generic.c:246: [2019/03/20 08:08:50.531084, all 3, pid=26839] auth_generic_prepare   make_auth_context_subsystem [NT_STATUS_OK]
../source3/auth/auth_generic.c:377: [2019/03/20 08:08:50.531400, all 3, pid=26839] auth_generic_prepare   gensec_set_remote_address: [NT_STATUS_OK]
../source3/smbd/smb2_server.c:2687: [2019/03/20 08:08:50.558318, all 3, pid=26839] smbd_smb2_request_dispatch   SMB2: cmd=SMB2_OP_NEGPROT [NT_STATUS_OK]
../source3/smbd/smb2_sesssetup.c:811: [2019/03/20 08:08:50.572723, all 3, pid=26839] smbd_smb2_session_setup_send   in_session_id 0
../source3/auth/auth_generic.c:246: [2019/03/20 08:08:50.572850, all 3, pid=26839] auth_generic_prepare   make_auth_context_subsystem [NT_STATUS_OK]
../source3/auth/auth_generic.c:377: [2019/03/20 08:08:50.572870, all 3, pid=26839] auth_generic_prepare   gensec_set_remote_address: [NT_STATUS_OK]
../source3/smbd/smb2_sesssetup.c:866: [2019/03/20 08:08:50.572877, all 3, pid=26839] smbd_smb2_session_setup_send   auth_generic_prepare [NT_STATUS_OK]
../source3/smbd/smb2_server.c:2687: [2019/03/20 08:08:50.572918, all 3, pid=26839] smbd_smb2_request_dispatch   SMB2: cmd=SMB2_OP_SESSSETUP [NT_STATUS_OK]
../source3/librpc/crypto/gse.c:503: [2019/03/20 08:08:50.599304, all 1, pid=26839] gse_get_server_auth_token   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/dc1.domain1.local@DOMAIN1.LOCAL(kvno 76) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
../auth/gensec/spnego.c:544: [2019/03/20 08:08:50.599342, all 1, pid=26839] gensec_spnego_parse_negTokenInit   SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
../auth/gensec/spnego.c:719: [2019/03/20 08:08:50.599360, all 2, pid=26839] gensec_spnego_server_negTokenTarg   SPNEGO login failed: NT_STATUS_LOGON_FAILURE
../auth/gensec/gensec.c:476: [2019/03/20 08:08:50.599370, all 3, pid=26839] gensec_update_async_trigger   gensec_update [NT_STATUS_LOGON_FAILURE]
../source3/smbd/smb2_server.c:3111: [2019/03/20 08:08:50.599393, all 3, pid=26839] smbd_smb2_request_error_ex   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:136

Any idea where to look for an answer to this?
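
Added example, not part of the original post: a small Python check for the mismatch described above, comparing the `host=` that a `cifs.upcall` key description requests a ticket for with the server that owns the `ip4=` address. The host map is copied from the server list in the post; the function names and the sample line are constructed for illustration.

```python
import re

# Name/address pairs taken from the server list in the post.
KNOWN_HOSTS = {
    "10.8.0.3": "dc1.domain1.local",
    "10.8.0.27": "dc2.domain1.local",
    "10.8.0.7": "nas1.domain1.local",
}

KEY_DESC = re.compile(r"key description: (cifs\.spnego;\S+)")


def parse_key_description(line):
    """Return the key=value fields of a cifs.upcall key description, or None."""
    m = KEY_DESC.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group(1).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def check_spn_target(line, known_hosts=KNOWN_HOSTS):
    """Compare the host the ticket is requested for with the owner of the IP."""
    fields = parse_key_description(line)
    if fields is None:
        return None
    ip = fields.get("ip4") or fields.get("ip6")
    requested = fields.get("host", "").lower()
    owner = known_hosts.get(ip)
    return {
        "spn": f"cifs/{requested}",  # principal form seen in the Samba log
        "ip": ip,
        "ip_owner": owner,
        "mismatch": owner is not None and owner != requested,
    }


# Constructed sample in the format of the journal excerpt above.
SAMPLE = ("mar 20 08:05:57 LAPTOP cifs.upcall[14414]: key description: "
          "cifs.spnego;0;0;39010000;ver=0x2;host=DC1.domain1.local;"
          "ip4=10.8.0.7;sec=krb5;uid=0x460c22f4;creduid=0x460c22f4;"
          "user=admin;pid=0x923")

if __name__ == "__main__":
    print(check_spn_target(SAMPLE))
```

A `mismatch` of `True` means the ticket is issued for one server's `cifs/` principal while the session is set up against another server, which is the condition the Samba log reports as a principal missing from the keytab.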