Random Authentication Failures with DFS Path #304

Open
dtufood-kihen opened this issue Dec 2, 2024 · 1 comment

@dtufood-kihen

I am encountering random authentication errors when accessing files on a DFS. The issue is intermittent: the same code works sometimes but fails without any changes at other times. When I replace the DFS path with the direct storage server path, the problem does not occur.

In this case, I am using Kerberos authentication and therefore am not specifying any credentials in the code:

```python
import smbclient

smb_path = r"\\dfs-server\path\to\file.txt"
local_path = "/tmp/file.txt"

with smbclient.open_file(smb_path, mode="rb") as remote_file:
    with open(local_path, "wb") as local_file:
        local_file.write(remote_file.read())

print(f"File downloaded successfully to {local_path}")
```

When running the script multiple times in sequence, it works successfully for some runs but fails intermittently (typically on subsequent runs) with the following error:

smbprotocol.exceptions.SMBAuthenticationError: Failed to authenticate with server: SpnegoError (4294967295): Major (131072): An invalid name was supplied, Minor (100001): Success, Context: Processing security token

@jborean93
Owner

DFS is tricky and combining it with Kerberos can be problematic if the resolved DFS target is for something with either an incorrectly configured SPN or no SPN at all. You can set the env var KRB5_TRACE=/dev/stdout (or any file you want to log it to) to see what SPNs are being requested by Kerberos and track down which one is problematic.

Two things I've found to be an issue in the past with DFS + Kerberos are dealing with NetBIOS names in the DFS referral responses and things like domain name DFS paths. To solve the first one you need to configure DFS itself to return DNS names: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dfs-use-domain-names. For the DFS domain referrals you can look at explicitly setting a domain controller in the client config:

```python
import smbclient

smbclient.ClientConfig(domain_controller='dc01.domain.com')

...
```

What this does is send a DFS domain referral to the domain controller dc01.domain.com. This caches the domain names of the target DC in a local cache so that when the client tries to access \\domain.com (or any of the names in the domain referral response) it knows what DFS server to target for any requests to that path. If it didn't cache this result then the client will try to connect to the host domain.com, which your DNS will resolve to a domain controller, but potentially a different one to what the Kerberos ticket resolved it to, causing the invalid name error.
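An added example (not part of the comment above and not code from the smbprotocol project): a small parser that reads a KRB5_TRACE log and lists the `cifs/` SPNs requested, flagging the two shapes named above (NetBIOS-style short host names and the domain name used as the host) plus any failed TGS request. The trace lines are constructed, modelled on MIT krb5 trace output; the hosts, realm and the helper names `requested_spns` and `suspect_spns` are assumptions.

```python
import re

# Constructed sample modelled on MIT krb5 KRB5_TRACE output; hosts, realm and PID are made up.
SAMPLE_TRACE = """\
[4121] 1733140001.100001: Getting credentials user@DOMAIN.COM -> cifs/domain.com@DOMAIN.COM using ccache FILE:/tmp/krb5cc_1000
[4121] 1733140001.100420: TGS request result: 0/Success
[4121] 1733140001.200001: Getting credentials user@DOMAIN.COM -> cifs/FS01@DOMAIN.COM using ccache FILE:/tmp/krb5cc_1000
[4121] 1733140001.200380: TGS request result: -1765328377/Server not found in Kerberos database
[4121] 1733140001.300001: Getting credentials user@DOMAIN.COM -> cifs/fs02.domain.com@DOMAIN.COM using ccache FILE:/tmp/krb5cc_1000
[4121] 1733140001.300410: TGS request result: 0/Success
"""

# SMB service tickets use the cifs service class; the realm may be empty in the trace.
SPN_RE = re.compile(r"Getting credentials \S+ -> cifs/(?P<host>[^@\s]+)@(?P<realm>\S*) using ccache")
TGS_RE = re.compile(r"TGS request result: (?P<code>-?\d+)/(?P<text>.+)$")


def requested_spns(trace_text):
    """Return one record per cifs/ ticket request, with the TGS result that followed it."""
    records = []
    for line in trace_text.splitlines():
        spn = SPN_RE.search(line)
        if spn:
            records.append({**spn.groupdict(), "code": None, "text": None})
            continue
        tgs = TGS_RE.search(line)
        # Attach only the first result after a request; a cached ticket has none.
        if tgs and records and records[-1]["code"] is None:
            records[-1]["code"] = int(tgs["code"])
            records[-1]["text"] = tgs["text"].strip()
    return records


def suspect_spns(trace_text):
    """Flag SPNs with a short host name, the domain name as host, or a failed TGS request."""
    findings = []
    for rec in requested_spns(trace_text):
        reasons = []
        if "." not in rec["host"]:
            reasons.append("short (NetBIOS-style) host name")
        if rec["realm"] and rec["host"].lower() == rec["realm"].lower():
            reasons.append("domain name used as host")
        if rec["code"] not in (None, 0):
            reasons.append(f"TGS error {rec['code']}: {rec['text']}")
        if reasons:
            findings.append((f"cifs/{rec['host']}", reasons))
    return findings
```

To use it on a real run, set KRB5_TRACE to a file path before running the script and pass that file's contents to `suspect_spns`.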
