Just wondering if anyone might know if something we’re trying to do is going to even be possible with a fs filter driver. Sorry this post is so long but I couldn’t seem to explain the problem adequately otherwise.
Some background… I currently have a filter driver that runs on a server (2003 or 2008), that primarily is concerned with giving an altered file/dir view to remote users that map a drive to a share on the server.
For example: On the server I have 2 local drives C: and E:. I share the contents of C:\Shared out to clients as a share named “Shared”.
Now I also have a folder on drive E (E:\Background). This folder is not shared but what I want to do is make it so when the client maps to “Shared” it sees not only the contents of C:\Shared but also sees contents of E:\Background merged into the view.
So suppose contents of C:\Shared include file1.txt, and E:\Background contains file file2.txt. So we make it local users of the server see the expected view of C:\Shared, however users that access C:\Shared remotely through the mapped drive (i.e. \Server\Shared) will actually see both file1.txt and file2.txt as if they both existed in the same folder on C:.
So what I’ve described so far is what we currently have working. We attach our filter to C: and E:, pass down the folders paths we are interested in (C:\Shared and E:\Background), and the filter creates the merged view and also redirects I/O as appropriate to E: so everything appears to the remote user as a single storage location.
But what we are wanting to do now is to allow the “background” storage location (E:\Background in this case), to now be able to be to a non-local drive such as a remote NAS device or other server that uses CIFS to share out storage.
We do already support remote access but only with iSCSI, since in this block-level case the remote drive appears to be local (i.e. F:). But we want to be able to do this at the file protocol level using a UNC path to access the remote “background” location (i.e. \RemoteServer\SharedVol).
We’ve tried attaching to \Device\Mup (2008) or \Device\LanmanRedirector (2003) and can actually get it to work but only when we map the drive locally on the server where the share is defined (i.e. the server with C: locally connected).
In the working case if I look at a CIFS/SMB Lan trace as well as filter driver debug output, I can see that when the user maps a drive to C:\Shared, we see a IRP_MJ_CREATE to open C:\Shared and at this point we also do our own CREATE to \RemoteServer\SharedVol. We save the returned handle so we can later merge in the contents of the remote share with C:\Shared when we get the IRP_MJ_DIRECTORY_CONTROL request.
In the working case we also see at this point a CIFS connection is made to RemoteServer using the SAME client credentials that was used originally when the mapping was made to the “Shared” share that points to C:\Shared.
But now if we try to do this in the normal case where the client mapping the drive is server hosting C:\Shared share is on a remote client it doesn’t work.
The reason it doesn’t work is because when the filter sees the IRP_CREATE to C:\Primary and attempts to mirror that CREATE over to \RemoteServer\SharedVol, we receive an ACCESS_DENIED error and can’t progress further.
In the LAN trace of the failing case I see that when the CIFS connection is made to \RemoteServer we aren’t using the client username/credentials but are making a NULL user connection instead (i.e. Username in SessionSetup CIFS request is EMPTY/NULL). Since NULL users normally (and rightfully so) have no rights to anything, we see the ACCESS_DENIED error.
Doing some google and MSDN Lib research, I thought perhaps this had to do with authentication “Impersonation” vs. “Delegation”. I can see documentation that says that in order to do multi-tiered authentication in this way that the middle tier server (in our case the server hosting C:\Shared) must support “Delegated Authentication”, which means being and AD Domain member, running Kerberos5, and configured to allow Delegation.
So I set up an AD Domain (currently set at Windows Server 2003 functional level), joined the client and the \RemoteServer to the Domain and tried again…but same problem.
For whatever reason when the middle server hosting C:\Primary running our filter driver attempts to map to \RemoteServer\SharedVol on behalf of the client that originally mapped to \MidServer\Shared (i.e. C:\Shared), the original Client Username/Creds are NOT used but NULL/Empty Username is used instead which fails with AccessDenied.
So I guess my main question is — is it even possible with our current filter driver model to do this? Does Delegated Authentication only work in certain cases and the Mup/Redirector and/or CIFS doesn’t support this?
I guess that we are really trying to indirectly create a share to a remote share, something that Windows won’t allow you to normally do using NET USE (i.e. NET USE only takes local drives (C:, D:, etc) for SHARE destination, NOT remote mapped drives or UNC paths (Z:, Y:, \RemoteServer\SharedVol, etc.).
If you’ve made it to this point in your reading I commend you. Sorry for the very long post. Hope my questions make sense. Any help is greatly appreciated.