CSI SMB mappings to DFS namespaces do not handle DFS links correctly

[braveness23]

Describe the bug

This bug is due to a bug in the New-SmbGlobalMapping powershell command. A corresponding issue has been submitted to Microsoft via the Feedback Hub tool. A link to the issue is here: https://aka.ms/AAj03f7

Kubernetes can leverage csi-driver-smb and csi-proxy to present a remote SMB share as a mounted volume within containers. If the remote SMB share is a DFS root with DFS target links in the directory structure, Windows containers cannot follow the DFS links to their targets.

This is due to csi-proxy's usage of the New-SmbGlobalMapping powershell command. New-SmbGlobalMapping produces Smb Mappings that do not correctly follow DFS links.

The problem can be reproduced within a Windows container in kubernetes with an SMB share mounted to the local file system using csi-driver-smb and csi-proxy (see kubernetes templates at bottom).

The problem can also be reproduced on a full stand-alone Windows client such as Windows Desktops and Servers.

To Reproduce

The following is an example of how to reproduce the issue from a full Windows client but illustrates the underlying problem that Windows containers also experience.

Create a mapping with New-SmbGlobalMapping to \server\share where share is a DFS namespace root

New-SmbGlobalMapping -LocalPath Z: -RemotePath \\server\share

Attempt any file operation on a subdirectory that is a DFS link. For example, attempt to list the children of Target-1 where Target-1 is a DFS link.

Get-ChildItem Z:\Target-1

Expected behavior

Get-ChildItem Z:\Target-1\


    Directory: Z:\Target-1


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         12/1/2022   8:37 AM                New folder

Actual behavior

Get-ChildItem Z:\Target-1\

Get-ChildItem : The network location cannot be reached. For information about network troubleshooting, see Windows
Help.
At line:1 char:1
+ Get-ChildItem Z:\Target-1\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ReadError: (Z:\Target-1\:String) [Get-ChildItem], IOException
    + FullyQualifiedErrorId : DirIOError,Microsoft.PowerShell.Commands.GetChildItemCommand

Additional context

Relevant Kubernetes templates to recreate environment:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: smb
provisioner: smb.csi.k8s.io
parameters:
  source: "//server/share"
  csi.storage.k8s.io/node-stage-secret-name: "smbcreds"
reclaimPolicy: Retain      # only Retain is supported
volumeBindingMode: Immediate

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: smb
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: smb

apiVersion: v1
kind: Pod
metadata:
  name: smbtest
spec:
  containers:
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - mountPath: C:/mnt/smb
      name: smb
 volumes:
  - name: smb
    persistentVolumeClaim:
      claimName: smb

[microsoft-github-policy-service]

This issue has been open for 30 days with no updates.
no assignees, please provide an update or close this issue.

[nedpyle]

Hi. Thanks for providing this well-written feedback.

The issue here is within SMB global mapping subsystem itself - we did not add support for DFSN links when the global mapping feature was introduced. We may consider adding that support in a future version of Windows. I've updated the containers documentation and the cmdlet help to make sure this expected behavior is clear.