[Samba] domain-based DFS ?

Davor Vusir davortvusir at gmail.com
Wed Jul 2 01:28:15 MDT 2014


2014-07-02 7:44 GMT+02:00 Daniel Müller <mueller at tropenklinik.de>:
> Hi,
> it will not work with samba4 and smb3!? I have the same definition and I cannot reach my dfs with \\mydomain.name\dfsshare but... and that is the interesting thing: from within my old samba3 nt style domain I can reach!! the same \\mydomain.nam\dfsshare without any issues. I can read and write to it...
> I think this is an awesome bug in samba4, because I can prove that within the beta versions it still was possible to reach
> and act on \\mydomain.name\share without any errors.
>
>
> IT Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
>
>
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
> Sent: Tuesday, 1 July 2014 21:24
> To: Davor Vusir
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] domain-based DFS ?
>
> On Tue, 2014-07-01 at 20:22 +0200, Davor Vusir wrote:
>> 2014-07-01 19:56 GMT+02:00 steve <steve at steve-ss.com>:
>> > On Tue, 2014-07-01 at 19:41 +0200, Davor Vusir wrote:
>> >> 2014-07-01 16:56 GMT+02:00 steve <steve at steve-ss.com>:
>> >> > On Tue, 2014-07-01 at 16:32 +0200, L.P.H. van Belle wrote:
>> >> >> well..
>> >> >>
>> >> >> I just did a test with this for steve also.
>> >> >>
>> >> >> same result.
>> >> >>
>> >> >> \\domain.name\sysvol and netlogon accessible no problems.
>> >> >>
>> >> >> \\domain.name\dfs   Access denied again? "Network path cannot be found...", 0x8xxxyy35?
>> >> >>
>> >> >> \\server1.domain.name\dfs  works, but someshare not.
>> >> >> \\server1.domain.name\dfs\someshare
>> >> >>
>> >> >> my steps.
>> >> >>
>> >> >> mkdir -p /export/dfsroot
>> >> >> chown root:root /export/dfsroot
>> >> >> chmod 755 /export/dfsroot
>> >> >> ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare
>> >> >>
>> >> >> also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare
>> >> >>
>> >> >>
>> >> >> smbclient //localhost/dfs  -U 'administrator'
>> >> >> cd someshare
>> >> >>
>> >> >> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
>> >> >> Unable to follow dfs referral [\mem1.internal.domain.tld\]
>> >> >> cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME
>> >> >>
>> >> >> so far for me..
>> >> >>
>> >> >> found this one
>> >> >> https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
>> >> >> so i think this is not fixed yet...
>> >> >> there is a patch in this link, but since I'm on sernet I'm not trying the patch.
>> >> >
>> >> > Yeah, thanks Louis.
>> >> > This is looking more and more like a time consuming, undocumented
>> >> > dead end. I'm really tempted to drop it at this point and spend
>> >> > the time on a proper cluster instead. I get the feeling that this
>> >> > was always going to be second best, and it only works with windows clients anyway.
>> >> > Cheers,
>> >> > Steve
>> >> >
>> >>
>> >> Steve, have you done any testing with smbclient? I noticed that
>> >> you've got 'kerberos method = system keytab' in altea's smb.conf.
>> >>
>> >> smbclient -k -U administrator //hh3.site/dfs/users (-k for kerberos)
>> >
>> > Hi Davor
>> > You can't test domain dfs with smbclient because it requires a cifs
>> > mount. cifs will only work if you specify a specific server:
>> >
>> > smbclient -k -U Administrator //hh3.site/dfs
>> > ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/hh3.site at SITE (Server not found in Kerberos database)
>> > cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server not found in Kerberos database
>> > session setup failed: NT_STATUS_UNSUCCESSFUL
>> >
>> > This of course presents no problem:
>> > smbclient -k -U Administrator //hh16.hh3.site/dfs
>> > Domain=[HH3] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-55c279f]
>> > smb: \>
>> >
>> > and we can go on to access the share on altea fine.
>> > Cheers,
>> > Steve
>> >
>> >
>>
>> I think you're wrong.
>>
>> From member server vastraaros:
>> admind at vastraaros:~$ smbclient //hem.vusir.se/files -U davor
>> WARNING: The "idmap backend" option is deprecated
>> WARNING: The "idmap uid" option is deprecated
>> WARNING: The "idmap gid" option is deprecated
>> Enter davor's password:
>> Domain=[VUSIR] OS=[Unix] Server=[Samba 4.1.9]
>> smb: \> pwd
>> Current directory is \\hem.vusir.se\files\
>> smb: \> ls
>>   .                                   D        0  Mon Jun 30 20:18:22 2014
>>   ..                                  D        0  Fri Jun 27 05:51:19 2014
>>   home                                D        0  Fri Jun 27 19:26:33 2014
>>   familjen                            D        0  Fri Jun 27 19:26:07 2014
>>                 56212 blocks of size 1048576. 50192 blocks available
>> smb: \> cd home\davor
>> smb: \home\davor\> ls
>>   .                                   D        0  Wed Apr 23 07:57:52 2014
>>   ..                                  D        0  Thu Jun 26 22:29:37 2014
>>   _aaa                                D        0  Sun Oct 20 10:16:27 2013
>>   Links                              DR        0  Mon Jun 30 21:03:55 2014
>>   AppData                             D        0  Wed Apr 23 16:15:30 2014
>>   .bash_history                       H       50  Sun Mar 30 21:45:16 2014
>>   .viminfo                            H     1745  Mon Apr  7 05:58:08 2014
>>   Documents                          DR        0  Mon Jun 30 21:03:54 2014
>>   Contacts                           DR        0  Mon Jun 30 21:03:54 2014
>>   Desktop                            DR        0  Mon Jun 30 21:03:54 2014
>>   Searches                           DR        0  Mon Jun 30 21:03:54 2014
>>   Favorites                          DR        0  Mon Jun 30 21:03:54 2014
>>                 50364 blocks of size 4194304. 27720 blocks available
>> smb: \home\davor\> pwd
>> Current directory is \\hem.vusir.se\files\home\davor\
>> smb: \home\davor\> listconnect
>> 0:      server=hem.vusir.se, share=files
>> smb: \home\davor\>
>>
>> Regards
>> Davor
>
> On our config it treats the domain as the name of the server! Anyway, thanks for your time. We can't spend any longer with this as we are looking for a solution.
> Thanks again,
> Steve
>
>

Added uid, uidnumber and gidNumber to every account and group.
Resulted in access denied to \\vusir.local\dfs\share and home
directory.

Commented 'idmap_ldb:use rfc2307 = yes'. No change.

Removed uid, uidNumber and gidNumber from relevant accounts and access
groups. No change.

Removed uid, uidNumber and gidNumber from all accounts and access
groups. No change.

Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.

A couple of restarts of the Windows 7 client, AD DC restarts and a
server reboot. Back in business.

Regards
Davor
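
Added example, not part of the thread or of Samba: a shell audit of an msdfs root such as the /export/dfsroot built in the quoted steps. It checks that the root is not group- or world-writable (anyone who can create symlinks there can create referrals) and that every entry is a symlink of the form msdfs:server\share[,server\share]. The function names are hypothetical, and a literal doubled backslash (the single-quoted '\\' variant quoted above) is reported because it leaves an empty path component.

```shell
#!/bin/sh
# Added example: sanity-check an msdfs root directory (not Samba code).

# check_msdfs_target TARGET
# Returns 0 if TARGET has the form msdfs:server\share[,server\share...]
check_msdfs_target() {
    case "$1" in msdfs:?*) rest=${1#msdfs:} ;; *) return 1 ;; esac
    while [ -n "$rest" ]; do
        ref=${rest%%,*}                          # first referral in the list
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        case "$ref" in *\\*) ;; *) return 1 ;; esac   # needs a backslash
        server=${ref%%\\*}                       # text before first backslash
        share=${ref#*\\}                         # text after first backslash
        [ -n "$server" ] && [ -n "$share" ] || return 1
        case "$share" in \\*) return 1 ;; esac   # doubled backslash
    done
    return 0
}

# audit_dfs_root DIR
# Prints one line per finding; the return value is the number of problems.
audit_dfs_root() {
    root=$1
    problems=0
    mode=$(ls -ld "$root" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*)                      # group or other write bit set
            printf 'WARN: %s is group/world writable (%s)\n' "$root" "$mode"
            problems=$((problems + 1)) ;;
    esac
    for entry in "$root"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ ! -L "$entry" ]; then
            printf 'INFO: %s is not a symlink\n' "$entry"
            continue
        fi
        target=$(readlink "$entry")
        if check_msdfs_target "$target"; then
            printf 'OK:   %s -> %s\n' "$entry" "$target"
        else
            printf 'WARN: %s -> %s is not msdfs:server\\share\n' "$entry" "$target"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage: sh audit_dfs.sh /export/dfsroot
if [ "$#" -gt 0 ]; then audit_dfs_root "$1"; fi
```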

