[Samba] domain-based DFS ?

steve steve at steve-ss.com
Tue Jul 1 08:00:36 MDT 2014


On Tue, 2014-07-01 at 15:34 +0200, Davor Vusir wrote:
> 2014-07-01 14:41 GMT+02:00 steve <steve at steve-ss.com>:
> > On Tue, 2014-07-01 at 05:27 +0200, Davor Vusir wrote:
> >> 2014-06-30 19:48 GMT+02:00 steve <steve at steve-ss.com>:
> >> > On Mon, 2014-06-30 at 19:19 +0200, Davor Vusir wrote:
> >> >> 2014-06-30 17:08 GMT+02:00 steve <steve at steve-ss.com>:
> >> >> > On Mon, 2014-06-30 at 14:57 +0200, steve wrote:
> >> >> >> On Mon, 2014-06-30 at 14:51 +0200, steve wrote:
> >> >> >> > On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
> >> >> >> > > >> > To the [global] section on the AD DC I added
> >> >> >> > > >> > host msdfs = yes <- the trick?
> >> >> >> > > No, not in my opinion.
> >> >> >> > >
> >> >> >> > >
> >> >> >> > > These are the defaults on a DC:
> >> >> >> > > samba-tool testparm -vv | grep dfs
> >> >> >> > >         host msdfs = Yes
> >> >> >> > >
> >> >> >> > >
> >> >> >> > > and member server:
> >> >> >> > > testparm -vv | grep dfs
> >> >> >> > >         host msdfs = No
> >> >> >> > >         msdfs root = No
> >> >> >> > >         msdfs proxy =
> >> >> >> > >
> >> >> >> >
> >> >> >> > Hi it's this:
> >> >> >> > host msdfs = Yes
> >> >> >> > vfs objects = dfs_samba4 # plus whatever else you need
> >> >> >> > msdfs root = Yes
> >> >> >> >
> >> >> >> > HTH
> >> >> >> > Steve
> >> >> >> >
> >> >> >> >
> >> >> >> Oh, and the root has to be on the DC:(
> >> >> >>
> >> >> >>
> >> >> > Hi
> >> >> > Nah, false alarm.
> >> >> > DC:
> >> >> > [global]
> >> >> >         workgroup = HH3
> >> >> >         realm = HH3.SITE
> >> >> >         netbios name = HH16
> >> >> >         server role = active directory domain controller
> >> >> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> >> >> > drepl, winbind, ntp_signd, kcc, dnsupdate
> >> >> >         host msdfs = Yes
> >> >> >         vfs objects = dfs_samba4, acl_xattr
> >> >> >
> >> >> > [netlogon]
> >> >> >         path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
> >> >> >         read only = No
> >> >> >
> >> >> > [sysvol]
> >> >> >         path = /usr/local/samba/var/locks/sysvol
> >> >> >         read only = No
> >> >> >
> >> >> > [dfs]
> >> >> >         path = /home/dfsroot
> >> >> >         read only = No
> >> >> >         msdfs root = Yes
> >> >> >         vfs objects = acl_xattr
> >> >> >
> >> >> > hh16:/home/dfsroot # ls -l
> >> >> > total 0
> >> >> > lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
> >> >> >
> >> >> > The fileserver, altea is up and we can navigate to:
> >> >> > \\altea\users
> >> >> >
> >> >> > however:
> >> >> > \\hh3.site\dfs
> >> >> > and
> >> >> > \\hh3.site\dfs\users
> >> >> >
> >> >> > Gives us the infamous '...you may not have permission to access...'
> >> >> > popup.
> >> >> >
> >> >> Did you restart the Windows client?
> >> >
> >> > Yes.
> >> > \\hh16.hh3.site\dfs\users
> >> > works fine (hh16 is the DC with the dfs root) I get a security tab and a
> >> > DFS tab.
> >> >
> >> > \\hh3.site\dfs
> >> > Nothing: access denied
> >> >
> >> > \\hh3.site
> >> > shows the dfs folder which gives me a DFS tab but no security tab.
> >> >
> >> > I've tried giving Administrator access to /home/dfsroot as fs level (our
> >> > Administrator has uid:gid in AD) but still nada. I've tried giving
> >> > Administrator access to the same using the security tab as above. Nada.
> >> >
> >> > Not giving up just yet.
> >> > Any thoughts as you go through the day most welcome. I get the feeling
> >> > that not many have been this way before.
> >> > Cheers,
> >> > Steve
> >> >
> >> >>
> >> >> > Is this the acl stuff Davor was mentioning?
> >> >> > Thanks,
> >> >> > Steve
> >> >> >
> >> >> >
> >> A vague memory from one posting aeons ago just came to mind. If
> >> changes are made to the [global] section, Samba has to be restarted to
> >> activate the changes. Did you restart samba?
> >
> > Hi
> > OK
> > I removed all the non default vfs objects, to leave this on the DC,
> > hh16.hh3.site
> >
> > [global]
> >         workgroup = HH3
> >         realm = HH3.SITE
> >         netbios name = HH16
> >         server role = active directory domain controller
> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl, winbind, ntp_signd, kcc, dnsupdate
> >         host msdfs = Yes
> >
> > [netlogon]
> >         path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> >
> > [dfs]
> >         path = /home/dfsroot
> >         read only = No
> >         msdfs root = Yes
> >
> > Here is the dfs link:
> >
> > steve at hh16:/home/dfsroot> ls -l
> > total 0
> > lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
> >
> 
> I used fqdn: ln -s msdfs:altea.hh3.site\\users users
> 
> > Here is the fileserver, altea.hh3.site
> > [global]
> > workgroup = HH3
> > realm = HH3.SITE
> > security = ADS
> > kerberos method = system keytab
> >
> > [users]
> > path = /home/users
> > read only = No
> >
> > Restart samba DC then file server then an xp client.
> > We can browse to \\altea\users
> > but not to \\hh3.site\dfs\users
> >
> What is the error? Access denied again? "Network path cannot be
> found...", 0x8xxxyy35?
\\hh3.site\dfs is not accessible. You might not have permission...The
network name cannot be found.

> Can you browse to \\hh3.site\netlogon and \\hh3.site\sysvol?
Yes.

> 
> > Here are the windows screenshots.
> > 1. \\hh3.site
> > https://db.tt/3ksfq7qV
> >
> > 2. \\hh16.hh3.site
> > https://db.tt/9C8xtFnT
> >
> > Conclusion: server dfs works, domain dfs doesn't. But do please tell us
> > we're wrong. Is there anything in our config we've missed?
> >
> > Thanks,
> > Steve
> >
> >
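
An added example, not part of the original thread: a shell function that lists the msdfs links in a DFS root and marks each referral target as a short host name or an FQDN, which is the one difference between the two link styles posted above. The function name `msdfs_audit` and the throwaway demo directory are constructed for illustration; whether the name form affects domain-based referrals is not settled on this page.

```shell
#!/bin/sh
# msdfs_audit DIR: report every msdfs referral found in a DFS root directory.
# One output line per target: "<link> <server> <share> <fqdn|short>"
msdfs_audit() {
    root=$1
    for entry in "$root"/*; do
        [ -L "$entry" ] || continue              # DFS links are symlinks
        target=$(readlink "$entry")
        case $target in
            msdfs:*) ;;                          # only msdfs referrals
            *) continue ;;                       # ordinary symlink, skip
        esac
        rest=${target#msdfs:}
        # A link may list several comma-separated alternative targets.
        while [ -n "$rest" ]; do
            alt=${rest%%,*}
            case $rest in
                *,*) rest=${rest#*,} ;;
                *)   rest= ;;
            esac
            server=${alt%%\\*}                   # text before the first backslash
            share=${alt#*\\}                     # text after it
            case $server in
                *.*) kind=fqdn ;;
                *)   kind=short ;;
            esac
            printf '%s %s %s %s\n' "${entry##*/}" "$server" "$share" "$kind"
        done
    done
}

# Constructed sample: a temporary DFS root holding the two link styles
# shown in the thread (short name and FQDN).
demo_root=$(mktemp -d)
ln -s 'msdfs:altea\users' "$demo_root/users"
ln -s 'msdfs:altea.hh3.site\users' "$demo_root/users_fqdn"
msdfs_audit "$demo_root"
rm -rf "$demo_root"
```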



