[Samba] domain-based DFS ?
steve
steve at steve-ss.com
Tue Jul 1 06:41:03 MDT 2014
On Tue, 2014-07-01 at 05:27 +0200, Davor Vusir wrote:
> 2014-06-30 19:48 GMT+02:00 steve <steve at steve-ss.com>:
> > On Mon, 2014-06-30 at 19:19 +0200, Davor Vusir wrote:
> >> 2014-06-30 17:08 GMT+02:00 steve <steve at steve-ss.com>:
> >> > On Mon, 2014-06-30 at 14:57 +0200, steve wrote:
> >> >> On Mon, 2014-06-30 at 14:51 +0200, steve wrote:
> >> >> > On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
> >> >> > > >> > To the [global] section on the AD DC I added
> >> >> > > >> > host msdfs = yes <- the trick?
> >> >> > > No, not in my opinion.
> >> >> > >
> >> >> > >
> >> >> > > These are the defaults on a DC:
> >> >> > > samba-tool testparm -vv | grep dfs
> >> >> > > host msdfs = Yes
> >> >> > >
> >> >> > >
> >> >> > > and member server:
> >> >> > > testparm -vv | grep dfs
> >> >> > > host msdfs = No
> >> >> > > msdfs root = No
> >> >> > > msdfs proxy =
> >> >> > >
> >> >> >
> >> >> > Hi it's this:
> >> >> > host msdfs = Yes
> >> >> > vfs objects = dfs_samba4 # plus whatever else you need
> >> >> > msdfs root = Yes
> >> >> >
> >> >> > HTH
> >> >> > Steve
> >> >> >
> >> >> >
> >> >> Oh, and the root has to be on the DC:(
> >> >>
> >> >>
> >> > Hi
> >> > Nah, false alarm.
> >> > DC:
> >> > [global]
> >> > workgroup = HH3
> >> > realm = HH3.SITE
> >> > netbios name = HH16
> >> > server role = active directory domain controller
> >> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> >> > drepl, winbind, ntp_signd, kcc, dnsupdate
> >> > host msdfs = Yes
> >> > vfs objects = dfs_samba4, acl_xattr
> >> >
> >> > [netlogon]
> >> > path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
> >> > read only = No
> >> >
> >> > [sysvol]
> >> > path = /usr/local/samba/var/locks/sysvol
> >> > read only = No
> >> >
> >> > [dfs]
> >> > path = /home/dfsroot
> >> > read only = No
> >> > msdfs root = Yes
> >> > vfs objects = acl_xattr
> >> >
> >> > hh16:/home/dfsroot # ls -l
> >> > total 0
> >> > lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
> >> >
> >> > The fileserver, altea is up and we can navigate to:
> >> > \\altea\users
> >> >
> >> > however:
> >> > \\hh3.site\dfs
> >> > and
> >> > \\hh3.site\dfs\users
> >> >
> >> > Gives us the infamous '...you may not have permission to access...'
> >> > popup.
> >> >
> >> Did you restart the Windows client?
> >
> > Yes.
> > \\hh16.hh3.site\dfs\users
> > works fine (hh16 is the DC with the dfs root) I get a security tab and a
> > DFS tab.
> >
> > \\hh3.site\dfs
> > Nothing: access denied
> >
> > \\hh3.site
> > shows the dfs folder which gives me a DFS tab but no security tab.
> >
> > I've tried giving Administrator access to /home/dfsroot at fs level (our
> > Administrator has uid:gid in AD) but still nada. I've tried giving
> > Administrator access to the same using the security tab as above. Nada.
> >
> > Not giving up just yet.
> > Any thoughts as you go through the day most welcome. I get the feeling
> > that not many have been this way before.
> > Cheers,
> > Steve
> >
> >>
> >> > Is this the acl stuff Davor was mentioning?
> >> > Thanks,
> >> > Steve
> >> >
> >> >
> A vague memory from one posting aeons ago just came to mind. If
> changes are made to the [global] section, Samba has to be restarted to
> activate the changes. Did you restart samba?
Hi
OK
I removed all the non default vfs objects, to leave this on the DC,
hh16.hh3.site

[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes

Here is the dfs link:
steve at hh16:/home/dfsroot> ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users

Here is the fileserver, altea.hh3.site

[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab

[users]
path = /home/users
read only = No

Restart samba DC then file server then an xp client.
We can browse to \\altea\users
but not to \\hh3.site\dfs\users

Here are the windows screenshots.
1. \\hh3.site
https://db.tt/3ksfq7qV
2. \\hh16.hh3.site
https://db.tt/9C8xtFnT

Conclusion: server dfs works, domain dfs doesn't. But do please tell us
we're wrong. Is there anything in our config we've missed?
Thanks,
Steve
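
An added example, not part of the original post and not Samba's own code: a small Python check that reads an smb.conf like the DC's above, reports the `host msdfs` value and every share marked `msdfs root = Yes`, and splits an `msdfs:` symlink target into its server and share. The function names and the trimmed sample config are assumptions made for illustration.

```python
import configparser

# Constructed sample: a trimmed copy of the DC's smb.conf from the post above.
SMB_CONF = """\
[global]
realm = HH3.SITE
server role = active directory domain controller
host msdfs = Yes

[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
"""

def is_yes(value):
    return (value or "").strip().lower() in ("yes", "true", "1")

def dfs_roots(conf_text):
    """Return ([global] 'host msdfs' value or None if unset,
    {share: path} for every share with 'msdfs root' enabled)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    host = cp.get("global", "host msdfs", fallback=None)
    roots = {s: cp.get(s, "path", fallback=None)
             for s in cp.sections()
             if s.lower() != "global"
             and is_yes(cp.get(s, "msdfs root", fallback=None))}
    return host, roots

def parse_msdfs_link(target):
    """Split a symlink target such as 'msdfs:altea\\users' into (server, share)
    pairs; alternates are comma-separated. Returns [] if not an msdfs link."""
    if not target.lower().startswith("msdfs:"):
        return []
    pairs = []
    for alt in target[6:].split(","):
        server, _, share = alt.strip().lstrip("\\").partition("\\")
        if server and share:
            pairs.append((server, share))
    return pairs

if __name__ == "__main__":
    host, roots = dfs_roots(SMB_CONF)
    print("host msdfs:", host, "| DFS roots:", roots)
    # On a live server the target would come from os.readlink() on each
    # entry under the DFS root path; here the link from the post is used.
    print(parse_msdfs_link("msdfs:altea\\users"))
```
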