[Samba] domain-based DFS ?

steve steve at steve-ss.com
Tue Jul 1 06:41:03 MDT 2014


On Tue, 2014-07-01 at 05:27 +0200, Davor Vusir wrote:
> 2014-06-30 19:48 GMT+02:00 steve <steve at steve-ss.com>:
> > On Mon, 2014-06-30 at 19:19 +0200, Davor Vusir wrote:
> >> 2014-06-30 17:08 GMT+02:00 steve <steve at steve-ss.com>:
> >> > On Mon, 2014-06-30 at 14:57 +0200, steve wrote:
> >> >> On Mon, 2014-06-30 at 14:51 +0200, steve wrote:
> >> >> > On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
> >> >> > > >> > To the [global] section on the AD DC I added
> >> >> > > >> > host msdfs = yes <- the trick?
> >> >> > > No, not in my opinion.
> >> >> > >
> >> >> > >
> >> >> > > These are the defaults on a DC:
> >> >> > > samba-tool testparm -vv | grep dfs
> >> >> > >         host msdfs = Yes
> >> >> > >
> >> >> > >
> >> >> > > and member server:
> >> >> > > testparm -vv | grep dfs
> >> >> > >         host msdfs = No
> >> >> > >         msdfs root = No
> >> >> > >         msdfs proxy =
> >> >> > >
> >> >> >
> >> >> > Hi it's this:
> >> >> > host msdfs = Yes
> >> >> > vfs objects = dfs_samba4 # plus whatever else you need
> >> >> > msdfs root = Yes
> >> >> >
> >> >> > HTH
> >> >> > Steve
> >> >> >
> >> >> >
> >> >> Oh, and the root has to be on the DC:(
> >> >>
> >> >>
> >> > Hi
> >> > Nah, false alarm.
> >> > DC:
> >> > [global]
> >> >         workgroup = HH3
> >> >         realm = HH3.SITE
> >> >         netbios name = HH16
> >> >         server role = active directory domain controller
> >> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> >> >         host msdfs = Yes
> >> >         vfs objects = dfs_samba4, acl_xattr
> >> >
> >> > [netlogon]
> >> >         path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
> >> >         read only = No
> >> >
> >> > [sysvol]
> >> >         path = /usr/local/samba/var/locks/sysvol
> >> >         read only = No
> >> >
> >> > [dfs]
> >> >         path = /home/dfsroot
> >> >         read only = No
> >> >         msdfs root = Yes
> >> >         vfs objects = acl_xattr
> >> >
> >> > hh16:/home/dfsroot # ls -l
> >> > total 0
> >> > lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
> >> >
> >> > The fileserver, altea is up and we can navigate to:
> >> > \\altea\users
> >> >
> >> > however:
> >> > \\hh3.site\dfs
> >> > and
> >> > \\hh3.site\dfs\users
> >> >
> >> > Gives us the infamous '...you may not have permission to access...'
> >> > popup.
> >> >
> >> Did you restart the Windows client?
> >
> > Yes.
> > \\hh16.hh3.site\dfs\users
> > works fine (hh16 is the DC with the dfs root) I get a security tab and a
> > DFS tab.
> >
> > \\hh3.site\dfs
> > Nothing: access denied
> >
> > \\hh3.site
> > shows the dfs folder which gives me a DFS tab but no security tab.
> >
> > I've tried giving Administrator access to /home/dfsroot as fs level (our
> > Administrator has uid:gid in AD) but still nada. I've tried giving
> > Administrator access to the same using the security tab as above. Nada.
> >
> > Not giving up just yet.
> > Any thoughts as you go through the day most welcome. I get the feeling
> > that not many have been this way before.
> > Cheers,
> > Steve
> >
> >>
> >> > Is this the acl stuff Davor was mentioning?
> >> > Thanks,
> >> > Steve
> >> >
> >> >
> A vague memory from one posting aeons ago just came to mind. If
> changes are made to the [global] section, Samba has to be restarted to
> activate the changes. Did you restart samba?

Hi
OK
I removed all the non-default vfs objects, to leave this on the DC,
hh16.hh3.site
[global]
        workgroup = HH3
        realm = HH3.SITE
        netbios name = HH16
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        host msdfs = Yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[dfs]
        path = /home/dfsroot
        read only = No
        msdfs root = Yes

Here is the dfs link:

steve@hh16:/home/dfsroot> ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users

Here is the fileserver, altea.hh3.site
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab

[users]
path = /home/users
read only = No

Restart samba DC, then file server, then an XP client.
We can browse to \\altea\users
but not to \\hh3.site\dfs\users

Here are the Windows screenshots.
1. \\hh3.site
https://db.tt/3ksfq7qV

2. \\hh16.hh3.site
https://db.tt/9C8xtFnT

Conclusion: server dfs works, domain dfs doesn't. But do please tell us
we're wrong. Is there anything in our config we've missed?

Thanks,
Steve



