[Samba] domain-based DFS ?

Davor Vusir davortvusir at gmail.com
Tue Jul 1 07:34:55 MDT 2014


2014-07-01 14:41 GMT+02:00 steve <steve at steve-ss.com>:
> On Tue, 2014-07-01 at 05:27 +0200, Davor Vusir wrote:
>> 2014-06-30 19:48 GMT+02:00 steve <steve at steve-ss.com>:
>> > On Mon, 2014-06-30 at 19:19 +0200, Davor Vusir wrote:
>> >> 2014-06-30 17:08 GMT+02:00 steve <steve at steve-ss.com>:
>> >> > On Mon, 2014-06-30 at 14:57 +0200, steve wrote:
>> >> >> On Mon, 2014-06-30 at 14:51 +0200, steve wrote:
>> >> >> > On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
>> >> >> > > >> > To the [global] section on the AD DC I added
>> >> >> > > >> > host msdfs = yes <- the trick?
>> >> >> > > No, not in my opinion.
>> >> >> > >
>> >> >> > >
>> >> >> > > These are the defaults on a DC:
>> >> >> > > samba-tool testparm -vv | grep dfs
>> >> >> > >         host msdfs = Yes
>> >> >> > >
>> >> >> > >
>> >> >> > > and member server:
>> >> >> > > testparm -vv | grep dfs
>> >> >> > >         host msdfs = No
>> >> >> > >         msdfs root = No
>> >> >> > >         msdfs proxy =
>> >> >> > >
>> >> >> >
>> >> >> > Hi it's this:
>> >> >> > host msdfs = Yes
>> >> >> > vfs objects = dfs_samba4 # plus whatever else you need
>> >> >> > msdfs root = Yes
>> >> >> >
>> >> >> > HTH
>> >> >> > Steve
>> >> >> >
>> >> >> >
>> >> >> Oh, and the root has to be on the DC:(
>> >> >>
>> >> >>
>> >> > Hi
>> >> > Nah, false alarm.
>> >> > DC:
>> >> > [global]
>> >> >         workgroup = HH3
>> >> >         realm = HH3.SITE
>> >> >         netbios name = HH16
>> >> >         server role = active directory domain controller
>> >> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>> >> >         host msdfs = Yes
>> >> >         vfs objects = dfs_samba4, acl_xattr
>> >> >
>> >> > [netlogon]
>> >> >         path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
>> >> >         read only = No
>> >> >
>> >> > [sysvol]
>> >> >         path = /usr/local/samba/var/locks/sysvol
>> >> >         read only = No
>> >> >
>> >> > [dfs]
>> >> >         path = /home/dfsroot
>> >> >         read only = No
>> >> >         msdfs root = Yes
>> >> >         vfs objects = acl_xattr
>> >> >
>> >> > hh16:/home/dfsroot # ls -l
>> >> > total 0
>> >> > lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
>> >> >
>> >> > The fileserver, altea is up and we can navigate to:
>> >> > \\altea\users
>> >> >
>> >> > however:
>> >> > \\hh3.site\dfs
>> >> > and
>> >> > \\hh3.site\dfs\users
>> >> >
>> >> > Gives us the infamous '...you may not have permission to access...'
>> >> > popup.
>> >> >
>> >> Did you restart the Windows client?
>> >
>> > Yes.
>> > \\hh16.hh3.site\dfs\users
>> > works fine (hh16 is the DC with the dfs root) I get a security tab and a
>> > DFS tab.
>> >
>> > \\hh3.site\dfs
>> > Nothing: access denied
>> >
>> > \\hh3.site
>> > shows the dfs folder which gives me a DFS tab but no security tab.
>> >
>> > I've tried giving Administrator access to /home/dfsroot at fs level (our
>> > Administrator has uid:gid in AD) but still nada. I've tried giving
>> > Administrator access to the same using the security tab as above. Nada.
>> >
>> > Not giving up just yet.
>> > Any thoughts as you go through the day most welcome. I get the feeling
>> > that not many have been this way before.
>> > Cheers,
>> > Steve
>> >
>> >>
>> >> > Is this the acl stuff Davor was mentioning?
>> >> > Thanks,
>> >> > Steve
>> >> >
>> >> >
>> A vague memory from one posting aeons ago just came to mind. If
>> changes are made to the [global] section, Samba has to be restarted to
>> activate the changes. Did you restart samba?
>
> Hi
> OK
> I removed all the non default vfs objects, to leave this on the DC,
> hh16.hh3.site
>
> [global]
>         workgroup = HH3
>         realm = HH3.SITE
>         netbios name = HH16
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>         host msdfs = Yes
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> [dfs]
>         path = /home/dfsroot
>         read only = No
>         msdfs root = Yes
>
> Here is the dfs link:
>
> steve at hh16:/home/dfsroot> ls -l
> total 0
> lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
>

I used fqdn: ln -s msdfs:altea.hh3.site\\users users

> Here is the fileserver, altea.hh3.site
> [global]
> workgroup = HH3
> realm = HH3.SITE
> security = ADS
> kerberos method = system keytab
>
> [users]
> path = /home/users
> read only = No
>
> Restart samba DC, then file server, then an XP client.
> We can browse to \\altea\users
> but not to \\hh3.site\dfs\users
>
What is the error? Access denied again? "Network path cannot be
found...", 0x8xxxyy35?
Can you browse to \\hh3.site\netlogon and \\hh3.site\sysvol?

> Here are the windows screenshots.
> 1. \\hh3.site
> https://db.tt/3ksfq7qV
>
> 2. \\hh16.hh3.site
> https://db.tt/9C8xtFnT
>
> Conclusion: server dfs works, domain dfs doesn't. But do please tell us
> we're wrong. Is there anything in our config we've missed?
>
> Thanks,
> Steve
>
>
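
Added example, not part of the original message: a POSIX shell check of the msdfs symlinks in a DFS root, covering the two link forms shown in this thread (short server name and FQDN) and the case where an unquoted backslash is consumed by the shell when the link is created. The function names and the temporary directory are constructed for illustration, and treating a dotted server name as an FQDN is an assumption.

```shell
# classify_target TARGET: print "fqdn", "short" or "invalid" for a symlink
# target of the form msdfs:server\share[,server\share...].
classify_target() {
    case $1 in msdfs:?*) ;; *) echo invalid; return 0 ;; esac
    rest=${1#msdfs:}
    result=fqdn
    while [ -n "$rest" ]; do
        ref=${rest%%,*}                      # next comma-separated referral
        case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        case $ref in
            ?*\\?*) ;;                       # server, backslash, share
            *) result=invalid; break ;;
        esac
        case ${ref%%\\*} in                  # server part of the referral
            *.*) ;;                          # assumption: dotted name = FQDN
            *) result=short ;;
        esac
    done
    echo "$result"
}

# audit_dfs_root DIR: print "name<TAB>target<TAB>class" for every symlink;
# return 1 if any link is not class "fqdn".
audit_dfs_root() {
    status=0
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        class=$(classify_target "$target")
        printf '%s\t%s\t%s\n' "${link##*/}" "$target" "$class"
        [ "$class" = fqdn ] || status=1
    done
    return "$status"
}

# Constructed sample: a throwaway DFS root with the link forms from the thread.
make_demo_root() {
    d=$(mktemp -d)
    ln -s 'msdfs:altea\users' "$d/users"               # short name, quoted
    ln -s msdfs:altea.hh3.site\\users "$d/users_fqdn"  # FQDN, escaped backslash
    ln -s msdfs:altea\users "$d/users_unquoted"        # shell eats the backslash
    printf '%s\n' "$d"
}

demo_root=$(make_demo_root)
audit_dfs_root "$demo_root" || echo "review links marked short or invalid"
rm -rf "$demo_root"
```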

