[Samba] domain-based DFS ?

Rowland Penny rowlandpenny at googlemail.com
Tue Jul 1 08:02:41 MDT 2014


On 01/07/14 15:00, steve wrote:
> On Tue, 2014-07-01 at 15:34 +0200, Davor Vusir wrote:
>> 2014-07-01 14:41 GMT+02:00 steve <steve at steve-ss.com>:
>>> On Tue, 2014-07-01 at 05:27 +0200, Davor Vusir wrote:
>>>> 2014-06-30 19:48 GMT+02:00 steve <steve at steve-ss.com>:
>>>>> On Mon, 2014-06-30 at 19:19 +0200, Davor Vusir wrote:
>>>>>> 2014-06-30 17:08 GMT+02:00 steve <steve at steve-ss.com>:
>>>>>>> On Mon, 2014-06-30 at 14:57 +0200, steve wrote:
>>>>>>>> On Mon, 2014-06-30 at 14:51 +0200, steve wrote:
>>>>>>>>> On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
>>>>>>>>>>>>> To the [global] section on the AD DC I added
>>>>>>>>>>>>> host msdfs = yes <- the trick?
>>>>>>>>>> No, not in my opinion.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> These are the defaults on a DC:
>>>>>>>>>> samba-tool testparm -vv | grep dfs
>>>>>>>>>>          host msdfs = Yes
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> and member server:
>>>>>>>>>> testparm -vv | grep dfs
>>>>>>>>>>          host msdfs = No
>>>>>>>>>>          msdfs root = No
>>>>>>>>>>          msdfs proxy =
>>>>>>>>>>
>>>>>>>>> Hi it's this:
>>>>>>>>> host msdfs = Yes
>>>>>>>>> vfs objects = dfs_samba4 # plus whatever else you need
>>>>>>>>> msdfs root = Yes
>>>>>>>>>
>>>>>>>>> HTH
>>>>>>>>> Steve
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Oh, and the root has to be on the DC:(
>>>>>>>>
>>>>>>>>
>>>>>>> Hi
>>>>>>> Nah, false alarm.
>>>>>>> DC:
>>>>>>> [global]
>>>>>>>          workgroup = HH3
>>>>>>>          realm = HH3.SITE
>>>>>>>          netbios name = HH16
>>>>>>>          server role = active directory domain controller
>>>>>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>>>          host msdfs = Yes
>>>>>>>          vfs objects = dfs_samba4, acl_xattr
>>>>>>>
>>>>>>> [netlogon]
>>>>>>>          path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
>>>>>>>          read only = No
>>>>>>>
>>>>>>> [sysvol]
>>>>>>>          path = /usr/local/samba/var/locks/sysvol
>>>>>>>          read only = No
>>>>>>>
>>>>>>> [dfs]
>>>>>>>          path = /home/dfsroot
>>>>>>>          read only = No
>>>>>>>          msdfs root = Yes
>>>>>>>          vfs objects = acl_xattr
>>>>>>>
>>>>>>> hh16:/home/dfsroot # ls -l
>>>>>>> total 0
>>>>>>> lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
>>>>>>>
>>>>>>> The fileserver, altea is up and we can navigate to:
>>>>>>> \\altea\users
>>>>>>>
>>>>>>> however:
>>>>>>> \\hh3.site\dfs
>>>>>>> and
>>>>>>> \\hh3.site\dfs\users
>>>>>>>
>>>>>>> Gives us the infamous '...you may not have permission to access...'
>>>>>>> popup.
>>>>>>>
>>>>>> Did you restart the Windows client?
>>>>> Yes.
>>>>> \\hh16.hh3.site\dfs\users
>>>>> works fine (hh16 is the DC with the dfs root) I get a security tab and a
>>>>> DFS tab.
>>>>>
>>>>> \\hh3.site\dfs
>>>>> Nothing: access denied
>>>>>
>>>>> \\hh3.site
>>>>> shows the dfs folder which gives me a DFS tab but no security tab.
>>>>>
>>>>> I've tried giving Administrator access to /home/dfsroot at fs level (our
>>>>> Administrator has uid:gid in AD) but still nada. I've tried giving
>>>>> Administrator access to the same using the security tab as above. Nada.
>>>>>
>>>>> Not giving up just yet.
>>>>> Any thoughts as you go through the day most welcome. I get the feeling
>>>>> that not many have been this way before.
>>>>> Cheers,
>>>>> Steve
>>>>>
>>>>>>> Is this the acl stuff Davor was mentioning?
>>>>>>> Thanks,
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>> A vague memory from one posting aeons ago just came to mind. If
>>>> changes are made to the [global] section, Samba has to be restarted to
>>>> activate the changes. Did you restart samba?
>>> Hi
>>> OK
>>> I removed all the non default vfs objects, to leave this on the DC,
>>> hh16.hh3.site
>>> [global]
>>>          workgroup = HH3
>>>          realm = HH3.SITE
>>>          netbios name = HH16
>>>          server role = active directory domain controller
>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>          host msdfs = Yes
>>>
>>> [netlogon]
>>>          path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /usr/local/samba/var/locks/sysvol
>>>          read only = No
>>>
>>> [dfs]
>>>          path = /home/dfsroot
>>>          read only = No
>>>          msdfs root = Yes
>>>
>>> Here is the dfs link:
>>>
>>> steve at hh16:/home/dfsroot> ls -l
>>> total 0
>>> lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
>>>
>> I used fqdn: ln -s msdfs:altea.hh3.site\\users users
>>
>>> Here is the fileserver, altea.hh3.site
>>> [global]
>>> workgroup = HH3
>>> realm = HH3.SITE
>>> security = ADS
>>> kerberos method = system keytab
>>>
>>> [users]
>>> path = /home/users
>>> read only = No
>>>
>>> Restart samba DC then file server then an XP client.
>>> We can browse to \\altea\users
>>> but not to \\hh3.site\dfs\users
>>>
>> What is the error? Access denied again? "Network path cannot be
>> found...", 0x8xxxyy35?
> \\hh3.site\dfs is not accessible. You might not have permission...The
> network name cannot be found.
>
>> Can you browse to \\hh3.site\netlogon and \\hh3.site\sysvol?
> Yes.
>
>>> Here are the windows screenshots.
>>> 1. \\hh3.site
>>> https://db.tt/3ksfq7qV
>>>
>>> 2. \\hh16.hh3.site
>>> https://db.tt/9C8xtFnT
>>>
>>> Conclusion: server dfs works, domain dfs doesn't. But do please tell us
>>> we're wrong. Is there anything in our config we've missed?
>>>
>>> Thanks,
>>> Steve
>>>
>>>
>
Er, I don't know if this will help, but have a look here:
http://markparris.co.uk/2010/03/19/configure-dfs-namepaces-to-use-fully-qualified-domain-names-its-not-the-default/

Just something I chanced on

HTH

Rowland
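
Added example, not part of the original post and not Samba's own tooling: the thread contrasts a DFS link that names the file server by short name (`msdfs:altea\users`) with the FQDN form Davor used, and the linked article concerns FQDN referrals. The script below lists every msdfs link in a DFS root and marks targets whose server name has no dot; the function name `audit_dfs_root` and the temporary demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the msdfs links in a DFS root.
# Prints one line per referral target: STATUS LINK SERVER SHARE, where STATUS
# is SHORT for a dot-less server name and DOTTED for an FQDN (or IP address).
audit_dfs_root() {
    for link in "$1"/*; do
        [ -L "$link" ] || continue          # msdfs links are symlinks
        target=$(readlink "$link")
        case $target in
            msdfs:*) rest=${target#msdfs:} ;;
            *) continue ;;                  # ordinary symlink, not a referral
        esac
        # A link may list alternates: msdfs:srvA\share,srvB\share
        while [ -n "$rest" ]; do
            alt=${rest%%,*}
            case $rest in
                *,*) rest=${rest#*,} ;;
                *)   rest= ;;
            esac
            server=${alt%%\\*}              # text before the first backslash
            share=${alt#*\\}                # text after it
            case $server in
                *.*) status=DOTTED ;;
                *)   status=SHORT ;;
            esac
            printf '%s %s %s %s\n' "$status" "${link##*/}" "$server" "$share"
        done
    done
}

# Constructed demo: a throwaway DFS root holding the two link forms from the
# thread (short name as in steve's listing, FQDN as in Davor's reply).
demo_root=$(mktemp -d)
ln -s 'msdfs:altea\users' "$demo_root/users"
ln -s 'msdfs:altea.hh3.site\users' "$demo_root/users_fqdn"
audit_dfs_root "$demo_root"
rm -rf "$demo_root"
```

On a real DC the function would be pointed at the share's `path`, for example `/home/dfsroot` from the `[dfs]` section quoted above.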


