[Samba] AD+DFS+Samba flakiness

Carl Wilhelm Soderstrom chrome at real-time.com
Wed Mar 5 08:27:59 MST 2014

We have a situation at a couple of completely unrelated locations, where
there is an Active Directory server (Windows 2008R2) hosting a DFS tree, but
the back end is a collection of Samba servers hosting the files (Samba 3.6.3
on Ubuntu 12.04).

Every now and then users will get 'access denied' messages when trying to
browse shares under the DFS tree.

If they go directly to the share on the Samba server, they generally can get
their files just fine.

One location has occasional issues with winbind on the Samba servers
'hanging' while trying to query the AD server, but I think this is
unrelated. (Subject for another post).

I'd like some confirmation from people who understand the workings of the
authentication systems involved, whether this occasional DFS flakiness is
*certainly* a problem with the Windows server, or if there's any way in
which the Samba servers might be related to the problem.

When a client queries a MS DFS tree, does the Windows server do any sort of
authentication checking to see if that user is allowed to access a given DFS
share; and if so, does the DFS server query the AD server, or does it query
the backend server actually serving up that share?

Could there be a problem with a trust relationship between the DFS or AD
server and the Samba server, which would give the DFS server a false belief
that the user is denied access?

Carl Soderstrom
Systems Administrator
Real-Time Enterprises
