[Samba] Domain DFS on new share

Jonathan Hunter jmhunter1 at gmail.com
Thu Apr 20 23:09:25 UTC 2017


I am trying to configure domain DFS (I think that's the correct term)
as below, using the guide on the wiki:

I am aware that the wiki says that this doesn't quite work... however
it feels to me that it's very close, nearly working, and I might be
able to get it going (hopefully?!) by means of a simple fix.. I can
dream, can't I?

My goal is not to enable DFS-R (that's a whole other conversation -
and I use lsyncd for sysvol etc. at the moment, anyway) but rather to
simply use the redirection features so that (for example)
\\mydomain\dfs\publishedshare goes to \\myserver\realshare.

My setup is as follows.

On each of my four DCs, I have added the following to smb.conf:

        [dfs]
        path = /usr/local/samba/dfsroot
        msdfs root = Yes

And in /usr/local/samba/dfsroot, again on all four DCs, I have a symlink:
lrwxrwxrwx  1 root root   38 Apr 15 01:14 test ->

The DCs already have the following (confirmed using testparm):

        vfs objects = dfs_samba4 acl_xattr

This new 'dfs' share works fine from my test Windows 7 and Windows 10
clients, if I access it via \\dc1\dfs, \\dc1\dfs\test, \\dc2\dfs\test,
\\dc3\dfs and so on.

However, if I access the very same share via \\mydomain\dfs or
\\mydomain\dfs\test instead, then it fails with the following error:
Windows cannot access \\mydomain\dfs. Error code 0x80070035 The
network path was not found.

Interestingly, accessing "smb://mydomain/dfs/test" from my Mac mini
does work perfectly well - it just seems to be Windows that has an
issue with it.

I don't think it is anything to do with the contents of the dfsroot
directory on the server at all, because Windows doesn't even get as
far as showing me \\mydomain\dfs as an empty directory or similar; it
just fails with the error above every time.

My theory is that there is clearly something different about 'domain
DFS' when accessed as \\domain\share rather than directly as
\\dc\share - but I haven't yet been able to track down exactly what it
is, and what I might be able to do in order to fix it. It does work
for sysvol, after all..

The closest I could find was this old post from 2013, but I couldn't
find mention of a resolution.

There is a Microsoft KB article that makes mention of domain DFS using
entries in AD to control DFS, but I am pretty sure that's a
MS-specific thing - sysvol does work perfectly well as
\\mydomain\sysvol, and there is nothing in my AD in the DFS
configuration part at all. (I haven't looked at a real MS AD setup to
compare, admittedly)

FWIW, all my DCs are on 4.6.0, and the Mac Mini that works is running
OSX 10.10.5. The Windows machines failing are fully-patched Windows 7
Pro and Windows 10 Pro.

Has anybody got this to work - or can offer any pointers for what I
might be able to try next?



"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
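
Added example, not part of the original post: because a client resolving \\mydomain\dfs may be answered by any of the DCs, each DC's DFS root should hold the same referral links. This Python sketch parses msdfs symlink targets and reports links that differ between roots; it assumes the `msdfs:server\share[,server\share]` target format from the smb.conf documentation, and the function names and sample directories are constructed for illustration.

```python
import os
import tempfile

PREFIX = "msdfs:"  # assumed link format: msdfs:server\share[,server\share...]

def parse_msdfs_target(target):
    """Return [(server, share), ...] for an msdfs symlink target, else None."""
    if not target.startswith(PREFIX):
        return None
    referrals = []
    for alt in target[len(PREFIX):].split(","):
        # Accept either path separator and ignore leading separators.
        parts = [p for p in alt.replace("/", "\\").split("\\") if p]
        if len(parts) < 2:
            return None  # a referral needs at least a server and a share
        referrals.append((parts[0].lower(), "\\".join(parts[1:])))
    return referrals

def audit_dfs_root(root):
    """Map each entry in a DFS root to its referrals (None if not a well-formed msdfs link)."""
    result = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.islink(path):
            result[name] = parse_msdfs_target(os.readlink(path))
        else:
            result[name] = None  # ordinary file or directory, served as-is
    return result

def compare_roots(roots):
    """Return entry names whose referrals differ between DFS roots (one root per DC)."""
    audits = [audit_dfs_root(r) for r in roots]
    names = set().union(*audits)
    return sorted(n for n in names if len({repr(a.get(n)) for a in audits}) > 1)

def demo():
    # Constructed sample: two stand-in DFS roots, the second with a mismatched link.
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        os.symlink("msdfs:myserver\\realshare", os.path.join(a, "publishedshare"))
        os.symlink("msdfs:otherserver\\realshare", os.path.join(b, "publishedshare"))
        return audit_dfs_root(a), compare_roots([a, b])

if __name__ == "__main__":
    print(demo())
```

To audit real roots, copy or mount each DC's DFS root directory locally and pass the paths to `compare_roots`.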
