[Samba] domain-based DFS ?


Klaus Hartnegg
Jun 29, 2014, 5:19:04 PM

On 28.06.2014 09:38, Davor Vusir wrote:
> Domainbased DFS works.

How? I can only find descriptions for stand-alone DFS, no mention of
domain-based DFS in Samba anywhere. It works with SYSVOL, but it seems to
be impossible to configure my own DFS names like this.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve
Jun 29, 2014, 5:40:04 PM

On Sun, 2014-06-29 at 23:19 +0200, Klaus Hartnegg wrote:
> On 28.06.2014 09:38, Davor Vusir wrote:
> > Domainbased DFS works.
>
> How? I can only find descriptions for stand-alone DFS, no mention of
> domainbased DFS in Samba anywhere. It works with SYSVOL, but it seems to
> be impossible to configure own DFS names like this.
>
+1
sysvol and netlogon work on the DC as:
\\domain\sysvol
but not if we add our own share.

But we don't want to use the DC as a file server anyway. Only server
name dfs is possible anywhere else but even then it only works for the
first server specified.

Do we have any guidelines as to what to expect for dfs on samba?
Thanks,
Steve

Davor Vusir
Jun 30, 2014, 2:23:48 AM

2014-06-29 23:19 GMT+02:00 Klaus Hartnegg <hart...@gmx.de>:
> On 28.06.2014 09:38, Davor Vusir wrote:
>>
>> Domainbased DFS works.
>
>
> How? I can only find descriptions for stand-alone DFS, no mention of
> domainbased DFS in Samba anywhere. It works with SYSVOL, but it seems to be
> impossible to configure own DFS names like this.
>


AD DC: ostraaros.vusir.local
File server: vastraaros.vusir.local

To the [global] section on the AD DC I added
host msdfs = yes <- the trick?

Created a share definition block for the DFS:
[files]
path = /data/files
comment = "Här finns allt!" <- 'Everything is here!' in Swedish.
read only = No
msdfs root = yes

Created links according to
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/msdfs.html:
admind@ostraaros:~$ ls -l /data/files/
total 0
lrwxrwxrwx 1 root root 39 Jun 29 13:32 demoshare -> msdfs:vastraaros.vusir.local\demoshare
lrwxrwxrwx 1 root root 37 Jun 27 19:26 familjen -> msdfs:ostraaros.vusir.local\familjen
lrwxrwxrwx 1 root root 33 Jun 27 19:26 home -> msdfs:ostraaros.vusir.local\home
admind@ostraaros:~$

admind@ostraaros:~$ smbclient //vusir.local/files -U davor -W VUSIR
Enter davor's password:
Domain=[VUSIR] OS=[Unix] Server=[Samba 4.1.9]
smb: \> cd home/davor\
smb: \home\davor\> ls
. D 0 Wed Apr 23 07:57:52 2014
.. D 0 Thu Jun 26 22:29:37 2014
_aaa D 0 Sun Oct 20 10:16:27 2013
Links DR 0 Fri Jun 27 06:41:23 2014
AppData D 0 Wed Apr 23 16:15:30 2014
.bash_history H 50 Sun Mar 30 21:45:16 2014
.viminfo H 1745 Mon Apr 7 05:58:08 2014
Documents DR 0 Fri Jun 27 19:43:44 2014
Contacts DR 0 Tue May 27 05:31:16 2014
Desktop DR 0 Tue Jun 10 21:30:56 2014
Searches DR 0 Tue May 27 05:31:18 2014
Favorites DR 0 Tue May 27 05:40:58 2014
50364 blocks of size 4194304. 27720 blocks available
smb: \home\davor\> pwd
Current directory is \\vusir.local\files\home\davor\
smb: \home\davor\>

admind@ostraaros:~$ smbclient //vusir.local/files -U administrator -W VUSIR
Enter administrator's password:
Domain=[VUSIR] OS=[Unix] Server=[Samba 4.1.9]
smb: \> ls
. D 0 Sun Jun 29 13:32:51 2014
.. D 0 Fri Jun 27 05:51:19 2014
home D 0 Fri Jun 27 19:26:33 2014
familjen D 0 Fri Jun 27 19:26:07 2014
demoshare D 0 Sun Jun 29 13:32:51 2014
56212 blocks of size 1048576. 50229 blocks available
smb: \> cd demoshare\
smb: \demoshare\> ls
. D 0 Sun Jun 29 13:33:24 2014
.. D 0 Sun Jun 29 11:41:26 2014
Testa1 D 0 Sun Jun 29 13:33:22 2014
58665 blocks of size 16777216. 55533 blocks available
smb: \demoshare\> pwd
Current directory is \\vusir.local\files\demoshare\
smb: \demoshare\>

Regards
Davor
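
A scripted version of the DFS-root setup Davor describes above, as an added example that is not code from the thread or from Samba: it creates the `msdfs:` symlinks the Samba HOWTO documents (a link target is `host\share`, and several comma-separated targets are accepted as alternates), then audits the directory for the things that go wrong later in this thread: a short host name in a link target, a symlink that is not an msdfs referral at all, and a root directory that is not locked down. The last check is the security point worth keeping in mind: a DFS link is a referral, so whoever can create a symlink in the root directory chooses which server the clients (and their authentication) are sent to; the root should be owned by root and not writable by anyone else, as in the mkdir/chown/chmod 755 steps posted further down. The domain name, host names and temporary directory are constructed for the demonstration.

```python
"""Build and audit a Samba MS-DFS root directory (added example, not Samba code)."""
import os
import re
import stat
import tempfile

DOMAIN = "vusir.local"  # assumed: the AD domain whose file servers may be referral targets

# One DFS target is "host\share"; Samba also accepts several, comma separated,
# as alternate targets for the same link ("msdfs:hostA\share,hostB\share").
TARGET_RE = re.compile(r"^([A-Za-z0-9.-]+)\\([^\\,]+)$")


def make_dfs_root(root, links):
    """Create the DFS root directory and one msdfs symlink per link name.

    links maps a link name to a list of "host\\share" targets.
    """
    os.makedirs(root, exist_ok=True)
    # A DFS link is a referral: whoever can create a symlink here chooses the
    # server clients are sent to. Keep the root owned by root and mode 0755.
    os.chmod(root, 0o755)
    for name, targets in links.items():
        os.symlink("msdfs:" + ",".join(targets), os.path.join(root, name))


def parse_msdfs_target(target):
    """Return [(host, share), ...] for an msdfs link target, or None if the
    symlink is not an msdfs link at all. Raises ValueError on a malformed target."""
    if not target.startswith("msdfs:"):
        return None
    parsed = []
    for entry in target[len("msdfs:"):].split(","):
        match = TARGET_RE.match(entry)
        if not match:
            raise ValueError("malformed DFS target %r" % entry)
        parsed.append((match.group(1), match.group(2)))
    return parsed


def audit_dfs_root(root, domain=DOMAIN):
    """Return a list of (entry, problem) findings for a DFS root directory."""
    findings = []
    mode = os.lstat(root).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((".", "DFS root is group- or world-writable"))
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.islink(path):
            findings.append((name, "not a symlink; served as an ordinary file or directory"))
            continue
        try:
            targets = parse_msdfs_target(os.readlink(path))
        except ValueError as exc:
            findings.append((name, str(exc)))
            continue
        if targets is None:
            findings.append((name, "plain symlink, not an msdfs: referral"))
            continue
        for host, _share in targets:
            if "." not in host:
                findings.append((name, "short host name %r; use the FQDN so every "
                                       "client can resolve the referral" % host))
            elif not host.lower().endswith("." + domain.lower()):
                findings.append((name, "referral leaves the domain: %r" % host))
    return findings


def demo():
    """Build a throw-away DFS root modelled on the thread's examples and audit it."""
    root = os.path.join(tempfile.mkdtemp(prefix="dfsroot-"), "files")
    make_dfs_root(root, {
        "home": ["ostraaros.vusir.local\\home"],
        "demoshare": ["vastraaros.vusir.local\\demoshare"],
        "users": ["altea\\users"],  # short name, as in the first attempt later in the thread
        "replicated": ["fs1.vusir.local\\data", "fs2.vusir.local\\data"],  # constructed
    })
    os.symlink("/etc/passwd", os.path.join(root, "leak"))  # not an msdfs link; gets flagged
    return audit_dfs_root(root)


if __name__ == "__main__":
    for entry, problem in demo():
        print("%-12s %s" % (entry, problem))
```

Run it as root on the DC against the real root directory (`audit_dfs_root("/data/files")`) after every change to the links; the two findings the demo produces (the short name `altea` and the stray non-msdfs symlink) are exactly the kind of thing that is invisible from the Windows side, which only reports "you may not have permission".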

Davor Vusir
Jun 30, 2014, 5:36:24 AM

2014-06-29 23:40 GMT+02:00 steve <st...@steve-ss.com>:
> On Sun, 2014-06-29 at 23:19 +0200, Klaus Hartnegg wrote:
>> On 28.06.2014 09:38, Davor Vusir wrote:
>> > Domainbased DFS works.
>>
>> How? I can only find descriptions for stand-alone DFS, no mention of
>> domainbased DFS in Samba anywhere. It works with SYSVOL, but it seems to
>> be impossible to configure own DFS names like this.
>>
> +1
> sysvol and and netlogon work on the DC as:
> \\domain\sysvol
> but not if we add our own share.
>
> But we don't want to use the DC as a file server anyway. Only server
> name dfs is possible anywhere else but even then it only works for the
> first server specified.
>
> Do we have any guidelines as to what to expect for dfs on samba?
> Thanks,
> Steve
>

Sorry. Forgot an excerpt from the Windows Eventlog:

Log Name: Application
Source: Microsoft-Windows-Folder Redirection
Date: 2014-06-30 11:27:29
Event ID: 501
Task Category: None
Level: Information
Keywords:
User: VUSIR\davor
Computer: win7.vusir.local
Description:
Successfully applied policy and redirected folder "Documents" to
"\\vusir.local\files\home\davor\Documents".
Redirection options=0x1001.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Folder Redirection"
Guid="{7D7B0C39-93F6-4100-BD96-4DDA859652C5}" />
<EventID>501</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-06-30T09:27:29.170800000Z" />
<EventRecordID>1720</EventRecordID>
<Correlation ActivityID="{538B2AD4-9830-49C6-BD0A-B475546B2E30}" />
<Execution ProcessID="892" ThreadID="3976" />
<Channel>Application</Channel>
<Computer>win7.hem.vusir.se</Computer>
<Security UserID="S-1-5-21-4135210406-1847680363-3009157138-1105" />
</System>
<EventData Name="EVENT_FDEPLOY_SucceededToApplyPolicy">
<Data Name="FromFolder">Documents</Data>
<Data Name="ToFolder">\\vusir.local\files\home\davor\Documents</Data>
<Data Name="Options">0x1001</Data>
</EventData>
</Event>

+1 Huh?

steve
Jun 30, 2014, 6:03:54 AM

On Mon, 2014-06-30 at 08:23 +0200, Davor Vusir wrote:

>
> To the [global] section on the AD DC I added
> host msdfs = yes <- the trick?

Hi Davor
OMG. How embarrassing. Yes, of course. And then everything springs to
life.
A big thanks for persisting with us Alicante idiots. We all owe you a
beer.
Cheers,
Steve

steve
Jun 30, 2014, 6:09:32 AM

Wonderful. Armed with this and our working windows clients, we'll go
over to the cifs list and ask if we can have this as a cifs mount option
instead of having to specify the server. What do you reckon?

Davor Vusir
Jun 30, 2014, 7:07:03 AM

On 30 Jun 2014 12:04, "steve" <st...@steve-ss.com> wrote:
>
> On Mon, 2014-06-30 at 08:23 +0200, Davor Vusir wrote:
>
> >
> > To the [global] section on the AD DC I added
> > host msdfs = yes <- the trick?
>
> Hi Davor
> OMG. How embarrassing. Yes, of course. And then everything springs to
> life.
At least in Microsoft Country! :)

> A big thanks for persisting with us Alicante idiots. We all owe you a
> beer.
I'll hold you to that. The beer thing. :)

Good luck
Davor

L.P.H. van Belle
Jun 30, 2014, 7:24:15 AM

>> > To the [global] section on the AD DC I added
>> > host msdfs = yes <- the trick?
No, not in my opinion.


These are the defaults on a DC:
samba-tool testparm -vv | grep dfs
host msdfs = Yes


and member server:
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =



Louis


>-----Original message-----
>From: davor...@gmail.com
>[mailto:samba-...@lists.samba.org] On behalf of Davor Vusir
>Sent: Monday 30 June 2014 13:07
>To: steve
>CC: sa...@lists.samba.org
>Subject: Re: [Samba] domain-based DFS ?

Davor Vusir
Jun 30, 2014, 7:44:27 AM

I'm not that experienced with Linux but from what I can grasp it won't
be a problem as the mount command supports MS-DFS.

Please keep us posted and good luck.
Davor

steve
Jun 30, 2014, 8:51:52 AM

On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
> >> > To the [global] section on the AD DC I added
> >> > host msdfs = yes <- the trick?
> No, not in my oppinion.
>
>
> These are the defaults on a DC:
> samba-tool testparm -vv | grep dfs
> host msdfs = Yes
>
>
> and member server:
> testparm -vv | grep dfs
> host msdfs = No
> msdfs root = No
> msdfs proxy =
>

Hi it's this:
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes

HTH

steve
Jun 30, 2014, 8:57:58 AM

On Mon, 2014-06-30 at 14:51 +0200, steve wrote:
> On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
> > >> > To the [global] section on the AD DC I added
> > >> > host msdfs = yes <- the trick?
> > No, not in my oppinion.
> >
> >
> > These are the defaults on a DC:
> > samba-tool testparm -vv | grep dfs
> > host msdfs = Yes
> >
> >
> > and member server:
> > testparm -vv | grep dfs
> > host msdfs = No
> > msdfs root = No
> > msdfs proxy =
> >
>
> Hi it's this:
> host msdfs = Yes
> vfs objects = dfs_samba4 # plus whatever else you need
> msdfs root = Yes
>
> HTH
> Steve
>
>
Oh, and the root has to be on the DC:(

Davor Vusir
Jun 30, 2014, 9:40:36 AM

2014-06-30 14:57 GMT+02:00 steve <st...@steve-ss.com>:
> On Mon, 2014-06-30 at 14:51 +0200, steve wrote:
>> On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
>> > >> > To the [global] section on the AD DC I added
>> > >> > host msdfs = yes <- the trick?
>> > No, not in my oppinion.
>> >
>> >
>> > These are the defaults on a DC:
>> > samba-tool testparm -vv | grep dfs
>> > host msdfs = Yes
>> >
>> >
>> > and member server:
>> > testparm -vv | grep dfs
>> > host msdfs = No
>> > msdfs root = No
>> > msdfs proxy =
>> >
>>
>> Hi it's this:
>> host msdfs = Yes
>> vfs objects = dfs_samba4 # plus whatever else you need
>> msdfs root = Yes
>>
>> HTH
>> Steve
>>
>>
> Oh, and the root has to be on the DC:(
>
Sorry that I wasn't clearer about that.

@L.P.H van Belle:
I'm aware that 'host msdfs = Yes' is amongst the hidden settings in the
global section. But to host DFS it simply didn't work until I made it
explicit.

I have two more share definitions on my AD DC, both running on RAID5,
LVM and ext4 on top. In spite of 'vfs object = dfs_samba4
acl_xattr' being defined in the global section as a hidden setting, I
could not manipulate ACLs on these shares. Not until I added 'vfs
object = acl_xattr' to the share definitions. I have not tested using
a share on the same disk/volume that Samba is installed on.

My experience is that the settings in smb.conf work great until you
add another share with vfs objects. They are not nullified, but rather
seem not to extend beyond the shares defined during provisioning. To
activate them you have to explicitly define them in the global section.

And that is a call for following Samba's recommendation to separate the
DC functionality from file server functionality.


Regards
Davor

Daniel Müller
Jun 30, 2014, 9:54:42 AM

I think vfs objects = dfs_samba4 belongs to vfs objects= btrfs !? server
side copy !?



IT: Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de




-----Original message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On
behalf of Davor Vusir
Sent: Monday, 30 June 2014 15:41
To: steve
Cc: sa...@lists.samba.org
Subject: Re: [Samba] domain-based DFS ?

steve
Jun 30, 2014, 10:15:25 AM

Hi
I think that means you have to have the line:
host msdfs = Yes
in smb.conf
The hidden (default?) value you get from testparm isn't correct.
@Davor Please could you confirm that that is what you mean?

Could you also post the vfs_object lines that we should include in 1.
[global] and 2. [share]

TIA


>
> I have two more share definitions on my AD DC, both running on RAID5,
> LVM and ext4 on top. In spite of that 'vfs object = dfs_samba4
> acl_xattr' is defined in the global section as a hidden setting, I
> could not manipulate ACLs on these share. Not until I added 'vfs
> object = acl_xattr' to the share definitions. I have not tested using
> a share on the same disk/volume that Samba is installed on.
>
As above.
Thanks,
Steve

David Disseldorp
Jun 30, 2014, 10:29:59 AM

On Mon, 30 Jun 2014 15:54:42 +0200, Daniel Müller wrote:

> I think vfs objects = dfs_samba4 belongs to vfs objects= btrfs !? server
> side copy !?

No, the two modules are completely unrelated.

Cheers, David

steve
Jun 30, 2014, 11:08:01 AM

On Mon, 2014-06-30 at 14:57 +0200, steve wrote:
> On Mon, 2014-06-30 at 14:51 +0200, steve wrote:
> > On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
> > > >> > To the [global] section on the AD DC I added
> > > >> > host msdfs = yes <- the trick?
> > > No, not in my oppinion.
> > >
> > >
> > > These are the defaults on a DC:
> > > samba-tool testparm -vv | grep dfs
> > > host msdfs = Yes
> > >
> > >
> > > and member server:
> > > testparm -vv | grep dfs
> > > host msdfs = No
> > > msdfs root = No
> > > msdfs proxy =
> > >
> >
> > Hi it's this:
> > host msdfs = Yes
> > vfs objects = dfs_samba4 # plus whatever else you need
> > msdfs root = Yes
> >
> > HTH
> > Steve
> >
> >
> Oh, and the root has to be on the DC:(
>
>
Hi
Nah, false alarm.
DC:
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr

hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users

The fileserver, altea is up and we can navigate to:
\\altea\users

however:
\\hh3.site\dfs
and
\\hh3.site\dfs\users

Gives us the infamous '...you may not have permission to access...'
popup.

Is this the acl stuff Davor was mentioning?
Thanks,
Steve

Davor Vusir
Jun 30, 2014, 1:11:25 PM

This I don't have^

>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [dfs]
> path = /home/dfsroot
> read only = No
> msdfs root = Yes
> vfs objects = acl_xattr
This I don't have^

Here it gets tricky, I think. I see that you have compiled Samba. So have I.
My /usr/local resides as a directory on the root disk and /etc/fstab
has got the acl,user_xattr and barrier=1.
The directory files, that contains the links to DFS targets, is just
another directory in /data.

The question is; if /etc/fstab contains acl,user_xattr and barrier=1
for the root-partition/disk and /home is just another directory. Does
smb.conf need to include vfs objects = acl_xattr for /home/dfs? Or
does Samba use the settings in /etc/fstab?

In my setup the directories /data/home and /data/familjen have mounted
LVM-volumes formatted with ext4. For these two directories I have to
include vfs objects = acl_xattr (explicit setting) to be able to
manipulate ACLs. It seems that Samba's understanding (or how to put it)
of this does not "spill" over to mounted volumes.

Your [dfs] and my [files] are manually added to smb.conf. And as soon
as you add a share definition, you have to add an 'explicit' setting
(host msdfs = Yes) to the global section.

And it's about here I start to realize that it might not be such a good
idea in the long run to create an SBS-equivalent server where both the
AD DC and file server run simultaneously.

Is this understandable?

Regards
Davor

>
> hh16:/home/dfsroot # ls -l
> total 0
> lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
>
> The fileserver, altea is up and we can navigate to:
> \\altea\users
>
> however:
> \\hh3.site\dfs
> and
> \\hh3.site\dfs\users
>
> Gives us the infamous '...you may not have permission to access...'
> popup.
>
> Is this the acl stuff Davor was mentioning?
> Thanks,
> Steve
>
>

This is my smb.conf at the AD DC:
# Global parameters
[global]
workgroup = VUSIR
realm = VUSIR.LOCAL
netbios name = OSTRAAROS


server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

idmap_ldb:use rfc2307 = yes
disable spoolss = yes
log level = 1
host msdfs = yes


[files]
path = /data/files
comment = "Här finns allt!"

read only = No
msdfs root = yes
[home]
path = /data/home
comment = Homedirectories
read only = No
vfs objects = acl_xattr recycle
acl_xattr:ignore system acl = yes
recycle:keeptree = yes
recycle:versions = yes
recycle:maxsize = 1073741824
csc policy = programs
[familjen]
path = /data/familjen
comment = "Familjens samlade verk!"
read only = No
vfs objects = acl_xattr recycle
acl_xattr:ignore system acl = yes
recycle:keeptree = yes
recycle:versions = yes
recycle:maxsize = 1073741824
csc policy = disable
[netlogon]
path = /usr/local/samba/var/locks/sysvol/vusir.local/scripts


read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
>

Davor Vusir
Jun 30, 2014, 1:19:19 PM

> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [dfs]
> path = /home/dfsroot
> read only = No
> msdfs root = Yes
> vfs objects = acl_xattr
>
> hh16:/home/dfsroot # ls -l
> total 0
> lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
>
> The fileserver, altea is up and we can navigate to:
> \\altea\users
>
> however:
> \\hh3.site\dfs
> and
> \\hh3.site\dfs\users
>
> Gives us the infamous '...you may not have permission to access...'
> popup.
>
Did you restart the Windows client?

> Is this the acl stuff Davor was mentioning?
> Thanks,
> Steve
>
>
>

steve
Jun 30, 2014, 1:48:40 PM

Yes.
\\hh16.hh3.site\dfs\users
works fine (hh16 is the DC with the dfs root) I get a security tab and a
DFS tab.

\\hh3.site\dfs
Nothing: access denied

\\hh3.site
shows the dfs folder which gives me a DFS tab but no security tab.

I've tried giving Administrator access to /home/dfsroot at fs level (our
Administrator has uid:gid in AD) but still nada. I've tried giving
Administrator access to the same using the security tab as above. Nada.

Not giving up just yet.
Any thoughts as you go through the day most welcome. I get the feeling
that not many have been this way before.
Cheers,
Steve

Klaus Hartnegg
Jun 30, 2014, 2:06:53 PM

On 30.06.2014 14:51, steve wrote:
> vfs objects = dfs_samba4

Oh great, another undefined option.

On 30.06.2014 17:08, steve wrote;
> [global]
> vfs objects = dfs_samba4, acl_xattr
>
> [dfs]
> path = /home/dfsroot
> read only = No
> msdfs root = Yes
> vfs objects = acl_xattr

Attention, vfs objects is a very special beast!
If you do this, then in the [dfs] share the option dfs_samba4 is NOT
active, only acl_xattr. You might need both.
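
A checker for the effect Klaus describes, as an added example that is not code from the thread or from Samba: it parses an smb.conf, resolves the effective `host msdfs`, `msdfs root` and `vfs objects` value of every share, and reports shares whose share-level `vfs objects` line silently drops modules that [global] lists. The sample configuration is constructed from the settings Steve posted above. The parser follows the smb.conf rule that only whole lines beginning with `#` or `;` are comments; it does not treat a trailing `# ...` on a parameter line as a comment, so if you copy `vfs objects = dfs_samba4 # plus whatever else you need` literally, check with `testparm -s` what Samba actually sees before trusting it.

```python
"""Resolve the effective DFS-related settings of every share in an smb.conf
(added example for this thread, not Samba code)."""
import re

TRUE_VALUES = {"yes", "true", "1", "on"}
# Defaults as reported by testparm for an AD DC earlier in the thread.
# "host msdfs" is a [global]-only parameter; the other two are per share.
DEFAULTS = {"host msdfs": "yes", "msdfs root": "no", "vfs objects": ""}

# Constructed from the DC configuration posted in the thread.
SAMPLE_CONF = """\
[global]
    workgroup = HH3
    realm = HH3.SITE
    server role = active directory domain controller
    host msdfs = Yes
    vfs objects = dfs_samba4, acl_xattr

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[dfs]
    path = /home/dfsroot
    read only = No
    msdfs root = Yes
    vfs objects = acl_xattr
    ; this line replaces the global list: dfs_samba4 is no longer loaded for [dfs]

[users]
    path = /home/users
    read only = No
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    smb.conf rules: only whole lines starting with # or ; are comments, section
    and parameter names are case-insensitive, and whitespace inside a
    parameter name is not significant ("read only" == "readonly" to Samba, but
    we only normalise spaces here).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # Samba would log a parse error here; we skip the line
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][" ".join(key.lower().split())] = value
    return sections


def as_bool(value):
    return value.strip().lower() in TRUE_VALUES


def as_list(value):
    # smb.conf list parameters accept space- or comma-separated items.
    return value.replace(",", " ").split()


def effective_dfs_settings(sections):
    """Return ({share: {"msdfs root": bool, "vfs objects": [...], "dropped": [...]}},
    warnings) with global defaults applied the way Samba applies them."""
    glob = sections.get("global", {})
    host_msdfs = as_bool(glob.get("host msdfs", DEFAULTS["host msdfs"]))
    global_vfs = as_list(glob.get("vfs objects", DEFAULTS["vfs objects"]))
    report, warnings = {}, []
    if not host_msdfs:
        warnings.append("host msdfs = no in [global]: no share can act as a DFS root")
    for share, params in sections.items():
        if share == "global":
            continue
        if "host msdfs" in params:
            warnings.append("[%s]: 'host msdfs' is global-only and is ignored here" % share)
        is_root = host_msdfs and as_bool(params.get("msdfs root", DEFAULTS["msdfs root"]))
        # A share-level "vfs objects" replaces the global list; it does not extend it.
        vfs = as_list(params["vfs objects"]) if "vfs objects" in params else list(global_vfs)
        dropped = [module for module in global_vfs if module not in vfs]
        if dropped:
            warnings.append("[%s]: share-level 'vfs objects' drops %s from the global list"
                            % (share, ", ".join(dropped)))
        report[share] = {"msdfs root": is_root, "vfs objects": vfs, "dropped": dropped}
    return report, warnings


if __name__ == "__main__":
    result, problems = effective_dfs_settings(parse_smb_conf(SAMPLE_CONF))
    for share, info in result.items():
        print("[%s] msdfs root=%s vfs objects=%s"
              % (share, info["msdfs root"], " ".join(info["vfs objects"])))
    for problem in problems:
        print("WARNING:", problem)
```

Point it at the real file with `parse_smb_conf(open("/usr/local/samba/etc/smb.conf").read())`. On the sample it reports that [dfs] is a DFS root but has lost `dfs_samba4`, which is the combination Klaus warns about; the fix is to list every module you want on the share line itself (`vfs objects = dfs_samba4 acl_xattr`), not to rely on [global].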

Klaus Hartnegg
Jun 30, 2014, 2:10:57 PM

On 30.06.2014 14:57, steve wrote:
> Oh, and the root has to be on the DC:(

"the" DC? Which DC? What if I have three DCs, and a client has logged in
via another one?

Davor Vusir
Jun 30, 2014, 2:12:24 PM

2014-06-30 19:48 GMT+02:00 steve <st...@steve-ss.com>:
> On Mon, 2014-06-30 at 19:19 +0200, Davor Vusir wrote:
>> 2014-06-30 17:08 GMT+02:00 steve <st...@steve-ss.com>:
>> > On Mon, 2014-06-30 at 14:57 +0200, steve wrote:
>> >> On Mon, 2014-06-30 at 14:51 +0200, steve wrote:
>> >> > On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
>> >> > > >> > To the [global] section on the AD DC I added
>> >> > > >> > host msdfs = yes <- the trick?
>> >> > > No, not in my oppinion.
>> >> > >
>> >> > >
>> >> > > These are the defaults on a DC:
>> >> > > samba-tool testparm -vv | grep dfs
>> >> > > host msdfs = Yes
>> >> > >
>> >> > >
>> >> > > and member server:
>> >> > > testparm -vv | grep dfs
>> >> > > host msdfs = No
>> >> > > msdfs root = No
>> >> > > msdfs proxy =
>> >> > >
>> >> >
>> >> > Hi it's this:
>> >> > host msdfs = Yes
>> >> > vfs objects = dfs_samba4 # plus whatever else you need
>> >> > msdfs root = Yes
>> >> >
>> >> > HTH
>> >> > Steve
>> >> >
>> >> >
>> >> Oh, and the root has to be on the DC:(
>> >>
>> >>
>> > Hi
>> > Nah, false alarm.
>> > DC:
>> > [global]
>> > workgroup = HH3
>> > realm = HH3.SITE
>> > netbios name = HH16
>> > server role = active directory domain controller
>> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> > drepl, winbind, ntp_signd, kcc, dnsupdate
>> > host msdfs = Yes
>> > vfs objects = dfs_samba4, acl_xattr
>> >
>> > [netlogon]
>> > path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
>> > read only = No
>> >
>> > [sysvol]
>> > path = /usr/local/samba/var/locks/sysvol
>> > read only = No
>> >
>> > [dfs]
>> > path = /home/dfsroot
>> > read only = No
>> > msdfs root = Yes
>> > vfs objects = acl_xattr
>> >
>> > hh16:/home/dfsroot # ls -l
>> > total 0
>> > lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
>> >
>> > The fileserver, altea is up and we can navigate to:
>> > \\altea\users
>> >
>> > however:
>> > \\hh3.site\dfs
>> > and
>> > \\hh3.site\dfs\users
>> >
>> > Gives us the infamous '...you may not have permission to access...'
>> > popup.
>> >
>> Did you restart the Windows client?
>
> Yes.
> \\hh16.hh3.site\dfs\users
> works fine (hh16 is the DC with the dfs root) I get a security tab and a
> DFS tab.
>
> \\hh3.site\dfs
> Nothing: access denied
>
What happens if you remove 'vfs objects = acl_xattr' from [dfs] and
restart both Samba and the client?

> \\hh3.site
> shows the dfs folder which gives me a DFS tab but no security tab.
>
> I've tried giving Administrator access to /home/dfsroot as fs level (our
> Administrator has uid:gid in AD) but still nada. I've tried giving
> Administrator access to the same using the security tab as above. Nada.
>
> Not giving up just yet.
> Any thoughts as you go through the day most welcome. I get the feeling
> that not many have been this way before.
> Cheers,
> Steve
>
>>
>> > Is this the acl stuff Davor was mentioning?
>> > Thanks,
>> > Steve
>> >
>> >
>> >

Davor Vusir
Jun 30, 2014, 2:15:31 PM

2014-06-30 20:10 GMT+02:00 Klaus Hartnegg <hart...@gmx.de>:
> On 30.06.2014 14:57, steve wrote:
>>
>> Oh, and the root has to be on the DC:(
>
>
> "the" DC? Which DC? What if I have three DCs, and a client has logged in via
> another one?
>
>
On Windows you have to define the domain DFS on every DC. I guess it's
the same on the Samba AD DC.

Regards
Davor

Klaus Hartnegg
Jun 30, 2014, 3:11:09 PM

On 30.06.2014 20:15, Davor Vusir wrote:
>> "the" DC? Which DC? What if I have three DCs, and a client has logged in via
>> another one?
>>
> On Windows you have to define the domain DFS on every DC.

No. In Windows DFS works great with just one single DFS server running
on a pure file server, in a domain with four DCs. Running more DFS
servers just increases the reliability and spreads the load.

"The namespace server can be a member server or a domain controller."
(http://technet.microsoft.com/en-us/library/cc732863%28v=ws.10%29.aspx)

"You can increase the availability of a domain-based namespace by
specifying additional namespace servers to host the namespace."
(http://msdn.microsoft.com/en-us/library/cc732807.aspx)

"When a DFS client first attempts to access a domain-based namespace, a
domain controller provides a list of root servers to the client. This
list of root servers is known as a root referral."
(http://technet.microsoft.com/en-us/library/cc782417%28v=ws.10%29.aspx)

Davor Vusir
Jun 30, 2014, 11:27:10 PM

2014-06-30 19:48 GMT+02:00 steve <st...@steve-ss.com>:
> On Mon, 2014-06-30 at 19:19 +0200, Davor Vusir wrote:
>> 2014-06-30 17:08 GMT+02:00 steve <st...@steve-ss.com>:
>> > On Mon, 2014-06-30 at 14:57 +0200, steve wrote:
>> >> On Mon, 2014-06-30 at 14:51 +0200, steve wrote:
>> >> > On Mon, 2014-06-30 at 13:24 +0200, L.P.H. van Belle wrote:
>> >> > > >> > To the [global] section on the AD DC I added
>> >> > > >> > host msdfs = yes <- the trick?
>> >> > > No, not in my oppinion.
>> >> > >
>> >> > >
>> >> > > These are the defaults on a DC:
>> >> > > samba-tool testparm -vv | grep dfs
>> >> > > host msdfs = Yes
>> >> > >
>> >> > >
>> >> > > and member server:
>> >> > > testparm -vv | grep dfs
>> >> > > host msdfs = No
>> >> > > msdfs root = No
>> >> > > msdfs proxy =
>> >> > >
>> >> >
>> >> > Hi it's this:
>> >> > host msdfs = Yes
>> >> > vfs objects = dfs_samba4 # plus whatever else you need
>> >> > msdfs root = Yes
>> >> >
>> >> > HTH
>> >> > Steve
>> >> >
>> >> >
>> >> Oh, and the root has to be on the DC:(
>> >>
>> >>
> \\hh3.site
> shows the dfs folder which gives me a DFS tab but no security tab.
>
> I've tried giving Administrator access to /home/dfsroot as fs level (our
> Administrator has uid:gid in AD) but still nada. I've tried giving
> Administrator access to the same using the security tab as above. Nada.
>
> Not giving up just yet.
> Any thoughts as you go through the day most welcome. I get the feeling
> that not many have been this way before.
> Cheers,
> Steve
>
>>
>> > Is this the acl stuff Davor was mentioning?
>> > Thanks,
>> > Steve
>> >
>> >
A vague memory from one posting aeons ago just came to mind. If
changes are made to the [global] section, Samba has to be restarted to
activate the changes. Did you restart Samba?

Davor Vusir
Jun 30, 2014, 11:41:22 PM

2014-06-30 21:11 GMT+02:00 Klaus Hartnegg <hart...@gmx.de>:
> On 30.06.2014 20:15, Davor Vusir wrote:
>>>
>>> "the" DC? Which DC? What if I have three DCs, and a client has logged in
>>> via
>>> another one?
>>>
>> On Windows you have to define the domain DFS on every DC.
>
>
> No. In Windows DFS works great with just one single DFS server running on a
> pure file server, in a domain with four DCs. Running more DFS servers just
> increases the reliability and spreads the load.
>
> "The namespace server can be a member server or a domain controller."
> (http://technet.microsoft.com/en-us/library/cc732863%28v=ws.10%29.aspx)
>
> "You can increase the availability of a domain-based namespace by specifying
> additional namespace servers to host the namespace."
> (http://msdn.microsoft.com/en-us/library/cc732807.aspx)
>
> "When a DFS client first attempts to access a domain-based namespace, a
> domain controller provides a list of root servers to the client. This list
> of root servers is known as a root referral."
> (http://technet.microsoft.com/en-us/library/cc782417%28v=ws.10%29.aspx)
>
>
"Domain controllers store DFS metadata in Active Directory about
domain-based namespaces. DFS metadata consists of information about
entire namespace, including the root, root targets, links, link
targets, and settings. By default, root servers that host domain-based
namespaces periodically poll the domain controller acting as the
primary domain controller (PDC) emulator master to obtain an updated
version of the DFS metadata and store this metadata in memory."

http://technet.microsoft.com/sv-se/library/cc782417(v=ws.10).aspx

As the endpoint mapper for DFS is not implemented in Samba, there is no
way for the DFS management MMC to store and manipulate the settings in
AD, or for the DFS client to retrieve them. Which leaves you no option
but to add the required settings on every AD DC.

Regards
Davor

steve
Jul 1, 2014, 8:41:03 AM

Hi
OK
I removed all the non-default vfs objects, to leave this on the DC,
hh16.hh3.site:
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes

Here is the dfs link:

steve@hh16:/home/dfsroot> ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users

Here is the fileserver, altea.hh3.site
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab

[users]
path = /home/users
read only = No

Restart Samba on the DC, then on the file server, then the XP client.
We can browse to \\altea\users
but not to \\hh3.site\dfs\users

Here are the Windows screenshots.
1. \\hh3.site
https://db.tt/3ksfq7qV

2. \\hh16.hh3.site
https://db.tt/9C8xtFnT

Conclusion: server dfs works, domain dfs doesn't. But do please tell us
we're wrong. Is there anything in our config we've missed?

Thanks,
Steve

L.P.H. van Belle
Jul 1, 2014, 8:46:45 AM

Hi steve,

what does

ping hh3.site

return? For me it resolves back to one of my DCs.

Louis






>-----Original message-----
>From: st...@steve-ss.com [mailto:samba-...@lists.samba.org]
>On behalf of steve
>Sent: Tuesday 1 July 2014 14:41
>To: Davor Vusir
>CC: sa...@lists.samba.org
>Subject: Re: [Samba] domain-based DFS ?

Klaus Hartnegg
Jul 1, 2014, 8:48:42 AM

I would try to comment out the line "server services", and make the link
contain the full server name altea.hh3.site instead of just altea.

Davor Vusir
Jul 1, 2014, 9:34:55 AM

I used fqdn: ln -s msdfs:altea.hh3.site\\users users

> Here is the fileserver, altea.hh3.site
> [global]
> workgroup = HH3
> realm = HH3.SITE
> security = ADS
> kerberos method = system keytab
>
> [users]
> path = /home/users
> read only = No
>
> Restart samba DC then file server the a xp client.
> We can browse to \\altea\users
> but not to \\hh3.site\dfs\users
>
What is the error? Access denied again? "Network path cannot be
found...", 0x8xxxyy35?
Can you browse to \\hh3.site\netlogon and \\hh3.site\sysvol?

> Here are the windows sceenshots.
> 1. \\hh3.site
> https://db.tt/3ksfq7qV
>
> 2. \\hh16.hh3.site
> https://db.tt/9C8xtFnT
>
> Conclusion: server dfs works, domain dfs doesn't. But do please tell us
> we're wrong. Is there anything in our config we've missed?
>
> Thanks,
> Steve
>
>

steve
Jul 1, 2014, 9:46:36 AM

On Tue, 2014-07-01 at 14:46 +0200, L.P.H. van Belle wrote:
> Hai steve,
>
> what does
>
> ping hh3.site
>
> for me it resolves back to one of my DCs
>
Yep. Same here.

steve
Jul 1, 2014, 9:56:03 AM

On Tue, 2014-07-01 at 13:48 +0100, Klaus Hartnegg wrote:
> I would try to comment out the line "server services",
samba fails to start:(
> and make the link
> contain the full server name altea.hh3.site instead of just altea.
>
Leaving the server services and making the link you suggest:

hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 26 Jul 1 15:49 users -> msdfs:altea.hh3.site\users

same errors:(
Steve

steve
Jul 1, 2014, 10:00:36 AM

> >> >> > hh16:/home/dfsroot # ls -l
> >> >> > total 0
> > steve@hh16:/home/dfsroot> ls -l
> > total 0
> > lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
> >
>
> I used fqdn: ln -s msdfs:altea.hh3.site\\users users
>
> > Here is the fileserver, altea.hh3.site
> > [global]
> > workgroup = HH3
> > realm = HH3.SITE
> > security = ADS
> > kerberos method = system keytab
> >
> > [users]
> > path = /home/users
> > read only = No
> >
> > Restart samba DC then file server the a xp client.
> > We can browse to \\altea\users
> > but not to \\hh3.site\dfs\users
> >
> What is the error? Access denied again? "Network path cannot be
> found...", 0x8xxxyy35?
\\hh3.site\dfs is not accessible. You might not have permission...The
network name cannot be found.

> Can you browse to \\hh3.sit\netlogon and \\hh3.site\sysvol?
Yes.

>
> > Here are the windows screenshots.
> > 1. \\hh3.site
> > https://db.tt/3ksfq7qV
> >
> > 2. \\hh16.hh3.site
> > https://db.tt/9C8xtFnT
> >
> > Conclusion: server dfs works, domain dfs doesn't. But do please tell us
> > we're wrong. Is there anything in our config we've missed?
> >
> > Thanks,

Rowland Penny

Jul 1, 2014, 10:02:41 AM
Er, I don't know if this will help, but have a look here:
http://markparris.co.uk/2010/03/19/configure-dfs-namepaces-to-use-fully-qualified-domain-names-its-not-the-default/

Just something I chanced on

HTH

Rowland

steve

Jul 1, 2014, 10:10:09 AM
On Tue, 2014-07-01 at 15:02 +0100, Rowland Penny wrote:
> O
> >>>
> >
> Er, I don't know if this will help, but have a look here:
> http://markparris.co.uk/2010/03/19/configure-dfs-namepaces-to-use-fully-qualified-domain-names-its-not-the-default/
>
> Just something I chanced on
>
> HTH
>
> Rowland
>
Thanks, yeah. We've tried both. netbios and fqdn. nada:(
Steve

L.P.H. van Belle

Jul 1, 2014, 10:32:55 AM
well..

I just did a test with this for steve also.

same result.

\\domain.name\sysvol and netlogon accessible, no problems.

\\domain.name\dfs Access denied again? "Network path cannot be found...", 0x8xxxyy35?

\\server1.domain.name\dfs works, but someshare not.
\\server1.domain.name\dfs\someshare

my steps.

mkdir -p /export/dfsroot
chown root:root /export/dfsroot
chmod 755 /export/dfsroot
ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare

also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare


smbclient //localhost/dfs -U 'administrator'
cd someshare

tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Unable to follow dfs referral [\mem1.internal.domain.tld\]
cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME

so far for me..

found this one
https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
so i think this is not fixed yet...
there is a patch in this link, but since I'm on SerNet I'm not trying the patch.


Louis

>-----Original message-----
>From: rowlan...@googlemail.com
>[mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
>Sent: Tuesday, 1 July 2014 16:03
>To: sa...@lists.samba.org
>Subject: Re: [Samba] domain-based DFS ?
>
>Er, I don't know if this will help, but have a look here:
>http://markparris.co.uk/2010/03/19/configure-dfs-namepaces-to-use-fully-qualified-domain-names-its-not-the-default/
>
>Just something I chanced on
>
>HTH
>
>Rowland
>
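Louis's steps above (mkdir, chown, chmod, ln -s msdfs:...) and Klaus's earlier suggestion to use the FQDN in the link are the points where an msdfs root goes wrong silently. The following is an added example, not code from the thread or from Samba: a Python checker that walks a DFS root directory, parses each msdfs link target (including the comma-separated alternate-target form Samba accepts) and flags a doubled backslash, a host that is not fully qualified, a non-link entry, and a root that is not world r-x. The sample root it builds is constructed here; the host names in it are taken from the thread.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Target:
    host: str
    share: str


def parse_msdfs_target(link_target: str) -> Tuple[List[Target], List[str]]:
    r"""Parse an msdfs symlink target into (targets, problems).

    Samba reads 'msdfs:host\share' and, for alternate targets, the
    comma-separated form 'msdfs:host1\share,host2\share'. Everything after
    'msdfs:' is taken literally, so the doubled backslash that
    ln -s 'msdfs:host\\share' leaves inside single quotes ends up in the
    referral, and a bare NetBIOS name is referred to exactly as typed.
    """
    problems: List[str] = []
    if not link_target.startswith("msdfs:"):
        return [], ["target does not start with 'msdfs:'"]
    body = link_target[len("msdfs:"):]
    if "\\\\" in body:
        problems.append("doubled backslash in target; the link should contain a single one")
    targets: List[Target] = []
    for alt in body.split(","):
        host, sep, share = alt.partition("\\")
        if not sep or not host or not share.strip("\\"):
            problems.append("alternate %r is not of the form host\\share" % alt)
            continue
        if "." not in host:
            problems.append("host %r is not fully qualified" % host)
        targets.append(Target(host, share))
    return targets, problems


def check_dfsroot(root: str) -> Dict[str, dict]:
    """Walk a DFS root directory and report each entry's targets and problems."""
    report: Dict[str, dict] = {}
    root_problems: List[str] = []
    # smbd serves the share as the connecting user, so it must be able to traverse the root
    if (os.stat(root).st_mode & 0o005) != 0o005:
        root_problems.append("root directory is not world r-x (the thread uses chmod 755)")
    report["."] = {"targets": [], "problems": root_problems}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.islink(path):
            report[name] = {"targets": [], "problems": ["not a symlink"]}
            continue
        targets, problems = parse_msdfs_target(os.readlink(path))
        report[name] = {"targets": targets, "problems": problems}
    return report


def build_sample_root() -> str:
    """Constructed sample: a temporary DFS root with links using hosts from the thread."""
    root = tempfile.mkdtemp(prefix="dfsroot-")
    os.chmod(root, 0o755)
    links = {
        "someshare": "msdfs:mem1.internal.domain.tld\\someshare",      # as Louis created it
        "doubled": "msdfs:mem1.internal.domain.tld\\\\someshare",      # his second attempt
        "users-short": "msdfs:altea\\users",                           # NetBIOS name only
        "users": "msdfs:altea.hh3.site\\users,hh16.hh3.site\\users",   # two alternate targets
    }
    for name, target in links.items():
        os.symlink(target, os.path.join(root, name))
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("a plain file does not become a DFS link\n")
    return root


if __name__ == "__main__":
    for name, entry in check_dfsroot(build_sample_root()).items():
        shown = ["%s\\%s" % (t.host, t.share) for t in entry["targets"]]
        print(name, shown, entry["problems"])
```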

steve

Jul 1, 2014, 10:56:01 AM
On Tue, 2014-07-01 at 16:32 +0200, L.P.H. van Belle wrote:
> well..
>
> I just did a test with this for steve also.
>
> same result.
>
> \\domain.name\sysvol and netlogon accessible, no problems.
>
> \\domain.name\dfs Access denied again? "Network path cannot be found...", 0x8xxxyy35?
>
> \\server1.domain.name\dfs works, but someshare not.
> \\server1.domain.name\dfs\someshare
>
> my steps.
>
> mkdir -p /export/dfsroot
> chown root:root /export/dfsroot
> chmod 755 /export/dfsroot
> ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare
>
> also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare
>
>
> smbclient //localhost/dfs -U 'administrator'
> cd someshare
>
> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
> Unable to follow dfs referral [\mem1.internal.domain.tld\]
> cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME
>
> so far for me..
>
> found this one
> https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
> so i think this is not fixed yet...
> there is a patch in this link, but since I'm on SerNet I'm not trying the patch.

Yeah, thanks Louis.
This is looking more and more like a time consuming, undocumented dead
end. I'm really tempted to drop it at this point and spend the time on a
proper cluster instead. I get the feeling that this was always going to
be second best, and it only works with windows clients anyway.
Cheers,
Steve

Davor Vusir

Jul 1, 2014, 1:41:55 PM
2014-07-01 16:56 GMT+02:00 steve <st...@steve-ss.com>:
Steve, have you done any testing with smbclient? I noticed that you've
got 'kerberos method = system keytab' in altea's smb.conf.

smbclient -k -U administrator //hh3.site/dfs/users (-k for kerberos)

steve

Jul 1, 2014, 1:56:28 PM
Hi Davor
You can't test domain dfs with smbclient because it requires a cifs
mount. cifs will only work if you specify a specific server:

smbclient -k -U Administrator //hh3.site/dfs
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/hh3.site@SITE
(Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server
not found in Kerberos database
session setup failed: NT_STATUS_UNSUCCESSFUL

This of course presents no problem:
smbclient -k -U Administrator //hh16.hh3.site/dfs
Domain=[HH3] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-55c279f]
smb: \>

and we can go on to access the share on altea fine.
Cheers,
Steve

Davor Vusir

Jul 1, 2014, 2:22:59 PM

I think you're wrong.

From member server vastraaros:
admind@vastraaros:~$ smbclient //hem.vusir.se/files -U davor
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Enter davor's password:
Domain=[VUSIR] OS=[Unix] Server=[Samba 4.1.9]
smb: \> pwd
Current directory is \\hem.vusir.se\files\
smb: \> ls
. D 0 Mon Jun 30 20:18:22 2014
.. D 0 Fri Jun 27 05:51:19 2014
home D 0 Fri Jun 27 19:26:33 2014
familjen D 0 Fri Jun 27 19:26:07 2014
56212 blocks of size 1048576. 50192 blocks available
smb: \> cd home\davor
smb: \home\davor\> ls
. D 0 Wed Apr 23 07:57:52 2014
.. D 0 Thu Jun 26 22:29:37 2014
_aaa D 0 Sun Oct 20 10:16:27 2013
Links DR 0 Mon Jun 30 21:03:55 2014
AppData D 0 Wed Apr 23 16:15:30 2014
.bash_history H 50 Sun Mar 30 21:45:16 2014
.viminfo H 1745 Mon Apr 7 05:58:08 2014
Documents DR 0 Mon Jun 30 21:03:54 2014
Contacts DR 0 Mon Jun 30 21:03:54 2014
Desktop DR 0 Mon Jun 30 21:03:54 2014
Searches DR 0 Mon Jun 30 21:03:54 2014
Favorites DR 0 Mon Jun 30 21:03:54 2014
50364 blocks of size 4194304. 27720 blocks available
smb: \home\davor\> pwd
Current directory is \\hem.vusir.se\files\home\davor\
smb: \home\davor\> listconnect
0: server=hem.vusir.se, share=files
smb: \home\davor\>

Regards
Davor

steve

Jul 1, 2014, 3:23:35 PM

On our config it treats the domain as the name of the server! Anyway,
thanks for your time. We can't spend any longer with this as we are
looking for a solution.
Thanks again,
Steve

Daniel Müller

Jul 2, 2014, 1:44:24 AM
Hi,
it will not work with samba4 and smb3!? I have the same definition and I cannot reach my DFS with \\mydomain.name\dfsshare but... and that is the interesting thing: from within my old samba3 NT style domain I can reach!! the same \\mydomain.name\dfsshare without any issues. I can read and write to it...
I think this is an awesome bug in samba4, because I can prove that within the beta versions it was still possible to reach
and act on \\mydomain.name\share without any errors.


EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de


-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On behalf of steve
Sent: Tuesday, 1 July 2014 21:24
To: Davor Vusir
Cc: sa...@lists.samba.org
Subject: Re: [Samba] domain-based DFS ?

Davor Vusir

Jul 2, 2014, 3:28:15 AM

Added uid, uidnumber and gidNumber to every account and group.
Resulted in access denied to \\vusir.local\dfs\share and home
directory.

Commented 'idmap_ldb:use rfc2307 = yes'. No change.

Removed uid, uidNumber and gidNumber from relevant accounts and access
groups. No change.

Removed uid, uidNumber and gidNumber from all accounts and access
Groups. No change.

Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.

A couple of restarts of the Windows 7 client, AD DC restarts and a
server reboot. Back in business.

Regards
Davor

Davor Vusir

Jul 2, 2014, 3:32:02 AM
relevant accounts should read test account.

Davor Vusir

Jul 2, 2014, 8:40:21 AM
Is it an IPv6 issue? I know Windows XP does not speak IPv6 out-of-the-box.
But...

I have turned off IPv6 on the AD DC. And installed Microsoft Fixit 50409 on
my Win 7.

Regards
Davor

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Daniel Müller

Jul 2, 2014, 8:54:42 AM
As I mentioned, since the end of the beta versions it is no longer possible
(smb3!?).
If you have an old samba4 style domain running and you do as member
\\younewsamba4.domainame\share (or) dfs
it will certainly work.
I can prove it with my production samba PDC domain and a samba4
domain running side by side


EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de





-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On
behalf of Davor Vusir
Sent: Wednesday, 2 July 2014 14:40
To: steve
Cc: sa...@lists.samba.org
Subject: Re: [Samba] domain-based DFS ?

Henrik Langos

Jul 2, 2014, 12:48:31 PM
On 07/02/14 09:28, Davor Vusir wrote:
>
>>
>> On our config it treats the domain as the name of the server! Anyway, thanks for your time. We can't spend any longer with this as we are looking for a solution.
>> Thanks again,
>> Steve
>>
> Added uid, uidnumber and gidNumber to every account and group.
> Resulted in access denied to \\vusir.local\dfs\share and home
> directory.
>
> Commented 'idmap_ldb:use rfc2307 = yes'. No change.
>
> Removed uid, uidNumber and gidNumber from relevant accounts and access
> groups. No change.
>
> Removed uid, uidNumber and gidNumber from all accounts and access
> Groups. No change.
>
> Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.
>
> A couple of restarts of the Windows 7 client, AD DC restarts and a
> server reboot. Back in business.

Hi Davor,

This pretty much matches my observations with domain-based DFS. It's
hit and miss with lots of poking around in the dark.

Occasionally it works and all looks very nice, but then on the next
login it might fail again. For me it was mostly failing.
(But then again I suspect it had to do with my removing one of the AD
DCs and downgrading it to a normal member server. I've seen the former
AD pop up in one of the DFS tabs as dfs root even though it wasn't a DC
any more.)

Once DFS failed in the observed way, there is no point in logout/login
cycles.
The only thing that *sometimes* helps is a complete reboot of the client
and hoping for the best.
This makes debugging the problem a very frustrating and time consuming
business.

Also smbclient and windows 7 show very different behavior.
In smbclient I can always at least see the dfs directory but access to
the visible shares will fail.

$ smbclient -U sample12 '\\domain.local\dfs'
Enter sample12's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.9-Debian]
smb: \> ls
. D 0 Mon Jun 30 20:53:09 2014
.. D 0 Thu Jun 26 13:17:10 2014
test2 D 0 Mon Jun 30 18:08:11 2014
test D 0 Mon Jun 30 10:20:23 2014

64514 blocks of size 32768. 30984 blocks available
smb: \> ls test
session setup failed: NT_STATUS_LOGON_FAILURE
Unable to follow dfs referral [\shares01\test]
do_list: [\test] NT_STATUS_PATH_NOT_COVERED
smb: \>

In Windows 7 I can see the dfs share when I go to \\domain.local\ but
changing into that \\domain.local\dfs share results in an error.

In contrast to this, access via \\addchost.domain.local\dfs works
reliably from Windows and smbclient alike.
Using this form I can even use smbclient with Kerberos authentication.
(which fails for "domain.local" as there is no service principal for
cifs/domain...@DOMAIN.LOCAL in the Kerberos database.)

I'll put that topic away for now.

cheers
-henrik

Davor Vusir

Jul 2, 2014, 3:05:39 PM
2014-07-02 18:48 GMT+02:00 Henrik Langos <hlango...@innominate.com>:
> On 07/02/14 09:28, Davor Vusir wrote:
>>
>>
>>>
>>> On our config it treats the domain as the name of the server! Anyway,
>>> thanks for your time. We can't spend any longer with this as we are looking
>>> for a solution.
>>> Thanks again,
>>> Steve
>>>
>> Added uid, uidnumber and gidNumber to every account and group.
>> Resulted in access denied to \\vusir.local\dfs\share and home
>> directory.
>>
>> Commented 'idmap_ldb:use rfc2307 = yes'. No change.
>>
>> Removed uid, uidNumber and gidNumber from relevant accounts and access
>> groups. No change.
>>
>> Removed uid, uidNumber and gidNumber from all accounts and access
>> Groups. No change.
>>
>> Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.
>>
>> A couple of restarts of the Windows 7 client, AD DC restarts and a
>> server reboot. Back in business.
>
>
> Hi Davor,
>
Hi Henrik,

thank you for your mail and sharing your experiences.

> This pretty much matches my observations with domain based dfs. It's a hit
> and miss with lots of poking around in the dark.
>
For me it was quite straightforward and "just worked". I don't share
the troubles expressed in this thread.

> Occasionally it works and all looks very nice, but then on the next login it
> might fail again. For me it was mostly failing.
> (But then again I suspect it had to do with my removing one of the AD DCs
> and downgrading it to a normal member server. I've seen the former AD pop up
> in one of the DFS tabs as dfs root even though it wasn't a DC any more.)
>
I think your suspicions are right. But for me it was (is) mostly
success. The troubles I have encountered, I believe, rather depend on
my running the AD DC and file server on the same host and using a
network bridge for virtualization.
I have experienced neither what has been mentioned in this thread
nor what you write here. But I'm having trouble when the host is
(re)started; Windows complains about non-existing logon servers. I
restart the Samba service, reboot the Windows client and the problem
is gone. The Samba errors are:

WARNING: no network interfaces found
task_server_terminate: [nbtd: no network interfaces configured]
WARNING: no network interfaces found
task_server_terminate: [cldapd: no network interfaces configured]
WARNING: no network interfaces found
task_server_terminate: [kdc: no network interfaces configured]
/usr/local/samba/sbin/samba_dnsupdate: WARNING: no network interfaces found
WARNING: no network interfaces found
task_server_terminate: [nbtd: no network interfaces configured]
WARNING: no network interfaces found
task_server_terminate: [cldapd: no network interfaces configured]
WARNING: no network interfaces found
task_server_terminate: [kdc: no network interfaces configured]

This was not a problem before I configured DFS. Please note that I do
not think that Samba as AD DC, the file server (the two running on
the same host), DFS, the network bridge or the Windows client
running as a virtual guest is the problem per se. It is the
combination, all running on the same host, that is the problem.

When the above combination, AD DC, file server and DFS, starts, it
runs fine! It seems stable.

> In contrast to this, access via \\addchost.domain.local\dfs works reliably
> from Windows and smbclient alike.
> Using this form I can even use smbclient with Kerberos authentication.
> (which fails for "domain.local" as there is no service principal for
> cifs/domain...@DOMAIN.LOCAL in the Kerberos database.)
>
> I'll put that topic away for now.
>
Yes. But I think it is worth putting some time and energy into.

Regards
Davor

Davor Vusir

Jul 3, 2014, 3:54:17 AM
Back again! :)
First of all, I refuse to believe that I'm the only one that got
domain-based DFS to work.

I want to share some final thoughts in this matter.

This link, https://wiki.samba.org/index.php/WIP/Beginner_HowTo_-_SOHO_business_server,
is a transcript of how I installed and configured Samba. To make
domain-based DFS work I simply put 'host msdfs = yes' to the global
section, added the required share definition, created the links,
restarted Samba and rebooted the Windows client.

If you take a few minutes and read the wiki page, you'll see a section
about turning off IPv6 on the host. This might be what differs in my
and your setup. And what makes the difference.

My thoughts:
The host is IPv6 capable. Samba understands and responds to requests
over both IPv4 and IPv6. An IPv4-only host, like Windows XP or Windows
7 with Microsoft Fixit 50409 installed, sends a request. Samba, or the
DFS-module, receives it and processes it but as the host is IPv6
capable, Samba, or the DFS-module, returns an answer over a valid
adapter. May it be IPv4 or IPv6. Is the IPv6 adapter prioritized? For
Samba, or the DFS-module, it doesn't seem to matter. If samba, or the
DFS-module, just makes the check 'if ValidAdapter == true send
response;' it might just be sent over IPv6 and there is no one on the
other end to receive the message. Or if the DFS code doesn't support
IPv6, it simply drops it.

Would 'bind interfaces only',
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#BINDINTERFACESONLY,
be a better alternative to turning off IPv6 on the host? In
co-operation with 'interfaces',
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#INTERFACES?

Regards
Davor

L.P.H. van Belle

Jul 3, 2014, 5:05:41 AM
Thanks Davor...

you found at least one problem, adding the interfaces and bind options fixed at least 1 thing.

No changes on the windows 7 pc.

in smb.conf i added

interfaces = 127.0.0.1 192.168.1.1/24
bind interfaces only = yes

( Ubuntu users don't use eth or lo, this is buggy )

added
[dfs]
comment = DFS Root Share
path = /export/dfsroot
browsable = yes
msdfs root = yes
read only = no


now my test :

smbclient //localhost/dfs -U 'DOMAIN\administrator'
cd someshare

works

windows7 pc to \\servername\dfs\someshare
works

...
now working on the domain based dfs


Greetz,

Louis



>-----Original message-----
>From: davor...@gmail.com
>[mailto:samba-...@lists.samba.org] On behalf of Davor Vusir
>Sent: Thursday, 3 July 2014 9:54
>To: steve
>CC: sa...@lists.samba.org
>Subject: Re: [Samba] domain-based DFS ?

L.P.H. van Belle

Jul 3, 2014, 5:38:21 AM
some extra info.

I applied Microsoft Fixit 50409.
Domain based dfs still not working.
turned off IPv6, still not working.

run the following on the Windows 7 PC:
dfsutil /pktinfo

5 entries...
Entry: \dc1\dfs\someshare
ShortEntry: \dc1\dfs\someshare
Expires in 0 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\rtd-mem1.internal.domain.tld\someshare] AccessStatus: 0 ( ACTIVE )

Entry: \internal.domain.tld\dfs
ShortEntry: \internal.domain.tld\dfs
Expires in 0 seconds
UseCount: 0 Type:0x10 ( OUTSIDE_MY_DOM )
0:[\internal.domain.tld\dfs]

Entry: \internal.domain.tld\netlogon
ShortEntry: \internal.domain.tld\netlogon
Expires in 179 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\dc1.internal.domain.tld\netlogon] AccessStatus: 0 ( ACTIVE TARGETSET)
1:[\dc2.internal.domain.tld\netlogon]

Entry: \internal.domain.tld\sysvol
ShortEntry: \internal.domain.tld\sysvol
Expires in 133 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\dc1.internal.domain.tld\sysvol] AccessStatus: 0 ( ACTIVE TARGETSET )
1:[\dc2.internal.domain.tld\sysvol]

Entry: \dc1\dfs
ShortEntry: \dc1\dfs
Expires in 0 seconds
UseCount: 0 Type:0x81 ( REFERRAL_SVC DFS )
0:[\dc1\dfs] AccessStatus: 0 ( ACTIVE )


I'm wondering why the domain-based DFS is outside the domain?

anyone?

Greetz,

Louis



>-----Original message-----
>From: be...@bazuin.nl [mailto:samba-...@lists.samba.org]
>On behalf of L.P.H. van Belle
>Sent: Thursday, 3 July 2014 11:06
>To: sa...@lists.samba.org
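The dfsutil /pktinfo dump above is the thing to read when a domain-based root fails on a Windows client. As an added example (not code from the thread, from dfsutil or from Samba), here is a Python parser for that text which lists each cached entry with its type flags and referral targets, then flags the entries under the domain name that the client marked OUTSIDE_MY_DOM or that have no ACTIVE target. The embedded sample is a constructed, trimmed copy of Louis's output; the domain name passed to diagnose() is an assumption taken from it.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: three of the entries from the dfsutil /pktinfo dump in the thread.
SAMPLE_PKTINFO = r"""
3 entries...
Entry: \dc1\dfs\someshare
ShortEntry: \dc1\dfs\someshare
Expires in 0 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\rtd-mem1.internal.domain.tld\someshare] AccessStatus: 0 ( ACTIVE )

Entry: \internal.domain.tld\dfs
ShortEntry: \internal.domain.tld\dfs
Expires in 0 seconds
UseCount: 0 Type:0x10 ( OUTSIDE_MY_DOM )
0:[\internal.domain.tld\dfs]

Entry: \internal.domain.tld\sysvol
ShortEntry: \internal.domain.tld\sysvol
Expires in 133 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\dc1.internal.domain.tld\sysvol] AccessStatus: 0 ( ACTIVE TARGETSET )
1:[\dc2.internal.domain.tld\sysvol]
"""


@dataclass
class Referral:
    index: int
    path: str                                        # \server\share the client was referred to
    status: List[str] = field(default_factory=list)  # e.g. ["ACTIVE", "TARGETSET"]


@dataclass
class PktEntry:
    path: str                                        # cached DFS path, e.g. \internal.domain.tld\dfs
    expires: int = 0
    type_code: int = 0
    flags: List[str] = field(default_factory=list)   # names printed after the Type: code
    referrals: List[Referral] = field(default_factory=list)


ENTRY_RE = re.compile(r"^Entry:\s*(\S+)")
EXPIRES_RE = re.compile(r"^Expires in (\d+) seconds")
TYPE_RE = re.compile(r"^UseCount:\s*\d+\s+Type:(0x[0-9a-fA-F]+)\s*\(\s*([^)]*?)\s*\)")
REF_RE = re.compile(r"^(\d+):\[([^\]]+)\](?:\s+AccessStatus:\s*\d+\s*\(\s*([^)]*?)\s*\))?")


def parse_pktinfo(text: str) -> List[PktEntry]:
    """Turn the dfsutil /pktinfo text into a list of PktEntry objects."""
    entries: List[PktEntry] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = PktEntry(path=m.group(1))
            entries.append(current)
            continue
        if current is None:
            continue  # preamble such as "3 entries..."
        m = EXPIRES_RE.match(line)
        if m:
            current.expires = int(m.group(1))
            continue
        m = TYPE_RE.match(line)
        if m:
            current.type_code = int(m.group(1), 16)
            current.flags = m.group(2).split()
            continue
        m = REF_RE.match(line)
        if m:
            status = m.group(3).split() if m.group(3) else []
            current.referrals.append(Referral(int(m.group(1)), m.group(2), status))
    return entries


def diagnose(entries: List[PktEntry], domain: str) -> List[str]:
    """Report the entries cached under the domain name that cannot serve as a domain root."""
    problems: List[str] = []
    for entry in entries:
        first = entry.path.strip("\\").split("\\")[0]
        if first.lower() != domain.lower():
            continue  # a server-based entry such as \dc1\dfs\someshare
        if "OUTSIDE_MY_DOM" in entry.flags:
            problems.append(f"{entry.path}: cached as OUTSIDE_MY_DOM, not as a domain DFS root")
        if not any("ACTIVE" in r.status for r in entry.referrals):
            problems.append(f"{entry.path}: no referral target is ACTIVE")
    return problems


if __name__ == "__main__":
    for problem in diagnose(parse_pktinfo(SAMPLE_PKTINFO), "internal.domain.tld"):
        print(problem)
```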

steve

Jul 3, 2014, 5:51:14 AM
Hi
Yes, I can confirm this. Specifying the server works but not on a load
balancing or failover share where two servers offer the same share. If
the first server is unavailable the second server is not consulted.
Cheers,
Steve

Davor Vusir

Jul 5, 2014, 11:33:08 PM
2014-07-03 11:05 GMT+02:00 L.P.H. van Belle <be...@bazuin.nl>:
> Thanks Davor...
>
> you found at least one problem, adding the interfaces and bind options fixed at least 1 thing.
>
> No changes on the windows 7 pc.
>
> in smb.conf i added
>
> interfaces = 127.0.0.1 192.168.1.1/24
> bind interfaces only = yes
>
> ( Ubuntu users don't use eth or lo, this is buggy )
>
Thanks for the info. I didn't know that.

> added
> [dfs]
> comment = DFS Root Share
> path = /export/dfsroot
> browsable = yes
> msdfs root = yes
> read only = no
>
>
> now my test :
>
> smbclient //localhost/dfs -U 'DOMAIN\administrator'
> cd someshare
>
> works
>
> windows7 pc to \\servername\dfs\someshare
> works
>
> ...
> now working on the domain based dfs
>
>
> Greetz,
>
> Louis
>
>
>

Davor Vusir

Jul 5, 2014, 11:35:45 PM
2014-07-03 11:51 GMT+02:00 steve <st...@steve-ss.com>:
> On Thu, 2014-07-03 at 11:05 +0200, L.P.H. van Belle wrote:
>> Thanks Davor...
>>
>> you found at least one problem, adding the interfaces and bind options fixed at least 1 thing.
>>
>> No changes on the windows 7 pc.
>>
>> in smb.conf i added
>>
>> interfaces = 127.0.0.1 192.168.1.1/24
>> bind interfaces only = yes
>>
>> ( Ubuntu users don't use eth or lo, this is buggy )
>>
>> added
>> [dfs]
>> comment = DFS Root Share
>> path = /export/dfsroot
>> browsable = yes
>> msdfs root = yes
>> read only = no
>>
>>
>> now my test :
>>
>> smbclient //localhost/dfs -U 'DOMAIN\administrator'
>> cd someshare
>>
>> works
>>
>> windows7 pc to \\servername\dfs\someshare
>> works
>>
>> ...
>> now working on the domain based dfs
>>
>>
>> Greetz,
>>
>> Louis
>
> Hi
> Yes, I can confirm this. Specifying the server works but not on a load
> balancing or failover share where two servers offer the same share. If
> the first server is unavailable the second server is not consulted.
> Cheers,
> Steve
>
The information about possible failover hosts is in the AD part of
the AD DC. I don't think it will work until there is an endpoint mapper
in place that handles DFS.

Davor Vusir

Jul 6, 2014, 12:14:08 AM
2014-07-02 18:48 GMT+02:00 Henrik Langos <hlango...@innominate.com>:
> On 07/02/14 09:28, Davor Vusir wrote:
>>
>>
>>>
>>> On our config it treats the domain as the name of the server! Anyway,
>>> thanks for your time. We can't spend any longer with this as we are looking
>>> for a solution.
>>> Thanks again,
>>> Steve
>>>
>> Added uid, uidnumber and gidNumber to every account and group.
>> Resulted in access denied to \\vusir.local\dfs\share and home
>> directory.
>>
>> Commented 'idmap_ldb:use rfc2307 = yes'. No change.
>>
>> Removed uid, uidNumber and gidNumber from relevant accounts and access
>> groups. No change.
>>
>> Removed uid, uidNumber and gidNumber from all accounts and access
>> Groups. No change.
>>
>> Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.
>>
>> A couple of restarts of the Windows 7 client, AD DC restarts and a
>> server reboot. Back in business.
>
>
> Hi Davor,
>
> This pretty much matches my observations with domain based dfs. It's a hit
> and miss with lots of poking around in the dark.
>
> Occasionally it works and all looks very nice, but then on the next login it
> might fail again. For me it was mostly failing.
> (But then again I suspect it had to do with my removing one of the AD DCs
> and downgrading it to a normal member server. I've seen the former AD pop up
> in one of the DFS tabs as dfs root even though it wasn't a DC any more.)
>
> In contrast to this, access via \\addchost.domain.local\dfs works reliably
> from Windows and smbclient alike.
> Using this form I can even use smbclient with Kerberos authentication.
> (which fails for "domain.local" as there is no service principal for
> cifs/domain...@DOMAIN.LOCAL in the Kerberos database.)
>
> I'll put that topic away for now.
>
> cheers
> -henrik
>
>
Hi Henrik,
you're right. Eventually it decays to what you describe. Eroding,
maybe. It's very annoying, because if it works with the netlogon and
sysvol shares, it has to work with a domain-based DFS.

Below are the latest changes I made to smb.conf.

I also configured WINS-server on the client and enabled NetBIOS in the
TCP/IP Control Panel.
When I enabled NetBIOS in the TCP/IP Control Panel I got the access
error. I can't recall how I fixed that but it might be a good idea to
edit ACLs on the DFS share.

And while you're at it, why not add WINS...

I'm wondering how much I'm violating the AD DC...

Perhaps it was the 'allow insecure wide links = yes' that made it
work. Well... it's still working.

Regards
Davor

# Global parameters
[global]
host msdfs = yes
interfaces = 192.168.1.3/24


bind interfaces only = yes

wins support = yes
wins server = 192.168.1.3
allow insecure wide links = yes
[files]
path = /data/files
comment = "Här finns allt!"
read only = No
vfs objects = acl_xattr
msdfs root = yes

Daniel Müller

Jul 7, 2014, 1:45:54 AM
Dear all,
as I mentioned in this thread: since the samba4 alpha has ended it has no longer been possible!!!! to
reach a share, e.g. \\your.samba4domain\share, without these errors. I myself think it is a bug and it should be covered by the
samba technical. The only workaround I found is to run a samba3 old style domain, and within this domain you have no trouble
pointing to \\your.samba4domain\share . It could be that it is an issue with smb3.

Greetings
Daniel


EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de

"Man is the medicine of man"


-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On behalf of Davor Vusir
Sent: Sunday, 6 July 2014 06:14
To: Henrik Langos
Cc: sa...@lists.samba.org
Subject: Re: [Samba] domain-based DFS ?

kr...@gmx.de

Jan 25, 2017, 9:48:00 AM
On Thursday, July 3, 2014 at 11:38:21 AM UTC+2, L.P.H. van Belle wrote:
> dfsutil /pktinfo
>
> 5 entries...
>
> Entry: \internal.domain.tld\dfs
> ShortEntry: \internal.domain.tld\dfs
> Expires in 0 seconds
> UseCount: 0 Type:0x10 ( OUTSIDE_MY_DOM )
> 0:[\internal.domain.tld\dfs]
>
> I'm wondering why the domain-based DFS is outside the domain?

Hi,

I ran into the same situation (Debian samba 4.2.14+dfsg-0+deb8u2) creating a domain-based DFS root share. The Partition Knowledge Table always shows OUTSIDE_MY_DOM.

As a workaround I created a DFS proxy share pointing to the real DFS root share:
[dfs]
comment = DFS Proxy Share
msdfs root = Yes
msdfs proxy = \dc01.example.dom\dfsroot
browsable = Yes
read only = No

[dfsroot]
comment = DFS Root Share
path = /var/lib/samba/dfs
msdfs root = Yes
browsable = No
read only = No


Regards
Chris