Discussion:
[Samba] Missing features, RLY?!? & readme1st again
Klaus Hartnegg
2014-06-27 11:53:22 UTC
Missing features from memory from following this mailinglist:
- Win7 join to AD still requires two registry changes.
- SYSVOL is not replicated, use a cronjob with rsync.
- Domain-Trust works only in one direction (which one?).
- winbind does not work on DCs, use a separate file server.
- Joining an AD requires one of its DCs in the same subnet?
- Cluster filesystems destroy TDB files, use CTDB.
- CTDB does not work on an AD-DC, use a separate file server.
- DFS works only server-based, not domain-based?
- DFS works only for Administrators?
- DFSR is not implemented.

Is this list correct? Is it complete?

This list should be in a Samba4-ReadmeFirst on the Wiki startpage. I
once started such a page, should I update the "limitations" section and
finally put a link to it on the startpage? Will the Wiki allow me to
edit the startpage? Where exactly should the link be?
https://wiki.samba.org/index.php/Samba_Readme_First
mourik jan heupink - merit
2014-06-27 12:22:51 UTC
Post by Klaus Hartnegg
- Win7 join to AD still requires two registry changes.
I am under the impression that this is no longer needed.

MJ
Sven Schwedas
2014-06-27 12:30:32 UTC
It's only needed for NT4-style domains, not AD (unless you botched up
your DNS configuration).
Post by mourik jan heupink - merit
Post by Klaus Hartnegg
- Win7 join to AD still requires two registry changes.
I am under the impression that this is no longer needed.
MJ
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at

Klaus Hartnegg
2014-06-27 12:34:38 UTC
Ok, I change that line to
- Win7 join to non-AD DC requires two registry changes.
or maybe it should not be in this list at all, if the list is Samba4
specific.
Sven Schwedas
2014-06-27 12:51:00 UTC
Post by Klaus Hartnegg
Ok, I change that line to
- Win7 join to non-AD DC requires two registry changes.
or maybe it should not be in this list at all, if the list is Samba4
specific.
I think it's not samba-specific entirely. As far as I know you'd have
the same issues with windows-based NT4 domains. They're just a bit rare
nowadays.
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at

Andrew Bartlett
2014-07-19 21:52:35 UTC
Post by Sven Schwedas
Post by Klaus Hartnegg
Ok, I change that line to
- Win7 join to non-AD DC requires two registry changes.
or maybe it should not be in this list at all, if the list is Samba4
specific.
I think it's not samba-specific entirely. As far as I know you'd have
the same issues with windows-based NT4 domains. They're just a bit rare
nowadays.
No, they really are samba-specific. NT4 support isn't available, the
only support that exists is for Samba, and you can even find references
in the Microsoft website for that!

The reason is that we worked with them to upgrade the crypto in Samba
beyond NT4 levels, so that Windows wouldn't be burdened with really,
really bad crypto forever (at least in this area).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Marc Muehlfeld
2014-06-27 20:01:44 UTC
Hello Klaus,
Post by Klaus Hartnegg
Ok, I change that line to
- Win7 join to non-AD DC requires two registry changes.
or maybe it should not be in this list at all, if the list is Samba4
specific.
A non-AD DC is a NT4-style PDC.

DC = AD
PDC/BDC = NT4 domain



Regards,
Marc
Allen Chen
2014-06-27 14:17:29 UTC
I can answer some of your questions based on my test environment:
1. compiled Samba 4.1.7
2. classicupgrade from samba3+ldap backend
3. Samba 4 internal DNS+LDAP
4. external DNS servers forward AD DC domain queries to the two Samba 4
AD DC servers
5. the two Samba 4 AD DC servers are on different subnets via a gateway
Post by Klaus Hartnegg
- Win7 join to AD still requires two registry changes.
No, you don't need to change anything on Win7.
Post by Klaus Hartnegg
- SYSVOL is not replicated, use a cronjob with rsync.
I use rsync to replicate SYSVOL.
Post by Klaus Hartnegg
- Domain-Trust works only in one direction (which one?).
not tested.
Post by Klaus Hartnegg
- winbind does not work on DCs, use a separate file server.
My AD DCs are the dedicated DC servers, no file sharing, so I run S4 with
the default smb.conf (no changes).
I don't see any issues. If you do file sharing on DC, it's another story.
Post by Klaus Hartnegg
- Joining an AD requires one of its DCs in the same subnet?
No problems with multiple subnets for AD DCs and client machines.

I don't test the rest.
Post by Klaus Hartnegg
- Cluster filesystems destroy TDB files, use CTDB.
- CTDB does not work on an AD-DC, use a separate file server.
- DFS works only server-based, not domain-based?
- DFS works only for Administrators?
- DFSR is not implemented.
Is this list correct? Is it complete?
This list should be in a Samba4-ReadmeFirst on the Wiki startpage. I
once started such a page, should I update the "limitations" section
and finally put a link to it on the startpage? Will the Wiki allow me
to edit the startpage? Where exactly should the link be?
https://wiki.samba.org/index.php/Samba_Readme_First
My first choice on DNS setup is to change my existing DNS servers to
forward AD DC domain query to AD DC servers, and have AD DC use its
internal DNS.
So you can put all of your AD DCs' IP to your existing DNS servers.

Allen
Marc Muehlfeld
2014-06-27 20:05:39 UTC
Post by Allen Chen
Post by Klaus Hartnegg
- Domain-Trust works only in one direction (which one?).
not tested.
https://wiki.samba.org/index.php/FAQ#Does_Samba_support_trust_relationship_with_AD.3F
Post by Allen Chen
Post by Klaus Hartnegg
- winbind does not work on DCs, use a separate file server.
My AD DCs are the dedicated DC servers, no file sharing, so I run S4 with
the default smb.conf (no changes).
I don't see any issues. If you do file sharing on DC, it's another story.
You don't need to have the accounts locally if you have a Samba AD.
Winbind, Nslcd and sssd are optional - just if you require to have
user/group mappings local or have other local services that require it.
But Samba DC can run without.




Regards,
Marc
Klaus Hartnegg
2014-06-28 19:18:07 UTC
Post by Marc Muehlfeld
https://wiki.samba.org/index.php/FAQ#Does_Samba_support_trust_relationship_with_AD.3F
This page says "Samba can be trusted, but can't trust yet."

What exactly does this mean? Windows server calls this incoming and
outgoing trust, or it says which server will know the other servers
resources. Can Windows-DCs know the resources of the Linux DC, or is it
the other way around?
Klaus Hartnegg
2014-07-01 19:55:40 UTC
Can two Samba AD domains trust each other, just for look ups
so that a workstation can be a member of both domains?
"Each other" implies bidirectional trust. If the info in the FAQ is
still correct, then this is not yet possible.

Also it would require moving from internal DNS server to bind, because
trust requires DNS resolving of the other domain. This is difficult when
each DC runs its own DNS server, and all info about the domain is only
stored there. Windows server can do this with a Conditional Forwarder in
the DNS server. But the internal DNS server of Samba 4 can handle only
one single forwarder, and that is usually already used to resolve the
rest of the world.

Klaus
Henrik Langos
2014-07-03 10:44:00 UTC
Post by Klaus Hartnegg
Can two Samba AD domains trust each other, just for look ups
so that a workstation can be a member of both domains?
"Each other" implies bidirectional trust. If the info in the FAQ is
still correct, then this is not yet possible.
Also it would require moving from internal DNS server to bind, because
trust requires DNS resolving of the other domain. This is difficult
when each DC runs its own DNS server, and all info about the domain is
only stored there. Windows server can do this with a Conditional
Forwarder in the DNS server. But the internal DNS server of Samba 4
can handle only one single forwarder, and that is usually already used
to resolve the rest of the world.
Hi Klaus,

You could solve the DNS issue simply by having a third (non-samba) DNS
server.
Both samba servers can keep using their internal DNS and use that third
server as forwarder.

The third server will need some glue records and some knowledge of those
domains, but that is rather simple.

# cat named.conf
...
// our own name resolution
zone "lan" {
    type master;
    file "/etc/bind/db.lan";
    allow-update { none; };
};

// domain A
zone "doma.lan" {
    type forward;
    forward only;
    forwarders { 10.1.0.1; };
};

zone "1.10.IN-ADDR.ARPA." {
    type forward;
    forward only;
    forwarders { 10.1.0.1; };
};

// domain B
zone "domb.lan" {
    type forward;
    forward only;
    forwarders { 10.2.0.1; };
};

zone "2.10.IN-ADDR.ARPA." {
    type forward;
    forward only;
    forwarders { 10.2.0.1; };
};
...

options {
    directory "/var/cache/bind";

    forwarders {
        // google
        8.8.8.8;
        8.8.4.4;
    };
    ...
};


# cat db.lan
...
;; sub-domain definitions (see also named.conf.local)

doma.lan. IN NS ns.doma.lan.
ns.doma.lan. IN A 10.1.0.1 ; 'glue' record

domb.lan. IN NS ns.domb.lan.
ns.domb.lan. IN A 10.2.0.1 ; 'glue' record


That still leaves the trust issues unresolved but at least DNS wise you
should be ok.

cheers
-henrik
Davor Vusir
2014-06-28 07:38:25 UTC
Post by Klaus Hartnegg
- Win7 join to AD still requires two registry changes.
Not true.
Post by Klaus Hartnegg
- SYSVOL is not replicated, use a cronjob with rsync.
- Domain-Trust works only in one direction (which one?).
- winbind does not work on DCs, use a separate file server.
- Joining an AD requires one of its DCs in the same subnet?
- Cluster filesystems destroy TDB files, use CTDB.
- CTDB does not work on an AD-DC, use a separate file server.
- DFS works only server-based, not domain-based?
Domainbased DFS works. I should also mention that in my single server
environment the AD DC also serves home- and other fileshares. DFS
cannot be managed from Windows with DFS management MMC.
Post by Klaus Hartnegg
- DFS works only for Administrators?
No.
Post by Klaus Hartnegg
- DFSR is not implemented.
Is this list correct? Is it complete?
DNS with BIND9_DLZ and possibly internal DNS does not support renaming
AD Sites and move DC between Sites. BIND9_FLATFILE does. The cost is
that you cannot manage the zone(s) with DNS management MMC.

Regards
Davor
Post by Klaus Hartnegg
This list should be in a Samba4-ReadmeFirst on the Wiki startpage. I once
started such a page, should I update the "limitations" section and finally
put a link to it on the startpage? Will the Wiki allow me to edit the
startpage? Where exactly should the link be?
https://wiki.samba.org/index.php/Samba_Readme_First
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Klaus Hartnegg
2014-06-29 21:19:04 UTC
Post by Davor Vusir
Domainbased DFS works.
How? I can only find descriptions for stand-alone DFS, no mention of
domainbased DFS in Samba anywhere. It works with SYSVOL, but it seems to
be impossible to configure own DFS names like this.
steve
2014-06-29 21:40:04 UTC
Post by Klaus Hartnegg
Post by Davor Vusir
Domainbased DFS works.
How? I can only find descriptions for stand-alone DFS, no mention of
domainbased DFS in Samba anywhere. It works with SYSVOL, but it seems to
be impossible to configure own DFS names like this.
+1
sysvol and netlogon work on the DC as:
\\domain\sysvol
but not if we add our own share.

But we don't want to use the DC as a file server anyway. Only server
name dfs is possible anywhere else but even then it only works for the
first server specified.

Do we have any guidelines as to what to expect for dfs on samba?
Thanks,
Steve
Davor Vusir
2014-06-30 09:36:24 UTC
Post by steve
Post by Klaus Hartnegg
Post by Davor Vusir
Domainbased DFS works.
How? I can only find descriptions for stand-alone DFS, no mention of
domainbased DFS in Samba anywhere. It works with SYSVOL, but it seems to
be impossible to configure own DFS names like this.
+1
\\domain\sysvol
but not if we add our own share.
But we don't want to use the DC as a file server anyway. Only server
name dfs is possible anywhere else but even then it only works for the
first server specified.
Do we have any guidelines as to what to expect for dfs on samba?
Thanks,
Steve
Sorry. Forgot an excerpt from the Windows Eventlog:

Log Name: Application
Source: Microsoft-Windows-Folder Redirection
Date: 2014-06-30 11:27:29
Event ID: 501
Task Category: None
Level: Information
Keywords:
User: VUSIR\davor
Computer: win7.vusir.local
Description:
Successfully applied policy and redirected folder "Documents" to
"\\vusir.local\files\home\davor\Documents".
Redirection options=0x1001.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Folder Redirection"
Guid="{7D7B0C39-93F6-4100-BD96-4DDA859652C5}" />
<EventID>501</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-06-30T09:27:29.170800000Z" />
<EventRecordID>1720</EventRecordID>
<Correlation ActivityID="{538B2AD4-9830-49C6-BD0A-B475546B2E30}" />
<Execution ProcessID="892" ThreadID="3976" />
<Channel>Application</Channel>
<Computer>win7.hem.vusir.se</Computer>
<Security UserID="S-1-5-21-4135210406-1847680363-3009157138-1105" />
</System>
<EventData Name="EVENT_FDEPLOY_SucceededToApplyPolicy">
<Data Name="FromFolder">Documents</Data>
<Data Name="ToFolder">\\vusir.local\files\home\davor\Documents</Data>
<Data Name="Options">0x1001</Data>
</EventData>
</Event>

+1 Huh?

Regards
Davor
steve
2014-06-30 10:09:32 UTC
Post by Davor Vusir
Post by steve
Post by Klaus Hartnegg
Post by Davor Vusir
Domainbased DFS works.
How? I can only find descriptions for stand-alone DFS, no mention of
domainbased DFS in Samba anywhere. It works with SYSVOL, but it seems to
be impossible to configure own DFS names like this.
+1
\\domain\sysvol
but not if we add our own share.
But we don't want to use the DC as a file server anyway. Only server
name dfs is possible anywhere else but even then it only works for the
first server specified.
Do we have any guidelines as to what to expect for dfs on samba?
Thanks,
Steve
+1 Huh?
Regards
Davor
Wonderful. Armed with this and our working windows clients, we'll go
over to the cifs list and ask if we can have this as a cifs mount option
instead of having to specify the server. What do you reckon?
Cheers,
Steve
Davor Vusir
2014-06-30 11:44:27 UTC
I'm not that experienced with Linux but from what I can grasp it won't
be a problem as the mount command supports MS-DFS.

Please keep us posted and good luck.
Davor
Post by steve
Post by Davor Vusir
Post by steve
Post by Klaus Hartnegg
Post by Davor Vusir
Domainbased DFS works.
How? I can only find descriptions for stand-alone DFS, no mention of
domainbased DFS in Samba anywhere. It works with SYSVOL, but it seems to
be impossible to configure own DFS names like this.
+1
\\domain\sysvol
but not if we add our own share.
But we don't want to use the DC as a file server anyway. Only server
name dfs is possible anywhere else but even then it only works for the
first server specified.
Do we have any guidelines as to what to expect for dfs on samba?
Thanks,
Steve
+1 Huh?
Regards
Davor
Wonderful. Armed with this and our working windows clients, we'll go
over to the cifs list and ask if we can have this as a cifs mount option
instead of having to specify the server. What do you reckon?
Cheers,
Steve
Davor Vusir
2014-06-30 06:23:48 UTC
Post by Klaus Hartnegg
Post by Davor Vusir
Domainbased DFS works.
How? I can only find descriptions for stand-alone DFS, no mention of
domainbased DFS in Samba anywhere. It works with SYSVOL, but it seems to be
impossible to configure own DFS names like this.
AD DC: ostraaros.vusir.local
File server: vastraaros.vusir.local

To the [global] section on the AD DC I added
host msdfs = yes <- the trick?

Created a share definition block for the DFS:
[files]
path = /data/files
comment = "Här finns allt!" <- 'Everything is here!' in Swedish.
read only = No
msdfs root = yes

Created links according to
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/msdfs.html:
admind@ostraaros:~$ ls -l /data/files/
total 0
lrwxrwxrwx 1 root root 39 Jun 29 13:32 demoshare -> msdfs:vastraaros.vusir.local\demoshare
lrwxrwxrwx 1 root root 37 Jun 27 19:26 familjen -> msdfs:ostraaros.vusir.local\familjen
lrwxrwxrwx 1 root root 33 Jun 27 19:26 home -> msdfs:ostraaros.vusir.local\home
admind@ostraaros:~$

admind@ostraaros:~$ smbclient //vusir.local/files -U davor -W VUSIR
Enter davor's password:
Domain=[VUSIR] OS=[Unix] Server=[Samba 4.1.9]
smb: \> cd home/davor\
smb: \home\davor\> ls
. D 0 Wed Apr 23 07:57:52 2014
.. D 0 Thu Jun 26 22:29:37 2014
_aaa D 0 Sun Oct 20 10:16:27 2013
Links DR 0 Fri Jun 27 06:41:23 2014
AppData D 0 Wed Apr 23 16:15:30 2014
.bash_history H 50 Sun Mar 30 21:45:16 2014
.viminfo H 1745 Mon Apr 7 05:58:08 2014
Documents DR 0 Fri Jun 27 19:43:44 2014
Contacts DR 0 Tue May 27 05:31:16 2014
Desktop DR 0 Tue Jun 10 21:30:56 2014
Searches DR 0 Tue May 27 05:31:18 2014
Favorites DR 0 Tue May 27 05:40:58 2014
50364 blocks of size 4194304. 27720 blocks available
smb: \home\davor\> pwd
Current directory is \\vusir.local\files\home\davor\
smb: \home\davor\>

admind@ostraaros:~$ smbclient //vusir.local/files -U administrator -W VUSIR
Enter administrator's password:
Domain=[VUSIR] OS=[Unix] Server=[Samba 4.1.9]
smb: \> ls
. D 0 Sun Jun 29 13:32:51 2014
.. D 0 Fri Jun 27 05:51:19 2014
home D 0 Fri Jun 27 19:26:33 2014
familjen D 0 Fri Jun 27 19:26:07 2014
demoshare D 0 Sun Jun 29 13:32:51 2014
56212 blocks of size 1048576. 50229 blocks available
smb: \> cd demoshare\
smb: \demoshare\> ls
. D 0 Sun Jun 29 13:33:24 2014
.. D 0 Sun Jun 29 11:41:26 2014
Testa1 D 0 Sun Jun 29 13:33:22 2014
58665 blocks of size 16777216. 55533 blocks available
smb: \demoshare\> pwd
Current directory is \\vusir.local\files\demoshare\
smb: \demoshare\>

Regards
Davor
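An audit of a DFS root like the /data/files directory in the post above, as an added example that is not part of the original post or of Samba: it reads each msdfs symlink, extracts the referral servers, and reports entries that are not msdfs links or that refer clients to a server outside an expected list. The function names, the allow-list and the three stray entries ("local", "old", "scratch") are constructed for illustration; the comma-separated alternates form follows the msdfs chapter of the Samba HOWTO linked in the post.

```python
import os
import tempfile

MSDFS_PREFIX = "msdfs:"

# Assumption: the servers this site expects DFS referrals to point at
# (the two hosts named in the post).
ALLOWED_SERVERS = ["ostraaros.vusir.local", "vastraaros.vusir.local"]


def parse_msdfs_target(target):
    """Return [(server, share), ...] for an msdfs symlink target.

    Handles msdfs:server\\share as shown in the post and the
    comma-separated alternates form msdfs:srvA\\share,srvB\\share.
    """
    if not target.startswith(MSDFS_PREFIX):
        raise ValueError("not an msdfs link: " + target)
    referrals = []
    for alt in target[len(MSDFS_PREFIX):].split(","):
        server, sep, share = alt.strip().partition("\\")
        if not (server and sep and share):
            raise ValueError("malformed referral in: " + target)
        referrals.append((server.lower(), share))
    return referrals


def audit_dfs_root(root, allowed_servers):
    """Walk a DFS root directory and return (links, findings).

    links maps each msdfs link name to its referral list; findings is a
    list of (entry name, reason) for everything that needs a second look.
    """
    allowed = {s.lower() for s in allowed_servers}
    links, findings = {}, []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.islink(path):
            # A real file or directory here is served by the root host itself.
            findings.append((name, "not a symlink: served by the DFS root host"))
            continue
        try:
            referrals = parse_msdfs_target(os.readlink(path))
        except ValueError as exc:
            findings.append((name, str(exc)))
            continue
        links[name] = referrals
        for server, _share in referrals:
            if server not in allowed:
                findings.append((name, "referral to unlisted server: " + server))
    return links, findings


def build_sample_root(root):
    """Create the three links from the post plus three constructed strays."""
    from_post = {
        "demoshare": r"msdfs:vastraaros.vusir.local\demoshare",
        "familjen": r"msdfs:ostraaros.vusir.local\familjen",
        "home": r"msdfs:ostraaros.vusir.local\home",
    }
    for name, target in from_post.items():
        os.symlink(target, os.path.join(root, name))
    # Constructed entries, not from the post:
    os.symlink(r"msdfs:retired.example\archive", os.path.join(root, "old"))
    os.symlink("/tmp", os.path.join(root, "scratch"))  # ordinary symlink
    os.mkdir(os.path.join(root, "local"))              # real directory


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_root(sample_root)
        found_links, found_problems = audit_dfs_root(sample_root, ALLOWED_SERVERS)
    for link_name, refs in found_links.items():
        print(link_name, "->", refs)
    for entry, reason in found_problems:
        print("CHECK", entry, ":", reason)
```
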
steve
2014-06-30 10:03:54 UTC
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
Hi Davor
OMG. How embarrassing. Yes, of course. And then everything springs to
life.
A big thanks for persisting with us Alicante idiots. We all owe you a
beer.
Cheers,
Steve
Davor Vusir
2014-06-30 11:07:03 UTC
Post by steve
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
Hi Davor
OMG. How embarrassing. Yes, of course. And then everything springs to
life.
At least in Microsoft Country! :)
Post by steve
A big thanks for persisting with us Alicante idiots. We all owe you a
beer.
I'll hold you to that. The beer thing. :)

Good luck
Davor
Post by steve
Cheers,
Steve
L.P.H. van Belle
2014-06-30 11:24:15 UTC
Post by steve
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.


These are the defaults on a DC:
samba-tool testparm -vv | grep dfs
host msdfs = Yes


and member server:
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =



Louis
-----Original message-----
From: davortvusir at gmail.com
[mailto:samba-bounces at lists.samba.org] On behalf of Davor Vusir
Sent: Monday 30 June 2014 13:07
To: steve
CC: samba at lists.samba.org
Subject: Re: [Samba] domain-based DFS ?
Post by steve
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
Hi Davor
OMG. How embarrassing. Yes, of course. And then everything springs to
life.
At least in Microsoft Country! :)
Post by steve
A big thanks for persisting with us Alicante idiots. We all owe you a
beer.
I'll hold you to that. The beer thing. :)
Good luck
Davor
Post by steve
Cheers,
Steve
steve
2014-06-30 12:51:52 UTC
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
Hi it's this:
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes

HTH
Steve
steve
2014-06-30 12:57:58 UTC
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Davor Vusir
2014-06-30 13:40:36 UTC
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Sorry that I wasn't clearer about that.

@L.P.H van Belle:
I'm aware that 'host msdfs = Yes' is amongst the hidden settings in
global section. But to host DFS it simply didn't work until I made it
explicit.

I have two more share definitions on my AD DC, both running on RAID5,
LVM and ext4 on top. Even though 'vfs object = dfs_samba4
acl_xattr' is defined in the global section as a hidden setting, I
could not manipulate ACLs on these shares. Not until I added 'vfs
object = acl_xattr' to the share definitions. I have not tested using
a share on the same disk/volume that Samba is installed on.

My experience is that the settings in smb.conf work great until you
add another share with vfs objects. They are not nullified, but rather
seem to not extend beyond the shares defined during provision. To
activate it you have to explicitly define them in the global section.

And that is a call for following Samba's recommendation to separate the
DC functionality from file server functionality.


Regards
Davor
Daniel Müller
2014-06-30 13:54:42 UTC
I think vfs objects = dfs_samba4 belongs to vfs objects= btrfs !? server
side copy !?



EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de




-----Original message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
behalf of Davor Vusir
Sent: Monday, 30 June 2014 15:41
To: steve
Cc: samba at lists.samba.org
Subject: Re: [Samba] domain-based DFS ?
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Sorry that I wasn't clearer about that.

@L.P.H van Belle:
I'm aware that 'host msdfs = Yes' is amongst the hidden settings in
global section. But to host DFS it simply didn't work until I made it
explicit.

I have two more share definitions on my AD DC, both running on RAID5, LVM
and ext4 on top. Even though 'vfs object = dfs_samba4 acl_xattr' is
defined in the global section as a hidden setting, I could not manipulate
ACLs on these shares. Not until I added 'vfs object = acl_xattr' to the share
definitions. I have not tested using a share on the same disk/volume that
Samba is installed on.

My experience is that the settings in smb.conf work great until you add
another share with vfs objects. They are not nullified, but rather seem to
not extend beyond the shares defined during provision. To activate it you
have to explicitly define them in the global section.

And that is a call for following Samba's recommendation to separate the DC
functionality from file server functionality.


Regards
Davor
David Disseldorp
2014-06-30 14:29:59 UTC
Post by Daniel Müller
I think vfs objects = dfs_samba4 belongs to vfs objects= btrfs !? server
side copy !?
No, the two modules are completely unrelated.

Cheers, David
steve
2014-06-30 14:15:25 UTC
Post by Davor Vusir
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Sorry that I wasn't clearer about that.
I'm aware that 'host msdfs = Yes' is amongst the hidden settings in
global section. But to host DFS it simply didn't work until I made it
explicit.
Hi
I think that means you have to have the line:
host msdfs = Yes
in smb.conf
The hidden (default?) value you get from testparm isn't correct.
@Davor Please could you confirm that that is what you mean?

Could you also post the vfs_object lines that we should include in 1.
[global] and 2. [share]

TIA
Post by Davor Vusir
I have two more share definitions on my AD DC, both running on RAID5,
LVM and ext4 on top. Even though 'vfs object = dfs_samba4
acl_xattr' is defined in the global section as a hidden setting, I
could not manipulate ACLs on these shares. Not until I added 'vfs
object = acl_xattr' to the share definitions. I have not tested using
a share on the same disk/volume that Samba is installed on.
As above.
Thanks,
Steve
Post by Davor Vusir
My experience is that the settings in smb.conf work great until you
add another share with vfs objects. They are not nullified, but rather
seem to not extend beyond the shares defined during provision. To
activate it you have to explicitly define them in the global section.
And that is a call for following Samba's recommendation to separate the
DC functionality from file server functionality.
Regards
Davor
steve
2014-06-30 15:08:01 UTC
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
DC:
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr

hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users

The fileserver, altea is up and we can navigate to:
\\altea\users

however:
\\hh3.site\dfs
and
\\hh3.site\dfs\users

Gives us the infamous '...you may not have permission to access...'
popup.

Is this the acl stuff Davor was mentioning?
Thanks,
Steve
Davor Vusir
2014-06-30 17:11:25 UTC
Permalink
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
This I don't have^
Post by steve
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
This I don't have^

Here it gets tricky, I think. I see that you have compiled Samba. So have I.
My /usr/local resides as a directory on the root disk and /etc/fstab
has got the acl,user_xattr and barrier=1.
The directory files, that contains the links to DFS targets, is just
another directory in /data.

The question is; if /etc/fstab contains acl,user_xattr and barrier=1
for the root-partition/disk and /home is just another directory. Does
smb.conf need to include vfs objects = acl_xattr for /home/dfs? Or
does Samba use the settings in /etc/fstab?

In my setup the directories /data/home and /data/familjen have mounted
LVM-volumes formatted with ext4. For these two directories I have to
include vfs objects = acl_xattr (explicit setting) to be able to
manipulate ACLs. It seems that Samba's understanding (or how to put it)
of this does not "spill" over to mounted volumes.

Your [dfs] and my [files] are manually added to smb.conf. And as soon
as you add a share definition, you have to add an 'explicit' setting (host
msdfs = Yes to the global section).

And it's about here I start to realize that it might not be such a good
idea in the long run to create an SBS-equivalent server where both the
AD DC and file server run simultaneously.

Is this understandable?

Regards
Davor
Post by steve
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission to access...'
popup.
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
This is my smb.conf at the AD DC:
# Global parameters
[global]
workgroup = VUSIR
realm = VUSIR.LOCAL
netbios name = OSTRAAROS
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
disable spoolss = yes
log level = 1
host msdfs = yes
[files]
path = /data/files
comment = "Här finns allt!"
read only = No
msdfs root = yes
[home]
path = /data/home
comment = Homedirectories
read only = No
vfs objects = acl_xattr recycle
acl_xattr:ignore system acl = yes
recycle:keeptree = yes
recycle:versions = yes
recycle:maxsize = 1073741824
csc policy = programs
[familjen]
path = /data/familjen
comment = "Familjens samlade verk!"
read only = No
vfs objects = acl_xattr recycle
acl_xattr:ignore system acl = yes
recycle:keeptree = yes
recycle:versions = yes
recycle:maxsize = 1073741824
csc policy = disable
[netlogon]
path = /usr/local/samba/var/locks/sysvol/vusir.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
Post by steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Davor Vusir
2014-06-30 17:19:19 UTC
Permalink
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission to access...'
popup.
Did you restart the Windows client?
Post by steve
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
steve
2014-06-30 17:48:40 UTC
Permalink
Post by Davor Vusir
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission to access...'
popup.
Did you restart the Windows client?
Yes.
\\hh16.hh3.site\dfs\users
works fine (hh16 is the DC with the dfs root) I get a security tab and a
DFS tab.

\\hh3.site\dfs
Nothing: access denied

\\hh3.site
shows the dfs folder which gives me a DFS tab but no security tab.

I've tried giving Administrator access to /home/dfsroot as fs level (our
Administrator has uid:gid in AD) but still nada. I've tried giving
Administrator access to the same using the security tab as above. Nada.

Not giving up just yet.
Any thoughts as you go through the day most welcome. I get the feeling
that not many have been this way before.
Cheers,
Steve
Post by Davor Vusir
Post by steve
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
Davor Vusir
2014-06-30 18:12:24 UTC
Permalink
Post by steve
Post by Davor Vusir
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission to access...'
popup.
Did you restart the Windows client?
Yes.
\\hh16.hh3.site\dfs\users
works fine (hh16 is the DC with the dfs root) I get a security tab and a
DFS tab.
\\hh3.site\dfs
Nothing: access denied
What happens if you remove 'vfs objects = acl_xattr' from [dfs] and
restart both Samba and the client?
Post by steve
\\hh3.site
shows the dfs folder which gives me a DFS tab but no security tab.
I've tried giving Administrator access to /home/dfsroot as fs level (our
Administrator has uid:gid in AD) but still nada. I've tried giving
Administrator access to the same using the security tab as above. Nada.
Not giving up just yet.
Any thoughts as you go through the day most welcome. I get the feeling
that not many have been this way before.
Cheers,
Steve
Post by Davor Vusir
Post by steve
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
Davor Vusir
2014-07-01 03:27:10 UTC
Permalink
Post by steve
Post by Davor Vusir
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission to access...'
popup.
Did you restart the Windows client?
Yes.
\\hh16.hh3.site\dfs\users
works fine (hh16 is the DC with the dfs root) I get a security tab and a
DFS tab.
\\hh3.site\dfs
Nothing: access denied
\\hh3.site
shows the dfs folder which gives me a DFS tab but no security tab.
I've tried giving Administrator access to /home/dfsroot as fs level (our
Administrator has uid:gid in AD) but still nada. I've tried giving
Administrator access to the same using the security tab as above. Nada.
Not giving up just yet.
Any thoughts as you go through the day most welcome. I get the feeling
that not many have been this way before.
Cheers,
Steve
Post by Davor Vusir
Post by steve
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
A vague memory from one posting aeons ago just came to mind. If
changes are made to the [global] section, Samba has to be restarted to
activate the changes. Did you restart samba?
steve
2014-07-01 12:41:03 UTC
Permalink
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission to access...'
popup.
Did you restart the Windows client?
Yes.
\\hh16.hh3.site\dfs\users
works fine (hh16 is the DC with the dfs root) I get a security tab and a
DFS tab.
\\hh3.site\dfs
Nothing: access denied
\\hh3.site
shows the dfs folder which gives me a DFS tab but no security tab.
I've tried giving Administrator access to /home/dfsroot as fs level (our
Administrator has uid:gid in AD) but still nada. I've tried giving
Administrator access to the same using the security tab as above. Nada.
Not giving up just yet.
Any thoughts as you go through the day most welcome. I get the feeling
that not many have been this way before.
Cheers,
Steve
Post by Davor Vusir
Post by steve
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
A vague memory from one posting aeons ago just came to mind. If
changes are made to the [global] section, Samba has to be restarted to
activate the changes. Did you restart samba?
Hi
OK
I removed all the non default vfs objects, to leave this on the DC,
hh16.hh3.site
s
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes

Here is the dfs link:

steve at hh16:/home/dfsroot> ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users

Here is the fileserver, altea.hh3.site
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab

[users]
path = /home/users
read only = No

Restart samba DC, then file server, then an XP client.
We can browse to \\altea\users
but not to \\hh3.site\dfs\users

Here are the windows screenshots.
1. \\hh3.site
https://db.tt/3ksfq7qV

2. \\hh16.hh3.site
https://db.tt/9C8xtFnT

Conclusion: server dfs works, domain dfs doesn't. But do please tell us
we're wrong. Is there anything in our config we've missed?

Thanks,
Steve
Klaus Hartnegg
2014-07-01 12:48:42 UTC
Permalink
I would try to comment out the line "server services", and make the link
contain the full server name altea.hh3.site instead of just altea.
steve
2014-07-01 13:56:03 UTC
Permalink
Post by Klaus Hartnegg
I would try to comment out the line "server services",
samba fails to start:(
Post by Klaus Hartnegg
and make the link
contain the full server name altea.hh3.site instead of just altea.
Leaving the server services and making the link you suggest:

hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 26 Jul 1 15:49 users -> msdfs:altea.hh3.site\users

same errors:(
Steve
Davor Vusir
2014-07-01 13:34:55 UTC
Permalink
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission to access...'
popup.
Did you restart the Windows client?
Yes.
\\hh16.hh3.site\dfs\users
works fine (hh16 is the DC with the dfs root) I get a security tab and a
DFS tab.
\\hh3.site\dfs
Nothing: access denied
\\hh3.site
shows the dfs folder which gives me a DFS tab but no security tab.
I've tried giving Administrator access to /home/dfsroot as fs level (our
Administrator has uid:gid in AD) but still nada. I've tried giving
Administrator access to the same using the security tab as above. Nada.
Not giving up just yet.
Any thoughts as you go through the day most welcome. I get the feeling
that not many have been this way before.
Cheers,
Steve
Post by Davor Vusir
Post by steve
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
A vague memory from one posting aeons ago just came to mind. If
changes are made to the [global] section, Samba has to be restarted to
activate the changes. Did you restart samba?
Hi
OK
I removed all the non default vfs objects, to leave this on the DC,
hh16.hh3.site
s
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
steve at hh16:/home/dfsroot> ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
I used fqdn: ln -s msdfs:altea.hh3.site\\users users
Post by steve
Here is the fileserver, altea.hh3.site
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
[users]
path = /home/users
read only = No
Restart samba DC, then file server, then an XP client.
We can browse to \\altea\users
but not to \\hh3.site\dfs\users
What is the error? Access denied again? "Network path cannot be
found...", 0x8xxxyy35?
Can you browse to \\hh3.sit\netlogon and \\hh3.site\sysvol?
Post by steve
Here are the windows screenshots.
1. \\hh3.site
https://db.tt/3ksfq7qV
2. \\hh16.hh3.site
https://db.tt/9C8xtFnT
Conclusion: server dfs works, domain dfs doesn't. But do please tell us
we're wrong. Is there anything in our config we've missed?
Thanks,
Steve
steve
2014-07-01 14:00:36 UTC
Permalink
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission to access...'
popup.
Did you restart the Windows client?
Yes.
\\hh16.hh3.site\dfs\users
works fine (hh16 is the DC with the dfs root) I get a security tab and a
DFS tab.
\\hh3.site\dfs
Nothing: access denied
\\hh3.site
shows the dfs folder which gives me a DFS tab but no security tab.
I've tried giving Administrator access to /home/dfsroot as fs level (our
Administrator has uid:gid in AD) but still nada. I've tried giving
Administrator access to the same using the security tab as above. Nada.
Not giving up just yet.
Any thoughts as you go through the day most welcome. I get the feeling
that not many have been this way before.
Cheers,
Steve
Post by Davor Vusir
Post by steve
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
A vague memory from one posting aeons ago just came to mind. If
changes are made to the [global] section, Samba has to be restarted to
activate the changes. Did you restart samba?
Hi
OK
I removed all the non default vfs objects, to leave this on the DC,
hh16.hh3.site
s
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
steve at hh16:/home/dfsroot> ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
I used fqdn: ln -s msdfs:altea.hh3.site\\users users
Post by steve
Here is the fileserver, altea.hh3.site
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
[users]
path = /home/users
read only = No
Restart samba DC, then file server, then an XP client.
We can browse to \\altea\users
but not to \\hh3.site\dfs\users
What is the error? Access denied again? "Network path cannot be
found...", 0x8xxxyy35?
\\hh3.site\dfs is not accessible. You might not have permission...The
network name cannot be found.
Post by Davor Vusir
Can you browse to \\hh3.sit\netlogon and \\hh3.site\sysvol?
Yes.
Post by Davor Vusir
Post by steve
Here are the windows screenshots.
1. \\hh3.site
https://db.tt/3ksfq7qV
2. \\hh16.hh3.site
https://db.tt/9C8xtFnT
Conclusion: server dfs works, domain dfs doesn't. But do please tell us
we're wrong. Is there anything in our config we've missed?
Thanks,
Steve
Rowland Penny
2014-07-01 14:02:41 UTC
Permalink
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission to access...'
popup.
Did you restart the Windows client?
Yes.
\\hh16.hh3.site\dfs\users
works fine (hh16 is the DC with the dfs root) I get a security tab and a
DFS tab.
\\hh3.site\dfs
Nothing: access denied
\\hh3.site
shows the dfs folder which gives me a DFS tab but no security tab.
I've tried giving Administrator access to /home/dfsroot as fs level (our
Administrator has uid:gid in AD) but still nada. I've tried giving
Administrator access to the same using the security tab as above. Nada.
Not giving up just yet.
Any thoughts as you go through the day most welcome. I get the feeling
that not many have been this way before.
Cheers,
Steve
Post by Davor Vusir
Post by steve
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
A vague memory from one posting aeons ago just came to mind. If
changes are made to the [global] section, Samba has to be restarted to
activate the changes. Did you restart samba?
Hi
OK
I removed all the non default vfs objects, to leave this on the DC,
hh16.hh3.site
s
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
steve at hh16:/home/dfsroot> ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
I used fqdn: ln -s msdfs:altea.hh3.site\\users users
Post by steve
Here is the fileserver, altea.hh3.site
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
[users]
path = /home/users
read only = No
Restart samba DC, then file server, then an XP client.
We can browse to \\altea\users
but not to \\hh3.site\dfs\users
What is the error? Access denied again? "Network path cannot be
found...", 0x8xxxyy35?
\\hh3.site\dfs is not accessible. You might not have permission...The
network name cannot be found.
Post by Davor Vusir
Can you browse to \\hh3.sit\netlogon and \\hh3.site\sysvol?
Yes.
Post by Davor Vusir
Post by steve
Here are the windows screenshots.
1. \\hh3.site
https://db.tt/3ksfq7qV
2. \\hh16.hh3.site
https://db.tt/9C8xtFnT
Conclusion: server dfs works, domain dfs doesn't. But do please tell us
we're wrong. Is there anything in our config we've missed?
Thanks,
Steve
Er, I don't know if this will help, but have a look here:
http://markparris.co.uk/2010/03/19/configure-dfs-namepaces-to-use-fully-qualified-domain-names-its-not-the-default/

Just something I chanced on

HTH

Rowland
steve
2014-07-01 14:10:09 UTC
Permalink
Post by Rowland Penny
O
http://markparris.co.uk/2010/03/19/configure-dfs-namepaces-to-use-fully-qualified-domain-names-its-not-the-default/
Just something I chanced on
HTH
Rowland
Thanks, yeah. We've tried both. netbios and fqdn. nada:(
Steve
L.P.H. van Belle
2014-07-01 14:32:55 UTC
Permalink
well..

I just did a test with this for steve also.

same result.

\\domain.name\sysvol and netlogon accessible no problems.

\\domain.name\dfs Access denied again? "Network path cannot be found...", 0x8xxxyy35?

\\server1.domain.name\dfs works, but someshare not.
\\server1.domain.name\dfs\someshare

my steps.

mkdir -p /export/dfsroot
chown root:root /export/dfsroot
chmod 755 /export/dfsroot
ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare

also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare


smbclient //localhost/dfs -U 'administrator'
cd someshare

tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Unable to follow dfs referral [\mem1.internal.domain.tld\]
cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME

so far for me..

found this one
https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
so I think this is not fixed yet...
there is a patch in this link, but since I'm on sernet I'm not trying the patch.


Louis
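
What each `ln -s` quoting variant quoted in this thread actually stores in the symlink can be checked on the DC before a client is involved. The script below is an added example, not part of any post: `parse_msdfs`, `audit_dfs_root` and `make_demo_root` are hypothetical helper names, the `lost` link is a constructed case, and the target form assumed is `msdfs:server\share[,server\share...]`.

```shell
#!/bin/sh
# Added example (not from the thread): show what is stored in each msdfs
# symlink of a DFS root and flag targets that are not plain server\share.

# parse_msdfs TARGET
# Prints one "server<TAB>share" line per alternate. Returns 1, with the reason
# on stderr, if TARGET is not msdfs:server\share[,server\share...] (assumed form).
parse_msdfs() {
    target=$1
    case $target in
        msdfs:?*) ;;
        *) printf '%s\n' "no msdfs: prefix" >&2; return 1 ;;
    esac
    rest=${target#msdfs:}
    old_ifs=$IFS; IFS=,; set -f
    set -- $rest                     # split the alternates on commas
    set +f; IFS=$old_ifs
    for alt in "$@"; do
        case $alt in
            *\\*) ;;
            *) printf '%s\n' "no backslash between server and share" >&2; return 1 ;;
        esac
        server=${alt%%\\*}           # text before the first backslash
        share=${alt#*\\}             # text after the first backslash
        case $share in
            ''|\\*) printf '%s\n' "empty component after server" >&2; return 1 ;;
        esac
        [ -n "$server" ] || { printf '%s\n' "empty server name" >&2; return 1; }
        printf '%s\t%s\n' "$server" "$share"
    done
}

# audit_dfs_root DIR
# Prints "ok" or "BAD" per symlink with the raw stored target; returns 1 if
# anything was flagged.
audit_dfs_root() {
    root=$1
    bad=0
    mode=$(ls -ld "$root") || return 2
    # Matches the chown root:root / chmod 755 step in the post above: whoever
    # can create links here decides where clients are referred.
    case ${mode%% *} in
        ?????w*|????????w*)
            printf 'BAD\t%s\tgroup- or world-writable DFS root\n' "$root"
            bad=1 ;;
    esac
    for link in "$root"/*; do
        [ -L "$link" ] || continue
        tgt=$(readlink "$link")
        if reason=$(parse_msdfs "$tgt" 2>&1 >/dev/null); then
            printf 'ok\t%s\t%s\n' "${link##*/}" "$tgt"
        else
            printf 'BAD\t%s\t%s\t(%s)\n' "${link##*/}" "$tgt" "$reason"
            bad=1
        fi
    done
    return "$bad"
}

# make_demo_root: builds a throw-away DFS root with the quoting variants
# typed in the thread and prints its path.
make_demo_root() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    # Unquoted with a doubled backslash: the shell removes one, server\share is stored.
    ln -s msdfs:altea.hh3.site\\users "$d/users"
    # Single-quoted with one backslash: stored exactly as typed.
    ln -s 'msdfs:mem1.internal.domain.tld\someshare' "$d/someshare"
    # Single-quoted with a doubled backslash: both backslashes are stored.
    ln -s 'msdfs:mem1.internal.domain.tld\\someshare' "$d/someshare2"
    # Constructed case, not from the thread: an unquoted single backslash is
    # consumed by the shell and the separator is lost.
    ln -s msdfs:altea\users "$d/lost"
    printf '%s\n' "$d"
}

demo_root=$(make_demo_root)
audit_dfs_root "$demo_root" || true
rm -rf "$demo_root"
```

A link that passes this check only has the expected shape; it says nothing about whether the DC hands out the referral for `\\domain\dfs`, which is the failure reported above for both link forms.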
-----Original message-----
From: rowlandpenny at googlemail.com
[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
Sent: Tuesday 1 July 2014 16:03
To: samba at lists.samba.org
Subject: Re: [Samba] domain-based DFS ?
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl,
ldap, cldap, kdc,
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path =
/usr/local/samba/var/locks/sysvol/hh3.site/scripts
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users ->
msdfs:altea\users
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission
to access...'
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
popup.
Did you restart the Windows client?
Yes.
\\hh16.hh3.site\dfs\users
works fine (hh16 is the DC with the dfs root) I get a
security tab and a
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
DFS tab.
\\hh3.site\dfs
Nothing: access denied
\\hh3.site
shows the dfs folder which gives me a DFS tab but no
security tab.
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
I've tried giving Administrator access to /home/dfsroot
as fs level (our
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Administrator has uid:gid in AD) but still nada. I've
tried giving
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Administrator access to the same using the security tab
as above. Nada.
Post by steve
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Not giving up just yet.
Any thoughts as you go through the day most welcome. I get the feeling
that not many have been this way before.
Cheers,
Steve
Post by Davor Vusir
Post by steve
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
A vague memory from one posting aeons ago just came to mind. If
changes are made to the [global] section, Samba has to be restarted to
activate the changes. Did you restart samba?
Hi
OK
I removed all the non default vfs objects, to leave this on the DC,
hh16.hh3.site
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
steve at hh16:/home/dfsroot> ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
I used fqdn: ln -s msdfs:altea.hh3.site\\users users
Post by steve
Here is the fileserver, altea.hh3.site
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
[users]
path = /home/users
read only = No
Restart samba DC then file server then an XP client.
We can browse to \\altea\users
but not to \\hh3.site\dfs\users
What is the error? Access denied again? "Network path cannot be
found...", 0x8xxxyy35?
\\hh3.site\dfs is not accessible. You might not have permission...The
network name cannot be found.
Post by Davor Vusir
Can you browse to \\hh3.sit\netlogon and \\hh3.site\sysvol?
Yes.
Post by Davor Vusir
Post by steve
Here are the windows screenshots.
1. \\hh3.site
https://db.tt/3ksfq7qV
2. \\hh16.hh3.site
https://db.tt/9C8xtFnT
Conclusion: server dfs works, domain dfs doesn't. But do please tell us
we're wrong. Is there anything in our config we've missed?
Thanks,
Steve
http://markparris.co.uk/2010/03/19/configure-dfs-namepaces-to-use-fully-qualified-domain-names-its-not-the-default/
Just something I chanced on
HTH
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
steve
2014-07-01 14:56:01 UTC
Post by L.P.H. van Belle
well..
I just did a test with this for steve also.
same result.
\\domain.name\sysvol and netlogon accessible no problems.
\\domain.name\dfs Access denied again? "Network path cannot be found...", 0x8xxxyy35?
\\server1.domain.name\dfs works, but someshare not.
\\server1.domain.name\dfs\someshare
my steps.
mkdir -p /export/dfsroot
chown root:root /export/dfsroot
chmod 755 /export/dfsroot
ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare
also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare
smbclient //localhost/dfs -U 'administrator'
cd someshare
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Unable to follow dfs referral [\mem1.internal.domain.tld\]
cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME
so far for me..
found this one
https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
so i think this is not fixed yet...
there is a patch in this link, but since im on sernet im not trying the patch.
Yeah, thanks Louis.
This is looking more and more like a time consuming, undocumented dead
end. I'm really tempted to drop it at this point and spend the time on a
proper cluster instead. I get the feeling that this was always going to
be second best, and it only works with windows clients anyway.
Cheers,
Steve
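The two `ln -s` variants in the quoted steps above store different strings in the symlink, and the thread mixes short and fully qualified server names in its msdfs links. As an added example (not from the thread and not Samba's own code), this script reads every link in a DFS root with `readlink` and reports what is actually stored; the function names and verdict words are made up here, and the handling of comma-separated alternates goes beyond what the thread uses.

```shell
#!/bin/sh
# Added example: audit the msdfs symlinks in a Samba DFS root directory.
# Verdict words are invented for this example; they describe the stored
# string only, not how any particular Samba version treats it.

# classify_msdfs_target RAW
#   ok           msdfs:<dotted.server.name>\<share>
#   short-host   server part has no dot (e.g. msdfs:altea\users)
#   extra-slash  more than one backslash between server and share
#   empty-part   server or share part is missing
#   not-msdfs    target does not start with "msdfs:"
# Runs in a subshell "( ... )" so IFS and "set -f" do not leak to the caller.
classify_msdfs_target() (
    raw=$1
    case $raw in
        msdfs:*) ;;
        *) echo not-msdfs; exit 0 ;;
    esac
    empty=0 extra=0 short=0 n=0
    IFS=,          # alternates in one link are comma-separated
    set -f         # no globbing while splitting
    for alt in ${raw#msdfs:}; do
        n=$((n + 1))
        server=${alt%%\\*}        # text before the first backslash
        after=${alt#"$server"}    # from the first backslash onwards
        share=${after#\\}         # drop exactly one separator
        case $share in \\*) extra=1 ;; esac
        while :; do               # strip any further leading backslashes
            case $share in \\*) share=${share#\\} ;; *) break ;; esac
        done
        if [ -z "$server" ] || [ -z "$share" ]; then empty=1; fi
        case $server in *.*) ;; *) short=1 ;; esac
    done
    [ "$n" -eq 0 ] && empty=1
    if   [ "$empty" -eq 1 ]; then echo empty-part
    elif [ "$extra" -eq 1 ]; then echo extra-slash
    elif [ "$short" -eq 1 ]; then echo short-host
    else echo ok
    fi
)

# audit_dfsroot DIR
# One tab-separated line per symlink: name, verdict, raw stored target.
audit_dfsroot() {
    dir=$1
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        printf '%s\t%s\t%s\n' "${link##*/}" \
            "$(classify_msdfs_target "$target")" "$target"
    done
}

# Constructed demo: recreate the link styles quoted in the thread in a
# throw-away directory (the targets never need to exist).
demo() {
    d=$(mktemp -d) || return 1
    # Single quotes: the shell passes backslashes through unchanged.
    ln -s 'msdfs:mem1.internal.domain.tld\someshare'  "$d/single"
    ln -s 'msdfs:mem1.internal.domain.tld\\someshare' "$d/double"
    # Unquoted: the shell turns \\ into one backslash before ln sees it.
    ln -s msdfs:altea\\users "$d/users"
    audit_dfsroot "$d"
    rm -rf "$d"
}
demo
```

Run against a real root, for instance `audit_dfsroot /home/dfsroot`, the third column shows whether quoting left one or two backslashes in the link.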
Davor Vusir
2014-07-01 17:41:55 UTC
Steve, have you done any testing with smbclient? I noticed that you've
got 'kerberos method = system keytab' in alteas smb.conf.

smbclient -k -U administrator //hh3.site/dfs/users (-k for kerberos)
steve
2014-07-01 17:56:28 UTC
Hi Davor
You can't test domain dfs with smbclient because it requires a cifs
mount. cifs will only work if you specify a specific server:

smbclient -k -U Administrator //hh3.site/dfs
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/hh3.site at SITE
(Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Server
not found in Kerberos database
session setup failed: NT_STATUS_UNSUCCESSFUL

This of course presents no problem:
smbclient -k -U Administrator //hh16.hh3.site/dfs
Domain=[HH3] OS=[Windows 6.1] Server=[Samba 4.2.0pre1-GIT-55c279f]
smb: \>

and we can go on to access the share on altea fine.
Cheers,
Steve
Davor Vusir
2014-07-01 18:22:59 UTC
I think you're wrong.
admind at vastraaros:~$ smbclient //hem.vusir.se/files -U davor
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Enter davor's password:
Domain=[VUSIR] OS=[Unix] Server=[Samba 4.1.9]
smb: \> pwd
Current directory is \\hem.vusir.se\files\
smb: \> ls
. D 0 Mon Jun 30 20:18:22 2014
.. D 0 Fri Jun 27 05:51:19 2014
home D 0 Fri Jun 27 19:26:33 2014
familjen D 0 Fri Jun 27 19:26:07 2014
56212 blocks of size 1048576. 50192 blocks available
smb: \> cd home\davor
smb: \home\davor\> ls
. D 0 Wed Apr 23 07:57:52 2014
.. D 0 Thu Jun 26 22:29:37 2014
_aaa D 0 Sun Oct 20 10:16:27 2013
Links DR 0 Mon Jun 30 21:03:55 2014
AppData D 0 Wed Apr 23 16:15:30 2014
.bash_history H 50 Sun Mar 30 21:45:16 2014
.viminfo H 1745 Mon Apr 7 05:58:08 2014
Documents DR 0 Mon Jun 30 21:03:54 2014
Contacts DR 0 Mon Jun 30 21:03:54 2014
Desktop DR 0 Mon Jun 30 21:03:54 2014
Searches DR 0 Mon Jun 30 21:03:54 2014
Favorites DR 0 Mon Jun 30 21:03:54 2014
50364 blocks of size 4194304. 27720 blocks available
smb: \home\davor\> pwd
Current directory is \\hem.vusir.se\files\home\davor\
smb: \home\davor\> listconnect
0: server=hem.vusir.se, share=files
smb: \home\davor\>

Regards
Davor
steve
2014-07-01 19:23:35 UTC
On our config it treats the domain as the name of the server! Anyway,
thanks for your time. We can't spend any longer with this as we are
looking for a solution.
Thanks again,
Steve
Daniel Müller
2014-07-02 05:44:24 UTC
Hi,
it will not work with samba4 and smb3!? I have the same definition and I cannot reach my dfs with \\mydomain.name\dfsshare but... and that is the interesting thing: from within my old samba3 nt style domain I can reach!! the same \\mydomain.nam\dfsshare without any issues. I can read and write to it...
I think this is an awesome bug in samba4, because I can prove that within the beta versions it still was possible to reach
and act on \\mydomain.name\share without any errors.


EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de




Davor Vusir
2014-07-02 07:28:15 UTC
Added uid, uidnumber and gidNumber to every account and group.
Resulted in access denied to \\vusir.local\dfs\share and home
directory.

Commented 'idmap_ldb:use rfc2307 = yes'. No change.

Removed uid, uidNumber and gidNumber from relevant accounts and access
groups. No change.

Removed uid, uidNumber and gidNumber from all accounts and access
Groups. No change.

Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.

A couple of restarts of the Windows 7 client, AD DC restarts and a
server reboot. Back in business.

Regards
Davor
Davor Vusir
2014-07-02 07:32:02 UTC
Post by Davor Vusir
Added uid, uidnumber and gidNumber to every account and group.
Resulted in access denied to \\vusir.local\dfs\share and home
directory.
Commented 'idmap_ldb:use rfc2307 = yes'. No change.
Removed uid, uidNumber and gidNumber from relevant accounts and access
groups. No change.
relevant accounts should read test account.
Post by Davor Vusir
Removed uid, uidNumber and gidNumber from all accounts and access
Groups. No change.
Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.
A couple of restarts of the Windows 7 client, AD DC restarts and a
server reboot. Back in business.
Regards
Davor
Henrik Langos
2014-07-02 16:48:31 UTC
Post by Davor Vusir
Post by Daniel Müller
On our config it treats the domain as the name of the server! Anyway, thanks for your time. We can't spend any longer with this as we are looking for a solution.
Thanks again,
Steve
Added uid, uidnumber and gidNumber to every account and group.
Resulted in access denied to \\vusir.local\dfs\share and home
directory.
Commented 'idmap_ldb:use rfc2307 = yes'. No change.
Removed uid, uidNumber and gidNumber from relevant accounts and access
groups. No change.
Removed uid, uidNumber and gidNumber from all accounts and access
Groups. No change.
Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.
A couple of restarts of the Windows 7 client, AD DC restarts and a
server reboot. Back in business.
Hi Davor,

This pretty much matches my observations with domain based dfs. It's a
hit and miss with lots of poking around in the dark.

Occasionally it works and all looks very nice, but then on the next
login it might fail again. For me it was mostly failing.
(But then again I suspect it had to do with my removing one of the AD
DCs and downgrading it to a normal member server. I've seen the former
AD pop up in one of the DFS tabs as dfs root even though it wasn't a DC
any more.)

Once DFS failed in the observed way, there is no point in logout/login
cycles.
The only thing that *sometimes* helps is a complete reboot of the client
and hoping for the best.
This makes debugging the problem a very frustrating and time consuming
business.

Also smbclient and windows 7 show very different behavior.
In smbclient I can always at least see the dfs directory but access to
the visible shares will fail.

$ smbclient -U sample12 '\\domain.local\dfs'
Enter sample12's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.9-Debian]
smb: \> ls
. D 0 Mon Jun 30 20:53:09 2014
.. D 0 Thu Jun 26 13:17:10 2014
test2 D 0 Mon Jun 30 18:08:11 2014
test D 0 Mon Jun 30 10:20:23 2014

64514 blocks of size 32768. 30984 blocks available
smb: \> ls test
session setup failed: NT_STATUS_LOGON_FAILURE
Unable to follow dfs referral [\shares01\test]
do_list: [\test] NT_STATUS_PATH_NOT_COVERED
smb: \>

In Windows 7 I can see the dfs share when I go to \\domain.local\ but
changing into that \\domain.local\dfs share results in an error.

In contrast to this, access via \\addchost.domain.local\dfs works
reliably from Windows and smbclient alike.
Using this form I can even use smbclient with Kerberos authentication.
(which fails for "domain.local" as there is no service principal for
cifs/domain.local at DOMAIN.LOCAL in the Kerberos database.)

I'll put that topic away for now.

cheers
-henrik
Davor Vusir
2014-07-02 19:05:39 UTC
Permalink
Post by Henrik Langos
Post by Davor Vusir
Post by steve
On our config it treats the domain as the name of the server! Anyway,
thanks for your time. We can't spend any longer with this as we are looking
for a solution.
Thanks again,
Steve
Added uid, uidnumber and gidNumber to every account and group.
Resulted in access denied to \\vusir.local\dfs\share and home
directory.
Commented 'idmap_ldb:use rfc2307 = yes'. No change.
Removed uid, uidNumber and gidNumber from relevant accounts and access
groups. No change.
Removed uid, uidNumber and gidNumber from all accounts and access
Groups. No change.
Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.
A couple of restarts of the Windows 7 client, AD DC restarts and a
server reboot. Back in business.
Hi Davor,
Hi Henrik,

thank you for your mail and sharing your experiences.
Post by Henrik Langos
This pretty much matches my observations with domain based dfs. It's a hit
and miss with lots of poking around in the dark.
For me it was quite straight forward and "just worked". I don't share
the troubles expressed in this thread.
Post by Henrik Langos
Occasionally it works and all looks very nice, but then on the next login it
might fail again. For me it was mostly failing.
(But then again I suspect it had to do with my removing one of the AD DCs
and downgrading it to a normal member server. I've seen the former AD pop up
in one of the DFS tabs as dfs root even though it wasn't a DC any more.)
I think your suspicions are right. But for me it was (is) mostly
success. The troubles I have encountered, I believe, depend rather on
the fact that I run the AD DC and file server on the same host and use a
network bridge for virtualization.
Post by Henrik Langos
Once DFS failed in the observed way, there is no point in logout/login
cycles.
The only thing that *sometimes* helps is a complete reboot of the client and
hoping for the best.
This makes debugging the problem a very frustrating and time consuming
business.
Also smbclient and windows 7 show very different behavior.
In smbclient I can always at least see the dfs directory but access to the
visible shares will fail.
$ smbclient -U sample12 '\\domain.local\dfs'
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.9-Debian]
smb: \> ls
. D 0 Mon Jun 30 20:53:09 2014
.. D 0 Thu Jun 26 13:17:10 2014
test2 D 0 Mon Jun 30 18:08:11 2014
test D 0 Mon Jun 30 10:20:23 2014
64514 blocks of size 32768. 30984 blocks available
smb: \> ls test
session setup failed: NT_STATUS_LOGON_FAILURE
Unable to follow dfs referral [\shares01\test]
do_list: [\test] NT_STATUS_PATH_NOT_COVERED
smb: \>
In Windows 7 I can see the dfs share when I go to \\domain.local\ but
changing into that \\domain.local\dfs share results in an error.
I have experienced neither what has been mentioned on this thread
nor what you write here. But I'm having trouble when the host is
(re)started; Windows complains about non-existing logon servers. I
restart the Samba service, reboot the Windows client and the problem
is gone. The Samba errors are:

WARNING: no network interfaces found
task_server_terminate: [nbtd: no network interfaces configured]
WARNING: no network interfaces found
task_server_terminate: [cldapd: no network interfaces configured]
WARNING: no network interfaces found
task_server_terminate: [kdc: no network interfaces configured]
/usr/local/samba/sbin/samba_dnsupdate: WARNING: no network interfaces found
WARNING: no network interfaces found
task_server_terminate: [nbtd: no network interfaces configured]
WARNING: no network interfaces found
task_server_terminate: [cldapd: no network interfaces configured]
WARNING: no network interfaces found
task_server_terminate: [kdc: no network interfaces configured]

This was not a problem before I configured DFS. Please note that I do
not think that Samba as AD DC, the file server (the two running on
the same host), DFS, the network bridge or the Windows client
running as a virtual guest is per se the problem. It is the
combination, all running on the same host, that is the problem.

When the above combination, AD DC, file server and DFS, starts, it
runs fine! It seems stable.
Post by Henrik Langos
In contrast to this, access via \\addchost.domain.local\dfs works reliably
from Windows and smbclient alike.
Using this form I can even use smbclient with Kerberos authentication.
(which fails for "domain.local" as there is no service principle for
cfis/domain.local at DOMAIN.LOCAL in the Kerberos database.)
I'll put that topic away for now.
Yes. But I think it is worth putting some time and energy into.

Regards
Davor
Post by Henrik Langos
cheers
-henrik
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Davor Vusir
2014-07-06 04:14:08 UTC
Permalink
Post by Henrik Langos
Post by Davor Vusir
Post by steve
On our config it treats the domain as the name of the server! Anyway,
thanks for your time. We can't spend any longer with this as we are looking
for a solution.
Thanks again,
Steve
Added uid, uidnumber and gidNumber to every account and group.
Resulted in access denied to \\vusir.local\dfs\share and home
directory.
Commented 'idmap_ldb:use rfc2307 = yes'. No change.
Removed uid, uidNumber and gidNumber from relevant accounts and access
groups. No change.
Removed uid, uidNumber and gidNumber from all accounts and access
Groups. No change.
Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.
A couple of restarts of the Windows 7 client, AD DC restarts and a
server reboot. Back in business.
Hi Davor,
This pretty much matches my observations with domain based dfs. It's a hit
and miss with lots of poking around in the dark.
Occasionally it works and all looks very nice, but then on the next login it
might fail again. For me it was mostly failing.
(But then again I suspect it had to do with my removing one of the AD DCs
and downgrading it to a normal member server. I've seen the former AD pop up
in one of the DFS tabs as dfs root even though it wasn't a DC any more.)
Once DFS failed in the observed way, there is no point in logout/login
cycles.
The only thing that *sometimes* helps is a complete reboot of the client and
hoping for the best.
This makes debugging the problem a very frustrating and time consuming
business.
Also smbclient and windows 7 show very different behavior.
In smbclient I can always at least see the dfs directory but access to the
visible shares will fail.
$ smbclient -U sample12 '\\domain.local\dfs'
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.9-Debian]
smb: \> ls
. D 0 Mon Jun 30 20:53:09 2014
.. D 0 Thu Jun 26 13:17:10 2014
test2 D 0 Mon Jun 30 18:08:11 2014
test D 0 Mon Jun 30 10:20:23 2014
64514 blocks of size 32768. 30984 blocks available
smb: \> ls test
session setup failed: NT_STATUS_LOGON_FAILURE
Unable to follow dfs referral [\shares01\test]
do_list: [\test] NT_STATUS_PATH_NOT_COVERED
smb: \>
In Windows 7 I can see the dfs share when I go to \\domain.local\ but
changing into that \\domain.local\dfs share results in an error.
In contrast to this, access via \\addchost.domain.local\dfs works reliably
from Windows and smbclient alike.
Using this form I can even use smbclient with Kerberos authentication.
(which fails for "domain.local" as there is no service principle for
cfis/domain.local at DOMAIN.LOCAL in the Kerberos database.)
I'll put that topic away for now.
cheers
-henrik
Hi Henrik,
you're right. Eventually it decays to what you describe. Eroding,
maybe. It's very annoying, because if it works with the netlogon and
sysvol shares, it has to work with a domain-based DFS.

Below are the latest changes I made to smb.conf.

I also configured WINS-server on the client and enabled NetBIOS in the
TCP/IP Control Panel.
When I enabled NetBIOS in the TCP/IP Control Panel I got the access
error. I can't recall how I fixed that but it might be a good idea to
edit ACLs on the DFS share.

And while you're at it, why not add WINS...

I'm wondering how much I'm violating the AD DC...

Perhaps it was the 'allow insecure wide links = yes' that made it
work. Well... it's still working.

Regards
Davor

# Global parameters
[global]
host msdfs = yes
interfaces = 192.168.1.3/24
bind interfaces only = yes
wins support = yes
wins server = 192.168.1.3
allow insecure wide links = yes
[files]
path = /data/files
comment = "H?r finns allt!"
read only = No
vfs objects = acl_xattr
msdfs root = yes
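An added example, not part of Davor's message and not Samba project code: the Python sketch below parses the smb.conf fragment posted above (and Louis's fragment from elsewhere in this thread) and reports the settings worth a second look on an AD DC, namely `allow insecure wide links`, `bind interfaces only` without a loopback entry in `interfaces`, and a writable `msdfs root` share. The function names, severity labels and finding codes are assumptions of this example, and the `[global]` header on Louis's lines is assumed.

```python
"""Added example: audit the smb.conf settings discussed in this thread."""
import ipaddress

TRUE_WORDS = {"yes", "true", "on", "1"}

# Davor's fragment as posted above (the comment= line is left out).
DAVOR_CONF = """\
[global]
host msdfs = yes
interfaces = 192.168.1.3/24
bind interfaces only = yes
wins support = yes
wins server = 192.168.1.3
allow insecure wide links = yes
[files]
path = /data/files
read only = No
vfs objects = acl_xattr
msdfs root = yes
"""

# Louis's lines as posted elsewhere in this thread; [global] is assumed.
LOUIS_CONF = """\
[global]
interfaces = 127.0.0.1 192.168.1.1/24
bind interfaces only = yes
[dfs]
comment = DFS Root Share
path = /export/dfsroot
browsable = yes
msdfs root = yes
read only = no
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, blanks removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current["".join(name.lower().split())] = value.strip()
    return sections


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_WORDS


def has_loopback(interfaces):
    """True if the interfaces list names lo or a loopback address."""
    for token in interfaces.split():
        if token.lower() == "lo":
            return True
        try:
            if ipaddress.ip_interface(token).ip.is_loopback:
                return True
        except ValueError:
            pass  # an interface name such as eth0
    return False


def audit(text):
    """Return (severity, code, detail) findings for one smb.conf text."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    shares = {n: p for n, p in conf.items() if n != "global"}
    roots = sorted(n for n, p in shares.items() if is_true(p.get("msdfsroot")))
    out = []
    if is_true(glob.get("allowinsecurewidelinks")):
        wide = sorted(n for n, p in shares.items()
                      if is_true(p.get("widelinks", glob.get("widelinks"))))
        if wide:  # symlinks that leave the share path are followed
            out.append(("HIGH", "wide-links-active", ", ".join(wide)))
        else:     # safeguard removed; takes effect once wide links = yes
            out.append(("WARN", "insecure-wide-links-armed", "global"))
    if is_true(glob.get("bindinterfacesonly")):
        ifaces = glob.get("interfaces", "")
        if not ifaces:
            out.append(("WARN", "bind-without-interfaces", "global"))
        elif not has_loopback(ifaces):  # smb.conf(5) advises adding 127.0.0.1
            out.append(("WARN", "bind-no-loopback", ifaces))
    if roots and "hostmsdfs" in glob and not is_true(glob["hostmsdfs"]):
        out.append(("WARN", "msdfs-root-but-host-msdfs-off", ", ".join(roots)))
    for name in roots:  # referral links live in this share's directory
        if not is_true(shares[name].get("readonly", "yes")):
            out.append(("INFO", "writable-dfs-root", name))
    return out


if __name__ == "__main__":
    for finding in audit(DAVOR_CONF) + audit(LOUIS_CONF):
        print(*finding, sep="  ")
```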
Daniel Müller
2014-07-07 05:45:54 UTC
Permalink
Dear all,
as I mentioned in this thread: since the alpha samba4 has ended it was not possible!!!! anymore to
reach a share, ex.: \\your.samba4domain\share without these errors. I myself think it is a bug and it should be covered by the
samba technical. The only workaround I found is to run a samba3 old style domain and within this domain you have no trouble
with pointing to \\your.samba4domain\share . It could be it is an issue with smb3.

Greetings
Daniel


EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de

"Man is the medicine of man"

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Davor Vusir
Sent: Sunday, 6 July 2014 06:14
To: Henrik Langos
Cc: samba at lists.samba.org
Subject: Re: [Samba] domain-based DFS ?
Post by Henrik Langos
Post by Davor Vusir
Post by steve
On our config it treats the domain as the name of the server!
Anyway, thanks for your time. We can't spend any longer with this as
we are looking for a solution.
Thanks again,
Steve
Added uid, uidnumber and gidNumber to every account and group.
Resulted in access denied to \\vusir.local\dfs\share and home
directory.
Commented 'idmap_ldb:use rfc2307 = yes'. No change.
Removed uid, uidNumber and gidNumber from relevant accounts and
access groups. No change.
Removed uid, uidNumber and gidNumber from all accounts and access
Groups. No change.
Reactivated 'idmap_ldb:use rfc2307 = yes'. No change.
A couple of restarts of the Windows 7 client, AD DC restarts and a
server reboot. Back in business.
Hi Davor,
This pretty much matches my observations with domain based dfs. It's a
hit and miss with lots of poking around in the dark.
Occasionally it works and all looks very nice, but then on the next
login it might fail again. For me it was mostly failing.
(But then again I suspect it had to do with my removing one of the AD
DCs and downgrading it to a normal member server. I've seen the former
AD pop up in one of the DFS tabs as dfs root even though it wasn't a
DC any more.)
Once DFS failed in the observed way, there is no point in logout/login
cycles.
The only thing that *sometimes* helps is a complete reboot of the
client and hoping for the best.
This makes debugging the problem a very frustrating and time consuming
business.
Also smbclient and windows 7 show very different behavior.
In smbclient I can always at least see the dfs directory but access to
the visible shares will fail.
$ smbclient -U sample12 '\\domain.local\dfs'
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.9-Debian]
smb: \> ls
. D 0 Mon Jun 30 20:53:09 2014
.. D 0 Thu Jun 26 13:17:10 2014
test2 D 0 Mon Jun 30 18:08:11 2014
test D 0 Mon Jun 30 10:20:23 2014
64514 blocks of size 32768. 30984 blocks available
smb: \> ls test
session setup failed: NT_STATUS_LOGON_FAILURE
Unable to follow dfs referral [\shares01\test]
do_list: [\test] NT_STATUS_PATH_NOT_COVERED
smb: \>
In Windows 7 I can see the dfs share when I go to \\domain.local\ but
changing into that \\domain.local\dfs share results in an error.
In contrast to this, access via \\addchost.domain.local\dfs works
reliably from Windows and smbclient alike.
Using this form I can even use smbclient with Kerberos authentication.
(which fails for "domain.local" as there is no service principle for
cfis/domain.local at DOMAIN.LOCAL in the Kerberos database.)
I'll put that topic away for now.
cheers
-henrik
Hi Henrik,
you're right. Eventually it decays to what you describe. Eroding, maybe. It's very annoying, because if it works with the netlogon and sysvol shares, it has to work with a domain-based DFS.

Below are the latest changes I made to smb.conf.

I also configured WINS-server on the client and enabled NetBIOS in the TCP/IP Control Panel.
When I enabled NetBIOS in the TCP/IP Control Panel I got the access error. I can't recall how I fixed that but it might be a good idea to edit ACLs on the DFS share.

And while you're at it, why not add WINS...

I'm wondering how much I'm violating the AD DC...

Perhaps it was the 'allow insecure wide links = yes' that made it work. Well... it's still working.

Regards
Davor

# Global parameters
[global]
host msdfs = yes
interfaces = 192.168.1.3/24
bind interfaces only = yes
wins support = yes
wins server = 192.168.1.3
allow insecure wide links = yes
[files]
path = /data/files
comment = "H?r finns allt!"
read only = No
vfs objects = acl_xattr
msdfs root = yes
Davor Vusir
2014-07-02 12:40:21 UTC
Permalink
Post by steve
Post by L.P.H. van Belle
well..
I just did a test with this for steve also.
same result.
\\domain.name\sysvol and netlogon accessable no problems.
\\domain.name\dfs Access denied again? "Network path cannot be found...", 0x8xxxyy35?
\\server1.domain.name\dfs works, but someshare not.
\\server1.domain.name\dfs\someshare
my steps.
mkdir -p /export/dfsroot
chown root:root /export/dfsroot
chmod 755 /export/dfsroot
ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare
also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare
smbclient //localhost/dfs -U 'administrator'
cd someshare
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Unable to follow dfs referral [\mem1.internal.domain.tld\]
cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME
so far for me..
found this one
https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
so i think this is not fixed yet...
there is a patch in this link, but since im on sernet im not trying the patch.
Yeah, thanks Louis.
This is looking more and more like a time consuming, undocumented dead
end. I'm really tempted to drop it at this point and spend the time on a
proper cluster instead. I get the feeling that this was always going to
be second best, and it only works with windows clients anyway.
Cheers,
Steve
Is it an IPv6 issue? I know Windows XP does not speak IPv6 out-of-the-box.
But...

I have turned off IPv6 on the AD DC. And installed Microsoft Fixit 50409 on
my Win 7.

Regards
Davor
Daniel Müller
2014-07-02 12:54:42 UTC
Permalink
As I mentioned since the end of the beta versions no longer possible
(smb3!?).
If you have an old samba4 style domain running and you do as member
\\younewsamba4.domainame\share (or)dfs
it will certainly work.
I can prove it with my production running samba pdc domain and a samba4
domain side by side


EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Davor Vusir
Sent: Wednesday, 2 July 2014 14:40
To: steve
Cc: samba at lists.samba.org
Subject: Re: [Samba] domain-based DFS ?
Post by steve
Post by L.P.H. van Belle
well..
I just did a test with this for steve also.
same result.
\\domain.name\sysvol and netlogon accessable no problems.
\\domain.name\dfs Access denied again? "Network path cannot be found...", 0x8xxxyy35?
\\server1.domain.name\dfs works, but someshare not.
\\server1.domain.name\dfs\someshare
my steps.
mkdir -p /export/dfsroot
chown root:root /export/dfsroot
chmod 755 /export/dfsroot
ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare
also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare
smbclient //localhost/dfs -U 'administrator'
cd someshare
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Unable to follow dfs referral [\mem1.internal.domain.tld\]
cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME
so far for me..
found this one
https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
so i think this is not fixed yet...
there is a patch in this link, but since im on sernet im not trying the patch.
Post by steve
Yeah, thanks Louis.
This is looking more and more like a time consuming, undocumented dead
end. I'm really tempted to drop it at this point and spend the time on
a proper cluster instead. I get the feeling that this was always going
to be second best, and it only works with windows clients anyway.
Cheers,
Steve
Is it an IPv6 issue? I know Windows XP does not speak IPv6 out-of-the-box.
But...

I have turned off IPv6 on the AD DC. And installed Microsoft Fixit 50409 on
my Win 7.

Regards
Davor
Davor Vusir
2014-07-03 07:54:17 UTC
Permalink
Post by Davor Vusir
Post by steve
Post by L.P.H. van Belle
well..
I just did a test with this for steve also.
same result.
\\domain.name\sysvol and netlogon accessable no problems.
\\domain.name\dfs Access denied again? "Network path cannot be
found...", 0x8xxxyy35?
\\server1.domain.name\dfs works, but someshare not.
\\server1.domain.name\dfs\someshare
my steps.
mkdir -p /export/dfsroot
chown root:root /export/dfsroot
chmod 755 /export/dfsroot
ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare
also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare
smbclient //localhost/dfs -U 'administrator'
cd someshare
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Unable to follow dfs referral [\mem1.internal.domain.tld\]
cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME
so far for me..
found this one
https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
so i think this is not fixed yet...
there is a patch in this link, but since im on sernet im not trying the patch.
Yeah, thanks Louis.
This is looking more and more like a time consuming, undocumented dead
end. I'm really tempted to drop it at this point and spend the time on a
proper cluster instead. I get the feeling that this was always going to
be second best, and it only works with windows clients anyway.
Cheers,
Steve
Is it an IPv6 issue? I know Windows XP does not speak IPv6 out-of-the-box.
But...
I have turned off IPv6 on the AD DC. And installed Microsoft Fixit 50409 on
my Win 7.
Regards
Davor
Back again! :)
First of all, I refuse to believe that I'm the only one that got
domain-based DFS to work.

I want to share some final thoughts in this matter.

This link, https://wiki.samba.org/index.php/WIP/Beginner_HowTo_-_SOHO_business_server,
is a transcript of how I installed and configured Samba. To make
domain-based DFS work I simply put 'host msdfs = yes' to the global
section, added the required share definition, created the links,
restarted Samba and rebooted the Windows client.

If you take a few minutes and read the wiki page, you'll see a section
about turning off IPv6 on the host. This might be what differs in my
and your setup. And what makes the difference.

My thoughts:
The host is IPv6 capable. Samba understands and responds to requests
over both IPv4 and IPv6. An IPv4-only host, like Windows XP or Windows
7 with Microsoft Fixit 50409 installed, sends a request. Samba, or the
DFS-module, receives it and processes it but as the host is IPv6
capable, Samba, or the DFS-module, returns an answer over a valid
adapter. May it be IPv4 or IPv6. Is the IPv6 adapter prioritized? For
Samba, or the DFS-module, it doesn't seem to matter. If samba, or the
DFS-module, just makes the check 'if ValidAdapter == true send
response;' it might just be sent over IPv6 and there is no one on the
other end to receive the message. Or if the DFS code doesn't support
IPv6, it simply drops it.

Would 'bind interfaces only',
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#BINDINTERFACESONLY,
be a better alternative to turning off IPv6 on the host? In
co-operation with 'interfaces',
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#INTERFACES?

Regards
Davor
L.P.H. van Belle
2014-07-03 09:38:21 UTC
Permalink
some extra info.

I applied Microsoft Fixit 50409.
Domain based dfs still not working.
turned off IPv6, still not working.

Ran the following on the Windows 7 PC:
dfsutil /pktinfo

5 entries...
Entry: \dc1\dfs\someshare
ShortEntry: \dc1\dfs\someshare
Expires in 0 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\rtd-mem1.internal.domain.tld\someshare] AccessStatus: 0 ( ACTIVE )

Entry: \internal.domain.tld\dfs
ShortEntry: \internal.domain.tld\dfs
Expires in 0 seconds
UseCount: 0 Type:0x10 ( OUTSIDE_MY_DOM )
0:[\internal.domain.tld\dfs]

Entry: \internal.domain.tld\netlogon
ShortEntry: \internal.domain.tld\netlogon
Expires in 179 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\dc1.internal.domain.tld\netlogon] AccessStatus: 0 ( ACTIVE TARGETSET)
1:[\dc2.internal.domain.tld\netlogon]

Entry: \internal.domain.tld\sysvol
ShortEntry: \internal.domain.tld\sysvol
Expires in 133 seconds
UseCount: 0 Type:0x1 ( DFS )
0:[\dc1.internal.domain.tld\sysvol] AccessStatus: 0 ( ACTIVE TARGETSET )
1:[\dc2.internal.domain.tld\sysvol]

Entry: \dc1\dfs
ShortEntry: \dc1\dfs
Expires in 0 seconds
UseCount: 0 Type:0x81 ( REFERRAL_SVC DFS )
0:[\dc1\dfs] AccessStatus: 0 ( ACTIVE )


I'm wondering why the domain-based DFS is outside the domain?

anyone?

Greetz,

Louis
-----Original message-----
From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
On behalf of L.P.H. van Belle
Sent: Thursday, 3 July 2014 11:06
To: samba at lists.samba.org
Subject: Re: [Samba] domain-based DFS ?
Thanks Davor...
you found at least one problem, adding the interfaces and bind
options fixed at least 1 thing.
No changes on the windows 7 pc.
in smb.conf i added
interfaces = 127.0.0.1 192.168.1.1/24
bind interfaces only = yes
( Ubuntu users dont use eth or lo, this is buggy )
added
[dfs]
comment = DFS Root Share
path = /export/dfsroot
browsable = yes
msdfs root = yes
read only = no
smbclient //localhost/dfs -U 'DOMAIN\administrator'
cd someshare
works
windows7 pc to \\servername\dfs\someshare
works
...
now working on the domain based dfs
Greetz,
Louis
-----Original message-----
From: davortvusir at gmail.com
[mailto:samba-bounces at lists.samba.org] On behalf of Davor Vusir
Sent: Thursday, 3 July 2014 9:54
To: steve
CC: samba at lists.samba.org
Subject: Re: [Samba] domain-based DFS ?
Post by Davor Vusir
Post by steve
Post by L.P.H. van Belle
well..
I just did a test with this for steve also.
same result.
\\domain.name\sysvol and netlogon accessable no problems.
\\domain.name\dfs Access denied again? "Network path cannot be
found...", 0x8xxxyy35?
\\server1.domain.name\dfs works, but someshare not.
\\server1.domain.name\dfs\someshare
my steps.
mkdir -p /export/dfsroot
chown root:root /export/dfsroot
chmod 755 /export/dfsroot
ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare
also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare
smbclient //localhost/dfs -U 'administrator'
cd someshare
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Unable to follow dfs referral [\mem1.internal.domain.tld\]
cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME
so far for me..
found this one
https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
so i think this is not fixed yet...
there is a patch in this link, but since im on sernet im not trying the
patch.
Yeah, thanks Louis.
This is looking more and more like a time consuming, undocumented dead
end. I'm really tempted to drop it at this point and spend the time on a
proper cluster instead. I get the feeling that this was always going to
be second best, and it only works with windows clients anyway.
Cheers,
Steve
Is it an IPv6 issue? I know Windows XP does not speak IPv6 out-of-the-box.
But...
I have turned off IPv6 on the AD DC. And installed Microsoft Fixit 50409 on
my Win 7.
Regards
Davor
Back again! :)
First of all, I refuse to believe that I'm the only one that got
domain-based DFS to work.
I want to share some final thoughts in this matter.
This link,
https://wiki.samba.org/index.php/WIP/Beginner_HowTo_-_SOHO_business_server,
is a transcript of how I installed and configured Samba. To make
domain-based DFS work I simply put 'host msdfs = yes' to the global
section, added the required share definition, created the links,
restarted Samba and rebooted the Windows client.
If you take a few minutes and read the wiki page, you'll see a section
about turning off IPv6 on the host. This might be what differs in my
and your setup. And what makes the difference.
The host is IPv6 capable. Samba understands and responds to requests
over both IPv4 and IPv6. An IPv4-only host, like Windows XP or Windows
7 with Microsoft Fixit 50409 installed, sends a request. Samba, or the
DFS-module, receives it and processes it but as the host is IPv6
capable, Samba, or the DFS-module, returns an answer over a valid
adapter. May it be IPv4 or IPv6. Is the IPv6 adapter prioritized? For
Samba, or the DFS-module, it doesn't seem to matter. If samba, or the
DFS-module, just makes the check 'if ValidAdapter == true send
response;' it might just be sent over IPv6 and there is no one on the
other end to receive the message. Or if the DFS code doesn't support
IPv6, it simply drops it.
Would 'bind interfaces only',
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#BINDINTERFACESONLY,
be a better alternative to turning off IPv6 on the host? In
co-operation with 'interfaces',
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#INTERFACES?
Regards
Davor
L.P.H. van Belle
2014-07-03 09:05:41 UTC
Permalink
Thanks Davor...

you found at least one problem, adding the interfaces and bind options fixed at least 1 thing.

No changes on the windows 7 pc.

In smb.conf I added

interfaces = 127.0.0.1 192.168.1.1/24
bind interfaces only = yes

( Ubuntu users don't use eth or lo, this is buggy )

added
[dfs]
comment = DFS Root Share
path = /export/dfsroot
browsable = yes
msdfs root = yes
read only = no


now my test :

smbclient //localhost/dfs -U 'DOMAIN\administrator'
cd someshare

works

windows7 pc to \\servername\dfs\someshare
works

...
now working on the domain based dfs


Greetz,

Louis
-----Original message-----
From: davortvusir at gmail.com
[mailto:samba-bounces at lists.samba.org] On behalf of Davor Vusir
Sent: Thursday, 3 July 2014 9:54
To: steve
CC: samba at lists.samba.org
Subject: Re: [Samba] domain-based DFS ?
Post by Davor Vusir
Post by steve
Post by L.P.H. van Belle
well..
I just did a test with this for steve also.
same result.
\\domain.name\sysvol and netlogon accessable no problems.
\\domain.name\dfs Access denied again? "Network path cannot be
found...", 0x8xxxyy35?
\\server1.domain.name\dfs works, but someshare not.
\\server1.domain.name\dfs\someshare
my steps.
mkdir -p /export/dfsroot
chown root:root /export/dfsroot
chmod 755 /export/dfsroot
ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare
also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare
smbclient //localhost/dfs -U 'administrator'
cd someshare
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Unable to follow dfs referral [\mem1.internal.domain.tld\]
cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME
so far for me..
found this one
https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
so i think this is not fixed yet...
there is a patch in this link, but since im on sernet im not trying the
patch.
Yeah, thanks Louis.
This is looking more and more like a time consuming, undocumented dead
end. I'm really tempted to drop it at this point and spend the time on a
proper cluster instead. I get the feeling that this was always going to
be second best, and it only works with windows clients anyway.
Cheers,
Steve
Is it an IPv6 issue? I know Windows XP does not speak IPv6 out-of-the-box.
But...
I have turned off IPv6 on the AD DC. And installed Microsoft Fixit 50409 on
my Win 7.
Regards
Davor
Back again! :)
First of all, I refuse to believe that I'm the only one that got
domain-based DFS to work.
I want to share some final thoughts in this matter.
This link,
https://wiki.samba.org/index.php/WIP/Beginner_HowTo_-_SOHO_business_server,
is a transcript of how I installed and configured Samba. To make
domain-based DFS work I simply put 'host msdfs = yes' to the global
section, added the required share definition, created the links,
restarted Samba and rebooted the Windows client.
If you take a few minutes and read the wiki page, you'll see a section
about turning off IPv6 on the host. This might be what differs in my
and your setup. And what makes the difference.
The host is IPv6 capable. Samba understands and responds to requests
over both IPv4 and IPv6. An IPv4-only host, like Windows XP or Windows
7 with Microsoft Fixit 50409 installed, sends a request. Samba, or the
DFS-module, receives it and processes it but as the host is IPv6
capable, Samba, or the DFS-module, returns an answer over a valid
adapter. May it be IPv4 or IPv6. Is the IPv6 adapter prioritized? For
Samba, or the DFS-module, it doesn't seem to matter. If samba, or the
DFS-module, just makes the check 'if ValidAdapter == true send
response;' it might just be sent over IPv6 and there is no one on the
other end to receive the message. Or if the DFS code doesn't support
IPv6, it simply drops it.
Would 'bind interfaces only',
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#BINDINTERFACESONLY,
be a better alternative to turning off IPv6 on the host? In
co-operation with 'interfaces',
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#INTERFACES?
Regards
Davor
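The `ln -s` commands quoted in this message store the referral as the symlink's target text, so a DFS root such as /export/dfsroot can be checked offline. The following added example (not from the thread and not Samba code) recreates both quoted variants plus a constructed two-target link in a temporary directory and lints them against the msdfs:server\share[,server\share] form given in the smb.conf manual page. The function names, the allow-list of expected servers and the host fs9.example.invalid are assumptions of the example, and the parser is a deliberately strict lint, not Samba's own.

```python
"""Added example: lint the msdfs links in a DFS root directory."""
import os
import shutil
import stat
import tempfile

PREFIX = "msdfs:"


def parse_msdfs_target(target):
    """Split an msdfs symlink target into [(server, share_path), ...].

    This is a lint, deliberately strict: an empty path component is an error.
    """
    if target[:len(PREFIX)].lower() != PREFIX:
        raise ValueError("no msdfs: prefix")
    alternates = []
    for alt in target[len(PREFIX):].split(","):
        parts = alt.strip().replace("/", "\\").lstrip("\\").split("\\")
        if len(parts) < 2 or "" in parts:
            raise ValueError("empty server or share component in %r" % alt)
        alternates.append((parts[0].lower(), "\\".join(parts[1:])))
    return alternates


def audit_dfs_root(root, allowed_servers):
    """Return (link_name, code, detail) findings for every symlink in root."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.islink(path):
            continue
        try:
            alternates = parse_msdfs_target(os.readlink(path))
        except ValueError as exc:
            findings.append((name, "malformed", str(exc)))
            continue
        for server, _share in alternates:
            if server not in allowed_servers:
                findings.append((name, "unexpected-server", server))
    mode = stat.S_IMODE(os.stat(root).st_mode)
    if mode & 0o022:  # group- or world-writable: others can change referrals
        findings.append((".", "root-writable", oct(mode)))
    return findings


def demo(mode=0o755):
    """Build a constructed DFS root like /export/dfsroot and audit it."""
    root = tempfile.mkdtemp(prefix="dfsroot-")
    links = {
        # ln -s 'msdfs:mem1.internal.domain.tld\someshare' ...  (one backslash)
        "someshare": "msdfs:mem1.internal.domain.tld\\someshare",
        # ln -s 'msdfs:mem1.internal.domain.tld\\someshare' ... (two on disk)
        "someshare2": "msdfs:mem1.internal.domain.tld\\\\someshare",
        # constructed two-target link; fs9.example.invalid is a placeholder
        "failover": "msdfs:mem1.internal.domain.tld\\someshare,"
                    "fs9.example.invalid\\someshare",
    }
    try:
        os.chmod(root, mode)
        for name, target in links.items():
            os.symlink(target, os.path.join(root, name))
        return audit_dfs_root(root, {"mem1.internal.domain.tld"})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```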
steve
2014-07-03 09:51:14 UTC
Permalink
Post by L.P.H. van Belle
Thanks Davor...
you found at least one problem, adding the interfaces and bind options fixed at least 1 thing.
No changes on the windows 7 pc.
in smb.conf i added
interfaces = 127.0.0.1 192.168.1.1/24
bind interfaces only = yes
( Ubuntu users dont use eth or lo, this is buggy )
added
[dfs]
comment = DFS Root Share
path = /export/dfsroot
browsable = yes
msdfs root = yes
read only = no
smbclient //localhost/dfs -U 'DOMAIN\administrator'
cd someshare
works
windows7 pc to \\servername\dfs\someshare
works
...
now working on the domain based dfs
Greetz,
Louis
Hi
Yes, I can confirm this. Specifying the server works but not on a load
balancing or failover share where two servers offer the same share. If
the first server is unavailable the second server is not consulted.
Cheers,
Steve
Davor Vusir
2014-07-06 03:35:45 UTC
Permalink
Post by steve
Post by L.P.H. van Belle
Thanks Davor...
you found at least one problem, adding the interfaces and bind options fixed at least 1 thing.
No changes on the windows 7 pc.
in smb.conf I added
interfaces = 127.0.0.1 192.168.1.1/24
bind interfaces only = yes
( Ubuntu users don't use eth or lo, this is buggy )
added
[dfs]
comment = DFS Root Share
path = /export/dfsroot
browsable = yes
msdfs root = yes
read only = no
smbclient //localhost/dfs -U 'DOMAIN\administrator'
cd someshare
works
windows7 pc to \\servername\dfs\someshare
works
...
now working on the domain based dfs
Greetz,
Louis
Hi
Yes, I can confirm this. Specifying the server works but not on a load
balancing or failover share where two servers offer the same share. If
the first server is unavailable the second server is not consulted.
Cheers,
Steve
The information about possible failover hosts is in the AD part of
the AD DC. I don't think it will work until there is an endpointmapper
in place that handles DFS.
Davor Vusir
2014-07-06 03:33:08 UTC
Permalink
Post by L.P.H. van Belle
Thanks Davor...
you found at least one problem, adding the interfaces and bind options fixed at least 1 thing.
No changes on the windows 7 pc.
in smb.conf I added
interfaces = 127.0.0.1 192.168.1.1/24
bind interfaces only = yes
( Ubuntu users don't use eth or lo, this is buggy )
Thanks for the info. I didn't know that.
Post by L.P.H. van Belle
added
[dfs]
comment = DFS Root Share
path = /export/dfsroot
browsable = yes
msdfs root = yes
read only = no
smbclient //localhost/dfs -U 'DOMAIN\administrator'
cd someshare
works
windows7 pc to \\servername\dfs\someshare
works
...
now working on the domain based dfs
Greetz,
Louis
-----Original message-----
From: davortvusir at gmail.com
[mailto:samba-bounces at lists.samba.org] On behalf of Davor Vusir
Sent: Thursday 3 July 2014 9:54
To: steve
CC: samba at lists.samba.org
Subject: Re: [Samba] domain-based DFS ?
Post by Davor Vusir
Post by steve
Post by L.P.H. van Belle
well..
I just did a test with this for steve also.
same result.
\\domain.name\sysvol and netlogon accessible no problems.
\\domain.name\dfs Access denied again? "Network path cannot be
found...", 0x8xxxyy35?
\\server1.domain.name\dfs works, but someshare not.
\\server1.domain.name\dfs\someshare
my steps.
mkdir -p /export/dfsroot
chown root:root /export/dfsroot
chmod 755 /export/dfsroot
ln -s 'msdfs:mem1.internal.domain.tld\someshare' /export/dfsroot/someshare
also tried : ln -s 'msdfs:mem1.internal.domain.tld\\someshare' /export/dfsroot/someshare
smbclient //localhost/dfs -U 'administrator'
cd someshare
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Unable to follow dfs referral [\mem1.internal.domain.tld\]
cd \somewhare\: NT_STATUS_BAD_NETWORK_NAME
so far for me..
found this one
https://groups.google.com/forum/#!topic/linux.samba/mi4O5lHE8Vc
so i think this is not fixed yet...
there is a patch in this link, but since I'm on sernet I'm not trying the
patch.
Yeah, thanks Louis.
This is looking more and more like a time consuming, undocumented dead
end. I'm really tempted to drop it at this point and spend the time on a
proper cluster instead. I get the feeling that this was always going to
be second best, and it only works with windows clients anyway.
Cheers,
Steve
Is it an IPv6 issue? I know Windows XP does not speak IPv6 out-of-the-box.
But...
I have turned off IPv6 on the AD DC. And installed Microsoft Fixit 50409 on
my Win 7.
Regards
Davor
Back again! :)
First of all, I refuse to believe that I'm the only one that got
domain-based DFS to work.
I want to share some final thoughts in this matter.
This link,
https://wiki.samba.org/index.php/WIP/Beginner_HowTo_-_SOHO_business_server,
is a transcript of how I installed and configured Samba. To make
domain-based DFS work I simply put 'host msdfs = yes' to the global
section, added the required share definition, created the links,
restarted Samba and rebooted the Windows client.
If you take a few minutes and read the wiki page, you'll see a section
about turning off IPv6 on the host. This might be what differs in my
and your setup. And what makes the difference.
The host is IPv6 capable. Samba understands and responds to requests
over both IPv4 and IPv6. An IPv4-only host, like Windows XP or Windows
7 with Microsoft Fixit 50409 installed, sends a request. Samba, or the
DFS-module, receives it and processes it but as the host is IPv6
capable, Samba, or the DFS-module, returns an answer over a valid
adapter. May it be IPv4 or IPv6. Is the IPv6 adapter prioritized? For
Samba, or the DFS-module, it doesn't seem to matter. If Samba, or the
DFS-module, just makes the check 'if ValidAdapter == true send
response;' it might just be sent over IPv6 and there is no one on the
other end to receive the message. Or if the DFS code doesn't support
IPv6, it simply drops it.
Would 'bind interfaces only',
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#BINDINTERFACESONLY,
be a better alternative to turning off IPv6 on the host? In
co-operation with 'interfaces',
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#INTERFACES?
Regards
Davor
L.P.H. van Belle
2014-07-01 12:46:45 UTC
Permalink
Hai steve,

what does

ping hh3.site

for me it resolves back to one of my DCs

Louis
-----Original message-----
From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org]
On behalf of steve
Sent: Tuesday 1 July 2014 14:41
To: Davor Vusir
CC: samba at lists.samba.org
Subject: Re: [Samba] domain-based DFS ?
Post by Davor Vusir
Post by steve
Post by Davor Vusir
Post by steve
Post by steve
Post by L.P.H. van Belle
Post by L.P.H. van Belle
Post by Davor Vusir
To the [global] section on the AD DC I added
host msdfs = yes <- the trick?
No, not in my opinion.
samba-tool testparm -vv | grep dfs
host msdfs = Yes
testparm -vv | grep dfs
host msdfs = No
msdfs root = No
msdfs proxy =
host msdfs = Yes
vfs objects = dfs_samba4 # plus whatever else you need
msdfs root = Yes
HTH
Steve
Oh, and the root has to be on the DC:(
Hi
Nah, false alarm.
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
vfs objects = dfs_samba4, acl_xattr
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
hh16:/home/dfsroot # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
\\altea\users
\\hh3.site\dfs
and
\\hh3.site\dfs\users
Gives us the infamous '...you may not have permission to access...'
popup.
Did you restart the Windows client?
Yes.
\\hh16.hh3.site\dfs\users
works fine (hh16 is the DC with the dfs root) I get a security tab and a
DFS tab.
\\hh3.site\dfs
Nothing: access denied
\\hh3.site
shows the dfs folder which gives me a DFS tab but no security tab.
I've tried giving Administrator access to /home/dfsroot as fs level (our
Administrator has uid:gid in AD) but still nada. I've tried giving
Administrator access to the same using the security tab as above. Nada.
Not giving up just yet.
Any thoughts as you go through the day most welcome. I get the feeling
that not many have been this way before.
Cheers,
Steve
Post by Davor Vusir
Post by steve
Is this the acl stuff Davor was mentioning?
Thanks,
Steve
A vague memory from one posting aeons ago just came to mind. If
changes are made to the [global] section, Samba has to be restarted to
activate the changes. Did you restart samba?
Hi
OK
I removed all the non default vfs objects, to leave this on the DC,
hh16.hh3.site
[global]
workgroup = HH3
realm = HH3.SITE
netbios name = HH16
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
host msdfs = Yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
steve at hh16:/home/dfsroot> ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 30 16:45 users -> msdfs:altea\users
Here is the fileserver, altea.hh3.site
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
[users]
path = /home/users
read only = No
Restart samba DC then file server then an xp client.
We can browse to \\altea\users
but not to \\hh3.site\dfs\users
Here are the windows screenshots.
1. \\hh3.site
https://db.tt/3ksfq7qV
2. \\hh16.hh3.site
https://db.tt/9C8xtFnT
Conclusion: server dfs works, domain dfs doesn't. But do please tell us
we're wrong. Is there anything in our config we've missed?
Thanks,
Steve
steve
2014-07-01 13:46:36 UTC
Permalink
Post by L.P.H. van Belle
Hai steve,
what does
ping hh3.site
for me it resolves back to one of my DCs
Yep. Same here.
Klaus Hartnegg
2014-06-30 18:10:57 UTC
Permalink
Post by steve
Oh, and the root has to be on the DC:(
"the" DC? Which DC? What if I have three DCs, and a client has logged in
via another one?
Davor Vusir
2014-06-30 18:15:31 UTC
Permalink
Post by steve
Oh, and the root has to be on the DC:(
"the" DC? Which DC? What if I have three DCs, and a client has logged in via
another one?
On Windows you have to define the domain DFS on every DC. I guess it's
the same on the Samba AD DC.

Regards
Davor
Klaus Hartnegg
2014-06-30 19:11:09 UTC
Permalink
Post by Davor Vusir
"the" DC? Which DC? What if I have three DCs, and a client has logged in via
another one?
On Windows you have to define the domain DFS on every DC.
No. In Windows DFS works great with just one single DFS server running
on a pure file server, in a domain with four DCs. Running more DFS
servers just increases the reliability and spreads the load.

"The namespace server can be a member server or a domain controller."
(http://technet.microsoft.com/en-us/library/cc732863%28v=ws.10%29.aspx)

"You can increase the availability of a domain-based namespace by
specifying additional namespace servers to host the namespace."
(http://msdn.microsoft.com/en-us/library/cc732807.aspx)

"When a DFS client first attempts to access a domain-based namespace, a
domain controller provides a list of root servers to the client. This
list of root servers is known as a root referral."
(http://technet.microsoft.com/en-us/library/cc782417%28v=ws.10%29.aspx)
Davor Vusir
2014-07-01 03:41:22 UTC
Permalink
Post by Davor Vusir
"the" DC? Which DC? What if I have three DCs, and a client has logged in via
another one?
On Windows you have to define the domain DFS on every DC.
No. In Windows DFS works great with just one single DFS server running on a
pure file server, in a domain with four DCs. Running more DFS servers just
increases the reliability and spreads the load.
"The namespace server can be a member server or a domain controller."
(http://technet.microsoft.com/en-us/library/cc732863%28v=ws.10%29.aspx)
"You can increase the availability of a domain-based namespace by specifying
additional namespace servers to host the namespace."
(http://msdn.microsoft.com/en-us/library/cc732807.aspx)
"When a DFS client first attempts to access a domain-based namespace, a
domain controller provides a list of root servers to the client. This list
of root servers is known as a root referral."
(http://technet.microsoft.com/en-us/library/cc782417%28v=ws.10%29.aspx)
"Domain controllers store DFS metadata in Active Directory about
domain-based namespaces. DFS metadata consists of information about
entire namespace, including the root, root targets, links, link
targets, and settings. By default, root servers that host domain-based
namespaces periodically poll the domain controller acting as the
primary domain controller (PDC) emulator master to obtain an updated
version of the DFS metadata and store this metadata in memory."

http://technet.microsoft.com/sv-se/library/cc782417(v=ws.10).aspx

As the endpointmapper for DFS is not implemented in Samba, there is no
way for the DFS management MMC to store and manipulate the settings in
AD and for the DFS client to retrieve it. Which leaves you no option
but to add the required settings on every AD DC.

Regards
Davor
Klaus Hartnegg
2014-06-30 18:06:53 UTC
Permalink
Post by steve
vfs objects = dfs_samba4
Oh great, another undefined option.

On 30.06.2014 17:08, steve wrote:
Post by steve
[global]
vfs objects = dfs_samba4, acl_xattr
[dfs]
path = /home/dfsroot
read only = No
msdfs root = Yes
vfs objects = acl_xattr
Attention, vfs objects is a very special beast!
If you do this, then in the [dfs] share the option dfs_samba4 is NOT
active, only acl_xattr. You might need both.
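The override described in the message above can be checked mechanically. The following Python sketch is an added example, not code from the thread or from the Samba project: it parses smb.conf-style text and reports, per share, which [global] VFS modules are dropped by a share-level 'vfs objects' line. The sample configuration is constructed from the one quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the configuration quoted in the message above.
SAMPLE_SMB_CONF = """\
[global]
    host msdfs = Yes
    vfs objects = dfs_samba4, acl_xattr
[sysvol]
    read only = No
[dfs]
    path = /home/dfsroot
    msdfs root = Yes
    vfs objects = acl_xattr
"""

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def vfs_list(params):
    """Return the section's VFS module list, or None if it sets none."""
    value = params.get("vfsobjects")
    return None if value is None else [m for m in re.split(r"[,\s]+", value) if m]

def dropped_vfs_modules(text):
    """Map each share to the [global] VFS modules its own list leaves out."""
    conf = parse_smb_conf(text)
    global_mods = vfs_list(conf.get("global", {})) or []
    report = {}
    for name, params in conf.items():
        share_mods = vfs_list(params)
        if name == "global" or share_mods is None:
            continue  # no share-level line: the [global] list applies unchanged
        missing = [m for m in global_mods if m not in share_mods]
        if missing:
            report[name] = missing
    return report
```

Run against the sample, `dropped_vfs_modules(SAMPLE_SMB_CONF)` flags the [dfs] share as missing dfs_samba4; the same check catches a share that silently drops an ACL or audit module set in [global].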
Iñigo Martinez Lasala
2014-06-30 07:41:14 UTC
Permalink
Post by Klaus Hartnegg
- Win7 join to AD still requires two registry changes.
No, it's not needed.
Post by Klaus Hartnegg
- Joining an AD requires one of its DCs in the same subnet?
No, only requirement is your DNS stuff and visibility between your
subnet and DCs (wherever they are).
--
Iñigo Martinez Lasala
Vector Ignite
Parque Empresarial Cerro de Los Gamos
Camino del Cerro de los Gamos, 1, Edificio 6, Planta 1
28224 Pozuelo de Alarcón - Madrid
www.vector-itcgroup.com