Domain DFS on new share

Domain DFS on new share

Samba - General mailing list
Hi,

I am trying to configure domain DFS (I think that's the correct term)
as below, using the guide on the wiki:
https://wiki.samba.org/index.php/Distributed_File_System_(DFS)#Configure_domain-based_DFS_in_Samba

I am aware that the wiki says that this doesn't quite work... however
it feels to me that it's very close, nearly working, and I might be
able to get it going (hopefully?!) by means of a simple fix.. I can
dream, can't I?

My goal is not to enable DFS-R (that's a whole other conversation -
and I use lsyncd for sysvol etc. at the moment, anyway) but rather to
simply use the redirection features so that (for example)
\\mydomain\dfs\publishedshare goes to \\myserver\realshare.

My setup is as follows.

On each of my four DCs, I have added the following to smb.conf:

[dfs]
        path = /usr/local/samba/dfsroot
        msdfs root = Yes

And in /usr/local/samba/dfsroot, again on all four DCs, I have a symlink:
lrwxrwxrwx  1 root root   38 Apr 15 01:14 test ->
msdfs:testserver.mydomain.org.uk\test

The DCs already have the following (confirmed using testparm) :

[global]
        vfs objects = dfs_samba4 acl_xattr


This new 'dfs' share works fine from my test Windows 7 and Windows 10
clients, if I access it via \\dc1\dfs, \\dc1\dfs\test, \\dc2\dfs\test,
\\dc3\dfs and so on.

However, if I access the very same share via \\mydomain\dfs or
\\mydomain\dfs\test instead, then it fails with the following error:
Windows cannot access \\mydomain\dfs. Error code 0x80070035 The
network path was not found.

Interestingly, accessing "smb://mydomain/dfs/test" from my Mac mini
does work perfectly well - it just seems to be Windows that has an
issue with it.

I don't think it is anything to do with the contents of the dfsroot
directory on the server at all, because Windows doesn't even get as
far as showing me \\mydomain\dfs as an empty directory or similar; it
just fails with the error above every time.

My theory is that there is clearly something different about 'domain
DFS' when accessed as \\domain\share rather than directly as
\\dc\share - but I haven't yet been able to track down exactly what it
is, and what I might be able to do in order to fix it. It does work
for sysvol, after all..

The closest I could find was this old post from 2013, but I couldn't
find mention of a resolution.
https://lists.samba.org/archive/samba/2013-May/173548.html

There is a Microsoft KB article that makes mention of domain DFS using
entries in AD to control DFS, but I am pretty sure that's a
MS-specific thing - sysvol does work perfectly well as
\\mydomain\sysvol, and there is nothing in my AD in the DFS
configuration part at all. (I haven't looked at a real MS AD setup to
compare, admittedly)
CN=Dfs-Configuration,CN=System,DC=mydomain,DC=org,DC=uk

FWIW, all my DCs are on 4.6.0, and the Mac Mini that works is running
OSX 10.10.5. The Windows machines failing are fully-patched Windows 7
Pro and Windows 10 Pro.

Has anybody got this to work - or can offer any pointers for what I
might be able to try next?

Cheers,

Jonathan

--
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
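
The DFS root described in the post above decides where clients are redirected, so its links are worth checking on each DC. The following is an added example, not code from the thread or from the Samba project: a POSIX shell audit that parses each `msdfs:server\share[,server\share...]` link target and reports referrals to hosts outside an expected DNS suffix. The function names, the `multi` and `plain` sample links and the suffix policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the msdfs links in a Samba DFS
# root. Link target format: msdfs:server\share[,server\share...]

# Print one "server share" line per referral in a link target ($1).
# Exit status 1: not an msdfs: link; 2: a referral is not server\share.
parse_msdfs_target() (
    case $1 in
        msdfs:?*) rest=${1#msdfs:} ;;
        *) exit 1 ;;
    esac
    while [ -n "$rest" ]; do
        ref=${rest%%,*}
        case $rest in
            *,*) rest=${rest#*,} ;;
            *) rest= ;;
        esac
        case $ref in
            ?*\\?*) server=${ref%%\\*} share=${ref#*\\}
                    printf '%s %s\n' "$server" "$share" ;;
            *) exit 2 ;;
        esac
    done
)

# Report each symlink in DFS root $1 that is not a well-formed msdfs link, and
# each referral whose server is not a host under DNS suffix $2 (assumed policy).
# Prints one finding per line; exit status 0 means no findings.
audit_dfs_root() (
    suffix=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    bad=0
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        if ! refs=$(parse_msdfs_target "$target"); then
            printf 'BAD-LINK %s -> %s\n' "${link##*/}" "$target"
            bad=$((bad + 1))
            continue
        fi
        while read -r server share; do
            host=$(printf '%s' "$server" | tr '[:upper:]' '[:lower:]')
            case $host in
                *".$suffix") ;;
                *) printf 'OUTSIDE-DOMAIN %s -> \\\\%s\\%s\n' "${link##*/}" "$server" "$share"
                   bad=$((bad + 1)) ;;
            esac
        done <<EOF
$refs
EOF
    done
    [ "$bad" -eq 0 ]
)
# Demo on a constructed DFS root: "test" is the link from the post above,
# "multi" and "plain" are made up for illustration.
demo() (
    d=$(mktemp -d) || exit 1
    ln -s 'msdfs:testserver.mydomain.org.uk\test' "$d/test"
    ln -s 'msdfs:fs1.mydomain.org.uk\data,fs2.other.example\data' "$d/multi"
    ln -s /etc "$d/plain"
    audit_dfs_root "$d" mydomain.org.uk
    rc=$?
    rm -rf "$d"
    exit "$rc"
)
demo || echo "review the findings above"
```

Short NetBIOS names and hosts in other domains are both reported as OUTSIDE-DOMAIN, since only fully qualified names under the suffix pass.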

Re: Domain DFS on new share

Samba - General mailing list
On Fri, Apr 21, 2017 at 12:09:25AM +0100, Jonathan Hunter via samba wrote:

> Hi,
>
> I am trying to configure domain DFS (I think that's the correct term)
> as below, using the guide on the wiki:
> https://wiki.samba.org/index.php/Distributed_File_System_(DFS)#Configure_domain-based_DFS_in_Samba
>
> I am aware that the wiki says that this doesn't quite work... however
> it feels to me that it's very close, nearly working, and I might be
> able to get it going (hopefully?!) by means of a simple fix.. I can
> dream, can't I?
>
> My goal is not to enable DFS-R (that's a whole other conversation -
> and I use lsyncd for sysvol etc. at the moment, anyway) but rather to
> simply use the redirection features so that (for example)
> \\mydomain\dfs\publishedshare goes to \\myserver\realshare.
>
> My setup is as follows.
>
> On each of my four DCs, I have added the following to smb.conf:
>
> [dfs]
>         path = /usr/local/samba/dfsroot
>         msdfs root = Yes
>
> And in /usr/local/samba/dfsroot, again on all four DCs, I have a symlink:
> lrwxrwxrwx  1 root root   38 Apr 15 01:14 test ->
> msdfs:testserver.mydomain.org.uk\test
>
> The DCs already have the following (confirmed using testparm) :
>
> [global]
>         vfs objects = dfs_samba4 acl_xattr
>
>
> This new 'dfs' share works fine from my test Windows 7 and Windows 10
> clients, if I access it via \\dc1\dfs, \\dc1\dfs\test, \\dc2\dfs\test,
> \\dc3\dfs and so on.
>
> However, if I access the very same share via \\mydomain\dfs or
> \\mydomain\dfs\test instead, then it fails with the following error:
> Windows cannot access \\mydomain\dfs. Error code 0x80070035 The
> network path was not found.

Wireshark trace needed I think.


Re: Domain DFS on new share

Samba - General mailing list
Since past the beta-times of samba 4 (and it worked in former times!!) it never worked like this: \\yourdomain\share or \\yourdomain\dfs-share.
The only thing working along with your domain is: \\yourdomain\netlogon.

I had another thread open on this case some time ago.

Greetings
Daniel

EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
 Email: [hidden email]
 www.tropenklinik.de
 www.bauen-sie-mit.tropenklinik.de                                                                                                                                              





Re: Domain DFS on new share

Samba - General mailing list
Hi,

On 21 April 2017 at 06:46, Mueller <[hidden email]> wrote:
> Since past the beta-times of samba 4 (and it worked in former times!!) it never worked like this: \\yourdomain\share or \\yourdomain\dfs-share.
> The only thing working along with your domain is: \\yourdomain\netlogon.
>
> I had another thread open on this case some time ago.

Thank you Daniel - at least I am not going crazy and it did work in the past :)

\\mydomain\sysvol does work, as well as \\mydomain\netlogon. But,
there is some issue with any \\mydomain\newshare.

I am not even sure that this is purely DFS related, as such, now. Just
to check things, I added the following share definition to all my DCs
(i.e. a simple share, without "msdfs root = yes"), and I can't access
this share either, via \\mydomain\notdfs - albeit I get a different
error from this.

[notdfs]
        path = /usr/local/samba/dfsroot

From Windows Explorer (Windows 7 VM, domain member):
\\mydomain\notdfs --> "\\mydomain\notdfs is not accessible. You might
not have permission to use this network resource. Contact the
administrator of this server to find out if you have access
permissions."

From cmd.exe on the same Windows 7 VM:
C:\>net use * \\mydomain\notdfs
Drive Y: is now connected to \\mydomain\notdfs.
(Very weird! Y: does work, I can see an empty folder with no issues
(presumably the msdfs symlink in there is ignored by default). Still
no luck from Windows Explorer even if I try \\mydomain\notdfs again)

When I try the same for my DFS share, though, still no luck, even with
"net use" :
C:\>net use * \\mydomain\dfs
System error 67 has occurred.
The network name cannot be found.

I have also shared some packet captures with Jeremy; perhaps he might
spot something simple that's going on.

> -----Original Message-----
> From: Jeremy Allison via samba [mailto:[hidden email]]
> Sent: Friday, 21 April 2017 01:27
> [...]
>
> Wireshark trace needed I think.

--
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein


Re: Domain DFS on new share

Samba - General mailing list
Hai,

Did you configure mutual authentication and integrity for the new share?

I suspect something related to this, since you posted :
> \\mydomain\sysvol does work, as well as \\mydomain\netlogon.
> But, there is some issue with any \\mydomain\newshare.

Good info here :
https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/ 


Greetz,

Louis




Re: Domain DFS on new share

Samba - General mailing list
Thanks Louis, some good info there!

On 21 April 2017 at 10:58, L.P.H. van Belle via samba
<[hidden email]> wrote:
> Did you configure mutual authentication and integrity for the new share?
> [..]
> Good info here :
> https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/

This led me to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
which, on my Windows 7 VM, was completely empty.
Adding "\\*\dfs" and "\\*\notdfs" keys as string values, with
"RequireMutualAuthentication=0" as data, hasn't helped, unfortunately.
I also tried \\mydomain\dfs, and restarted the Windows machine each
time - no change.

I would have thought that if there are no registry values in the
HardenedPaths section, then this hasn't been configured.. not sure
though. One of the comments here indicates that this is off by default
on Windows 7, anyway:
https://social.technet.microsoft.com/Forums/en-US/6a20e3f6-728a-4aa9-831a-6133f446ea08/gpos-do-not-apply-on-windows-10-enterprise-x64?forum=winserverGP

Have you had to configure these explicitly on Windows 7 machines? Mine
are all effectively on 'defaults' as far as this is concerned.

J

--
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein


Re: Domain DFS on new share

Samba - General mailing list
Hai,

Hmm, I did a good review on the subject.

As far as I can tell, on samba dfs works but not with \\your.domain.tld
Just tested this also on my 4.5.8 DCs and member servers.
\\DC1\dfs
\\DC2\dfs
Etc. works fine.

Reading again :
https://wiki.samba.org/index.php/Distributed_File_System_(DFS)

And my conclusion is, domain-based dfs does not work (yet) in samba.


Greetz,

Louis



> -----Original Message-----
> From: Mueller [mailto:[hidden email]]
> Sent: Friday, 21 April 2017 13:09
> To: 'L.P.H. van Belle'
> Subject: AW: [Samba] Domain DFS on new share
>
> I myself tried this kind of authentication and it did not
> work either.
> It is lost past beta and earlier versions.

Re: Domain DFS on new share

Samba - General mailing list
On 21 April 2017 at 14:08, L.P.H. van Belle via samba
<[hidden email]> wrote:
> Hmm, I did a good review on the subject.
>
> As far as I can tell, on samba dfs works but not with \\your.domain.tld
> Just tested this also on my 4.5.8 DCs and member servers.
> [...]
> Reading again :
> https://wiki.samba.org/index.php/Distributed_File_System_(DFS)
>
> And my conclusion is, domain-based dfs does not work (yet) in samba.

Agreed, currently it does not. The frustrating thing is, it used to
work with Samba, and it's frustrating that it does not work any longer
:)

I'm not a great coder in Samba internals, but I am keen to help as
much as I can to at least figure out what would need to be fixed in
order to get this working once more. I do appreciate that without
somebody more experienced than me looking at it, the answer might be
that it simply won't get fixed in the foreseeable future, though.

Thanks! :)

J

--
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
