Since past the beta-times of samba 4 (and it worked in former times!!) it never worked like this: \\yourdomain\share or \\yourdomain\dfs-share.
The only thing working along with your domain is: \\yourdomain\netlogon.

I had another thread open on this case some time ago.

Greetings
Daniel

EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: mueller at tropenklinik.de
www.tropenklinik.de
www.bauen-sie-mit.tropenklinik.de

-----Original Message-----
From: Jeremy Allison via samba [mailto:samba at lists.samba.org]
Sent: Friday, 21 April 2017 01:27
To: Jonathan Hunter <jmhunter1 at gmail.com>
Cc: samba <samba at lists.samba.org>
Subject: Re: [Samba] Domain DFS on new share

On Fri, Apr 21, 2017 at 12:09:25AM +0100, Jonathan Hunter via samba wrote:
> Hi,
>
> I am trying to configure domain DFS (I think that's the correct term)
> as below, using the guide on the wiki:
> https://wiki.samba.org/index.php/Distributed_File_System_(DFS)#Configure_domain-based_DFS_in_Samba
>
> I am aware that the wiki says that this doesn't quite work... however
> it feels to me that it's very close, nearly working, and I might be
> able to get it going (hopefully?!) by means of a simple fix.. I can
> dream, can't I?
>
> My goal is not to enable DFS-R (that's a whole other conversation -
> and I use lsyncd for sysvol etc. at the moment, anyway) but rather to
> simply use the redirection features so that (for example)
> \\mydomain\dfs\publishedshare goes to \\myserver\realshare.
>
> My setup is as follows.
>
> On each of my four DCs, I have added the following to smb.conf:
>
> [dfs]
> path = /usr/local/samba/dfsroot
> msdfs root = Yes
>
> And in /usr/local/samba/dfsroot, again on all four DCs, I have a symlink:
> lrwxrwxrwx 1 root root 38 Apr 15 01:14 test -> msdfs:testserver.mydomain.org.uk\test
>
> The DCs already have the following (confirmed using testparm) :
>
> [global]
> vfs objects = dfs_samba4 acl_xattr
>
>
> This new 'dfs' share works fine from my test Windows 7 and Windows 10
> clients, if I access it via \\dc1\dfs, \\dc1\dfs\test, \\dc2\dfs\test,
> \\dc3\dfs and so on.
>
> However, if I access the very same share via \\mydomain\dfs or
> \\mydomain\dfs\test instead, then it fails with the following error:
> Windows cannot access \\mydomain\dfs. Error code 0x80070035 The
> network path was not found.

Wireshark trace needed I think.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Hi,

On 21 April 2017 at 06:46, Mueller <mueller at tropenklinik.de> wrote:
> Since past the beta-times of samba 4 (and it worked in former times!!) it never worked like this: \\yourdomain\share or \\yourdomain\dfs-share.
> The only thing working along with your domain is: \\yourdomain\netlogon.
>
> I had another thread open on this case some time ago.

Thank you Daniel - at least I am not going crazy and it did work in the past :)

\\mydomain\sysvol does work, as well as \\mydomain\netlogon.
But, there is some issue with any \\mydomain\newshare.

I am not even sure that this is purely DFS related, as such, now. Just to check things, I added the following share definition to all my DCs (i.e. a simple share, without "msdfs root = yes"), and I can't access this share either, via \\mydomain\notdfs - albeit I get a different error from this.

[notdfs]
path = /usr/local/samba/dfsroot

From Windows Explorer (Windows 7 VM, domain member):
\\mydomain\notdfs --> "\\mydomain\notdfs is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions."

From cmd.exe on the same Windows 7 VM:
C:\>net use * \\mydomain\notdfs
Drive Y: is now connected to \\mydomain\notdfs.

(Very weird! Y: does work, I can see an empty folder with no issues (presumably the msdfs symlink in there is ignored by default). Still no luck from Windows Explorer even if I try \\mydomain\notdfs again)

When I try the same for my DFS share, though, still no luck, even with "net use" :
C:\>net use * \\mydomain\dfs
System error 67 has occurred.
The network name cannot be found.

I have also shared some packet captures with Jeremy; perhaps he might spot something simple that's going on.

> -----Original Message-----
> From: Jeremy Allison via samba [mailto:samba at lists.samba.org]
> Sent: Friday, 21 April 2017 01:27
> [...]
>
> Wireshark trace needed I think.

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein

Hai,

Did you configure mutual authentication and integrity for the new share?

I suspect something related to this, since you posted :
> \\mydomain\sysvol does work, as well as \\mydomain\netlogon.
> But, there is some issue with any \\mydomain\newshare.

Good info here :
https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jonathan Hunter via samba
> Sent: Friday, 21 April 2017 11:47
> To: mueller at tropenklinik.de
> CC: samba; Jeremy Allison
> Subject: Re: [Samba] Domain DFS on new share
>
> Hi,
>
> On 21 April 2017 at 06:46, Mueller <mueller at tropenklinik.de> wrote:
> > Since past the beta-times of samba 4 (and it worked in former times!!) it never worked like this: \\yourdomain\share or \\yourdomain\dfs-share.
> > The only thing working along with your domain is: \\yourdomain\netlogon.
> >
> > I had another thread open on this case some time ago.
>
> Thank you Daniel - at least I am not going crazy and it did work in the past :)
>
> \\mydomain\sysvol does work, as well as \\mydomain\netlogon.
> But, there is some issue with any \\mydomain\newshare.
>
> I am not even sure that this is purely DFS related, as such, now. Just to check things, I added the following share definition to all my DCs (i.e. a simple share, without "msdfs root = yes"), and I can't access this share either, via \\mydomain\notdfs - albeit I get a different error from this.
>
> [notdfs]
> path = /usr/local/samba/dfsroot
>
> From Windows Explorer (Windows 7 VM, domain member):
> \\mydomain\notdfs --> "\\mydomain\notdfs is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions."
>
> From cmd.exe on the same Windows 7 VM:
> C:\>net use * \\mydomain\notdfs
> Drive Y: is now connected to \\mydomain\notdfs.
>
> (Very weird! Y: does work, I can see an empty folder with no issues (presumably the msdfs symlink in there is ignored by default). Still no luck from Windows Explorer even if I try \\mydomain\notdfs again)
>
> When I try the same for my DFS share, though, still no luck, even with "net use" :
> C:\>net use * \\mydomain\dfs
> System error 67 has occurred.
> The network name cannot be found.
>
> I have also shared some packet captures with Jeremy; perhaps he might spot something simple that's going on.
>
> > -----Original Message-----
> > From: Jeremy Allison via samba [mailto:samba at lists.samba.org]
> > Sent: Friday, 21 April 2017 01:27
> > [...]
> >
> > Wireshark trace needed I think.
>
> --
> "If we knew what it was we were doing, it would not be called research, would it?"
> - Albert Einstein

Thanks Louis, some good info there!

On 21 April 2017 at 10:58, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Did you configure mutual authentication and integrity for the new share?
> [..]
> Good info here :
> https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/

This led me to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
which, on my Windows 7 VM, was completely empty.

Adding "\\*\dfs" and "\\*\notdfs" keys as string values, with "RequireMutualAuthentication=0" as data, hasn't helped, unfortunately. I also tried \\mydomain\dfs, and restarted the Windows machine each time - no change.

I would have thought that if there are no registry values in the HardenedPaths section, then this hasn't been configured.. not sure though. One of the comments here indicates that this is off by default on Windows 7, anyway:
https://social.technet.microsoft.com/Forums/en-US/6a20e3f6-728a-4aa9-831a-6133f446ea08/gpos-do-not-apply-on-windows-10-enterprise-x64?forum=winserverGP

Have you had to configure these explicitly on Windows 7 machines? Mine are all effectively on 'defaults' as far as this is concerned.

J

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein

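Added example, not part of the original post and not Samba or Microsoft code: a small Python parser for `reg query` output of the HardenedPaths key discussed above, which lists entries that switch a requirement off (such as the test values described in the message) so they can be reviewed once troubleshooting is over. The sample output is constructed, and the wildcard matching in `matches` is a simplified assumption rather than Windows' own resolution logic.

```python
import re

# Constructed sample: `reg query` output for the HardenedPaths policy key,
# including the two test entries described in the message above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
    \\*\NETLOGON    REG_SZ    RequireMutualAuthentication=1, RequireIntegrity=1
    \\*\SYSVOL    REG_SZ    RequireMutualAuthentication=1, RequireIntegrity=1
    \\*\dfs    REG_SZ    RequireMutualAuthentication=0
    \\*\notdfs    REG_SZ    RequireMutualAuthentication=0
"""

# One value line: indented UNC pattern, the REG_SZ type, then the option list.
ENTRY = re.compile(r"^\s+(\\\\\S+)\s+REG_SZ\s+(.*)$")

def parse_hardened_paths(text):
    """Return {unc_pattern: {option_name: bool}} from `reg query` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # key header or blank line
        opts = {}
        for item in m.group(2).split(","):
            name, _, value = item.strip().partition("=")
            if name:
                opts[name] = value.strip() == "1"
        entries[m.group(1)] = opts
    return entries

def matches(pattern, unc):
    """Assumed matching: per component, case-insensitive, '*' = any server or share."""
    p = pattern.strip("\\").lower().split("\\")
    u = unc.strip("\\").lower().split("\\")
    return len(u) >= len(p) and all(a in ("*", b) for a, b in zip(p, u))

def weakened(entries):
    """Patterns that explicitly set at least one Require* option to 0."""
    return sorted(p for p, o in entries.items() if not all(o.values()))

def covering(entries, unc):
    """Entries whose pattern covers the given UNC path."""
    return {p: o for p, o in entries.items() if matches(p, unc)}

if __name__ == "__main__":
    e = parse_hardened_paths(SAMPLE)
    print("weakened:", weakened(e))
    print("covering \\\\mydomain\\dfs:", covering(e, r"\\mydomain\dfs"))
```
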
Hai,

Hmm, I did a good review on the subject.
As far as I can tell, on samba dfs works but not with \\your.domain.tld

Just tested this also on my 4.5.8 DCs and member servers.
\\DC1\dfs
\\DC2\dfs
Etc. works fine.

Reading again : https://wiki.samba.org/index.php/Distributed_File_System_(DFS)
And my conclusion is, domain-based dfs does not work (yet) in samba.

Greetz,

Louis

> -----Original Message-----
> From: Mueller [mailto:mueller at tropenklinik.de]
> Sent: Friday, 21 April 2017 13:09
> To: 'L.P.H. van Belle'
> Subject: AW: [Samba] Domain DFS on new share
>
> I myself tried this kind of authentication and it did not work either.
> It is lost past beta and earlier versions.
>
>
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> Email: mueller at tropenklinik.de
> www.tropenklinik.de
> www.bauen-sie-mit.tropenklinik.de
>
>
> -----Original Message-----
> From: L.P.H. van Belle via samba [mailto:samba at lists.samba.org]
> Sent: Friday, 21 April 2017 11:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain DFS on new share
>
> Hai,
>
> Did you configure mutual authentication and integrity for the new share?
>
> I suspect something related to this, since you posted :
> > \\mydomain\sysvol does work, as well as \\mydomain\netlogon.
> > But, there is some issue with any \\mydomain\newshare.
>
> Good info here :
> https://blogs.technet.microsoft.com/askpfeplat/2015/02/22/guidance-on-deployment-of-ms15-011-and-ms15-014/
>
>
> Greetz,
>
> Louis
>
>
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jonathan Hunter via samba
> > Sent: Friday, 21 April 2017 11:47
> > To: mueller at tropenklinik.de
> > CC: samba; Jeremy Allison
> > Subject: Re: [Samba] Domain DFS on new share
> >
> > Hi,
> >
> > On 21 April 2017 at 06:46, Mueller <mueller at tropenklinik.de> wrote:
> > > Since past the beta-times of samba 4 (and it worked in former times!!) it never worked like this: \\yourdomain\share or \\yourdomain\dfs-share.
> > > The only thing working along with your domain is: \\yourdomain\netlogon.
> > >
> > > I had another thread open on this case some time ago.
> >
> > Thank you Daniel - at least I am not going crazy and it did work in the past :)
> >
> > \\mydomain\sysvol does work, as well as \\mydomain\netlogon.
> > But, there is some issue with any \\mydomain\newshare.
> >
> > I am not even sure that this is purely DFS related, as such, now. Just to check things, I added the following share definition to all my DCs (i.e. a simple share, without "msdfs root = yes"), and I can't access this share either, via \\mydomain\notdfs - albeit I get a different error from this.
> >
> > [notdfs]
> > path = /usr/local/samba/dfsroot
> >
> > From Windows Explorer (Windows 7 VM, domain member):
> > \\mydomain\notdfs --> "\\mydomain\notdfs is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions."
> >
> > From cmd.exe on the same Windows 7 VM:
> > C:\>net use * \\mydomain\notdfs
> > Drive Y: is now connected to \\mydomain\notdfs.
> >
> > (Very weird! Y: does work, I can see an empty folder with no issues (presumably the msdfs symlink in there is ignored by default). Still no luck from Windows Explorer even if I try \\mydomain\notdfs again)
> >
> > When I try the same for my DFS share, though, still no luck, even with "net use" :
> > C:\>net use * \\mydomain\dfs
> > System error 67 has occurred.
> > The network name cannot be found.
> >
> > I have also shared some packet captures with Jeremy; perhaps he might spot something simple that's going on.
> >
> > > -----Original Message-----
> > > From: Jeremy Allison via samba [mailto:samba at lists.samba.org]
> > > Sent: Friday, 21 April 2017 01:27
> > > [...]
> > >
> > > Wireshark trace needed I think.
> >
> > --
> > "If we knew what it was we were doing, it would not be called research, would it?"
> > - Albert Einstein