On Thu, 2014-06-19 at 12:17 -0700, Bob Balsover wrote:
> Steve, you appear to be beating a dead horse. Assuming you are using a
> somewhat current kernel just place the DFS share in your client's
> configuration file and try it. I am currently working with this kernel
> code and it works fine.

OK, here's our first attempt:

[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
host msdfs = yes

[users]
path = /home/users
read only = No

[dfs]
path = /home/samba/dfs
msdfs root = yes

- - -
alfaz:/home/samba/dfs # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 20 13:57 users -> msdfs:alfaz\users

- - -
klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/alfaz.hh3.site@xxxxxxxx
   1 host/alfaz.hh3.site@xxxxxxxx
   1 host/alfaz.hh3.site@xxxxxxxx
   1 host/alfaz.hh3.site@xxxxxxxx
   1 host/alfaz.hh3.site@xxxxxxxx
   1 host/alfaz@xxxxxxxx
   1 host/alfaz@xxxxxxxx
   1 host/alfaz@xxxxxxxx
   1 host/alfaz@xxxxxxxx
   1 host/alfaz@xxxxxxxx
   1 ALFAZ$@HH3.SITE
   1 ALFAZ$@HH3.SITE
   1 ALFAZ$@HH3.SITE
   1 ALFAZ$@HH3.SITE
   1 ALFAZ$@HH3.SITE
   1 cifsuser@xxxxxxxx

This works fine:
mount -t cifs //alfaz/dfs/users /mnt -osec=krb5,username=cifsuser,multiuser

cifsuser gets a ticket:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cifsuser@xxxxxxxx

Valid starting       Expires              Service principal
06/20/2014 13:20:31  06/20/2014 23:20:31  krbtgt/HH3.SITE@xxxxxxxx
        renew until 06/21/2014 13:20:31
06/20/2014 13:35:32  06/20/2014 23:20:31  cifs/alfaz@
        renew until 06/21/2014 13:20:31
06/20/2014 13:35:32  06/20/2014 23:20:31  cifs/alfaz@xxxxxxxx
        renew until 06/21/2014 13:20:31

And the share is mounted:
ls /mnt
Administrator br2 cifsuser julie julie2 lynn2 steve2 steve3

However, there's no advantage in using dfs for that because we've had to
specify the server. But that's not what we want.
So, after some googling, we include the domain:
mount -t cifs //hh3.site/dfs/users /mnt -osec=krb5,username=cifsuser,multiuser
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

It doesn't mount. And the KDC responds:

Kerberos: TGS-REQ cifsuser@xxxxxxxx from ipv4:192.168.1.102:51585 for cifs/hh3.site@xxxxxxxx [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server cifs/hh3.site@xxxxxxxx that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE@xxxxxxxx: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.102:51585
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ cifsuser@xxxxxxxx from ipv4:192.168.1.102:51586 for krbtgt/SITE@xxxxxxxx [renewable]
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE@xxxxxxxx: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.102:51586

How do we tell cifs to look in the domain for a dfs share server?

Samba4 DC running samba with Samba4 file server running smbd all on
openSUSE 13.1

Thanks for your patience.
Steve