Re: cifs SRV record

On Fri, 2014-06-20 at 14:14 +0200, steve wrote:
> On Thu, 2014-06-19 at 12:17 -0700, Bob Balsover wrote:
> > Steve, you appear to be beating a dead horse. Assuming you are using a
> > somewhat current kernel just place the DFS share in your client's
> > configuration file and try it. I am currently working with this kernel
> > code and it works fine.
> 
> OK, here's our first attempt:
> 
> [global]
> workgroup = HH3
> realm = HH3.SITE
> security = ADS
> kerberos method = system keytab
> host msdfs = yes
> 
> [users]
> path = /home/users
> read only = No
> 
> [dfs]
> path = /home/samba/dfs
> msdfs root = yes
> - - -
> 
> alfaz:/home/samba/dfs # ls -l
> total 0
> lrwxrwxrwx 1 root root 17 Jun 20 13:57 users -> msdfs:alfaz\users
> - - -
> 
> klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/alfaz.hh3.site@xxxxxxxx
>    1 host/alfaz.hh3.site@xxxxxxxx
>    1 host/alfaz.hh3.site@xxxxxxxx
>    1 host/alfaz.hh3.site@xxxxxxxx
>    1 host/alfaz.hh3.site@xxxxxxxx
>    1 host/alfaz@xxxxxxxx
>    1 host/alfaz@xxxxxxxx
>    1 host/alfaz@xxxxxxxx
>    1 host/alfaz@xxxxxxxx
>    1 host/alfaz@xxxxxxxx
>    1 ALFAZ$@HH3.SITE
>    1 ALFAZ$@HH3.SITE
>    1 ALFAZ$@HH3.SITE
>    1 ALFAZ$@HH3.SITE
>    1 ALFAZ$@HH3.SITE
>    1 cifsuser@xxxxxxxx
> 
> 
> This works fine:
>  mount -t cifs //alfaz/dfs/users /mnt -osec=krb5,username=cifsuser,multiuser
> 
> cifsuser gets a ticket:
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: cifsuser@xxxxxxxx
> 
> Valid starting       Expires              Service principal
> 06/20/2014 13:20:31  06/20/2014 23:20:31  krbtgt/HH3.SITE@xxxxxxxx
> 	renew until 06/21/2014 13:20:31
> 06/20/2014 13:35:32  06/20/2014 23:20:31  cifs/alfaz@
> 	renew until 06/21/2014 13:20:31
> 06/20/2014 13:35:32  06/20/2014 23:20:31  cifs/alfaz@xxxxxxxx
> 	renew until 06/21/2014 13:20:31
> 
> And the share is mounted:
> ls /mnt
> Administrator  br2  cifsuser  julie  julie2  lynn2  steve2  steve3 
> However, there's no advantage in using dfs for that because we've had
> to specify the server.
> 
> But that's not what we want. So, after some googling, we include the
> domain:
> mount -t cifs //hh3.site/dfs/users /mnt -osec=krb5,username=cifsuser,multiuser
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> It doesn't mount.
> 
> And the KDC responds:
> Kerberos: TGS-REQ cifsuser@xxxxxxxx from ipv4:192.168.1.102:51585 for cifs/hh3.site@xxxxxxxx [canonicalize, renewable]
> Kerberos: Searching referral for hh3.site
> Kerberos: Returning a referral to realm SITE for server cifs/hh3.site@xxxxxxxx that was not found
> Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SITE@xxxxxxxx: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.102:51585
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> Kerberos: TGS-REQ cifsuser@xxxxxxxx from ipv4:192.168.1.102:51586 for krbtgt/SITE@xxxxxxxx [renewable]
> Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SITE@xxxxxxxx: no such entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.102:51586
> 
> How do we tell cifs to look in the domain for a dfs share server?
> 
> Samba4 DC running samba with Samba4 file server running smbd all on
> openSUSE 13.1
> 
> Thanks for your patience.
> Steve

Our second try with the Microsoft ad dfs tools:
https://lists.samba.org/archive/samba/2014-June/182387.html

Third attempt:
We add a second file server to the domain called villena:

lrwxrwxrwx 1 root root 17 Jun 20 13:57 users -> msdfs:villena\users,msdfs:alfaz\users

 We can mount shares fine from villena but if villena is not available
and we call alfaz for the share (exactly as before):

mount -t cifs //alfaz/dfs/users /mnt -osec=krb5,username=cifsuser,multiuser

it fails to mount:
Unable to find address.
It seems that if the first file server is unavailable, the second one is
not consulted.

Any comments or guidance on what should work and what we can and cannot
expect to work with samba/dfs/cifs would be most welcome. 

Thanks for your patience,
Steve
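
Added example, not part of the original message and not Samba code: a small Python triage of the KDC log quoted above that pairs each TGS-REQ with the referral realm the KDC returned and the principal it could not find. The log text is taken from the message, one entry per line, with the archive's realm redaction kept; the function name and record fields are made up for this sketch.

```python
import re

# KDC log excerpt from the message above, one entry per line; the realm is
# redacted as "xxxxxxxx" in the list archive and is kept that way here.
SAMPLE_LOG = """\
Kerberos: TGS-REQ cifsuser@xxxxxxxx from ipv4:192.168.1.102:51585 for cifs/hh3.site@xxxxxxxx [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server cifs/hh3.site@xxxxxxxx that was not found
Kerberos: Server not found in database: krbtgt/SITE@xxxxxxxx: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.102:51585
Kerberos: TGS-REQ cifsuser@xxxxxxxx from ipv4:192.168.1.102:51586 for krbtgt/SITE@xxxxxxxx [renewable]
Kerberos: Server not found in database: krbtgt/SITE@xxxxxxxx: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.102:51586
"""

TGS_REQ = re.compile(r"TGS-REQ (\S+) from (ipv4:[\d.]+:\d+) for (\S+)")
REFERRAL = re.compile(r"Returning a referral to realm (\S+) for server (\S+) that was not found")
NOT_FOUND = re.compile(r"Server not found in database: ([^:\s]+):")
FAILED = re.compile(r"Failed building TGS-REP to (ipv4:[\d.]+:\d+)")

def failed_tgs_requests(log_text):
    """Return one record per TGS-REQ that ended in 'Failed building TGS-REP'."""
    failures, current = [], None
    for line in log_text.splitlines():
        if m := TGS_REQ.search(line):
            # A new request starts; later lines are attributed to it.
            current = {"client": m[1], "peer": m[2], "spn": m[3],
                       "referral_realm": None, "missing": []}
        elif current is None:
            continue
        elif m := REFERRAL.search(line):
            current["referral_realm"] = m[1]
        elif m := NOT_FOUND.search(line):
            current["missing"].append(m[1])
        elif (m := FAILED.search(line)) and m[1] == current["peer"]:
            failures.append(current)
            current = None
    return failures

if __name__ == "__main__":
    for f in failed_tgs_requests(SAMPLE_LOG):
        print(f"{f['client']} -> {f['spn']}: "
              f"referral={f['referral_realm']} missing={f['missing']}")
```
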




