Distributed File System (DFS)

Last modified by Sebastian Marsching on 2022/05/30 12:18

Using FQDNs in referrals

In order to make DFS namespaces work correctly with Linux clients, one has to enable FQDNs in DFS referrals (see KB244380).

If there is only a single namespace server, the process is slightly different than what is described in the article above (all of the following commands have to be run in a PowerShell with elevated privileges):

First, we have to get a list of all the domain-based namespaces:

Get-DfsnRoot -ComputerName myfileserver.ad.example.com | Where type -NotMatch "Standalone"

For each of the namespaces we have to create a backup of the meta-data (because the meta-data is going to be lost when the only target is deleted), and then we delete the target:

dfsutil.exe root export \\ad.example.com\MyNamespace MyNamespace.txt
Remove-DfsnRootTarget -TargetPath \\myfileserver.ad.example.com\MyNamespace

After all the DFS targets on the server have been deleted, the configuration can be changed, and the DFS service can be restarted:

Set-DfsnServerConfiguration -ComputerName myfileserver.ad.example.com -UseFqdn $true
Stop-Service dfs
Start-Service dfs

Now, the DFS namespace can be created again and the meta-data can be reimported (if this wasn’t the only namespace server, this isn’t necessary and it is sufficient to recreate the target).

New-DfsnRoot -Path \\ad.example.com\MyNamespace -TargetPath \\myfileserver.ad.example.com\MyNamespace -Type DomainV2
dfsutil.exe root import set MyNamespace.txt \\ad.example.com\MyNamespace

If the target paths were not specified using FQDNs before, it is necessary to edit the meta-data, changing the hostnames to FQDNs, before reimporting the meta-data.

Mounting a DFS root on Linux

In /etc/fstab place something like this:

//ad.example.com/MyNamespace /path/to/mountpoint cifs noauto,user,nosuid,nodev,noserverino,sec=krb5i,guest,uid=1000,gid=1000,soft,file_mode=0640,dir_mode=0750,iocharset=utf8,cruid=1000,forceuid,forcegid,noperm,nounix,vers=3.0 0 0

In this example, the UID and GID of the user who is supposed to use this share are 1000 and Kerberos authentication is used. The mount command should be executed as the user, because the root user will usually not have the required Kerberos ticket.

If mounting the share fails with an error message like:

mount error(126): Required key not available

you will have to edit /etc/request-key.conf or /etc/request-key.d/cifs.spnego.conf and look for a line like this:

create  cifs.spnego    * * /usr/sbin/cifs.upcall %k

You have to add the -t option to the /usr/sbin/cifs.upcall command. For example:

create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k

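Using this option has security implications: with -t (--trust-dns), cifs.upcall relies on a reverse DNS lookup of the server's address to build the Kerberos service principal name, so the mount is only as trustworthy as the DNS answers the client receives. Be sure to read the man page of cifs.upcall before doing this.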
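To see which configuration files on a client already carry this setting, the following added example (not part of the original page) scans request-key configuration for cifs.spnego entries that start cifs.upcall with -t or --trust-dns. The function names are made up for this example, and the sample files it writes are constructed from the lines shown above.

```shell
#!/bin/sh
# Added example, not from the original page. Reports request-key entries that
# start cifs.upcall for cifs.spnego keys with reverse-DNS trust (-t) enabled.

# find_trust_dns FILE...
# Prints "file:line: entry" for every match; returns 0 if any was found.
find_trust_dns() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        # Fields: op, key type, description, callout info, program, args...
        $1 == "create" && $2 == "cifs.spnego" && $5 ~ /(^|\/)cifs\.upcall$/ {
            hit = 0
            for (i = 6; i <= NF; i++) {
                if ($i == "--trust-dns") hit = 1
                # -t alone or bundled with other short flags (e.g. -lt).
                # A letters-only argument glued to another option is also
                # reported; an audit should rather over-report.
                else if ($i ~ /^-[A-Za-z]*t[A-Za-z]*$/) hit = 1
            }
            if (hit) { print FILENAME ":" FNR ": " $0; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# write_sample DIR: constructed sample files modelled on the lines shown above.
write_sample() {
    mkdir -p "$1/request-key.d"
    cat > "$1/request-key.conf" <<'EOF'
# constructed sample
create  dns_resolver   * * /sbin/key.dns_resolver %k
create  cifs.spnego    * * /usr/sbin/cifs.upcall %k
EOF
    cat > "$1/request-key.d/cifs.spnego.conf" <<'EOF'
#create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k
create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k
EOF
}

# Demo on the constructed sample; on a real host pass /etc/request-key.conf
# and /etc/request-key.d/*.conf instead.
demo() {
    d=$(mktemp -d) && write_sample "$d"
    rc=0
    find_trust_dns "$d/request-key.conf" "$d/request-key.d/cifs.spnego.conf" || rc=$?
    rm -rf "$d"; return "$rc"
}
```

After sourcing the file, `demo` prints the one active entry that passes -t; the commented-out copy and the entry without -t are not reported.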

If you don’t mind explicitly specifying the target server instead of referring to the DFS root through the domain, you won’t have to add the -t parameter. In this case, use a slightly different line in /etc/fstab:

//myfileserver.ad.example.com/MyNamespace /path/to/mountpoint cifs noauto,user,nosuid,nodev,noserverino,sec=krb5i,guest,uid=1000,gid=1000,soft,file_mode=0640,dir_mode=0750,iocharset=utf8,cruid=1000,forceuid,forcegid,noperm,nounix,vers=3.0 0 0

It is still necessary to configure the DFS namespace server to use FQDNs in referrals, though.