Wiki source code of Distributed File System (DFS)
Last modified by Sebastian Marsching on 2022/05/30 12:18
{{toc/}}

# Using FQDNs in referrals

In order to make DFS namespaces work correctly with Linux clients, one has to enable FQDNs in DFS referrals (see [KB244380](https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-dfs-use-domain-names)).

If there is only a single namespace server, the process differs slightly from what is described in the article above (all of the following commands have to be run in a PowerShell session with elevated privileges).

First, we have to get a list of all the domain-based namespaces:

    Get-DfsnRoot -ComputerName myfileserver.ad.example.com | Where type -NotMatch "Standalone"

For each of the namespaces, we have to create a backup of the meta-data (because the meta-data is going to be lost when the only target is deleted), and then we delete the target:

    dfsutil.exe root export \\ad.example.com\MyNamespace MyNamespace.txt
    Remove-DfsnRootTarget -TargetPath \\myfileserver.ad.example.com\MyNamespace

After all the DFS targets on the server have been deleted, the configuration can be changed, and the DFS service can be restarted:

    Set-DfsnServerConfiguration -ComputerName myfileserver.ad.example.com -UseFqdn $true
    Stop-Service dfs
    Start-Service dfs

Now, the DFS namespace can be created again and the meta-data can be reimported (if this wasn’t the only namespace server, this isn’t necessary and it is sufficient to recreate the target):

    New-DfsnRoot -Path \\ad.example.com\MyNamespace -TargetPath \\myfileserver.ad.example.com\MyNamespace -Type DomainV2
    dfsutil.exe root import set MyNamespace.txt \\ad.example.com\MyNamespace

If the target paths were not specified using FQDNs before, it is necessary to edit the meta-data, changing the hostnames to FQDNs, before reimporting the meta-data.

# Mounting a DFS root on Linux

In `/etc/fstab` place something like this:

    //ad.example.com/MyNamespace /path/to/mountpoint cifs noauto,user,nosuid,nodev,noserverino,sec=krb5i,guest,uid=1000,gid=1000,soft,file_mode=0640,dir_mode=0750,iocharset=utf8,cruid=1000,forceuid,forcegid,noperm,nounix,vers=3.0 0 0

In this example, the UID and GID of the user who is supposed to use this share are `1000` and Kerberos authentication is used. The mount command should be executed as the user, because the root user will usually not have the required Kerberos ticket.

If mounting the share fails with an error message like:

    mount error(126): Required key not available

you will have to edit `/etc/request-key.conf` or `/etc/request-key.d/cifs.spnego.conf` and look for a line like this:

    create cifs.spnego * * /usr/sbin/cifs.upcall %k

You have to add the `-t` option to the `/usr/sbin/cifs.upcall` command. For example:

    create cifs.spnego * * /usr/sbin/cifs.upcall -t %k

Using this option has security implications: with `-t` (`--trust-dns`), `cifs.upcall` reverse-resolves the server's address to obtain the host name for the Kerberos service principal, so an attacker who controls DNS could make the client mount a different server. Be sure to read the man page of `cifs.upcall` before doing this.

If you don’t mind explicitly specifying the target server instead of referring to the DFS root through the domain, you won’t have to add the `-t` parameter. In this case, use a slightly different line in `/etc/fstab`:

    //myfileserver.ad.example.com/MyNamespace /path/to/mountpoint cifs noauto,user,nosuid,nodev,noserverino,sec=krb5i,guest,uid=1000,gid=1000,soft,file_mode=0640,dir_mode=0750,iocharset=utf8,cruid=1000,forceuid,forcegid,noperm,nounix,vers=3.0 0 0

It is still necessary to configure the DFS namespace server to use FQDNs in referrals, though.
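
The following is an added example, not part of the original wiki page: a POSIX shell function that scans request-key configuration files for active `cifs.spnego` rules passing `-t` / `--trust-dns` to `cifs.upcall`, so that hosts carrying the change described above can be inventoried. The names `audit_trust_dns` and `write_samples` and the sample files are constructed for this illustration.

```shell
#!/bin/sh
# Report request-key rules that run cifs.upcall with reverse-DNS trust enabled.
# Usage: audit_trust_dns FILE...   (returns 1 if any such rule is active)
audit_trust_dns() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        n=0
        # Fields: OP TYPE DESCRIPTION CALLOUT-INFO PROGRAM [ARGS...]
        while read -r op type _desc _info prog args || [ -n "$op" ]; do
            n=$((n + 1))
            case $op in ''|'#'*) continue ;; esac      # blank line or comment
            [ "$op" = create ] && [ "$type" = cifs.spnego ] || continue
            case $prog in cifs.upcall|*/cifs.upcall) ;; *) continue ;; esac
            set -f                                     # do not glob "*" or "%k"
            for a in $args; do
                case $a in
                    # Long form, "-t", or a bundle such as "-vt". A bundle with an
                    # attached argument may over-report, which is fine for an audit.
                    --trust-dns|-t*|-[!-]*t*)
                        printf '%s:%d: %s %s\n' "$f" "$n" "$prog" "$args"
                        found=1
                        break ;;
                esac
            done
            set +f
        done < "$f"
    done
    return "$found"
}

# Constructed sample files (not taken from a real host).
write_samples() {
    printf '%s\n' '# constructed sample: default rule' \
        'create cifs.spnego * * /usr/sbin/cifs.upcall %k' \
        '#create cifs.spnego * * /usr/sbin/cifs.upcall -t %k' > "$1/strict.conf"
    printf '%s\n' '# constructed sample: rule changed as on this page' \
        'create cifs.spnego * * /usr/sbin/cifs.upcall -t %k' > "$1/trusting.conf"
}

demo=$(mktemp -d)
write_samples "$demo"
audit_trust_dns "$demo"/*.conf || echo "rules with DNS trust found"
rm -rf "$demo"
```

On a real host, call `audit_trust_dns /etc/request-key.conf /etc/request-key.d/*.conf`.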