Distributed File System (DFS)

# Using FQDNs in referrals

In order to make DFS namespaces work correctly with Linux clients, one has to enable FQDNs in DFS referrals (see [KB244380](https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-dfs-use-domain-names)).

6

7

If there is only a single namespace server, the process is slightly different than what is described in the article above (all of the following commands have to be run in a PowerShell with elevated privileges):

8

9

First, we have to get a list of all the domain-based namespaces:

10

11

Get-DfsnRoot -ComputerName myfileserver.ad.example.com | Where type -NotMach "Standalone"

12

13

For each of the namespaces we have to create a backup of the meta-data (because the meta-data is going to be lost when the only target is deleted), and then we delete the target:

14

15

dfsutil.exe root export \\ad.example.com\MyNamespace MyNamespace.txt

16

Remove-DfsnRootTarget -TargetPath \\myfileserver.ad.example.com\MyNamespace

17

18

After all the DFS targets on the server have been deleted, the configuration can be changed, and the DFS service can be restarted:

19

20

Set-DfsnServerConfiguration -ComputerName myfileserver.ad.example.com -UseFqdn $true

Stop-Service dfs

Start-Service dfs

Now, the DFS namespace can be created again and the meta-data can be reimported (if this wasn’t the only namespace server, this isn’t necessary and it is sufficient to recreate the target).

25

26

New-DfsnRoot -Path \\ad.example.com\MyNamespace -TargetPath \\myfileserver.ad.example.com\MyNamespace -Type DomainV2

27

dfsutil.exe root import set MyNamespace.txt \\ad.example.com\MyNamespace

28

29

If the target paths where not specified using FQDNs before, it is necessary to edit the meta-data, changing the hostnames to FQDNs, before reimporting the meta-data.

30

31

# Mounting a DFS root on Linux

32

33

In `/etc/fstab` place something like this:

34

35

//ad.example.com/MyNamespace /path/to/mointpoint cifs noauto,user,nosuid,nodev,noserverino,sec=krb5i,guest,uid=1000,gid=1000,soft,file_mode=0640,dir_mode=0750,iocharset=utf8,cruid=1000,forceuid,forcegid,noperm,nounix,vers=3.0 0 0

36

37

In this example, the UID and GID of the user who is supposed to use this share is `1000` and Kerberos authentication is used. The mount command should be executed as the user, because the root user will usually not have the required Kerberos ticket.

38

39

If mounting the share fails with an error message like:

40

41

mount error(126): Required key not available

42

43

You will have to edit `/etc/request-key.conf` or `/etc/request-key.d/cifs.spnego.conf` and look for a line like this:

44

45

create cifs.spnego * * /usr/sbin/cifs.upcall %k

46

47

You have to add the `-t` option to the `/usr/sbin/cifs.upcall` command. For example:

48

49

create cifs.spnego * * /usr/sbin/cifs.upcall -t %k

50

51

Using this option has security implications, so be sure to read the man page of `cifs.upcall` before doing this.

52

53

If you don’t mind explicitly specifying the target server instead of referring to the DFS root through the domain, you won’t have to add the `-t` parameter. In this case, use a slightly different line in `/etc/fstab`:

54

55

//myfileserver.ad.example.com/MyNamespace /path/to/mointpoint cifs noauto,user,nosuid,nodev,noserverino,sec=krb5i,guest,uid=1000,gid=1000,soft,file_mode=0640,dir_mode=0750,iocharset=utf8,cruid=1000,forceuid,forcegid,noperm,nounix,vers=3.0 0 0

56

57

It is still necessary to configure the DFS namespace server to use FQDNs in referrals, though.

version	line-number	content
1.1	1	{{toc/}}
	2
	3	# Using FQDNs in referrals
	4
	5	In order to make DFS namespaces work correctly with Linux clients, one has to enable FQDNs in DFS referrals (see [KB244380](https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/configure-dfs-use-domain-names)).
	6
	7	If there is only a single namespace server, the process is slightly different than what is described in the article above (all of the following commands have to be run in a PowerShell with elevated privileges):
	8
	9	First, we have to get a list of all the domain-based namespaces:
	10
	11	Get-DfsnRoot -ComputerName myfileserver.ad.example.com \| Where type -NotMach "Standalone"
	12
	13	For each of the namespaces we have to create a backup of the meta-data (because the meta-data is going to be lost when the only target is deleted), and then we delete the target:
	14
	15	dfsutil.exe root export \\ad.example.com\MyNamespace MyNamespace.txt
	16	Remove-DfsnRootTarget -TargetPath \\myfileserver.ad.example.com\MyNamespace
	17
	18	After all the DFS targets on the server have been deleted, the configuration can be changed, and the DFS service can be restarted:
	19
	20	Set-DfsnServerConfiguration -ComputerName myfileserver.ad.example.com -UseFqdn $true
	21	Stop-Service dfs
	22	Start-Service dfs
	23
	24	Now, the DFS namespace can be created again and the meta-data can be reimported (if this wasn’t the only namespace server, this isn’t necessary and it is sufficient to recreate the target).
	25
	26	New-DfsnRoot -Path \\ad.example.com\MyNamespace -TargetPath \\myfileserver.ad.example.com\MyNamespace -Type DomainV2
	27	dfsutil.exe root import set MyNamespace.txt \\ad.example.com\MyNamespace
	28
	29	If the target paths where not specified using FQDNs before, it is necessary to edit the meta-data, changing the hostnames to FQDNs, before reimporting the meta-data.
	30
	31	# Mounting a DFS root on Linux
	32
	33	In `/etc/fstab` place something like this:
	34
	35	//ad.example.com/MyNamespace /path/to/mointpoint cifs noauto,user,nosuid,nodev,noserverino,sec=krb5i,guest,uid=1000,gid=1000,soft,file_mode=0640,dir_mode=0750,iocharset=utf8,cruid=1000,forceuid,forcegid,noperm,nounix,vers=3.0 0 0
	36
	37	In this example, the UID and GID of the user who is supposed to use this share is `1000` and Kerberos authentication is used. The mount command should be executed as the user, because the root user will usually not have the required Kerberos ticket.
	38
	39	If mounting the share fails with an error message like:
	40
	41	mount error(126): Required key not available
	42
	43	You will have to edit `/etc/request-key.conf` or `/etc/request-key.d/cifs.spnego.conf` and look for a line like this:
	44
	45	create cifs.spnego * * /usr/sbin/cifs.upcall %k
	46
	47	You have to add the `-t` option to the `/usr/sbin/cifs.upcall` command. For example:
	48
	49	create cifs.spnego * * /usr/sbin/cifs.upcall -t %k
	50
	51	Using this option has security implications, so be sure to read the man page of `cifs.upcall` before doing this.
	52
	53	If you don’t mind explicitly specifying the target server instead of referring to the DFS root through the domain, you won’t have to add the `-t` parameter. In this case, use a slightly different line in `/etc/fstab`:
	54
	55	//myfileserver.ad.example.com/MyNamespace /path/to/mointpoint cifs noauto,user,nosuid,nodev,noserverino,sec=krb5i,guest,uid=1000,gid=1000,soft,file_mode=0640,dir_mode=0750,iocharset=utf8,cruid=1000,forceuid,forcegid,noperm,nounix,vers=3.0 0 0
	56
	57	It is still necessary to configure the DFS namespace server to use FQDNs in referrals, though.

Wiki source code of Distributed File System (DFS)