2011/03/21
1. Use case:
Sometimes you need to transfer large data files (e.g. VMware image files) between a Windows system and a Linux system. What I did before was to use the WinSCP client to transfer the data from Windows to Linux, or to get the data from Linux to Windows. Since it is a big file (2 GB), it takes about 30-60 minutes depending on your LAN speed.
The new solution is to use a Windows DFS shared drive in the Windows environment and mount the Windows DFS with Kerberos on the Linux systems. You can then write and get the file from all of your systems, and the file transfer is very fast (10 MB/s).
2. Package needed:
smbclient, pam_krb5 and krb5-client are needed to mount DFS with Kerberos.
In SLES11, just select the Kerberos client and smbclient in yast2; the packages will be installed automatically.
3. Configure Kerberos in Linux:
/etc/krb5.conf:
[libdefaults]
default_realm = <your domain name in upper case>
udp_preference_limit = 0
[realms]
<your domain name in upper case> = {
kdc = <your Active Directory server name>.<your domain name>
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
4. To apply for a TGT in Shell:
$root> kinit <Username>
In most cases the first letter of your Active Directory username should be in uppercase.
klist checks whether you have a TGT (ticket-granting ticket). As a result you should get the following in the shell:
klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: <your username>@<your domain name>
Valid starting Expires Service principal
08/30/10 12:21:22 08/30/10 22:21:25 krbtgt/<your domain name>@<your domain name>
renew until 08/31/10 12:21:22
Be careful when using the TGT for authentication: the client should use the same NTP time server as the TGT server.
5.a Mount the Windows DFS shared drive as “root” with mount.cifs:
Mount Command:
/sbin/mount.cifs <share path> <mount path> -o user=<Username>,dom=<domain name in Uppercase>,{sec=krb5|password=xxxxxx}
e.g. /sbin/mount.cifs //dfs/Home/Dummy /windowsShare -o user=Dummy,dom=DOMAIN1,sec=krb5
In this case the Windows share is reachable under “//dfs/Home/Dummy”, and the mount path on your Linux system is /windowsShare, which should be created with “mkdir” before you mount the DFS share. The user has the name “Dummy”. There should be NO files in the /windowsShare directory, otherwise the share directory will NOT be mounted.
5.b Access the Windows DFS shared drive as a non-root user:
If you don’t want to use root, you have to run “chmod u+s /sbin/mount.cifs” to set the setuid bit, which allows users to call mount.cifs (there should be no security issues about using this setuid bit). Then you can mount the Windows DFS shared drive as a non-root user by following the steps described in section 4.
If it is still not working on your Linux system, mount the DFS shared drive as “root” with the following command:
/sbin/mount.cifs <share path> <mount path> -o user=<Username>,dom=<domain name in Uppercase>,{sec=krb5|password=xxxxxx},uid=<read/write userid>
e.g.: /sbin/mount.cifs //dfs/Home/Dummy /windowsShare -o user=Dummy,dom=DOMAIN1,sec=krb5,uid=Dummy
In this example the option “uid=Dummy” allows the user Dummy to access the DFS shared drive after the root user has mounted it.
6. Make alias for the mount commands
in Dummy/home/.alias
$Dummy> vi .alias
Insert the following lines into the .alias file:
alias mws="/sbin/mount.cifs //dfs1/Home/Dummy /windowsShare -o user=Dummy,dom=DOMAIN1,sec=krb5"
alias ad="kinit Dummy"
With these aliases you only need the following commands to mount a Windows DFS share:
$ Dummy> ad
$ Dummy> mws
I wanted to access a full DFS tree of shared folders from my Windows Server 2008R2 network from an Ubuntu Linux 12.04 machine running on the same network.
My first attempt at using “sudo mount -t cifs …blah-blah-blah…” simply would not work. Sometimes it *seemed* to connect, but the folders were always empty. I wasted hours trying to figure out how to solve this.
Here is the original post I made on ServerFault.com asking for help, back in March 2012: http://serverfault.com/questions/370338/ubuntu-linux-cannot-see-files-in-folders-when-connected-to-a-dfs-tree-on-windo
I never solved the problem, that is, until I tried again in October 2012. I’m now running Ubuntu 12.04. So, I started all over… I tried a bunch of things from Google… And I finally got it working, even from “Connect to Server” in Nautilus!!!
These are the steps that finally made it work:
1. Enable/configure proper WINS resolution
Follow this discussion to enable WINS resolution of Windows computer names on the network http://askubuntu.com/questions/93302/windows-hostnames-are-not-resolved
Basically, it boils down to making this change:
2. Install SMBFS and KeyUtils
Every time I tried to call the MOUNT command, I was getting some error like “cifs_mount failed w/ return code = -22” that I could see by running dmesg | tail
So, some posts led me to install these things:
sudo apt-get install smbfs
sudo apt-get install keyutils
See: http://thats-not-working.blogspot.com/2008/02/cifssmb-mount-problem-on-debian.html
and http://technopragmatica.blogspot.com/2011/03/connecting-to-dfs-shares-with-ubuntu.html?m=1
Some posts state that the Samba stuff on Ubuntu is now deprecated or replaced by the newer CIFS stuff, and for some things, CIFS is the only thing needed, but I assure you that the original Samba package is also required to connect to a DFS tree on a Windows server.
You will notice that “smbfs” will also install “cifs-utils” if it’s not already installed.
3. Configure smb.conf
I also made a few tweaks in /etc/samba/smb.conf. Uncomment these lines, and enter the correct values for your network:
4. Finally – a very important discovery…
This is the magic that finally made this work for me!!! Changing one little parameter…
I happened to notice this teensy little difference in one of my files compared to a blog post referenced in the only reply to my original question on ServerFault.
In the /etc/request-key.conf, I changed this line:
create cifs.spnego * * /usr/sbin/cifs.upcall -c %k
to this:
create cifs.spnego * * /usr/sbin/cifs.upcall -t %k
Note: This file is created by the “keyutils” install. It was not present before, as I looked for it. I noticed that it appeared after installing keyutils via apt-get.
Two things to note here…
1. According to http://www.samba.org/samba/docs/man/manpages-3/cifs.upcall.8.html, the -c option is deprecated and is currently ignored. So, I don’t know why that option is included in the file in the first place.
2. Warning: The suggested -t option has something to do with “trusting” the DNS server to resolve and retrieve kerberos session keys. I really don’t understand what it all means, but it is explained in the link listed right above here. All I know is, from my trial-and-error testing, this allows Windows DFS tree mounting to work, and it DOES NOT work without -t on this one line.
So, read the above link to learn more about this and make sure it’s safe for your environment. I tried several times to make it work without the -t option, but whenever it connected it gave me folder names from the DFS tree, but they were empty when viewed in Nautilus.
You need to restart your terminal window after making these changes and before going to the final step below:
Finally, let’s connect to a DFS tree or any other shared folder on the server.
Open a new Terminal window, and type the following:
mount -t cifs //servername/sharename /mnt/temp --verbose -o username=my_user_name,password=my_password,workgroup=DOMAIN_NAME
The --verbose option adds logging info about the mount, which you can read from this command:
Or, from Nautilus file browser, you can use “Connect to Server” from the File menu, and make these entries in the dialog window:
Kaboom!!! It worked. At least for me.
Good luck to others who need this.
Created: April 2nd 2013
Last updated: May 1st 2020
Categories: Linux
Author: Marcus Fleuti
Howto mount a Windows DFS share on Debian Linux correctly
To be able to mount a DFS share correctly, you need to install the following tools on your Debian host:
aptitude install smbfs cifs-utils keyutils
After installing the tools you will be able to mount the share using one of these methods:
#1 Manually mounting a CIFS/SMB directory:
mount.cifs //myDomain.com/dfs_root/Sharename /mnt/cifs_mountpoint -o username=UserName,password=Passw0rd
#2 mounting with AUTOFS (automatic mounting)
Edit the file /etc/auto.master:
nano /etc/auto.master
Enter a line like this (timeout means: unmount after xx seconds):
/mnt/MyShare /etc/auto.smb --timeout 600
Edit the file /etc/auto.smb:
nano /etc/auto.smb
Enter the command to mount your directory (in the example we directly connect the DFS share on the domain controller):
MySMBShareName -fstype=smbfs,rw,soft,username=MyUsername,password=MyPassword ://servername/dfs/folder/subfolder
Save the file and change its permissions (Attention! The file must NOT be executable. If it is, the AUTOFS daemon won’t parse it):
chmod a-x /etc/auto.smb
chmod 600 /etc/auto.smb
Restart the AUTOFS daemon
/etc/init.d/autofs restart
Check if you can access your share:
cd /mnt/MyShare/MySMBShareName
Done.
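Both mount methods above put the password in cleartext in the mount options, where it ends up in shell history, the process list or the map file. This added example (not the author's code) flags such entries and writes a mount.cifs credentials file readable only by its owner; the function names and the credentials path are assumptions, and the sample lines are constructed from commands on this page.

```shell
#!/bin/sh
# Added example. The sample lines are constructed from commands on this page.

# Report lines (fstab, autofs map, alias file, script) that define a CIFS/SMB
# mount with the password inline. The secret is masked in the report.
find_inline_passwords() {
    awk '
    /^[ \t]*#/ { next }
    /cifs|smbfs/ && /pass(word)?=[^, "]/ {
        line = $0
        gsub(/pass(word)?=[^, "]+/, "password=****", line)
        printf "%d: %s\n", NR, line
    }'
}

# Write a mount.cifs credentials file (username/password/domain keys) with
# owner-only permissions. The password is read from stdin, never from argv.
write_credentials() {   # $1=path  $2=username  $3=domain
    ( umask 077
      IFS= read -r pw
      printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$pw" "$3" > "$1" )
}

# Succeeds only if the file grants nothing to group or others
# (checks the mode column of ls -ld, e.g. "-rw-------").
owner_only() {
    case "$(ls -ld "$1")" in ????------*) return 0 ;; *) return 1 ;; esac
}

sample_lines() {
cat <<'EOF'
MySMBShareName -fstype=smbfs,rw,soft,username=MyUsername,password=MyPassword ://servername/dfs/folder/subfolder
alias mws="/sbin/mount.cifs //dfs1/Home/Dummy /windowsShare -o user=Dummy,dom=DOMAIN1,sec=krb5"
mount.cifs //myDomain.com/dfs_root/Sharename /mnt/cifs_mountpoint -o username=UserName,password=Passw0rd
EOF
}

sample_lines | find_inline_passwords
# Replacement for a flagged entry (the credentials path is an assumption):
#   mount.cifs //myDomain.com/dfs_root/Sharename /mnt/cifs_mountpoint \
#       -o credentials=/root/.smbcredentials
```

The Kerberos alias line is not reported because it carries no password; the other two sample lines are.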
To mount DFS shares in Linux, the following lines must be appended to the file /etc/request-key.conf.
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
Once these lines have been appended, you may proceed with the following commands to mount the path.
Perform the following steps from within a terminal:
- You will probably want to specify the same uid and gid as the user account you are currently logged with. The following command can be used to determine these values.
id <username>
Replace username with the actual name of your user.
- Make a directory where you will mount the DFS network share path.
mkdir dfs-drive
- Mount command should be entered as one continuous line.
sudo mount.cifs -o username=,domain=wolftech,uid=,gid=ncsu //wolftech.ad.ncsu.edu/<rest of the DFS path> dfs-drive
Because you’re using sudo, you will be asked for a password twice: once to authenticate for sudo and again to authenticate for Active Directory access to your network share. After mounting the network share, you will be able to use commands like cp or rsync to copy files back and forth.
- When you are finished, you should unmount with the following command.
sudo umount dfs-drive
Resources:
Mike’s Technology and Finance Blog: How to Mount a DFS Share in Linux
I’ve kicked this around a few times and resigned myself to just using the non-DFS path to attach to. But we’ve recently changed some of the servers around and the paths have changed – obviously the DFS paths haven’t. So I thought I’d have a go at fixing the problem.
SMB is obviously working as I can connect to the share using the traditional path //servername/sharename. But when trying to use the DFS version //domain.local/shares/sharename it would fail to find the share.
This post provided the answer to my problems: http://mattslay.com/connecting-ubuntu-to-windows-shares-and-dfs-trees/
I added wins into my /etc/nsswitch.conf:
hosts: files wins dns mdns4_minimal [NOTFOUND=return]
I know, I’m not using wins, we don’t have wins, but let’s go there.
Then I edited my /etc/samba/smb.conf and added/amended some wins details under the [global] section, using one of the domain controllers as the IP address.
wins server = 192.168.0.55
name resolve order = host wins bcast
Finally changed the -c option in /etc/request-key.conf to -t on the cifs.spnego line:
create cifs.spnego * * /usr/sbin/cifs.upcall -t %k
Now I can connect to the DFS path using the GUI file manager smb://domain.local/shares/sharename or using the command line to mount the share.
$ sudo mount -t cifs //domain.local/shares/sharename /mnt/sharename --verbose -o username=myuser,vers=2.0
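An added example (not from any of the posts collected on this page): a small audit of request-key.conf entries that reports which cifs.upcall handlers pass -t, which the cifs.upcall man page documents as --trust-dns and describes as less secure than not trusting DNS, and which still pass the ignored -c. The sample configuration is constructed from the lines shown in the write-ups above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit cifs.upcall handlers in request-key.conf-style text.
# Field layout: create <type> <description> <callout> <program> <args...>

# Reads config on stdin and prints "<verdict> <key type> line=<n>" per handler:
#   TRUST_DNS   -t / --trust-dns is passed (reverse DNS decides the principal)
#   DEPRECATED  -c is passed (ignored by current cifs.upcall)
#   OK          neither flag is present
audit_upcall() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "create" && ($2 == "cifs.spnego" || $2 == "dns_resolver") {
        seen = 0; verdict = "OK"
        for (i = 5; i <= NF; i++) {
            if ($i ~ /cifs\.upcall$/) { seen = 1; continue }
            if (!seen) continue
            if ($i == "--trust-dns" || $i ~ /^-[A-Za-z]*t/) verdict = "TRUST_DNS"
            else if ($i ~ /^-[A-Za-z]*c/ && verdict == "OK") verdict = "DEPRECATED"
        }
        if (seen) printf "%s %s line=%d\n", verdict, $2, NR
    }'
}

# Exit status 0 when any handler trusts DNS; usable as a gate in a host check.
has_trust_dns() {
    audit_upcall | grep -q '^TRUST_DNS'
}

sample_conf() {
cat <<'EOF'
# constructed sample, not taken from a real host
create cifs.spnego * * /usr/sbin/cifs.upcall -c %k
create cifs.spnego * * /usr/sbin/cifs.upcall -t %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
EOF
}

sample_conf | audit_upcall
# On a real host: audit_upcall < /etc/request-key.conf
# (some distributions keep the handler under /etc/request-key.d/ instead)
```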