cifs SRV record

cifs SRV record

[steve]

Hi
Is it possible to have cifs SRV rrs like ldap and kerberos where clients
can look for the service themselves? We'd like to be able to offer
shares on more than one server without the cluster stuff.

ATM we have e.g.
mount -t cifs //server/share -owhatever

Our question is, would having cifs SRV be a  way around having to
specify a specific server?
Cheers,
Steve

Re: cifs SRV record

[Bob Balsover]

Why not just use DFS? I believe that this is what it was designed for.

-Bob

> Hi
> Is it possible to have cifs SRV rrs like ldap and kerberos where clients
> can look for the service themselves? We'd like to be able to offer
> shares on more than one server without the cluster stuff.
>
> ATM we have e.g.
> mount -t cifs //server/share -owhatever
>
> Our question is, would having cifs SRV be a  way around having to
> specify a specific server?
> Cheers,
> Steve
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: cifs SRV record

[Steve French]

On Wed, Jun 18, 2014 at 5:01 PM, Bob Balsover <cifs-MPfZBXey4klWk0Htik3J/w@public.gmane.org> wrote:
> Why not just use DFS? I believe that this is what it was designed for.
>
> -Bob


Yes.  DFS should be used for this.  Fairly easy to setup on server
(Samba or Windows or NetApp, although very different setup on Samba
than Windows) and the client supports it (whether Linux or Windows).



>> Hi
>> Is it possible to have cifs SRV rrs like ldap and kerberos where clients
>> can look for the service themselves? We'd like to be able to offer
>> shares on more than one server without the cluster stuff.
>>
>> ATM we have e.g.
>> mount -t cifs //server/share -owhatever
>>
>> Our question is, would having cifs SRV be a  way around having to
>> specify a specific server?



-- 
Thanks,

Steve

Re: cifs SRV record

[steve]

On Wed, 2014-06-18 at 18:10 -0500, Steve French wrote:
> On Wed, Jun 18, 2014 at 5:01 PM, Bob Balsover <cifs-MPfZBXey4klWk0Htik3J/w@public.gmane.org> wrote:
> > Why not just use DFS? I believe that this is what it was designed for.
> >
> > -Bob
> 
> 
> Yes.  DFS should be used for this.  Fairly easy to setup on server
> (Samba or Windows or NetApp, although very different setup on Samba
> than Windows) and the client supports it (whether Linux or Windows).

Hi
Thanks. I know I can do that for windows clients but our Linux boxes (in
the same domain) use autofs e.g.
* -fstype=cifs,sec=krb5,multiuser ://server/share/&
Will the automounter still work from a DFS share and will it still do
the wild card like vanilla cifs?

What we'd like to do is add a second samba file server and sync the data
between them. Is DFS the way to go for this?
Cheers,
Steve
 
> 
> 
> 
> >> Hi
> >> Is it possible to have cifs SRV rrs like ldap and kerberos where clients
> >> can look for the service themselves? We'd like to be able to offer
> >> shares on more than one server without the cluster stuff.
> >>
> >> ATM we have e.g.
> >> mount -t cifs //server/share -owhatever
> >>
> >> Our question is, would having cifs SRV be a  way around having to
> >> specify a specific server?
> 
> 
> 

Re: cifs SRV record

[Bob Balsover]

Steve, DFS should still work.  The server address is resolved by the
kernel cifs code and the share will be resolved correctly.

-Bob

> On Wed, 2014-06-18 at 18:10 -0500, Steve French wrote:
>> On Wed, Jun 18, 2014 at 5:01 PM, Bob Balsover <cifs-MPfZBXey4klWk0Htik3J/w@public.gmane.org> wrote:
>> > Why not just use DFS? I believe that this is what it was designed for.
>> >
>> > -Bob
>>
>>
>> Yes.  DFS should be used for this.  Fairly easy to setup on server
>> (Samba or Windows or NetApp, although very different setup on Samba
>> than Windows) and the client supports it (whether Linux or Windows).
>
> Hi
> Thanks. I know I can do that for windows clients but our Linux boxes (in
> the same domain) use autofs e.g.
> * -fstype=cifs,sec=krb5,multiuser ://server/share/&
> Will the automounter still work from a DFS share and will it still do
> the wild card like vanilla cifs?
>
> What we'd like to do is add a second samba file server and sync the data
> between them. Is DFS the way to go for this?
> Cheers,
> Steve
>
>>
>>
>>
>> >> Hi
>> >> Is it possible to have cifs SRV rrs like ldap and kerberos where
>> clients
>> >> can look for the service themselves? We'd like to be able to offer
>> >> shares on more than one server without the cluster stuff.
>> >>
>> >> ATM we have e.g.
>> >> mount -t cifs //server/share -owhatever
>> >>
>> >> Our question is, would having cifs SRV be a  way around having to
>> >> specify a specific server?
>>
>>
>>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: cifs SRV record

[steve]

On Thu, 2014-06-19 at 09:39 -0700, Bob Balsover wrote:
> Steve, DFS should still work.  The server address is resolved by the
> kernel cifs code and the share will be resolved correctly.
> 
> -Bob
> 
Hi
But we don't want to have to specify the server. We want the share to be
either of the servers in the domain containing our synced data. Hence (I
think) your suggestion of DFS.

I know that on windows you can specify
\\domain\share
and dfs will find any server in the domain that has the share.

1. Can samba/cifs servers be configured to do that?
2. Can Linux clients mount such configurations?
3. Is there a howto?

Thanks,
Steve


> > On Wed, 2014-06-18 at 18:10 -0500, Steve French wrote:
> >> On Wed, Jun 18, 2014 at 5:01 PM, Bob Balsover <cifs-MPfZBXey4klWk0Htik3J/w@public.gmane.org> wrote:
> >> > Why not just use DFS? I believe that this is what it was designed for.
> >> >
> >> > -Bob
> >>
> >>
> >> Yes.  DFS should be used for this.  Fairly easy to setup on server
> >> (Samba or Windows or NetApp, although very different setup on Samba
> >> than Windows) and the client supports it (whether Linux or Windows).
> >
> > Hi
> > Thanks. I know I can do that for windows clients but our Linux boxes (in
> > the same domain) use autofs e.g.
> > * -fstype=cifs,sec=krb5,multiuser ://server/share/&
> > Will the automounter still work from a DFS share and will it still do
> > the wild card like vanilla cifs?
> >
> > What we'd like to do is add a second samba file server and sync the data
> > between them. Is DFS the way to go for this?
> > Cheers,
> > Steve
> >
> >>
> >>
> >>
> >> >> Hi
> >> >> Is it possible to have cifs SRV rrs like ldap and kerberos where
> >> clients
> >> >> can look for the service themselves? We'd like to be able to offer
> >> >> shares on more than one server without the cluster stuff.
> >> >>
> >> >> ATM we have e.g.
> >> >> mount -t cifs //server/share -owhatever
> >> >>
> >> >> Our question is, would having cifs SRV be a  way around having to
> >> >> specify a specific server?
> >>
> >>
> >>
> >
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >
> 

Re: cifs SRV record

[Bob Balsover]

Why don't you try it and tell us if you have a problem.

> On Thu, 2014-06-19 at 09:39 -0700, Bob Balsover wrote:
>> Steve, DFS should still work.  The server address is resolved by the
>> kernel cifs code and the share will be resolved correctly.
>>
>> -Bob
>>
> Hi
> But we don't want to have to specify the server. We want the share to be
> either of the servers in the domain containing our synced data. Hence (I
> think) your suggestion of DFS.
>
> I know that on windows you can specify
> \\domain\share
> and dfs will find any server in the domain that has the share.
>
> 1. Can samba/cifs servers be configured to do that?
> 2. Can Linux clients mount such configurations?
> 3. Is there a howto?
>
> Thanks,
> Steve
>
>
>> > On Wed, 2014-06-18 at 18:10 -0500, Steve French wrote:
>> >> On Wed, Jun 18, 2014 at 5:01 PM, Bob Balsover <cifs-MPfZBXey4klWk0Htik3J/w@public.gmane.org>
>> wrote:
>> >> > Why not just use DFS? I believe that this is what it was designed
>> for.
>> >> >
>> >> > -Bob
>> >>
>> >>
>> >> Yes.  DFS should be used for this.  Fairly easy to setup on server
>> >> (Samba or Windows or NetApp, although very different setup on Samba
>> >> than Windows) and the client supports it (whether Linux or Windows).
>> >
>> > Hi
>> > Thanks. I know I can do that for windows clients but our Linux boxes
>> (in
>> > the same domain) use autofs e.g.
>> > * -fstype=cifs,sec=krb5,multiuser ://server/share/&
>> > Will the automounter still work from a DFS share and will it still do
>> > the wild card like vanilla cifs?
>> >
>> > What we'd like to do is add a second samba file server and sync the
>> data
>> > between them. Is DFS the way to go for this?
>> > Cheers,
>> > Steve
>> >
>> >>
>> >>
>> >>
>> >> >> Hi
>> >> >> Is it possible to have cifs SRV rrs like ldap and kerberos where
>> >> clients
>> >> >> can look for the service themselves? We'd like to be able to offer
>> >> >> shares on more than one server without the cluster stuff.
>> >> >>
>> >> >> ATM we have e.g.
>> >> >> mount -t cifs //server/share -owhatever
>> >> >>
>> >> >> Our question is, would having cifs SRV be a  way around having to
>> >> >> specify a specific server?
>> >>
>> >>
>> >>
>> >
>> >
>> > --
>> > To unsubscribe from this list: send the line "unsubscribe linux-cifs"
>> in
>> > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
>> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> >
>>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: cifs SRV record

[steve]

On Thu, 2014-06-19 at 10:12 -0700, Bob Balsover wrote:
> Why don't you try it and tell us if you have a problem.
Whilst we can find this:
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/msdfs.html
There seems to be nothing on domain dfs.
Could you give us a pointer?
If it's not possible, no problem. Just that we'd rather use samba
servers.
Thanks.


> 
> > On Thu, 2014-06-19 at 09:39 -0700, Bob Balsover wrote:
> >> Steve, DFS should still work.  The server address is resolved by the
> >> kernel cifs code and the share will be resolved correctly.
> >>
> >> -Bob
> >>
> > Hi
> > But we don't want to have to specify the server. We want the share to be
> > either of the servers in the domain containing our synced data. Hence (I
> > think) your suggestion of DFS.
> >
> > I know that on windows you can specify
> > \\domain\share
> > and dfs will find any server in the domain that has the share.
> >
> > 1. Can samba/cifs servers be configured to do that?
> > 2. Can Linux clients mount such configurations?
> > 3. Is there a howto?
> >
> > Thanks,
> > Steve
> >
> >
> >> > On Wed, 2014-06-18 at 18:10 -0500, Steve French wrote:
> >> >> On Wed, Jun 18, 2014 at 5:01 PM, Bob Balsover <cifs-MPfZBXey4klWk0Htik3J/w@public.gmane.org>
> >> wrote:
> >> >> > Why not just use DFS? I believe that this is what it was designed
> >> for.
> >> >> >
> >> >> > -Bob
> >> >>
> >> >>
> >> >> Yes.  DFS should be used for this.  Fairly easy to setup on server
> >> >> (Samba or Windows or NetApp, although very different setup on Samba
> >> >> than Windows) and the client supports it (whether Linux or Windows).
> >> >
> >> > Hi
> >> > Thanks. I know I can do that for windows clients but our Linux boxes
> >> (in
> >> > the same domain) use autofs e.g.
> >> > * -fstype=cifs,sec=krb5,multiuser ://server/share/&
> >> > Will the automounter still work from a DFS share and will it still do
> >> > the wild card like vanilla cifs?
> >> >
> >> > What we'd like to do is add a second samba file server and sync the
> >> data
> >> > between them. Is DFS the way to go for this?
> >> > Cheers,
> >> > Steve
> >> >
> >> >>
> >> >>
> >> >>
> >> >> >> Hi
> >> >> >> Is it possible to have cifs SRV rrs like ldap and kerberos where
> >> >> clients
> >> >> >> can look for the service themselves? We'd like to be able to offer
> >> >> >> shares on more than one server without the cluster stuff.
> >> >> >>
> >> >> >> ATM we have e.g.
> >> >> >> mount -t cifs //server/share -owhatever
> >> >> >>
> >> >> >> Our question is, would having cifs SRV be a  way around having to
> >> >> >> specify a specific server?
> >> >>
> >> >>
> >> >>
> >> >
> >> >
> >> > --
> >> > To unsubscribe from this list: send the line "unsubscribe linux-cifs"
> >> in
> >> > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> >> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >> >
> >>
> >
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >
> 

Re: cifs SRV record

[Bob Balsover]

Steve, you appear to be beating a dead horse. Assuming you are using a
somewhat current kernel just place the DFS share in your client's
configuration file and try it. I am currently working with this kernel
code and it works fine.

> On Thu, 2014-06-19 at 10:12 -0700, Bob Balsover wrote:
>> Why don't you try it and tell us if you have a problem.
> Whilst we can find this:
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/msdfs.html
> There seems to be nothing on domain dfs.
> Could you give us a pointer?
> If it's not possible, no problem. Just that we'd rather use samba
> servers.
> Thanks.
>
>
>>
>> > On Thu, 2014-06-19 at 09:39 -0700, Bob Balsover wrote:
>> >> Steve, DFS should still work.  The server address is resolved by the
>> >> kernel cifs code and the share will be resolved correctly.
>> >>
>> >> -Bob
>> >>
>> > Hi
>> > But we don't want to have to specify the server. We want the share to
>> be
>> > either of the servers in the domain containing our synced data. Hence
>> (I
>> > think) your suggestion of DFS.
>> >
>> > I know that on windows you can specify
>> > \\domain\share
>> > and dfs will find any server in the domain that has the share.
>> >
>> > 1. Can samba/cifs servers be configured to do that?
>> > 2. Can Linux clients mount such configurations?
>> > 3. Is there a howto?
>> >
>> > Thanks,
>> > Steve
>> >
>> >
>> >> > On Wed, 2014-06-18 at 18:10 -0500, Steve French wrote:
>> >> >> On Wed, Jun 18, 2014 at 5:01 PM, Bob Balsover <cifs-MPfZBXey4klWk0Htik3J/w@public.gmane.org>
>> >> wrote:
>> >> >> > Why not just use DFS? I believe that this is what it was
>> designed
>> >> for.
>> >> >> >
>> >> >> > -Bob
>> >> >>
>> >> >>
>> >> >> Yes.  DFS should be used for this.  Fairly easy to setup on server
>> >> >> (Samba or Windows or NetApp, although very different setup on
>> Samba
>> >> >> than Windows) and the client supports it (whether Linux or
>> Windows).
>> >> >
>> >> > Hi
>> >> > Thanks. I know I can do that for windows clients but our Linux
>> boxes
>> >> (in
>> >> > the same domain) use autofs e.g.
>> >> > * -fstype=cifs,sec=krb5,multiuser ://server/share/&
>> >> > Will the automounter still work from a DFS share and will it still
>> do
>> >> > the wild card like vanilla cifs?
>> >> >
>> >> > What we'd like to do is add a second samba file server and sync the
>> >> data
>> >> > between them. Is DFS the way to go for this?
>> >> > Cheers,
>> >> > Steve
>> >> >
>> >> >>
>> >> >>
>> >> >>
>> >> >> >> Hi
>> >> >> >> Is it possible to have cifs SRV rrs like ldap and kerberos
>> where
>> >> >> clients
>> >> >> >> can look for the service themselves? We'd like to be able to
>> offer
>> >> >> >> shares on more than one server without the cluster stuff.
>> >> >> >>
>> >> >> >> ATM we have e.g.
>> >> >> >> mount -t cifs //server/share -owhatever
>> >> >> >>
>> >> >> >> Our question is, would having cifs SRV be a  way around having
>> to
>> >> >> >> specify a specific server?
>> >> >>
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >> > --
>> >> > To unsubscribe from this list: send the line "unsubscribe
>> linux-cifs"
>> >> in
>> >> > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
>> >> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> >> >
>> >>
>> >
>> >
>> > --
>> > To unsubscribe from this list: send the line "unsubscribe linux-cifs"
>> in
>> > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
>> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> >
>>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: cifs SRV record

[steve]

On Thu, 2014-06-19 at 12:17 -0700, Bob Balsover wrote:
> Steve, you appear to be beating a dead horse. Assuming you are using a
> somewhat current kernel just place the DFS share in your client's
> configuration file and try it. I am currently working with this kernel
> code and it works fine.

OK, here's our first attempt:

[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
host msdfs = yes

[users]
path = /home/users
read only = No

[dfs]
path = /home/samba/dfs
msdfs root = yes
- - -

alfaz:/home/samba/dfs # ls -l
total 0
lrwxrwxrwx 1 root root 17 Jun 20 13:57 users -> msdfs:alfaz\users
- - -

klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
   1 host/alfaz.hh3.site-UiqEU/D402Y@public.gmane.org
   1 host/alfaz.hh3.site-UiqEU/D402Y@public.gmane.org
   1 host/alfaz.hh3.site-UiqEU/D402Y@public.gmane.org
   1 host/alfaz.hh3.site-UiqEU/D402Y@public.gmane.org
   1 host/alfaz.hh3.site-UiqEU/D402Y@public.gmane.org
   1 host/alfaz-UiqEU/D402Y@public.gmane.org
   1 host/alfaz-UiqEU/D402Y@public.gmane.org
   1 host/alfaz-UiqEU/D402Y@public.gmane.org
   1 host/alfaz-UiqEU/D402Y@public.gmane.org
   1 host/alfaz-UiqEU/D402Y@public.gmane.org
   1 ALFAZ$@HH3.SITE
   1 ALFAZ$@HH3.SITE
   1 ALFAZ$@HH3.SITE
   1 ALFAZ$@HH3.SITE
   1 ALFAZ$@HH3.SITE
   1 cifsuser-UiqEU/D402Y@public.gmane.org


This works fine:
 mount -t cifs //alfaz/dfs/users /mnt
-osec=krb5,username=cifsuser,multiuser

cifsuser gets a ticket:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cifsuser-UiqEU/D402Y@public.gmane.org

Valid starting       Expires              Service principal
06/20/2014 13:20:31  06/20/2014 23:20:31  krbtgt/HH3.SITE-UiqEU/D402Y@public.gmane.org
	renew until 06/21/2014 13:20:31
06/20/2014 13:35:32  06/20/2014 23:20:31  cifs/alfaz@
	renew until 06/21/2014 13:20:31
06/20/2014 13:35:32  06/20/2014 23:20:31  cifs/alfaz-UiqEU/D402Y@public.gmane.org
	renew until 06/21/2014 13:20:31

And the share is mounted:
ls /mnt
Administrator  br2  cifsuser  julie  julie2  lynn2  steve2  steve3 
However, there's no advantage in using dfs for that becaause we've had
to specify the server.

But that's not what we want. So, after some googling, we include the
domain:
mount -t cifs //hh3.site/dfs/users /mnt
-osec=krb5,username=cifsuser,multiuser
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
It doesn't mount.

And the KDC responds:
Kerberos: TGS-REQ cifsuser-UiqEU/D402Y@public.gmane.org from ipv4:192.168.1.102:51585 for
cifs/hh3.site-UiqEU/D402Y@public.gmane.org [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server
cifs/hh3.site-UiqEU/D402Y@public.gmane.org that was not found
Failed find a single entry for
(&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got
0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE-UiqEU/D402Y@public.gmane.org: no such
entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.102:51585
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ cifsuser-UiqEU/D402Y@public.gmane.org from ipv4:192.168.1.102:51586 for
krbtgt/SITE-UiqEU/D402Y@public.gmane.org [renewable]
Failed find a single entry for
(&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got
0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/SITE-UiqEU/D402Y@public.gmane.org: no such
entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.102:51586

How do we tell cifs to look in the domain for a dfs share server?

Samba4 DC running samba with Samba4 file server running smbd all on
openSUSE 13.1

Thanks for your patience.
Steve

Re: cifs SRV record

[steve]

On Fri, 2014-06-20 at 14:14 +0200, steve wrote:
> On Thu, 2014-06-19 at 12:17 -0700, Bob Balsover wrote:
> > Steve, you appear to be beating a dead horse. Assuming you are using a
> > somewhat current kernel just place the DFS share in your client's
> > configuration file and try it. I am currently working with this kernel
> > code and it works fine.
> 
> OK, here's our first attempt:
> 
> [global]
> workgroup = HH3
> realm = HH3.SITE
> security = ADS
> kerberos method = system keytab
> host msdfs = yes
> 
> [users]
> path = /home/users
> read only = No
> 
> [dfs]
> path = /home/samba/dfs
> msdfs root = yes
> - - -
> 
> alfaz:/home/samba/dfs # ls -l
> total 0
> lrwxrwxrwx 1 root root 17 Jun 20 13:57 users -> msdfs:alfaz\users
> - - -
> 
> klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    1 host/alfaz.hh3.site-UiqEU/D402Y@public.gmane.org
>    1 host/alfaz.hh3.site-UiqEU/D402Y@public.gmane.org
>    1 host/alfaz.hh3.site-UiqEU/D402Y@public.gmane.org
>    1 host/alfaz.hh3.site-UiqEU/D402Y@public.gmane.org
>    1 host/alfaz.hh3.site-UiqEU/D402Y@public.gmane.org
>    1 host/alfaz-UiqEU/D402Y@public.gmane.org
>    1 host/alfaz-UiqEU/D402Y@public.gmane.org
>    1 host/alfaz-UiqEU/D402Y@public.gmane.org
>    1 host/alfaz-UiqEU/D402Y@public.gmane.org
>    1 host/alfaz-UiqEU/D402Y@public.gmane.org
>    1 ALFAZ$@HH3.SITE
>    1 ALFAZ$@HH3.SITE
>    1 ALFAZ$@HH3.SITE
>    1 ALFAZ$@HH3.SITE
>    1 ALFAZ$@HH3.SITE
>    1 cifsuser-UiqEU/D402Y@public.gmane.org
> 
> 
> This works fine:
>  mount -t cifs //alfaz/dfs/users /mnt
> -osec=krb5,username=cifsuser,multiuser
> 
> cifsuser gets a ticket:
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: cifsuser-UiqEU/D402Y@public.gmane.org
> 
> Valid starting       Expires              Service principal
> 06/20/2014 13:20:31  06/20/2014 23:20:31  krbtgt/HH3.SITE-UiqEU/D402Y@public.gmane.org
> 	renew until 06/21/2014 13:20:31
> 06/20/2014 13:35:32  06/20/2014 23:20:31  cifs/alfaz@
> 	renew until 06/21/2014 13:20:31
> 06/20/2014 13:35:32  06/20/2014 23:20:31  cifs/alfaz-UiqEU/D402Y@public.gmane.org
> 	renew until 06/21/2014 13:20:31
> 
> And the share is mounted:
> ls /mnt
> Administrator  br2  cifsuser  julie  julie2  lynn2  steve2  steve3 
> However, there's no advantage in using dfs for that becaause we've had
> to specify the server.
> 
> But that's not what we want. So, after some googling, we include the
> domain:
> mount -t cifs //hh3.site/dfs/users /mnt
> -osec=krb5,username=cifsuser,multiuser
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> It doesn't mount.
> 
> And the KDC responds:
> Kerberos: TGS-REQ cifsuser-UiqEU/D402Y@public.gmane.org from ipv4:192.168.1.102:51585 for
> cifs/hh3.site-UiqEU/D402Y@public.gmane.org [canonicalize, renewable]
> Kerberos: Searching referral for hh3.site
> Kerberos: Returning a referral to realm SITE for server
> cifs/hh3.site-UiqEU/D402Y@public.gmane.org that was not found
> Failed find a single entry for
> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got
> 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SITE-UiqEU/D402Y@public.gmane.org: no such
> entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.102:51585
> Terminating connection - 'kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED]
> Kerberos: TGS-REQ cifsuser-UiqEU/D402Y@public.gmane.org from ipv4:192.168.1.102:51586 for
> krbtgt/SITE-UiqEU/D402Y@public.gmane.org [renewable]
> Failed find a single entry for
> (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got
> 0
> Kerberos: samba_kdc_fetch: could not find principal in DB
> Kerberos: Server not found in database: krbtgt/SITE-UiqEU/D402Y@public.gmane.org: no such
> entry found in hdb
> Kerberos: Failed building TGS-REP to ipv4:192.168.1.102:51586
> 
> How do we tell cifs to look in the domain for a dfs share server?
> 
> Samba4 DC running samba with Samba4 file server running smbd all on
> openSUSE 13.1
> 
> Thanks for your patience.
> Steve

Our second try with the Microsoft ad dfs tools:
https://lists.samba.org/archive/samba/2014-June/182387.html

Third attempt:
We add a second file server to the domain called villena:

lrwxrwxrwx 1 root root 17 Jun 20 13:57 users -> msdfs:villena
\users,msdfs:alfaz\users

 We can mount shares fine from villena but if villena is not available
and we call alfaz for the share (exactly as before):

mount -t
cifs //alfaz/dfs/users /mnt-osec=krb5,username=cifsuser,multiuser

it fails to mount:
Unable to find address.
It seems that if the first file server is unavailable, the second one is
not consulted.

Any comments or guidance on what should work and what we can and cannot
expect to work with samba/dfs/cifs would be most welcome. 

Thanks for your patience,
Steve