• Access DFS Shares from Mac OS X

    Posted on July 14th, 2011 Jorge Escala 11 comments

    The storage admins where I work have gone DFS mad. But if you’re a Mac user, that would just make you plain old mad. That’s because as great as DFS is for Windows users on an Active Directory domain, Mac OS X 10.6 Snow Leopard doesn’t know what to do with DFS paths.

    The rumor is that Lion 10.7, due any day now, will finally support DFS, but that doesn’t help me now. So I created a command line tool to help deal with Active Directory DFS shares from a Mac. No need for GroupLogic’s expensive ExtremeZ-IP DFSConnect!

    Here is some output to give you a taste:

    ~ $ dfstool -h
    dfstool (1.0)
    (c) 2011 Jorge Escala <http://jescala.com>
    usage: dfstool [option] [<dfspath>]
    options:
        -d <dc>      use <dc> domain controller to enumerate DFS shares
        -h           display this usage screen
        -l           display the complete dfs list
        -m <mntpnt>  mount the dfs path at <mntpnt>
        -M           mount the dfs path in ~/Network/
        -v           display version
    ~ $ dfstool -M '\\ad\dfs\shared\files'
    ~ $ df -h | tail -1
    //server/shared/files    1.3Ti  827Gi  551Gi    61%    /Users/jescala/Network/shared/files

    This code is available under the BSD license and can be downloaded here:

    dfstool-1.0.tgz
    MD5: eccd511ab256224f9bc1214396e0e0ae

    UPDATE: I’ve received some feedback about the -d switch not working and the need for a -u switch. I developed and tested dfstool almost exclusively on AD joined Macs since that is what we have in our environment. I’m going to set up a test environment next week and work out all the kinks for non-AD-joined Macs. In the meantime, modify the adserver variable in line 40 of the script to point to your domain controller and post your feedback here.

    UPDATE 2: I posted version 1.1 of dfstool. Visit this post for more info and discussion.

     

    11 responses to “Access DFS Shares from Mac OS X”

    • What if you’re using standalone (non-domain based) namespace servers? Any way to get this tool to work?

      • We’re using this on Macs joined to an Active Directory domain. Users are AD accounts and they are able to connect to the shares without authentication using Kerberos. If you’re not logged in with an AD account, you’ll need to provide a user and password. I can add an option to provide your user ID but I think you’ll get prompted for the password once for the DFS lookup and again for the mount if you used the -m or -M options. Alternatively, you might be able to use Kerberos if you grab a ticket with kinit or /System/Library/CoreServices/Ticket Viewer.app. Try them out and let me know how it goes. I’ll use your feedback to improve the script.

        • Hi Jorge,

          I’m not sure if you understood my question. There are two types of DFS shares:

          1. The most “common” type which is domain-based DFS namespaces that are accessed directly from the domain controller \\dc\share\etc

          2. The second is called a “standalone” namespace server. Essentially, this is just a regular server (ie: Windows 2008 R2) that has the “DFS Namespace” role attached to it. You access the DFS shares by using \\server\share\etc

          The “Stand alone” servers are most commonly used within smaller departments, etc. who don’t have access to modify the central DC and add shares (so they create standalone servers). This means you can’t enumerate the shares on the DC like in your code (I’ve briefly looked through it).

          Ideally, while your solution works, it still does not solve the problem of being able to dynamically resolve DFS target links (this is a Mac OS X issue, not necessarily your program). This means in a situation where you would have a DFS “Namespace” (or more commonly known as a Share) and mount the root of the share (which contains DFS target links to other servers), you would not be able to resolve those links when you “cd” into the folder. This is where Thursby and Z-IP provide solutions (I know with ADmitMac, you can mount a root share with tons of DFS links and the new cifs stack provided by Thursby will resolve those).

          Nice little work-around though, I wish it would work for our situation as we have a lot of Macs but not a lot of budget to purchase licenses of Thursby or Extreme Z-IP.

          • You’re right. I thought you meant standalone clients. It had not occurred to me that it was possible to use the DFS Namespace role on a standalone server. What happens if you use this command with the standalone server instead of a domain controller?

            rpcclient -k --command='dfsenum 3' dfs.server.fqdn

    • Jorge,

      Awesome stuff.

      thanks,

      macguitarman@gmail.com

    • Sinbad the coder

      Thursby software’s DAVE and ADmitMac have included DFS support for Macs for the past decade. No changes in data center infrastructure are required to deploy it.

      ZIP is server-based and is usually seen in organizations where legacy AFP is the main driver rather than native integration with Windows Servers, NAS and Samba under DFS and SMB/CIFS.

      Would recommend trying evaluation copies rather than simply believing marketing or hype from any vendor, especially Apple which is 99.999% consumer rather than enterprise focused.

      Charts with check boxes on web pages are easy to fill but scalable, performing, well-supported solutions are somewhat harder to deliver and can take years to get right.

      Apple’s Enterprise OS X support runs $50,000/year, which isn’t that affordable especially on machines at $1,500 but everyone has their own view on what’s affordable or not.

      The most expensive solutions are ones that don’t work, cause lots of down time and have IT folks spending hours on forums tracking down this script and work-around or that, with costs moving from the software bucket to staff bucket.

      • Hi Sinbad,

        Thanks for the response! In the past, we used older releases of ADmitMac and it is a fine solution for AD integration. We also evaluated ExtremeZ-IP about a year ago, and if you want AFP, it is better than what Apple has to offer especially now that Apple has no real server solution. (I don’t want to get started on that tangent.) But GroupLogic’s Zidget with its indexing server requirement seemed like an expensive kludge since we didn’t have a need for their AFP services. I’ve not tried DAVE so I can’t really comment on it, but it certainly seems like a viable tool worth trying.

    • After reading your posts, I’m not sure if this is the same thing and if not you seem to know more about the Mac O.S. than most forums I have read. However, I will still ask because I have yet to be able to find anything else to help with this subject. In our office we support both Mac and Windows. We have a Windows Small Business Server 2003 that everyone on the network has access to its shared drives. Here is my situation: we just purchased a MacBook Pro with the Lion O.S. The employee using this computer has run into the following problem: When she saves a file on her desktop and then tries to save the file to the Graphics drive (G:) on the server it saves fine. If she tries to re-open that file from the server it gives her an error message that the file is locked or she does not have permission to view this file. If someone else tries to open this file from their computer they get the same message. The file on the server is then completely locked and cannot be moved, deleted, or opened. Any idea as to why this is happening and is it because of the new Lion O.S.? Her computer has been joined to the Active Directory for our server and everything was set up identical to the other Macs in the office. (Those Macs are running Snow Leopard and Leopard.) Any help on this issue would greatly be appreciated.

      • Seeing as how the problem occurs with Lion but not with Leopard or Snow Leopard, it seems like there may be a bug with Lion. And this is not surprising because Apple basically reimplemented the SMB client for OS X Lion. Before Lion, Apple used the open source Samba client for SMB access. But in Lion, they replaced it with their own code. (Side note: This is why Lion now supports accessing DFS shares.)

        I’ve personally not had a chance to test Lion in our environment due to a nasty bug in our NAS that causes it to crash if a Lion client attempts to connect to it. However, it would be interesting to see if the files are somehow getting locked when they are getting copied to the SMB share from the Lion client. Try the “ls -lO” command to see if the uchg (user immutable) or schg (system immutable) flags are getting applied to the files. For example:

        jescala$ ls -lO
        total 24
        -rw-r--r--  1 jescala  staff  -    6 Aug  9 10:00 file1
        -rw-r--r--  1 jescala  staff  uchg 6 Aug  9 10:07 file2
        -rw-r--r--  1 jescala  staff  schg 6 Aug  9 10:07 file3
        

        If so, you can use the chflags command to remove those locks.
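Added example, not part of the original comment or of dfstool: a portable sh/awk helper that reads `ls -lO` output like the listing above and prints, without running it, the chflags command that would clear each uchg or schg flag. The helper name unlock_commands and the fourth sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): read `ls -lO` output and print,
# without running it, the chflags command that clears each immutable flag.

# Constructed sample listing: the three lines from the comment plus one
# made-up file with a space in its name and a second flag.
sample_listing() {
cat <<'EOF'
total 24
-rw-r--r--  1 jescala  staff  -    6 Aug  9 10:00 file1
-rw-r--r--  1 jescala  staff  uchg 6 Aug  9 10:07 file2
-rw-r--r--  1 jescala  staff  schg 6 Aug  9 10:07 file3
-rw-r--r--  1 jescala  staff  uchg,hidden 6 Aug  9 10:09 art work.psd
EOF
}

# unlock_commands (hypothetical helper name): stdin is `ls -lO` output.
unlock_commands() {
    awk -v q="'" '
    NF < 10 { next }                    # "total" line and blank lines
    {
        clear = ""; root = 0
        n = split($5, flag, ",")        # flags column is comma-separated
        for (i = 1; i <= n; i++) {
            if (flag[i] == "uchg") clear = clear (clear == "" ? "" : ",") "nouchg"
            if (flag[i] == "schg") { clear = clear (clear == "" ? "" : ",") "noschg"; root = 1 }
        }
        if (clear == "") next           # no immutable flag on this file

        # Drop the nine columns before the name, keeping inner spaces.
        name = $0
        for (i = 1; i <= 9; i++) sub(/^[ \t]*[^ \t]+/, "", name)
        sub(/^[ \t]/, "", name)

        # Single-quote the name for the shell, escaping embedded quotes.
        m = split(name, part, q); quoted = part[1]
        for (i = 2; i <= m; i++) quoted = quoted q "\\" q q part[i]

        # schg is the system flag, so only the superuser can clear it.
        printf "%s%s %s %s\n", (root ? "sudo " : ""), "chflags", clear, q quoted q
    }'
}

sample_listing | unlock_commands
```

On a Mac, pipe the real listing in with `ls -lO | unlock_commands` and review the printed commands before running any of them.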

        • Sorry, it took so long to respond back to you. I did not try this because I actually found a work around. I did not add a mobileme account to the new Mac like I did all the others. Instead I let the employee just use the main administrator account and everything is working fine. The only other thing I had to do was to add the share drives to the launch at login option so she would not have to manually connect to the server every day she turned her computer on.

          By deleting the mobileme account it helped and bypassed my problem.

          Thanks again for your help though.
