[Samba] Samba Shares based on NFS

Tobias Kirchhofer collect at shift.agency
Wed Jan 29 21:04:35 UTC 2020 

Hi, this is my first time posting in this group. I hope you'll be 
patient with me :-)

We prepare a next gen setup replacing Samba 3 with Samba 4. First time 
with a Domain Controller (DC1) and a joined Fileserver (FS1). We have 
around 30 macOS, 5 Windows and a few Linux machines which are all going 
to be integrated in the new DC.

Our test setup is quite promising. We can join all types of clients 
without problems so far. Fun! But now we're faced with a problem that we 
can't seem to solve. The NFS based Samba shares are not stable. We can 
perfectly connect as an AD user to the file server and start copying 
files, but after a short time Input/Output errors appear or Permission 
denied messages arise. This happens only on macOS machines.

CentOS 8 VMs:

- dc1.ad.example.com
- fs1.ad.example.com
- nfs.lan.example.com

FS1 shares are realized with a NFS mount which is an exported ZFS 
dataset from the dedicated machine.

Versions:
- CentOS 8.1.1911
- Sernet Samba 4.11.6
- NFS 4.2
- macOS 10.15.3

We invested a whole day for debugging and read a lot postings and tried 
this and that (nolock, vfs_fruit, NFS options a.s.o) with no luck. It 
seems to be something fundamentally. We can copy files sometimes. But 
all of a sudden Finder reports errors. "The process could not be 
completed. Access denied." or "The process could not be completed. 
input/output error." In the folder on the share we can then see 
.smbdeleteXXX files for each failed transaction, these files are 
orphaned. We think these files are symptoms not reasons. In another 
folder again we can copy files until the errors come up. All in all it 
feels quite erratic.

Logfiles. We examined Samba log files (log level >= 3). Amazing content! 
Or awfull. Depends on perspective ;) Nothing in it that would give us 
any idea WHAT happens.

NFS as base for Samba shares is being discussed in various ways. From 
"has been running for years" to "not recommended“. We had little 
effort with Samba 3 and NFS based shares for years.

Does anyone has a best practice for a setup like ours? Would someone 
please have a look?

```
nfs.lan.example.com:/etc/exports

/tank/nfs         
172.16.0.0/24(ro,sync,no_subtree_check,no_root_squash,fsid=root)
/tank/nfs/samba   172.16.0.7(rw,async,no_subtree_check,no_root_squash)
[…]
```

```
fs1.ad.example.com:/etc/fstab

172.16.0.8:samba /mnt/samba nfs4 defaults,nolock 0 0
```

```
fs1.ad.example.com:/etc/samba/smb.conf

[global]
     workgroup = WALD
     security = ADS
     realm = AD.EXAMPLE.COM

     ; Create Kerberos keytab entries
     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab

     ; No need to add SAMBA\ to each user
     winbind use default domain = yes

     ; No printing
     load printers = no
     printing = bsd
     printcap name = /dev/null
     disable spoolss = yes

     idmap config * : backend = tdb
     idmap config * : range = 3000-7999
     idmap config WALD : backend = rid
     idmap config WALD : range = 10000-999999

     veto files = /._*/.DS_Store/
     delete veto files = yes

     ; getent passwd/group show all users and groups. NOT recommended!
     winbind enum users = yes
     winbind enum groups = yes

     winbind refresh tickets = yes
     map acl inherit = yes

     socket options = TCP_NODELAY IPTOS_LOWDELAY
     write cache size = 262144

         oplocks = No
         posix locking = No
         strict locking = No
         kernel oplocks = No
         level2 oplocks = No

     #mangled names = no
     #dos charset = CP850
     #unix charset = UTF-8

     log level = 1
     max log size = 5000
     log file = /var/log/samba/samba.log

     server min protocol = SMB3_00
     registry shares = yes

     ea support = yes
     vfs objects = acl_xattr catia fruit streams_xattr full_audit

     #vfs objects = worm
     #worm:grace_period = 86400     # 1 day

     ; Audit
     full_audit:prefix = %u|%I|%m|%S
     full_audit:success = connect mkdir rename unlink rmdir pread pwrite 
read write
     full_audit:failure = connect mkdir rename unlink rmdir pread pwrite 
read write
     full_audit:syslog = yes
     full_audit:facility = local7
     full_audit:priority = NOTICE

     fruit:aapl = yes
     fruit:encoding = native
     fruit:locking = none
     fruit:metadata = stream
     fruit:resource = stream
     fruit:model = MacSamba
     #fruit:posix_rename = yes
     #fruit:veto_appledouble = no
     #fruit:wipe_intentionally_left_blank_rfork = yes
     #fruit:delete_empty_adfiles = yes

     # Local share - works!
     [test]
       comment = test
       path = /srv/test
       include = /etc/samba/include/default.conf
       browseable = yes
       valid users = @wald

     # NFS share - buggy!
     [Exchange]
       comment = Exchange
       path = /mnt/samba/Exchange
       include = /etc/samba/include/default.conf
       browseable = yes
       valid users = @team
```

```
fs1.ad.example.com:/etc/samba/include/default.conf

hide files           = /lost+found/
read only            = no
writeable            = yes
nt acl support       = no
create mask          = 660
force create mode    = 660
directory mask       = 2770
force directory mode = 2770
force group          = +team
```

```
root at fs1.ad.example.com:~ # ls -la /mnt/samba/
drwxrws---. 13 root team 13 Jan 29 18:19 Exchange
```

```
Excerpts from samba.log:
```
[…]
check_reduced_name: Folder1/test/file1.txt reduced to 
/mnt/samba/Exchange/Folder1/test/file1.txt
[…]
open_file_ntcreate: FILE_OPEN requested for file Folder1/test/file1.txt 
and file doesn't exist.
[…]
get_ea_dos_attribute: Cannot get attribute from EA on file Folder1: 
Error = Operation not supported
[…]
get_ea_dos_attribute: Cannot get attribute from EA on file Folder1/test: 
Error = Operation not supported
[…]
fruit_pwrite_meta_stream: On-demand create 
[Folder1/test/file1.txt:AFP_AfpInfo] in write failed: No such file or 
directory
[…]
[…]


-- 
Tobias Kirchhofer

collect at shift.agency

More information about the samba mailing list