[Samba] Samba Shares based on NFS
Tobias Kirchhofer
collect at shift.agency
Wed Jan 29 21:04:35 UTC 2020
Hi, this is my first time posting in this group. I hope you'll be
patient with me :-)
We prepare a next gen setup replacing Samba 3 with Samba 4. First time
with a Domain Controller (DC1) and a joined Fileserver (FS1). We have
around 30 macOS, 5 Windows and a few Linux machines which are all going
to be integrated in the new DC.
Our test setup is quite promising. We can join all types of clients
without problems so far. Fun! But now we're faced with a problem that we
can't seem to solve. The NFS based Samba shares are not stable. We can
perfectly connect as an AD user to the file server and start copying
files, but after a short time Input/Output errors appear or Permission
denied messages arise. This happens only on macOS machines.
CentOS 8 VMs:
- dc1.ad.example.com
- fs1.ad.example.com
- nfs.lan.example.com
FS1 shares are realized with a NFS mount which is an exported ZFS
dataset from the dedicated machine.
Versions:
- CentOS 8.1.1911
- Sernet Samba 4.11.6
- NFS 4.2
- macOS 10.15.3
We invested a whole day for debugging and read a lot of postings and tried
this and that (nolock, vfs_fruit, NFS options and so on) with no luck. It
seems to be something fundamental. We can copy files sometimes. But
all of a sudden Finder reports errors. "The process could not be
completed. Access denied." or "The process could not be completed.
input/output error." In the folder on the share we can then see
.smbdeleteXXX files for each failed transaction, these files are
orphaned. We think these files are symptoms not reasons. In another
folder again we can copy files until the errors come up. All in all it
feels quite erratic.
Logfiles. We examined Samba log files (log level >= 3). Amazing content!
Or awful. Depends on perspective ;) Nothing in it that would give us
any idea WHAT happens.
NFS as base for Samba shares is being discussed in various ways. From
"has been running for years" to "not recommended". We had little
effort with Samba 3 and NFS based shares for years.
Does anyone have a best practice for a setup like ours? Would someone
please have a look?
```
nfs.lan.example.com:/etc/exports
/tank/nfs 172.16.0.0/24(ro,sync,no_subtree_check,no_root_squash,fsid=root)
/tank/nfs/samba 172.16.0.7(rw,async,no_subtree_check,no_root_squash)
[…]
```
```
fs1.ad.example.com:/etc/fstab
172.16.0.8:samba /mnt/samba nfs4 defaults,nolock 0 0
```
```
fs1.ad.example.com:/etc/samba/smb.conf
[global]
workgroup = WALD
security = ADS
realm = AD.EXAMPLE.COM
; Create Kerberos keytab entries
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
; No need to add SAMBA\ to each user
winbind use default domain = yes
; No printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config WALD : backend = rid
idmap config WALD : range = 10000-999999
veto files = /._*/.DS_Store/
delete veto files = yes
; getent passwd/group show all users and groups. NOT recommended!
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
map acl inherit = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
write cache size = 262144
oplocks = No
posix locking = No
strict locking = No
kernel oplocks = No
level2 oplocks = No
#mangled names = no
#dos charset = CP850
#unix charset = UTF-8
log level = 1
max log size = 5000
log file = /var/log/samba/samba.log
server min protocol = SMB3_00
registry shares = yes
ea support = yes
vfs objects = acl_xattr catia fruit streams_xattr full_audit
#vfs objects = worm
#worm:grace_period = 86400 # 1 day
; Audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = connect mkdir rename unlink rmdir pread pwrite read write
full_audit:failure = connect mkdir rename unlink rmdir pread pwrite read write
full_audit:syslog = yes
full_audit:facility = local7
full_audit:priority = NOTICE
fruit:aapl = yes
fruit:encoding = native
fruit:locking = none
fruit:metadata = stream
fruit:resource = stream
fruit:model = MacSamba
#fruit:posix_rename = yes
#fruit:veto_appledouble = no
#fruit:wipe_intentionally_left_blank_rfork = yes
#fruit:delete_empty_adfiles = yes
# Local share - works!
[test]
comment = test
path = /srv/test
include = /etc/samba/include/default.conf
browseable = yes
valid users = @wald
# NFS share - buggy!
[Exchange]
comment = Exchange
path = /mnt/samba/Exchange
include = /etc/samba/include/default.conf
browseable = yes
valid users = @team
```
```
fs1.ad.example.com:/etc/samba/include/default.conf
hide files = /lost+found/
read only = no
writeable = yes
nt acl support = no
create mask = 660
force create mode = 660
directory mask = 2770
force directory mode = 2770
force group = +team
```
```
root at fs1.ad.example.com:~ # ls -la /mnt/samba/
drwxrws---. 13 root team 13 Jan 29 18:19 Exchange
```
Excerpts from samba.log:
```
[…]
check_reduced_name: Folder1/test/file1.txt reduced to /mnt/samba/Exchange/Folder1/test/file1.txt
[…]
open_file_ntcreate: FILE_OPEN requested for file Folder1/test/file1.txt and file doesn't exist.
[…]
get_ea_dos_attribute: Cannot get attribute from EA on file Folder1: Error = Operation not supported
[…]
get_ea_dos_attribute: Cannot get attribute from EA on file Folder1/test: Error = Operation not supported
[…]
fruit_pwrite_meta_stream: On-demand create [Folder1/test/file1.txt:AFP_AfpInfo] in write failed: No such file or directory
[…]
```
--
Tobias Kirchhofer
collect at shift.agency
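An added check, not part of the original post and not Samba's own code: the `get_ea_dos_attribute ... Operation not supported` lines in the log excerpt are what Samba emits when the filesystem under a share rejects an extended-attribute call, and several settings in the posted smb.conf (`ea support`, `acl_xattr`, `streams_xattr`, `fruit:metadata = stream`) keep their data in `user.*` xattrs. The script below lists those settings from a config and probes a share path for xattr support the way Samba would; the function names, the trimmed smb.conf excerpt and the Linux-only `os.setxattr` calls are assumptions of this example.

```python
import errno
import os
import tempfile
XATTR_VFS = {"acl_xattr", "streams_xattr", "fruit"}  # keep their data in user.* xattrs

# Constructed excerpt of the smb.conf shown in the post, not the full file.
SAMPLE_SMB_CONF = """
[global]
ea support = yes
vfs objects = acl_xattr catia fruit streams_xattr full_audit
fruit:metadata = stream
[Exchange]
path = /mnt/samba/Exchange
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}; skips #/; comments."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def xattr_dependencies(conf):
    """Global settings that only work if the share filesystem stores user.* xattrs."""
    g = conf.get("global", {})
    deps = sorted(set(g.get("vfs objects", "").split()) & XATTR_VFS)
    for key, needed in (("ea support", "yes"), ("fruit:metadata", "stream")):
        if g.get(key, "").lower() == needed:
            deps.append(f"{key} = {needed}")
    return deps

def probe_user_xattr(directory):
    """Set and remove a user.* xattr on a probe file in `directory`: 'supported',
    'unsupported' (ENOTSUP, Samba's 'Operation not supported') or 'error:<ERRNO>'."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory) as f:
            os.setxattr(f.name, b"user.probe", b"ok")
            os.removexattr(f.name, b"user.probe")
        return "supported"
    except OSError as e:
        if e.errno == errno.ENOTSUP:
            return "unsupported"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
```

Run `probe_user_xattr` against the NFS mount and the local `/srv/test` path on fs1; a share that answers `unsupported` cannot carry the xattr-dependent settings listed by `xattr_dependencies`.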