[Samba] Samba Shares based on NFS
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Jan 29 21:46:38 UTC 2020
This question has come up in the past. I think you are just setting
yourself up for failure. The samba / NFS permissions can cause
issues. And who knows what the mix of file locking mechanisms will do.

Just to clarify - you have an NFS server exporting file systems to a
samba server, and the samba server is resharing those?

What is the NFS server? ZFS indicates it is Solaris or maybe an
OpenSolaris-based appliance.

So I think you have the following options:

* Is the ZFS/NFS (nfs.lan..) server itself capable of running Samba
  and joining the domain? If so, this should be running Samba not
  "fs1."
* Alternately if the nfs server is nfs only, then you would want to
  have a new share from ZFS that is mounted by your vmware server (or
  whatever is doing virtualization.) You would then use vmware to
  create a VMDK/virtual disk file that would be used by the Samba
  VM. As far as the samba VM is concerned, the disk is a local disk.
* If the nfs server is a VM - maybe it is simplest to just delete it
  and assign the disk capacity to fs1 directly

On 1/29/20 4:04 PM, Tobias Kirchhofer via samba wrote:
> Hi, this is my first time posting in this group. I hope you'll be
> patient with me :-)
>
> We prepare a next gen setup replacing Samba 3 with Samba 4. First time
> with a Domain Controller (DC1) and a joined Fileserver (FS1). We have
> around 30 macOS, 5 Windows and a few Linux machines which are all
> going to be integrated in the new DC.
>
> Our test setup is quite promising. We can join all types of clients
> without problems so far. Fun! But now we're faced with a problem that
> we can't seem to solve. The NFS based Samba shares are not stable. We
> can perfectly connect as an AD user to the file server and start
> copying files, but after a short time Input/Output errors appear or
> Permission denied messages arise. This happens only on macOS machines.
>
> CentOS 8 VMs:
>
> - dc1.ad.example.com
> - fs1.ad.example.com
> - nfs.lan.example.com
>
> FS1 shares are realized with a NFS mount which is an exported ZFS
> dataset from the dedicated machine.
>
> Versions:
> - CentOS 8.1.1911
> - Sernet Samba 4.11.6
> - NFS 4.2
> - macOS 10.15.3
>
> We invested a whole day for debugging and read a lot of postings and
> tried this and that (nolock, vfs_fruit, NFS options a.s.o) with no
> luck. It seems to be something fundamental. We can copy files
> sometimes. But all of a sudden Finder reports errors. "The process
> could not be completed. Access denied." or "The process could not be
> completed. input/output error." In the folder on the share we can then
> see .smbdeleteXXX files for each failed transaction, these files are
> orphaned. We think these files are symptoms not reasons. In another
> folder again we can copy files until the errors come up. All in all it
> feels quite erratic.
>
> Logfiles. We examined Samba log files (log level >= 3). Amazing
> content! Or awful. Depends on perspective ;) Nothing in it that would
> give us any idea WHAT happens.
>
> NFS as base for Samba shares is being discussed in various ways. From
> "has been running for years" to "not recommended". We had little
> effort with Samba 3 and NFS based shares for years.
>
> Does anyone have a best practice for a setup like ours? Would someone
> please have a look?
>
> ```
> nfs.lan.example.com:/etc/exports
>
> /tank/nfs 172.16.0.0/24(ro,sync,no_subtree_check,no_root_squash,fsid=root)
> /tank/nfs/samba 172.16.0.7(rw,async,no_subtree_check,no_root_squash)
> […]
> ```
>
> ```
> fs1.ad.example.com:/etc/fstab
>
> 172.16.0.8:samba /mnt/samba nfs4 defaults,nolock 0 0
> ```
>
> ```
> fs1.ad.example.com:/etc/samba/smb.conf
>
> [global]
> workgroup = WALD
> security = ADS
> realm = AD.EXAMPLE.COM
>
> ; Create Kerberos keytab entries
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> ; No need to add SAMBA\ to each user
> winbind use default domain = yes
>
> ; No printing
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config WALD : backend = rid
> idmap config WALD : range = 10000-999999
>
> veto files = /._*/.DS_Store/
> delete veto files = yes
>
> ; getent passwd/group show all users and groups. NOT recommended!
> winbind enum users = yes
> winbind enum groups = yes
>
> winbind refresh tickets = yes
> map acl inherit = yes
>
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> write cache size = 262144
>
> oplocks = No
> posix locking = No
> strict locking = No
> kernel oplocks = No
> level2 oplocks = No
>
> #mangled names = no
> #dos charset = CP850
> #unix charset = UTF-8
>
> log level = 1
> max log size = 5000
> log file = /var/log/samba/samba.log
>
> server min protocol = SMB3_00
> registry shares = yes
>
> ea support = yes
> vfs objects = acl_xattr catia fruit streams_xattr full_audit
>
> #vfs objects = worm
> #worm:grace_period = 86400 # 1 day
>
> ; Audit
> full_audit:prefix = %u|%I|%m|%S
> full_audit:success = connect mkdir rename unlink rmdir pread pwrite read write
> full_audit:failure = connect mkdir rename unlink rmdir pread pwrite read write
> full_audit:syslog = yes
> full_audit:facility = local7
> full_audit:priority = NOTICE
>
> fruit:aapl = yes
> fruit:encoding = native
> fruit:locking = none
> fruit:metadata = stream
> fruit:resource = stream
> fruit:model = MacSamba
> #fruit:posix_rename = yes
> #fruit:veto_appledouble = no
> #fruit:wipe_intentionally_left_blank_rfork = yes
> #fruit:delete_empty_adfiles = yes
>
> # Local share - works!
> [test]
> comment = test
> path = /srv/test
> include = /etc/samba/include/default.conf
> browseable = yes
> valid users = @wald
>
> # NFS share - buggy!
> [Exchange]
> comment = Exchange
> path = /mnt/samba/Exchange
> include = /etc/samba/include/default.conf
> browseable = yes
> valid users = @team
> ```
>
> ```
> fs1.ad.example.com:/etc/samba/include/default.conf
>
> hide files = /lost+found/
> read only = no
> writeable = yes
> nt acl support = no
> create mask = 660
> force create mode = 660
> directory mask = 2770
> force directory mode = 2770
> force group = +team
> ```
>
> ```
> root@fs1.ad.example.com:~ # ls -la /mnt/samba/
> drwxrws---. 13 root team 13 Jan 29 18:19 Exchange
> ```
>
> Excerpts from samba.log:
>
> ```
> […]
> check_reduced_name: Folder1/test/file1.txt reduced to /mnt/samba/Exchange/Folder1/test/file1.txt
> […]
> open_file_ntcreate: FILE_OPEN requested for file Folder1/test/file1.txt and file doesn't exist.
> […]
> get_ea_dos_attribute: Cannot get attribute from EA on file Folder1: Error = Operation not supported
> […]
> get_ea_dos_attribute: Cannot get attribute from EA on file Folder1/test: Error = Operation not supported
> […]
> fruit_pwrite_meta_stream: On-demand create [Folder1/test/file1.txt:AFP_AfpInfo] in write failed: No such file or directory
> […]
> ```
>
>
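
Added example (not part of the original thread): the quoted log shows get_ea_dos_attribute failing with "Operation not supported" on the NFS-backed share, while the posted smb.conf loads VFS modules (acl_xattr, streams_xattr) that keep their data in extended attributes. This Python check maps each share path to the filesystem it lives on and can probe whether that path accepts user xattrs. The sample inputs are constructed from the thread's values, and all function names are hypothetical.

```python
import os
import re
import tempfile

XATTR_MODULES = {"acl_xattr", "streams_xattr"}  # keep their data in xattrs
# Constructed samples modelled on the thread's smb.conf and NFS mount.
SAMPLE_SMB_CONF = """[global]
vfs objects = acl_xattr catia fruit streams_xattr full_audit
[test]
path = /srv/test
[Exchange]
path = /mnt/samba/Exchange
"""
SAMPLE_MOUNTS = ("/dev/sda1 / xfs rw,relatime 0 0\n"
                 "172.16.0.8:/samba /mnt/samba nfs4 rw,relatime,vers=4.2 0 0\n")

def parse_conf(text):
    """Return (xattr-dependent VFS modules, {share: path}); ignores includes."""
    modules, shares, section = set(), {}, "global"
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            section = m.group(1)
        elif m := re.fullmatch(r"vfs objects\s*=\s*(.+)", line):
            modules |= XATTR_MODULES & set(m.group(1).split())
        elif (m := re.fullmatch(r"path\s*=\s*(.+)", line)) and section != "global":
            shares[section] = m.group(1)
    return sorted(modules), shares

def fs_type(path, mounts_text):
    """Filesystem type of the longest mount point that contains path."""
    best_mnt, best_type = "", "unknown"
    for fields in map(str.split, mounts_text.splitlines()):
        if (len(fields) >= 3 and len(fields[1]) > len(best_mnt)
                and (path + "/").startswith(fields[1].rstrip("/") + "/")):
            best_mnt, best_type = fields[1], fields[2]
    return best_type

def probe_user_xattr(directory):
    """True if a scratch file in directory accepts a user.* xattr (Linux)."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory) as f:
            return os.setxattr(f.name, "user.probe", b"1") is None
    except (OSError, AttributeError):
        return False

def audit(conf_text, mounts_text, probe=None):
    modules, shares = parse_conf(conf_text)
    return modules, {s: (fs_type(p, mounts_text), probe(p) if probe else None)
                     for s, p in shares.items()}
```

On the file server, call `audit()` with the contents of `/etc/samba/smb.conf` and `/proc/mounts` and `probe=probe_user_xattr`; a share that reports `nfs4` together with a `False` probe result sits on a mount that does not accept user xattrs from this client.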