[Samba] Samba Shares based on NFS

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jan 29 21:46:38 UTC 2020


This question has come up in the past. I think you are just setting 
yourself up for failure. The samba / NFS permissions can cause 
issues. And who knows what the mix of file locking mechanisms will do.


Just to clarify - you have an NFS server exporting file systems to a 
samba server, and the samba server is resharing those?

What is the NFS server? ZFS indicates it is Solaris or maybe an 
OpenSolaris-based appliance.

So I think you have the following options:

  * Is the ZFS/NFS (nfs.lan..) server itself capable of running Samba
    and joining the domain? If so, this should be running Samba, not
    "fs1."
  * Alternately, if the nfs server is nfs only, then you would want to
    have a new share from ZFS that is mounted by your vmware server (or
    whatever is doing virtualization). You would then use vmware to
    create a VMDK/virtual disk file that would be used by the Samba
    VM. As far as the samba VM is concerned, the disk is a local disk.
  * If the nfs server is a VM - maybe it is simplest to just delete it
    and assign the disk capacity to fs1 directly.

On 1/29/20 4:04 PM, Tobias Kirchhofer via samba wrote:
> Hi, this is my first time posting in this group. I hope you'll be 
> patient with me :-)
>
> We prepare a next gen setup replacing Samba 3 with Samba 4. First time 
> with a Domain Controller (DC1) and a joined Fileserver (FS1). We have 
> around 30 macOS, 5 Windows and a few Linux machines which are all 
> going to be integrated in the new DC.
>
> Our test setup is quite promising. We can join all types of clients 
> without problems so far. Fun! But now we're faced with a problem that 
> we can't seem to solve. The NFS based Samba shares are not stable. We 
> can perfectly connect as an AD user to the file server and start 
> copying files, but after a short time Input/Output errors appear or 
> Permission denied messages arise. This happens only on macOS machines.
>
> CentOS 8 VMs:
>
> - dc1.ad.example.com
> - fs1.ad.example.com
> - nfs.lan.example.com
>
> FS1 shares are realized with a NFS mount which is an exported ZFS 
> dataset from the dedicated machine.
>
> Versions:
> - CentOS 8.1.1911
> - Sernet Samba 4.11.6
> - NFS 4.2
> - macOS 10.15.3
>
> We invested a whole day for debugging and read a lot of postings and 
> tried this and that (nolock, vfs_fruit, NFS options a.s.o) with no 
> luck. It seems to be something fundamental. We can copy files 
> sometimes. But all of a sudden Finder reports errors. "The process 
> could not be completed. Access denied." or "The process could not be 
> completed. input/output error." In the folder on the share we can then 
> see .smbdeleteXXX files for each failed transaction, these files are 
> orphaned. We think these files are symptoms not reasons. In another 
> folder again we can copy files until the errors come up. All in all it 
> feels quite erratic.
>
> Logfiles. We examined Samba log files (log level >= 3). Amazing 
> content! Or awful. Depends on perspective ;) Nothing in it that would 
> give us any idea WHAT happens.
>
> NFS as base for Samba shares is being discussed in various ways. From 
> "has been running for years" to "not recommended". We had little 
> effort with Samba 3 and NFS based shares for years.
>
> Does anyone have a best practice for a setup like ours? Would someone 
> please have a look?
>
> ```
> nfs.lan.example.com:/etc/exports
>
> /tank/nfs 172.16.0.0/24(ro,sync,no_subtree_check,no_root_squash,fsid=root)
> /tank/nfs/samba 172.16.0.7(rw,async,no_subtree_check,no_root_squash)
> […]
> ```
>
> ```
> fs1.ad.example.com:/etc/fstab
>
> 172.16.0.8:samba /mnt/samba nfs4 defaults,nolock 0 0
> ```
>
> ```
> fs1.ad.example.com:/etc/samba/smb.conf
>
> [global]
>     workgroup = WALD
>     security = ADS
>     realm = AD.EXAMPLE.COM
>
>     ; Create Kerberos keytab entries
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
>     ; No need to add SAMBA\ to each user
>     winbind use default domain = yes
>
>     ; No printing
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config WALD : backend = rid
>     idmap config WALD : range = 10000-999999
>
>     veto files = /._*/.DS_Store/
>     delete veto files = yes
>
>     ; getent passwd/group show all users and groups. NOT recommended!
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     winbind refresh tickets = yes
>     map acl inherit = yes
>
>     socket options = TCP_NODELAY IPTOS_LOWDELAY
>     write cache size = 262144
>
>         oplocks = No
>         posix locking = No
>         strict locking = No
>         kernel oplocks = No
>         level2 oplocks = No
>
>     #mangled names = no
>     #dos charset = CP850
>     #unix charset = UTF-8
>
>     log level = 1
>     max log size = 5000
>     log file = /var/log/samba/samba.log
>
>     server min protocol = SMB3_00
>     registry shares = yes
>
>     ea support = yes
>     vfs objects = acl_xattr catia fruit streams_xattr full_audit
>
>     #vfs objects = worm
>     #worm:grace_period = 86400     # 1 day
>
>     ; Audit
>     full_audit:prefix = %u|%I|%m|%S
>     full_audit:success = connect mkdir rename unlink rmdir pread pwrite read write
>     full_audit:failure = connect mkdir rename unlink rmdir pread pwrite read write
>     full_audit:syslog = yes
>     full_audit:facility = local7
>     full_audit:priority = NOTICE
>
>     fruit:aapl = yes
>     fruit:encoding = native
>     fruit:locking = none
>     fruit:metadata = stream
>     fruit:resource = stream
>     fruit:model = MacSamba
>     #fruit:posix_rename = yes
>     #fruit:veto_appledouble = no
>     #fruit:wipe_intentionally_left_blank_rfork = yes
>     #fruit:delete_empty_adfiles = yes
>
>     # Local share - works!
>     [test]
>       comment = test
>       path = /srv/test
>       include = /etc/samba/include/default.conf
>       browseable = yes
>       valid users = @wald
>
>     # NFS share - buggy!
>     [Exchange]
>       comment = Exchange
>       path = /mnt/samba/Exchange
>       include = /etc/samba/include/default.conf
>       browseable = yes
>       valid users = @team
> ```
>
> ```
> fs1.ad.example.com:/etc/samba/include/default.conf
>
> hide files           = /lost+found/
> read only            = no
> writeable            = yes
> nt acl support       = no
> create mask          = 660
> force create mode    = 660
> directory mask       = 2770
> force directory mode = 2770
> force group          = +team
> ```
>
> ```
> root@fs1.ad.example.com:~ # ls -la /mnt/samba/
> drwxrws---. 13 root team 13 Jan 29 18:19 Exchange
> ```
>
> Excerpts from samba.log:
>
> ```
> […]
> check_reduced_name: Folder1/test/file1.txt reduced to /mnt/samba/Exchange/Folder1/test/file1.txt
> […]
> open_file_ntcreate: FILE_OPEN requested for file Folder1/test/file1.txt and file doesn't exist.
> […]
> get_ea_dos_attribute: Cannot get attribute from EA on file Folder1: Error = Operation not supported
> […]
> get_ea_dos_attribute: Cannot get attribute from EA on file Folder1/test: Error = Operation not supported
> […]
> fruit_pwrite_meta_stream: On-demand create [Folder1/test/file1.txt:AFP_AfpInfo] in write failed: No such file or directory
> […]
> […]
> ```
>
>
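
Added example (not part of the original thread): the log excerpts above show extended-attribute calls failing with "Operation not supported" on the NFS-backed share, while the posted smb.conf enables `ea support`, `acl_xattr` and `streams_xattr`. The Python sketch below flags shares whose path sits on an NFS mount while those xattr-backed settings are in effect; the trimmed smb.conf, the mount table and all function names are constructed for this example.

```python
# VFS modules from the posted smb.conf that keep their data in extended attributes
XATTR_VFS = {"acl_xattr", "streams_xattr"}
# Constructed sample input (trimmed from the post); helper names are this example's own
SMB_CONF = """[global]
    ea support = yes
    vfs objects = acl_xattr catia fruit streams_xattr full_audit
[test]
    path = /srv/test
[Exchange]
    path = /mnt/samba/Exchange
"""
MOUNTS = """/dev/mapper/cl-root / xfs rw,relatime 0 0
172.16.0.8:/samba /mnt/samba nfs4 rw,relatime,vers=4.2 0 0
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.split()).lower()] = value.strip()
    return sections

def fs_type_for(path, mounts_text):
    """Filesystem type of the longest mount point that contains path."""
    best_mnt, best_type = "", "unknown"
    for _dev, mnt, fstype, *_ in map(str.split, mounts_text.splitlines()):
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best_mnt):
            best_mnt, best_type = mnt, fstype
    return best_type

def xattr_risks(conf_text, mounts_text):
    """List shares on NFS whose effective settings rely on xattrs."""
    conf, findings = parse_smb_conf(conf_text), []
    for name, share in conf.items():
        fstype = fs_type_for(share.get("path", ""), mounts_text)
        if name == "global" or not fstype.startswith("nfs"):
            continue
        eff = {**conf.get("global", {}), **share}  # share settings override [global]
        needs = sorted(XATTR_VFS & set(eff.get("vfs objects", "").split()))
        if eff.get("ea support", "").lower() == "yes":
            needs.append("ea support")
        if needs:
            findings.append((name, share["path"], fstype, needs))
    return findings
```

On a live server the same functions can be fed the contents of `/etc/samba/smb.conf` and `/proc/mounts` instead of the constructed strings.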


