CIFS by DNS: Samba still to blame?

[officerwafl]

Hello everyone!

I've seen similar threads relating to the 9.2 series with this issue, and some even earlier - basically, I can access my CIFS shares by IP just fine, but they do not appear in the Windows Network listing, and browsing by \\freenas\ or \\freenas\share results in an authentication error.

I can get the matchname xxx.xxx.xxx.xxx != (NULL) errors in the syslog to stop if I disable hostname lookups in the CIFS service settings, but that just suppresses those errors, while the problem persists. Otherwise, the share is totally fine, it's Guest Access Only, full rwx, Windows 7, 8.1, Server 2012, and Server 2008 clients all able to access fine... this DNS thing is just weirding me out.

The DNS is provided by our DC, a Windows Server 2012R2 box, and hostname resolution from SSH works fine; clients are also able to resolve freenas.domain.local back to the proper static IP. This must be something to do with NetBIOS/NetBEUI, but I'm afraid I'm too inexperienced in that regard to do any further research.

So, is this a Samba problem in 9.3-STABLE-201506042008? Should I report this as a bug to their tracker? I'm sorry if this is a naive question, I'm totally new to reaching out to the open source community, even though I've used it in a hobbyist capacity for years - everything's different when you suddenly have a boss yelling at you about it since you're the dork who made the recommendation 8I

Thanks in advance!

 

[anodos]

Hello everyone!

I've seen similar threads relating to the 9.2 series with this issue, and some even earlier - basically, I can access my CIFS shares by IP just fine, but they do not appear in the Windows Network listing, and browsing by \\freenas\ or \\freenas\share results in an authentication error.

I can get the matchname xxx.xxx.xxx.xxx != (NULL) errors in the syslog to stop if I disable hostname lookups in the CIFS service settings, but that just suppresses those errors, while the problem persists. Otherwise, the share is totally fine, it's Guest Access Only, full rwx, Windows 7, 8.1, Server 2012, and Server 2008 clients all able to access fine... this DNS thing is just weirding me out.

The DNS is provided by our DC, a Windows Server 2012R2 box, and hostname resolution from SSH works fine; clients are also able to resolve freenas.domain.local back to the proper static IP. This must be something to do with NetBIOS/NetBEUI, but I'm afraid I'm too inexperienced in that regard to do any further research.

So, is this a Samba problem in 9.3-STABLE-201506042008? Should I report this as a bug to their tracker? I'm sorry if this is a naive question, I'm totally new to reaching out to the open source community, even though I've used it in a hobbyist capacity for years - everything's different when you suddenly have a boss yelling at you about it since you're the dork who made the recommendation 8I

Thanks in advance!

Is the FreeNAS server an AD member server? If not, verify that everything is in the same workgroup. Also verify that the network settings in FreeNAS are configured to use your DC for DNS.

 

[officerwafl]

The FreeNAS server has been joined to the domain, if that's what you mean. Not set up to be a fellow domain controller or anything like that, but it's authenticated, wbinfo -t passes, and wbinfo -u and -g are all correct. I can even set permission on my datasets to use AD credentials, like making the owner a domain administrator. Network settings are set to use the DC's IP as the primary nameserver, with our ISP's DNS for NS 2 & 3; it's also set to use the DC as it's only NTP source, so everything is in sync

 

[anodos]

Make sure that you have a properly configured reverse lookup zone in your DNS. In command prompt type "nbtstat -A <ip of FreeNAS>" to view the NetBIOS name table of your FreeNAS server.

 

[officerwafl]

Code:

Local Area Connection 3:
Node IpAddress: [0.0.0.0] Scope Id: []

  Host not found.

Local Area Connection:
Node IpAddress: [172.16.1.182] Scope Id: []

  NetBIOS Remote Machine Name Table

  Name  Type  Status
  ---------------------------------------------
  ADINAS  <00>  UNIQUE  Registered
  ADINAS  <03>  UNIQUE  Registered
  ADINAS  <20>  UNIQUE  Registered
  ADISERVICES  <00>  GROUP  Registered
  ADISERVICES  <1E>  GROUP  Registered

  MAC Address = 00-00-00-00-00-00

ADINAS being my NAS, and ADISERVICES being my domain (which I also have set as Samba's workgroup). There should be reverse lookup entries however, I'll consult my DC in a minute and double-check, but everything else is working fine in my environment - why is this affecting Samba so drastically?

 

[officerwafl]

OK, just checked on the domain controller, and reverse lookup zones are properly configured with an associated PTR record for each host in the forward zone - still no joy I'm afraid.

 

[anodos]

Code:

Local Area Connection 3:
Node IpAddress: [0.0.0.0] Scope Id: []

  Host not found.

Local Area Connection:
Node IpAddress: [172.16.1.182] Scope Id: []

  NetBIOS Remote Machine Name Table

  Name  Type  Status
  ---------------------------------------------
  ADINAS  <00>  UNIQUE  Registered
  ADINAS  <03>  UNIQUE  Registered
  ADINAS  <20>  UNIQUE  Registered
  ADISERVICES  <00>  GROUP  Registered
  ADISERVICES  <1E>  GROUP  Registered

  MAC Address = 00-00-00-00-00-00

ADINAS being my NAS, and ADISERVICES being my domain (which I also have set as Samba's workgroup). There should be reverse lookup entries however, I'll consult my DC in a minute and double-check, but everything else is working fine in my environment - why is this affecting Samba so drastically?

Save a debug file [system - > advanced -> save debug], extract the tgz, and upload the CIFS dump file. (This includes a bit more info than just an smb.conf file by itself). Also upload log.smbd and log.nmbd from the debug file.

 

[officerwafl]

Oh dear, I must have bigger problems than Samba:

Code:

Traceback:
File "/usr/local/lib/python2.7/site-packages/django/core/handlers/base.py" in get_response
  107.  response = middleware_method(request, callback, callback_args, callback_kwargs)
File "/usr/local/www/freenasUI/../freenasUI/freeadmin/middleware.py" in process_view
  158.  return login_required(view_func)(request, *view_args, **view_kwargs)
File "/usr/local/lib/python2.7/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  22.  return view_func(request, *args, **kwargs)
File "/usr/local/www/freenasUI/../freenasUI/system/views.py" in debug
  692.  wrapper = FileWrapper(file(dump))

Exception Type: IOError at /system/debug/
Exception Value: [Errno 2] No such file or directory: u'/mnt/alpha/.system/ixdiagnose/ixdiagnose.tgz'

So... any other way to get you the CIFS debug? I noticed that even though I have the log setting to Debug, and it's supposed to report to syslog, there's nothing about CIFS on my syslog server... but the NAS has to be communicating to it, because there are messages from other services about disk health, etc.

 

[officerwafl]

Whoop, didn't see your bit about log.smbd and nmbd!

Code:

[root@ADINAS] /var/log/samba4# cat log.smbd
[2015/06/24 10:56:41,  0] ../source3/smbd/server.c:1189(main)
  smbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 10:56:41,  2] ../source3/lib/tallocmsg.c:124(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2015/06/24 10:56:41,  2] ../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED

It repeats those few lines ad-nausea a couple of times until 14:14 since I was making tweaks and restarting the service from that initial ~10:56 boot.
Same story for nmbd:

Code:

[root@ADINAS] /var/log/samba4# cat log.nmbd
[2015/06/24 10:56:41,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 10:57:17,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:01:04,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:01:20,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:02:33,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:02:48,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:03:39,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:03:54,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:06:45,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:11:01,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:13:31,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:16:43,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:16:53,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 13:28:41,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 14:14:52,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013

 

[anodos]

Whoop, didn't see your bit about log.smbd and nmbd!

Code:

[root@ADINAS] /var/log/samba4# cat log.smbd
[2015/06/24 10:56:41,  0] ../source3/smbd/server.c:1189(main)
  smbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 10:56:41,  2] ../source3/lib/tallocmsg.c:124(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2015/06/24 10:56:41,  2] ../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED

It repeats those few lines ad-nausea a couple of times until 14:14 since I was making tweaks and restarting the service from that initial ~10:56 boot.
Same story for nmbd:

Code:

[root@ADINAS] /var/log/samba4# cat log.nmbd
[2015/06/24 10:56:41,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 10:57:17,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:01:04,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:01:20,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:02:33,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:02:48,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:03:39,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:03:54,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:06:45,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:11:01,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:13:31,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:16:43,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 11:16:53,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 13:28:41,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/06/24 14:14:52,  0] ../source3/nmbd/nmbd.c:904(main)
  nmbd version 4.1.12 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013

It looks like nmbd keeps restarting, possibly crashing.

Post the following:

• /usr/local/etc/smb4.conf
• Increase logging verbosity and check /var/log/samba4/log.nmbd

 

[officerwafl]

If I could push the verbosity beyond debug I would, but that's all I've got, sorry.
As for my smb4.conf...

Code:

[root@ADINAS] /usr/local/etc# cat smb4.conf
[global]
  server max protocol = SMB2
  interfaces = 127.0.0.1 172.16.1.22
  bind interfaces only = yes
  encrypt passwords = yes
  dns proxy = no
  strict locking = no
  oplocks = yes
  deadtime = 15
  max log size = 51200
  max open files = 11070
  syslog only = yes
  syslog = 1
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  getwd cache = yes
  guest account = samba
  map to guest = Bad User
  obey pam restrictions = Yes
  directory name cache size = 0
  kernel change notify = no
  panic action = /usr/local/libexec/samba/samba-backtrace
  server string = FreeNAS Server
  ea support = yes
  store dos attributes = yes
  null passwords = yes
  acl allow execute always = true
  acl check permissions = true
  dos filemode = yes
  idmap config *:backend = tdb
  idmap config *:range = 90000000-100000000
  server role = member server
  netbios name = ADINAS
  workgroup = ADISERVICES
  realm = ADISERVICES.LOCAL
  security = ADS
  client use spnego = yes
  cache directory = /var/tmp/.cache/.samba
  local master = no
  domain master = no
  preferred master = no
  winbind cache time = 7200
  winbind offline logon = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind nested groups = yes
  winbind use default domain = no
  winbind refresh tickets = yes
  winbind nss info = rfc2307
  idmap config ADISERVICES: backend = ad
  idmap config ADISERVICES: schema_mode = rfc2307
  idmap config ADISERVICES: range = 10000-90000000
  allow trusted domains = yes
  template shell = /bin/sh
  template homedir = /home/%D/%U
  pid directory = /var/run/samba
  smb passwd file = /var/etc/private/smbpasswd
  private dir = /var/etc/private
  create mask = 0666
  directory mask = 0777
  client ntlmv2 auth = yes
  dos charset = CP437
  unix charset = UTF-8
  log level = 10


[NAS Private]
  path = /mnt/alpha/WINFS2
  printable = no
  veto files = /.snap/.windows/.zfs/
  writeable = yes
  browseable = no
  recycle:repository = .recycle/%U
  recycle:keeptree = yes
  recycle:versions = yes
  recycle:touch = yes
  recycle:directory_mode = 0777
  recycle:subdir_mode = 0700
  vfs objects = zfsacl streams_xattr aio_pthread
  hide dot files = no
  guest ok = yes
  guest only = yes
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = yes
  zfsacl:acesort = dontcare


[NAS Public]
  path = /mnt/alpha/WINFS1
  printable = no
  veto files = /.snap/.windows/.zfs/
  writeable = yes
  browseable = yes
  recycle:repository = .recycle/%U
  recycle:keeptree = yes
  recycle:versions = yes
  recycle:touch = yes
  recycle:directory_mode = 0777
  recycle:subdir_mode = 0700
  vfs objects = zfsacl streams_xattr aio_pthread
  hide dot files = no
  guest ok = yes
  guest only = yes
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = yes
  zfsacl:acesort = dontcare

 

[anodos]

Unless you have a specific reason to use "ad" for your idmap backend (under "Directory Service" -> "Active Directory" -> "Advanced"), switch to "rid".

 

[cyberjock]

it's also set to use the DC as it's only NTP source, so everything is in sync

Bad news... unless you setup the DC to act as the "compatible NTP" (some kind of registry hack or something is required, I forget exactly what it is) then it won't work on you FreeNAS.

Windows' NTP service isn't the NTP service that everyone else uses. It's proprietary enough to not work without some magic pixie dust or something.

It's easy to verify if this is working or not though.. change the time by 5 minutes and bootup the system and look in the logs after bootup and see if it logs an entry about clock needing adjustment. If it doesn't adjust then it's not working. ;)

 

[anodos]

Bad news... unless you setup the DC to act as the "compatible NTP" (some kind of registry hack or something is required, I forget exactly what it is) then it won't work on you FreeNAS.

Windows' NTP service isn't the NTP service that everyone else uses. It's proprietary enough to not work without some magic pixie dust or something.

It's easy to verify if this is working or not though.. change the time by 5 minutes and bootup the system and look in the logs after bootup and see if it logs an entry about clock needing adjustment. If it doesn't adjust then it's not working. ;)

I usually set all my servers to get time from the same external time source. Workstations get time from the DC. It's all close enough to keep AD happy.

 

[cyberjock]

I usually set all my servers to get time from the same external time source. Workstations get time from the DC. It's all close enough to keep AD happy.

Right, but you've worked the problem out. Your servers use external sources. His source is from a *nix NTP service trying to connect to a Windows NTP server. That doesn't work unfortunately. Yes, they may stay in sync good enough to never have a problem, but "good enough" isn't good enough in my book. :P

 

[officerwafl]

That very well may be the problem, as setting the idmap backend to 'rid' or 'autorid' with various idmap range settings (I've heard everything from 10,000 to 200,000, to 900,000,000) just doesn't do the trick. I'll have to look into this NTP business later. It looks like it's syncing up, but... oh, Windows

 

[officerwafl]

OK, I've changed the NAS's NTP to 0.us.pool.ntp.org, and issued

Code:

w32tm /config /manualpeerlist:"0.us.pool.ntp.org,0x1"

on the DC, so both are now pointing to external sources. Still nothing, but I'm also still using ad as my idmap backend, can't switch it out until end of business today, since I have a buncha people connected right now. I'll let you know if that's finally the magic combo