FreeNAS servers behaving differently

Status
Not open for further replies.

Idiotzoo

Explorer
Joined
Mar 11, 2013
Messages
55
I'm wrestling with an odd and very frustrating problem. I have two FreeNAS servers, both running 9.2.1.8. They're similar hardware, same MB and CPU (Supermicro X10SLL-F with 1230V3 CPU). One is our main server, the other is a replication backup.

On the main server I cannot assign Creator/Owner permission on a CIFS share. On the backup I can, and it works correctly. When I try on the main server, the creator/owner just disappears from the permissions list.

In log.smbd on the main server I see:

/source3/modules/nfs4_acls.c:749(smbacl4_fill_ace4)
nfs4_acls.c: file [.]: could not convert S-1-3-0 to uid or gid

If I run wbinfo -s S-1-3-0 I get the right result on both servers.

I've been through the config of both servers side by side with the finest toothed comb I have and I cannot see a difference. Apart from having different shares set up, the smb4.conf is exactly the same, apart from necessary variations like server name.

This particular problem has been driving me mad for some time. I previously posted in another thread where I was told that I don't understand Windows permissions. I'm happy to be called an idiot, but it really does work on one box and not the other.

Any ideas how I might further debug this?
 

Adam Bise

Dabbler
Joined
May 12, 2014
Messages
10
Not sure. But I wonder, would the ACE for server1\creator_owner be the same as server2\creator_owner in samba? Would this be translated as the same thing on both servers? Also, are you using LDAP?
 

Idiotzoo

Explorer
Joined
Mar 11, 2013
Messages
55
Both servers are using AD and are connected to the same domain. Creator owner should therefore be the same special SID.
 

Idiotzoo

Explorer
Joined
Mar 11, 2013
Messages
55
Never hurts to check but it's working fine in every other way. All users can authenticate successfully. No errors to suggest a problem.
 

Idiotzoo

Explorer
Joined
Mar 11, 2013
Messages
55
Well... As far as my knowledge goes, the binding to our Active Directory server is just fine. Everything is working, users are being authenticated, but the creator/owner group will not work on the troublesome server.

Any ideas how I might debug what's happening here?
 

Idiotzoo

Explorer
Joined
Mar 11, 2013
Messages
55
I've just updated both boxes to 9.2.1.9 and the problem persists. Having dug into the generated configs, there's a difference between the two servers in /etc/directoryservice/ActiveDirectory/config

The problem server contains the lines:
ad_use_keytab="0"
ad_keytab="/data/krb5.keytab"

Where the working server has:
ad_use_keytab="False"
ad_keytab=""

I've never used a Kerberos keytab so I'm not sure why there's a difference here. I can't see any reference to this in the GUI. Because it's a generated config, I can't change it of course. The referenced file /data/krb5.keytab doesn't exist.
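
An added example, not part of the original post or of FreeNAS: a small shell function that automates the side-by-side comparison described above for key="value" files, skipping keys that are expected to differ between hosts. The sample files are constructed; only the two ad_* lines come from the post, and the example_* keys are hypothetical placeholders.

```shell
#!/bin/sh
# config_drift FILE_A FILE_B [IGNORED_KEYS]
# Compare two key="value" files; print one line per key that differs.
# IGNORED_KEYS is a comma-separated list of keys expected to differ.
config_drift() {
    awk -v ignore="${3:-}" '
        BEGIN { n = split(ignore, ig, ","); for (i = 1; i <= n; i++) skip[ig[i]] = 1 }
        /^[ \t]*#/ || !/=/ { next }              # skip comments and non-assignments
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            sub(/^[ \t]*"?/, "", val); sub(/"?[ \t]*$/, "", val)   # strip quotes
            if (key in skip) next
            if (FILENAME == ARGV[1]) a[key] = val
            else                     b[key] = val
            keys[key] = 1
        }
        END {
            for (k in keys) {
                if (!(k in b))         print k ": only in " ARGV[1]
                else if (!(k in a))    print k ": only in " ARGV[2]
                else if (a[k] != b[k]) print k ": \"" a[k] "\" != \"" b[k] "\""
            }
        }
    ' "$1" "$2" | sort
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed samples: the ad_* lines are the ones quoted in the post,
    # the example_* keys are hypothetical placeholders.
    cat > "$tmp/problem.conf" <<'EOF'
example_hostname="nas-main"
example_domain="example.test"
ad_use_keytab="0"
ad_keytab="/data/krb5.keytab"
EOF
    cat > "$tmp/working.conf" <<'EOF'
example_hostname="nas-backup"
example_domain="example.test"
ad_use_keytab="False"
ad_keytab=""
EOF
    config_drift "$tmp/problem.conf" "$tmp/working.conf" example_hostname
    rm -rf "$tmp"
}
demo
```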
 

Idiotzoo

Explorer
Joined
Mar 11, 2013
Messages
55
Well, just to rule it out (and also because I wanted IPMI) I've replaced the hardware. The problem server is now running the same Supermicro mainboard as the working one. Slightly different CPU but both Intel. The problem persists. It's the most frustrating thing. There's clearly something wrong with the config of this box but I'm damned if I can find it. It would appear to be hidden from the GUI.

Think I'll start a new thread with a different title, or maybe file a bug report, because I do have to fix this and rebuilding the entire server from scratch isn't an option.
 

Idiotzoo

Explorer
Joined
Mar 11, 2013
Messages
55
This problem now appears to be solved after a long day of pain. Thought I'd post the outcome here for the searching benefit of others.

Turned to paid support from Michael at Gainframe who initially suggested, among other things, specifying the domain controller by IP. Did this and Directory services wouldn't start. I then spent hours digging through logs, performing AD diagnostics and getting nowhere. Tried an update to 9.3, same problem.

To prove it wasn't our AD at fault I set up a fresh install FreeNAS VM. That worked.

In the end I did a fresh install on a new USB stick and restored the config. All is now working so it would appear the problem was a corrupt install all along.

No other signs of it, everything else worked and nothing untoward in the logs. Whether it's something to do with having used an AMD CPU previously I don't know... But there we are.

If you have weird problems with FreeNAS, try restoring your config on to a fresh install first.
 