• [6.10.3] Intermittent SMB Issues After 6.10.2 Upgrade


    Geoff Bland
    • Urgent

    Myself and many other users are experiencing many issues with SMB shares using Windows Active Directory since upgrading to 6.10.2. Upgrading to 6.10.3 has not fixed this.

     

    These are all listed in the forum thread

     

    My own issue is that for most of the time since upgrading to 6.10.2 I cannot access any UNRAID share with my own user account - however this is intermittent and occasionally access works fine for a day or two. A few other user accounts are affected but also some accounts are fine and have no problems.

     

    My log drive is 98% full due to very large syslog files. The syslog shows continual refused mount requests for my account and this seems to be as it cannot convert my SID to a UID.
     

    Jul 15 21:58:49 UNRAID01 smbd[****]:   check_account: Failed to convert SID S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX-1105 to a UID (dom_user[DOMAIN\username)
    

     

    The  /var/log/samba/log.smbd log file is also full of the same error message.

     

    I also note this 

     

    root@UNRAID01:~# wbinfo -i myuser
    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user myuser
    root@UNRAID01:~# wbinfo -i okuser
    okuser:*:NNNNNNNN:NNNNNNNNNN:okuser:/home/DOMAIN/okuser:/bin/false

     

    I can call wbinfo for all users on the UNRAID server and this gets the correct SIDs for all.

    • Upvote 2






    I should also mention the Samba mailing list https://lists.samba.org/mailman/listinfo/samba

    It was the guys on this mailing list that helped me work out what was going on and gave some great advice - all I learnt and posted above was based on responses I got from this mailing list - I got fairly quick responses from the list and the guys on this list know far more than I about Samba.

     

    4 hours ago, R.M.H said:

    What does concern me is a distinct lack of engagement from Unraid Devs on what is an issue impacting multiple paying customers of their product. I guess the only positive is there is a very helpful community trying to solve this but the lack of product owner input is bad.

     

    Quoted for truth.

    Edited by Geoff Bland
    Link to comment
    1 hour ago, Geoff Bland said:

    It's a long shot but does "smbstatus -S" show anything unexpected?

    No, there's nothing unexpected.

     

    1 hour ago, Geoff Bland said:

    I can't see an error in your set-up. All looks correct.

    Thanks, that at least confirms that the error is not on my side.

     

     

    1 hour ago, Geoff Bland said:

    I should also mention the Samba mailing list https://lists.samba.org/mailman/listinfo/samba

    It was the guys on this mailing list that helped me work out what was going on and gave some great advice - all I learnt and posted above was based on responses I got from this mailing list - I got fairly quick responses from the list and the guys on this list know far more than I about Samba.

    I agree with @R.M.H here.
    This is a feature that by its nature is aimed at business customers and is actually part of the standard functionality of the software for which we have paid a licence fee.

    The experiences described here show that this is not an isolated case, but rather a general software problem on the part of Unraid.

    Accordingly, it should be the task of the developers to search for errors and, if necessary, make use of the Samba mailing list.

     

    Edited by psychofaktory
    Link to comment

    On 25.07. I opened a ticket: Unraid User Bug Report (ID #3918). Support is aware of this entry. I asked them again to support the post, since apparently no progress can be seen without further help. I hope we will get support soon.

    Link to comment

    I don't know if it helps, since I don't know how this works behind the scenes in Unraid....

     

    But I have noticed that

    getent group

    displays only local Unraid groups.

     

    However, if the group is specifically requested, it is found and the ID is also displayed correctly:

    getent group lehrer
    lehrer:x:11132:

     

    Conversely, the group membership can be displayed for a user with the id command:

    id Scan
    uid=11325(scan) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),11325(scan),1001(BUILTIN\users)

     

     

    Link to comment
    1 hour ago, LHBL2003 said:

    On 25.07. I opened a ticket: Unraid User Bug Report (ID #3918). Support is aware of this entry.

     

    I assumed this forum section itself was where we raised bug reports and the developers would be aware of anything posted here. The description of this forum section is "Formal bug and defect reports." - so I assume this is monitored by Lime Tech.

     

    Where did you find to raise a ticket - I have looked, so it seems it is not made easy to find?

     

    Link to comment
    11 hours ago, Geoff Bland said:

     

    I can't see an error in your set-up. All looks correct.

     

    When I access UNRAID shares from my Windows server with an account that has access I don't see anything in the log.

    If I access an UNRAID share with an account that does not have access I get "Permission denied" warnings such as yours in the logs.

     

    It's a long shot but does "smbstatus -S" show anything unexpected?

     

     

    Interesting - although the current version on UNRAID 6.10.3 is not that old and uses Samba 4.15.7.

    It'd be good to see if they have also replaced the end-of-life (over 5 years ago) idmap_hash ID mapper. 


     

    From support:


     

    DanL has replied to your support request.
     

    Re: Re: Unraid User Bug Report (ID #3918)

    Hello,

     

    There is a potential solution here: 

    https://forums.unraid.net/bug-reports/stable-releases/log-file-idmap_hash_initialize-the-idmap_hash-module-is-deprecated-and-should-not-be-used-r1501/?tab=comments&comment=20593&do=findComment#comment-20593

     

     

    Please review that solution and see if it applies to your situation.

     

    Dan




    — Unraid 

    Link to comment
    On 9/19/2022 at 9:15 PM, Holmesware said:

    Modify your /boot/config/smb-extra.conf file like this:

     

        idmap config * : backend = tdb <-- Used to be hash>
        idmap config * : range = 3000-7999 <-- Range enough for local users>
        idmap config <SHORTDOMAINNAME> : backend = rid
        idmap config <SHORTDOMAINNAME> : range = 10000-4000000000

    So basically this is the same solution approach as presented here in the thread.

    I applied it like this. But that didn't solve my problem.

     

     

    On 9/19/2022 at 9:15 PM, Holmesware said:

    * CAUTION * Making these changes you will have to re-apply all permissions on files/folder that are Domain related

    The adjustments had even affected all share folders.
    How does Unraid differentiate between domain-related and non-domain-related?

     

    Link to comment

    I still don't know what relevance it has that "getent group" only shows local Unraid groups, but because of this I have investigated further.

    I went through the tests as described in this article and found out that the Kerberos authentication does not seem to work:

    kinit Scan
    kinit: Configuration file does not specify default realm when parsing name Scan

     

    Based on this error message, I searched further and found that the default realm should be entered in the Kerberos configuration file under /etc/krb5.conf as described here.

     

    Could this be a potential solution?

    Link to comment
    6 hours ago, psychofaktory said:

    Based on this error message, I searched further and found that the default realm should be entered in the Kerberos configuration file under /etc/krb5.conf as described here.

    Could this be a potential solution?

     

    My krb5.conf is just the UNRAID default which uses DNS:

     

    root@UNRAID:~# cat /etc/krb5.conf 
    [libdefaults]
        dns_lookup_kdc = true
        dns_lookup_realm = false
    
    

     

    My UNRAID server has a static IP and a static address for DNS server - one of the AD domain controllers is the DNS server used.

     

    Also getent group only shows UNRAID groups on my UNRAID server too. 

    Edited by Geoff Bland
    Link to comment

    So there seems to be no difference to my configuration here.
    But why isn't it working as expected here?

     

    By the way, the problem still exists with the new Unraid 6.11 and Samba 4.17.0.

    • Like 1
    Link to comment

    My last mail to the support.

    Either you get active help, or I'll get rid of the mix disks and buy a big RAID and carry on as before.
     

    ——————

     

    Hi Dan,

     

     thank you very much that you seem to have released version 6.11.

     From what I've read, this version is mainly for system improvements and less for new features.  I think this is very good, because new functions are useless if existing ones don't work properly.

     

     The first one could already find out in the forum that the Samba theme still does not work in this new version either.

     

     I and all Windows users would be happy if support actively participated in the topic in the forum mentioned.  There are some active people there who will no doubt help you with the error analysis.

     

     As others have mentioned in the post, UNRAID is a very nice system.  Personally, I'm happy that you can use different hard drives.  But without rights management with a Windows directory, this system cannot be used in schools and companies.

     

     For this reason, I would like to ask you to take an active part in the contribution.  I don't want to play silent mail to somehow try to give support information, only to send half information to them shortly afterwards.

     

     The fact is that we have all had problems assigning rights with Windows AD in combination with Unraid since version 6.10.  But no problems with other systems such as QNAP.

     

     Kind regards

     denis


    ———-

     

    Hi LHBL2003, 
    psychofaktory has posted a comment on a report, [6.10.3] Intermittent SMB Issues After 6.10.2 Upgrade 
     

    Posted in [6.10.3] Intermittent SMB Issues After 6.10.2 Upgrade

    So there seems to be no difference to my configuration here. But why it isn't working as expected here?   By the way, the problem still ex...

    Go to this Report Comment

     

    https://forums.unraid.net/bug-reports/stable-releases/6103-intermittent-smb-issues-after-6102-upgrade-r2028/page/3/?tab=comments#

    Link to comment

    I could provide a VMWare test system.  Consisting of AD, Client and Unraid.  So that you can jointly investigate the error on a system.  I could provide access via TeamViewer.  Snapshots can also be used to reset changes.  However, that would be with an unraid test license.  Because if the support doesn't actively help, I won't buy a license.  Maybe we'll get a license for the analysis that allows for a longer test period.  But the support would have to actively report here first.  To everyone involved, what do you think of a common test system?

    Link to comment
    On 9/22/2022 at 11:57 AM, psychofaktory said:

    I don't know if it helps, since I don't know how this works behind the scenes in Unraid....

     

    But I have noticed that

    getent group

    displays only local Unraid groups.

     

    However, if the group is specifically requested, it is found and the ID is also displayed correctly:

    getent group lehrer
    lehrer:x:11132:

     

    Conversely, the group membership can be displayed for a user with the id command:

    id Scan
    uid=11325(scan) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),11325(scan),1001(BUILTIN\users)

     

     

    Not sure if this will help or not, as I haven't had time to read the previous entries in detail. If not, sorry that it isn't of more assistance.

    One of the things I discovered in my testing was that the user needed to at LEAST have permissions to read the directory to be able to have access to the ACLs in the folder. No permissions to the directory at all and they don't even have permissions to see the ACL. This required me to set two groups in AD for access, for instance a "Media RO" and a "Media RW" group. The "Media RW" group was a member of the "Media RO".

    Gave the "Media RO" group ownership but set the permissions to 0750, owner was my domain administrator account.

    Then used setfacl to assign write permissions (rwx) to the "Media RW" group and default group. The final acl looks more like this:
    # file: Media
    # owner: admin
    # group: software\040ro
    # flags: -s-
    user::rwx
    group::r-x
    group:media\040rw:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::r-x
    default:group:media\040rw:rwx
    default:mask::rwx
    default:other::---

    Essentially, every share needed two groups for the base, a RO and a RW group. For anyone else in the domain, I just left them out of the group.

     

    Additionally, I'm running server 2022 for my domain controllers and have disabled Samba 1 and told the domain members to use SMB 3 whenever possible.  My smb-extra.conf file has the following:
    [global]
     min protocol = SMB2_10
     client min protocol = SMB2_10
     idmap config <domain>: range = 100000-999999
     idmap config <domain>: backend = rid
     idmap config * : range = 3001-7999
     idmap config * : backend = tdb

    • Thanks 1
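
    A triage sketch for the `check_account: Failed to convert SID` flood and the `rid` ranges posted in this thread, added here as an example (not code from any poster, Unraid or Samba). It counts failures per account and computes the Unix ID that idmap_rid(8) derives for each SID (ID = RID - BASE_RID + LOW_RANGE_ID); the host, domain, account names and SIDs in the sample lines are constructed.

```python
import re
from collections import Counter

# smbd message format as posted in this thread; \w tolerates redacted (XXXX) parts.
FAIL_RE = re.compile(
    r"smbd\[[^\]]*\]:\s+check_account: Failed to convert SID "
    r"(?P<sid>S-1-5-21(?:-\w+){3}-\d+) to a UID "
    r"\(dom_user\[(?P<user>[^\]\)]+)"
)

def failed_sids(lines):
    """Count failed SID-to-UID conversions per (SID, account)."""
    hits = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            hits[(m["sid"], m["user"])] += 1
    return hits

def rid_to_unix_id(sid, low, high, base_rid=0):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the ID falls outside the configured range,
    where the rid backend will not map the SID."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def ranges_overlap(a, b):
    """True when two inclusive (low, high) idmap ranges share any ID."""
    return a[0] <= b[1] and b[0] <= a[1]

def triage(lines, domain_range, default_range):
    """Summarise the flood: who fails, how often, and what ID rid would give."""
    failures = [
        {"user": user, "sid": sid, "count": n,
         "expected_id": rid_to_unix_id(sid, *domain_range)}
        for (sid, user), n in failed_sids(lines).most_common()
    ]
    return {"ranges_overlap": ranges_overlap(domain_range, default_range),
            "failures": failures}

# Constructed sample lines (hypothetical host, domain, accounts and SIDs).
_SID = "S-1-5-21-1111111111-2222222222-3333333333"
_MSG = "smbd[4242]:   check_account: Failed to convert SID {} to a UID (dom_user[EXAMPLE\\{}])"
SAMPLE_LOG = [
    "Jul 15 21:58:49 NAS01 " + _MSG.format(_SID + "-1105", "alice"),
    "Jul 15 21:58:50 NAS01 " + _MSG.format(_SID + "-1105", "alice"),
    "Jul 15 21:58:51 NAS01 " + _MSG.format(_SID + "-1000500", "bob"),
    "Jul 15 21:58:52 NAS01 winbindd[977]: unrelated message",
]

if __name__ == "__main__":
    # Ranges from the smb-extra.conf above: domain 100000-999999, default 3001-7999.
    result = triage(SAMPLE_LOG, (100000, 999999), (3001, 7999))
    print("ranges overlap:", result["ranges_overlap"])
    for row in result["failures"]:
        print(row["count"], row["user"], row["sid"], "->", row["expected_id"])
```

    An `expected_id` of None means the RID plus the range's lower bound exceeds the upper bound, so that range is too small for the account; a value that differs from the owner IDs already on disk explains why changing the backend or range forces permissions to be re-applied.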
    Link to comment

    I have feedback that support is analysing this issue.
    ————-

    Re: Re: Unraid User Bug Report (ID #3918)

    Denis,

     

    Please be patient while we work through these issues.  As you can appreciate, Microsoft is continually making changes to SMB to address security and the Samba team is doing its best to keep up with those changes.  Unraid is the tail being wagged by the dog.  We come in after the fact and do what we can to address the changes in SMB and Samba.  We do a lot of internal testing and RC releases to try to get as much addressed as possible before release.  AD is an enterprise feature and we have limited internal capability to test.  That being said, we are working on this issue.

     

    Dan

    • Like 1
    Link to comment

    I've been using Unraid since 2018, always within a domain. After upgrading to 6.10.x, I've been having the same problem as the others. Passing here just for registration. Waiting for a definitive solution from Unraid.

    Edited by danilodino
    Link to comment

    Yep, add me to the list of affected users now too.

    Zentyal 6.1 as a domain controller

    Windows 10 workstations

    Multiple Unraid Machines with ZFS

    Only the heavily used Fileserver (smb) being affected for the last 5 days.

    Starts with me (the heaviest user) getting forgotten about first, then it forgets some groups, then it's end user chaos.

    Reach out to me if you want a test environment of 60 users.

    Link to comment

    If anyone has Multichannel turned on, turn it off and try.  There has been a report of a problem with Multichannel.

    Link to comment

    My one machine with multichannel on was the affected machine, turning it off didn't help.

     

    I have a funny bug now with Unassigned Devices putting its config at the bottom of the smb-extra.conf file and fully commenting it out. My other machines don't do this. There is nothing in the smb-setting.conf file but this started after I removed the multichannel setting from smb-extra.conf.

     


     

    I'm down to just my own account being the only one that my affected server can't recognize so I'm able to live with this.

     

    Oct  6 13:50:50 <SERVERNAME>  smbd[22464]:   check_account: Failed to convert SID S-1-5-21-2194464868-3260781856-949890820-1145 to a UID (dom_user[<DOMAIN>\<USERNAME>])

    Link to comment
    55 minutes ago, Holmesware said:

    I have a funny bug now with Unassigned Devices putting its config at the bottom of the smb-extra.conf file and fully commenting it out. My other machines don't do this. There is nothing in the smb-setting.conf file but this started after I removed the multichannel setting from smb-extra.conf.

    That shouldn't happen.  UD never comments out the include line.  Maybe you did a manual edit and commented it out while testing.  Uncomment it or your UD shares won't work.

    Link to comment

    I manually edited the smb-settings.conf file to what it should be, restarted samba and *something* put it back at the bottom fully commented out. I've only seen it at the top like this.

     

    I'll try it again after hours and post video if needed.

     

     

    [global]
    #unassigned_devices_start
    #Unassigned devices share includes
       include = /tmp/unassigned.devices/smb-settings.conf
    #unassigned_devices_end
    [usershares]
    path = /pool/usershares
    hide unreadable = yes
    guest ok = yes
    writeable = yes
    read only = no
    create mask = 0770
    directory mask = 0770
    vfs object = recycle,shadow_copy2
    recycle:repository = .recycle
    recycle:keeptree = yes
    recycle:versions = yes
    shadow: snapdir = .zfs/snapshot
    shadow: sort = desc
    shadow: format = zfs-auto-snap_%S-%Y-%m-%d-%H%M
    shadow: localtime = yes
    [it]
    path = /pool/it
    guest ok = yes
    writeable = yes
    read only = no
    create mask = 0775
    directory mask = 0775
    vfs object = recycle,shadow_copy2
    recycle:repository = .recycle
    recycle:keeptree = yes
    recycle:versions = yes
    shadow: snapdir = .zfs/snapshot
    shadow: sort = desc
    shadow: format = zfs-auto-snap_%S-%Y-%m-%d-%H%M
    shadow: localtime = yes
    [shares]
    path = /pool/shares
    hide unreadable = yes
    browseable = yes
    guest ok = yes
    writeable = yes
    read only = no
    create mask = 0775
    directory mask = 0775
    vfs object = recycle,shadow_copy2
    recycle:repository = .recycle
    recycle:keeptree = yes
    recycle:versions = yes
    shadow: snapdir = .zfs/snapshot
    shadow: sort = desc
    shadow: format = zfs-auto-snap_%S-%Y-%m-%d-%H%M
    shadow: localtime = yes
    [AVMTEST]
    path = /pool/AVMTEST
    browseable = no
    guest ok = no
    writeable = yes
    read only = no
    create mask = 0775
    directory mask = 0775
    [interchange]
    path = /pool/interchange
    hide unreadable = yes
    browseable = yes
    guest ok = yes
    writeable = yes
    read only = no
    create mask = 0770
    directory mask = 0770

    #unassigned_devices_start
    #Unassigned devices share includes
    #   include = /tmp/unassigned.devices/smb-settings.conf
    #unassigned_devices_end

    Edited by Holmesware
    Link to comment

    OK, just spitballing here....  This issue is for an Unraid box connected to a domain. I've been having issues with Windows Store apps being corrupted and having to reinstall them (calculator, snip & sketch, etc.) as the affected user with admin permissions. Real pain. Been digging around on this and found that there are updates to GPO templates that will fix this.

     

    https://social.technet.microsoft.com/Forums/en-US/aa006d8f-9f01-44bb-bf90-ac0456a42153/group-policy-breaks-start-menu-modern-apps?forum=win10itprosecurity

     

    https://www.microsoft.com/en-us/download/confirmation.aspx?id=103667

     

    I'm running Zentyal for a Domain Controller for many reasons including cost, but this issue sounds like it affects Windows and Linux based domains. Could this be part of the problem? I'm trying it out myself but not really confident I'm going to get it right. Anyone else been down this path?

    Edited by Holmesware
    Link to comment

    I have also been experiencing this issue for quite a while. I don't have a lot to add that others haven't already said but I wanted to register my voice anyway.

     

    The only thing I can suggest to everyone experiencing the problem where Samba forgets users exist after ~ a week and you need to leave/join. I have found that giving the command 'net cache flush' a few times on the unraid console solves this problem.

     

    I did use tdb for a while but switched back because I was having other issues using that. I may go back and try that again.

    Hope we get an official fix soon; we've been dealing with this problem for months and I'm really getting tired. FreeNAS may be in my future.

    • Like 1
    Link to comment


