• [6.10.3] Intermittent SMB Issues After 6.10.2 Upgrade


    Geoff Bland
    • Urgent

    Myself and many other users are experiencing many issues with SMB shares using Windows Active Directory since upgrading to 6.10.2. Upgrading to 6.10.3 has not fixed this.

     

    These are all listed in the forum thread 

     

    My own issue is that for most of the time since upgrading to 6.10.2 I cannot access any UNRAID share with my own user account - however this is intermittent and occasionally access works fine for a day or two. A few other user accounts are affected but also some accounts are fine and have no problems.

     

    My log drive is 98% full due to very large syslog files. The syslog shows continual refused mount requests for my account and this seems to be as it cannot convert my SID to a UID.
     

    Jul 15 21:58:49 UNRAID01 smbd[****]:   check_account: Failed to convert SID S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX-1105 to a UID (dom_user[DOMAIN\username)
    

     

    The  /var/log/samba/log.smbd log file is also full of the same error message.

     

    I also note this 

     

    root@UNRAID01:~# wbinfo -i myuser
    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user myuser
    root@UNRAID01:~# wbinfo -i okuser
    okuser:*:NNNNNNNN:NNNNNNNNNN:okuser:/home/DOMAIN/okuser:/bin/false

     

    I can call wbinfo for all users on the UNRAID server and this gets the correct SIDs for all.

    • Upvote 2






    I should also mention the Samba mailing list https://lists.samba.org/mailman/listinfo/samba

    It was the guys on this mailing list that helped me work out what was going on and gave some great advice - all I learnt and posted above was based on responses I got from this mailing list - I got fairly quick responses from the list and the guys on this list know far more than I about Samba.

     

    4 hours ago, R.M.H said:

    What does concern me is a distinct lack of engagement from Unraid Devs on what is an issue impacting multiple paying customers of their product. I guess the only positive is there is a very helpful community trying to solve this but the lack of product owner input is bad.

     

    Quoted for truth.

    Edited by Geoff Bland
    Link to comment
    1 hour ago, Geoff Bland said:

    It's a long shot but does "smbstatus -S" show anything unexpected?

    No, there's nothing unexpected.

     

    1 hour ago, Geoff Bland said:

    I can't see an error in your set-up. All looks correct.

    Thanks, that at least confirms that the error is not on my side.

     

     

    1 hour ago, Geoff Bland said:

    I should also mention the Samba mailing list https://lists.samba.org/mailman/listinfo/samba

    It was the guys on this mailing list that helped me work out what was going on and gave some great advice - all I learnt and posted above was based on responses I got from this mailing list - I got fairly quick responses from the list and the guys on this list know far more than I about Samba.

    I agree with @R.M.H here.
    This is a feature that by its nature is aimed at business customers and is actually part of the standard functionality of the software for which we have paid a licence fee.

    The experiences described here show that this is not an isolated case, but rather a general software problem on the part of Unraid.

    Accordingly, it should be the task of the developers to search for errors and, if necessary, make use of the Samba mailing list.

     

    Edited by psychofaktory
    Link to comment

    On 25.07. I opened a ticket: Unraid User Bug Report (ID #3918); support is aware of this entry. I asked them again to support the post, since apparently no progress can be seen without further help. I hope we will get support soon.

    Link to comment

    I don't know if it helps, since I don't know how this works behind the scenes in Unraid....

     

    But I have noticed that

    getent group

    displays only local Unraid groups.

     

    However, if the group is specifically requested, it is found and the ID is also displayed correctly:

    getent group lehrer
    lehrer:x:11132:

     

    Conversely, the group membership can be displayed for a user with the id command:

    id Scan
    uid=11325(scan) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),11325(scan),1001(BUILTIN\users)

     

     

    Link to comment
    1 hour ago, LHBL2003 said:

    On 25.07. I opened a ticket: Unraid User Bug Report (ID #3918); support is aware of this entry.

     

    I assumed this forum section itself was where we raised bug reports and the developers would be aware of anything posted here. The description of this forum section is "Formal bug and defect reports." - so I assume this is monitored by Lime Tech.

     

    Where did you find to raise a ticket - I have looked, so it seems it is not made easy to find?

     

    Link to comment
    11 hours ago, Geoff Bland said:

     

    I can't see an error in your set-up. All looks correct.

     

    When I access UNRAID shares from my Windows server with an account that has access I don't see anything in the log.

    If I access an UNRAID share with an account that does not have access I get "Permission denied" warnings such as yours in the logs.

     

    It's a long shot but does "smbstatus -S" show anything unexpected?

     

     

    Interesting - although the current version on UNRAID 6.10.3 is not that old and uses Samba 4.15.7.

    It'd be good to see if they have also replaced the end-of-life (over 5 years ago) idmap_hash ID mapper. 


     

    From support:

    feedback@support.unraid.net

     

    DanL has replied to your support request.
     

    Re: Re: Unraid User Bug Report (ID #3918)

    Hello,

     

    There is a potential solution here: 

    https://forums.unraid.net/bug-reports/stable-releases/log-file-idmap_hash_initialize-the-idmap_hash-module-is-deprecated-and-should-not-be-used-r1501/?tab=comments&comment=20593&do=findComment#comment-20593

     

     

    Please review that solution and see if it applies to your situation.

     

    Dan




    — Unraid 

    Link to comment
    On 9/19/2022 at 9:15 PM, Holmesware said:

    Modify your /boot/config/smb-extra.conf file like this:

     

        # Used to be hash
        idmap config * : backend = tdb
        # Range enough for local users
        idmap config * : range = 3000-7999
        idmap config <SHORTDOMAINNAME> : backend = rid
        idmap config <SHORTDOMAINNAME> : range = 10000-4000000000

    So basically this is the same solution approach as presented here in the thread.

    I applied it like this. But that didn't solve my problem.

     

     

    On 9/19/2022 at 9:15 PM, Holmesware said:

    * CAUTION * Making these changes you will have to re-apply all permissions on files/folder that are Domain related

    The adjustments had even affected all share folders.
    How does Unraid differentiate between domain-related and non-domain-related?

     

    Link to comment

    I still don't know what relevance it has that "getent group" only shows local Unraid groups, but because of this I have investigated further.

    I went through the tests as described in this article and found out that the Kerberos authentication does not seem to work:

    kinit Scan
    kinit: Configuration file does not specify default realm when parsing name Scan

     

    Based on this error message, I searched further and found that the default realm should be entered in the Kerberos configuration file under /etc/krb5.conf as described here.

     

    Could this be a potential solution?

    Link to comment
    6 hours ago, psychofaktory said:

    Based on this error message, I searched further and found that the default realm should be entered in the Kerberos configuration file under /etc/krb5.conf as described here.

    Could this be a potential solution?

     

    My krb5.conf is just the UNRAID default which uses DNS:

     

    root@UNRAID:~# cat /etc/krb5.conf 
    [libdefaults]
        dns_lookup_kdc = true
        dns_lookup_realm = false
    
    

     

    My UNRAID server has a static IP and a static address for DNS server - one of the AD domain controllers is the DNS server used.

     

    Also getent group only shows UNRAID groups on my UNRAID server too. 

    Edited by Geoff Bland
    Link to comment

    So there seems to be no difference to my configuration here.
    But why isn't it working as expected here?

     

    By the way, the problem still exists with the new Unraid 6.11 and Samba 4.17.0.

    Link to comment

    My last mail to the support.

    Either you get active help, or I'll get rid of the mix disks and buy a big RAID and carry on as before.
     

    ——————

     

    Hi Dan,

     

     thank you very much that you seem to have released version 6.11.

     From what I've read, this version is mainly for system improvements and less for new features.  I think this is very good, because new functions are useless if existing ones don't work properly.

     

     The first one could already find out in the forum that the Samba theme still does not work in this new version either.

     

     I and all Windows users would be happy if support actively participated in the topic in the forum mentioned.  There are some active people there who will no doubt help you with the error analysis.

     

     As others have mentioned in the post, UNRAID is a very nice system.  Personally, I'm happy that you can use different hard drives.  But without rights management with a Windows directory, this system cannot be used in schools and companies.

     

     For this reason, I would like to ask you to take an active part in the contribution.  I don't want to play silent mail to somehow try to give support information, only to send half information to them shortly afterwards.

     

     The fact is that we have all had problems assigning rights with Windows AD in combination with Unraid since version 6.10.  But no problems with other systems such as QNAP.

     

     Kind regards

     denis


    ———-

     

    Hi LHBL2003, 
    psychofaktory has posted a comment on a report, [6.10.3] Intermittent SMB Issues After 6.10.2 Upgrade 
     

    Posted in [6.10.3] Intermittent SMB Issues After 6.10.2 Upgrade

    So there seems to be no difference to my configuration here. But why it isn't working as expected here?   By the way, the problem still ex...

    Go to this Report Comment

     

    https://forums.unraid.net/bug-reports/stable-releases/6103-intermittent-smb-issues-after-6102-upgrade-r2028/page/3/?tab=comments#

    Link to comment

    I could provide a VMWare test system.  Consisting of AD, Client and Unraid.  So that you can jointly investigate the error on a system.  I could provide access via TeamViewer.  Snapshots can also be used to reset changes.  However, that would be with an unraid test license.  Because if the support doesn't actively help, I won't buy a license.  Maybe we'll get a license for the analysis that allows for a longer test period.  But the support would have to actively report here first.  To everyone involved, what do you think of a common test system?

    Link to comment
    On 9/22/2022 at 11:57 AM, psychofaktory said:

    I don't know if it helps, since I don't know how this works behind the scenes in Unraid....

     

    But I have noticed that

    getent group

    displays only local Unraid groups.

     

    However, if the group is specifically requested, it is found and the ID is also displayed correctly:

    getent group lehrer
    lehrer:x:11132:

     

    Conversely, the group membership can be displayed for a user with the id command:

    id Scan
    uid=11325(scan) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),11325(scan),1001(BUILTIN\users)

     

     

    Not sure if this will help or not, as I haven't had time to read the previous entries in detail. If not, sorry that it isn't of more assistance.

    One of the things I discovered in my testing was that the user needed to at LEAST have permissions to read the directory to be able to have access to the ACLs in the folder. No permissions to the directory at all and they don't even have permissions to see the ACL. This required me to set two groups in AD for access, for instance a "Media RO" and a "Media RW" group. The "Media RW" group was a member of the "Media RO".

    Gave the "Media RO" group ownership but set the permissions to 0750, owner was my domain administrator account.

    Then used setfacl to assign write permissions (rwx) to the "Media RW" group and default group. The final acl looks more like this:
    # file: Media
    # owner: admin
    # group: software\040ro
    # flags: -s-
    user::rwx
    group::r-x
    group:media\040rw:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::r-x
    default:group:media\040rw:rwx
    default:mask::rwx
    default:other::---

    Essentially, every share needed two groups for the base, a RO and a RW group. For anyone else in the domain, I just left them out of the group.

     

    Additionally, I'm running server 2022 for my domain controllers and have disabled Samba 1 and told the domain members to use SMB 3 whenever possible.  My smb-extra.conf file has the following:
    [global]
     min protocol = SMB2_10
     client min protocol = SMB2_10
     idmap config <domain>: range = 100000-999999
     idmap config <domain>: backend = rid
     idmap config * : range = 3001-7999
     idmap config * : backend = tdb

    Link to comment
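
    The idmap layout quoted in the posts above (tdb for the default domain, rid for the AD domain) can be checked mechanically. This is an added example, not code from the thread, Unraid or Samba; MYDOM stands in for the short domain name, the helper names are made up here, and the RID formula is the one documented for idmap_rid (ID = RID - base_rid + low range).

```python
import re

# Constructed samples: the layout quoted in this thread (MYDOM replaces
# <SHORTDOMAINNAME>) and the older catch-all hash backend it replaced.
FIXED = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-4000000000
"""
OLD = "idmap config * : backend = hash\nidmap config * : range = 3000-7999\n"

LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high), ...}}."""
    conf = {}
    for raw in text.splitlines():
        m = LINE.match(raw)          # comment and unrelated lines are skipped
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = val.split("-")
            val = (int(low), int(high))
        conf.setdefault(dom, {})[key] = val
    return conf

def lint(conf):
    """List problems: deprecated backend, missing or overlapping ranges."""
    issues = []
    for dom, c in conf.items():
        if c.get("backend") == "hash":
            issues.append(f"{dom}: idmap_hash is deprecated")
        if "range" not in c:
            issues.append(f"{dom}: no range set")
    ranged = sorted((c["range"], d) for d, c in conf.items() if "range" in c)
    for ((_, hi), a), ((lo, _), b) in zip(ranged, ranged[1:]):
        if lo <= hi:                 # next range starts inside the previous one
            issues.append(f"{a} and {b}: ranges overlap")
    return issues

def rid_to_id(conf, dom, sid):
    """Unix ID the rid backend assigns to a SID, or None if out of range."""
    low, high = conf[dom]["range"]
    rid = int(sid.rsplit("-", 1)[1])  # last SID component is the RID
    xid = rid - int(conf[dom].get("base_rid", 0)) + low
    return xid if low <= xid <= high else None
```

    With the 10000 lower bound, RID 513 (Domain Users) maps to 10513, which matches the gid in the `id` output posted earlier in the thread; changing the range or backend changes every mapped ID, which is why file ownership has to be re-applied afterwards.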

    I have feedback that support is analysing this issue.
    ————-

    Re: Re: Unraid User Bug Report (ID #3918)

    Denis,

     

    Please be patient while we work through these issues.  As you can appreciate, Microsoft is continually making changes to SMB to address security and the Samba team is doing its best to keep up with those changes.  Unraid is the tail being wagged by the dog.  We come in after the fact and do what we can to address the changes in SMB and Samba.  We do a lot of internal testing and RC releases to try to get as much addressed as possible before release.  AD is an enterprise feature and we have limited internal capability to test.  That being said, we are working on this issue.

     

    Dan

    Link to comment


