We run this pair of OpenSolaris servers that provide file storage. They run active/passive and stay in sync via snapshot replication every minute or so. Originally, they both ran OpenIndiana, but since development for OI seems to be stagnating, we decided to switch to the more actively developed OmniOS.

We upgraded the backup server first. Everything has gone mostly according to plan, except I cannot see my ZFS file system shared from the system through SMB.

SMB sharing is enabled on the file system:

NAME        PROPERTY  VALUE                             SOURCE
zpool/data  sharesmb  abe=true,name=data,guestok=false  local

The smb/server service is online, as well as its dependencies:

fmri         svc:/network/smb/server:default
name         smbd daemon
enabled      true
state        online
next_state   none
state_time   Mon Mar  7 14:31:29 2016
logfile      /var/svc/log/network-smb-server:default.log
restarter    svc:/system/svc/restarter:default
contract_id  16253
dependency   require_any/error svc:/milestone/network (online)
dependency   require_all/error svc:/system/filesystem/local (online)
dependency   require_all/none svc:/system/idmap:default (online)
dependency   require_all/none svc:/network/smb/client:default (online)

Sharemgr is aware of the share:

default nfs=()
smb smb=()
        * /var/smb/cvol
                  c$=/var/smb/cvol       smb=(abe="false" guestok="false")      "Default Share"
zfs smb=() nfs=()
    zfs/zpool/data smb=()
          /zpool/data    smb=(abe="true")
                  data=/zpool/data       smb=(guestok="false")

SMB is enabled in sharemgr:

default enabled nfs
smb     enabled smb
zfs     enabled smb nfs

However, I cannot view the share when I browse to the server from a Windows machine, nor when I query it with smbutil view.

The output of smbutil for the backup server compared to the primary is:

Backup:

Share        Type       Comment
-------------------------------
c$           disk       Default Share
IPC$         IPC        Remote IPC
vss$         disk       VSS

Primary:

Share        Type       Comment
-------------------------------
c$           disk       Default Share
data         disk
IPC$         IPC        Remote IPC
vss$         disk       VSS

ACLs on the folder are correct:

d---------+821 Administrators@BUILTIN 2147483650     823 Mar  4 14:52 data
    group:Domain Users@DOMAIN:r-x---a-R-c--s:-------:allow

ACLs on the share are correct:

-rwxrwxrwx+  1 root     root           0 Nov 30 08:57 /zpool/data/.zfs/shares/data
              everyone@:rwxpdDaARWcCos:-------:allow

I created another ZFS file system in the same zpool, shared it with SMB, and accessed it successfully. It seems to be a problem with this file system.

These filesystems are using ZFS version 5.

Edit: smbutil view not smbutil show

Edit: I'm not sure if this is related, but I am also having an issue with Kerberos. The keytab file at /etc/krb5/krb5.keytab was not generated when I joined the domain. kinit still works, but idmap does not seem happy about this:

tail /var/svc/log/system-idmap:default.log:

dc2.my.domain: additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table file '/etc/krb5/krb5.keytab' not found)
LDAP: dc1.my.domain:389: Local error
dc1.my.domain: Local error
dc1.my.domain: additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table file '/etc/krb5/krb5.keytab' not found)
LDAP: dc2.my.domain:389: Local error
dc2.my.domain: Local error
dc2.my.domain: additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table file '/etc/krb5/krb5.keytab' not found)
LDAP: dc1.my.domain:389: Local error
dc1.my.domain: Local error
dc1.my.domain: additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table file '/etc/krb5/krb5.keytab' not found)

My krb5.conf:

[libdefaults]
        default_realm = MY.DOMAIN

[realms]
        MY.DOMAIN = {
                kdc = <dc1 IP>
                kdc = <dc2 IP>
                admin_server = <dc1 IP>
                kpasswd_server = <dc1 IP>
                kpasswd_protocol = SET_CHANGE
        }
[domain_realm]
        .my.domain = MY.DOMAIN
        my.domain = MY.DOMAIN
[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }
[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }

My /etc/resolv.conf:

search my.domain
domain my.domain
nameserver <dc1 IP>

Running smbadm list shows it joined the domain:

[*] [DOMAIN]
[*] [MY.DOMAIN]
        [+dc1.MY.DOMAIN] [<dc1 IP>]
[.] [ZFS2] [S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXXX]
[*] [DOMAIN] [S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX]

The machine's name is ZFS2. I can also see the computer account on the domain controller.

Steve F

1 Answer

This was a matter of file permissions. The ACLs that allowed Domain Users to access the file system are apparently sufficient for OpenIndiana, but not for OmniOS. The fix was to chmod 555 the /zpool/data directory.

As for the Kerberos errors, I followed instructions at http://solariscat.blogspot.dk/2015/01/solaris-11-samba-zfs-configuration-with.html to manually generate a keytab file.

Steve F
  • What is the effect on privacy of the chmod 555? I guess everyone will be able to cd in it and list the files. Isn't this strange as a requirement to have the share working? – FarO Apr 21 '16 at 18:34
  • I agree, it is strange. I didn't dig into it any further since I intended for the share to be accessible by everybody. Access based enumeration takes over after that. – Steve F Apr 21 '16 at 18:53
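
The exposure question raised in the comments can be checked directly from `ls -dV` output. The script below is an added example, not part of the original post: it parses the compact ACL format shown in the question and reports whether access rests on ACL entries alone (the pre-fix state) or whether the mode bits and an `everyone@` entry now allow listing and traversal. The finding names and the "after" listing are constructed for illustration; the ACL that `chmod 555` actually produces is an assumption here.

```shell
# Added example. Reads `ls -dV <dir>` output (illumos compact ACL format) on
# stdin and prints one finding per line. Finding names are hypothetical.
audit_acl() {
    awk '
    NR == 1 {
        bits = substr($1, 2, 9)              # permission bits after the type char
        acl  = (substr($1, 11, 1) == "+")    # "+" marks a non-trivial ACL
        if (bits == "---------" && acl) print "MODE_EMPTY_ACL_ONLY"
        if (substr(bits, 7, 3) ~ /[rwx]/) print "MODE_OTHER_" substr(bits, 7, 3)
        next
    }
    NF {
        line = $0
        sub(/^[ \t]+/, "", line)
        n = split(line, f, ":")
        if (n < 4) next                      # expect who:perms:inherit:type
        who = f[1]                           # "who" may contain a colon (group:Name)
        for (i = 2; i <= n - 3; i++) who = who ":" f[i]
        perms = f[n - 2]; kind = f[n]
        if (who == "everyone@" && kind == "allow") {
            if (substr(perms, 1, 1) == "r") print "EVERYONE_LIST"
            if (substr(perms, 3, 1) == "x") print "EVERYONE_TRAVERSE"
        }
    }'
}

# Directory listing from the question, before the fix.
sample_before() {
cat <<'EOF'
d---------+821 Administrators@BUILTIN 2147483650     823 Mar  4 14:52 data
    group:Domain Users@DOMAIN:r-x---a-R-c--s:-------:allow
EOF
}

# Constructed listing for the state after chmod 555 (assumed, not captured).
sample_after() {
cat <<'EOF'
dr-xr-xr-x+821 Administrators@BUILTIN 2147483650     823 Mar  4 14:52 data
              owner@:r-x---a-R-c--s:-------:allow
              group@:r-x---a-R-c--s:-------:allow
           everyone@:r-x---a-R-c--s:-------:allow
EOF
}

echo "before:"; sample_before | audit_acl
echo "after:";  sample_after  | audit_acl
```

On a real system, pipe `ls -dV /zpool/data` into `audit_acl` before and after changing the mode to see which findings appear.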