Freenas 11.3 U4 SMB Samba

Kanky

Dabbler
Joined
Feb 17, 2015
Messages
38
Hi Guys,

I updated our production server to 11.3 U4 and now our scanner cannot reach the scanner folder for depositing documents.

The scanner supports SMB1 and SMB2. I have tried enabling SMB1 support for SMB services. I also tried adding `min protocol = SMB2` and restarting but it still fails.

When I roll back to 11.3 U3 it works fine. Is there something else I can try?
 

Alecmascot

Guru
Joined
Mar 18, 2014
Messages
1,177
Upgrade to 11.3-U4.1.
 

spiceygas

Explorer
Joined
Jul 9, 2020
Messages
63
More specifically, if you read this thread then you'll see the issue was reported pretty quickly as an ACL problem, and a fix was just released.
 

Kanky

Dabbler
Joined
Feb 17, 2015
Messages
38
Thanks for the info guys.

Even after the upgrade, the issue remains. I had a look in the Samba log and can see:
Code:
[2020/07/30 08:39:54.549694,  1] ../../source3/smbd/files.c:227(file_init_global)
  file_init_global: Information only: requested 941688 open files, 59392 are available.
[2020/07/30 08:39:54.554944,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
[2020/07/30 08:39:54.675148,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/07/30 08:40:03.103450,  0] ../../source3/smbd/server.c:1788(main)
  smbd version 4.10.16 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2019
[2020/07/30 08:40:03.107158,  1] ../../source3/profile/profile_dummy.c:30(set_profile_level)
  INFO: Profiling support unavailable in this build.
[2020/07/30 08:40:03.349638,  1] ../../source3/smbd/files.c:227(file_init_global)
  file_init_global: Information only: requested 941688 open files, 59392 are available.
[2020/07/30 08:40:03.354764,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
[2020/07/30 08:40:03.519193,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/07/30 08:41:01.197390,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/07/30 08:41:01.203487,  0] ../../libcli/smb/smb2_signing.c:169(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2020/07/30 08:41:01.203551,  0] ../../lib/util/util.c:511(dump_data)
  [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[2020/07/30 08:41:01.203599,  0] ../../lib/util/util.c:511(dump_data)
  [0000] 15 51 39 FC 19 CA C3 4C   C6 FD 45 25 97 08 B0 25   .Q9....L ..E%...%
[2020/07/30 08:41:01.204107,  0] ../../libcli/smb/smb2_signing.c:169(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2020/07/30 08:41:01.204146,  0] ../../lib/util/util.c:511(dump_data)
  [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[2020/07/30 08:41:01.204193,  0] ../../lib/util/util.c:511(dump_data)
  [0000] 27 6E FE 94 AE A8 94 D1   67 75 DD 05 B2 3D 9E 02   'n...... gu...=..
[2020/07/30 08:41:06.463254,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/07/30 08:41:06.469710,  0] ../../libcli/smb/smb2_signing.c:169(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2020/07/30 08:41:06.469767,  0] ../../lib/util/util.c:511(dump_data)
  [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[2020/07/30 08:41:06.469815,  0] ../../lib/util/util.c:511(dump_data)
  [0000] 30 E9 6D FB 1C 65 D6 90   23 43 39 BA 0D DE 45 95   0.m..e.. #C9...E.
[2020/07/30 08:41:06.470334,  0] ../../libcli/smb/smb2_signing.c:169(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2020/07/30 08:41:06.470374,  0] ../../lib/util/util.c:511(dump_data)
  [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[2020/07/30 08:41:06.470421,  0] ../../lib/util/util.c:511(dump_data)
  [0000] 4C 5B 19 61 C8 1F 02 EE   F2 DE 4D 0C F1 7F 82 E4   L[.a.... ..M.....
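
A way to pull the signing failures out of an smbd log like the one above (an added example, not part of the original post). It groups each header line with its indented body and pairs every "Bad SMB2 signature" record with the two `dump_data` records that follow it. It assumes the first dump is the signature carried in the message, so an all-zero first dump is reported as an unsigned message; the function names are hypothetical.

```python
import re

# Sample input: four records taken from the log in the post above.
SAMPLE_LOG = """\
[2020/07/30 08:41:01.197390,  1] ../../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (No such file or directory)
[2020/07/30 08:41:01.203487,  0] ../../libcli/smb/smb2_signing.c:169(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2020/07/30 08:41:01.203551,  0] ../../lib/util/util.c:511(dump_data)
  [0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[2020/07/30 08:41:01.203599,  0] ../../lib/util/util.c:511(dump_data)
  [0000] 15 51 39 FC 19 CA C3 4C   C6 FD 45 25 97 08 B0 25   .Q9....L ..E%...%
"""

# "[timestamp,  level] source/file.c:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s+(\d+)\] \S+\((\w+)\)\s*$")

def parse_records(text):
    """Group each header line with the indented body lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)),
                            "func": m.group(3), "body": []})
        elif records and line.strip():
            records[-1]["body"].append(line.strip())
    return records

def dump_bytes(line):
    """Return the bytes shown on one dump_data line, ignoring the ASCII column."""
    out = []
    for tok in line.split()[1:17]:          # skip the "[0000]" offset
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            break
        out.append(int(tok, 16))
    return bytes(out)

def signature_failures(records):
    """Pair every 'Bad SMB2 signature' record with the dumps logged after it."""
    events = []
    for i, rec in enumerate(records):
        if not any("Bad SMB2 signature" in l for l in rec["body"]):
            continue
        dumps = [dump_bytes(r["body"][0]) for r in records[i + 1:i + 3]
                 if r["func"] == "dump_data" and r["body"]]
        first = dumps[0] if dumps else None
        events.append({
            "ts": rec["ts"],
            "first_dump": first,
            "second_dump": dumps[1] if len(dumps) > 1 else None,
            # Assumption: first dump = signature as received; all zero = unsigned.
            "unsigned": first is not None and len(first) == 16 and not any(first),
        })
    return events
```

On the full log above, every failure has an all-zero first dump, so the output separates "client sent no signature" from "client signed with a different key" before anyone opens a packet capture.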
 

przemo

Cadet
Joined
Mar 2, 2020
Messages
3
I have the same problem. Here is the output of `testparm -s`:
Code:
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        aio max threads = 2
        allow trusted domains = No
        bind interfaces only = Yes
        client NTLMv2 auth = No
        disable spoolss = Yes
        dns proxy = No
        domain master = No
        enable web service discovery = Yes
        kerberos method = secrets and keytab
        kernel change notify = No
        load printers = No
        local master = No
        logging = file
        map to guest = Bad User
        max log size = 51200
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        ntlm auth = ntlmv1-permitted
        preferred master = No
        realm = Domain_Name_Changed.LOCAL
        security = ADS
        server min protocol = NT1
        server role = member server
        server string = FreeNAS Server
        template shell = /bin/sh
        winbind cache time = 7200
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind max domain connections = 10
        winbind status fifo = Yes
        workgroup = Name_changed
        idmap config *: range = 90000001-100000000
        idmap config Name_changed: range = 20000-90000000
        idmap config Name_changed: backend = rid
        idmap config * : backend = tdb
        allocation roundup size = 0
        directory name cache size = 0
        dos filemode = Yes
        ea support = No
        include = /usr/local/etc/smb4_share.conf
        map archive = No
        store dos attributes = No

[Skaner]
        aio write size = 0
        mangled names = illegal
        path = /mnt/NameCHangedPool/Skaner
        read only = No
        vfs objects = streams_xattr zfs_space zfsacl
        nfs4:acedup = merge
        nfs4:chown = true
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Try the following command sequence: `wbinfo -c` and then `service samba_server onerestart`.
 

Kanky

Dabbler
Joined
Feb 17, 2015
Messages
38
My output of testparm -s:
Code:
root@FileServer:~ # testparm -s
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        aio max threads = 2
        allow trusted domains = No
        bind interfaces only = Yes
        disable spoolss = Yes
        dns proxy = No
        domain master = No
        enable web service discovery = Yes
        kerberos method = secrets and keytab
        kernel change notify = No
        load printers = No
        local master = No
        logging = file
        map to guest = Bad User
        max log size = 51200
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        preferred master = No
        realm = MEDICORE.LOCAL
        security = ADS
        server min protocol = SMB2_02
        server role = member server
        server string = FreeNAS Server
        template shell = /bin/sh
        unix extensions = No
        winbind cache time = 7200
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind max domain connections = 10
        winbind status fifo = Yes
        workgroup = MEDICORE
        idmap config *: range = 90000001-100000000
        idmap config medicore: range = 20000-90000000
        idmap config medicore: backend = rid
        idmap config * : backend = tdb
        allocation roundup size = 0
        directory name cache size = 0
        dos filemode = Yes
        include = /usr/local/etc/smb4_share.conf


[AD-Store]
        aio write size = 0
        ea support = No
        mangled names = illegal
        path = /mnt/Main/AD Store
        read only = No
        vfs objects = streams_xattr shadow_copy_zfs zfs_space zfsacl
        nfs4:acedup = merge
        nfs4:chown = true


[Business Manager]
        aio write size = 0
        ea support = No
        mangled names = illegal
        path = /mnt/Main/Main/BusinessManager
        read only = No
        vfs objects = streams_xattr shadow_copy_zfs zfs_space zfsacl
        nfs4:acedup = merge
        nfs4:chown = true


[Operational]
        aio write size = 0
        ea support = No
        mangled names = illegal
        path = /mnt/Main/Main/Operational
        read only = No
        vfs objects = streams_xattr shadow_copy_zfs zfs_space zfsacl
        nfs4:acedup = merge
        nfs4:chown = true


[SSD Disk]
        aio write size = 0
        ea support = No
        mangled names = illegal
        path = /mnt/SSD
        read only = No
        vfs objects = streams_xattr zfs_space zfsacl
        nfs4:acedup = merge
        nfs4:chown = true


[Scanner]
        aio write size = 0
        ea support = No
        mangled names = illegal
        path = /mnt/Main/Main/Scanner
        read only = No
        vfs objects = streams_xattr shadow_copy_zfs zfs_space zfsacl crossrename recycle
        nfs4:acedup = merge
        nfs4:chown = true
        recycle:subdir_mode = 0700
        recycle:directory_mode = 0777
        recycle:touch = yes
        recycle:keepversions = yes
        recycle:keeptree = yes
        recycle:repository = .recycle/%D/%U


[VM-SSD]
        aio write size = 0
        ea support = No
        guest ok = Yes
        mangled names = illegal
        path = /mnt/VM-SSD
        read only = No
        vfs objects = streams_xattr zfs_space zfsacl
        nfs4:acedup = merge
        nfs4:chown = true


I tried `wbinfo -c` and then `service samba_server onerestart` but it had no effect.
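
The two `testparm -s` outputs in this thread differ mainly in the legacy protocol and authentication settings left enabled for an old SMB client. The following audit of such output is an added example, not part of the original posts; the function names and the choice of checks are assumptions, and the sample is constructed from settings that appear in the two posts.

```python
# Constructed sample: settings taken from the two testparm outputs above.
SAMPLE = """\
[global]
        client NTLMv2 auth = No
        map to guest = Bad User
        ntlm auth = ntlmv1-permitted
        server min protocol = NT1

[Scanner]
        path = /mnt/Main/Main/Scanner
        read only = No

[VM-SSD]
        guest ok = Yes
        path = /mnt/VM-SSD
        read only = No
"""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

def parse_testparm(text):
    """Split testparm -s output into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            # Samba ignores case and spacing in parameter names.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(sections):
    """Return (section, parameter, reason) for each explicitly weak setting."""
    findings = []
    g = sections.get("global", {})
    if g.get("server min protocol", "").lower() in SMB1_DIALECTS:
        findings.append(("global", "server min protocol", "SMB1 dialects accepted"))
    if g.get("ntlm auth", "").lower() in {"ntlmv1-permitted", "yes"}:
        findings.append(("global", "ntlm auth", "NTLMv1 responses accepted"))
    if g.get("client ntlmv2 auth", "").lower() == "no":
        findings.append(("global", "client ntlmv2 auth",
                         "Samba as a client sends NTLMv1 responses"))
    for name, params in sections.items():
        if name != "global" and params.get("guest ok", "").lower() == "yes":
            findings.append((name, "guest ok", "share accepts guest sessions"))
    return findings
```

`testparm -s` prints only parameters that differ from the build's defaults, so a missing key means the default applies; this audit judges only values that are printed.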
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Does `ktutil list` show a Kerberos keytab for your server? (It should be of the form "<hostname>$".)
 

Kanky

Dabbler
Joined
Feb 17, 2015
Messages
38
This is what is output.

Code:
Vno  Type                     Principal                                      Aliases
 20  des-cbc-crc              host/fileserver.medicore.local@MEDICORE.LOCAL
 20  des-cbc-crc              host/FILESERVER@MEDICORE.LOCAL
 20  des-cbc-md5              host/fileserver.medicore.local@MEDICORE.LOCAL
 20  des-cbc-md5              host/FILESERVER@MEDICORE.LOCAL
 20  aes128-cts-hmac-sha1-96  host/fileserver.medicore.local@MEDICORE.LOCAL
 20  aes128-cts-hmac-sha1-96  host/FILESERVER@MEDICORE.LOCAL
 20  aes256-cts-hmac-sha1-96  host/fileserver.medicore.local@MEDICORE.LOCAL
 20  aes256-cts-hmac-sha1-96  host/FILESERVER@MEDICORE.LOCAL
 20  arcfour-hmac-md5         host/fileserver.medicore.local@MEDICORE.LOCAL
 20  arcfour-hmac-md5         host/FILESERVER@MEDICORE.LOCAL
 20  des-cbc-crc              FILESERVER$@MEDICORE.LOCAL
 20  des-cbc-md5              FILESERVER$@MEDICORE.LOCAL
 20  aes128-cts-hmac-sha1-96  FILESERVER$@MEDICORE.LOCAL
 20  aes256-cts-hmac-sha1-96  FILESERVER$@MEDICORE.LOCAL
 20  arcfour-hmac-md5         FILESERVER$@MEDICORE.LOCAL
 21  des-cbc-crc              host/fileserver.medicore.local@MEDICORE.LOCAL
 21  des-cbc-crc              host/FILESERVER@MEDICORE.LOCAL
 21  des-cbc-md5              host/fileserver.medicore.local@MEDICORE.LOCAL
 21  des-cbc-md5              host/FILESERVER@MEDICORE.LOCAL
 21  aes128-cts-hmac-sha1-96  host/fileserver.medicore.local@MEDICORE.LOCAL
 21  aes128-cts-hmac-sha1-96  host/FILESERVER@MEDICORE.LOCAL
 21  aes256-cts-hmac-sha1-96  host/fileserver.medicore.local@MEDICORE.LOCAL
 21  aes256-cts-hmac-sha1-96  host/FILESERVER@MEDICORE.LOCAL
 21  arcfour-hmac-md5         host/fileserver.medicore.local@MEDICORE.LOCAL
 21  arcfour-hmac-md5         host/FILESERVER@MEDICORE.LOCAL
 21  des-cbc-crc              FILESERVER$@MEDICORE.LOCAL
 21  des-cbc-md5              FILESERVER$@MEDICORE.LOCAL
 21  aes128-cts-hmac-sha1-96  FILESERVER$@MEDICORE.LOCAL
 21  aes256-cts-hmac-sha1-96  FILESERVER$@MEDICORE.LOCAL
 21  arcfour-hmac-md5         FILESERVER$@MEDICORE.LOCAL
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Hi @anodos did you manage to get any further with this?

No. Haven't had the time yet to do it. If you can get a pcap of the behavior (`tcpdump -w /tmp/smb.pcap -i <interface> host <ip of printer>`), I can take a closer look at it. If you can get the printer to write to an 11.2 VM and get a pcap of that as well, it would be helpful.
 

Kanky

Dabbler
Joined
Feb 17, 2015
Messages
38
Hi Anodos,

I have upgraded to TrueNAS-12.0-U1 and am still experiencing the same issue. I have managed to capture a pcap file. Can I send it on?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
There's an issue with SMB1 in 12.0-U1. If you want to try a dev snapshot where it's fixed and see if your issue goes away, you can send me a PM. Otherwise the next release (that fixes this and other issues) is coming soon.
 