SMB borked after migration

[Glorious1]

I migrated from CORE to SCALE Cobia. SMB worked at first, but my user didn't work as it did before. When I tried to edit the user, there were bunch of "no, you can't do that until something else". One of the messages said "SMB users may not be configured while SMB service backend is unitialized." ;-) I didn't know if that was supposed to be "initialized" or "uninitialized". So I turned off SMB.

Now when I try to start the service, I get this:

error Error starting service SMB.​

[EFAULT] net conf setparm [['net', '--json', 'conf', 'setparm', '{"service": "GLOBAL", "parameters": {"guest account": {"parsed": "nobody", "raw": "nobody"}, "fruit:posix_rename ": {"parsed": " yes ", "raw": " yes "}, "# oplocks": {"parsed": "no # breaks Time Machine", "raw": "no # breaks Time Machine"}, "fruit:delete_empty_adfiles ": {"parsed": " yes ", "raw": " yes "}, "winbind request timeout": {"parsed": 2}, "streams_xattr:prefix": {"parsed": "user.", "raw": "user."}, "workgroup": {"parsed": "WORKGROUP", "raw": "WORKGROUP"}, "netbios aliases": {"parsed": ["Tabernacle_SMB"], "raw": "Tabernacle_SMB"}, "strict sync ": {"parsed": " no", "raw": " no"}, "mangled names ": {"parsed": " no", "raw": " no"}, "logging": {"parsed": "file", "raw": "file"}, "max log size": {"parsed": 5120}, "strict locking": {"parsed": "auto", "raw": "auto"}, "bind interfaces only": {"parsed": true, "raw": "True"}, "fruit:zero_file_id": {"parsed": false}, "unix charset": {"parsed": "UTF-8", "raw": "UTF-8"}, "fruit:nfs_aces": {"parsed": false}, "fruit:metadata": {"parsed": "netatalk", "raw": "netatalk"}, "unix charset ": {"parsed": " UTF-8", "raw": " UTF-8"}, "create mask": {"parsed": "0775", "raw": "0775"}, "server min protocol": {"parsed": "SMB2_02", "raw": "SMB2_02"}, "local master": {"parsed": true, "raw": "True"}, "syslog only": {"parsed": false, "raw": "False"}, "ntlm auth": {"parsed": false, "raw": "False"}, "server multi channel support": {"parsed": false, "raw": "False"}, "disable spoolss": {"parsed": true}, "fruit:resource": {"parsed": "file", "raw": "file"}, "log level": {"parsed": "2 auth_json_audit:3@/var/log/samba4/auth_audit.log", "raw": "2 auth_json_audit:3@/var/log/samba4/auth_audit.log"}, "dns proxy": {"parsed": false}, "passdb backend": {"parsed": "tdbsam:/var/run/samba-cache/private/passdb.tdb"}, "vfs objects ": {"parsed": " fruit streams_xattr ", "raw": " fruit streams_xattr "}, "fruit:model ": {"parsed": " MacSamba", "raw": " MacSamba"}, "fruit:veto_appledouble ": {"parsed": " no", "raw": " no"}, "# spotlight": {"parsed": "yes # invalid without further config", "raw": "yes # invalid without further config"}, "dos charset ": {"parsed": " CP850", "raw": " CP850"}, "fruit:locking": {"parsed": "none", "raw": "none"}, "netbios name": {"parsed": "Tabernacle_SMB", "raw": "Tabernacle_SMB"}, "load printers": {"parsed": false}, "restrict anonymous": {"parsed": 2}, "streams_xattr:store_stream_type": {"parsed": "no", "raw": "no"}, "printcap name": {"parsed": "/dev/null"}, "directory mask": {"parsed": "0775", "raw": "0775"}, "server string": {"parsed": "TrueNAS Server", "raw": "TrueNAS Server"}, "fruit:wipe_intentionally_left_blank_rfork ": {"parsed": " yes ", "raw": " yes "}, "min protocol ": {"parsed": " SMB2", "raw": " SMB2"}, "# level2 oplocks": {"parsed": "no # breaks TM?", "raw": "no # breaks TM?"}}}']] failed with error: Unknown parameter encountered: "# oplocks" Error setting parameter # oplocks to no # breaks Time Machine: SBC_ERR_INVALID_PARAM

Rebooting allowed SMB to start, but I'm still prevented from enabling SMB for my user. First I get a message that says password has to be changed to allow SMB, then when I change the password, I get the weird "unitialized" error above.

What the heck?

 

[anodos]

Looks like a parser error on some comments you wrote in your auxiliary parameters in Services->SMB. Try removing those.

 

[anodos]

I don't mind expanding tests for oddball user configurations for our aux param parsers. If you don't mind, can you post output of `midclt call smb.config`.

 

[Glorious1]

Thanks @anodos I didn't change any parameters from CORE. Everything worked fine there.

Here's what I got:

Code:

Tabernacle:~$ midclt call smb.config
{"id": 1, "netbiosname": "Tabernacle_SMB", "netbiosalias": ["Tabernacle_SMB"], "workgroup": "WORKGROUP", "description": "TrueNAS Server", "unixcharset": "UTF-8", "loglevel": "NORMAL", "syslog": false, "aapl_extensions": true, "localmaster": true, "guest": "nobody", "filemask": "", "dirmask": "", "smb_options": "mangled names = no\ndos charset = CP850\nunix charset = UTF-8\nstrict sync = no\n\nmin protocol = SMB2\nvfs objects = fruit streams_xattr  \nfruit:model = MacSamba\nfruit:posix_rename = yes \nfruit:veto_appledouble = no\nfruit:wipe_intentionally_left_blank_rfork = yes \nfruit:delete_empty_adfiles = yes \n\nfruit:locking=none\nfruit:metadata=netatalk\nfruit:resource=file\nstreams_xattr:prefix=user.\nstreams_xattr:store_stream_type=no\nstrict locking=auto\n# oplocks=no  # breaks Time Machine\n# level2 oplocks=no  #  breaks TM?\n# spotlight=yes  # invalid without further config\n", "bindip": [], "cifs_SID": "S-1-5-21-1648345819-729275465-1653058147", "ntlmv1_auth": false, "enable_smb1": false, "admin_group": "jim", "next_rid": 1007, "multichannel": false, "netbiosname_local": "Tabernacle_SMB"}

 

[anodos]

Thanks @anodos I didn't change any parameters from CORE. Everything worked fine there.

Here's what I got:

Code:

Tabernacle:~$ midclt call smb.config
{"id": 1, "netbiosname": "Tabernacle_SMB", "netbiosalias": ["Tabernacle_SMB"], "workgroup": "WORKGROUP", "description": "TrueNAS Server", "unixcharset": "UTF-8", "loglevel": "NORMAL", "syslog": false, "aapl_extensions": true, "localmaster": true, "guest": "nobody", "filemask": "", "dirmask": "", "smb_options": "mangled names = no\ndos charset = CP850\nunix charset = UTF-8\nstrict sync = no\n\nmin protocol = SMB2\nvfs objects = fruit streams_xattr  \nfruit:model = MacSamba\nfruit:posix_rename = yes \nfruit:veto_appledouble = no\nfruit:wipe_intentionally_left_blank_rfork = yes \nfruit:delete_empty_adfiles = yes \n\nfruit:locking=none\nfruit:metadata=netatalk\nfruit:resource=file\nstreams_xattr:prefix=user.\nstreams_xattr:store_stream_type=no\nstrict locking=auto\n# oplocks=no  # breaks Time Machine\n# level2 oplocks=no  #  breaks TM?\n# spotlight=yes  # invalid without further config\n", "bindip": [], "cifs_SID": "S-1-5-21-1648345819-729275465-1653058147", "ntlmv1_auth": false, "enable_smb1": false, "admin_group": "jim", "next_rid": 1007, "multichannel": false, "netbiosname_local": "Tabernacle_SMB"}

Different OS and difference in how running configuration is stored. The nested comments in single lines in the auxiliary parameters is breaking the parser (but to be fair, that's a very odd choice).

 

[Glorious1]

Looks like a parser error on some comments you wrote in your auxiliary parameters in Services->SMB. Try removing those.

I'm feeling pretty dense now, but I can't find those auxiliary parameters. I looked in
Shares > Windows Shares > ⋮ > Config Service > Advanced Settings, but find none there. Also in
System Settings > Services > SMB > Configure (same as above), and
Credentials > Local Users > [my user] > Edit.

Where are auxiliary parameters?

 

[anodos]

I'm feeling pretty dense now, but I can't find those auxiliary parameters. I looked in
Shares > Windows Shares > ⋮ > Config Service > Advanced Settings, but find none there. Also in
System Settings > Services > SMB > Configure (same as above), and
Credentials > Local Users > [my user] > Edit.

Where are auxiliary parameters?

Right, they were removed from the UI in SCALE. You can set via CLI there are instructions in the TruenNAS docs.

 

[Glorious1]

Right, they were removed from the UI in SCALE. You can set via CLI there are instructions in the TruenNAS docs.

EDIT:
Okay, I am able to see the problem area in CLI with "service smb config". But how do I edit it? "service smb update" gives an error.

I guess if I can remove the second # in those three lines I should be good?

One more question. Would service smb update smb_options="" remove all of the aux parameters? Is there any there I should keep?

Code:

[Tabernacle]> service smb config
+-------------------+---------------------------------------------------+
|                id | 1                                                 |
|       netbiosname | Tabernacle_SMB                                    |
|      netbiosalias | Tabernacle_SMB                                    |
|         workgroup | WORKGROUP                                         |
|       description | TrueNAS Server                                    |
|       unixcharset | UTF-8                                             |
|          loglevel | NORMAL                                            |
|            syslog | false                                             |
|   aapl_extensions | true                                              |
|       localmaster | true                                              |
|             guest | nobody                                            |
|          filemask |                                                   |
|           dirmask |                                                   |
|       smb_options | mangled names = no                                |
|                   | dos charset = CP850                               |
|                   | unix charset = UTF-8                              |
|                   | strict sync = no                                  |
|                   |                                                   |
|                   | min protocol = SMB2                               |
|                   | vfs objects = fruit streams_xattr                 |
|                   | fruit:model = MacSamba                            |
|                   | fruit:posix_rename = yes                          |
|                   | fruit:veto_appledouble = no                       |
|                   | fruit:wipe_intentionally_left_blank_rfork = yes   |
|                   | fruit:delete_empty_adfiles = yes                  |
|                   |                                                   |
|                   | fruit:locking=none                                |
|                   | fruit:metadata=netatalk                           |
|                   | fruit:resource=file                               |
|                   | streams_xattr:prefix=user.                        |
|                   | streams_xattr:store_stream_type=no                |
|                   | strict locking=auto                               |
|                   | # oplocks=no  # breaks Time Machine               |
|                   | # level2 oplocks=no  #  breaks TM?                |
|                   | # spotlight=yes  # invalid without further config |
|                   |                                                   |
|            bindip | <empty list>                                      |
|          cifs_SID | S-. . .           |
|       ntlmv1_auth | false                                             |
|       enable_smb1 | false                                             |
|       admin_group | jim                                               |
|          next_rid | 1007                                              |
|      multichannel | false                                             |
| netbiosname_local | Tabernacle_SMB                                    |
+-------------------+---------------------------------------------------+

 

[anodos]

EDIT:
Okay, I am able to see the problem area in CLI with "service smb config". But how do I edit it? "service smb update" gives an error.

I guess if I can remove the second # in those three lines I should be good?

One more question. Would service smb update smb_options="" remove all of the aux parameters? Is there any there I should keep?

You've set auxiliary parameters that affect the on-disk format of your file metadata for files written over SMB. You will need to preserve these if you care about it (which you probably do). You can roll back and wait for .0 where I'm fixing how we sanitize auxiliary parameters before insertion via libsmbconf or _carefully_ tweak your auxiliary parameters.

 

[anodos]

Since your auxiliary parameters change how metadata is written to disk, you should also keep note of how you have configured this server in case you are ever in a disaster recovery situation or decide you want to change up what server is hosting this data.

 

[Glorious1]

You've set auxiliary parameters that affect the on-disk format of your file metadata for files written over SMB. You will need to preserve these if you care about it (which you probably do). You can roll back and wait for .0 where I'm fixing how we sanitize auxiliary parameters before insertion via libsmbconf or _carefully_ tweak your auxiliary parameters.

Thanks @anodos. Well, I still don't know how to edit them, or to wipe them. I don't know what kind of metadata you're talking about. And it sounds like I should care, but it's hard to care about something when you don't know about it. When I fiddled with those in CORE, it was a total trial-and-error guessing game.

Some of my files were written via AFP before I switched over to SMB. I don't see any difference in how they behave, so I wonder if the metadata format is important?

 

[anodos]

Thanks @anodos. Well, I still don't know how to edit them, or to wipe them. I don't know what kind of metadata you're talking about. And it sounds like I should care, but it's hard to care about something when you don't know about it. When I fiddled with those in CORE, it was a total trial-and-error guessing game.

Some of my files were written via AFP before I switched over to SMB. I don't see any difference in how they behave, so I wonder if the metadata format is important?

We're talking about things like color tags in finder, resource forks, etc.

 

[Glorious1]

Okay, thanks. To answer my own question, for posterity yes, service smb update smb_options="" does wipe all smb_options (AKA auxiliary parameters). And you can't add them back one at a time, it has to be one fell swoop, with newline \n between each one. So here's what I did after entering the CLI and wiping them (probably not necessary):
service smb update smb_options="mangled names = no\nvfs objects = fruit streams_xattr\nfruit:veto_appledouble = no\nfruit:wipe_intentionally_left_blank_rfork = yes\nfruit:delete_empty_adfiles = yes\nfruit:locking = none\nfruit:metadata = netatalk\nfruit:resource = file\nstreams_xattr:prefix = user\nstreams_xattr:store_stream_type = no"

And then service smb config shows (among other things):
EDIT: don't put spaces around the '=' as I did. It breaks SMB.

Code:

|       smb_options | mangled names = no                              |
|                   | vfs objects = fruit streams_xattr               |
|                   | fruit:veto_appledouble = no                     |
|                   | fruit:wipe_intentionally_left_blank_rfork = yes |
|                   | fruit:delete_empty_adfiles = yes                |
|                   | fruit:locking = none                            |
|                   | fruit:metadata = netatalk                       |
|                   | fruit:resource = file                           |
|                   | streams_xattr:prefix = user                     |
|                   | streams_xattr:store_stream_type = no            |

But I still can't log in over SMB. I see that the users have a setting at the end "Samba Authentication" that is UNchecked. When I check it and try to save, it says to do this you must change the password. So I do that and try to save again. Then next to Samba Authentication it says, "This attribute cannot be changed."

After reboot I was able to check Samba Authentication and save, but still couldn't log in. Now I find that Time Machine, which had been working through this, can't connect after I edited smb_options. I'm in a nightmare.

 

[anodos]

Okay, thanks. To answer my own question, for posterity yes, service smb update smb_options="" does wipe all smb_options (AKA auxiliary parameters). And you can't add them back one at a time, it has to be one fell swoop, with newline \n between each one. So here's what I did after entering the CLI and wiping them (probably not necessary):
service smb update smb_options="mangled names = no\nvfs objects = fruit streams_xattr\nfruit:veto_appledouble = no\nfruit:wipe_intentionally_left_blank_rfork = yes\nfruit:delete_empty_adfiles = yes\nfruit:locking = none\nfruit:metadata = netatalk\nfruit:resource = file\nstreams_xattr:prefix = user\nstreams_xattr:store_stream_type = no"

And then service smb config shows (among other things):

Code:

|       smb_options | mangled names = no                              |
|                   | vfs objects = fruit streams_xattr               |
|                   | fruit:veto_appledouble = no                     |
|                   | fruit:wipe_intentionally_left_blank_rfork = yes |
|                   | fruit:delete_empty_adfiles = yes                |
|                   | fruit:locking = none                            |
|                   | fruit:metadata = netatalk                       |
|                   | fruit:resource = file                           |
|                   | streams_xattr:prefix = user                     |
|                   | streams_xattr:store_stream_type = no            |

But I still can't log in over SMB. I see that the users have a setting at the end "Samba Authentication" that is UNchecked. When I check it and try to save, it says to do this you must change the password. So I do that and try to save again. Then next to Samba Authentication it says, "This attribute cannot be changed."

After reboot I was able to check Samba Authentication and save, but still couldn't log in. Now I find that Time Machine, which had been working through this, can't connect after I edited smb_options. I'm in a nightmare.

Can you please PM me a debug?

 

[Glorious1]

Can you please PM me a debug?

Done, thank you.

 

[Glorious1]

Folks, @anodos is a gentleman and a genius when it comes to SMB. He found several problems with my smb_options (AKA auxiliary parameters). First I had an incorrect parameter value in there, so deleted that. It worked a bit better (I could log in over SMB, but not open a share), so I tried deleting the rest. It seemed to work great then, I could open shares as before in CORE.

Then he noticed I had added spaces around the '=' in the options. Apparently that causes <technobabble>. So if I need to add any back (and I don't know if I do), it would be without the extra spaces.