SMB-related changes in 11.2-U2

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Hi all, this is a quick message about 11.2-U2. We introduced some significant changes related to our SMB implementation:
1) The samba version was bumped from effectively 4.7.6 + security fixes to 4.9.4. There are _significant_ performance improvements in the 4.9 branch.
2) We introduced a currently _experimental_ VFS module (ixnas) that introduces support for ZFS user quotas (using the NT quota tool in File Explorer) and some ACL-related improvements.
3) We introduced support for Time Machine over SMB.
There are probably other relevant things that I can't remember at 5:40 AM :)
I can't keep an eye on everything SMB-related on the forums, but I will track this thread carefully. If you have problems after the upgrade, post here and I'll try to work with you to sort it out.
 

anodos

I may have introduced a regression in zfsacl due to some fixes I put in related to sysvol acl checks for the DC role. I'm in the process of fixing the problem. In the meantime, if you encounter permissions issues try replacing "zfsacl" with "ixnas", which does not have the regression. If that fixes the issue, then a fix is forthcoming. You can continue to test "ixnas", revert to the previous version, or send me a PM for a fixed zfsacl binary.
 
Joined
Feb 2, 2016
Messages
574
Do you have a recommendation for how to benchmark before and after the SMB upgrade? Can you put a number to '_significant_ '?

Cheers,
Matt
 

anodos

> Do you have a recommendation for how to benchmark before and after the SMB upgrade? Can you put a number to '_significant_ '?
>
> Cheers,
> Matt

Improvements are mostly due to threading / AIO. I don't know what details I'm allowed to share about the particular tests, but some of our benchmarks on a 40GB network exhibited close to double the performance of what we were seeing on 4.7. Winbind scalability and stability are also significantly improved. If you're using it in an AD environment, I recommend evaluating for potential upgrade (of course do your own testing before upgrading).
 

agent_kith

Dabbler
Joined
Jan 2, 2014
Messages
15
> I may have introduced a regression in zfsacl due to some fixes I put in related to sysvol acl checks for the DC role. I'm in the process of fixing the problem. In the meantime, if you encounter permissions issues try replacing "zfsacl" with "ixnas", which does not have the regression. If that fixes the issue, then a fix is forthcoming. You can continue to test "ixnas", revert to the previous version, or send me a PM for a fixed zfsacl binary.

I also need to restart SMB, and then relogin again. And then it works. Wouldn't even be the last place I looked, thanks for this tip.
 

anodos

Another 4.9-related gremlin. Authentication to [homes] is broken in AD environments. Fix is here: https://github.com/freenas/freenas/commit/e59676e467b3af462ffb19a44926abea9eab6c08

It's a two-character fix in /usr/local/libexec/nas/generate_smb4_conf.py. Once you have _carefully_ made the change, run the following two commands:
Code:
service ix-pre-samba start
service samba_server restart

This should only be done if you are affected by the bug.
 

anodos

In the upcoming 11.2-U2.1 release, the following SMB-related issues have been fixed:
- Missing delete permissions when using zfsacl when "delete child" permission is absent.
- User validation errors under Active Directory in some domains (depending on what the short-form of the name is).

What is not fixed:
- SMB failing to start when LDAP is enabled in an environment with read-only bind account. I just fixed this yesterday and it didn't make the cut for the out-of-band release. Current mitigations are 1) allow samba to write the guest alias to your LDAP server by temporarily using a read-write account 2) set "winbind nested groups = no". This one will have to wait until U3.
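
An added example, not part of the original posts and not FreeNAS code: a read-only audit of smb.conf-format text that lists which shares load "zfsacl" versus "ixnas" and reports the global "winbind nested groups" value, the two settings the workarounds in this thread touch. The sample configuration, share names and paths are constructed; `audit()` and its report keys are names chosen for this example.

```python
import configparser

# Constructed sample in smb.conf syntax; share names and paths are made up.
SAMPLE_CONF = """\
[global]
workgroup = EXAMPLE
winbind nested groups = yes

[projects]
path = /mnt/tank/projects
vfs objects = zfs_space zfsacl streams_xattr

[media]
path = /mnt/tank/media
VFS Objects = zfs_space, ixnas, streams_xattr

[scratch]
path = /mnt/tank/scratch
"""

def parse_smb_conf(text):
    """Parse smb.conf text. Parameter names are matched the way Samba
    matches them: case-insensitively and ignoring internal whitespace."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",),
                                   comment_prefixes=("#", ";"))
    cp.optionxform = lambda name: "".join(name.split()).lower()
    cp.read_string(text)
    return cp

def audit(text):
    """Group shares by ACL VFS module and report the winbind setting."""
    cp = parse_smb_conf(text)
    report = {"zfsacl": [], "ixnas": [], "other": [],
              "winbind_nested_groups": None}  # None = not set explicitly
    for section in cp.sections():
        opts = cp[section]
        if section.lower() == "global":
            report["winbind_nested_groups"] = opts.get("winbindnestedgroups")
            continue
        # "vfs object" is accepted as a synonym; lists may use commas.
        raw = opts.get("vfsobjects") or opts.get("vfsobject") or ""
        modules = {m.split(":")[0] for m in raw.replace(",", " ").split()}
        if "zfsacl" in modules:
            report["zfsacl"].append(section)
        elif "ixnas" in modules:
            report["ixnas"].append(section)
        else:
            report["other"].append(section)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Shares listed under "zfsacl" are the ones exposed to the regression described earlier in the thread on 11.2-U2; running the audit before and after a change gives a record of what was switched.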
 

hervon

Patron
Joined
Apr 23, 2012
Messages
353
I confirm the issue with zfsacl is fixed. Thanks!
 

9d0ecc

Cadet
Joined
Apr 13, 2018
Messages
3
I have a FreeNAS server configured as an Active Directory DC and ran into problems with the upgrade from 11.2-U1 to 11.2-U2.

All Domain Controller clients failed to authenticate after the upgrade, with "log.samba" showing many errors. I believe this is related to the Samba version change from 4.7.6 to 4.9.4.

The issue also persists with 11.2-U2.1 and I had to roll back to 11.2-U1.

I filed a bug report with more details in the FreeNAS Issue tracker: Bug #78663
 

anodos

The new version of samba has a new ldb version that might be more sensitive to errors. Can you perform a samba-tool dbcheck on your current install to make sure there are no inconsistencies in the database?
 

9d0ecc

Thanks for the feedback! Regarding samba-tool dbcheck, I did run it after the failed upgrade and to my surprise it reported (0 errors), if I recall correctly.

It's a production system, which I rolled back to 11.2-U1. I might not be able to run any further tests before the weekend so.

Are there any other checks I should run?
 

9d0ecc

Is there any chance that 11.2-U3 or the upcoming 11.2-U4 will address the issue of upgrading a Samba DC from 11.2-RELEASE-U1?

I reported the issue here https://redmine.ixsystems.com/issues/78663

When I upgrade to 11.2-U4 and there are still issues, what tests can I run to generate output for pinning down the problem?

Thanks for any pointers!
 