We Want to Hear Your Ideas

Status
Not open for further replies.

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
Ok, let's talk NAS only. I think FreeNAS is getting worse for reliability when adding too many features.

No it's not. FreeNAS10 was an anomaly, it was a mistake and has been fully erased.
There was a minor SMB bug (?) in 11.1 U1 or something which caused some problems for users with a memory leak.
There was another very minor bug which reset users' passwords, permissions or something with AD.

These are the 3 main things I can think of, in the past 18 months. The latter 2 really don't relate to them adding features.


Our case is using a FreeNAS Mini box as a storage server for our remote offices around the world, providing local storage and backups, and replicating data between head office and remote sites. Joining the Windows domain was a pain during 6 years of supporting remote offices. Sometimes it works, sometimes it doesn't. Sometimes it is out of the domain after a reboot or upgrade.

I believe this is a lot better now, it's a core feature and I guess you're right to complain. I don't use it but I saw a YouTube video discussing this with the head dev the other day and the interviewer said how much improvement there had been.


Sometimes VMs or jails are not working and I have to recreate them. Sometimes I have to reinstall FreeNAS or reset to factory and then I can join the domain. That's why I have to be a FreeBSD expert who can modify your code or run shell commands to join the domain manually. Not even counting how many times I have to manually run commands to replace a dead disk, while other products just need you to pull out a disk and put in a new one, and the rest will be done by the system to recover the disk.


They've been in a transition period, a real mess. There's a very good chance stuff is going back to 'just plain old working' over the coming 1 - 6 months.
I wouldn't bother with VMs for mission critical stuff, maybe for fun but it sounds like right now, that's not quite ready for primetime, not in a business anyhow.
 

mbalsam

Explorer
Joined
Oct 9, 2015
Messages
85
Ease of AD integration - don't 90% of installs run AD? Or add an optional simple AD server a la Synology
I would assume so. But there is horrible support for SMB/AD. I'm about to give up and buy Synology.

If they were serious about it, there would be real documentation and a checklist of things to verify when having problems. They keep adding features and not fixing their existing problems.

I just migrated off of a Nexenta box. Never had a single problem with SMB/AD after it was set up. They're going to blame the Samba team, bla bla. They just can't be bothered to write documentation and fix their bugs.


A GUI method of syncing to the cloud, esp Backblaze
There is support for that and it works very well.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
90% of TrueNAS installations, possibly. Definitely not even close to 90% of FreeNAS installations.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
That makes more sense, TrueNAS sure, FreeNAS no.
I mean nothing wrong with improving it if it needs it, I personally couldn't care less.

I would like to see the new UI worked on to be more coherent, compact, etc. That being said, it's slowly slowly improving, but it makes me wish I owned a 48" 4k monitor, that's not a good thing.
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
It would be nice to have samba ransomware protection. ;)
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Snapshots are good things, but are still like offline backup. We don't have any "online" mechanism to detect abnormal user activities. :confused:

For example, if you detect an infected user after 1 hour of activity, it can be too late (yes, I have snapshots, but not with a 5 min period). Other users, who also work on the same share, can produce many files after that critical hour, which will be lost if I revert the snapshot. :( Or?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
We don't have any "online" mechanism to detect abnormal user activities. :confused:
It's an NP problem. Solving that would have profound implications throughout life, philosophy and society. It may very well be impossible, to both human and machine.

Unless of course you implement a simple set of rules, which is far more likely to piss off legitimate users than it is to ever catch malicious users.

yes, I have snapshots, but not with a 5 min period
Why not? If it is such a concern, the solution is well within reach.
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
For example, fail2ban, which looks at the Samba extended log and searches for specific regex strings (like pread, realpath, open,...). Or make a script that creates "fake user files" with a known calculated hash and periodically tests whether the hash has changed.....

edit: or simply counting IPs/users per 10 mins and, if some threshold is reached, block the IP...
 
Last edited:

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
...or frequent snapshots, which already exist, and will completely mitigate the problem.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
For example, fail2ban, which looks at the Samba extended log and searches for specific regex strings (like pread, realpath, open,...).
That doesn't accomplish anything. None of that brings you any closer to determining a remote user's intent.
 

Bgadd

Guest
I would stop adding any features and put four people on your documentation full time. What should they do? Document every one of the recurring issues found in the forums. The developers should fix all of the reoccurring issues that are found.

- Active directory integration is a mess. Consolidate the existing samba documentation from Samba. NFS Permissions are horrible. I guess that's a unix thing, not really your issue.
- I searched for ZFS and got nothing. It's just an indexing issue, but really? ZFS primer is section 29? The link to your ZFS documentation is Oracle's broken link?
- Expand the (I) icons text in all areas.
- You need context-sensitive help, that appears outside of the main window.
- You need a list of all error messages and what needs to be done when each error is encountered.
- There is no log where you can track error messages seen in the UI in the file system logs.
- When do you look in /var/log/messages vs /var/log/debug vs /var/log/samba4/log.smbd etc.etc.

I don't really know the rest of the sections but I'm guessing that documentation is just as lacking.

I'm a developer so I can say this. You're letting developers design your product. Don't do it. You need a Product Manager who knows other products in the market to design your product. Don't use the "add features that are cool to the product" as your design. You need a solid UI, administration, authentication and error management.

You are so close to having an enterprise product, but skimping on documentation and assuming your SI partners will train the users is not a great strategy.

Sorry, it's tough love.

No apology is needed. We have been working hard the past few months to redo our processes to allow us to do just that. Good news, we are on the path we need to be to improve the stability of Free/TrueNAS. Thanks again for the post and I look forward to your reply in the coming months as we push out new versions.

Thanks,
Ben
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
That doesn't accomplish anything. None of that brings you any closer to determining a remote user's intent.

Example:
1. A company with 50 users.
2. An average "clean" user makes 1 file/10 MiB in 6 minutes, or 50 or more rows in the Samba extended log (depending on log settings); an infected user will access about 1400 files/14 GiB in 6 minutes on a 1 Gbps link to the NAS. That is (1400-1)x50 more rows in the Samba log per infected user compared with a normal user.
3. All users make files in the same share (work space), in a 6 TiB volume with over 300k files.
4. Time to discover the infected user: for example, 1 hour for examining all network stations' logs and physically disconnecting the infected user from the network.


An average "clean" user makes 10 files in 1 hour; 50 users = 500 files in 1 hour. An infected user starts encrypting somewhere on the share, so the admin must assume that all data on the volume from the last 1 hour is lost. Is it better to revert snapshots 1 hour back (no matter if I take a snapshot every 5 min) and potentially lose 500 files, or to have some active protection that stops this activity as soon as possible after the Samba log reaches some activity threshold for the infected user? And shorten this incident from 1 hour to minutes, then look in the Samba log at what files the infected user wrote and revert only those files?


Maybe I am wrong, but in real administrator life I need to stop all suspicious activity as soon as possible, not only on users' stations but also on the server; even better if the server sends me some alerts about suspicious activity from users.

edit: as you know, in EU we have GDPR, so administrators must have data under control.....
 
Last edited:
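
The per-user activity threshold marian78 describes, as an added example that is not code from the thread or from FreeNAS: it counts the distinct files each user touches within a sliding 6-minute window of Samba full_audit log lines and reports the first moment a user crosses the threshold. The log layout (timestamp plus a `%u|%I|%S` prefix), the operation names, the threshold of 100, and the sample users, addresses and paths are assumptions, and the log itself is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout: ISO timestamp, then vfs_full_audit output configured with
# "full_audit:prefix = %u|%I|%S", i.e. user|client_ip|share|op|result|path
LINE = re.compile(r"^(\S+) smbd_audit: ([^|]*)\|([^|]*)\|[^|]*\|([^|]*)\|([^|]*)\|(.*)$")
WATCHED_OPS = {"open", "pread", "pwrite"}  # assumed names; match your audit config

def parse(line):
    """Return (time, user, ip, op, result, path), or None for foreign lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, user, ip, op, result, path = m.groups()
    return datetime.fromisoformat(ts), user, ip, op, result, path

def detect(lines, window=timedelta(minutes=6), threshold=100):
    """Return {user: (client_ip, first_alert_time)} for every user who touched
    more than `threshold` distinct files within one sliding `window`."""
    recent = defaultdict(deque)                      # user -> (time, path) events
    counts = defaultdict(lambda: defaultdict(int))   # user -> path -> live events
    alerts = {}
    for rec in map(parse, lines):
        if rec is None or rec[3] not in WATCHED_OPS or rec[4] != "ok":
            continue
        ts, user, ip, _, _, path = rec
        q, c = recent[user], counts[user]
        q.append((ts, path))
        c[path] += 1
        while ts - q[0][0] > window:                 # drop events older than window
            old = q.popleft()[1]
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) > threshold:
            alerts.setdefault(user, (ip, ts))        # keep only the first crossing
    return alerts

def sample_log():
    """Constructed log: alice saves 3 files over an hour; mallory's client
    touches 1400 files in 6 minutes (the infected-user figure from the post)."""
    t0, tag = datetime(2018, 5, 2, 10, 0, 0), "smbd_audit:"
    rows = [f"{(t0 + timedelta(minutes=20 * i)).isoformat()} {tag} "
            f"alice|10.0.0.21|work|pwrite|ok|/mnt/tank/work/report{i}.docx" for i in range(3)]
    rows += [f"{(t0 + timedelta(seconds=i * 360 // 1400)).isoformat()} {tag} "
             f"mallory|10.0.0.66|work|pwrite|ok|/mnt/tank/work/doc{i:04d}.xlsx" for i in range(1400)]
    return sorted(rows)          # ISO timestamps sort chronologically as strings

if __name__ == "__main__":
    print(detect(sample_log()))
```

On the constructed log the 101st distinct file is reached 25 seconds in, which is the point where an alert or a share block would be triggered and the set of files to restore from a snapshot is still small.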

Dalba

Cadet
Joined
Apr 12, 2014
Messages
5
Hello, I don't know if it has already been suggested as I didn't read all pages; here's what I would like to see in the near future:

- Being able to use Fusefs (sshfs) in a jail ! This way we could mount remote directory inside a jail.
For now it's not flagged as jail compatible when you type "lsvfs" command in console...
 

mbalsam

Explorer
Joined
Oct 9, 2015
Messages
85
I think all of these new feature ideas are great, but it means nothing unless FREENAS can do the basics.

I can't get Samba working reliably when it's integrated with Active Directory. We know the knowledge exists because TRUENAS has stable Samba support.

I think the mistake here is, FREENAS should only provide the basics but have them all actually work.

If they want to charge for more advanced features, Jails, VMs, etc. etc., that makes sense, but the basics have to work. It's just not right for IXSystems to claim that Samba integration with AD works, and then in reality I see the services are unstable.

How do I know that Freenas Samba support is defective and it's not my lack of skill? I hired the recommended FREENAS consultant who looked over my configuration and said it appeared correct.

My guess is IXsystems has no interest in getting Samba working correctly since it would compete with their TrueNAS offering. So, from my perspective, FREENAS is not a viable opensource solution.

I purchased a dirt cheap Synology box on eBay and when I have the time I will move my CIFS work to it.

BTW, I WON'T PURCHASE A TRUENAS BOX WHEN MY COMPANY HAS MORE MONEY.
 
Last edited:

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Your story simply does not add up. Plenty of people use AD with FreeNAS. If you can point to something that is not working, file a bug report instead of posting passive-aggressive comments.
 
Joined
Jul 3, 2015
Messages
926
I must say in iX's defence I generally don't find this an issue. I run many FreeNAS systems totalling multiple PBs and all are AD joined and 95% of the usage is samba with a little AFP and NFS and I have done this for about 3/4 years. Naturally there have been bugs over the years but nothing that has caused the service to break or become unreliable as suggested.
 

Bgadd

Guest
I think all of these new feature ideas are great, but it means nothing unless FREENAS can do the basics.

I can't get Samba working reliably when it's integrated with Active Directory. We know the knowledge exists because TRUENAS has stable Samba support.

I think the mistake here is, FREENAS should only provide the basics but have them all actually work.

If they want to charge for more advanced features, Jails, VMs, etc. etc., that makes sense, but the basics have to work. It's just not right for IXSystems to claim that Samba integration with AD works, and then in reality I see the services are unstable.

How do I know that Freenas Samba support is defective and it's not my lack of skill? I hired the recommended FREENAS consultant who looked over my configuration and said it appeared correct.

My guess is IXsystems has no interest in getting Samba working correctly since it would compete with their TrueNAS offering. So, from my perspective, FREENAS is not a viable opensource solution.

I purchased a dirt cheap Synology box on eBay and when I have the time I will move my CIFS work to it.

BTW, I WON'T PURCHASE A TRUENAS BOX WHEN MY COMPANY HAS MORE MONEY.

First off, thanks for the tough love and expressing your concerns. Information like this helps us improve the overall quality and stability of the product.

As far as your concerns with Samba, we are dedicated to addressing the Samba issues that are reported or found. We are changing the way we look at quality as a whole and evaluating tickets as they are submitted into the product backlog. In the past, we did not schedule ourselves enough time to do this, but that is changing. I would encourage you to submit your issues to FreeNAS Project so we can better deal with them and ultimately help others as well. It will be hard to pinpoint the issue with Samba without a bug ticket. If you like, feel free to direct message me and we can discuss further.


Ben Gadd MBA CSM
Program Manager, Engineering
iXsystems
 

mbalsam

Explorer
Joined
Oct 9, 2015
Messages
85
As far as turning a blind eye to the stability of your offering:

On the Active Directory screen, you have a checkbox called "enable monitoring" whose sole function, as far as I can discern, is to restart SMB when it stops/crashes? In my book, this is an indication that you realize that the SMB service is unstable and your approach is just simply to restart it.

If you were committed to providing a stable and documented Samba system you would include:

1) A single checklist of things to verify when using Samba.
2) A script to verify if your Samba environment was configured correctly.
3) A list of errors and simple steps to verify what to do when an error occurs.
4) A list of log files to monitor when having an issue.
5) A log file that shows a summary of all the alerts seen in the GUI console. I asked about this on the forum several times and eventually gave up. Recently someone showed me the undocumented? "Show console messages in the footer". My guess is this is a tail of the dmesg.today file?
6) A complete rewrite of your documentation using a wiki-like tool like Confluence.

The very fact that crucial parts of the documentation are just links to user posts on your forum should be an indication of the problem.

https://forums.freenas.org/index.php?resources/smb-tips-and-tricks.15/

Your marketing campaign is: use our open-source product and eventually buy our commercial product.

If you were only an open-source offering supported by students or volunteers, I would agree that my criticism is over-the-top. But you're not. You're a for-profit business with two product lines and a network of resellers.

I am annoyed since, after reviewing your marketing materials, I bought in. I decommissioned my Nexenta system and brought up your environment to find that I could not make it stable. Then I wasted another two weeks troubleshooting and hiring your smart but time-constrained consultants.

Regardless, I will wait for the next release and hope things improve. I am somewhat protected since the most critical parts of my source control system are currently running on Synology. For the other parts, I will continue to click "rebuilt directory service cache", and restart the samba_services every few hours to keep my employees and developers running.

I do appreciate Ben's offer and will take you up on it once the next release is available.
 