Solaris CIFS Service Troubleshooting

The following are troubleshooting issues for the Solaris CIFS service.

File Name Case-Sensitivity Issues

Sometimes you might experience unexpected behavior when performing basic file operations. This behavior might be related to the file system being unable to handle case-insensitive operations.

CIFS clients usually expect a case-insensitive file system for correct operation. The use of a ZFS file system that has been created in mixed-case or case-insensitive mode should allow you to circumvent these problems.

To create such a ZFS file system, use the following command:

# zfs create -o casesensitivity=mixed fsname

Cannot Join a Windows Domain

To authenticate users from a Windows domain, the Solaris CIFS service must locate a domain controller, authenticate, and then add a computer account to the domain.

Users from the domain are not able to establish a connection to the Solaris CIFS service unless this process succeeds.

The following sections describe configuration issues you might have when you cannot successfully join a Windows domain:

• Checking the DNS Configuration

• Checking the Kerberos Configuration

• Ensuring That You Specify the Correct Password for Your Domain User

• Ensuring That Your Domain User Has Sufficient Administrative Privileges

Checking the DNS Configuration

The Solaris CIFS service must be running for the smbadm join command to succeed.

If Active Directory (AD) is configured, the Solaris CIFS service attempts to locate the domain controller by means of DNS. If the service cannot locate the domain controller, configure DNS properly.

The following configuration issues might prevent you from configuring the Solaris CIFS service in domain mode:

• Missing DNS domain. Ensure that the fully qualified AD domain name has been added to the search list or as the local domain in /etc/resolv.conf.

  If your configuration is incorrect, you might see the failed to join domain domain-name (INVALID_PARAMETER) error when attempting to join the domain.

• Missing DNS server. Ensure that the IP address of the AD DNS server is added as the name server in /etc/resolv.conf.

  If your configuration is incorrect, you might see the failed to find any domain controllers error when attempting to join the domain.

• DNS host lookup not used. Ensure that DNS is used for host lookup in the /etc/nsswitch.conf file.

Checking the Kerberos Configuration

You might see the following error messages, which indicate that Kerberos is not correctly configured:

• k5_kinit: KDC has no support for encryption type

  When this error occurs, you must reset the Domain Administrator password by re-entering the original password.

  This error is a known issue on Windows where DES encryption keys are not created for the administrator under certain circumstances. For more information, see Microsoft knowledge base article 248808.

• k5_kinit: getting initial credentials (KDC reply did not match expectations)

  Ensure that the Kerberos Realm specified in the /etc/krb5/krb5.conf uses uppercase characters.

• k5_kinit: getting initial credentials (Cannot resolve network address for KDC in requested realm)

  This problem can be corrected by ensuring that the configuration is correct in one of these ways:

  • Ensure that DNS is used for host lookup in the /etc/nsswitch.conf file.

  • Ensure that the IP address of the DNS server is added as the name server in the /etc/resolv.conf file.

    Check the resolve.conf file if you also see the following log entries:

    Jan  4 10:27:58 pb-49 smbd[101148]: [ID 290708 daemon.debug] NS Found 10.1.98.13 name server
    Jan  4 10:27:58 pb-49 smbd[101148]: [ID 290708 daemon.debug] NS Found 10.1.98.12 name server
    Jan  4 10:27:58 pb-49 smbd[101148]: [ID 327122 daemon.debug] NS Found 2 name servers
    Jan  4 10:27:58 pb-49 smbd[101148]: [ID 995127 daemon.error] dyndns: UDP send error (Bad file number)
    Jan  4 10:27:58 pb-49 smbd[101148]: [ID 342079 daemon.error] smb_ads: send/receive error
    Jan  4 10:27:58 pb-49 smbd[101148]: [ID 995127 daemon.error] dyndns: UDP send error (Bad file number)
    Jan  4 10:27:58 pb-49 smbd[101148]: [ID 342079 daemon.error] smb_ads: send/receive error
    Jan  4 10:27:58 pb-49 smbd[101148]: [ID 327097 daemon.error] smb_ads: No ADS host found from configured
    nameservers

Ensuring That You Specify the Correct Password for Your Domain User

The user that you specify on the smbadm join command line must have the correct password and the authority to create computer accounts. Typically, you must specify a user account that is a member of the Domain Administrators global group.

The following error message only appears if you supply the wrong password for the administrative user:

failed to join domain-name (LOGON_FAILURE)

This error message might also appear if packet signing is enabled on the domain controller. So, you must disable packet signing on the domain controller before you can successfully join a domain.

If you attempt to join as a domain user who does not have administrative privileges, the join fails with insufficient access error messages.

Ensuring That Your Domain User Has Sufficient Administrative Privileges

The user that you specify on the smbadm join command line must be a member of the Domain Administrators global group.

The following error message only appears if you attempt to join as a domain user who does not have administrative privileges. The join fails with insufficient access error messages.

smbd: failed joining domain-name (UNSUCCESSFUL)

Checking Intermittent Domain Connectivity

Checking the Domain Controller Selection

Sometimes the Solaris CIFS service might lose its connection to the domain controller. In such a situation, Windows users are denied access to the Solaris CIFS service.

The connection might be lost if the network experiences connectivity problems or if the primary domain controller fails.

The solution to any of these problems is to rejoin the Windows domain. See How to Configure the Solaris CIFS Service in Domain Mode.

idmapd Unable to Contact AD When in Workgroup Mode

The idmapd server attempts to contact AD even if the Solaris CIFS service is in workgroup mode. As a result, idmapd issues errors.

To work around this problem, remove all rule-based mappings and ignore any errors from idmapd about its failure to contact AD.

Viewing Solaris CIFS Service Property Settings

Much of the Solaris CIFS service configuration uses the sharectl(1M) command to set properties. Before you change property values, you should view the current property settings by running the sharectl get smb command.

Excluding IP Addresses From WINS Name Resolution

When using WINS/NetBIOS, Windows domain controllers (DC) do not automatically respond to the IP address from which they received a request. They perform a WINS or NetBIOS cache lookup and for multihomed servers the DC can respond to a different IP address belonging to the server. If the IP address is not accessible to the DC, it will appear as if the DC has not responded to the server. Thus, it may be necessary to exclude some IP addresses when a multihomed server registers with WINS.

The following example shows how to configure the Solaris CIFS service as a WINS client. The primary WINS server is set to IP address 172.16.48.20, the secondary WINS server is set to IP address 172.16.48.21, and IP addresses 172.16.48.22 and 172.16.48.23 are excluded from WINS resolution.

# sharectl set -p wins_server_1=172.16.48.20 smb
# sharectl set -p wins_server_2=172.16.48.21 smb
# sharectl set -p wins_exclude=192.168.48.22,192.168.48.23 smb

Changes to Windows Group Membership and to User Mapping Do Not Take Effect

Windows clients use an access token to assign user data and group membership. This token is assigned when the client connects to the CIFS service. Any changes made to this token are not reflected until the next time the user connects.

To force changes to take effect immediately, the user must disconnect from the CIFS service by logging out of all connected workstations.

Windows Clients Cannot Connect by NetBIOS Name or Are Missing From Browse List or Network Neighborhood

A master browser is a server that is configured to manage CIFS/SMB browse lists and to respond to client requests for them. A Windows server is configured as a master browser by default.

The Solaris CIFS service is not configured as a master browser. The Solaris CIFS service dedicates all of its resources to file sharing.

For browsing to function correctly, each subnet or physical network segment must have a master browser. To make the Solaris CIFS service available through browse lists, the system on which it runs should be located on the same segment and subnet as a Windows server.

Configuring a Windows server improves the performance of browsing and might compensate for the lack of a master browser on some segments.

Cannot Set Share Security, All Shares Inherit the Security of the Directory Object

The security implementation of the Solaris CIFS service only secures files and directories. The effective security of a CIFS share is always the security of the directory to which it points.

Older Versions of Windows Cannot Copy Files Larger Than 4 Gbytes

You might see this problem if your client is running Windows 2000 or an older version of Windows.

• If you are running a Windows 2000 client, apply the latest service pack.

• If you are running a version older than Windows 2000, you might be able to work around the problem by using the Windows backup utility or by using a similar third-party product.

Cannot Use CIFS to Map Drives

To map a drive or to connect to a share, you must have read access to the directory to which the share points.

If the Solaris CIFS service is in domain mode, you must also be logged in to the domain.

To ensure that a user can connect to a share, do the following to check and modify permissions:

1. Log in to the system that is running the Solaris CIFS service.

2. Become superuser.

3. Obtain the user name and group name of the owner.

   # ls -l pathname

   For example, the following output indicates that the share is a directory with 750 permissions. The owner is root and the group is sys.

   # ls -ld /vol1/data
   drwxr-x---  41 root     sys         1024 Jan  2 23:19 /vol1/data

4. Determine the permissions necessary for the user to access the directory.

5. Use the chmod command to change the permissions of the directory.

Cannot See the Security Tab From Windows Clients

Some Windows clients do not show the security tab unless you have permission to view or change security.

For information about how to view and modify share permissions, see Cannot Use CIFS to Map Drives.

Microsoft Access or SQL Server Sessions Time Out After a Period of Inactivity

Applications can send SMB echo requests periodically to keep idle sessions open or to reconnect, as required, if a session times out due to inactivity. If an application appears unable to deal with an idle session timeout, the CIFS service keep_alive property can be set to 0 to disable the session inactivity timer.

# sharectl set -p keep_alive=0 smb

Cannot Add Windows Local Groups to Access Control List

Windows local groups cannot be used to assign security on remote systems. A local group can only be used on the individual computer on which it is created. A local group is not stored in the domain SAM database.

Windows domain controllers are an exception to this behavior. Domain controllers share a set of local groups that can only be shared with other domain controllers. To make security assignments to the Solaris CIFS service, use global groups.

The Solaris CIFS service has its own set of local groups that are provided for Windows compatibility purposes. These local groups permit a limited set of privileges, and they can also be used for security assignments to individual files and folders.

---

Note - Windows domain local groups are not supported.

---

CIFS Browsing Fails When sharesmb=on Is Set on a ZFS Pool

If you have a ZFS pool with datasets and you run the zfs set sharesmb=on command on the pool, the pool and all its datasets are shared, but unavailable for browsing by Windows systems.

To work around this problem, do the following:

1. Determine whether your zpool and zfs versions support CIFS shares.

   # zpool get version pool
   # zfs get version dataset

   Support for CIFS shares requires that ZFS pools be at least Version 9 and that ZFS datasets be at least Version 3.

2. (Optional) Upgrade zpool and zfs.

   # zpool upgrade pool
   # zfs upgrade dataset

   For more information, see the zpool(1M) and zfs(1M) man pages.

3. Map the shares in one of the following ways:

   • Run the zfs set sharesmb=on command on any of the lower-level datasets instead of the pool.

   • Map the shares directly.

Samba or CIFS Service Cannot Bind Various Ports

You will see errors if you attempt to run both the Samba service, svc:/network/samba:default, and the Solaris CIFS service, svc:/network/smb/server:default, simultaneously.

The Samba and Solaris CIFS services are mutually exclusive because they both attempt to listen on the same ports. Only one service should be enabled at any time.

To disable either the Samba or Solaris CIFS service, do one of the following:

• Disable the Samba service. Use the svcadm disable svc:/network/samba command.

• Disable the Solaris CIFS service. Use the svcadm disable smb/server command.

CIFS Shares on ZFS Are Inaccessible After a Reboot

CIFS shares on ZFS might be inaccessible to CIFS clients if you reboot the Solaris CIFS server.

Run the following command to reshare the ZFS shares:

# sharemgr start -P smb zfs

invalid password Errors Appear When Mapping a Drive or Browsing Computers in the Workgroup

When you map a drive or browse computers in your workgroup, you might see invalid password errors. If you see these errors, check to see that the /var/smb/smbpasswd file includes information for the appropriate users.

Also, ensure that the pam_smb_passwd.so.1 entry is in the /etc/pam.conf file and that you use the passwd command to set your password.

For more information, see How to Configure the Solaris CIFS Service in Workgroup Mode.

Access Control List Inheritance Issues

Access control list (ACL) behavior differs between Windows systems and ZFS on Solaris systems. You might experience Windows ACL inheritance problems because of the access control entry (ACE) ordering used by the default ZFS ACL.

The default ZFS ACL is designed to comply with POSIX, which results in the interleaving of allow and deny ACEs. Windows expects all deny ACEs to precede all allow ACEs.

You can override the default ZFS behavior by changing the ACL on the root directory to provide the equivalent of Everyone:FullControl as follows:

# chmod 777 /pool-name
# chmod A=everyone@:rwxpdDaARWcCos:fd:allow /pool/fs-name

For information about the chmod options, see the chmod(1) man page.

You can verify the ACL by viewing it on Windows or by running the following command on a Solaris system:

# ls -V -d /pool-name/fs-name

You can apply this ACL recursively to all subdirectories and files for existing file systems from Windows or from the Solaris OS.

If you apply the ACL when the file system is first created, the ACL will be propagated according to the normal inheritance rules.

If a directory has a default ZFS ACL, when a file or folder is created under this directory from Windows, it has two ACEs: one for the owner and one for SYSTEM. To change this behavior, update the root directory's ACL by running the chmod commands shown previously.

Missing Security Tab on XP Clients

You might not see the security tab for a file or folder when using an XP client for the following reasons:

• You do not have enough permissions to see the security settings of the file or folder

• Simplified file sharing is enabled on your client

To disable simplified file sharing, go to Control Panel->Folder Options->View, and unselect Use Simple File Sharing (Recommended), and click Apply.

For more information about disabling simplified file sharing and setting permissions on a shared folder, see Microsoft knowledge base article 307874.