Solaris CIFS Service Troubleshooting
The following are troubleshooting issues for the Solaris CIFS service.
File Name Case-Sensitivity Issues
Sometimes you might experience unexpected behavior when performing basic file operations. This behavior might be related to the file system being unable to handle case-insensitive operations.
CIFS clients usually expect a case-insensitive file system for correct operation. The use of a ZFS file system that has been created in mixed-case or case-insensitive mode should allow you to circumvent these problems.
To create such a ZFS file system, use the following command:
# zfs create -o casesensitivity=mixed fsname
Cannot Join a Windows Domain
To authenticate users from a Windows domain, the Solaris CIFS service must locate a domain controller, authenticate, and then add a computer account to the domain.
Users from the domain are not able to establish a connection to the Solaris CIFS service unless this process succeeds.
The following sections describe configuration issues you might have when you cannot successfully join a Windows domain:
Checking the DNS Configuration
The Solaris CIFS service must be running for the smbadm join command to succeed.
If Active Directory (AD) is configured, the Solaris CIFS service attempts to locate the domain controller by means of DNS. If the service cannot locate the domain controller, configure DNS properly.
The following configuration issues might prevent you from configuring the Solaris CIFS service in domain mode:
Checking the Kerberos Configuration
You might see the following error messages, which indicate that Kerberos is not correctly configured:
Ensuring That You Specify the Correct Password for Your Domain User
The user that you specify on the smbadm join command line must have the correct password and the authority to create computer accounts. Typically, you must specify a user account that is a member of the Domain Administrators global group.
The following error message only appears if you supply the wrong password for the administrative user:
failed to join domain-name (LOGON_FAILURE)
This error message might also appear if packet signing is enabled on the domain controller. So, you must disable packet signing on the domain controller before you can successfully join a domain.
If you attempt to join as a domain user who does not have administrative privileges, the join fails with insufficient access error messages.
Ensuring That Your Domain User Has Sufficient Administrative Privileges
The user that you specify on the smbadm join command line must be a member of the Domain Administrators global group.
The following error message only appears if you attempt to join as a domain user who does not have administrative privileges. The join fails with insufficient access error messages.
smbd: failed joining domain-name (UNSUCCESSFUL)
Checking Intermittent Domain Connectivity
Checking the Domain Controller Selection
Sometimes the Solaris CIFS service might lose its connection to the domain controller. In such a situation, Windows users are denied access to the Solaris CIFS service.
The connection might be lost if the network experiences connectivity problems or if the primary domain controller fails.
The solution to any of these problems is to rejoin the Windows domain. See How to Configure the Solaris CIFS Service in Domain Mode.
idmapd Unable to Contact AD When in Workgroup Mode
The idmapd server attempts to contact AD even if the Solaris CIFS service is in workgroup mode. As a result, idmapd issues errors.
To work around this problem, remove all rule-based mappings and ignore any errors from idmapd about its failure to contact AD.
Viewing Solaris CIFS Service Property Settings
Much of the Solaris CIFS service configuration uses the sharectl(1M) command to set properties. Before you change property values, you should view the current property settings by running the sharectl get smb command.
Excluding IP Addresses From WINS Name Resolution
When using WINS/NetBIOS, Windows domain controllers (DC) do not automatically respond to the IP address from which they received a request. They perform a WINS or NetBIOS cache lookup and for multihomed servers the DC can respond to a different IP address belonging to the server. If the IP address is not accessible to the DC, it will appear as if the DC has not responded to the server. Thus, it may be necessary to exclude some IP addresses when a multihomed server registers with WINS.
The following example shows how to configure the Solaris CIFS service as a WINS client. The primary WINS server is set to IP address 172.16.48.20, the secondary WINS server is set to IP address 172.16.48.21, and IP addresses 172.16.48.22 and 172.16.48.23 are excluded from WINS resolution.
# sharectl set -p wins_server_1=172.16.48.20 smb # sharectl set -p wins_server_2=172.16.48.21 smb # sharectl set -p wins_exclude=192.168.48.22,192.168.48.23 smb
Changes to Windows Group Membership and to User Mapping Do Not Take Effect
Windows clients use an access token to assign user data and group membership. This token is assigned when the client connects to the CIFS service. Any changes made to this token are not reflected until the next time the user connects.
To force changes to take effect immediately, the user must disconnect from the CIFS service by logging out of all connected workstations.
Windows Clients Cannot Connect by NetBIOS Name or Are Missing From Browse List or Network Neighborhood
A master browser is a server that is configured to manage CIFS/SMB browse lists and to respond to client requests for them. A Windows server is configured as a master browser by default.
The Solaris CIFS service is not configured as a master browser. The Solaris CIFS service dedicates all of its resources to file sharing.
For browsing to function correctly, each subnet or physical network segment must have a master browser. To make the Solaris CIFS service available through browse lists, the system on which it runs should be located on the same segment and subnet as a Windows server.
Configuring a Windows server improves the performance of browsing and might compensate for the lack of a master browser on some segments.
Cannot Set Share Security, All Shares Inherit the Security of the Directory Object
The security implementation of the Solaris CIFS service only secures files and directories. The effective security of a CIFS share is always the security of the directory to which it points.
Older Versions of Windows Cannot Copy Files Larger Than 4 Gbytes
You might see this problem if your client is running Windows 2000 or an older version of Windows.
Cannot Use CIFS to Map Drives
To map a drive or to connect to a share, you must have read access to the directory to which the share points.
If the Solaris CIFS service is in domain mode, you must also be logged in to the domain.
To ensure that a user can connect to a share, do the following to check and modify permissions:
Cannot See the Security Tab From Windows Clients
Some Windows clients do not show the security tab unless you have permission to view or change security.
For information about how to view and modify share permissions, see Cannot Use CIFS to Map Drives.
Microsoft Access or SQL Server Sessions Time Out After a Period of Inactivity
Applications can send SMB echo requests periodically to keep idle sessions open or to reconnect, as required, if a session times out due to inactivity. If an application appears unable to deal with an idle session timeout, the CIFS service keep_alive property can be set to 0 to disable the session inactivity timer.
# sharectl set -p keep_alive=0 smb
Cannot Add Windows Local Groups to Access Control List
Windows local groups cannot be used to assign security on remote systems. A local group can only be used on the individual computer on which it is created. A local group is not stored in the domain SAM database.
Windows domain controllers are an exception to this behavior. Domain controllers share a set of local groups that can only be shared with other domain controllers. To make security assignments to the Solaris CIFS service, use global groups.
The Solaris CIFS service has its own set of local groups that are provided for Windows compatibility purposes. These local groups permit a limited set of privileges, and they can also be used for security assignments to individual files and folders.
Note - Windows domain local groups are not supported.
CIFS Browsing Fails When sharesmb=on Is Set on a ZFS Pool
If you have a ZFS pool with datasets and you run the zfs set sharesmb=on command on the pool, the pool and all its datasets are shared, but unavailable for browsing by Windows systems.
To work around this problem, do the following:
Samba or CIFS Service Cannot Bind Various Ports
You will see errors if you attempt to run both the Samba service, svc:/network/samba:default, and the Solaris CIFS service, svc:/network/smb/server:default, simultaneously.
The Samba and Solaris CIFS services are mutually exclusive because they both attempt to listen on the same ports. Only one service should be enabled at any time.
To disable either the Samba or Solaris CIFS service, do one of the following:
CIFS Shares on ZFS Are Inaccessible After a Reboot
CIFS shares on ZFS might be inaccessible to CIFS clients if you reboot the Solaris CIFS server.
Run the following command to reshare the ZFS shares:
# sharemgr start -P smb zfs
invalid password Errors Appear When Mapping a Drive or Browsing Computers in the Workgroup
When you map a drive or browse computers in your workgroup, you might see invalid password errors. If you see these errors, check to see that the /var/smb/smbpasswd file includes information for the appropriate users.
Also, ensure that the pam_smb_passwd.so.1 entry is in the /etc/pam.conf file and that you use the passwd command to set your password.
For more information, see How to Configure the Solaris CIFS Service in Workgroup Mode.
Access Control List Inheritance Issues
Access control list (ACL) behavior differs between Windows systems and ZFS on Solaris systems. You might experience Windows ACL inheritance problems because of the access control entry (ACE) ordering used by the default ZFS ACL.
The default ZFS ACL is designed to comply with POSIX, which results in the interleaving of allow and deny ACEs. Windows expects all deny ACEs to precede all allow ACEs.
You can override the default ZFS behavior by changing the ACL on the root directory to provide the equivalent of Everyone:FullControl as follows:
# chmod 777 /pool-name # chmod [email protected]:rwxpdDaARWcCos:fd:allow /pool/fs-name
For information about the chmod options, see the chmod(1) man page.
You can verify the ACL by viewing it on Windows or by running the following command on a Solaris system:
# ls -V -d /pool-name/fs-name
You can apply this ACL recursively to all subdirectories and files for existing file systems from Windows or from the Solaris OS.
If you apply the ACL when the file system is first created, the ACL will be propagated according to the normal inheritance rules.
If a directory has a default ZFS ACL, when a file or folder is created under this directory from Windows, it has two ACEs: one for the owner and one for SYSTEM. To change this behavior, update the root directory's ACL by running the chmod commands shown previously.
Missing Security Tab on XP Clients
You might not see the security tab for a file or folder when using an XP client for the following reasons:
To disable simplified file sharing, go to Control Panel->Folder Options->View, and unselect Use Simple File Sharing (Recommended), and click Apply.
For more information about disabling simplified file sharing and setting permissions on a shared folder, see Microsoft knowledge base article 307874.