Newbie - An existing CIFS share stopped showing

Status
Not open for further replies.

Ariel M

Dabbler
Joined
Mar 15, 2016
Messages
17
Hello,
I installed FreeNAS about 6-7 months ago and set up a CIFS share that was used by some of my network users with no unusual problems.
Since this morning the share cannot be accessed; running "net use x: \\freenas\Share" results in "There are currently no logon servers available to service the logon request".

The FreeNAS version is 9.3-Stable, the DC is Windows 2008R2 and the workstations are Windows 7. Naturally all updates have been done.
Any idea what to look for, or what to do to solve this?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Can you access it by "\\<ip-address>\share"? Is FreeNAS an AD member server? Any interesting messages in:
/var/log/messages
/var/log/samba4/log.smbd
/var/log/samba4/log.wb-*
 

Ariel M

I cannot access it by "\\<ip-address>\share".
The FreeNAS is configured as a computer in the AD, nothing changed there since I installed it.
Sorry, but as a LINUX newbie I am not sure how to check those directories and what to look for in them. Could you guide me please?
 

anodos

You can view the logs by using the commands (of course there are more options) "less", "tail", "cat".

For instance, you can enter the console and type "tail /var/log/messages" and it will show you the last 10 log entries. If you type "less /var/log/messages" you will have a somewhat interactive session where you can use PgUp and PgDn to scroll through the log files and check for problems.

I'd start by doing the following:
0) Check the various log files under /var/log/samba/. My best guess is that the credentials for the domain account you used to join the domain are expired, locked, or otherwise changed. The log files should confirm this.

1) Log into server and type "testparm". Press "enter" and paste output here enclosed in [ code ] tags.

2) Log into server console and type "wbinfo -g", "wbinfo -u", and "wbinfo -t". The former two commands should output your AD groups and users respectively. The latter will check the status of trust secrets. They probably won't show any results.

3) For the sake of completeness, verify that you haven't had any other major changes to your network (DCs changed, DNS servers changed, etc.).
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
> FreeNAS version is 9.3-Stable, the DC is Windows 2008R2

Have either of these machines been rebooted lately? If so, did FreeNAS come up before the DC? Might be able to simply restart the CIFS Service and see if that resolves it. Otherwise, you may be able to just restart FreeNAS.

Give those a quick try and let us know.
 

Ariel M

The result of "tail /var/log/messages":
[root@freenas] ~# tail /var/log/messages
Mar 15 14:33:10 freenas smbd[6401]: [2016/03/15 14:33:10.449871, 0] ../libcli/nbt/lmhosts.c:99(getlmhostsent)
Mar 15 14:33:10 freenas smbd[6401]: getlmhostsent: too many columns in lmhosts file (obsolete syntax)
Mar 15 14:33:11 freenas smbd[6413]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsmatchname: host name/name mismatch: 192.168.0.28 != (NULL)
Mar 15 14:33:11 freenas smbd[6413]: [2016/03/15 14:33:11.461504, 0] ../source3/lib/util_sock.c:1199(get_remote_hostname)
Mar 15 14:33:11 freenas smbd[6413]: matchname failed on 192.168.0.28
Mar 15 14:33:11 freenas smbd[6413]: [2016/03/15 14:33:11.574263, 0] ../libcli/nbt/lmhosts.c:99(getlmhostsent)
Mar 15 14:33:11 freenas smbd[6413]: getlmhostsent: too many columns in lmhosts file (obsolete syntax)
Mar 15 14:33:12 freenas smbd[6413]: [2016/03/15 14:33:12.576830, 0] ../libcli/nbt/lmhosts.c:99(getlmhostsent)
Mar 15 14:33:12 freenas smbd[6413]: getlmhostsent: too many columns in lmhosts file (obsolete syntax)
Mar 15 14:35:09 freenas sshd[6069]: in openpam_check_error_code(): pam_sm_setcred(): unexpected return value 12
[root@freenas] ~#
 

Ariel M

The result of "testparm":

[root@freenas] ~# testparm
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[Shiva]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
dos charset = CP437
workgroup = NETPOSITION
server string = FreeNAS Server
server role = member server
security = DOMAIN
map to guest = Bad User
obey pam restrictions = Yes
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
username map = /usr/local/etc/smbusers
max log size = 51200
deadtime = 15
max open files = 116912
hostname lookups = Yes
load printers = No
printcap name = /dev/null
disable spoolss = Yes
lm announce = Yes
local master = No
domain master = No
dns proxy = No
pid directory = /var/run/samba
panic action = /usr/local/libexec/samba/samba-backtrace
template shell = /bin/sh
winbind cache time = 7200
winbind enum users = Yes
winbind enum groups = Yes
winbind offline logon = Yes
nsupdate command = /usr/local/bin/samba-nsupdate -g
idmap config NETPOSITION: range = 20000-90000000
idmap config NETPOSITION: backend = rid
idmap config *: range = 20000-90000000
idmap config * : backend = tdb
acl allow execute always = Yes
create mask = 0666
directory mask = 0777
ea support = Yes
directory name cache size = 0
kernel change notify = No
store dos attributes = Yes
strict locking = No
dfree command = /usr/local/libexec/samba/dfree
dos filemode = Yes

[Shiva]
path = /mnt/Vol1/Shiva
read only = No
veto files = /.snapshot/.windows/.mac/.zfs/
vfs objects = recycle, shadow_copy2, zfsacl, aio_pthread, streams_xattr
zfsacl:acesort = dontcare
nfs4:chown = true
nfs4:acedup = merge
nfs4:mode = special
shadow:snapdirseverywhere = yes
shadow:format = auto-%Y%m%d.%H%M-2w
shadow:localtime = yes
shadow:sort = desc
shadow:snapdir = .zfs/snapshot
recycle:subdir_mode = 0700
recycle:directory_mode = 0777
recycle:touch = yes
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle/%U
[root@freenas] ~#
 

Ariel M

The result of "wbinfo -g" and "wbinfo -u" is "Error looking up domain users".
The result of "wbinfo -t" is:
[root@freenas] ~# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret
 

Ariel M

> Have either of these machines been rebooted lately? If so, did FreeNas come up before the DC? Might be able to simply restart the CIFS Service and see if that resolves it. Otherwise, you may be able to just restart FreeNas.
>
> Give those a quick try and let us know.

Naturally I already rebooted both the DC and the FreeNAS, in the right order.
 

Mirfster


anodos

Speaking of low-hanging fruit, try re-configuring AD integration.

1) Go to Network -> Global Configuration.
- Verify that hostname, domain name, default gateway, and name servers are set correctly.

2) Go to System -> General -> then click on "NTP Servers"
- Make sure that NTP is configured correctly and that time on DC and FreeNAS server is the same.

3) Go to Directory Services -> Active Directory and click on "Advanced Mode"
I typically fill in the following fields:
  • Domain Name (Foo.com)
  • Domain Account Name (typically a Domain Admin)
  • Domain Account Password (you will need to enter the password here before hitting 'Save')
  • NetBios Name (ex: "kung" where server's FQDN is "kung.foo.com")
  • Verbose logging (checked)
  • Use Default Domain (checked)
  • Allow DNS updates (checked)
  • Domain Controller (FQDN of DC)
  • Global Catalog Server (FQDN of global catalog server)
  • Kerberos Realm (typically "foo.com")
  • Idmap backend (rid)
  • SASL wrapping (plain)
  • Enable (checked)
Then click "save"

Assuming you don't see any errors, go to the CLI and type "wbinfo -u" or "wbinfo -g" and see if you are getting your AD users or groups.
 

Ariel M

The question is: if I re-configure the AD integration, will all the files remain accessible just as they were?
 

anodos

The RID idmap backend uses an algorithmic mapping scheme to map uids/gids to SIDs. This means that as long as you don't touch the idmap range, nothing should change permissions-wise.
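
The arithmetic behind that answer, as an added example that is not part of anodos's post: idmap_rid computes the Unix id as RID - base_rid + low end of the range, so re-joining with the same range reproduces the same ids, while a changed range makes ids already stored on disk resolve to other RIDs. The range is the one from the testparm output posted earlier in this thread; base_rid = 0 (the default) and the RID 1105 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: idmap_rid's RID <-> Unix id arithmetic.
# LOW and HIGH are the "idmap config NETPOSITION: range" values posted above.
# BASE_RID=0 (the idmap_rid default) and RID 1105 are assumptions.
LOW=20000
HIGH=90000000
BASE_RID=0

# RID -> Unix id: id = RID - BASE_RID + LOW; ids outside LOW..HIGH are not mapped.
rid_to_id() {            # usage: rid_to_id RID [LOW [HIGH]]
    rid=$1; low=${2:-$LOW}; high=${3:-$HIGH}
    id=$((rid - BASE_RID + low))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo "unmapped"
        return 1
    fi
    echo "$id"
}

# Unix id -> RID (the inverse): RID = id + BASE_RID - LOW.
id_to_rid() {            # usage: id_to_rid ID [LOW]
    id=$1; low=${2:-$LOW}
    echo $((id + BASE_RID - low))
}

# Files written before the re-join carry the numeric id of RID 1105.
on_disk=$(rid_to_id 1105)
echo "id stored on disk:                 $on_disk"
# Re-join with the same range: the same RID yields the same id again.
echo "same range, RID 1105 maps to:      $(rid_to_id 1105)"
# Re-join with a changed range (10000-90000000): the stored id now belongs
# to a different RID, so ownership and ACL entries point at another account.
echo "changed range, id $on_disk is RID: $(id_to_rid "$on_disk" 10000)"
```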
 

Ariel M

The "Enable" checkbox is disabled...
 

Ariel M

> Assuming you don't see any errors, go to the CLI and type "wbinfo -u" or "wbinfo -g" and see if you are getting your AD users or groups.

I run "wbinfo -u" and receive "Error looking up domain users".
With "wbinfo -g" I get "failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE. Error looking up domain groups".
 

anodos

Check "directory service" -> "NT4"
Make sure that "Enable" is NOT checked. If it is checked, then uncheck it, click save, then perform the steps I listed above to join your AD domain.

Also verify the following:

1) the Idmap range under "services" -> "CIFS" does NOT overlap the idmap range set under "Directory Service" -> "Active Directory".
2) no one has tried to generate an lmhosts file for samba on this server.

Are you the only administrator for this server? It sounds an awful lot like someone was mucking around with it.
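
A check for item 1 above, as an added example that is not part of anodos's post: it reads testparm-style output and reports idmap ranges that overlap. The sample input is the set of idmap lines from the testparm output posted earlier in this thread, where NETPOSITION and * carry the same range; treating "idmap config *" as the range from "services" -> "CIFS" and "idmap config NETPOSITION" as the Active Directory range is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: flag overlapping idmap ranges.
# SAMPLE_CONF is constructed from the idmap lines of the testparm output
# posted earlier in this thread.
SAMPLE_CONF='idmap config NETPOSITION: range = 20000-90000000
idmap config NETPOSITION: backend = rid
idmap config *: range = 20000-90000000
idmap config * : backend = tdb'

# Reads smb.conf / testparm text on stdin and prints one "OVERLAP" line
# for every pair of idmap domains whose id ranges intersect.
idmap_overlaps() {
    awk '
    BEGIN { n = 0 }
    /^[ \t]*idmap config .*:[ \t]*range[ \t]*=/ {
        line = $0
        sub(/^[ \t]*idmap config[ \t]*/, "", line)
        dom = line; sub(/[ \t]*:.*/, "", dom)     # domain name before ":"
        rng = line; sub(/.*=[ \t]*/, "", rng)      # "low-high" after "="
        split(rng, lh, "-")
        name[n] = dom; low[n] = lh[1] + 0; high[n] = lh[2] + 0; n++
    }
    END {
        for (i = 0; i < n; i++)
            for (j = i + 1; j < n; j++)
                # Two closed intervals intersect when each starts
                # no later than the other ends.
                if (low[i] <= high[j] && low[j] <= high[i])
                    printf "OVERLAP %s %d-%d %s %d-%d\n", \
                        name[i], low[i], high[i], name[j], low[j], high[j]
    }'
}

# Run against the sample; an empty result means no ranges overlap.
printf '%s\n' "$SAMPLE_CONF" | idmap_overlaps
```

On the server itself the same function can read the live configuration with `testparm -s 2>/dev/null | idmap_overlaps`.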
 

Ariel M

So weird...
The share is there, visible and I can access it with full permissions.
But a specific user (the only user who actually uses this share), she can view all the files but only as read-only. She cannot save or create new files/folders.
What do I have to check in order to troubleshoot this? Her FreeNAS user seems to me exactly like mine...
Please assist ;)
 