Solaris CIFS Service Troubleshooting
The following are troubleshooting issues for the Solaris CIFS service.
File Name Case-Sensitivity Issues
Sometimes you might experience unexpected behavior when performing basic file operations. This
behavior might be related to the file system being unable to handle
case-insensitive operations.
CIFS clients usually expect a case-insensitive file system for correct operation. The
use of a ZFS file system that has been created in mixed-case
or case-insensitive mode should allow you to circumvent these problems.
To create such a ZFS file system, use the following command:
# zfs create -o casesensitivity=mixed fsname
Cannot Join a Windows Domain
To authenticate users from a Windows domain, the Solaris CIFS service must
locate a domain controller, authenticate, and then add a computer account to
the domain.
Users from the domain are not able to establish a connection to
the Solaris CIFS service unless this process succeeds.
The following sections describe configuration issues you might have when you cannot
successfully join a Windows domain:
Checking the DNS Configuration
The Solaris CIFS service must be running for the smbadm join command to
succeed.
If Active Directory (AD) is configured, the Solaris CIFS service attempts to
locate the domain controller by means of DNS. If the service cannot
locate the domain controller, configure DNS properly.
The following configuration issues might prevent you from configuring the Solaris CIFS
service in domain mode:
Missing DNS domain. Ensure that the fully qualified AD domain name has been added to the search list or as the local domain in /etc/resolv.conf.
If your configuration is incorrect, you might see the failed to join domain domain-name (INVALID_PARAMETER) error when attempting to join the domain.
Missing DNS server. Ensure that the IP address of the AD DNS server is added as the name server in /etc/resolv.conf.
If your configuration is incorrect, you might see the failed to find any domain controllers error when attempting to join the domain.
DNS host lookup not used. Ensure that DNS is used for host lookup in the /etc/nsswitch.conf file.
Checking the Kerberos Configuration
You might see the following error messages, which indicate that Kerberos is
not correctly configured:
k5_kinit: KDC has no support for encryption type
When this error occurs, you must reset the Domain Administrator password by re-entering the original password.
This error is a known issue on Windows where DES encryption keys are not created for the administrator under certain circumstances. For more information, see Microsoft knowledge base article 248808.
k5_kinit: getting initial credentials (KDC reply did not match expectations)
Ensure that the Kerberos Realm specified in the /etc/krb5/krb5.conf uses uppercase characters.
k5_kinit: getting initial credentials (Cannot resolve network address for KDC in requested realm)
This problem can be corrected by ensuring that the configuration is correct in one of these ways:
Ensure that DNS is used for host lookup in the /etc/nsswitch.conf file.
Ensure that the IP address of the DNS server is added as the name server in the /etc/resolv.conf file.
Check the resolve.conf file if you also see the following log entries:
Jan 4 10:27:58 pb-49 smbd[101148]: [ID 290708 daemon.debug] NS Found 10.1.98.13 name server
Jan 4 10:27:58 pb-49 smbd[101148]: [ID 290708 daemon.debug] NS Found 10.1.98.12 name server
Jan 4 10:27:58 pb-49 smbd[101148]: [ID 327122 daemon.debug] NS Found 2 name servers
Jan 4 10:27:58 pb-49 smbd[101148]: [ID 995127 daemon.error] dyndns: UDP send error (Bad file number)
Jan 4 10:27:58 pb-49 smbd[101148]: [ID 342079 daemon.error] smb_ads: send/receive error
Jan 4 10:27:58 pb-49 smbd[101148]: [ID 995127 daemon.error] dyndns: UDP send error (Bad file number)
Jan 4 10:27:58 pb-49 smbd[101148]: [ID 342079 daemon.error] smb_ads: send/receive error
Jan 4 10:27:58 pb-49 smbd[101148]: [ID 327097 daemon.error] smb_ads: No ADS host found from configured
nameservers
Ensuring That You Specify the Correct Password for Your Domain User
The user that you specify on the smbadm join command line must have
the correct password and the authority to create computer accounts. Typically, you
must specify a user account that is a member of the Domain
Administrators global group.
The following error message only appears if you supply the wrong password
for the administrative user:
failed to join domain-name (LOGON_FAILURE)
This error message might also appear if packet signing is enabled on
the domain controller. So, you must disable packet signing on the domain
controller before you can successfully join a domain.
If you attempt to join as a domain user who does not
have administrative privileges, the join fails with insufficient access error messages.
Ensuring That Your Domain User Has Sufficient Administrative Privileges
The user that you specify on the smbadm join command line must be
a member of the Domain Administrators global group.
The following error message only appears if you attempt to join as
a domain user who does not have administrative privileges. The join fails
with insufficient access error messages.
smbd: failed joining domain-name (UNSUCCESSFUL)
Checking Intermittent Domain Connectivity
Checking the Domain Controller Selection
Sometimes the Solaris CIFS service might lose its connection to the domain
controller. In such a situation, Windows users are denied access to the
Solaris CIFS service.
The connection might be lost if the network experiences connectivity problems or
if the primary domain controller fails.
The solution to any of these problems is to rejoin the Windows
domain. See How to Configure the Solaris CIFS Service in Domain Mode.
idmapd Unable to Contact AD When in Workgroup Mode
The idmapd server attempts to contact AD even if the Solaris CIFS
service is in workgroup mode. As a result, idmapd issues errors.
To work around this problem, remove all rule-based mappings and ignore any
errors from idmapd about its failure to contact AD.
Viewing Solaris CIFS Service Property Settings
Much of the Solaris CIFS service configuration uses the sharectl(1M) command to
set properties. Before you change property values, you should view the current
property settings by running the sharectl get smb command.
Excluding IP Addresses From WINS Name Resolution
When using WINS/NetBIOS, Windows domain controllers (DC) do not automatically respond to
the IP address from which they received a request. They perform a
WINS or NetBIOS cache lookup and for multihomed servers the DC can
respond to a different IP address belonging to the server. If the
IP address is not accessible to the DC, it will appear as
if the DC has not responded to the server. Thus, it may
be necessary to exclude some IP addresses when a multihomed server registers
with WINS.
The following example shows how to configure the Solaris CIFS service as
a WINS client. The primary WINS server is set to IP address
172.16.48.20, the secondary WINS server is set to IP address 172.16.48.21, and
IP addresses 172.16.48.22 and 172.16.48.23 are excluded from WINS resolution.
# sharectl set -p wins_server_1=172.16.48.20 smb
# sharectl set -p wins_server_2=172.16.48.21 smb
# sharectl set -p wins_exclude=192.168.48.22,192.168.48.23 smb
Changes to Windows Group Membership and to User Mapping Do Not Take Effect
Windows clients use an access token to assign user data and group
membership. This token is assigned when the client connects to the CIFS
service. Any changes made to this token are not reflected until the
next time the user connects.
To force changes to take effect immediately, the user must disconnect from
the CIFS service by logging out of all connected workstations.
Windows Clients Cannot Connect by NetBIOS Name or Are Missing From Browse List or Network Neighborhood
A master browser is a server that is configured to manage CIFS/SMB
browse lists and to respond to client requests for them. A Windows
server is configured as a master browser by default.
The Solaris CIFS service is not configured as a master browser. The
Solaris CIFS service dedicates all of its resources to file sharing.
For browsing to function correctly, each subnet or physical network segment must
have a master browser. To make the Solaris CIFS service available through
browse lists, the system on which it runs should be located on
the same segment and subnet as a Windows server.
Configuring a Windows server improves the performance of browsing and might compensate
for the lack of a master browser on some segments.
Cannot Set Share Security, All Shares Inherit the Security of the Directory Object
The security implementation of the Solaris CIFS service only secures files and
directories. The effective security of a CIFS share is always the security
of the directory to which it points.
Older Versions of Windows Cannot Copy Files Larger Than 4 Gbytes
You might see this problem if your client is running Windows 2000
or an older version of Windows.
If you are running a Windows 2000 client, apply the latest service pack.
If you are running a version older than Windows 2000, you might be able to work around the problem by using the Windows backup utility or by using a similar third-party product.
Cannot Use CIFS to Map Drives
To map a drive or to connect to a share, you must
have read access to the directory to which the share points.
If the Solaris CIFS service is in domain mode, you must also
be logged in to the domain.
To ensure that a user can connect to a share, do the
following to check and modify permissions:
Log in to the system that is running the Solaris CIFS service.
Become superuser.
Obtain the user name and group name of the owner.
# ls -l pathname
For example, the following output indicates that the share is a directory with 750 permissions. The owner is root and the group is sys.
# ls -ld /vol1/data
drwxr-x--- 41 root sys 1024 Jan 2 23:19 /vol1/data
Determine the permissions necessary for the user to access the directory.
Use the chmod command to change the permissions of the directory.
Cannot See the Security Tab From Windows Clients
Some Windows clients do not show the security tab unless you have
permission to view or change security.
For information about how to view and modify share permissions, see Cannot Use CIFS to Map Drives.
Microsoft Access or SQL Server Sessions Time Out After a Period of Inactivity
Applications can send SMB echo requests periodically to keep idle sessions open
or to reconnect, as required, if a session times out due to
inactivity. If an application appears unable to deal with an idle session
timeout, the CIFS service keep_alive property can be set to 0 to
disable the session inactivity timer.
# sharectl set -p keep_alive=0 smb
Cannot Add Windows Local Groups to Access Control List
Windows local groups cannot be used to assign security on remote systems.
A local group can only be used on the individual computer on
which it is created. A local group is not stored in the
domain SAM database.
Windows domain controllers are an exception to this behavior. Domain controllers share
a set of local groups that can only be shared with other
domain controllers. To make security assignments to the Solaris CIFS service, use
global groups.
The Solaris CIFS service has its own set of local groups that
are provided for Windows compatibility purposes. These local groups permit a limited
set of privileges, and they can also be used for security assignments
to individual files and folders.
Note - Windows domain local groups are not supported.
CIFS Browsing Fails When sharesmb=on Is Set on a ZFS Pool
If you have a ZFS pool with datasets and you run the
zfs set sharesmb=on command on the pool, the pool and all its datasets are
shared, but unavailable for browsing by Windows systems.
To work around this problem, do the following:
Determine whether your zpool and zfs versions support CIFS shares.
# zpool get version pool
# zfs get version dataset
Support for CIFS shares requires that ZFS pools be at least Version 9 and that ZFS datasets be at least Version 3.
(Optional) Upgrade zpool and zfs.
# zpool upgrade pool
# zfs upgrade dataset
For more information, see the zpool(1M) and zfs(1M) man pages.
Map the shares in one of the following ways:
Samba or CIFS Service Cannot Bind Various Ports
You will see errors if you attempt to run both the Samba
service, svc:/network/samba:default, and the Solaris CIFS service, svc:/network/smb/server:default, simultaneously.
The Samba and Solaris CIFS services are mutually exclusive because they both
attempt to listen on the same ports. Only one service should be
enabled at any time.
To disable either the Samba or Solaris CIFS service, do one of
the following:
CIFS Shares on ZFS Are Inaccessible After a Reboot
CIFS shares on ZFS might be inaccessible to CIFS clients if you
reboot the Solaris CIFS server.
Run the following command to reshare the ZFS shares:
# sharemgr start -P smb zfs
invalid password Errors Appear When Mapping a Drive or Browsing Computers in the Workgroup
When you map a drive or browse computers in your workgroup, you
might see invalid password errors. If you see these errors, check to see
that the /var/smb/smbpasswd file includes information for the appropriate users.
Also, ensure that the pam_smb_passwd.so.1 entry is in the /etc/pam.conf file and
that you use the passwd command to set your password.
For more information, see How to Configure the Solaris CIFS Service in Workgroup Mode.
Access Control List Inheritance Issues
Access control list (ACL) behavior differs between Windows systems and ZFS on
Solaris systems. You might experience Windows ACL inheritance problems because of the
access control entry (ACE) ordering used by the default ZFS ACL.
The default ZFS ACL is designed to comply with POSIX, which results
in the interleaving of allow and deny ACEs. Windows expects all deny
ACEs to precede all allow ACEs.
You can override the default ZFS behavior by changing the ACL on
the root directory to provide the equivalent of Everyone:FullControl as follows:
# chmod 777 /pool-name
# chmod A=everyone@:rwxpdDaARWcCos:fd:allow /pool/fs-name
For information about the chmod options, see the chmod(1) man page.
You can verify the ACL by viewing it on Windows or by
running the following command on a Solaris system:
# ls -V -d /pool-name/fs-name
You can apply this ACL recursively to all subdirectories and files for
existing file systems from Windows or from the Solaris OS.
If you apply the ACL when the file system is first created,
the ACL will be propagated according to the normal inheritance rules.
If a directory has a default ZFS ACL, when a file or
folder is created under this directory from Windows, it has two ACEs:
one for the owner and one for SYSTEM. To change this behavior,
update the root directory's ACL by running the chmod commands shown previously.
Missing Security Tab on XP Clients
You might not see the security tab for a file or folder
when using an XP client for the following reasons:
To disable simplified file sharing, go to Control Panel->Folder Options->View, and unselect
Use Simple File Sharing (Recommended), and click Apply.
For more information about disabling simplified file sharing and setting permissions on
a shared folder, see Microsoft knowledge base article 307874.