CIFS, AD, Time and Shadow copies

[KimmoJ]

Hello. I have a grab bag of questions that are all rather interrelated so I thought I'd fire them off here. I'm not very FreeBSD versed so if some questions seem asinine, my apologies. I have AD and file shares working (mostly), I have passthrough of ACL's working and I can access files through CIFS and so far so good.

However; I rebooted and went to access the file share and got access denied. The log shows:

Code: Select all

winbindd[2746]: [2016/02/02 13:24:25.772363, 0] ../source3/libads/sasl.c:1025(ads_sasl_spnego_bind)
winbindd[2746]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Miscellaneous failure (see text) : Clock skew too great

Now, the NTP options in Nas4Free seem rather crap at first glance. Why does it use a primitive method like running ntpdate every 300 minutes instead of having the already installed ntpd run continuously and tracking clock skew on its own? My system comes up some 524 seconds off, which is way past the 5 minute kerberos window. I suppose 300 minutes after boot the ntpdate would fire and sort this out, but I suspect my users may want to get at files before 300 minutes has run after a boot.

The system shows UTC times in all logs though even though I've entered a timezone, is that correct? I'd vastly prefer the actual local EET time in the web UI though.

I also installed zfsnap and am using it to generate snapshots and they should be shadow copy compatible the way I set it up according to a thread from last year, but trying to access previous versions does this:

Code: Select all

smbd[4661]: FSCTL_GET_SHADOW_COPY_DATA: connectpath /mnt/storage/it, failed - NT_STATUS_ACCESS_DENIED.
smbd[4669]: [2016/02/02 13:54:45.111276, 0] ../source3/modules/vfs_shadow_copy2.c:1211(check_access_snapdir)
smbd[4669]: user does not have list permission on snapdir /mnt/storage/it/.zfs/snapshot
smbd[4669]: [2016/02/02 13:54:45.111352, 0] ../source3/modules/vfs_shadow_copy2.c:1380(shadow_copy2_get_shadow_copy_data)
smbd[4669]: access denied on listing snapdir /mnt/storage/it/.zfs/snapshot
smbd[4669]: [2016/02/02 13:54:45.111371, 0] ../source3/modules/vfs_default.c:1145(vfswrap_fsctl)
smbd[4669]: FSCTL_GET_SHADOW_COPY_DATA: connectpath /mnt/storage/it, failed - NT_STATUS_ACCESS_DENIED.

I was trying to do it as the Administrator account on Windows; said account is owner and has full access to the share itself for this test install. What user is being denied here, ie which user is trying to access the snapdir?

Does the .zfs dir have to be visible to users to expose the shadow copies in windows? I would prefer it not be accessible to not confuse my users.

[Onichan]

All OS's get their initial clock from BIOS, sounds like that is off. No idea why it NTP doesn't update right away though.

Snapshot issue viewtopic.php?f=78&t=10305#p64627

[KimmoJ]

Ah, so the snapshot/shadow copy issue is an actual bona fide Samba issue in this release? That's a bit annoying, but I suppose Nas4Free is rather at Samba's mercy if they break it.

So I guess the answer to this one is "sit tight, the next release after Samba fixes it will work"? I suppose it's not a showstopper for me proceeding but quite annoying.

(Btw, about the time thing - I'm running it virtualized and for some reason the underlying host had its NTPD shut down, so it was drifting off on the time. But not using ntpd is still wrong for nas4free, especially as the ntpd daemon is actually on the system, just not configured.)

[Onichan]

Yeah the snapshot issue is annoying, if you need to restore from a snapshot you can do it from CLI, they are stored at

Code: Select all

/mnt/<pool>/<dataset>/.zfs/snapshot/<snapshot_name>

Also you can change the NTP update frequency to 1 minute if you wanted.

[KimmoJ]

Yeah, the snapshots can be recovered manually by me, but it would be much more user friendly of course if users could recover them via the shadow copy function. Though I suppose I could expose the .zfs directory, but there's still a lot of searching. I plan to snapshot very frequently.

With the shadow copy function, another version is only offered if there is another version - you don't have to go through hundreds of snapshot directories, if the file is identical in all snapshots there is no previous version on offer in Windows.

But hopefully this will get sorted in a later patch. Having snapshots is worthwhile even if finding stuff in them is a pain.

As for time sync (though this is the wrong forum) the only really good solution is NTPD. Not only will that keep the time correct to the microsecond, it will learn how much the system drifts and use that to check less frequently. It would also make it possible to use the NAS as a time source for machines on the network (for other than Windows Time, which is something entirely different, though appropriate in this forum).