Hi,
I manage almost exactly the same env. as you.
RHEL 6.5 with 3.6.9 Samba, with 389 directory server as backend for authentication procedures. I also have a mixed env. with MS Windows 7 and Linux desktops (lin. desktops all SL 6.5).

I think the problem might lie somewhere in your smb.conf and/or in the way you propagate shares. Q: do you have your FS that you propagate mounted with the user_xattr and acl options? If not, your Windows rights are not correctly propagated.

One difference there is though - I run it all on ext4 FS, I still don't have enough experience to put it to production.

If you do eg:

df -mT
/dev/mapper/homelibvg-officelv ext4 23819 18730 3881 83% /office

tune2fs -l /dev/mapper/homelibvg-officelv

Default mount options:    acl
Mount options:            user_xattr

^you should see above options (not sure with xfs) if tune2fs is the right command though


Also in a mixed env. cifs/nfs, as I said, kernel oplocks *must* be 'yes' (it is by def.) or your files get corrupted. As for turning off the oplocks and level2 oplocks, I'm not sure, I don't have exp. with your problem myself, but IMHO, this won't help you because these options manage locking and opportunistic locking of files (read smb.conf on these options) and it should not make files read only for some type of clients. Also (I'm very sure of it) you face a (big) drop in Samba performance if you turn it off.

Also here is my smb.conf - maybe it will help you to have a look at my working config, with a few notes

cat smb.conf
#======================= Global Settings =====================================

[global]

# ----------------------- Network Related Options -------------------------
#
        workgroup = design
        server string = PDC controller %h

        netbios name = srv100

        interfaces = lo eth0
        hosts allow = 127. 192.168.100.0/23

#*******************************************************************************************#
# TUNING: socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
# min receivefile size = 16384
# use sendfile = yes
# aio read size = 16384
# aio write size = 16384
# max protocol = SMB2 ! this option is not working in our network setup because of clients win7

# Kernel Oplocks option
# can be used unfortunately only in env. where samba and NFS shares are NOT intermixed
# it speeds up Samba operation, but if 'no' used then on mixed share the locks on files wouldn't be controlled
# meaning someone opens file through Samba and also other can open same file through NFS because file is
# not locked -> total mess (default value is 'yes')
# kernel oplocks = no
#
#*******************************************************************************************#




# --------------------------- Logging Options -----------------------------
# Max Log Size let you specify the max size log files should reach

# logs split per user and machine (for finegrain logging of problems)
        log file = /var/log/samba/%m.log
# max 100KB per log file, then rotate
        max log size = 2048
# log level for normal usage 2 debug 3 (4-10 for developers)
        log level = 3


# ----------------------- Domain Controller Options ------------------------
#
# NOTE: guest shares don't work in user level security without allowing the server to automatically
# map unknown users into the guest account. See the map to guest parameter for details on doing this
# NOTE: ID mapping for winbind - we dont use it
# algorithmic rid base = 10000
# idmap backend = ldap:"ldaps://localhost"
# idmap uid = 5000-50000
# idmap gid = 5000-50000

        security = user
        admin users = droot, wroot
        passdb backend = ldapsam:ldaps://localhost
#
# NOTE: resolve order is important! we have 'wins support = yes' in smb.conf
# so we use it at 1st place! also 'host' is misconfiguration from poor
# smb.conf manpage - it must be 'hosts'! also 'wins' options is useful for
# BDC servers, where we point them via 'wins server = 192.168.2.245'

        name resolve order = wins hosts bcast lmhosts
        time server = yes
        unix extensions = no
        nt acl support = yes
        map acl inherit = yes
        hide files = desktop.ini

        ldapsam:trusted=yes
        ldapsam:editposix=yes

        ldap suffix = dc=design,dc=com
        ldap machine suffix = ou=Users
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
        ldap ssl = off
        ldap passwd sync = yes

        domain master = yes
        domain logons = yes

        add user script = /usr/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w '%u'
#
# NOTE: 'unix password sync = yes' can NOT be used together with 'ldap passwd sync = yes'
# and that means 'passwd program' and 'passwd chat' are useless as well
#
# passwd chat = "Changing*\nNew password*" %n\n "*Retype new password*" %n\n"
# passwd program = /usr/sbin/smbldap-passwd -s '%u'
# unix password sync = yes

# Fixing incorrect reported disk space from HOME to windows clients
# windows dont report linux quotas, but report whole FS
#       get quota command = /usr/local/bin/query_quota.sh
# fixed by editing 'logon home' directive and [home] definition!!!!

# Login Options:
        logon script = netlogon.bat
#       logon home = \\%L\home\%U
        logon home = \\%L\home
        logon path = \\%L\profiles\%a
        logon drive = H:

# Winbind Options:
# not needed, as the winbind is for unix OS to recognize domain users and grps when account
# information is held on Windows server. With LDAP backend on Linux OS, unix OS already recognize
# the account the windows clients use
# template homedir = /home/%D/%U
# template shell = /bin/bash
# winbind use default domain = no


# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election

        local master = yes
        os level = 128
        preferred master = yes


#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable its WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

        wins support = yes

;       wins server = w.x.y.z
;       wins proxy = yes
;       dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

        load printers = yes
        cups options = raw
        printing = cups
        printcap name = cups

;       printcap name = /etc/printcap
# obtain list of printers automatically on SystemV
;       printcap name = lpstat

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). These options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;       map archive = no
;       map hidden = no
;       map read only = no
;       map system = no
;       store dos attributes = yes


#============================ Share Definitions ==============================
# admin users have administrative privileges on the share, they're able to do
# anything they like on the share, irrespective of file permissions
# NOTE!!:
# FS must be mounted with the mount option user_xattr in order for dos extended attributes to work
# eg. find out if user_xattr is used: 'tune2fs -l /dev/mapper/rootvg-homelv'
#
# NOTE: IPC$ is builtin share, its path is to whatever the environment
# variable TMPDIR is set to. If TMPDIR env variable is NOT set,
# then it defaults to /tmp

[home]
        comment = Home Directories
        path = /home/%U
        browseable = yes
        writable = yes
        map archive = no
        map hidden = no
        map read only = no
        map system = no
        store dos attributes = yes
        valid users = @users @admins
        admin users = droot, wroot
        veto oplock files = /*.PST/*.pst/

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = yes
        create mask = 0600
        printable = yes

[print$]
        comment = printer driver storage area
        path = /etc/samba/printer-drivers
        browseable = yes
        guest ok = yes
        read only = yes
        write list = @admins

#[MyDemoPrinter]
#     path = /var/spool/samba/
#     browseable = yes
#     printable = yes
#     printer name = Printername_in_backend

[IPC$]
        path = /tmp
#       hosts allow = 192.168.33. 127.0.0.1

[netlogon]
        comment = Network Logon Service
        path = /etc/samba/scripts/%g
        guest ok = yes
        write list = @admins

[profiles]
        path = /home/%U/windows_directory
        browseable = yes
        writeable = yes
        guest ok = yes
        read only = no
        create mask = 0600
        directory mask = 0700
        valid users = @users @admins @it @manage
        admin users = droot, wroot

[catlib_v5]
        comment = Catlib_v5
        path = /catlib_v5
        read only = yes
        public = yes
        browseable = yes
        write list = droot, wroot
        fake oplocks = yes
# Warning: 'fake oplocks' option only usable for read-only FS!! man smb.conf !!







On 10/15/2014 05:43 PM, Werf, C.G. van der (Carel) wrote:
Thanks for this explanation, but you can see that this confuses me more, since 
your suggestions contradict the settings suggested by Ray.

In a live file-server it is hardly an option to experiment with settings.
I'm just responding to level-3 log-messages ...

Carel
-----Original Message-----
From: Karel Lang AFD [mailto:[email protected]]
Sent: woensdag 15 oktober 2014 17:32
To: Ray Van Dolson; Werf, C.G. van der (Carel)
Cc: '[email protected]'
Subject: Re: Samba and Oplocks

Hi,
as far as i'm concerned (take this with grain of salt, i'm not a dev, just mere 
admin :])

locks - grant exclusive right to access to file for the process
(selfexplainable)

oplocks - if lock is granted, then samba server can grant to client oplock 
(opportunity lock) meaning that client (eg windows pc) can cache the file 
locally and do the changes to file only locally (which is as anyone can imagine 
is multiple times faster), if some other process want access the same file, 
oplock is removed and client has to flush changes done locally back to file 
share
result: leave always on (it is on by def.)

level2 oplocks - allow Windows clients that have an oplock on a file to 
downgrade from a read-write oplock to a read-only oplock once a second client 
opens the file
result: leave always on (on by def.)

kernel oplocks - this is a way the Linux grants oplocks - and not only Samba, it 
is always 'on' by default, it has to be in place, when file share is accessed from 
unix, same as from samba (windows) so eg. if your file share is shared through 
unix (NFS) and through Samba (Cifs) then linux kernel has to control balance 
between windows and unix => kernel oplocks yes always or you face corruption of 
files
if your file share is accessed only! and exclusively through Samba - then 
you can gain considerable speeds gain with 'kernel oplocks = no'
(disabled) (samba doesn't have to wait for kernel to say 'go')

posix locking - similar like kernel oplocks - again, propagate Samba locks to 
unix world, so again mandatory when eg. NFS / Samba access to one share

fake oplocks = can be used only! on 'r' (read only) file systems, Samba 
acts (or better said pretending) like the file is always accessed by only one 
process and grants the oplock to anyone who asks for the file - corruption can 
not happen, because FS is only *r*
this way on 'r' FS you again gain considerably, as file is always cached locally
example some share with libraries for app:
[lib_v5]
read only = yes
fake oplocks = yes


veto oplock files - this is for files that you dont want to be oplocked, 
meaning you dont want them be cached locally on client - example is eg.
placing MS outlook .pst files on netshared FS (which is not supported by MS in 
the first place) and in my experience this causes .pst corruption if more 
often, so i use it like:

[home]
path = /home/%U
veto oplock files = /*.PST/*.pst/


As resume, in my scenario i left most on default, because my shares are 
accessed by NFS and Samba at same time.
Yours might be different, so to disable kernel oplocks and posix locks might be 
an option. I dont see any benefit in disabling oplocks or
level2 oplocks generally for all files (i disabled them for .pst files because 
they're like database files and caching is not good for it).

hope this helps,

Karel


On 10/15/2014 03:07 PM, Ray Van Dolson wrote:
On Wed, Oct 15, 2014 at 08:50:06AM +0000, Werf, C.G. van der (Carel) wrote:
Hi All,

We are in the process of transferring our fileservers to a new
OS-version.

Installed latest OS 6.5 and the current Samba3-version, which is
Samba 3.6.9.  Data folders are on XFS filesystem. Data folders are
exported as NFS3-shares to an SSL-login server

Data folders are exported as Samba-shares to several different
clients: - windows7, ubuntu, SL6x, MacOSX

Now it seems that some of the windows7-clients see files as being
read-only because they seem to be locked.  I've read a lot of
different info about file locking in Samba, but information seems
very confusing.

So,my question is, considering the environment of mixed clients over
CIFS and NFS, what is the preferable Samba-setting for locks,
Kernel_oplocks, Oplocks etc ?

If anyone has a lot of samba experience, please share your thoughts
on this subject.

Regards,
Carel van der Werf

This has been discussed a few times on the Samba mailing list.

My recommendations are to disable oplocks and level2 oplocks
explicitly at the global level.

In some cases you'll want to disable posix locks at the share level.

Ray








--
*Karel Lang*
*Unix/Linux Administration*
[email protected] | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz
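
The locking rules stated in this thread (fake oplocks only on read-only shares; kernel oplocks and posix locking left on wherever a path is also served over NFS) can be checked against an smb.conf mechanically. The following is an added example, not code from any poster or from Samba: the function names, the sample config and the NFS export list are constructed, and the defaults it assumes are `read only = yes`, `fake oplocks = no`, `kernel oplocks = yes` and `posix locking = yes`.

```python
import re

TRUE = {"yes", "true", "1", "on"}
INVERSE_OF_READ_ONLY = {"writable", "writeable", "write ok"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, later lines win."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in INVERSE_OF_READ_ONLY:  # fold synonyms into 'read only'
                key, value = "read only", "no" if value.lower() in TRUE else "yes"
            section[key] = value
    return conf

def lint_locking(text, nfs_exports):
    """Flag shares that break the locking rules given in the thread."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    findings = []
    for name, share in conf.items():
        def on(param, default):  # share value, else [global], else assumed default
            return share.get(param, glob.get(param, default)).lower() in TRUE
        path = share.get("path", "").rstrip("/")
        on_nfs = any(path == e.rstrip("/") or path.startswith(e.rstrip("/") + "/")
                     for e in nfs_exports)
        if on("fake oplocks", "no") and not on("read only", "yes"):
            findings.append((name, "fake oplocks on a writable share"))
        for param in ("kernel oplocks", "posix locking"):
            if on_nfs and not on(param, "yes"):
                findings.append((name, param + " disabled on an NFS-exported path"))
    return findings

# Constructed sample, loosely modelled on the shares in this message.
SAMPLE = ("[global]\n kernel oplocks = no\n"
          "[home]\n path = /home/%U\n writable = yes\n"
          "[catlib_v5]\n path = /catlib_v5\n read only = yes\n fake oplocks = yes\n"
          "[scratch]\n path = /srv/scratch\n writeable = yes\n fake oplocks = yes\n")
NFS_EXPORTS = ["/home"]  # assumed list of paths that are also exported over NFS

if __name__ == "__main__":
    print(*lint_locking(SAMPLE, NFS_EXPORTS), sep="\n")
```

The export list has to come from the server's own NFS configuration; the script only compares path prefixes and does not resolve `%U`-style substitutions or symlinks.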
