Samba and symlinks

[Ram Set]

I currently have samba to point to a symlink in smb.conf
It’s pointing to an hourly backup /current folder

Example path in smb.conf

/mnt/sdb2/Backup/BACKUP1/current

While this works when samba is restarted, within the Network/samba config from the admint interface i always see mnt/sdb2/Backup/BACKUP1/backup-date

It does seem that the interface is following the symlink and it auto changes to whatever it was pointing at the time of samba start.

Isnt there away to actually force the interface to use only /current and not change the folder name from /current to whatever folder name is pointing at?

Even if i try to manually put it in undr he web settigns, uppon saving it’s updated ...

What's interesting is that smb.conf does not have the path of the share updated. It still points to /current

I'm running Alt-F 1.0

[João Cardoso]

On Monday, 19 March 2018 04:56:50 UTC, Ram Set wrote:

I currently have samba to point to a symlink in smb.conf
It’s pointing to an hourly backup /current folder

Example path in smb.conf

/mnt/sdb2/Backup/BACKUP1/current

While this works when samba is restarted, within the Network/samba config from the admint interface i always see mnt/sdb2/Backup/BACKUP1/backup-date

It does seem that the interface is following the symlink

Yes, the samba webUI displays the real folder the symlink points to.

I don't remember why it was make that way, perhaps to visually show to the user the real path?

[Ram Set]

The thing is that for some reason, samba itself points to that actual link despite smb.conf pointing the share to the "current" folder.

So the share actually works until a new update is performed and the folder name that the symlink points to, changes. 

Update info:

It seems to be affecting ONLY Windows. 

If the share itself is mapped, after a new backup is ran, it wont connect to it any more. It says access denied. However, trying the share from a linux box and even an IOS device, pulls up the content of that share (and it's up-to-date).

i'll try to dig some more info and post it here for future reference if i find a fix.

[Ram Set]

is there a way to run a command when a specific backup is complete?

let's say Backup 3...

it seems that if i restart samba, the issue resolves itself on windows ...

I re tried it on linux and that for some odd reason works. 

Here's the behavior:

Mapped network drive in Windows - After Backup process - Not working Entry in the log still calling the old path.

Mapped network drive in Ubuntu - After Backup - No issues

The IOS app has to be re-freshed and that pulls up the updated path.

I was wondering if i can run a samba restart after the backup is complete.

[Ram Set]

it turns out samba is creating a lock file under a pid when a device connects to the share,

Samba version 3.6.25

PID     Username      Group         Machine

-------------------------------------------------------------------

2247      share         users         mezel        (192.168.1.8)

Service      pid     machine       Connected at

-------------------------------------------------------

Store     2247   mezel         Wed Mar 21 14:56:39 2018

Locked files:

Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time

--------------------------------------------------------------------------------------------------

2247         1000       DENY_NONE  0x100080    RDONLY     NONE             /mnt/sdb2/Backup/MEZELBFG10KL_Store/2018-03-21_14-27-04   .   Wed Mar 21 14:56:40 2018

This locked pid actually serves that path to the machine that initially requested the connection.

when samba is restarted that locked file get's released. 

Or when the pid is killed.

i think i'll write crontab to run every minute and kill that pid if the path under is is different (stale) from the current one.

Any other ideas are welcome :)

LE:

I wrote this simple script and minute run it via crontab : 

#!/bin/sh

path1="/mnt/sdb2/Backup/MEZELBFG10KL_Store/"
path2="/mnt/sdb2/Backup/MEZELBFG10KL_Store/current/"
host="mezel"
pid="$(smbstatus | grep $host | sed '1!d' | sed 's/ .*//')"
lockfolder="$(smbstatus | grep $path1 | sed '1!d' | sed 's/^.*\(\/mnt.*.\).*$/\1/' | sed 's/ .*//')"
currentfolder="$(readlink -f $path2)"

# control
#echo "Pid: $pid"
#echo "Lock Folder = $lockfolder"
#echo "Current folder = $currentfolder"

#check for valid locked path
if [ -z "$lockfolder" ]; then
        echo "No lock path string - Exiting"
        exit 0
else
        #path comparison
        if [ "$lockfolder" == "$currentfolder" ]; then
        echo "Identical paths - All good"
        else
                #different paths? Kill the PID with old path
                kill $pid
                echo "Path was stale - PID killed"
        fi
fi

I think it's a lot cleaner than killing and restarting samba - from an existing connection to different shares perspective since those shares will not be affected.

if anyone needs this, remember to change the paths and the host to your situation.

[Ram Set]

The above script only kills the connection for the "host". 

All the other devices connected to the share/shares, stay active.

If one has more than one windows PC with this issue, the code needs to be adapted for more hosts.

[João Cardoso]

There are some info regarding that on the manual page, that I don't know if it applies to your use case:

       follow symlinks (S)

           This parameter allows the Samba administrator to stop smbd(8) from following

           symbolic links in a particular share. Setting this parameter to no prevents any

           file or directory that is a symbolic link from being followed (the user will

           get an error). This option is very useful to stop users from adding a symbolic

           link to /etc/passwd in their home directory for instance. However it will slow

           filename lookups down slightly.

           This option is enabled (i.e.  smbd will follow symbolic links) by default.

           Default: follow symlinks = yes

...

      allow insecure wide links (G)

           In normal operation the option wide links which allows the server to follow

           symlinks outside of a share path is automatically disabled when unix extensions

           are enabled on a Samba server. This is done for security purposes to prevent

           UNIX clients creating symlinks to areas of the server file system that the

           administrator does not wish to export.

           Setting allow insecure wide links to true disables the link between these two

           parameters, removing this protection and allowing a site to configure the

           server to follow symlinks (by setting wide links to "true") even when unix

           extensions is turned on.

           If is not recommended to enable this option unless you fully understand the

           implications of allowing the server to follow symbolic links created by UNIX

           clients. For most normal Samba configurations this would be considered a

           security hole and setting this parameter is not recommended.

           This option was added at the request of sites who had deliberately set Samba up

           in this way and needed to continue supporting this functionality without having

           to patch the Samba code.

           Default: allow insecure wide links = no

and several questions regarding following or not following symlinks.

When you hit Submit in the samba webUI, the running samba is notified that its configuration file has changed using 'rcsmb reload' (in the log: Reloading services after SIGHUP), but if the server sees no changes, probably it will do nothing.

If you want the webUI to not follow symlinks, look at line 144 in /usr/www/cgi-bin/smb.cgi

[Ram Set]

I did set-up samba to follow symlinks and it does work, however a samba pid stays locked with the old path, even when i SIGHUP the pid with the locked path (no change in path).

I'm fine with it (killing the pid) but one drawback is that any share that's opened from that machine falls under the same pid, thus killing all the current connections from that 1 machine.

It does not affect any other machines since all incoming connections to samba seem to get a different pid for each IP:

Samba version 3.6.25
PID     Username      Group         Machine
-------------------------------------------------------------------

3610      blah         users         mezel        (192.168.1.8)
551       blah         users         mezelbfg10kl (192.168.1.26)

Service      pid     machine       Connected at
-------------------------------------------------------

Store     3610   mezel         Tue Mar 27 10:31:24 2018
Store     551   mezelbfg10kl  Tue Mar 27 11:17:31 2018
IPC$         549   mezelbfg10kl  Tue Mar 27 11:17:29 2018
Storage      3610   mezel         Mon Mar 26 11:18:52 2018

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------

3610         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/sdb2/Backup/MEZELBFG10KL_Store/2018-03-27_10-00-03   .   Tue Mar 27 10:31:24 2018
3610         1000       DENY_NONE  0x1000a0    RDONLY     NONE             /mnt/sdb2/Backup/MEZELBFG10KL_Store/2018-03-27_10-00-03   .   Tue Mar 27 11:02:22 2018
3610         1000       DENY_NONE  0x1000a0    RDONLY     NONE             /mnt/sda2/storage   .   Tue Mar 27 11:13:33 2018
3610         1000       DENY_NONE  0x100081    RDONLY     NONE             /mnt/sda2/storage   .   Tue Mar 27 11:00:40 2018

What's really strange is that the locked files and the afferent pids only seem to originate and appear from windows based connections.

From linux they don't seem to appear on linux originating inbound connections (as in I can access that share from linux and browse within it's contents and a locked file never gets created for that)

 

[Ram Set]

I thought I found the issue, related to SMB2, oplocks and windows environment.

I disabled smb2 in the nas and on the windows machine.

Locked pids were no longer an issue however windows does not seem to know how to request and update from the samba server when the (somewhere cached) path no longer matches (the cache). Tries several registry edits, forgot how many and where. It just spits out a "access denied" and that's that.

I give up on trying to fix this whole winblows/samba issue. I'm back to pid killing (for now - it does suck when movies are streamed from that nas onto the windows machine. Killing the locked path pid actually kills the whole stuff for that windows machine).