SMB access issues

This topic describes how to analyze and resolve SMB access issues.

Analyzing SMB access issues

The most common issue with ACLs is getting an unexpected Access Denied message. Check the following points:

  1. ID Mapping: Check whether a user that gets an Access Denied message, has proper ID mappings:
    • Username <-> user SID <-> uid
    • Primary group name <-> group SID <-> gid
    • And the same for all other groups the user must be in.
  2. Export ACLs: Check whether the share allows access for the logged in user by using the MMC tool or the mmsmb exportacl command.
  3. File system object ACLs: Use the Windows Explorer ACL dialog or use the mmgetacl command to make sure the correct ACLs are in place on all components in the path.
  4. Make sure that the READ_ATTR is set correctly on the folders to be traversed.
  5. Make sure that even when the READ_NAMED and WRITE_NAMED are not enforced by the file system, the SMB server enforces them.
  6. Export settings: Check the export settings by running mmsmb export list --all so that export options like read only = no or available = no do not restrict access.
  7. Make sure your clients try to negotiate a supported protocol level.
  8. For smbclient: Make sure the option -m SMB2 is used and supported by your version of smbclient (smbclient -L localhost -U<user>%<password> -m SMB2).
  9. Windows XP, Windows Server 2003 and older Windows versions are not supported because they support only SMB1.
  10. For the Linux® kernel client, make sure you check the version option to use smb2.
Note: For known issues in the Linux kernel client, see the documentation for your Linux distribution.

If the root cause cannot be narrowed down, then the following steps help to do a detailed analysis.

  1. Provide exact information about what happened.
  2. Provide screen captures of Windows ACL dialogs.
  3. Provide the output of mmgetacl for all files and folders that are related to the ACL or permission problem.
  4. You can force reconnect by stopping the smbd process that serves that connection.
  5. Describe how the user mounted the export.
  6. List all users and groups that are in the test along with their memberships.
  7. Collect export information by running: mmsmb export list --all.
  8. Provide the version of Windows used for each client.
  9. Provide a Samba level 10 trace for the test by running the mmprotocoltrace tool command.
  10. Provide IBM Storage Scale traces for the test by running the mmtracectl --start and --stop command.
  11. Collect the network trace of the re-create by running the mmprotocoltrace command.

Resolving SMB access issues

Check the health status of all protocol nodes as incoming SMB connections can be handled by any protocol node. The health status of all protocol nodes can be checked by using the following command:

mmhealth node show -N CesNodes

If GPFS, network, or file system are reported as DEGRADED, then investigate the issue and fix the problem. In addition, you can also check the /var/adm/ras/log.smbd log file on all protocol nodes.

An entry of vfs_gpfs_connect: SMB share fs1, path /ibm/fs1 not in GPFS file system. statfs magic: 0x58465342 in the log file indicates that the SMB share path does not point to a GPFS file system or that the file system is not mounted. If the file system is not mounted, then you must mount the file system again on the affected nodes.