samba - Oct 2015 - widelinks_warning - but unix extensions *are* off

Hi all

Since we changed our installation from Samba 3.x to 4.x (currently 4.2.5 on
Solaris 11.1), we repeatedly encounter the following
'widelinks_warning', originating from Windows Server 2012 R2 RDS
clients:

[2015/10/29 15:50:38.837702,  0]
../source3/param/loadparm.c:4306(widelinks_warning)
  Share 'data' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.
[2015/10/29 15:50:38.838518,  0]
../source3/param/loadparm.c:4306(widelinks_warning)
  Share 'group' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.
[2015/10/29 15:50:38.839070,  0]
../source3/param/loadparm.c:4306(widelinks_warning)
  Share 'web' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.

The strange thing is: "unix extensions" *are* actually off. "wide
links" are on, since we use them for vfs_shadow_copy2 (but not on the
affected shares):

# testparm -sv 2>/dev/null |egrep 'wide links|unix extensions'
        unix extensions = No
        allow insecure wide links = No
        wide links = Yes

The affected shares (data, group, web) are distinct from "working"
ones, by the fact that "hide unreadable" is set to "Yes" on
the affected shares only. This is how the affected shares are configured:

[data]
        path = /pool1/data
        read only = No
        acl map full control = No
        ea support = Yes
        nt acl support = No
        hide unreadable = Yes
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = zfsacl full_audit

Unfortunately, we can't trigger the behaviour. It's all pretty fuzzy,
but maybe someone out there has an idea what's going on?

Best, Thomas

On Thu, Oct 29, 2015 at 05:27:49PM +0100, Thomas Werschlein
wrote:
> Hi all
> 
> Since we changed our installation from Samba 3.x to 4.x (currently 4.2.5 on
Solaris 11.1), we repeatedly encounter the following
'widelinks_warning', originating from Windows Server 2012 R2 RDS
clients:
> 
> [2015/10/29 15:50:38.837702,  0]
../source3/param/loadparm.c:4306(widelinks_warning)
>   Share 'data' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.
> [2015/10/29 15:50:38.838518,  0]
../source3/param/loadparm.c:4306(widelinks_warning)
>   Share 'group' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.
> [2015/10/29 15:50:38.839070,  0]
../source3/param/loadparm.c:4306(widelinks_warning)
>   Share 'web' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.
> 
> The strange thing is: "unix extensions" *are* actually off.
"wide links" are on, since we use them for vfs_shadow_copy2 (but not
on the affected shares):
> 
> # testparm -sv 2>/dev/null |egrep 'wide links|unix extensions'
>         unix extensions = No
>         allow insecure wide links = No
>         wide links = Yes
> 
> The affected shares (data, group, web) are distinct from
"working" ones, by the fact that "hide unreadable" is set to
"Yes" on the affected shares only. This is how the affected shares are
configured:
> 
> [data]
>         path = /pool1/data
>         read only = No
>         acl map full control = No
>         ea support = Yes
>         nt acl support = No
>         hide unreadable = Yes
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = zfsacl full_audit
> 
> Unfortunately, we can't trigger the behaviour. It's all pretty
fuzzy, but maybe someone out there has an idea what's going on?
That message is coming from here:

void widelinks_warning(int snum)
{
        if (lp_allow_insecure_wide_links()) {
                return;
        }

        if (lp_unix_extensions() && lp_wide_links(snum)) {
                DEBUG(0,("Share '%s' has wide links and unix
extensions enabled. "
                        "These parameters are incompatible. "
                        "Wide links will be disabled for this
share.\n",
                         lp_servicename(talloc_tos(), snum) ));
        }
}

so it's pretty simple. Both must be being seen to emit the message.
Can you get this reproducible ?

> On 29 Oct 2015, at 23:22, Jeremy Allison <jra at samba.org> wrote:
> 
> On Thu, Oct 29, 2015 at 05:27:49PM +0100, Thomas Werschlein wrote:
>> Hi all
>> 
>> Since we changed our installation from Samba 3.x to 4.x (currently
4.2.5 on Solaris 11.1), we repeatedly encounter the following
'widelinks_warning', originating from Windows Server 2012 R2 RDS
clients:
>> 
>> [2015/10/29 15:50:38.837702,  0]
../source3/param/loadparm.c:4306(widelinks_warning)
>>  Share 'data' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.
>> [2015/10/29 15:50:38.838518,  0]
../source3/param/loadparm.c:4306(widelinks_warning)
>>  Share 'group' has wide links and unix extensions enabled.
These parameters are incompatible. Wide links will be disabled for this share.
>> [2015/10/29 15:50:38.839070,  0]
../source3/param/loadparm.c:4306(widelinks_warning)
>>  Share 'web' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.
>> 
>> The strange thing is: "unix extensions" *are* actually off.
"wide links" are on, since we use them for vfs_shadow_copy2 (but not
on the affected shares):
>> 
>> # testparm -sv 2>/dev/null |egrep 'wide links|unix
extensions'
>>        unix extensions = No
>>        allow insecure wide links = No
>>        wide links = Yes
>> 
>> The affected shares (data, group, web) are distinct from
"working" ones, by the fact that "hide unreadable" is set to
"Yes" on the affected shares only. This is how the affected shares are
configured:
>> 
>> [data]
>>        path = /pool1/data
>>        read only = No
>>        acl map full control = No
>>        ea support = Yes
>>        nt acl support = No
>>        hide unreadable = Yes
>>        map archive = No
>>        map readonly = no
>>        store dos attributes = Yes
>>        vfs objects = zfsacl full_audit
>> 
>> Unfortunately, we can't trigger the behaviour. It's all pretty
fuzzy, but maybe someone out there has an idea what's going on?
> 
> That message is coming from here:
> 
> void widelinks_warning(int snum)
> {
>        if (lp_allow_insecure_wide_links()) {
>                return;
>        }
> 
>        if (lp_unix_extensions() && lp_wide_links(snum)) {
>                DEBUG(0,("Share '%s' has wide links and unix
extensions enabled. "
>                        "These parameters are incompatible. "
>                        "Wide links will be disabled for this
share.\n",
>                         lp_servicename(talloc_tos(), snum) ));
>        }
> }
> 
> so it's pretty simple. Both must be being seen to emit the message.
> Can you get this reproducible ?
I am aware of the code above. What I don't grasp is: what is turning on
"unix extensions", under what circumstances? I can access all the
affected shares from the same clients without triggering the warning (no
surprise, since "unix extensions" is globally turned off). So no, I am
not able to reproduce it.

I increased the log level, but since this is a pretty busy production system and
the warning appears every second day only, it was not feasible (at least I did
not find a way yet). But thanks for your pointer!