admin at ateamonsite.com
2009-Oct-13 00:21 UTC
[Samba] 2 questions: Linux filesystems that truly compare to NTFS / winbind causes Linux to lockup when connectivity to AD is lost
Hello samba gurus,

I have a couple of questions regarding Linux file systems and their ability to mimic NTFS, and the other question is regarding winbind and its uncanny ability to virtually lock up a Samba AD member server once connectivity to the AD is lost. I apologize if anyone gets annoyed by this question.

Environment: I am using Samba 3.2 with XFS+ACL support, joined as an AD domain member, and all UID/GIDs are using the winbind idmap backend.

First, XFS seemed to work well for me until it was discovered it has a limited number of ACLs that can be set in the file system (25!), and extended attribute support is kinda kludged in with the same space the ACLs take up, which can lead to all sorts of issues when dealing with inheritance and the importing of ACLs/EAs etc. from files stored on NTFS. Thus I feel that XFS is a somewhat poor FS to mimic NTFS.

My question: Is there any Linux file system out there that can compare accurately with NTFS? I want seemingly unlimited ACLs, EAs and stream support that can meet, if not exceed, the capabilities of NTFS. This is basically a requirement that is a deal breaker for me. Am I asking too much? What file systems do you use? How do they compare to NTFS? (Disclaimer: advice asking me to contribute to the development of a file system is moot as I am not a coder.)

Now, my other curiosity is the problem I am having with winbind. If I am joined to a domain with Samba on my test network and then I power off my domain controllers, winbind is still alive but I cannot log into my local terminal, I cannot SSH to the server, I cannot run commands such as 'man smb.conf' or 'ls' etc. until I kill winbind. It is very hard to recover from this and basically will render the system unusable. Let's say I mess up my DNS settings on my Linux box after being joined to the domain: then the problem can be even harder to fix, as the server is locked up, the AD domain is fine, and I can't log into the Linux box via SSH, local terminal etc. to fix the DNS settings! There are other scenarios I could imagine where this condition could occur, so this is a huge concern for me. I have played with the 'disable caching' option with winbind and that is not really a healthy solution to the issue. I am stuck with what decision is best here, as there seems to be no solution.

Thank you for your help, and keep up the good work!

Thanks,
Chill
Jeremy Allison
2009-Oct-13 21:14 UTC
[Samba] 2 questions: Linux filesystems that truly compare to NTFS / winbind causes Linux to lockup when connectivity to AD is lost
On Mon, Oct 12, 2009 at 06:21:07PM -0600, admin at ateamonsite.com wrote:
> First, XFS seems to work well for me until it was discovered it has a
> limited amount of ACLs that can be set in the file system, (25! ) and
> extended attribute support is kinda kludged in with the same space the ACLs
> take up, which can lead to all sorts of issues when dealing with
> inheritance and the importing of ACLs/EAs etc from files stored on NTFS.
> Thus I feel that XFS is somewhat poor FS to mimic NTFS.
> My question:
> Is there any Linux file system out there that can compare accurately with
> NTFS? I want seemingly unlimited ACLs, EAs and stream support that can
> meet, if not exceed the capabilities of NTFS.
> This is basically a requirement that is a deal breaker for me.
> Am I asking too much? What file systems do you use? How do they compare to
> NTFS?

No, there is currently no Linux filesystem with the NTFS semantics. I think ext4 might have larger EA support, but there is no Linux filesystem I know of with unlimited EAs and ACL support.

No Linux filesystem supports streams that I know of. Streams are a really bad idea. Ted Tso convinced me of this when he showed me a Windows machine running README.txt as a binary (containing a virus of course). Streams are pretty dangerous and mostly used to hide malware from admins.

Jeremy.
Szabolcs Szakacsits
2009-Oct-16 23:14 UTC
[Samba] 2 questions: Linux filesystems that truly compare to NTFS / winbind causes Linux to lockup when connectivity to AD is lost
admin at ateamonsite.com writes:
> First, XFS seems to work well for me until it was discovered it has a
> limited amount of ACLs that can be set in the file system, (25! ) and
> extended attribute support is kinda kludged in with the same space the ACLs
> take up, which can lead to all sorts of issues when dealing with
> inheritance and the importing of ACLs/EAs etc from files stored on NTFS.
> Thus I feel that XFS is somewhat poor FS to mimic NTFS.
> My question:
> Is there any Linux file system out there that can compare accurately with
> NTFS?

NTFS-3G has unlimited support for them (since version 2009.10.5-RC or using the advanced branch):

http://www.tuxera.com/community/ntfs-3g-advanced/extended-attributes/
http://www.tuxera.com/community/ntfs-3g-advanced/ownership-and-permissions/

However, most often we have to limit possibilities to the Windows NTFS level, otherwise Windows would BSOD.

Regards,
Szaka
Robert LeBlanc
2009-Oct-23 20:51 UTC
[Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)
On Fri, Oct 23, 2009 at 2:45 PM, Jeremy Allison <jra at samba.org> wrote:
> On Fri, Oct 23, 2009 at 02:34:45PM -0600, Robert LeBlanc wrote:
> > 3.4.2
>
> Ok, what does your smb.conf look like? What is the
> configured winbindd backend?

We have switched to hash for the increased flexibility. I have flushed the idmap cache and everything resolves perfectly when a DC is contactable.

#======================= Global Settings =======================
[global]
workgroup = byu
realm = BYU.LOCAL
preferred master = no
server string = %h server
dns proxy = no

#### Debugging/Accounting ####
log file = /cluster/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

####### Authentication #######
security = ADS
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

########## Printing ##########
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes

############ Misc ############
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# allow trusted domains = No
# idmap backend = rid:BYU=10000-100000000
# idmap config BYU:backend = rid
# idmap config BYU:range = 10000-100000000
# idmap uid = 10000-100000000
# idmap gid = 10000-100000000
idmap backend = hash
winbind nss info = hash
winbind use default domain = yes
winbind separator = +
winbind enum groups = no
winbind enum users = no
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
winbind refresh tickets = yes
# use kerberos keytab = yes
# kerberos method = system keytab # should work after bug is fixed
winbind offline logon = yes

#======================= Share Definitions =======================

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
admin at ateamonsite.com
2009-Oct-23 23:33 UTC
[Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)
Ok folks,

Got ya some log level 10 of this fun stuff.

Steps: First everything is normal. DCs are up. Log level 10 is set.
I run wbinfo -t
I run net ads info
I run net ads testjoin
Then I bring the DC down.

Now I run time getfacl /xymount/tera

HSA-PFX10101001:/var/log/samba # time getfacl /xymount/tera
getfacl: Removing leading '/' from absolute path names
# file: xymount/tera
# owner: root
# group: root
user::rwx
user:webadmin:rwx
group::r-x
group:webadmin:r-x
group:2000512:rwx
group:2000513:rwx
mask::rwx
other::r--
default:user::rwx
default:group::r-x
default:group:webadmin:r-x
default:group:2000512:rwx
default:group:2000513:rwx
default:mask::rwx
default:other::r--

real 29m10.058s
user 0m0.020s
sys 0m0.008s

Then I bring the DCs back up, then I run getfacl /xymount/tera again. All is well - winbind recovered after the DCs were back up. This must be because I'm on 3.4.2 now instead of 3.2.X or earlier, which would not recover quickly after the DCs were back.

LOGS here: ftp://djfuq.org/logs10.tar

Cheers,
-Clayton

> On Fri, 23 Oct 2009 14:51:03 -0600, Robert LeBlanc <robert at leblancnet.us> wrote:
>> On Fri, Oct 23, 2009 at 2:45 PM, Jeremy Allison <jra at samba.org> wrote:
>>> On Fri, Oct 23, 2009 at 02:34:45PM -0600, Robert LeBlanc wrote:
>>> > 3.4.2
>>>
>>> Ok, what does your smb.conf look like. What is the
>>> configured winbindd backend ?
>>
>> We have switched to hash for the increased flexibility. I have flushed the
>> idmap cache and everything resolves perfectly when a DC is contactable.
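An added check, not code from the thread or from the Samba project, written for the two symptoms discussed above: the 25-entry ACL ceiling the original poster reports for XFS, and the getfacl run that took 29 minutes and printed raw GIDs (group:2000512) while the DCs were down. It runs the same lookups the poster used (getent, wbinfo -p, wbinfo -t, all assumed to be on PATH; they report "missing" otherwise) under a hard timeout(1) budget, so a wedged winbindd cannot hang the shell doing the diagnosis, and it parses getfacl output to count entries per ACL and entries whose qualifier is still a bare number, which getfacl prints only when the name lookup returned nothing. The 25 figure is taken from the post, not verified against any particular XFS on-disk format; the sample ACL is the one posted above, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for the situation
# described above: (1) run name-service probes under a hard timeout so a
# wedged winbindd cannot hang the shell that is diagnosing it, and
# (2) inspect getfacl output for entries whose qualifier is still a bare
# number (an ID the name service could not map back to a name) and for
# how close the access ACL is to the 25-entry ceiling the original poster
# reports for XFS. The 25 figure is taken from the post; check your own
# filesystem's documentation before relying on it.

# Map an exit status from timeout(1) to a one-word verdict.
classify_exit() {
    case "$1" in
        0)   echo ok ;;
        124) echo hung ;;     # timeout(1) had to kill the command
        *)   echo failed ;;   # command finished but reported an error
    esac
}

# probe_lookup SECONDS cmd [args...] -> prints ok | failed | hung | missing
# Written to be safe under 'set -e': a non-zero status is captured, not fatal.
probe_lookup() {
    secs="$1"; shift
    command -v "$1" >/dev/null 2>&1 || { echo missing; return 0; }
    rc=0
    timeout "$secs" "$@" >/dev/null 2>&1 || rc=$?
    classify_exit "$rc"
}

# acl_stats: read getfacl(1) output on stdin, print three numbers:
#   <access entries> <default entries> <entries with a numeric qualifier>
# Comment lines ('# file:', '# owner:', ...) and blank lines are skipped.
# An entry such as 'group:2000512:rwx' counts as unresolved: getfacl prints
# the raw GID only when the name lookup (here, via winbind) returned nothing.
acl_stats() {
    access=0; default=0; unresolved=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;
        esac
        entry="$line"
        case "$line" in
            default:*) default=$((default + 1)); entry="${line#default:}" ;;
            *)         access=$((access + 1)) ;;
        esac
        # The qualifier is the text between the first and second colon;
        # it is empty for the owner, owning group, mask and other entries.
        qual="${entry#*:}"; qual="${qual%%:*}"
        case "$qual" in
            '')       ;;                              # no qualifier
            *[!0-9]*) ;;                              # resolved to a name
            *)        unresolved=$((unresolved + 1)) ;;
        esac
    done
    echo "$access $default $unresolved"
}

XFS_ACL_LIMIT=25   # per-file ACL entry ceiling reported in the original post

# The getfacl output from the post above, embedded so the check runs offline.
SAMPLE_ACL='# file: xymount/tera
# owner: root
# group: root
user::rwx
user:webadmin:rwx
group::r-x
group:webadmin:r-x
group:2000512:rwx
group:2000513:rwx
mask::rwx
other::r--
default:user::rwx
default:group::r-x
default:group:webadmin:r-x
default:group:2000512:rwx
default:group:2000513:rwx
default:mask::rwx
default:other::r--'

# Probe the same tools the poster used, but with a 5-second budget each.
# On a box without Samba installed they report "missing" rather than erroring.
for probe in "getent passwd root" "wbinfo -p" "wbinfo -t"; do
    printf '%-18s %s\n' "$probe" "$(probe_lookup 5 $probe)"
done

set -- $(printf '%s\n' "$SAMPLE_ACL" | acl_stats)
echo "access entries: $1, default entries: $2, unresolved IDs: $3"
[ "$3" -eq 0 ] || echo "warning: $3 ACL entries could not be resolved to names; winbind may not be answering"
[ "$1" -le "$XFS_ACL_LIMIT" ] || echo "warning: access ACL exceeds $XFS_ACL_LIMIT entries"
```

To check a live path instead of the embedded sample, pipe `getfacl /xymount/tera` into `acl_stats`, but run getfacl itself through `probe_lookup` first: on the poster's box the unguarded call blocked for 29 minutes, and a monitoring job without a timeout would have blocked with it.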