epoch1970
Posts: 8577
Joined: Thu May 05, 2016 9:33 am
Location: France

Samba, trying to question the doxa

Fri Dec 01, 2023 11:06 am

Modern Mac computers look ever more like iPads, don’t care to support NFS and one day will ditch AFP. SMB is the chosen one.

I’m looking at a physical server that works for multiple tenants, i.e. VLAN, IP network, VMs/containers for each tenant (including a Netatalk server container.) The physical server fetches data from a single pool that internally exports via NFS to each tenant network and VMs/containers.

In the end, the physical server runs multiple instances of file servers, of simple and similar configurations, each isolated to a network. There are no ACLs for file management of any sort, and just one or two system users specific to the tenant.

Now, I’m contemplating moving to SMB, hence Samba. I’ve been looking at the web and even trying to discuss things with chatGPT, but my current understanding is that Samba is used the other way around: one single server, a complex configuration, plenty of individual users and probably file ACLs.

I’m not too fond of monoliths, and this is not at all an AD / Enterprise IT environment. I would like to know if multiple instances of Samba is a design pattern that’s valid, if not popular?

Thanks in advance!
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

hortimech
Posts: 914
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba, trying to question the doxa

Fri Dec 01, 2023 12:43 pm

From my understanding, netatalk is AFP and Apple no longer supports it.

Your other problem that you haven't mentioned is the bad implementation of SMB that Apple uses, it isn't Samba.

You can run Samba as individual servers, it is known as 'standalone server', which is okay, provided the number of users and computers doesn't get too large, about a dozen users is manageable, but after that, it gets hard. Want to change a user's password, then you have to change it on every computer, this is why domains were created, central storage of users etc.
The original NT4-style domains were okay, but problems soon became apparent, which is why they were replaced with AD.

epoch1970
Posts: 8577
Joined: Thu May 05, 2016 9:33 am
Location: France

Re: Samba, trying to question the doxa

Fri Dec 01, 2023 7:16 pm

Thank you for that.

I don’t know if the SMB client in Mac is bad (yet), all I know is AAPL definitely dropped the ball on NFS and they keep saying AFP is deprecated…

A bunch of small servers is exactly the use case, here. I’m glad you say it’s a possibility.
One of the 1st things I did was to look for an official Samba project image in Docker Hub, which I didn’t find, to my surprise. Then I started reading, and got lost in a forest more than anything else…

I think I’ll try giving a go at a lightweight smbd container.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

hortimech
Posts: 914
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba, trying to question the doxa

Sat Dec 02, 2023 9:28 am

epoch1970 wrote:
Fri Dec 01, 2023 7:16 pm

I don’t know if the SMB client in Mac is bad (yet), all I know is AAPL definitely dropped the ball on NFS and they keep saying AFP is deprecated…

A bunch of small servers is exactly the use case, here. I’m glad you say it’s a possibility.
One of the 1st things I did was to look for an official Samba project image in Docker Hub, which I didn’t find, to my surprise. Then I started reading, and got lost in a forest more than anything else…

I think I’ll try giving a go at a lightweight smbd container.
Samba had to write a few VFS add-ons to work with the Apple OS, their smb is nowhere near as good as Samba.
Samba just provides the code to compile, nothing else, it is up to others to package it.
You could try reading this:
https://wiki.samba.org/index.php/Settin ... one_Server

swampdog
Posts: 1238
Joined: Fri Dec 04, 2015 11:22 am

Re: Samba, trying to question the doxa

Sun Dec 03, 2023 4:54 pm

Fwiw and nothing to do with apple (of which I know nothing)..

I have two smb servers. Not intentional. Box "smb" used to be a VM but (reasons) got translated into a physical HP server. This tied it to the size of its raid. Then, during an emergency, part of the backup HP server got allocated as "smb1" and the resources never released. Time passes. I start to retire. I'm left with this mess. Some windoze boxes come up expecting "smb", others expecting "smb1". You'd think it would be easy simply to add a CNAME to DNS but weird stuff can happen let alone windoze itself balking over moving files "smb<->smb1".

So. One single (linux) smb server. Make it a VM. Use LVM as the underlying filesystem so capacity can be changed.

That's assuming M$ don't keep fiddling with the protocol. If you want to do "work" use another protocol. All I use smb for is for accessing files common to windoze/linux (as opposed to editing them much).

hortimech
Posts: 914
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba, trying to question the doxa

Sun Dec 03, 2023 7:29 pm

swampdog wrote:
Sun Dec 03, 2023 4:54 pm
Fwiw and nothing to do with apple (of which I know nothing)..

I have two smb servers. Not intentional. Box "smb" used to be a VM but (reasons) got translated into a physical HP server. This tied it to the size of its raid. Then, during an emergency, part of the backup HP server got allocated as "smb1" and the resources never released. Time passes. I start to retire. I'm left with this mess. Some windoze boxes come up expecting "smb", others expecting "smb1". You'd think it would be easy simply to add a CNAME to DNS but weird stuff can happen let alone windoze itself balking over moving files "smb<->smb1".

So. One single (linux) smb server. Make it a VM. Use LVM as the underlying filesystem so capacity can be changed.

That's assuming M$ don't keep fiddling with the protocol. If you want to do "work" use another protocol. All I use smb for is for accessing files common to windoze/linux (as opposed to editing them much).
Sorry to be the bearer of bad news, but Microsoft is now trying to totally remove NTLM.
The SMB protocol comes in three versions, SMBv1, SMBv2 and SMBv3. SMBv1 is very insecure and is now deprecated. SMBv2 no longer uses Network Browsing and uses Network Discovery instead. SMBv3 is based on SMBv2 with a lot of improvements/updates.

swampdog
Posts: 1238
Joined: Fri Dec 04, 2015 11:22 am

Re: Samba, trying to question the doxa

Sun Dec 03, 2023 9:33 pm

hortimech wrote:
Sun Dec 03, 2023 7:29 pm
swampdog wrote:
Sun Dec 03, 2023 4:54 pm
Fwiw and nothing to do with apple (of which I know nothing)..

I have two smb servers. Not intentional. Box "smb" used to be a VM but (reasons) got translated into a physical HP server. This tied it to the size of its raid. Then, during an emergency, part of the backup HP server got allocated as "smb1" and the resources never released. Time passes. I start to retire. I'm left with this mess. Some windoze boxes come up expecting "smb", others expecting "smb1". You'd think it would be easy simply to add a CNAME to DNS but weird stuff can happen let alone windoze itself balking over moving files "smb<->smb1".

So. One single (linux) smb server. Make it a VM. Use LVM as the underlying filesystem so capacity can be changed.

That's assuming M$ don't keep fiddling with the protocol. If you want to do "work" use another protocol. All I use smb for is for accessing files common to windoze/linux (as opposed to editing them much).
Sorry to be the bearer of bad news, but Microsoft is now trying to totally remove NTLM.
The SMB protocol comes in three versions, SMBv1, SMBv2 and SMBv3. SMBv1 is very insecure and is now deprecated. SMBv2 no longer uses Network Browsing and uses Network Discovery instead. SMBv3 is based on SMBv2 with a lot of improvements/updates.
I use v1 internally. It worked fine until I tried (via win10) to move a load of stuff to a temporary "smb2". That failed. It left stuff behind. Moved what was moved back. Still getting random permission issues. It's almost like M$ wrote some code to randomly change the permissions on some files when smb1 is being used.

thagrol
Posts: 11001
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK

Re: Samba, trying to question the doxa

Mon Dec 04, 2023 1:01 am

swampdog wrote:
Sun Dec 03, 2023 4:54 pm
I have two smb servers.
Depending on how you define "smb server" I have more than that and I don't believe that's particularly unique on a SOHO network. Every windows box that shares a directory/folder over SMB is a server. Every Linux box, Mac, or cell phone that does the same is a server.

A machine doesn't have to be running Samba, AD, or be part of a domain to be an "smb server".
Knowledge, skills, & experience have value. If you expect to profit from someone's you should expect to pay for them.

All advice given is based on my experience. It worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides

hortimech
Posts: 914
Joined: Wed Apr 08, 2015 5:52 pm

Re: Samba, trying to question the doxa

Mon Dec 04, 2023 10:02 am

swampdog wrote:
Sun Dec 03, 2023 9:33 pm
I use v1 internally. It worked fine until I tried (via win10) to move a load of stuff to a temporary "smb2". That failed. It left stuff behind. Moved what was moved back. Still getting random permission issues. It's almost like M$ wrote some code to randomly change the permissions on some files when smb1 is being used.
Without knowing just how you moved the 'stuff', I cannot really comment, except it is possible that the 'user' you used didn't have the permissions to move the 'stuff' that didn't move.

You really should stop using SMBv1, it is deprecated by both Microsoft and Samba. There is ongoing work to get Samba to fully use SMBv2/3 and once this is finished, it is highly likely Samba will remove SMBv1, though they could be beaten to that by Microsoft.

To be concise, SMBv1 will go away, it is in its last death throes, please do not be the user that asks 'I am using SMBv1, but I can no longer connect to my data'.
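
An added example (not part of any post in this thread, and not Samba project code): a small Python check for the setup discussed above, several standalone smbd instances with one smb.conf per tenant. It flags instances that still allow SMBv1 or are not bound to their own interface; the tenant names, addresses and the `audit` helper are assumptions, while the parameter names are real smb.conf options.

```python
# Protocol levels accepted by smb.conf, oldest first; NT1 and below are SMBv1-era.
LEVELS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
          "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
SYNONYMS = {"minprotocol": "serverminprotocol"}

def global_params(text):
    """Parse [global]; names are lowercased with whitespace removed, as Samba compares them."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()
            params[SYNONYMS.get(key, key)] = value.strip()
    return params

def audit(instances):
    """instances maps a tenant name to its smb.conf text; returns {tenant: [findings]}."""
    findings, seen = {}, {}  # seen: interface entry -> first tenant that listed it
    for name, text in instances.items():
        g, out = global_params(text), []
        proto = g.get("serverminprotocol", "").upper()
        proto = ALIASES.get(proto, proto)
        if not proto:
            out.append("server min protocol not pinned")
        elif proto not in LEVELS:
            out.append(f"unknown protocol level {proto}")
        elif LEVELS.index(proto) < LEVELS.index("SMB2_02"):
            out.append(f"SMBv1 allowed (server min protocol = {proto})")
        ifaces = g.get("interfaces", "").split()
        bound = g.get("bindinterfacesonly", "no").lower() in ("yes", "true", "1")
        if not (bound and ifaces):
            out.append("not bound to tenant interface only")
        for iface in ifaces:
            if iface in seen:
                out.append(f"interface {iface} also used by {seen[iface]}")
            seen.setdefault(iface, name)
        findings[name] = out
    return findings

# Constructed sample: three per-tenant configs (names and addresses are made up).
SAMPLE = {
    "tenant-a": "[global]\n server role = standalone server\n interfaces = 10.10.1.2/24\n"
                " bind interfaces only = yes\n server min protocol = SMB2\n",
    "tenant-b": "[global]\n interfaces = 10.10.1.2/24\n bind interfaces only = yes\n"
                " min protocol = NT1\n",
    "tenant-c": "[global]\n interfaces = 10.10.3.2/24\n",
}

if __name__ == "__main__":
    for tenant, issues in audit(SAMPLE).items():
        print(tenant, issues or "ok")
```

An unset `server min protocol` is reported rather than assumed safe, because the effective default depends on the Samba version each instance runs.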

swampdog
Posts: 1238
Joined: Fri Dec 04, 2015 11:22 am

Re: Samba, trying to question the doxa

Tue Dec 05, 2023 7:15 pm

thagrol wrote:
Mon Dec 04, 2023 1:01 am
swampdog wrote:
Sun Dec 03, 2023 4:54 pm
I have two smb servers.
Depending on how you define "smb server" I have more than that and I don't believe that's particularly unique on a SOHO network. Every windows box that shares a directory/folder over SMB is a server. Every Linux box, Mac, or cell phone that does the same is a server.

A machine doesn't have to be running Samba, AD, or be part of a domain to be an "smb server".
Two HP servers. They both have samba on them (as well as NFS and ISCSI). I'm slowly changing things so they'll be the only spinning rust(*) left one day. I don't count windoze, unless of course I want to wind myself up by remembering win10 habitually remembers share credentials even though I told it not to!

(*) except an rpi with an assortment of old disks but that project is on hold.

swampdog
Posts: 1238
Joined: Fri Dec 04, 2015 11:22 am

Re: Samba, trying to question the doxa

Tue Dec 05, 2023 7:49 pm

hortimech wrote:
Mon Dec 04, 2023 10:02 am
swampdog wrote:
Sun Dec 03, 2023 9:33 pm
I use v1 internally. It worked fine until I tried (via win10) to move a load of stuff to a temporary "smb2". That failed. It left stuff behind. Moved what was moved back. Still getting random permission issues. It's almost like M$ wrote some code to randomly change the permissions on some files when smb1 is being used.
Without knowing just how you moved the 'stuff', I cannot really comment, except it is possible that the 'user' you used didn't have the permissions to move the 'stuff' that didn't move.

You really should stop using SMBv1, it is deprecated by both Microsoft and Samba. There is ongoing work to get Samba to fully use SMBv2/3 and once this is finished, it is highly likely Samba will remove SMBv1, though they could be beaten to that by Microsoft.

To be concise, SMBv1 will go away, it is in its last death throes, please do not be the user that asks 'I am using SMBv1, but I can no longer connect to my data'.
I'm stuck with SMBv1 because once in a while I have to activate old virtual machines.

It's not a complex setup. Both HP servers have user "Administrator" (full permissions). User "smb" can only read. Both belong to an "smb" group with a TURNIP workgroup. It used to be more complex because both HP servers ran centos with SELINUX. I upgraded them to debian and now there's not even SELINUX.

As mentioned in the reply above - win10 randomly remembers share credentials. It's bad enough it remembering "smb:smb" but if I have to do admin on win10 and use "Administrator:smb" it might remember that. The problem will fade away over time. The main reason to be "Administrator:smb" on win10 is for cygwin. After long & faithful service it needs to be replaced - WSL isn't going away like its SFL predecessor.

bls
Posts: 3600
Joined: Mon Oct 22, 2018 11:25 pm
Location: Seattle, WA

Re: Samba, trying to question the doxa

Tue Dec 05, 2023 9:03 pm

swampdog wrote:
Tue Dec 05, 2023 7:49 pm

As mentioned in the reply above - win10 randomly remembers share credentials. It's bad enough it remembering "smb:smb" but if I have to do admin on win10 and use "Administrator:smb" it might remember that. The problem will fade away over time. The main reason to be "Administrator:smb" on win10 is for cygwin. After long & faithful service it needs to be replaced - WSL isn't going away like its SFL predecessor.
Not sure if this works on Windows Home, but on Windows Pro, if you run control.exe and select "Credential Manager" and then "Windows Credentials", you can set hostname/username/password for remote servers.

This is the first thing I do on a new Windows system (although not doing much of that these days)

Connecting to my SMB servers Just Works using the username/password that I want it to.

Oh, and this is also where you can delete saved credentials.
Pi tools:
Quickly and easily build customized exactly as-you-want SSDs/SD Cards: https://github.com/gitbls/sdm
Easily run and manage your network's DHCP/DNS servers on a Pi: https://github.com/gitbls/ndm
Easy and secure IPSEC/IKEV2 VPN installer/manager: https://github.com/gitbls/pistrong
Lightweight Virtual VNC Config: https://github.com/gitbls/RPiVNCHowTo

swampdog
Posts: 1238
Joined: Fri Dec 04, 2015 11:22 am

Re: Samba, trying to question the doxa

Sat Dec 09, 2023 11:38 am

bls wrote:
Tue Dec 05, 2023 9:03 pm
swampdog wrote:
Tue Dec 05, 2023 7:49 pm

As mentioned in the reply above - win10 randomly remembers share credentials. It's bad enough it remembering "smb:smb" but if I have to do admin on win10 and use "Administrator:smb" it might remember that. The problem will fade away over time. The main reason to be "Administrator:smb" on win10 is for cygwin. After long & faithful service it needs to be replaced - WSL isn't going away like its SFL predecessor.
Not sure if this works on Windows Home, but on Windows Pro, if you run control.exe and select "Credential Manager" and then "Windows Credentials", you can set hostname/username/password for remote servers.

This is the first thing I do on a new Windows system (although not doing much of that these days)

Connecting to my SMB servers Just Works using the username/password that I want it to.

Oh, and this is also where you can delete saved credentials.
Loads of off-topic waffle ;-)

Both mine and my wife's machines are dual boot (win10/mint) and both are win10 pro. Hers is registered. Mine is not. Hers dual boots the old fashioned way (off a single disk via a grub menu entry) whereas mine requires me to select the windoze disk from the uefi boot menu. Both win10's have a second admin user which can be used to log in if the main account gets corrupted. Her box was shop installed. My win10 originally was registered but via the upgrade(*) path: it ended up with two M$ reserved partitions, both of which were required for it to boot. When I heard win10 could be run unregistered that's what I did for my win10 (fresh install). I only use it for skyrim. I don't game that much and most will work under linux/steam/proton. Fwiw, so will skyrim: it's the mod manager etc which will not.

The two installations could not be more different. Both suffer from randomly remembering credentials though. I can tell my win10 to forget as you suggest and it mostly will. Neither has mapped drives. Both require the user to type in the full share path into the search box then fill in the credentials. I do this under my win10 primarily for cygwin updates. Typically reboot. Once in a while I can click on the cygwin "setup.exe" to discover it runs (the exe is on //smb/PUBLIC/app/) without asking for credentials after a reboot. My wife's win10 will more regularly remember credentials. I first noticed this behaviour when my wife's antivirus quarantined a load of cygwin download files. I fudged that by moving the cygwin stuff from an "Administrator:smb" share to /PUBLIC/ (which "smb:smb" can write to) which was kinda handy at the time as /PUBLIC/ was where I pointed guests with their phones.

Interesting factoid: I was able to register XP as recently as a year or two ago.
(*) I've purchased every copy of windoze from NT4 workstation (and NT4 server) up until 2003 server (volume licence). I made the mistake of buying an XP to win7 upgrade which I then upgraded to win10 which left me with the above pair of reserved partitions. I could not get it to move from ssd to nvme. Neither did I want windoze polluting my linux disks any more. Being stubborn, and very annoyed at spending so much over the years on defunct products, I dug out my original XP cd with the intention of creating a virtual machine, upgrading it to win7 then win10. The XP key no longer worked (would not activate). Had a few beers then just for the lulz, called that ancient UK M$ activation phone number. Incredibly, that was still limping along and got XP activated. Hurrah! ..until I realised my newly activated XP doesn't understand scsi disks. Then I remembered I had used w2k(**) to create a slipstream installation XP disk (that did understand scsi). Even if I could find a w2k backup and even if I could create a VM from it, why the hell am I doing this to regain a product key I already paid for? Unregistered win10 it is.

Back on topic:
My PC is definitely win11 compatible yet M$ have told me it isn't (until recent months). I had put this down to my win10 being unregistered. My wife's previous PC was always compatible (despite having no TPM) so the M$ check tool is useless. Her current PC keeps pestering her to upgrade. One thing can be sure, win11 is going to like smbv1 even less than win10 does. I'm going to have to get her to win11 by installing it from scratch. It's not samba which is the stumbling block. I can simply undo some config settings. The problem is the massive amount of data which needs to be backed up prior to letting win11 near my network.

(**) w2k was the best windoze imo.

The long term plan is that if I leave the problem long enough, it will go away. WSL and something like sshfs/nfs/iscsi can take over. My samba is after all, only a mechanism to allow both OS to share files.
