
Server Message Block (SMB) Client Filesystem on AIX

By SRINIVAS GUNDURAO posted Tue January 11, 2022 04:46 AM

  
1. Introduction

The SMB client file system is based on the SMB protocol version 2.1 and version 3.0.2. You can use the SMB client file system to access files on an SMB server.

The SMB server is a server that runs Windows Server 2012, Windows Server 2016, or Windows Server 2019 operating system. In each of these server operating system types, a directory can be exported as a share. This share can then be mounted on an AIX® logical partition by using the SMB client file system. By using the SMB client file system, you can access the shares on SMB servers as local file systems on the AIX logical partition. You can use the SMB client file system to create, delete, read, and write files and directories on the SMB server and also to modify the access duration to these files and directories. However, you cannot change the owner or access permission of these files and directories.

More information about SMBC on AIX can be found at:
https://www.ibm.com/docs/en/aix/7.2?topic=protocol-server-message-block-smb-client-file-system

2. SMBC Release Updates
This stanza will be updated whenever a new SMBC version for AIX is released.

The following new versions of the SMBC fileset are released on the web (https://www-01.ibm.com/marketing/iwm/iwm/web/dispatcher.do?source=aixbp). Check the 'Changelog' for more information on the changes.

7.1.302.6 for AIX 7.1
7.2.302.6 for AIX 7.2 and later releases

Release History

| SMBC Release | AIX Release supported | Date of the release | Currently active or not |
|---|---|---|---|
| 7.2.302.6 | 7.2 and 7.3 | 12-16-2021 | Yes |
| 7.1.302.6 | 7.1 | 12-16-2021 | Yes |
| 7.1.302.4 | 7.1, 7.2 and 7.3 | 07-07-2021 | No |
| 7.1.302.3 | 7.1, 7.2 and 7.3 | 11-06-2020 | No |

3. Changelog
7.1.302.6 and 7.2.302.6
Following new features are added:
1. SMB 3.0.2 file name and directory name case-insensitivity.
2. SMB 3.0.2 support for Unicode (or Universal Coded Character Set) Transformation Format 8-bit (UTF-8).
3. SMIT support and automated /etc/filesystems updates through a new set of commands: mksmbcmnt, chsmbcmnt, rmsmbcmnt and lssmbcmnt.
4. SMB 3.0.2 support for the Live Update operation on AIX 7.2 and later (supported only in 7.2.302.6).
5. SMB 3.0.2 performance improvement of 'ls' command.

Following issues are fixed along with various other internally found issues:
- IJ33608: SMBC LOGS EXCESSIVE EAGAIN (ERRNO 11) MESSAGES
- IJ34579: SMBC MAY SOMETIMES FAIL TO WRITE TO A FILE
- IJ35856: SMBC MAY READ PAST THE END OF A FILE
- IJ30134: SMBC HANGS WHEN TRYING TO RENEW CREDENTIALS
- IJ32808: SMBC DELETED DIRECTORY MAY STILL BE LISTED
- IJ32908: SMBC MAY FAIL TO MOUNT SHARES DURING BOOT
- IJ32907: SMBC UPGRADE FAILS IN ALTROOT ENVIRONMENT

7.1.302.4
- IJ28517: commands hangs on SMB mounts
- IJ27282: SMBCD MAY DUMP CORE WHEN A SHARE IS RECONNECTING
- IJ29099: FILES ON SMBC MOUNTS MAY APPEAR LARGER THAN THEY ARE
- IJ29726: find command hangs with 300 mounts no IO
- IJ29471: SMBC SYMBOLIC LINKS USE A FORWARD SLASH INSTEAD OF A BACKSLASH
- IJ27282: smbcd dumps core
- IJ30362: SMBC HANGS IF THE SMB SERVER RETURNS STATUS_DELETE_PENDING
- smbc.rte de-installation failure
- SMB kernel extension unload may cause system crash sometimes

7.1.302.3
- IJ28811: SMB Data deduplication files are not listed on lookup
- SMB 3.0.2 support

4. Setting up SMBC on AIX

The instructions in this document make these assumptions.

  • The Kerberos server is Windows Server with Active Directory
  • Active Directory is already configured and has a domain for authenticating share users
  • Kerberos is not already installed and configured on AIX
  • The Kerberos Key Distribution Center (KDC) server is the same as the Kerberos admin server
  • There is only one Kerberos domain

The examples in this document use these values.

| Item | Value |
|---|---|
| Kerberos realm name | SMB_21.FVT |
| Kerberos domain name | xyz.com |
| Kerberos server name | llm140.xyz.com |
| Kerberos KDC | llm140.xyz.com |
| SMB share user name | cec102usr1 |

4.1.    Install and configure Kerberos on the AIX client

Download the latest Kerberos filesets at https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp, currently 1.16.1.1.  The offering name is “IBM Network Authentication Service for AIX”.

Install all the filesets in the tar file except for krb5.server.  After installation, verify the filesets are at the correct level.


Run the mkkrb5clnt command to configure Kerberos on AIX.

4.2.    Create the SMB share user on Windows

Skip this step if the share user already exists.

Start Server Manager and select “Active Directory Users and Computers” from the Tools menu.



In the “Active Directory Users and Computers” pane, select the appropriate folder under the Active Directory domain name, and click the “Create a new user in the current container” button.



In the “New Object – User” box, enter the user name in the “User login name” box.



Click Next.

Enter the user’s password in both boxes.  The maximum supported password length is 127 characters.  Uncheck the “User must change password at next login” box.  Check or uncheck the other boxes as desired.



Click Next.

Click Finish to create the user.


4.3.    Give the user access to the Windows share

In Server Manager, click on “File and Storage Services” in the left pane and then click “Shares”.

Select the share that the user will access.  Right click on the share and select “Properties”.  Click on Permissions in the left pane of the Properties box and then click the “Customize permissions” button.

Click the “Add” button.  In the “Permission Entry” box, click “Select a principal”.  Enter the user name in the “Enter the object name to select” box and click OK.


Back in the “Permission Entry” box, select the desired permissions and click OK.

Note:  in some environments, the user may need “Full control” permission to be able to mount the share.

4.4.    Install smbc.rte fileset on AIX

Download the latest smbc.rte fileset at https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp.  The offering name is “SMB CLIENT for AIX”. Select and download fileset ‘7.1.302.x’ for AIX 7.1 and ‘7.2.302.x’ for AIX 7.2 and above.

Install the smbc.rte fileset.  Run this command to verify that it installed correctly.


Note:  a reboot is required if a previous version of smbc.rte was already installed.

4.5.    Mount the share onto AIX

To mount the share onto AIX, use the mount command with the specified options.

mount -v smbc -n <server name>/<user name>/<user password> \
-o wrkgrp=<Kerberos realm name> <share name> <local mount point>

For example,

NOTE:  The value for the wrkgrp option is used for both the Kerberos realm name and the Active Directory domain name.  Although Active Directory domain names are not case sensitive, Kerberos realm names are, and they must always be specified in all upper-case letters.  Therefore, the wrkgrp option value must always be in all upper-case letters.

4.6.    Configure a share for automatic mounting at boot time

To manage the SMB client file system in the /etc/filesystems file, you can use the lssmbcmnt, mksmbcmnt, chsmbcmnt, and rmsmbcmnt commands. You can also add the SMB client file system entries manually.

Here is the process to do this manually. To mount a share automatically without specifying the password in plain text in /etc/filesystems, create an entry in the encrypted password cache file /etc/smbcred for the share user with the mksmbcred command.  The syntax is

mksmbcred -s <server_name> -u <user_name> [-p password]

For example,

If the password option is not specified, then a password prompt will appear.

Now add a stanza to /etc/filesystems for the share.  Here is an example.

You may also use the 'mksmbcmnt' command to do this. It is documented at: https://www.ibm.com/docs/en/ssw_aix_72/m_commands/mksmbcmnt.html

The share may now be mounted manually by simply referring to its mount point and, with the “mount = true” option, it will mount automatically at boot time.
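The following audit is an added example, not part of the original post or of smbc.rte. It scans an /etc/filesystems-style file for smbc stanzas that still carry a plain-text password or a wrkgrp value that is not upper-case. It assumes the nodename attribute uses the same server/user[/password] layout as the mount -n option shown in section 4.5; the function names, share name and sample password are constructed.

```shell
# Added example: flag risky smbc stanzas in an /etc/filesystems-style file.
# Assumption: nodename follows the mount -n layout server/user[/password].
audit_smbc_stanzas() {
    awk '
    function flush(   n, parts, w) {
        if (stanza != "" && vfs == "smbc") {
            n = split(node, parts, "/")
            if (n >= 3 && parts[3] != "")
                print stanza ": PLAINTEXT_PASSWORD in nodename (use mksmbcred)"
            w = opts
            if (w ~ /wrkgrp=/) {
                sub(/.*wrkgrp=/, "", w); sub(/[,"].*/, "", w)
                if (w != toupper(w))
                    print stanza ": WRKGRP_NOT_UPPERCASE (" w ")"
            }
        }
        stanza = ""; vfs = ""; node = ""; opts = ""
    }
    /^[*]/ { next }                       # comment lines start with *
    /^[^ \t].*:[ \t]*$/ {                 # stanza header such as "/mnt:"
        flush(); stanza = $0; sub(/:[ \t]*$/, "", stanza); next
    }
    /=/ {                                 # attribute line: key = value
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        gsub(/^"|"$/, "", val)
        if (key == "vfs") vfs = val
        else if (key == "nodename") node = val
        else if (key == "options") opts = val
    }
    END { flush() }
    ' "${1:--}"
}
# Constructed sample input (share name and password are made up).
sample_filesystems() {
cat <<'EOF'
/mnt/good:
        dev      = /example_share
        vfs      = smbc
        nodename = llm140.xyz.com/cec102usr1
        options  = "wrkgrp=SMB_21.FVT"
/mnt/bad:
        dev      = /example_share
        vfs      = smbc
        nodename = llm140.xyz.com/cec102usr1/Constructed-Passw0rd
        options  = "wrkgrp=smb_21.fvt"
EOF
}
```

Run `audit_smbc_stanzas /etc/filesystems` on the AIX client, or `sample_filesystems | audit_smbc_stanzas` to see the two findings for the constructed /mnt/bad stanza; the password itself is never printed.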

4.7.    Managing share user credentials on AIX

The commands mksmbcred, chsmbcred, rmsmbcred, and lssmbcred may be used respectively to create, change, remove, and list cached password entries in /etc/smbcred.  All these commands must be run as the root user. The documentation of these commands can be found in the following links:
https://www.ibm.com/docs/en/aix/7.2?topic=m-mksmbcred-command
https://www.ibm.com/docs/en/aix/7.2?topic=c-chsmbcred-command
https://www.ibm.com/docs/en/aix/7.2?topic=r-rmsmbcred-command
https://www.ibm.com/docs/en/aix/7.2?topic=l-lssmbcred-command


4.8.    Enable symbolic links on Windows (optional)

The smbc.rte client supports SMB symbolic links.  This option is not enabled by default in Windows.

To allow the share user to create symbolic links, press W+R and type “gpmc.msc” in the “Open” box.  Click OK.

Open the appropriate Active Directory domain in the left pane, open the “Group Policy Objects” folder and then select the appropriate policy—default domain or default domain controllers.  Right click on the policy and select “Edit…”.

In the Group Policy Management Editor, navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment.

Find the policy “Create symbolic links”, right click on it and select Properties.

In the Properties box, make sure “Define these policy settings” is checked.  Then click the “Add User or Group…” button.

Enter the share user name in the “User and group names” box and click OK.


4.9.    Enable SMB packet signing (optional)

By default, packet signing is enabled in Windows.  To check or change packet signing policies, press W+R and type “gpmc.msc” in the “Open” box.  Click OK.

Open the appropriate Active Directory domain in the left pane, open the “Group Policy Objects” folder and then select the appropriate policy—default domain or default domain controllers.  Right click on the policy and select “Edit…”.

In the Group Policy Management Editor, navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options.

In the “Policy” pane, find the policies “Microsoft network server: Digitally sign communications (always)” and “Microsoft network server: Digitally sign communications (if client agrees)” and set them as desired.  Note that defining the “(always)” policy setting as “Enabled” requires all clients to support and use packet signing.  The “(if client agrees)” policy, if enabled, allows clients to choose whether to use packet signing or not.  If both are enabled, “(always)” takes precedence. 

4.10.         Enable SMB packet encryption (optional)

By default, packet encryption is disabled in Windows.  To check or change packet encryption policies, follow the steps in the “Enable SMB Encryption” section of the following page:

https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-security

4.11.         Using SMIT interface

The SMIT interface can be used to perform the following tasks:

  • List the SMB client mount points
  • Display the SMB client tunable parameters
  • Configure the SMB client credentials
  • Add or mount an SMB client file system
  • Remove or unmount an SMB client file system
  • Change an SMB client file system

In the SMIT interface, go to Communications Applications and Services > SMB Client for AIX to access the SMB client file system options. You can also use the following SMIT fast path:

 smit smbc

5. ‘ls’ performance improvement

Changes were made in the SMB client file system code to improve the performance of the ‘ls’ command. This improvement depends on AIX kernel changes delivered through APAR IJ35417. To get the ‘ls’ performance improvement in the SMB client file system, upgrade to an AIX level that includes the changes from APAR IJ35417, or request an ifix for your level of AIX.


6. References

https://blogs.technet.microsoft.com/sbs/2014/02/21/deploying-windows-server-2012-r2-essentials-in-an-existing-active-directory-environment/

https://blogs.msdn.microsoft.com/openspecification/2009/04/10/smb-maximum-transmit-buffer-size-and-performance-tuning

https://support.microsoft.com/en-in/help/297684/mapped-drive-connection-to-network-share-may-be-lost

https://docs.microsoft.com/en-us/windows-server/administration/performance-tuning/role/file-server/smb-file-server

https://blogs.msdn.microsoft.com/openspecification/2013/03/19/cifs-and-smb-timeouts-in-windows/

https://blogs.msdn.microsoft.com/openspecification/2013/03/27/smb-2-x-and-smb-3-0-timeouts-in-windows/

https://docs.microsoft.com/en-gb/archive/blogs/openspecification/smb-2-and-smb-3-security-in-windows-10-the-anatomy-of-signing-and-cryptographic-keys

 

SMB client file system: https://www.ibm.com/support/knowledgecenter/ssw_aix_72/network/smbcfs.html
mount command: https://www.ibm.com/support/knowledgecenter/ssw_aix_72/m_commands/mount.html
smbcd Daemon: https://www.ibm.com/support/knowledgecenter/ssw_aix_72/s_commands/smbcd.html
smbcstat command: https://www.ibm.com/support/knowledgecenter/ssw_aix_72/s_commands/smbcstat.html
smbctune.conf file: https://www.ibm.com/support/knowledgecenter/ssw_aix_72/filesreference/smbctune.conf.html
smbctune command: https://www.ibm.com/support/knowledgecenter/ssw_aix_72/s_commands/smbctune.html

Troubleshooting smbc.rte: https://www.ibm.com/support/pages/node/1396083
