ZFS RAID NAS

brokenpromises · 01-25-2011, 03:20 PM

Hi All,

I'm in the process of building a ZFS NAS with 4 x 2TB disks, and am having difficulty setting up an OS.

- (Reasonably) easy to set up
- Support for Microsoft Active Directory integration
- GUI prefrable but not necessary (I will have non-command-line people who might need to administer the system)

Which OS is best? I was thinking Solaris 10 but that doesn't meet my last requirement. NAS OSes such as FreeNAS/Openfiler cannot be used because FreeNAS has no support for AD Integration, and Openfiler has AD integration but has no ZFS support.

The reason I need AD integration is to make my life easier. Also, I have about 40 Windows XP / 7 systems that are headless and run 'automatically', which will need to access this ZFS RAID volume once I set it up with samba.

Is there something out there that meets all my requirements?

At the VERY least, I need to share the ZFS RAID volume with 'full access' to all users that can access it (i.e. read/write/execute to all users without having to type a password in).

AlucardZero · 01-25-2011, 03:32 PM

For ZFS, your best choice is Solaris. The Linux ZFS ports aren't ready for real use yet, and last I heard, the FreeBSD ZFS port was missing many features.

Solaris does, too, meet your last requirement if you use the included Solaris Web Console and ZFS Administration applet. You use it via your browser. Screenshot: http://i.imgur.com/YckTz.png

xeleema · 01-25-2011, 03:45 PM

Greetingz!

There should be a way to accomplish what you're trying to do with a few Operating Systems;

Active Directory Integration:
This depends on the level of integration you need. For example, if you just need to make sure that Windows users can use the shares you setup, then every *NIX version supports Samba. Samba can be configured to pass authentication off to an Active Directory domain controller.
Bear in mind that this also depends on just how your Active Directory domain is setup. If it's running off of a set of Windows 2008 R2 (or 2003) servers, then certain compatibility options will need to be enabled on your Domain Controllers in some cases.

If you need full-blown "Active Directory"-based Identity Management, then you can either take a look at the many documents available that describe how to do this for Solaris 10 and certain Linux distributions (note: this route is much harder, even with certain commercial implementations of Active Directory integration, such as Centrify).

ZFS Filesystem Support:
I'm sure you're aware that certain Operating Systems have "Experimental" or just buggy implementations. The de facto Operating System you would want to go with in any Production or Business-critical environment would be Solaris 10's current release (fully patched, of course). I would also strongly recommend shelling out for a support contract, but that depends on how much $$$/hour you would lose if the server was down for a day.

GUI NAS Administration:
This depends. You mentioned this is not a hard-requirement. However what are your planned needs? Is the GUI for a System Administator, or does it need to be something more "user-level" (e.g: Does it have to prevent outright silly things from happening, like sharing root ( / ) or /var?)

"Alternative" Suggestion:
If you don't have a nead for a "one filesystem per share" type of setup (for example, if simple quotas would help you out. Might I suggest a two-server tactic?
a) A Solaris 10 server doing the ZFS, but exporting one or two big filesystems via iSCSI or NFS.
b) A "Hosting" server, that mounts up the filesystems, shares them out, and does the Active Directory authentication for users accessing the shares.
(Note that you would want to have both of these systems relativly close together, just to minimize any chance of outages disrupting service.)

With all that said, here's something that might appeal to you;

Solaris10
ZFS Support: Built-in.
AD Support: Depends on the level of "Active Directory Integration" you need, and how your AD domain is setup (see above).
GUI: There's always "webmin" for the SysAdmins.

brokenpromises · 01-28-2011, 10:34 PM

Hi Guys,

Thanks for the replies. Decided that the GUI / AD integration isn't important.

What IS important is to create and share a ZFS array over the network for everyone to access, (Windows 7 / Windows XP Desktops) without entering a password. This is possible, right?

Just got Solaris 11 Express installed. I'm pretty good with linux, but a newb to Solaris. Some commands are similar but most arent - I don't suppose anyone knows of a guide that will guide me through installing and setting up samba? I know how to create the ZFS array already.

xeleema · 01-28-2011, 11:37 PM

Quote:

Originally Posted by brokenpromises

What IS important is to create and share a ZFS array over the network for everyone to access, (Windows 7 / Windows XP Desktops) without entering a password. This is possible, right?

Yep! Just need Samba (correctly) setup on your server, and you'll be good to go!

Quote:

Originally Posted by brokenpromises

Just got Solaris 11 Express installed. I'm pretty good with linux, but a newb to Solaris. Some commands are similar but most arent - I don't suppose anyone knows of a guide that will guide me through installing and setting up samba? I know how to create the ZFS array already.

Samba guides all pretty much apply to any *NIX. There's a few non-samba things you need to know about Solaris, though;

1) Services are started/stopped by the "Service Management Facility" (think "inetd on acid")
Read the manpages for "svcs" & "svcadm"
2) Solaris 10 and up has both "run levels" and "milestones".
Do "svcs -av | grep -i milestone" to get an idea of what you're looking at, then read up on the man pages for the milestones.
3) "killall" does not do the same thing in Solaris that it does in Linux! Don't run it! (read the man page)
4) The root account in Solaris does not have a separate home directory (/root), like it does in Linux.
Make one on your first boot. Go directly to the command-prompt and edit the /etc/passwd file, then create a /root.
5) The shutdown command behaves differently, check the man page.
Examples:
To reboot in 60 seconds:
shutdown -i6 -g 60 -y "Message to users about the reboot"
To shutdown in 10 minutes:
shutdown -i0 -g 600 -y "Message to users about this shutdown"
Note: When the shutdown command is used, it touches (creates) /etc/nologin. Users get the text in your message, and then are thrown off the machine.

brokenpromises · 01-29-2011, 12:27 AM

Thanks for that! Enabled ssh via svcadm and it's all up and running now. I created a root user during the install, and also created a 'standard' user - now I can't login as root, but I CAN su to root as the normal user I created then do root level stuff.

Now I'm trying to figure out how to install Samba. Is there a package management system such as apt or yum? (Here's me hoping I can get samba installed with a single command

)

xeleema · 01-29-2011, 08:17 AM

You're welcome.

Quote:

Originally Posted by brokenpromises

now I can't login as root, but I CAN su to root as the normal user I created then do root level stuff.

If you're talking about ssh'ing into the system as root, that's not permitted. You can check your sshd_config and change that if you really want to...

Quote:

Originally Posted by brokenpromises

Now I'm trying to figure out how to install Samba. Is there a package management system such as apt or yum? (Here's me hoping I can get samba installed with a single command

)

You can, that would be BlastWave.org you're looking for. There's a howto on the website, and a list of mirrors you can configure.
They use "pkgutil", similar to "yum" or "apt-get".

P.S: You're going to want to make sure /opt has a lot of space available. Everything from BlastWave.org usually installs in /opt/csw. Also, if you don't like the automated coolness, you could hit sunfreeware.com and play dependency-hell.

brokenpromises · 01-29-2011, 03:57 PM

Thanks! Got pkgutil installed, it's great. Also got samba installed. I found this guide to setting up the samba shares.

With the file sharing, looks like I have to set ACLs.

My understanding is, I have to first 'add' the user to the Solaris system (useradd), THEN set the ACL - this will mean that they need to log in before they can get access to the shares? I've got ~40 headless/keyboardless boxes, so this definitely isn't an option. I want to set it up so that you can just type \\HOSTNAME\SHARENAME and bam, you're in, and have full permissions.

How do I do that?

xeleema · 01-29-2011, 05:46 PM

Quote:

Originally Posted by brokenpromises

Thanks! Got pkgutil installed, it's great. Also got samba installed.

Awesome! It's pretty slick, eh?

Quote:

Originally Posted by brokenpromises

I found this guide to setting up the samba shares. With the file sharing, looks like I have to set ACLs.

Only if you're letting people access the Solaris server in the first place. Even then, ACLs are probably overkill.

Quote:

Originally Posted by brokenpromises

My understanding is, I have to first 'add' the user to the Solaris system (useradd), THEN set the ACL - this will mean that they need to log in before they can get access to the shares?

Nope. You can setup access that's either "dead simple" (where anyone could delete/overwrite anyone else's data), "kinda complex" where it'll limit which server can access which shares, or "complex" where you can break things down Windows-user by Windows-user.
None of those options involve people logging into the Solaris system.

Quote:

Originally Posted by brokenpromises

I've got ~40 headless/keyboardless boxes, so this definitely isn't an option. I want to set it up so that you can just type \\HOSTNAME\SHARENAME and bam, you're in, and have full permissions.

Yep, that's possible with Samba.

Quote:

Originally Posted by brokenpromises

How do I do that?

Well lemme give it a spin;
First, this all depends on how your Windows "environment" is setup. Do you have an Active Directory domain, or is everyone in a "WorkGroup"?

Active Directory Domain
There's quite a few guides on how to get Samba to play nice-nice with Active Directory. Here's a few good ones.
http://wiki.samba.org/index.php/Samb...tive_Directory
http://www.howtoforge.com/samba_active_directory

Workgroup
We have a pretty good thread here at LQ.
And there's some very good resources out on the web:
http://www.samba.org/samba/docs/using_samba/appa.html
http://en.wikibooks.org/wiki/Samba/C...ell_with_Samba

SWAT
Samba comes with a web-based configuration tool. As this can be a bit of a security risk, most packages don't enable it by default.
Check here for details on the GUI.

ProTIPs:
So samba's installed. But there's a few utilities you need to know about;

testparm
This lil guy will parse your smb.conf and let you know if something really retarted is in there (basically, if there's syntax errors).
It will also output all of the settings that are left at their default values (stuff you didn't specify directly in the smb.conf file).

smbstatus
This will tell you who's accessing what. Pretty handy if you want to find out if anyone/anything is using the service before you restart it.

Make sure your Windows boxen aren't "Mapping" drives unecessarily. "Mapping" drives is great for lUsers who can't remember share names, but if you're just doing automated stuff, put the UNC paths (the "\\servername\sharename" address is a UNC path) in your scripts.
Don't rely on drive letter mappings in your Windows world when you have automated things running. Stuff just *breaks* (and "Mappings" hold shares open when you run smbstatus, even though they're not "in use").

brokenpromises · 01-29-2011, 06:46 PM

Lets forget AD integration for now, just trying to get the share accessible even.

I just tried to create a share that will be fully accessible by everyone, and failed miserably:

(My pool name = storage, folder I want to share = renders)

Code:

# zfs create -o casesensitivity=mixed storage/renders
# zfs set aclinherit=passthrough storage/renders
# chmod 777 /storage/renders/
# zfs set sharesmb=name=share,guestok=true storage/renders

then finished off with a

Code:

# svcadm enable smb

Here's what happens when I type \\<IP>\share:

http://img694.imageshack.us/img694/5117/19410724.png

Output of # tail -f /var/adm/messages

Code:

Jan 31 00:45:43 zpool winbindd[2338]: [ID 702911 daemon.error] [2011/01/31 00:45:43,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
Jan 31 00:45:43 zpool winbindd[2338]: [ID 702911 daemon.error]   idmap_alloc module tdb already registered!
Jan 31 00:45:43 zpool winbindd[2338]: [ID 702911 daemon.error] [2011/01/31 00:45:43,  0] winbindd/idmap.c:149(smb_register_idmap)
Jan 31 00:45:43 zpool winbindd[2338]: [ID 702911 daemon.error]   Idmap module passdb already registered!
Jan 31 00:45:43 zpool winbindd[2338]: [ID 702911 daemon.error] [2011/01/31 00:45:43,  0] winbindd/idmap.c:149(smb_register_idmap)
Jan 31 00:45:43 zpool winbindd[2338]: [ID 702911 daemon.error]   Idmap module nss already registered!
Jan 31 00:45:43 zpool winbindd[2338]: [ID 702911 daemon.error] [2011/01/31 00:45:43,  0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db)
Jan 31 00:45:43 zpool winbindd[2338]: [ID 702911 daemon.error]   Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration
Jan 31 00:45:43 zpool smbd[2414]: [ID 702911 daemon.error] [2011/01/31 00:45:43,  0] lib/debug.c:663(reopen_logs)
Jan 31 00:45:43 zpool smbd[2414]: [ID 702911 daemon.error]   Unable to open new log file /usr/local/samba/var/log.ssdyo: No such file or directory

(SSDYO = my hostname (windows 7 system).

Output of # sharemgr show -vp

Code:

default nfs=()
zfs
    zfs/storage/renders smb=()
          /storage/renders
                  share=/storage/renders         smb=(guestok="true")
smb smb=()
        * /var/smb/cvol  smb=() "Default Share"
                  c$=/var/smb/cvol      "Default Share"
        * IPC$   smb=() "Remote IPC"
                  IPC$=IPC$     "Remote IPC"

xeleema · 01-29-2011, 07:04 PM

o_0

I've never seen anyone use "zfs set sharesmb=name=share,guestok=true storage/renders"
Shares should be defined in your smb.conf....bear in mind I don't use "OpenSolaris" or "Solaris Express", so they may have some additional (experimental?) features that you're trying to use.

Undo what you did there and stick with the samba you pulled down from BlastWave.org for now (I'm not sure if the "builtin" samba support does SMBv2, which newer versions of Windows need).
Do a quick search for us, too;
find / -name "*smb.conf*" -exec ls -l {} \; 2>/dev/null

brokenpromises · 01-29-2011, 07:15 PM

Code:

# find / -name "*smb.conf*" -exec ls -l {} \; 2>/dev/null
-rw-r--r-- 1 root sys 961 2010-11-06 05:13 /usr/kernel/drv/nsmb.conf
-rw-r--r-- 1 root other 9684 2011-01-30 23:46 /etc/opt/csw/samba/smb.conf
-rw-r--r-- 1 root bin 9684 2010-03-19 03:47 /etc/opt/csw/samba/smb.conf.CSW
-rw-r--r-- 1 root root 0 2011-01-26 22:38 /etc/sfw/smb.conf
-rw-r--r-- 1 root bin 364490 2010-04-22 11:24 /opt/csw/share/man/man5/smb.conf.5

Okay found em, which one do I edit? And what goes in there?

I tried adding

Code:

[renders]
        path = /storage/renders
        read only = No
        writable = Yes
        public = yes
        guest ok = Yes

into

Code:

/etc/opt/csw/samba/smb.conf

and then

Code:

svcadm restart smb

Which completed without errors, but I still got the login username / password box on my windows 7 client.

xeleema · 01-29-2011, 07:38 PM

Ah, okay, this is starting to make sense;

It seems like the "Solaris Express" download of yours already came with samba (/etc/sfw is a dead givaway the "Solaris Companion" has been installed).

Lemme explain the conf files you have

/etc/opt/csw/samba/smb.conf
/etc/opt/csw/samba/smb.conf.CSW (<- Example configuration file, don't edit)
/opt/csw/share/man/man5/smb.conf.5
This is the blastwave stuff (/opt/csw & /etc/opt/csw, and maybe /var/opt/csw should be the only places you see Blastwave.org stuff)

/etc/sfw/smb.conf
This is from the "Solaris Companion", maybe that comes with a full-blown "Solaris Express" install...I'm not sure (I shy away from the "Beta" stuff).

/usr/kernel/drv/nsmb.conf
This is a kernel driver configuration file. Probably has nothing to do with samba. You can ignore this one.

Okay, run the following command and see what you get;
svcs -av | egrep -i "samba|smb|nmbd|winbind|csw"

Most BlastWave services have "CSW" (or "csw") in the name. If you see two samba daemons running, we have to decide on which one you want to use.
I would go with the BlastWave stuff personally. It's a snap to update it, and typically doesn't blow your configuration files away when you do.

You are editing the correct file, however I'm not so sure you're restarting the right service.
The config file you added [Renders] to is for BlastWave, so you'll need to search for (and disable) any non-BlastWave samba service.

By the way, add this to your global;

Code:

hosts allow = 127.0.0.1 x.y.z.

(Keep in mind, "x.y.z." would be your IP range for your boxen, like "192.168.1." or "172.16.0." (it's just three octects for me because I run a few private Class C networks)
Mine looks like this;

Code:

hosts allow = 127.0.0.1 192.168.1. 192.168.9. 172.16.9.

P.S: I have to clear some space for a few servers that are getting dropped off today. I should be back online around 23:30 CST.

brokenpromises · 01-30-2011, 07:19 PM

Okay I got it working.

The directory I want to share is located at /storage/renders

1. Disable built in samba service
2. Install Blastwave
3. Install samba through blastwave
4. Blow away original smb.conf config file located at /etc/opt/csw/samba/smb.conf
5. Create new smb.conf with contents:

Code:

[global]
netbios name = linuxserver
workgroup = WORKGROUP
server string = Public File Server
security = user
map to guest = bad user
guest account = smbguest

[public]
path = /storage/renders
guest ok = yes
read only = no

6. Add this at the end of /etc/passwd

Code:

smbguest:x:525:525:Samba Guest Account:/dev/null:/bin/false

7. Add a smb guest group by typing this at the shell:

Code:

# groupadd -g 525 smbguest

8. Create / navigate to directory that you specified in smb.conf (the share directory)

9. Use chown to change ownership to samba guest acct:

Code:

chown -R smbguest:smbguest /storage/renders

10. Finally restart services

Code:

svcadm restart cswsamba:default cswsamba:cswnmbd cswsamba:cswwinbindd cswsamba:cswsmbd

Also - how does one cehck the amount of free memory on a Solaris Express 11 box?

xeleema · 01-30-2011, 09:34 PM

@brokenpromises
Way to go! That's so good to hear! I really appreciate the mini-howto, too, as I've not used Solaris 11 Expresss myself.

Quote:

Originally Posted by brokenpromises

Also - how does one cehck the amount of free memory on a Solaris Express 11 box?

Okay, this I know;
a) The "top" program might come with Solaris 11 Express. If not, BlastWave has it.

b) You can run "prtconf | grep Mem" for the total amount of RAM.

c) "vmstat" will give you the total + usage of RAM:

Code:

luser@lhost(SunOS)$ vmstat
 kthr      memory            page            disk          faults      cpu
 r b w   swap  free  re  mf pi po fr de sr dd dd f0 m1   in   sy   cs us sy id
 0 0 0 1974568 50960  4  24  1  0  0  0  0  1  1 -0  1  453  384  409  1  2 97
luser@lhost(SunOS)$

d) "prstat -S size" (capital "S")
Kinda like "top" but sorts programs by "size" (check the man page for what "Size" really means!)

Check the UNIX Rossetta Stone for more "How do I do X in Solaris" type things. (Very handy!!)