Oracle ZFS Storage Appliance: SMB Access may be denied from some Network Interfaces

Asset ID:	1-72-2367788.1
Update Date:	2018-03-07
Keywords:

Solution Type Problem Resolution Sure

Solution 2367788.1 : Oracle ZFS Storage Appliance: SMB Access may be denied from some Network Interfaces

Applies to:

Oracle ZFS Storage ZS5-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage Appliance Racked System ZS5-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS4-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage Appliance Racked System ZS4-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS5-2 - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)

Symptoms

Customers with Oracle ZFS Storage Appliance (ZFSSA) in clustered configuration may be denied access to SMB shares if the access is through the IP address owned by the peer node. The symptom was first observed in cluster configurations, however, the access issues to SMB shares is observed also in standalone configurations.

When the problem occurs, messages similar to the following will be observed in the log. (/var/ak/logs/debug.sys)

Oct 16 09:11:02 lbl-138 smbsrv: [ID 421734 kern.notice] NOTICE:
[LBL-138\testuser]: testshare Access is denied to share as it is being accessed via an IP that is not owned by the same node

The above message can be verified by generating a support bundle and its content.

Please see the "Solution" section of this document for further details.

Changes

This issue can occur in the following releases:

ZFSSA Platform

2013.1.7.0 (Version string ak-2013.06.05.7.0) or later.

Solaris platforms are not impacted by this issue. The feature is unique to ZFSSA Platform.

Cause

BUG:27046617 - UNABLE TO ACCESS THE SHARE AFTER TAKEOVER DUE TO ASN VERIFY
BUG:22870185 - SMB SERVER SHOULD NOT MIX INTERFACES AND POOLS OWNED BY DIFFERENT NODES.

Solution

Until a final fix is available, the Workaround to this issue is as follows:

Verifying The Symptom

In order to verify the symptoms, there are two methods that can be used:

(a) Use a ZFSSA workflow to check if the problem exists.
(b) Generate a support bundle, extract the file and view debug.sys file.

Running a ZFSSA Workflow

If you choose to use the workflow (attached below), please follow the steps below:

(1) Please upload the attached workflow.
(2) Click on the uploaded workflow to execute.
(3) Provide your email address and SR number for the record.
(4) After it completes, check the audit log under Maintenance -> Log -> Audit.
You will see either one of the messages.

A 'denied access' message was found. This appliance is affected by bug 22870185 and 27380040. Please contact Oracle Support.
No 'denied access' messages found. You are not affected by this issue.

If you are asked to contact support, please reach us by opening a Service Request.

Verifying The Log File in Support Bundle

If you choose to check the log file in the support bundle, please follow the step below:

Generate the support bundle, then once your ZFSSA finishes the generation of the support bundle and start uploading, then cancel the upload. Please download the support bundle and extract the bundle locally.

If you are a Solaris/Linux user, please use the following command to extract:

gunzip -c ak.<uuid>.tar.gz | tar xvf -

For example, you will run something like below.

solaris-box # gunzip -c ak.750e1411-2089-c0dc-f358-d62efd1e0396.tar.gz | tar xvf -

After extraction, please check the content of logs/debug.sys to see if the message such as below exists.

Oct 16 09:11:02 lbl-138 smbsrv: [ID 421734 kern.notice] NOTICE:
[LBL-138\testuser]: testshare Access is denied to share as it is being accessed via an IP that is not owned by the same node

If you find the message similar to the above example, it is likely the system is affected by this issue. Please reach us by opening a Service Request.

Workaround For Clustered Configuration

(a) Check the status of the cluster and the owners of the network interfaces by running commands below.

(Status of Cluster)

test06-h0:> configuration cluster show
Properties:
state = AKCS_STRIPPED
description = Ready (waiting for failback)
peer_asn = d693ea5c-e912-6dd6-8b5f-ba1c3aa7e0a6
peer_hostname = test06-h1
peer_state = AKCS_OWNER
peer_description = Active (takeover completed)

Children:
resources => Configure resources

(Owners of Network Interfaces)

test06-h0:> configuration cluster resources show
Resources:

RESOURCE OWNER TYPE LABEL CHANGES DETAILS
net/nge0 test06-h0 private admin-head0 no 192.168.100.179
zfs/pool-0 test06-h0 singleton no
zfs/pool-1 test06-h1 singleton no

Check the OWNER column. If you have an empty interface and TYPE is 'singleton', it would cause the access issue that is described here.

(b) If you have OWNER names against all interfaces, a cluster fail back will resolve the problem.

(c) If you have network interfaces whose TYPE is 'singleton' and missing OWNER names, then the network interfaces must be recreated.

Workaround for Stand-alone Configuration

If you have a problem in a stand-alone configuration, network interfaces must be recreated.

If you have any questions or have difficulties resolving the problem, please contact Oracle Support.

Resolution

A final resolution for this issue is pending completion. Also see Service Alert <Document:2370372.1> for more information and updates on the Resolution to this issue.

References

<BUG:22870185> - SMB SERVER SHOULD NOT MIX INTERFACES AND POOLS OWNED BY DIFFERENT NODES.
<BUG:27380040> - BACKOUT OF 22870185 SMB SERVER SHOULD NOT MIX INTERFACES AND POOLS OWNED BY DIFF
<BUG:27046617> - UNABLE TO ACCESS THE SHARE AFTER TAKEOVER DUE TO ASN VERIFY

Attachments

This solution has no attachment