## Nasuni and Multi-User SMB Connectors Troubleshooting Guide ##### last updated on Sep. 4, 2024 SMB providers allow Access Anywhere platform to manage and access data on file servers supporting the SMB network file-sharing protocol. In addition to synchronization of metadata synchronization, the "multiuser" SMB providers synchronize permissions. User and group permissions are managed through the SMB server. The aim of this troubleshooting document is to provide advice on SMB connector troubleshooting issues and edge cases for administrators of Access Anywhere: * [[cloudproviders/nasuni]] * [[server/cifs]] It is recommended to use SMB version 2.1 as the base SMB protocol for the Nasuni connector. If you are considering using SMB 3.0 with the Nasuni connector please contact support. SMB 3.0 can be used with the SMB Multi-User Connector. ### Terminology We use the words "provider" and "connector" almost interchangeably throughout this document. The precise distinction between them is that a connector is a piece of code that can attach a certain kind of storage to Access Anywhere, and a provider is a connector that has been configured to attach a specific storage system instance to Access Anywhere using a particular account. ### Storage Permissions The Multi-User SMB connector and the Nasuni connector obtain information about which providers and folders a user should have access to from the permissions that have been set on the underlying storage as well as group membership from AD. To have access to a connector a user must have effective permission (directly or via group membership) to access the share to which the storage connector is connected. Instructions for checking a user’s permissions from the Linux command line can be found [[https://unix.stackexchange.com/questions/367321/determine-smb-shares-i-have-read-and-or-write-access-to|here]] To check the permissions from Windows: * navigate to the folder’s parent directory * open the folder’s context menu * click on “Properties” * go to the “Security” tab * click on “Advanced” You will see a list of permissions for the folder: {{ :perms.png?direct&400 |}} If the user whose permissions you are checking is in a lot of groups then it may be easiest to use the "Effective Access" feature from the "Advanced" tab to see what permissions she has after all of the group permissions are combined. Note that “Deny” permissions supersede “Allow” permissions. ### Permission Synchronization In addition to caching folder and file metadata the connector synchronizes and caches permissions including folder ACLs, group membership and mapping of SIDs to group names. Since these connectors are enabled for [[server:cloudrefreshmode|real-time synchronization]] permissions are synced as a user browses through folders. Folder ACLs are checked when a folder is refreshed but by default not more than once every 30 seconds. This can be changed using ```ffconfig set cloudrefreshexpiration 30``` or through the Appliance Administration under Site Functionality > Storage Connectors > Cloud Refresh caching time. The default cache expiration time for groups is 300 seconds. This can be changed using ```ffconfig set cifsldapcachetime 300```. The mapping of SIDs to group names is cached by default for 1 week. This can be changed with ```ffconfig set cifsgroupsidcachetime 604800```. Permissions that have been synced can be seen within the Cloud File Manager from the folder menu "Permissions" or "Subfolder Permissions". ## Troubleshooting Issues / Edge Cases ### New User Doesn’t See a Share Assuming that the permissions on the underlying storage and the group membership are correct the next step is to determine whether the user can see the share in the Web File Manager and/or from a Access Anywhere desktop Cloud Drive. If the user can see the share in the File Manager and not in the Drive, please ask them to log out from the Drive and then log in again. If the user can see the share in the Drive and not in the File Manager then please ask her to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the share is still not visible, [[mailto:support@nasuni.com|contact Support]]. ### Some Users See a Share and Some Don’t Assuming that the permissions on the underlying storage and the group membership are correct the next step is to determine whether the users can see the share in the Web File Manager and/or from a Access Anywhere desktop Cloud Drive. If they can see the share in the File Manager and not in the Drive, please ask them to log out from the Drive and then log in again. If the users can see the share in the Drive and not in the File Manager then please ask them to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the share is still not visible, [[mailto:support@nasuni.com|contact Support]]. ### No Users See Recently Added Share Assuming that the permissions on the underlying storage and the group membership are correct and the provider is operating in Cloud Refresh mode (real-time sync mode), the next step is to determine whether the users can see the share in the Web File Manager and/or from a Access Anywhere desktop Cloud Drive. If they can see the share in the File Manager and not in the Drive, please ask them to log out from the Drive and then log in again. If the users can see the share in the Drive and not in the File Manager then please ask them to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the share is still not visible, [[mailto:support@nasuni.com|contact Support]]. ### User Doesn’t See Share After Being Granted Permission to Use It If the user can see the share in the File Manager and not in the Drive, please ask him to log out from the Drive and then log in again. If the user can see the Share in the Drive and not in the File Manager then please ask him to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the share is still not visible, [[mailto:support@nasuni.com|contact Support]]. ### User Can No Longer Access Any Shares from Cloud Drive If the user’s password has changed then the Drive may remain logged in but the shares will no longer be visible through the Drive. In this case the user should log in through the web interface with her new password. This will restore the Drive’s access. She can then exit the web interface without affecting the Drive’s access. ### Users Cannot Operate on Shares ("Permission Denied") This indicates that the shares are no longer accessible through their mounts on Access Anywhere host. (The shares are "stale"). A linux administrator can refresh the mounts using a script provided by NAA As follows: * ssh into Access Anywhere as smeconfiguser * become the root user * use curl to fetch the script: ``` curl https://raw.githubusercontent.com/SMEStorage/filefabric-scripts/main/smb_scripts/flush_mounts.sh -o flush_mounts.sh ``` * make the script executable: ``` chmod 0700 flush_mounts.sh ``` * run the script: ``` ./flush_mounts.sh -n ``` For example: ``` ./flush_mounts.sh -n 172.20.25.226 ``` For HA installations this process should be repeated on each of Access Anywhere's web application nodes. Note that upgrading or restarting the Nasuni Filer can sometimes result in the mounts of shares exported by the Filer becoming stale. ### Drive Displays Error Message “Password not found for user. Please re-login” This can happen if a share was added after the user most recently logged in. When this happens, the user should log out and in through the Drive again. ### Share has Disappeared If a share that was previously accessible to a user ceases to be visible, the most likely explanation is that the user’s permissions have changed. Please see Important Point 1 at the top of this document. ### User’s Permissions on Folder are Incorrect As described in Important Point 1 at the top of this document, these providers get their information about which shares a user should see from the permissions that have been set on the underlying storage. These permissions are refreshed frequently by Access Anywhere. The user should first try navigating away from the folder in question and then navigating back to it. If his permissions remain incorrect then check them directly on the storage as described above. ### File or Folder is Missing from Directory If a file is missing from the Cloud Drive but visible in the Web File Manager the refresh the Drive’s view of the data as follows: * If you are using the Windows Cloud Drive access this option from the Cloud Drive access this option from the Cloud Drive icon’s context menu on the Windows Task Bar: {{ ::windows_refresh_now.png?direct&200 |}} * If you are using the Mac Cloud Drive access this option from the Cloud Drive access this option from the Cloud Drive icon’s context menu on the Mac Menu Bar: {{ ::mac_refresh.png?direct&200 |}} If the users can see the file or folder in the Drive and not in the File Manager then please ask them to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the file/folder is still not visible, [[mailto:support@nasuni.com|contact Support]]. If a file is missing from both the Web File Manager and the Cloud Drive check the storage directly to confirm that the file or folder is there. If it is, please [[mailto:support@nasuni.com|contact Support]]. ### File Update Missing If the latest version of a file is missing from the Cloud Drive but visible in the Web File Manager then refresh the Drive’s view of the data as follows: * If you are using the Windows Cloud Drive access this option from the Cloud Drive access this option from the Cloud Drive icon’s context menu on the Windows Task Bar: {{ ::windows_refresh_now.png?direct&200 |}} * If you are using the Mac Cloud Drive access this option from the Cloud Drive access this option from the Cloud Drive icon’s context menu on the Mac Menu Bar: {{ ::mac_refresh.png?direct&200 |}} If the latest version of the file is missing from the Web File Manager but visible in the Cloud Drive then please ask them to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the file/folder is still not visible, [[mailto:support@nasuni.com|contact Support]]. If a file is missing from both the Web File Manager and the Cloud Drive check the storage directly to confirm that the file or folder is there. If it is, please [[mailto:support@nasuni.com|contact Support]]. ### File Missing from Folder Shared With a Link Navigate to the folder in the Web File Manager. This will cause the directory’s contents to be updated. ### Access to File or Folder Denied for Shared Link When the password of a user who has created shared links changes, the shared links will not be usable until the user re-authenticates on Access Anywhere by logging out and back in. ### Listing of Directory Contents is Slow The speed at which directory listings are displayed in the Cloud Drive and the File Manager is roughly proportional to the number of files or subfolders in the directory, as well as the response time from the storage. As a rule of thumb, allow one second for every thousand files or subfolders. If directory listings are taking significant longer than one second per thousand items, the most common cause is slow responses by the storage to Access Anywhere’s requests for the access permissions for the folder’s contents. The storage should not take more than a second or two respond to these requests. A Linux system administrator can determine how long the storage is taking to send the permissions by following these steps: * Log in to Access Anywhere host VM as smeconfiguser using ssh. * Run the following (using your share, folder and username) time smbclient '///' -W '' -U '' -D '//' -c 'showacls; ls' 2>&1 . If the administrator determines that slow responses from the storage are not the case of the delay, please [[mailto:support@nasuni.com|contact Support]] for assistance. ### “Error 13 permission denied” When Adding a Provider that Connects to a Share The name of the share you enter in Access Anywhere and the name of the share on the storage must match exactly including case. Check Access Anywhere value for case and correct it as needed. ### No Permissions on Provider that Connects to a Subdirectory in a Share The name and path of the folder on the share you enter in Access Anywhere and the name and path of the folder on the share on the storage must match exactly including case. Check Access Anywhere value for case and correct it as needed. ### Conflict Files Created Conflict files are created when Access Anywhere cannot complete certain operations as expected. This happens most frequently when changes are made directly to the storage and also through Access Anywhere (in other words the storage is being used bi-modally). Typically the creation of conflict files does not indicate an error. If, however, conflict files are being created frequently then please [[mailto:support@nasuni.com|contact Support]]. ### Access Anywhere Cannot Mount an SMB Share Working as root, use the same smbclient command to see whether an SMB connection between Access Anywhere and the storage can be established: ``` smbclient '///' -W '' -U '' -D '//' -c 'ls' 2>&1 ``` Still working as root, use the mount command to see whether the storage can be mounted: ``` mkdir -p /mnt/tmp; mount -t cifs -o rw,soft,nolock,user='',domain='',mapchars /// /mnt/tmp/ ``` If either of these commands is unsuccessful then Access Anywhere will not be able to use the storage.