SMB providers allow Access Anywhere platform to manage and access data on file servers supporting the SMB network file-sharing protocol. In addition to synchronization of metadata synchronization, the “multiuser” SMB providers synchronize permissions. User and group permissions are managed through the SMB server.
The aim of this troubleshooting document is to provide advice on SMB connector troubleshooting issues and edge cases for administrators of Access Anywhere:
It is recommended to use SMB version 2.1 as the base SMB protocol for the Nasuni connector. If you are considering using SMB 3.0 with the Nasuni connector please contact support. SMB 3.0 can be used with the SMB Multi-User Connector.
We use the words “provider” and “connector” almost interchangeably throughout this document. The precise distinction between them is that a connector is a piece of code that can attach a certain kind of storage to Access Anywhere, and a provider is a connector that has been configured to attach a specific storage system instance to Access Anywhere using a particular account.
The Multi-User SMB connector and the Nasuni connector obtain information about which providers and folders a user should have access to from the permissions that have been set on the underlying storage as well as group membership from AD.
To have access to a connector a user must have effective permission (directly or via group membership) to access the share to which the storage connector is connected.
Instructions for checking a user’s permissions from the Linux command line can be found here
To check the permissions from Windows:
You will see a list of permissions for the folder:
If the user whose permissions you are checking is in a lot of groups then it may be easiest to use the “Effective Access” feature from the “Advanced” tab to see what permissions she has after all of the group permissions are combined.
Note that “Deny” permissions supersede “Allow” permissions.
In addition to caching folder and file metadata the connector synchronizes and caches permissions including folder ACLs, group membership and mapping of SIDs to group names. Since these connectors are enabled for real-time synchronization permissions are synced as a user browses through folders.
Folder ACLs are checked when a folder is refreshed but by default not more than once every 30 seconds. This can be changed using ffconfig set cloudrefreshexpiration 30
or through the Appliance Administration under Site Functionality > Storage Connectors > Cloud Refresh caching time.
The default cache expiration time for groups is 300 seconds. This can be changed using ffconfig set cifsldapcachetime 300
.
The mapping of SIDs to group names is cached by default for 1 week. This can be changed with ffconfig set cifsgroupsidcachetime 604800
.
Permissions that have been synced can be seen within the Cloud File Manager from the folder menu “Permissions” or “Subfolder Permissions”.
Assuming that the permissions on the underlying storage and the group membership are correct the next step is to determine whether the user can see the share in the Web File Manager and/or from a Access Anywhere desktop Cloud Drive. If the user can see the share in the File Manager and not in the Drive, please ask them to log out from the Drive and then log in again.
If the user can see the share in the Drive and not in the File Manager then please ask her to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the share is still not visible, contact Support.
Assuming that the permissions on the underlying storage and the group membership are correct the next step is to determine whether the users can see the share in the Web File Manager and/or from a Access Anywhere desktop Cloud Drive. If they can see the share in the File Manager and not in the Drive, please ask them to log out from the Drive and then log in again.
If the users can see the share in the Drive and not in the File Manager then please ask them to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the share is still not visible, contact Support.
Assuming that the permissions on the underlying storage and the group membership are correct and the provider is operating in Cloud Refresh mode (real-time sync mode), the next step is to determine whether the users can see the share in the Web File Manager and/or from a Access Anywhere desktop Cloud Drive. If they can see the share in the File Manager and not in the Drive, please ask them to log out from the Drive and then log in again.
If the users can see the share in the Drive and not in the File Manager then please ask them to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the share is still not visible, contact Support.
If the user can see the share in the File Manager and not in the Drive, please ask him to log out from the Drive and then log in again.
If the user can see the Share in the Drive and not in the File Manager then please ask him to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory.
If the share is still not visible, contact Support.
If the user’s password has changed then the Drive may remain logged in but the shares will no longer be visible through the Drive. In this case the user should log in through the web interface with her new password. This will restore the Drive’s access. She can then exit the web interface without affecting the Drive’s access.
This indicates that the shares are no longer accessible through their mounts on Access Anywhere host. (The shares are “stale”). A linux administrator can refresh the mounts using a script provided by NAA As follows:
curl https://raw.githubusercontent.com/SMEStorage/filefabric-scripts/main/smb_scripts/flush_mounts.sh -o flush_mounts.sh
chmod 0700 flush_mounts.sh
./flush_mounts.sh -n <NAS_name_or_IP_address>
For example:
./flush_mounts.sh -n 172.20.25.226
For HA installations this process should be repeated on each of Access Anywhere's web application nodes.
Note that upgrading or restarting the Nasuni Filer can sometimes result in the mounts of shares exported by the Filer becoming stale.
This can happen if a share was added after the user most recently logged in. When this happens, the user should log out and in through the Drive again.
If a share that was previously accessible to a user ceases to be visible, the most likely explanation is that the user’s permissions have changed. Please see Important Point 1 at the top of this document.
As described in Important Point 1 at the top of this document, these providers get their information about which shares a user should see from the permissions that have been set on the underlying storage. These permissions are refreshed frequently by Access Anywhere. The user should first try navigating away from the folder in question and then navigating back to it. If his permissions remain incorrect then check them directly on the storage as described above.
If a file is missing from the Cloud Drive but visible in the Web File Manager the refresh the Drive’s view of the data as follows:
If the users can see the file or folder in the Drive and not in the File Manager then please ask them to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the file/folder is still not visible, contact Support.
If a file is missing from both the Web File Manager and the Cloud Drive check the storage directly to confirm that the file or folder is there. If it is, please contact Support.
If the latest version of a file is missing from the Cloud Drive but visible in the Web File Manager then refresh the Drive’s view of the data as follows:
If the latest version of the file is missing from the Web File Manager but visible in the Cloud Drive then please ask them to do a full page refresh of the File Manager’s Files page and also to do a Cloud Refresh of their root directory. If the file/folder is still not visible, contact Support.
If a file is missing from both the Web File Manager and the Cloud Drive check the storage directly to confirm that the file or folder is there. If it is, please contact Support.
Navigate to the folder in the Web File Manager. This will cause the directory’s contents to be updated.
When the password of a user who has created shared links changes, the shared links will not be usable until the user re-authenticates on Access Anywhere by logging out and back in.
The speed at which directory listings are displayed in the Cloud Drive and the File Manager is roughly proportional to the number of files or subfolders in the directory, as well as the response time from the storage. As a rule of thumb, allow one second for every thousand files or subfolders.
If directory listings are taking significant longer than one second per thousand items, the most common cause is slow responses by the storage to Access Anywhere’s requests for the access permissions for the folder’s contents. The storage should not take more than a second or two respond to these requests. A Linux system administrator can determine how long the storage is taking to send the permissions by following these steps:
time smbclient '//<nas name>/<share>' -W '<domain>' -U '<Admin User from Provider setup>' -D '/<slow loading folder name>/' -c 'showacls; ls' 2>&1 .
If the administrator determines that slow responses from the storage are not the case of the delay, please contact Support for assistance.
The name of the share you enter in Access Anywhere and the name of the share on the storage must match exactly including case. Check Access Anywhere value for case and correct it as needed.
The name and path of the folder on the share you enter in Access Anywhere and the name and path of the folder on the share on the storage must match exactly including case. Check Access Anywhere value for case and correct it as needed.
Conflict files are created when Access Anywhere cannot complete certain operations as expected. This happens most frequently when changes are made directly to the storage and also through Access Anywhere (in other words the storage is being used bi-modally). Typically the creation of conflict files does not indicate an error. If, however, conflict files are being created frequently then please contact Support.
Working as root, use the same smbclient command to see whether an SMB connection between Access Anywhere and the storage can be established:
smbclient '//<nas name>/<share>' -W '<domain>' -U '<User from Provider setup>' -D '/<slow loading folder name>/' -c 'ls' 2>&1
Still working as root, use the mount command to see whether the storage can be mounted:
mkdir -p /mnt/tmp; mount -t cifs -o rw,soft,nolock,user='<User from Provider Setup>',domain='<Domain>',mapchars //<nas name>/<share> /mnt/tmp/
If either of these commands is unsuccessful then Access Anywhere will not be able to use the storage.