Thursday, October 28, 2010

Snow Leopard Error -50 when copying to an SMB share

Symptom

Snow Leopard client copying file to SMB will get a –50 unkown error and the copying will halt. This only happens to Snow Leopard and only to SMB. Copying the same files to AFP works fine. It is also only on certain files. We can take this file to another Snow Leopard machine and reproduce it every time.

Cause

We found out that it has to do with files with resource fork. I think Snow Leopard and Leopard no longer embed resource fork into files anymore. But I am guessing these files were touched or created by older Apple OS. This explains why out of thousands of files, we only see some files with this problem. This is due to the fact that the Snow Leopard Client now defaults to using NTFS Streams rather than AppleDouble files (dot underscore files) to store the resource fork.

Solution

Turn off NTFS Streams support in Snow Leopard. You can do this on the client by running this command.

echo "[default]" | sudo tee -a /etc/nsmb.conf
echo "streams=no" | sudo tee -a /etc/nsmb.conf

Of course this would be a pain if you have to touch every clients. An easier way is to touch the share by creating a file at the root of the share called ".com.apple.smb.streams.off". As this is a hidden file, it is probably best to do this from the command line.

cd /Volumes/sharename/

touch .com.apple.smb.streams.off

No reboot is needed. Client just need to dismount and mount the share again.

Tuesday, October 19, 2010

Windows and Mac users unable to access server shares and printers

We received a report from several offices that users were unable to access server shares or print until their passwords were reset in AD.

Users were able to log into their computers and send/receive mail.

The users were receiving a "user name could not be found" error when attempting to connect to servers and the printers were showing "Unable to Connect".

The problem was that the User Principal Name (UPN) was holding old cached values. Logging into the computer using the full UPN (first.last@domain.com), restarting and logging back in with the normal AD name (first.last) resolved the issue.

This problem seemed to only affect users who had had their UPN updated recently.

Thursday, October 7, 2010

Mac Binding Fails- Advice from Apple

Apple's KB regarding binding problems and possible work-arounds involving clearing out Kerberos config files and DNS config check:

http://support.apple.com/kb/TS2691

Wednesday, October 6, 2010

Snow Leopard (10.6) can not connect to server using SMB: RESOLVED

Problem: AD bound 10.6.x Macs were experiencing problems connecting to SMB shares on Windows servers.  Users could not connect to the shares, or it would take several minutes to open/browse folders.

Cause:   It was found that the issue happens when there is a folder or file on the share for which the security list includes an “Unknown SID”. When listing the content of the share, the OS X Directory Service plugin attempts to resolve all SIDs to AD objects. In this case, the plugin encounters a “Unknown SID” and expends 60 seconds attempting to resolve the SID. Once 60-second timeout is reached, the plugin skips the entry and will list the share contents. Now, if there are multiple files or folders of “Unknown SIDs”, the time for listing the content will multiply base on how many of these “Unknown SIDs” on there thus explaining the different delay time users are experiencing.

Resolution:  
Test indicates that once these “Unknown SIDs” are removed from the affected file/folder, the speed of SMB will return to normal. The mount and content listing of the share will take seconds instead of minutes.

Apple will take the finding back to their product engineering to determine how they might be able to mitigate the timeout issue from OS X.

The problem of resolving this issue for server administrators is that it is not practical to identify these “Unknown SIDs” and remove them manually. After some research, it seems that Microsoft has a tool to do this.

SUBINACL - Display or modify Access Control Entries (ACEs) for file and folder Permissions, Ownership and Domain.


Download the MSI and install it to your file server. You can then run it using the following syntax. It will removed all the “Unknown SIDs” from the files and folders you specify.

subinacl /subdirectories X:\* /cleandeletedsidsfrom=IPGNA

This will clean out all “Unknown SIDs” from the path you specify and all the directories below that. You can also use a /TESTMODE switch to test it out. It will run the command and show you the result without actually modifying anything. It is recommended that you run it under testmode once.