NAS-133680 / 25.04-RC.1 / Disable SMB2 lease support in multiprotocol SMB mode (by anodos325) #15741

Merged
merged 3 commits into from
Feb 17, 2025
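--- a/src/middlewared/middlewared/plugins/smb.py
+++ b/src/middlewared/middlewared/plugins/smb.py
@@ -512,6 +512,14 @@ async def validate_smb(self, new, verrors):
 'smb_update.aapl_extensions',
 'This option must be enabled when AFP or time machine shares are present'
 )
+else:
+if await self.middleware.call('sharing.smb.query', [['purpose', '=', 'MULTI_PROTOCOL_NFS']]):
+verrors.add(
+'smb_update.aapl_extensions',
+'This option may not be enabled concurrently with shares that are configured for '
+'multi-protocol NFS access.'
+)
+
 
 if new['enable_smb1']:
 if audited_shares := await self.middleware.call(
@@ -1330,6 +1338,13 @@ async def validate(self, data, schema_name, verrors, old=None):
 'This feature may be enabled in the general SMB server configuration.'
 )
 
+if data['purpose'] == 'MULTI_PROTOCOL_NFS' and smb_config['aapl_extensions']:
+verrors.add(
+f'{schema_name}.purpose',
+'MULTI_PROTOCOL_NFS purpose requires global changes that are incompatible '
+'with the enabling of Apple SMB protocol extensions.'
+)
+
 if data['timemachine'] or data['purpose'] in ('TIMEMACHINE', 'ENHANCED_TIMEMACHINE'):
 if not smb_config['aapl_extensions']:
 verrors.add(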
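Review bot: Both new checks run only when the SMB configuration or a share is saved, so a system that already has `aapl_extensions` enabled alongside a MULTI_PROTOCOL_NFS share is not flagged by either hunk and, as far as these lines show, would still reach config generation with the incompatible combination. It is worth confirming that an upgrade path or a check at generation time covers that state. In `validate_smb` the nested `else:` / `if await ...` can be written as `elif await self.middleware.call('sharing.smb.query', [['purpose', '=', 'MULTI_PROTOCOL_NFS']]):`, and the second blank line after the block is one more than a method body normally carries. Both `validate_smb` and `validate` start and end outside the hunks.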
2 changes: 1 addition & 1 deletion src/middlewared/middlewared/plugins/smb_/constants.py
Expand Up @@ -139,7 +139,7 @@ class SMBSharePreset(enum.Enum):
MULTI_PROTOCOL_NFS = {"verbose_name": "Multi-protocol (NFSv4/SMB) shares", "params": {
'streams': True,
'durablehandle': False,
'auxsmbconf': '',
'auxsmbconf': 'kernel oplocks=True',
}, "cluster": False}
PRIVATE_DATASETS = {"verbose_name": "Private SMB Datasets and Shares", "params": {
'path_suffix': '%U',
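Review bot: `'kernel oplocks=True'` now reaches the share only through the preset's `auxsmbconf` string, while `smb2 leases = False` is derived from the share's `purpose`; if `auxsmbconf` on a MULTI_PROTOCOL_NFS share can later be edited (not visible here), the two can drift apart, leaving leases disabled globally but kernel oplocks off on the share that NFS clients also write to. Deriving it from the purpose in the share generator, e.g. `if share_config['purpose'] == 'MULTI_PROTOCOL_NFS': config_out['kernel oplocks'] = True`, would keep the pair tied together and keep the value a bool rather than the string `'True'`. The enum continues outside the hunk.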
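--- a/src/middlewared/middlewared/plugins/smb_/util_smbconf.py
+++ b/src/middlewared/middlewared/plugins/smb_/util_smbconf.py
@@ -181,8 +181,6 @@ def generate_smb_share_conf_dict(
 
 if share_config['durablehandle']:
 config_out['posix locking'] = False
-else:
-config_out['kernel oplocks'] = True
 
 if share_config['timemachine']:
 config_out['fruit:timemachine'] = True
@@ -294,6 +292,7 @@ def generate_smb_conf_dict(
 case _:
 pass
 
+has_mixed_mode = filter_list(smb_shares, [['purpose', '=', 'MULTI_PROTOCOL_NFS']])
 home_share = filter_list(smb_shares, [['home', '=', True]])
 if home_share:
 if ds_type is DSType.AD:
@@ -559,6 +558,13 @@ def generate_smb_conf_dict(
 
 smbconf.update({f'{idmap_prefix} {backend_parameter}': value})
 
+"""
+Mixed NFS / SMB shares enables kernel oplock support, which requires
+globally disabling SMB2 leases
+"""
+if has_mixed_mode:
+smbconf['smb2 leases'] = False
+
 for e in smb_service_config['smb_options'].splitlines():
 # Add relevant auxiliary parameters
 entry = e.strip()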
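Review bot: `smbconf['smb2 leases'] = False` is set just before the loop over `smb_service_config['smb_options']`, so if that loop writes auxiliary parameters into `smbconf` (its body is outside the hunk), an `smb2 leases` line in the auxiliary parameters would override the forced value while kernel oplocks stay enabled on the mixed share. Moving the `if has_mixed_mode:` block below that loop, or skipping the key inside it, would make the setting authoritative. The triple-quoted string above it is an expression statement rather than a comment; `# Mixed NFS / SMB shares enable kernel oplocks, which requires disabling SMB2 leases globally` reads the same and is not evaluated. `generate_smb_conf_dict` starts and ends outside the hunk.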
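--- a/tests/unit/test_smb_service.py
+++ b/tests/unit/test_smb_service.py
@@ -465,3 +465,11 @@ def test__enable_stig():
 )
 assert conf['client use kerberos'] == 'required'
 assert conf['ntlm auth'] == 'disabled'
+
+
+def test__multiprotocol_share_leases():
+conf = generate_smb_conf_dict(
+None, None, BASE_SMB_CONFIG, [BASE_SMB_SHARE | {'purpose': 'MULTI_PROTOCOL_NFS'}],
+BIND_IP_CHOICES, BASE_IDMAP, False, SYSTEM_SECURITY_DEFAULT
+)
+assert conf['smb2 leases'] is False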
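Review bot: The new test pins only the case where a MULTI_PROTOCOL_NFS share is present; nothing checks that leases stay untouched without one. A second call with `[BASE_SMB_SHARE]` asserting `'smb2 leases' not in conf` (assuming the base config does not set the key) would catch the setting being applied unconditionally. A case that puts an `smb2 leases` line into `smb_options` would also pin which value wins.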
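--- a/tests/unit/test_smb_share.py
+++ b/tests/unit/test_smb_share.py
@@ -252,8 +252,6 @@ def test__durablehandle(nfsacl_dataset, enabled):
 
 if enabled:
 assert conf['posix locking'] is False
-else:
-assert conf['kernel oplocks'] is True
 
 
 @pytest.mark.parametrize('enabled', [True, False])
@@ -384,6 +382,16 @@ def test__worm_preset(nfsacl_dataset):
 ]
 
 
+def test__multiprotocol_nfs_preset(nfsacl_dataset):
+conf = generate_smb_share_conf_dict(None, BASE_SMB_SHARE | {
+'path': nfsacl_dataset,
+'purpose': 'MULTI_PROTOCOL_NFS',
+}, BASE_SMB_CONFIG)
+
+assert conf['path'] == nfsacl_dataset
+assert conf['kernel oplocks'] == 'True'
+
+
 def test__shadow_copy_off(nfsacl_dataset):
 conf = generate_smb_share_conf_dict(None, BASE_SMB_SHARE | {
 'path': nfsacl_dataset,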
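Review bot: After the `else:` branch is dropped, `test__durablehandle` asserts nothing for `enabled=False`, so the removal of the per-share default is not pinned; `else: assert 'kernel oplocks' not in conf` would do it (assuming the base share sets no auxiliary parameters). In `test__multiprotocol_nfs_preset` the expected value is the string `'True'` where the removed assertion used the bool `True`; a short comment that the value arrives via the preset's `auxsmbconf` string would explain the difference. `test__durablehandle` starts outside the hunk.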