0x8007003B timeout copying large file to Samba server

PROBLEM: 0x8007003B timeout copying large file to Samba server

SOLUTION: This is an SMB.CONF issue, solved / fixed with this line:

strict allocate = no

DESCRIPTION: I had this issue for a long time, and mostly the web mocks people, tells them to do stupid things, or generally is unhelpful.  Lots of 2GB, or “your network” or “your firewall” or “turn off DPI” or whatever, none of it applicable to me.  I just accepted it, but decided to dig a little deeper today.

The exact amount of data written before it fails would vary, but the size from ls would always be the full file size.  On higher-performance filesystems such as XFS, EXT4 and JFS, all of them on NVMe arrays, I found I could get about 55GB allocated before the timeout.  On spinning disk, it was much less, which is probably why many people fell down the rabbit hole of claiming 2GB limits, etc.

Strict Allocate = YES tells it to allocate the whole file upon request, which is what Windows does.  Samba says “OK, hold on”, and then times out.  Some people used PowerShell on a client to change the smbclient timeout to 600 seconds, or whatever, but that’s not really ideal, since it does not scale.

Strict Allocate = NO says to use normal UNIX semantics, where the file has no pre-allocated blocks, and allocates blocks only as the data comes in.  This starts with a fully sparse file, and data copy status on the Windows client shows it processing immediately.  This is what we want for large files.  If it was only small files, then we don’t care.
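The two allocation styles can be compared directly on any UNIX filesystem. The following is an added illustration, not Samba code and not from the original post: it creates one file by setting its length only and one by reserving every block up front, then reports the size ls shows next to the space actually allocated. The function names and the 8 MiB size are chosen for the demo.

```python
import os
import tempfile

SIZE = 8 * 1024 * 1024  # constructed demo size: 8 MiB


def make_file(path, size, preallocate):
    """Create a file of `size` bytes; optionally reserve its blocks up front."""
    fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600)
    try:
        if preallocate:
            # Analogous to what "strict allocate = yes" asks for: every
            # block exists before any data arrives.
            os.posix_fallocate(fd, 0, size)
        else:
            # Normal UNIX semantics: set the length only, leaving a hole.
            os.ftruncate(fd, size)
    finally:
        os.close(fd)
    st = os.stat(path)
    # st_size is what ls -l shows; st_blocks (512-byte units) is what du shows.
    return st.st_size, st.st_blocks * 512


def compare(directory=None):
    """Return (apparent, allocated) byte counts for both allocation styles."""
    with tempfile.TemporaryDirectory(dir=directory) as d:
        sparse = make_file(os.path.join(d, "sparse.bin"), SIZE, False)
        full = make_file(os.path.join(d, "prealloc.bin"), SIZE, True)
    return {"sparse": sparse, "preallocated": full}


if __name__ == "__main__":
    for name, (apparent, allocated) in compare().items():
        print(f"{name:13s} ls size={apparent:>9d}  allocated={allocated:>9d}")
```

Both files report the same length, which is why the size from ls says nothing about how far allocation got.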

I made this a global change.  I don’t need fully pre-allocated, non-sparse files on my file server.  It’s possible someone writing databases might need this, and you’d want to make sure you didn’t feed data faster than the kernel can allocate blocks.  Another one of those multiple filesystems kind of solutions.

When you play with tunables, you run into things that people don’t really know how to troubleshoot.  That’s what this is for, just so it shows up in web searches.


SMB/CIFS 3 on AIX

Mounting should be vaguely similar to the SMB1 mounting you had before.

Download and install SMB Client 3, and “Network Authentication Service” (aka kerberos 5) from here:

https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp

Ensure your Windows 201x server has SMB v3 enabled.

You want a service account in AD to use for your SMB3 mounts on AIX.

 

Notes about options:

encryption should be desired and secure_negotiate should be desired.
signing should be enabled
pver should be 3.0.2
The kerberos realm specified in the “wrkgrp” option must be in all UPPERCASE if your domain is in uppercase.
The username provided for mounting is used for all read/write permissions/access.  
UID and GID default to root.system, but you can specify others.
fmode is the inverse of umask, and what the files’ permissions look like across the whole share.  Default is 755.
port can be 139 (ipv4) or 445 (ipv4 or ipv6).  Default is 445.

 

/etc/filesystems format:

/mnt:
     dev = /corpshare
     vfs = smbc
     mount = true
     options = "wrkgrp=CORP.DOMAIN,signing=enabled,pver=3.0.2,encryption=desired,secure_negotiate=desired"
     nodename = win2016server.corp.domain/sambauser

 

Command line example

mount -v smbc -n win2016server.corp.domain/sambauser/Passw0rd! \
  -o "wrkgrp=CORP.DOMAIN,port=445,signing=required,encryption=required,secure_negotiate=desired,pver=auto" \
  /corpshare /mnt

 

Store the samba credentials

mksmbcred -s win2016server.corp.domain -u sambauser [-p password]

See also lssmbcred, chsmbcred, and rmsmbcred.
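A check for the smbc stanzas described above, as an added example that is not from the original post or from IBM: it parses /etc/filesystems-style text and flags any smbc mount whose options differ from the notes on this page, a lowercase realm, or a password left in nodename. The accepted values are only those that appear on this page, the sample stanzas are constructed, and treating a third nodename field as a password assumes the host/user/password form of the -n argument shown in the command line example.

```python
import re

# Constructed sample; the second stanza is deliberately misconfigured.
SAMPLE = '''
/mnt:
     dev = /corpshare
     vfs = smbc
     mount = true
     options = "wrkgrp=CORP.DOMAIN,signing=enabled,pver=3.0.2,encryption=desired,secure_negotiate=desired"
     nodename = win2016server.corp.domain/sambauser

/scratch:
     dev = /scratch
     vfs = smbc
     options = "wrkgrp=corp.domain,pver=auto,encryption=desired"
     nodename = win2016server.corp.domain/sambauser/ExamplePassword
'''

# Accepted values are limited to the ones this page itself uses.
ALLOWED = {"signing": {"enabled", "required"}, "pver": {"3.0.2"},
           "encryption": {"desired", "required"}, "secure_negotiate": {"desired"}}

def parse_stanzas(text):
    """Return {mount_point: {attribute: value}} for every stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+):\s*$", line)
        attr = re.match(r"^\s+(\w+)\s*=\s*(.*?)\s*$", line)
        if head:
            current = stanzas.setdefault(head.group(1), {})
        elif attr and current is not None:
            current[attr.group(1)] = attr.group(2).strip('"')
    return stanzas

def lint_smbc(text):
    """Return {mount_point: [findings]} for vfs = smbc stanzas only."""
    report = {}
    for mount_point, attrs in parse_stanzas(text).items():
        if attrs.get("vfs") != "smbc":
            continue
        opts = dict(o.split("=", 1) for o in attrs.get("options", "").split(",") if "=" in o)
        findings = [f"{k}={opts.get(k, '<unset>')}"
                    for k, ok in ALLOWED.items() if opts.get(k) not in ok]
        if opts.get("wrkgrp", "") != opts.get("wrkgrp", "").upper():
            findings.append("wrkgrp not uppercase")
        if attrs.get("nodename", "").count("/") > 1:  # assumed host/user/password
            findings.append("password embedded in nodename")
        report[mount_point] = findings
    return report
```

Run it as `lint_smbc(open("/etc/filesystems").read())`; an empty list means the stanza matches the notes above.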

 

Reference 2021:

https://www.ibm.com/docs/en/aix/7.2?topic=protocol-server-message-block-smb-client-file-system 


lancache

TLDR: I now only have to download Microsoft and Steam updates once for all 13 systems in the house.
 
I finally set up a LAN Cache. I got tired of Windows Update sneaking in and eating all of my bandwidth, killing movies, etc. We have 4 regular Steam clients, plus 3 that don’t run very often; and we have 13 Windows 10 systems. It seems like settings always revert, and they update whenever they want, or at 100% bandwidth a few months after setting the throttles low.
 
https://lancache.net/ caches Steam, Windows updates, and several others. It was much easier to set up than a squid webproxy on my router. This should make it so anything that is downloaded only downloads once. I only have 200GB to throw at it right now, but that should help a bunch. I need to set it to auto-start on boot, and to give it more space eventually, but I’m just really happy it’s working now. And Apache, SSLH, and DNSMASQ on the same host are still working.
 
My router already pointed to my server for DNS Masquerading, so I could manually override things. I added a second IP address, and modified lancache.yml to put all services only on the new IP address. I updated dnsmasq.conf to forward to lancache only, because it was not obeying the fallback rules.
 
This means if lancache dies, I have to edit dnsmasq to keep the home network functional. So many layers.

Security Defect in Intel, ARM and AMD processors

THE RISK:
The defect allows a user process to read any system memory.
A VM can read memory from the host or another guest in some environments.

WHAT IS AFFECTED:
This does NOT affect POWER/PPC architecture.
Only some of this affects AMD, and only in some modes.
Almost every ARM and Intel processor since 1995 is affected.
That includes desktops, laptops, servers, cellphones, routers, automobiles with Sync/Onstar/autopilot, etc.

DISCOVERY:
This defect was reported in June, 2017, but due to pervasiveness, has been embargoed.
It is only fully described now because patch notes leaked the problem.

THE FIX:
The actual fix would be replacement of the affected CPUs with new silicon, which does not exist yet.
There is a partial software workaround which decreases system performance.

TECHNICAL:
The issue arises because the processor does not perform access checking prior to loading L1 cache.
Due to this design issue, data can be forced into L1 cache, and read, before access is denied by the TLB.
It’s fairly slow, at around 2k/second, but a long-running process can harvest everything.

Hardware Statuses:
• ARM has provided workarounds to vendors, but it’s up to them to implement.
• Intel’s CEO sold off as much of his stock as possible last year after glowing projections.
• Not a peep from AMD.
• POWER/PPC is not affected.

Software Statuses:
• Windows included a partial workaround in the November security rollup.
• macOS released a partial workaround in December’s 10.13.2.
• Linux included a partial workaround in the mainline kernels 4.15, and 4.14.11.
• The workarounds decrease performance between 1% and 45% depending on the workload.
• Cloud providers are scheduling maintenance in January 2018.
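To confirm whether the Linux workaround is active on a given host, current kernels report per-issue status as one line of text under /sys/devices/system/cpu/vulnerabilities. The following is an added example, not from the original post: it reads those files and classifies each as mitigated, vulnerable, not affected or unknown. The helper names are hypothetical, and the sample status files are constructed so the check also runs on a machine without that directory.

```python
import os
import tempfile

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status):
    """Map one sysfs status line to 'not_affected', 'mitigated' or 'vulnerable'."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"  # "Vulnerable..." or anything unrecognised: fail closed


def read_status(base=VULN_DIR, names=("meltdown", "spectre_v1", "spectre_v2")):
    """Return {name: (classification, raw text)}; a missing file means the
    kernel has no report for that issue and is recorded as 'unknown'."""
    out = {}
    for name in names:
        try:
            with open(os.path.join(base, name)) as fh:
                raw = fh.read().strip()
            out[name] = (classify(raw), raw)
        except OSError:
            out[name] = ("unknown", "")
    return out


def constructed_sysfs(entries):
    """Write constructed sample status files so the check runs on any host."""
    d = tempfile.mkdtemp()
    for name, text in entries.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text + "\n")
    return d


if __name__ == "__main__":
    sample = constructed_sysfs({"meltdown": "Mitigation: PTI",
                                "spectre_v1": "Vulnerable"})
    for name, (state, raw) in read_status(sample).items():
        print(f"{name:11s} {state:12s} {raw}")
```

Call `read_status()` with no arguments to check the live host instead of the constructed sample.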

More Reading:
• Community: https://spectreattack.com
• Google: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
• Workaround: https://en.wikipedia.org/wiki/Kernel_page-table_isolation
• AMD: https://www.amd.com/en/corporate/speculative-execution
• A better write-up: https://techcrunch.com/2018/01/03/kernel-panic-what-are-meltdown-and-spectre-the-bugs-affecting-nearly-every-computer-and-device/
• Outlet that broke the embargo: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/