SMB + SMB2: Accessing shares return an error after prolonged idle period

2022-01-13 16:26 1634 0 Original Linux
Author: hbhe0316

Environment
Red Hat Enterprise Linux 6, 7, 8
SMB
SMB2
Issue
After a period of inactivity, accessing an SMB v1 share returns Permission denied for a user, but not others.
After a period of inactivity, accessing an SMB v2+ share returns Input/output error for a user, but not others.
The following error may be returned in the logs: CIFS VFS: Unexpected lookup error -5
Periodically accessing a share avoids the errors.
Shares have to be unmounted and then remounted to regain access.
Resolution
SMB v1

RHEL 6
The ability for the client to recover from this issue will not be improved in Red Hat Enterprise Linux 6. The maximum version supported by the client in Red Hat Enterprise Linux 6 is SMBv1. Please see the Workaround section for options.

RHEL 7
This issue has been resolved with the errata RHSA-2021:0336 for the package(s) kernel-3.10.0-1160.15.2.el7 or later.

RHEL 8
This issue has been resolved with the errata RHSA-2021:1578 for the package(s) kernel-4.18.0-305.el8 or later.

Workaround
Periodically access the SMB share to prevent the session from being closed.
Extend the session length timer on the SMB server.
Use SMB v2+.

SMB v2+

RHEL 7.5
This issue has been resolved with the errata RHSA-2018:3459 for the package(s) kernel-3.10.0-862.20.2.el7 or later.

RHEL 7
This issue has been resolved with the errata RHSA-2018:3083 for the package(s) kernel-3.10.0-957.el7 or later.

RHEL 8
RHEL 8 is not impacted by this issue.

Root Cause
Historically, RHEL SMB clients did not attempt to reconnect to an SMB server after receiving STATUS_USER_SESSION_DELETED.
The commit below changes RHEL SMB client behavior for SMB v2+: after receiving STATUS_USER_SESSION_DELETED, the client is forced to reconnect to the SMB server instead of returning Input/output error when the share is accessed.

From 5ed415cf8a380136312352b9073d71e49548f819 Mon Sep 17 00:00:00 2001
From: Mark Syms <mark.syms@citrix.com>
Date: Thu, 24 May 2018 09:47:31 +0100
Subject: [PATCH] CIFS: 511c54a2f69195b28afb9dd119f03787b1625bb4 adds a check
 for  session expiry, status STATUS_NETWORK_SESSION_EXPIRED, however the
 server can also respond with STATUS_USER_SESSION_DELETED in cases  where the
 session has been idle for some time and the server reaps  the session to
 recover resources.

Handle this additional status in the same way as SESSION_EXPIRED.

Signed-off-by: Mark Syms <mark.syms@citrix.com>
---
 fs/cifs/smb2ops.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 7c0edd2..33fa7fc 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1323,10 +1323,11 @@ static bool smb2_set_sparse(const unsigned int xid, struct cifs_tcon *tcon,
 {
        struct smb2_sync_hdr *shdr = get_sync_hdr(buf);

-       if (shdr->Status != STATUS_NETWORK_SESSION_EXPIRED)
+       if (shdr->Status != STATUS_NETWORK_SESSION_EXPIRED &&
+           shdr->Status != STATUS_USER_SESSION_DELETED)
                return false;

-       cifs_dbg(FYI, "Session expired/n");
+       cifs_dbg(FYI, "Session expired or deleted/n");
        return true;
 }
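
Review bot: the cifs_dbg() format string on the added line ends in "/n" where a newline escape "\n" is expected (the removed line has the same), so as shown the message would log a literal "/n" and no line break; it should read "Session expired or deleted\n". With two statuses now taking the same path, the message also no longer says which one the server sent, so consider including shdr->Status in the debug output. Separately, the Subject line carries the whole description; a short summary line with the explanation in the body would read better in the log.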

However, there is currently no transparent recovery for RHEL7 or RHEL8 as noted here. This means that the session will recover, but EAGAIN may be leaked to an application when requesting up-to-date inode information.
Diagnostic Steps
Record client-side network traffic while the client is accessing the SMB share.

On an unpatched system, the client is unable to establish a new connection for SMB2.

```
48 2019-06-14 10:00:31.798107     192.0.2.20 → 192.0.2.10     SMB2 174 Negotiate Protocol Request
49 2019-06-14 10:00:31.798278     192.0.2.10 → 192.0.2.20     SMB2 291 Negotiate Protocol Response
50 2019-06-14 10:00:31.798292     192.0.2.20 → 192.0.2.10     TCP 68 55455 → 445 [ACK] Seq=107 Ack=224 Win=30336 Len=0 TSval=676258257 TSecr=456963500
51 2019-06-14 10:00:31.798319     192.0.2.20 → 192.0.2.10     SMB2 192 Session Setup Request, NTLMSSP_NEGOTIATE
52 2019-06-14 10:00:31.798476     192.0.2.10 → 192.0.2.20     SMB2 386 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
53 2019-06-14 10:00:31.798527     192.0.2.20 → 192.0.2.10     SMB2 484 Session Setup Request, NTLMSSP_AUTH, User: admin
54 2019-06-14 10:00:31.798698     192.0.2.10 → 192.0.2.20     SMB2 144 Session Setup Response
55 2019-06-14 10:00:31.798726     192.0.2.20 → 192.0.2.10     SMB2 232 Tree Connect Request Tree: //cifs_server/shared_data
56 2019-06-14 10:00:31.798835     192.0.2.10 → 192.0.2.20     SMB2 145 Tree Connect Response, Error: STATUS_USER_SESSION_DELETED
57 2019-06-14 10:00:31.798859     192.0.2.20 → 192.0.2.10     SMB2 140 Session Logoff Request
58 2019-06-14 10:00:31.798980     192.0.2.10 → 192.0.2.20     SMB2 145 Session Logoff Response, Error: STATUS_USER_SESSION_DELETED
```

The communication finishes with the error STATUS_USER_SESSION_DELETED, which is described in the protocol as:

```
STATUS_USER_SESSION_DELETED - The user session specified by the client has been deleted on the server.
```

A patched system shows that the SMB client creates a new session after receiving STATUS_USER_SESSION_DELETED:

```shell
$ tshark -tad -n -r deleted_session.pcap -Y 'smb2 && frame.number in {836..898}'
  836 2021-02-03 14:40:52.146720 192.0.2.159 → 192.0.2.132 SMB2 168 Find Request File:  SMB2_FIND_ID_FULL_DIRECTORY_INFO Pattern: *
  837 2021-02-03 14:40:52.147087 192.0.2.132 → 192.0.2.159 SMB2 143 Find Response, Error: STATUS_NO_MORE_FILES SMB2_FIND_ID_FULL_DIRECTORY_INFO Pattern: *
  838 2021-02-03 14:40:52.149082 192.0.2.159 → 192.0.2.132 SMB2 158 Close Request File: 
  839 2021-02-03 14:40:52.149443 192.0.2.132 → 192.0.2.159 SMB2 194 Close Response
  857 2021-02-03 14:41:08.910419 192.0.2.159 → 192.0.2.132 SMB2 198 Create Request File: 
  858 2021-02-03 14:41:08.911356 192.0.2.132 → 192.0.2.159 SMB2 143 Create Response, Error: STATUS_USER_SESSION_DELETED
  865 2021-02-03 14:41:08.920313 192.0.2.159 → 192.0.2.132 SMB2 172 Negotiate Protocol Request
  867 2021-02-03 14:41:08.923798 192.0.2.132 → 192.0.2.159 SMB2 318 Negotiate Protocol Response
  872 2021-02-03 14:41:08.934015 192.0.2.159 → 192.0.2.132 SMB2 80 Session Setup Request
  874 2021-02-03 14:41:08.936261 192.0.2.132 → 192.0.2.159 SMB2 164 Session Setup Response
  875 2021-02-03 14:41:08.936333 192.0.2.159 → 192.0.2.132 SMB2 216 Tree Connect Request Tree: //win2k16-dfs1.example.net/greendale
  876 2021-02-03 14:41:08.936776 192.0.2.132 → 192.0.2.159 SMB2 150 Tree Connect Response
  877 2021-02-03 14:41:08.938886 192.0.2.159 → 192.0.2.132 SMB2 206 Tree Connect Request Tree: //win2k16-dfs1.example.net/IPC$
  878 2021-02-03 14:41:08.939305 192.0.2.132 → 192.0.2.159 SMB2 150 Tree Connect Response
  880 2021-02-03 14:41:08.947958 192.0.2.159 → 192.0.2.132 SMB2 80 Session Setup Request
  882 2021-02-03 14:41:08.949369 192.0.2.132 → 192.0.2.159 SMB2 164 Session Setup Response
  883 2021-02-03 14:41:08.949424 192.0.2.159 → 192.0.2.132 SMB2 216 Tree Connect Request Tree: //win2k16-dfs1.example.net/greendale
  884 2021-02-03 14:41:08.949803 192.0.2.132 → 192.0.2.159 SMB2 150 Tree Connect Response
  885 2021-02-03 14:41:08.950196 192.0.2.159 → 192.0.2.132 SMB2 206 Tree Connect Request Tree: //win2k16-dfs1.example.net/IPC$
  886 2021-02-03 14:41:08.950651 192.0.2.132 → 192.0.2.159 SMB2 150 Tree Connect Response
  895 2021-02-03 14:41:10.040311 192.0.2.159 → 192.0.2.132 SMB2 198 Create Request File: 
  896 2021-02-03 14:41:10.040949 192.0.2.132 → 192.0.2.159 SMB2 222 Create Response File: 
  898 2021-02-03 14:41:10.048646 192.0.2.159 → 192.0.2.132 SMB2 174 GetInfo Request FILE_INFO/SMB2_FILE_ALL_INFO File:
```
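
The comparison in the Diagnostic Steps can be automated; the following is an added example, not part of the original article or of the kernel patch. It reads tshark summary lines in the format shown above and reports, per client and server pair, whether a successful Tree Connect Response followed STATUS_USER_SESSION_DELETED. Treating that as the sign of recovery is an assumption drawn from the two traces on this page, and `classify`, `UNPATCHED` and `PATCHED` are names chosen for the example.

```python
import re

# One-line tshark summary as printed with `-tad -n` (the format used on this page).
LINE = re.compile(
    r"^\s*(?P<frame>\d+)\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)"
    r"\s+SMB2\s+\d+\s+(?P<info>.*)$"
)
DELETED = "Error: STATUS_USER_SESSION_DELETED"

# Frames excerpted from the two captures shown in this article.
UNPATCHED = """
54 2019-06-14 10:00:31.798698     192.0.2.10 → 192.0.2.20     SMB2 144 Session Setup Response
55 2019-06-14 10:00:31.798726     192.0.2.20 → 192.0.2.10     SMB2 232 Tree Connect Request Tree: //cifs_server/shared_data
56 2019-06-14 10:00:31.798835     192.0.2.10 → 192.0.2.20     SMB2 145 Tree Connect Response, Error: STATUS_USER_SESSION_DELETED
58 2019-06-14 10:00:31.798980     192.0.2.10 → 192.0.2.20     SMB2 145 Session Logoff Response, Error: STATUS_USER_SESSION_DELETED
"""
PATCHED = """
  858 2021-02-03 14:41:08.911356 192.0.2.132 → 192.0.2.159 SMB2 143 Create Response, Error: STATUS_USER_SESSION_DELETED
  874 2021-02-03 14:41:08.936261 192.0.2.132 → 192.0.2.159 SMB2 164 Session Setup Response
  876 2021-02-03 14:41:08.936776 192.0.2.132 → 192.0.2.159 SMB2 150 Tree Connect Response
"""


def classify(summary_text):
    """Map (client, server) -> ("recovered"|"stuck", deleted_frame, recovery_frame)."""
    pending = {}   # (client, server) -> frame of the first unanswered deletion
    verdicts = {}
    for line in summary_text.splitlines():
        m = LINE.match(line)
        if not m or "Response" not in m["info"]:
            continue  # skip TCP/blank lines and client requests (heuristic on the Info text)
        info, frame = m["info"], int(m["frame"])
        pair = (m["dst"], m["src"])  # a response travels server -> client
        if DELETED in info:
            verdicts[pair] = ("stuck", pending.setdefault(pair, frame), None)
        elif (pair in pending and info.startswith("Tree Connect Response")
              and "Error:" not in info):
            # Assumption: a clean Tree Connect after the deletion means the session was re-established.
            verdicts[pair] = ("recovered", pending.pop(pair), frame)
    return verdicts


if __name__ == "__main__":
    for name, trace in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, classify(trace))
```

A pair reported as "stuck" matches the unpatched behaviour described above, where the share has to be unmounted and remounted to regain access.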
