After a SLES 15 server was upgraded to SLES 15 SP2, monitoring checks on the Samba shares stopped working. Instead of returning the current share status with free/available disk space, the plugin returned an error:
root@icinga:~# /usr/lib/nagios/plugins/check_disk_smb -H sles15sp2 -s IMPORT
Result from smbclient not suitable
To compare potential differences, another Samba server, still running on SLES 15 (without Service Pack), was used.
A quick check in the rpm list showed that Samba was updated from 4.7 (SLES 15) to 4.11 (SLES 15 SP2):
ck@sles15:~> rpm -qa | grep ^samba
samba-libs-4.7.11+git.153.b36ceaf2235-4.27.1.x86_64
samba-client-4.7.11+git.153.b36ceaf2235-4.27.1.x86_64
samba-4.7.11+git.153.b36ceaf2235-4.27.1.x86_64
ck@sles15sp2:~> rpm -qa|grep ^samba
samba-client-4.11.14+git.202.344b137b75d-4.14.1.x86_64
samba-libs-python3-4.11.14+git.202.344b137b75d-4.14.1.x86_64
samba-4.11.14+git.202.344b137b75d-4.14.1.x86_64
samba-libs-4.11.14+git.202.344b137b75d-4.14.1.x86_64
But the version is not the only thing which changed. Taking a closer look at the Samba configuration (using testparm) showed one particular - and important - change.
On SLES 15 the client and server protocols are defined as the following:
sles15:~ # testparm -v | grep -i prot
client ipc max protocol = default
client ipc min protocol = default
client max protocol = default
client min protocol = CORE
server max protocol = SMB3
server min protocol = LANMAN1
On the SLES 15 SP2 server, the protocols are different:
sles15sp2:~ # testparm -v | grep -i prot
client ipc max protocol = default
client ipc min protocol = default
client max protocol = default
client min protocol = SMB2_02
server max protocol = SMB3
server min protocol = SMB2_02
With the SP2 installation, the minimum SMB protocol requirements have changed to use SMB2_02.
As the Samba shares are checked from the monitoring server(s) using the check_smb_disk plugin, it is important to find out which version this Samba client is using.
By launching smbclient manually on the client side and keeping an eye on smbstatus on the server side, the used Samba protocol version can be identified:
root@icinga:~# smbclient //SLES15/IMPORT -U -c
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.7.11-git.153.b36ceaf22354.27.1-SUSE-oS15.0-x86_64]
smb: \>
sles15:~ # smbstatus | grep icinga
23015 nobody nobody icinga (ipv4:10.10.100.15:56958) NT1 - -
IMPORT 23015 10.166.100.15 Thu Mar 18 09:48:34 2021 CET - -
This means, that the monitoring server by default uses NT1 as SMB protocol.
This works fine on the SLES 15 server as the required minimum protocol there is set to LANMAN1, which is lower than NT1. But the SLES 15 SP2 server now requires a minimum version of SMB 2_02, therefore the connection fails:
root@icinga:~# smbclient //SLES15SP2/IMPORT -c
WARNING: The "syslog" option is deprecated
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
To be able to connect to the SLES 15 SP2 Samba server, the SMB protocol needs to be raised on the client side. In general this could be done by setting a higher version of the "client min protocol" option in /etc/smb/smb.conf, but this would then be used for all SMB connections. In this particular situation the defaults on the monitoring server should be kept, but a higher protocol version should be used for this SLES 15 SP2 server.
This can be achieved by creating a separate config file which overwrites the defaults from smb.conf:
root@icinga:~# cat /etc/samba/SLES15SP2.conf
[global]
client min protocol = SMB2_02
client max protocol = SMB3
In this config file (/etc/samba/SLES15SP2.conf), the same protocol versions are configured as defined on Samba server side.
This specific config file can now be used with smbclient with the optional -s parameter:
root@icinga:~# smbclient -s /etc/samba/SLES15SP2.conf //SLES15SP2/IMPORT -c
Enter root's password:
smb: \>
Looking at smbstatus on the SLES 15 SP2 server reveals, that the connection indeed worked:
sles15sp2:~ # smbstatus | grep icinga
17916 nobody nobody icinga (ipv4:10.10.100.15:50134) SMB3_11 - -
IMPORT 17916 10.166.100.15 Thu Mar 18 11:46:53 2021 CET - -
This time smbclient used the highest available protocol version (SMB3_11) to connect.
As seen above, smbclient is able to use a specific configuration file for a connection. To make check_disk_smb support this option, I created a pull request in both nagios-plugins and monitoring-plugins projects, already back in 2016. And I wrote about this code change in an older blog post (check_disk_smb: Access denied when monitoring share on old Samba server).
Meanwhile five years have passed (!) and my code change was merged in nagios-plugins project. The additional parameter -C is available in nagios-plugins since version 2.3.0. Unfortunately the code still has not yet been merged in the monitoring-plugins project. Debian and Ubuntu packages are using monitoring-plugins as upstream source, RedHat and CentOS packages use nagios-plugins as upstream project. To be able to use the -C parameter, you should probably use the latest version from the nagios-plugins project.
The -C parameter in check_disk_smb does the same as using the -s parameter in smbclient: It loads a specific Samba configuration file for this specific Samba connection:
root@icinga:~# /usr/lib/nagios/plugins/check_disk_smb -H sles15sp2 -s IMPORT -C /etc/samba/SLES15SP2.conf
Disk ok - 1718.16G (85%) free on \\sles15sp2\IMPORT | 'IMPORT'=318563057664B;1838915763404.8;2055258794393.6;0;2163430309888
And the check works again!
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office OpenSearch PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder