Why people combine NFS with Samba servers

October 5, 2010

One of the things that the Samba people say in response to certain problem reports is that you should not use Samba on NFS-mounted filesystems. This is impractical advice in many production environments, and I will tell you why: namespaces. Or less abstractly, making it so that users do not have to know what fileserver their files come from.

We are not atypical as midsized environments go, and right now we have four fileservers and around two hundred filesystems distributed between those fileservers. We do not particularly want users to have to know or care exactly which fileserver hosts their home directory (partly because it can change sometimes). This is easy on Unix machines, where users just use filesystem names and the sysadmins make sure that those filesystems are mounted from the right places; the result is a single global namespace of filesystems.

Using Samba to re-export NFS mounts allows us to preserve this property for SMB/CIFS clients as well, in a straightforward configuration. We have one Samba server which users map shares from, and they don't have to care where the storage really comes from. From both the user perspective and the Samba perspective, NFS is fusing multiple fileserver namespaces together into a single global namespace where everyone is indifferent as to where the files are really coming from.

It looks like it is at least theoretically possible to use SMB features to do a pure-Samba version of this fused namespace (you can, under some circumstances, make a Samba share that just redirects clients to another SMB server). However, it also appears that the Samba configuration would be significantly more complicated, and I don't know if clients expose the SMB redirections involved to the users (this would be undesirable).

Of course this omits the elephant in the corner of the room, namely having to run Samba on your fileservers. In our case this would be highly undesirable purely on practical grounds. For others it is alarming because of load and security; you are running much more on your fileservers, both in terms of processes and in terms of a large amount of code that has historically had a number of security issues. Sticking NFS in the middle gives you significantly more isolation.


Comments on this page:

From 78.94.202.93 at 2010-10-05 04:00:18:

What about using Windows NFS clients to avoid Samba servers?

Is this an option in practice?

PS: Is it somehow possible to post comments without publicizing the IP address?

From 207.112.67.77 at 2010-10-05 08:12:15:

From my little world of 4 Windows shares and 1 read-only NFS I am in awe of your "mid-sized" system.

When you say 4 servers and 200 filesystems, are the servers combining the filesystems into one namespace, or are the servers exporting 200 filesystems? Why so many filesystems?

Given a big budget would it be feasible to convert the 4 servers into one server? Would it make management easier?

WRT NFS for Windows, when I last looked at this the user mapping was a massive mess. I could see using it for a few users but I cannot see how it would scale. It is entirely possible that I was missing something.

By cks at 2010-10-05 11:49:59:

As far as I can see, having Windows machines use NFS has two large problems. First, it would expose the whole 'which filesystem comes from which server' issue to them. Second, as far as I know it has much worse practical security issues with access control.

Having the IP address appear can (only) be avoided by having an already established identity here. I have to set these up by hand, but I'm happy to do so for people who are going to be (semi-)regular commentators. Send me email to let me know the name you want (it has to be ASCII with no whitespace, but mixed case and '.' and so on is allowed).

From 63.171.219.94 at 2010-10-05 16:49:42:

Have you ever considered using NetApp for your storage? It seems like you are constantly fighting ZFS, NFS, SMB and other storage oddities. NetApp would probably just work without all the fighting. Mapping between CIFS and NFS happens transparently.

By cks at 2010-10-05 17:29:38:

NetApps are expensive, especially if you want hardware redundancy. We're (part of) a university, operating on a relatively shoestring budget; this is why we've assembled this environment from inexpensive, do it yourself components.

(You can argue that staff time is expensive enough that a NetApp pays for itself, but that's a hard argument at universities.)

By has at 2022-07-14 03:05:43:

At one very large (engineering-oriented) site that I’m aware of, all of the Unix NFS file systems are also exported from their originating hosts as Samba shares, then joined together for the Windows clients in one massive MSDFS that is maintained by scripts, based on the automount tables. A Linux client would use /data/stuff and Windows could use \\thedfs\data\stuff to get to the same place.
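A sketch of how an MSDFS root can be kept in step with an automount map, as the last comment describes. This is an added example, not that site's scripts and not part of any comment. It assumes an indirect map for /data, a Samba share named after each map key on the originating fileserver, and a target directory exported with `msdfs root = yes`; the names and sample map are constructed.

```python
import os
import re

# Constructed sample of an indirect automount map for /data (not from the page).
SAMPLE_MAP = """\
# key   options     location
stuff   -rw,hard    fs1:/export/stuff
homes               fs2:/export/homes
../etc  -rw         fs3:/export/bad
multi   -ro         fs1:/a fs2:/a
"""

# Keys become file names inside the DFS root, so only plain names are accepted.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def parse_automount_map(text):
    """Return {key: server} for single-location entries with safe names."""
    links = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        locations = [f for f in fields[1:] if not f.startswith("-")]
        if len(locations) != 1 or ":" not in locations[0]:
            continue  # blank, comment, or replicated entry: handle by hand
        key, server = fields[0], locations[0].split(":", 1)[0]
        if NAME_RE.fullmatch(key) and NAME_RE.fullmatch(server):
            links[key] = server
    return links

def msdfs_target(server, share):
    """Symlink target that Samba treats as a DFS referral."""
    return "msdfs:%s\\%s" % (server, share)

def sync_dfs_root(root, links):
    """Make the symlinks in root match links; return the names that changed."""
    changed = []
    for name in os.listdir(root):
        if os.path.islink(os.path.join(root, name)) and name not in links:
            os.unlink(os.path.join(root, name))
            changed.append(name)
    for key, server in links.items():
        path, want = os.path.join(root, key), msdfs_target(server, key)
        if os.path.islink(path):
            if os.readlink(path) == want:
                continue
            os.unlink(path)
        os.symlink(want, path)  # raises rather than clobber a real file
        changed.append(key)
    return sorted(changed)
```

The name check matters because map keys are used as file names: an entry such as `../etc` is dropped instead of producing a link outside the DFS root.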

Written on 05 October 2010.

Last modified: Tue Oct 5 01:28:23 2010