Jamf Nation Community

I've read and tried all of that and the results are still not worth the effort.

Compared to 10.6.8 or Windows SMB browsing, mavericks is just terrible. I was hoping something new has come up.

@tnielsen

I hear you on that! File sharing turned a little hairy with 10.9 on a few fronts. Most of the other issues were taken care of by 10.9.4 (10.9.2 and 10.9.3 took care of a lot of the AFP and WebDAV issues, thankfully!), but that SMB2 vs SMB on Windows thing looks like one of their sticky ones.
The issue between SMB2 and SMB on Windows 2008R2 is one we've been looking into for some time, since it's had a pretty negative effect on Casper Admin and its ability to not only compile configurations but to even mount Windows based distribution points entirely. Not a fun situation for anyone.

I'd love for something new to come up as well, from a JAMF point and just in general, as we're very aware that this is a pretty inconvenient problem for customers who are in a heavy Windows environment or who have a Windows SMB share as their primary distribution point. It's pretty frustrating for customers and for support (believe me, nobody here likes having to say 'it's a third party issue and we don't really have a good/easy way around it yet'!) and there doesn't yet seem to be a good way to get around it effectively. If there is, I've just been super unlucky in finding it.

The defect we have open is actively being worked on. I had a chat with one of our developers about it yesterday, though it was more confirming what was being seen and asking about some of the workarounds found on Apple's Forums and with the blog post mentioned. I'd guess they're hoping to avoid having to slow things down to use the older SMB protocol, which isn't a bad thing to want to avoid.

We do watch the Apple discussion forums as well, and it looks like it's a pretty widespread thing when Windows servers are involved (from what I'm seeing, at least where the JSS is involved, it appears that it's still working mostly okay with Linux SMB shares). It would be nice to see some more compatibility built in on the Mavericks side of things, or at least an update to get some better backwards compatibility going, but we may be stuck with the workarounds until that happens.

If you don't mind sharing, what did you see in terms of behavior when trying some of those workarounds? On my test machines, I saw a slight improvement and one share point that was unable to be mounted in Casper Admin would finally mount, but it was still pretty slow transferring data, and I still couldn't compile configurations.

I've got this thread (and the other one) bookmarked to watch for updates, and if I manage to dig up anything new/different, it'll certainly be posted.

Amanda Wulff
JAMF Software Support

@tnielsen

Found a couple more threads that might have something useful to try if you haven't seen them already:

https://discussions.apple.com/thread/5483728

One poster there mentioned that doing the following helped in their environment:

- Set Lan Manager Authentication Level to "Send NTLMv2 response only"
- Connect from the client without specifying a domain, just enter the shortname and password.

There are some of the longer discussions on the matter on Apple’s discussion forums, most of them having been started last fall and a good chunk of them still being active until very recently; I haven’t had time to go through all of the pages, but mixed in with the ‘me too!’ replies, there are things others have tried to try and get it working in the thread below.

It looks like the most common workarounds out there are the ones that have already come up here, but there were some Windows side workarounds that may be worth looking into.

https://discussions.apple.com/thread/5500165 <— this one has a few different settings to change on the Windows side of things, usually through PowerShell. Sweetcider went into a little more detail on the changes made in PowerShell.

A couple people there said enabling “Force NetBios over TCP/IP” on the Windows side helped the speeds in their environments.

On page 6 of that thread, the user Jorge Secco Caetano posted a couple of registry keys to try changing as well; a couple users reported having success with that, so it may be worth looking into. User ncalliari expanded on that with the DWORD values that were necessary.

The common threme I’m seeing in the above thread is that there isn’t a single workaround (yet) that works for everyone, which isn’t exactly what I was hoping to find.

A lot of the other threads were just echoes of ‘me too’, but didn’t have much for suggestions, so I haven’t included links to those.

Amanda Wulff
JAMF Software Support

Also there are major issues with Mavericks and certain NAS devices. We have an EMC SAN and for our accounting team we had to backtrack to 10.8.5 plus added a couple of Win8 laptops.

Hopefully this issue will be resolved with 10.10, however by then, we will probably have our entire accounting staff on Win8 :(

Corbin

What model of EMC device do you have, @corbin3ci? We have two VNX5300's that host a couple of our distribution points for Casper. I've not had any issues with them and Casper Admin, but we're getting ready to section off another part of the SAN for end user file storage, so your post has me a bit worried. What issues have you seen? Any official response from EMC on it?

Thanks,
Eric

I believe the Clarion model. Here is the thread with further discussions -

https://jamfnation.jamfsoftware.com/discussion.html?id=8860

Corbin

Hmmm... We have some AX-4's but they're no longer in production. The MacEnterprise post referenced in the linked JAMFNation post died after someone suggested 10.9.2 fixed it. I'm on 10.9.4 and though I can change permissions--which isn't a desirable behavior--it at least appears as though the permissions aren't getting screwed up to the point where the file is invisible or gets deleted. After making some changes and attempting to view permissions from Windows however, I do receive the "some permissions are incorrectly ordered" error. Sheesh, guess I now have something else to worry about and do more testing on...

@amanda.wulff

I appreciate your response very much. Thank you. Over the course of the last two years, I've tried just about all of these methods. In the end, it wasn't worth the micromanagement, nor the possible problems it would create which I'd then have to take into account for future trouble shooting.

I'm at the point where we're looking into 3rd party tools to accomplish the speeds and reliability we want.

@tnielsen

Ouch, yeah, it's a pretty nasty one that causes everyone (including us!) a lot of headaches. It's especially frustrating since it seems to be an OS level thing, which makes it so much harder for us to be able to provide a reliable fix or workaround for as well.

If you do come across something that helps with SMB2 -> SMB communication, please post about it as I'm sure there are a lot of us that would love to take a look at it and try it out.

What we've been seeing lately is that 2012 servers seem to handle it a little better than the 2008 servers, where the problem seems almost universal, so that's at least one small positive sign; we've also notice that Linux SMB shares are a little more reliable with it as well, which can be helpful.

For the most part, for the Windows 2008 shares, we've started recommending getting an HTTP share going, or seeing if it's possible to spin up a Linux box or a Mac to run an AFP (a little extra legwork to do that in Linux, but it's possible) share, a JDS, or SMB2 (if a Mac) share from instead since it's been so tricky to find workarounds for the SMB2/SMB on Windows problems that work reliably.

Amanda Wulff
JAMF Software Support

This has been coming up frequently in my environment this year as we continue to decommission Xserves for file sharing. Casper implications aside, I've resorted to the position of:

"it's an industry wide problem that's been around for years and none of the hundreds of reported fixes are reliable"

and the only real solution is ExtremeZ-IP; which no one want's to pay the premium for. It's high, but I'd happily pay it to make this nonsense disappear.

We took this issue to our named Apple SE last month, who connected us with a consultant. He would not entertain troubleshooting with anything below 10.9 (900 machines in my case!). And after running a variety of packet traces with 10.9/SMB2, he then asked us to test with the new public beta as:

"there is reason to believe Yosemite may improve your experience".

Just yesterday as I was looking for additional reports of the 'Windows deduplication permissions bug' (have you seen that yet? Good Grief!); I came across this post:

http://macsmbissues.com/forums/topic/any-other-file-issues/page/2/

Take a look at the last post by Michael P. I'll only believe it when I see it, but a glimmer of hope maybe...

@dpertschi

And after running a variety of packet traces with 10.9/SMB2, he then asked us to test with the new public beta as: "there is reason to believe Yosemite may improve your experience".

That would be such a massive relief to everyone who needs to use Windows SMB shares if it turns out to be the case.
I'd be very happy (and I'd guess I could speak for everyone in Support on that as well!) to not have to tell people, "We can't really use a Windows share right now due to this issue, here are some things to try, but there's no guarantee any of it will work," and I'm sure admins would be over the moon to not have to try and troubleshoot it only to find that it's an OS level incompatibility with no current fix or workaround.

Amanda Wulff
JAMF Software Support

WOW, I can't believe there's a site dedicated to the SMB problem. That's hilariously sad.

For the record, I can confirm that 10.10 shows no improvement, at least in it's beta mode. I was really hoping it did.

Ah well.

@tnielsen

I have to admit, I laughed at the sinking ship graphic.

Less funny is the fact that the 10.10 beta didn't seem to help out in your situation, though. Maybe the final release will be a bit better with it. It would be nice if it not doing much in beta was just a quirk of the beta.

Amanda Wulff
JAMF Software Support

@amanda.wulff

Apple engineering provided me with a solution today. I have Windows 2008 R2 with SMB shares and my macs are running 10.9.4 and bound to AD.

My environment seems to be working with Access Based Enumeration off and forcing SMB1 on each client.

In order to enforce SMB1 on a mac client:

1. Create the Global Config: $ sudo -s $ sudo echo "[default]" >> /etc/nsmb.conf $ sudo echo "smb_neg=smb1_only" >> /etc/nsmb.conf
2. Restart the OS X Client
3. create a new AD Test user
4. Login and check if the issue still persist

See the end of Jamf thread 10168 for more details.

@jake.snyder and @amanda.wulff Thanks ! I found this very helpful (and yet also troubling). I was having problems with slow sync times with 10.10.4 and 10.10.5 Mac clients that were connecting to Windows servers.

Many of these users were previously on 10.8.x so those machine would have only done SMB1 anyway.

I implemented the fix from @jake.snyder's post and it instantly was able to sync much faster. The troubling part of this is that you would think that at 10.10.5 this should be fixed. Is it an Apple or Microsoft issue ? Didn't Apple actually license SMB2 and 3 from Microsoft ? Do others still have this issue on 10.10.x machines ?

We were also having a bunch of issues trying to get DFS to work correctly but that is another story. But this issue was also making trying to sort out that problem worse as well.

Thanks @amanda.wulff for the help! I'm currently testing CIFS instead of the current SMB for OS X 10.10. CIFS is MUCH more consistent and stable than smb.

So much troubles connecting our users to their network home folder (Windows Server 2012).

I have the same issues with some Macs. CIFS often seems to work much better than SMB when connecting to Windows Server shares - in this case Server 2012 R2, fully-patched. Recent incarnations of MacOS up to and including Mojave. Workgroup (not AD) access.