moby: New-SmbGlobalMapping don't continued working in Container

I have report same New-SmbGlobalMapping problem in here. Sorry, I don’t know where is right area.

https://github.com/docker/for-win/issues/2606

Steps to reproduce the issue: Host 1: File Server

Server Core 1803

New-SmbShare -Name DocFiles -Path "D:\DocFiles\" -FullAccess  Everyone

Host 2: docker Host

$creds = Get-Credential
New-SmbGlobalMapping -RemotePath \\Host1\\DocFiles -Credential $creds -LocalPath Z:

Run Swarm Service

docker service create `
--name docfiles `
--replicas=1 `
--constraint 'node.labels.osname == Host2' `
--mount "type=bind,source=Z:\images,destination=C:\inetpub\wwwroot\images" `
--publish published=8080,target=80,protocol=tcp `
microsoft/iis:windowsservercore-1803

Run docker-compose

version: '3'
services:

  docfiles:
    container_name: docfiles
    image: microsoft/iis:windowsservercore-1803
    ports:
      - "7003:80"
    volumes:
      - Z:\images\:C:\inetpub\wwwroot\images\

Run docker run

docker run -d -p 7003:80 -v Z:\images\:C:\inetpub\wwwroot\images\ microsoft/iis:windowsservercore-1803

Describe the results you received:

Now, I can access Host 2 images folder data from IIS service. but wait a minute, will get HTTP 500. ( swarm, compose, docker run same result)

Run docker exec into container, run dir C:\inetpub\wwwroot\ or dir C:\inetpub\wwwroot\images will get access deny message.

PS C:\inetpub\wwwroot> dir
dir : Access to the path 'C:\inetpub\wwwroot' is denied.
At line:1 char:1
+ dir
+ ~~~
    + CategoryInfo          : PermissionDenied: (C:\inetpub\wwwroot:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

Describe the results you expected:

Mount New-SmbGlobalMapping command disk (or folder) to container volume and continued working.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:      18.03.1-ee-2
 API version:  1.37
 Go version:   go1.10.2
 Git commit:   ebbcd7e
 Built:        Tue Jul 10 21:32:32 2018
 OS/Arch:      windows/amd64
 Experimental: false

Server:
 Engine:
  Version:      18.03.1-ee-2
  API version:  1.37 (minimum version 1.24)
  Go version:   go1.10.2
  Git commit:   ebbcd7e
  Built:        Tue Jul 10 21:49:06 2018
  OS/Arch:      windows/amd64
  Experimental: true

Output of docker info:

Containers: 11
 Running: 9
 Paused: 0
 Stopped: 2
Images: 35
Server Version: 18.03.1-ee-2
Storage Driver: windowsfilter (windows) lcow (linux)
 Windows:
 LCOW:
Logging Driver: json-file
Plugins:
 Volume: local
 Network: ics l2bridge l2tunnel nat null overlay transparent
 Log: awslogs etwlogs fluentd gelf json-file local logentries splunk syslog
Swarm: active
 NodeID: katfcy8mm46drlotguaen45x3
 Is Manager: true
 ClusterID: mkzqq3nudssg6hlu9wkfc8bz8
 Managers: 3
 Nodes: 3
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 10
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
  Force Rotate: 0
 Autolock Managers: false
 Root Rotation In Progress: false
 Node Address: x.x.x.223
 Manager Addresses:
  x.x.x.223:2377
  x.x.x.224:2377
  x.x.x.225:2377
Default Isolation: process
Kernel Version: 10.0 17134 (17134.1.amd64fre.rs4_release.180410-1804)
Operating System: Windows Server Datacenter Version 1803 (OS Build 17134.112)
OSType: windows
Architecture: x86_64
CPUs: 8
Total Memory: 16GiB
Name: host2
ID: QBMU:FFGX:6VJK:XX4C:KLJX:A753:TRIS:THT3:OZAX:XAE2:HQ2Q:KF4M
Docker Root Dir: D:\docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

Docker Host is VM, Running Windows Server Core 1803

PS C:\WINDOWS\system32> systeminfo

Host Name:                 Host2
OS Name:                   Microsoft Windows Server Standard
OS Version:                10.0.17134 N/A Build 17134
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free

About this issue

Original URL
State: closed
Created 6 years ago
Reactions: 6
Comments: 17 (1 by maintainers)

Most upvoted comments

Hi, Just use the -RequirePrivacy $true along with the New-SMBGlobalMapping.

MUP cache seems to be a problem here. The MUP cache clears every 15 minutes and the credentials to the SMB File Share are not saved.

New commands looks like - New-SMBGlobalMapping -RemotePath \contosofileserver\share1 -LocalPath G: -RequirePrivacy $true

+12

marciogmorales on Feb 6, 2020

I was able to resolve this on Windows Server 2019 with these steps:

Create the New-SmbGlobalMapping (as z:)
Create a new folder on a local hard drive to “host” the share as a symbolic link (c:\hostfolder)
In powershell, use New-Item -ItemType SymbolicLink to from the z:\ to c:\hostfolder as ZDrive
Mount c:\hostfolder\ZDrive as volume in docker.

jjohnson-33 on Aug 16, 2019

I’ve experienced the same issue when I was testing IIS containers with application which requires access to the resources on SMB shares (Azure File Share). For now, the workaround could be running the containers with hyper-v isolation mode where the bind mount to the mapped drive seems to be working without any issues.

The process and hyperv isolation modes accessing a docker daemon host file system using different logic: read more what could suggest that on process mode something on docker host is recognizing the container process as not permitted for accessing the share drive and blocks this access. The Windows Defender is disabled and no other security tool is running on VM so this looks really strange.

Output of docker version:

Client: Docker Engine - Enterprise
 Version:           18.09.5
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        be4553c277
 Built:             04/11/2019 06:44:52
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Enterprise
 Engine:
  Version:          18.09.5
  API version:      1.39 (minimum version 1.24)
  Go version:       go1.10.8
  Git commit:       be4553c277
  Built:            04/11/2019 06:43:04
  OS/Arch:          windows/amd64
  Experimental:     false

Output of docker info:

Containers: 10
 Running: 1
 Paused: 0
 Stopped: 9
Images: 389
Server Version: 18.09.5
Storage Driver: windowsfilter
 Windows:
Logging Driver: json-file
Plugins:
 Volume: local
 Network: ics l2bridge l2tunnel nat null overlay transparent
 Log: awslogs etwlogs fluentd gelf json-file local logentries splunk syslog
Swarm: inactive
Default Isolation: process
Kernel Version: 10.0 17763 (17763.1.amd64fre.rs5_release.180914-1434)
Operating System: Windows Server 2019 Datacenter Version 1809 (OS Build 17763.437)
OSType: windows
Architecture: x86_64
CPUs: 4
Total Memory: 16GiB
Name: xxxxxx
ID: WMGI:BKNH:5MRT:7ETP:DVRB:4M2M:VGYC:2VIW:YXLL:HBP6:YHQ7:GL3G
Docker Root Dir: C:\ProgramData\docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

Docker Host is Azure VM, Running Windows Server 2019 Datacenter Version 1809 (OS Build 17763.437)

PS C:\WINDOWS\system32> systeminfo

Host Name:                 xxxxxx
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Server
OS Build Type:             Multiprocessor Free
Registered Owner:          N/A
Registered Organization:   N/A
Product ID:                00430-00000-00000-AA500
Original Install Date:     2/20/2019, 2:47:58 PM
System Boot Time:          4/25/2019, 2:24:02 PM
System Manufacturer:       Microsoft Corporation
System Model:              Virtual Machine
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2295 Mhz
BIOS Version:              American Megatrends Inc. 090007 , 6/2/2017
Windows Directory:         C:\windows
System Directory:          C:\windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     16,384 MB
Available Physical Memory: 10,738 MB
Virtual Memory: Max Size:  18,816 MB
Virtual Memory: Available: 9,683 MB
Virtual Memory: In Use:    9,133 MB
Page File Location(s):     D:\pagefile.sys
Domain:                    xxxxx
Logon Server:              \\xxxxx
Hotfix(s):                 7 Hotfix(s) Installed.
                           [01]: KB4486553
                           [02]: KB4470788
                           [03]: KB4480056
                           [04]: KB4489907
                           [05]: KB4493478
                           [06]: KB4493510
                           [07]: KB4493509
Network Card(s):           3 NIC(s) Installed.
                           [01]: Microsoft Hyper-V Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     xx.xx.xx.xx
                                 IP address(es)
                                 [01]: xx.xx.xx.xx
                                 [02]: xxxx::xxxx:xxxx:xxxx:xxxx
                           [02]: Mellanox ConnectX-3 Virtual Function Ethernet Adapter
                                 Connection Name: Ethernet 2
                                 DHCP Enabled:    No
                                 IP address(es)
                           [03]: Hyper-V Virtual Ethernet Adapter
                                 Connection Name: vEthernet (nat)
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: xx.xx.xx.xx
                                 [02]: xxxx::xxxx:xxxx:xxxx:xxxx
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

SheGe on Apr 29, 2019

I’m following these advises but still confused. Tried using both New-SmbGlobalMapping -RemotePath "\\10.0.0.4\data" -Credential $credentialObject -LocalPath Z: -FullAccess @( "NT AUTHORITY\SYSTEM", "NT AUTHORITY\NetworkService" ) -Persistent $true -RequirePrivacy $true

and

New-SmbGlobalMapping -RemotePath "\\10.0.0.4\share" -Credential $credentialObject -LocalPath Z: -RequirePrivacy $true

Then docker run -d --name webserver -v Z:\content\:C:\inetpub\wwwroot -p 80:80 microsoft/iis

But getting access denied if trying to go to that folder in the container (or 500 in the webserver). Accessing Z: in windows or writing files to it is no problem at all. 10.0.0.4, in this case, is a SAMBA server from an ubuntu machine. And mounting any local drive like D: works fine too.

EDIT: Ok, so this works for me as a workaround. I’m mounting the SMB drive INSIDE the container instead. I’m not sure what the drawbacks would be but it seems to work.

docker run -d --name webserver -p 80:80 microsoft/iis
docker exec -it webserver powershell
$StoragePassword = “secretpass”
[SecureString]$secureString = $StoragePassword | ConvertTo-SecureString -AsPlainText -Force
[PSCredential]$credentialObject = New-Object System.Management.Automation.PSCredential -ArgumentList “10.0.0.4\username”, $secureString
New-SmbGlobalMapping -RemotePath “\10.0.0.4\share” -Credential $credentialObject -LocalPath Z: -Persistent $true -RequirePrivacy $true
rm .\inetpub\wwwroot
New-Item -ItemType SymbolicLink -Path C:\inetpub\wwwroot -Target Z:\

Joohansson on Aug 14, 2020

@jjohnson-33 I tried your solution of using a SymLink but I got the same behavior which is that it works for about 12 minutes in my case and then something must change or timeout and I start getting Access denied.

Were there any other steps at all you might have took to get this working?

This is on Windows Server 2019 with DockerEE 19.03.2.

mrhockeymonkey on Oct 2, 2019

I ran into the similar problem. There were two kinds of result, The parameter is incorrect. and Access is denied.. I think this is a network-timeout related issue.

As long as I tested,

The problem always reproduces if I sign out and wait for fifteen minutes.
The problem doesn’t reproduce in the case of local machine’s share, like “\\–1.ipv6-literal.net\share1”.
The problem also reproduces in the case of file server in the same LAN.
The problem doesn’t reproduce if some containers on the same machine periodically access to the mounted volume.
The problem doesn’t reproduce on AKS Kubernetes.
The problem doesn’t reproduce in Hyper-V containers(As SheGe told in the above).
The problem sometimes reproduce if I keep signing in and open an Explorer window.
The problem reproduces in both ServerCore and Nano Server containers.

ghost on Aug 4, 2019

Something similar happens in my environment. A single container, after a running time, displays Access Denied.

In my case the service has a healtcheck enabled, then the container returns to air quickly.

but is normal users complain that they fell from the system because of this situation

mmgil on Jun 21, 2019