"multiple response" errors in log.nmb (fwd)

Axel Thimm Axel.Thimm at physik.fu-berlin.de
Fri May 25 20:29:39 GMT 2001


On Thu, May 24, 2001 at 09:49:45AM -0400, Stenglein, James C wrote:
> This is a post I have found on this site (
> http://samba.cadcamlab.org/lists/samba-technical/Jun2000/00268.html )
> regarding a Samba issue.  I cannot find a follow-up on this and it is the
> same log problem that I am having.  Was there any follow up or possible
> resolution to this?  Thanks in Advance for your help!!
> This is the actual post....
> Our log.nmb file fills up very quickly with the following pattern of
> messages: 
> [2000/06/22 11:58:25, 0] nmbd/nmbd_namequery.c:query_name_response(93)
> query_name_response: Multiple (2) responses received for a query on subnet
> for name NT.CIS.KSU.EDU<1d>. This response was from IP

Is NT.CIS.KSU.EDU the name of your domain? Is the usual master
domain browser?

>  There is also another pattern in the log file: the set of errors occurs
> every 5 minutes(+/- a few seconds). This seems a little redundant to me. My
> questions: Is this error significant? Does it affect performance? Is there
> anything I can do about it? Other than editing the source to get rid of the
> error? I'm not familiar with WINS... is the problem on the NT server or the
> Samba server? 

I have the same problem since ages (and the were some post from me in Ferbuary
this year also with no replies).

The setup is a Samba (2.2.x cvs) controlled domain with a lot of Samba and
Windows clients. I think what happens is the following: Some Windows clients
broadcast elections on IPX or NetBEUI and as they are the only ones (the Samba
boxes only radiate on TCP/IP) they think they have won. I'd call this a
Master-Domain-Browser-Hijacking. When a client asks for the domain master
browser both answer. The second reply is then logged as a warning.

It would be nice, if the Samba team could extend this warning to include also
the *first* response, which is the one from the guilty IPX/NetBEUI Windows box
(mostly Windows 95 variants which included IPX by default, or paranoic
sysadmins that install all protocolls ("the most I have the better ..."))

I have been spending days with ethereal and tcpdump to find those damned IPX
machines in our nets and I still have 5-10 here :(

On Thu, May 24, 2001 at 03:43:44PM -0500, Christopher R. Hertel wrote:
> I wish I had time to look into this one, but I don't.  The logs seem to show
> a single machine (NT.CIS.KSU.EDU) sending multiple replies to a single name
> query.  I would really like to see what is happening on the wire.  As I say,
> though, I don't have time just now so I will simply suggest that you do an
> Ethereal (or tcpdump or netmon) trace and take a look yourself.  My guess is
> that the NT box is misbehaving somehow but I have nothing but the logs on
> which to base my guess.

All of the above modulo my guessing. Christoffer R. Hertel is the NetBIOS
expert, so if he deems my findings, be sure, he is right. ;)

Regards, Axel.
Axel.Thimm at physik.fu-berlin.de

More information about the samba-technical mailing list