Why is Win98 looking for user "nobody"?

Milewski, Evan milewse at pweh.com
Wed Sep 19 06:38:09 GMT 2001

Steve and Tony,
   I also have the exact same problem.  What I have seen in my analysis is
that these logons come from windows boxes (NT), and as you saw are sporadic,
coming in bursts of connections.  I have several thousand desktops, all
running samba, and the problem I saw was that these connections would be
going to every machine.  I would see the same windows machine trying to log
onto each samba box in order right down the line...then a minute later
another windows device trying to authenticate to all samba machines...I have
an entry of "deadtime = 5" in my smb.conf file, so these connections to IPC$
from "nobody" will hang around for 5 minutes (they seem to fail to do what
they are trying to do after they connect) and then die.  But at any given
time I would have anywhere from 1 (normal) to 9 smbd processes running at
any given time on all my samba boxes.  This in turn we believe was
overwhelming our NT primary domain controller with all of these connections
(a different issue).  I addressed this whole issue by putting in my global
smb.conf section the entry "invalid users = nobody".  All of these
connections are now denied but don't hang around, but I still don't know how
to stop them from trying.  One idea we had was that it had to do with print
browsing on the windows side, and the windows machines are trying to go down
their lists of available print browsers, which each samba is saying it is.
I don't know if that is on track or not.  

If either of you find out more information, please let me know as well.

>    Funny you should mention the nobody user. I have the same entry in my
>except that somehow the user nobody was created and allowed a connection to
>made to IPC$. I have no guest accounts enabled in smb and have no idea as
>how this connection was allowed. I was working from home and did a netstat
>and saw a connection being made on port 138 by an address at work (yet the
>server is not in production and nobody knows the IPs). I shut down smb and
>after perusing the logs, found the nobody entries. I am on the hunt for an
>answer to this and will share any info I get on this matter. I would
>if you would do the same.
>Steve Snyder wrote:
> Using Samba v2.0.10 on a RedHat v7.1 box, I see that the Win98 clients on
> our network are making sporatic requests for user "nobody" (as shown
> below).  Anyone know what's going on here?
> My network has both Linux and Win98 clients, but only the Win98 clients
> showing this behavior.  Both the Linux and Win98 clients access the same
> shared drives, but only the Win98 clients use shared printers.
> Also, the requests are bursty.  The log entries below are the entire log
> file for this week and are copied on Tuesday morning.  So after about
> 48hours of silence (logs are rotated on Sunday) all of a sudden this
> (Win98 SE + all MS updates) is seeking user "nobody".   Hmm.
> Note that I actually do *not* have "nobody" defined in my smb_passwd file,
> so the messages are strictly accurate.  Note also that I have "guest ok =
> yes" on a couple of shares, though these log entries are from machines
> actual users, not guests, logged in.
> Any thoughts on this?  Thanks.

More information about the samba mailing list