[Samba] Intermittent ACCESS DENIED

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Tue Oct 3 13:57:39 GMT 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey,

On 09/27/2006 10:14 AM, Steven Cardinal escreveu:
> In a follow-up to a previous post a couple weeks back, we've implemented a
> Samba 3.0.20 (Suse packages on 10.0 - recompiled to include idmap_rid)
> server to replace the Windows 2000 file server in our Win2003 Active
> Directory. For the most part things have been going well, but occassionally
> people will get access denied errors to things that they were accessing
> just
> fine minutes before. With file shares, they can access the share via UNC
> and, if they unmap and remap the share, it works. The recommendation was to
> increase the log level to 10. I was finally able to capture a log while
> someone was having a problem. In this instance they were getting access
> denied to the printers.

	Printers has a particular case, usually if you change 'use client
driver' and 'disable spoolss' you can solve the Access Denied messages.
But this is for printers and W2K.


> To date, I've only seen these errors on Windows 2000 workstations and not
> our XP workstations, but since this is so intermittent and we have only a
> few XP boxes, I'm not sure that is signficant, but I figured I'd throw it
> out there anyway. Here's my config (with the names changed to protect the
> innocent)
> 
> [global]
>    unix charset = LOCALE
>    workgroup = MYDOMAIN
>    realm = MYDOMAIN.INT
>    server string = Production File Server 03
>    security = ADS
>    allow trusted domains = No
>    enable privileges = Yes
>    username map = /etc/samba/smbusers
>    log level = 10
>    log file = /var/log/samba/%m
>    max log size = 50
>    deadtime = 15
>    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192
> SO_SNDBUF=8192
>    printcap name = cups
>    wins server = 10.0.0.10
>    ldap ssl = no
>    idmap backend = idmap_rid:MYDOMAIN=10000-50000
>    idmap uid = 10000-50000
>    idmap gid = 10000-50000
>    template shell = /bin/bash
>    winbind separator = +
>    cups options = raw

> [Software]
>    comment = Adheris Software
>    path = /srv/public/software
>    valid users = @MYDOMAIN+grpIT, @MYDOMAIN+grpDevelopers
>    admin users = "@MYDOMAIN+Domain Admins"
>    read only = No
>    create mask = 0664
>    directory mask = 0775
>    dos filemode = Yes
[...]

> And here is the debug information. The thing that stands out to me is the
> request for spoolss that fails. We do not have the iptables firewall
> enabled, but we seem to be getting a pipe issue perhaps? I'm weak on the
> programming/debugging side but take directions well if anyone has some
> suggestions. Thanks

	I would say that for the printer case you can try to change the
above mentioned parameters, it could solve the problem. For the file
shares, I have facing a similar problem recently, but so far, people
invovled with Windows keep telling that it is MS Windows related and
soon or late will cure itself. :-)

[... loglevel 10 ...]


	Kind regards,
- --
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFImxTCj65ZxU4gPQRAqmiAKCSUo+Wxg6UfuHNvsy2kYRVu4An6ACgnx5t
wDSx2JHRMbLm9TKF7YqAuLE=
=ZN/I
-----END PGP SIGNATURE-----

More information about the samba mailing list