[Samba] Cannot map to Linux share from Windows

Thu Dec 4 18:38:18 GMT 2008

On Thu, Dec 04, 2008 at 10:05:49AM -0800, Roger Criddle wrote:
> Help,
>      I have set up RHEL5 to authenticate against Windows Server 2003 R2 Active Directory using ldap/kerberos.   Everything works fine except that I cannot map a drive from Windows machines to the shares I have set up in Samba on the linux machine.    I can log into Linux using accounts in AD, and running smbclient \\\\linuxserver\\sambashare works fine on the linux box using account information from AD.    Kinit returns a ticket successfully.   "wbinfo -u" successfully returns a list of users in AD, and "wbinfo -g" successfully returns a list of groups from AD.   "getent passwd username" successfully returns information from AD.    But if I go to a Windows machine and map a network drive, it returns the error "The network connection is longer available".       
> 
> My smb.conf is as follows:   I have also tried it without the socket options line.
> [global]
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384     
> workgroup = phx
> password server = phxwn01
> realm = PHX.ENG
> security = ads
> idmap backend = ad
> template shell = /bin/tcsh
> winbind use default domain = false
> winbind offline logon = false
> [vobstore]
> comment = PHX Vob storage
> path = /vobstore
> writeable = yes
> browseable = yes
> guest ok = yes
>  
> In smbd debug mode 5, the latter part of the log.smbd file shows the following when trying to connect from the Windows machine.   It seems to find the account from AD fine and grant access, but unexpectedly closes the connection for some reason.
>  [2008/12/04 09:48:04, 5] smbd/connection.c:claim_connection(142)
> claiming [vobstore]
> [2008/12/04 09:48:04, 3] lib/util_seaccess.c:se_access_check(249)
> [2008/12/04 09:48:04, 3] lib/util_seaccess.c:se_access_check(252)
> se_access_check: user sid is S-1-5-21-2693496084-966658720-213559819-1120
> se_access_check: also S-1-5-21-2693496084-966658720-213559819-513
> se_access_check: also S-1-1-0
> se_access_check: also S-1-5-2
> se_access_check: also S-1-5-11
> se_access_check: also S-1-5-21-2693496084-966658720-213559819-518
> se_access_check: also S-1-5-21-2693496084-966658720-213559819-512
> se_access_check: also S-1-5-21-2693496084-966658720-213559819-519
> [2008/12/04 09:48:04, 5] lib/util_seaccess.c:se_access_check(310)
> se_access_check: access (2) granted..
> [2008/12/04 09:48:04, 3] lib/util_seaccess.c:se_access_check(249)
> [2008/12/04 09:48:04, 3] lib/util_seaccess.c:se_access_check(252)
> se_access_check: user sid is S-1-5-21-2693496084-966658720-213559819-1120
> se_access_check: also S-1-5-21-2693496084-966658720-213559819-513
> se_access_check: also S-1-1-0
> se_access_check: also S-1-5-2
> se_access_check: also S-1-5-11
> se_access_check: also S-1-5-21-2693496084-966658720-213559819-518
> se_access_check: also S-1-5-21-2693496084-966658720-213559819-512
> se_access_check: also S-1-5-21-2693496084-966658720-213559819-519
> [2008/12/04 09:48:04, 5] lib/util_seaccess.c:se_access_check(310)
> se_access_check: access (2) granted.
> [2008/12/04 09:48:04, 3] smbd/sec_ctx.c:set_sec_ctx(324)
> setting sec ctx (10000, 4) - sec_ctx_stack_ndx = 0
> [2008/12/04 09:48:04, 5] auth/token_util.c:debug_nt_user_token(470)
> NT user token of user S-1-5-21-2693496084-966658720-213559819-1120
> contains 8 SIDs
> SID[ 0]: S-1-5-21-2693496084-966658720-213559819-1120
> SID[ 1]: S-1-5-21-2693496084-966658720-213559819-513
> SID[ 2]: S-1-1-0
> SID[ 3]: S-1-5-2
> SID[ 4]: S-1-5-11
> SID[ 5]: S-1-5-21-2693496084-966658720-213559819-518
> SID[ 6]: S-1-5-21-2693496084-966658720-213559819-512
> SID[ 7]: S-1-5-21-2693496084-966658720-213559819-519
> SE_PRIV 0x0 0x0 0x0 0x0
> [2008/12/04 09:48:04, 5] auth/token_util.c:debug_unix_user_token(490)
> UNIX token of user 10000
> Primary group is 4 and contains 1 supplementary groups
> Group[ 0]: 10002
> [2008/12/04 09:48:04, 5] smbd/uid.c:change_to_user(272)
> change_to_user uid=(0,10000) gid=(0,4)
> [2008/12/04 09:48:04, 1] smbd/service.c:make_connection_snum(1190)
> phxwn01 (::ffff:192.168.50.20) connect to service vobstore initially as user p53044 (uid=10000, gid=4) (pid 6819)
> [2008/12/04 09:48:04, 3] smbd/sec_ctx.c:set_sec_ctx(324)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/12/04 09:48:04, 5] auth/token_util.c:debug_nt_user_token(464)
> NT user token: (NULL)
> [2008/12/04 09:48:04, 5] auth/token_util.c:debug_unix_user_token(490)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2008/12/04 09:48:04, 5] smbd/uid.c:change_to_root_user(287)
> change_to_root_user: now uid=(0,0) gid=(0,0)
> [2008/12/04 09:48:04, 3] smbd/reply.c:reply_tcon_and_X(727)
> tconX service=VOBSTORE 
> [2008/12/04 09:48:04, 5] lib/util.c:show_msg(642)
> [2008/12/04 09:48:04, 5] lib/util.c:show_msg(652)
> size=62
> smb_com=0x75
> smb_rcls=0
> smb_reh=0
> smb_err=0
> smb_flg=136
> smb_flg2=51201
> smb_tid=1
> smb_pid=65279
> smb_uid=101
> smb_mid=256
> smt_wct=7
> smb_vwv[ 0]= 255 (0xFF)
> smb_vwv[ 1]= 0 (0x0)
> smb_vwv[ 2]= 1 (0x1)
> smb_vwv[ 3]= 511 (0x1FF)
> smb_vwv[ 4]= 31 (0x1F)
> smb_vwv[ 5]= 0 (0x0)
> smb_vwv[ 6]= 0 (0x0)
> smb_bcc=13
> [2008/12/04 09:48:04, 0] lib/util_sock.c:read_socket_with_timeout(939)
> [2008/12/04 09:48:04, 0] lib/util_sock.c:get_peer_addr_internal(1607)
> getpeername failed. Error was Transport endpoint is not connected
> read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

This is the client shutting down the TCP connection on us.
We don't know why. Get a network trace and try and see
the TCP FIN or RST packet from the client. See what the
last reply was (looks like the TconX reply to me). That
might give a clue.

Jeremy.