[Samba] ***HELP*** Users cannot access shares on member server after restart
Robert Steinmetz
rob at steinmetznet.com
Wed Nov 26 02:02:34 GMT 2008
I have done a version upgrade and now have Ubuntu 8.10 AMD 64 with Samba 3.2.4.
I'm still having the same problem.
I'm now virtually positive it's my configuration.
Anyone out there got any ideas?
Robert Steinmetz wrote:
> I've posted about this problem several times but so far nothing has
> worked.
>
> Whenever I restart my samba servers the member server refuses to
> authenticate users. Sometimes it will only authenticate some users on
> some shares. Usually by fiddling with it I can eventually get it to
> work but I can't identify the solution so I can replicate it. Once it
> finally starts to work it works fine until the next restart.
>
> "fiddling with it" means that I run a bunch of commands to try to
> identify the problem and restarting the processes on the two servers.
> It eventually starts working. I haven't been able to identify which
> command actually causes the system to start working. It doesn't appear
> to be the same one every time. For example sometimes "net rpc join"
> seems to work, but not this time.
>
> Users on the XP machines can browse the network and see the Domain,
> both servers and all of the shares on either server. They can access
> shares on the PDC with no problem. When they attempt to access the
> shares on the Member Server sometimes they get a user/password window
> and no combination of user and password is accepted.
>
> I'm completely stumped, which isn't hard. This is driving me nuts.
>
> Among other commands I have run;
>
> wbinfo -u and -g get what I expect, a list of users and groups
> net status shares returns a list of shares
> net status sessions returns a list of sessions
> getent passwd lists the domain users
> getent group lists the groups including the domain groups
> netlookup dc returns the correct ip address
> netlookup master returns the correct ip address
>
> Here is a log of one of the failed connections;
>
> [2008/11/25 12:50:57, 3] smbd/process.c:switch_message(927)
> switch message SMBtconX (pid 7447) conn 0x0
> [2008/11/25 12:50:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/11/25 12:50:57, 3] lib/access.c:check_access(312)
> check_access: no hostnames in host allow/deny list.
> [2008/11/25 12:50:57, 2] lib/access.c:check_access(323)
> Allowed connection from (192.168.1.9)
> [2008/11/25 12:50:57, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2008/11/25 12:50:57, 3] smbd/uid.c:push_conn_ctx(358)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2008/11/25 12:50:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2008/11/25 12:50:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/11/25 12:50:57, 3] smbd/service.c:find_forced_group(525)
> Forced group samba
> [2008/11/25 12:50:57, 3] smbd/service.c:make_connection_snum(806)
> Connect path is '/files/Lucretia/Sigma' for service [Sigma]
> [2008/11/25 12:50:57, 3] lib/util_seaccess.c:se_access_check(250)
> [2008/11/25 12:50:57, 3] lib/util_seaccess.c:se_access_check(251)
> se_access_check: user sid is
> S-1-5-21-4166445610-3302986456-3838465043-3066
> se_access_check: also S-1-22-2-2003
> se_access_check: also S-1-5-2
> se_access_check: also S-1-5-11
> [2008/11/25 12:50:57, 3] lib/util_seaccess.c:se_access_check(250)
> [2008/11/25 12:50:57, 3] lib/util_seaccess.c:se_access_check(251)
> se_access_check: user sid is
> S-1-5-21-4166445610-3302986456-3838465043-3066
> se_access_check: also S-1-22-2-2003
> se_access_check: also S-1-5-2
> se_access_check: also S-1-5-11
> [2008/11/25 12:50:57, 0] smbd/service.c:make_connection_snum(850)
> make_connection: connection to Sigma denied due to security descriptor.
> [2008/11/25 12:50:57, 3] smbd/error.c:error_packet_set(106)
> error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
> NT_STATUS_ACCESS_DENIED
> [2008/11/25 12:51:08, 3] smbd/process.c:process_smb(1069)
> Transaction 173 of length 43
> [2008/11/25 12:51:08, 3] smbd/process.c:switch_message(927)
> switch message SMBulogoffX (pid 7447) conn 0x0
>
>
> If any other information would help let me know.
>
> Here is my configuration.
>
> Ubuntu 8.04 LTS AMD 64
> Samba Version 3.0.28a
>
> I have an NT style domain with XP pro desktops.
> 1 - PDC
> 1 - Member Server
> No AD No LDAP
>
> On the PDC smbd and nmbd are running
> On the Member Server smbd nmbd and winbind are running.
>
> Here is part of nsswitch.conf;
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat winbind
>
>
> Here is the Globals Section of the PDC
>
> [global]
> workgroup = ATLANTA
> server string = %h mail passwd server (Samba, Ubuntu)
> passdb backend = tdbsam
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
> *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> time server = Yes
> hostname lookups = Yes
> logon path = \\THELMA\%U\.profiles
> logon drive = U:
> logon home = \\THELMA\%U
> domain logons = Yes
> domain master = Yes
> preferred master = Yes
> security = user
>
> Here is the Globals for the Member Server
>
> [global]
> workgroup = ATLANTA
> server string = %h file server (Samba, Ubuntu)
> security = domain
> password server = 192.168.1.24
> log level = 3
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> wins proxy = yes
> wins server = 192.168.1.24
> panic action = /usr/share/samba/panic-action %d
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template shell = /bin/bash
> name resolve order = wins bcast hosts
> hosts allow = 192.168.1.0/255.255.255.0
> winbind enum groups = yes
> winbind enum users = yes
>
> Here are two shares one worked and one didn't last time.
>
> [Projects]
> path = /files/Lucretia/Projects
> comment = Project Specific Data
> force group = samba
> read only = no
> create mask = 0764
> directory mask = 0775
>
> [Office]
> comment = General Office Data
> path = /files/Lucretia/Office
> force group = samba
> read only = No
> create mask = 0764
> directory mask = 0775
>
> This time neither works but this one does.
>
> [Vault]
> comment = Ancient Files
> path = /files/Vault
>
> All directories have the same ownership and linux permissions
>
> drwxrwsr-x 69 rob samba 16416 2008-10-24 17:15 Office
> drwxrwsr-x 51 rob samba 4032 2008-11-12 09:43 Projects
>
> drwxrwsr-x 24 rob samba 688 2008-06-11 12:01 Vault
>
--
Robert Steinmetz, AIA
Principal
Steinmetz & Associates
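
An added example, not part of the original post: a small Python parser for smbd log entries in the format quoted above. It reports each "denied due to security descriptor" event together with the SIDs that se_access_check evaluated for that request. The sample lines are abridged from the log in the post; the function names are illustrative.

```python
import re

# Log lines abridged from the failed connection quoted in the post.
SAMPLE_LOG = """\
[2008/11/25 12:50:57, 3] smbd/process.c:switch_message(927)
  switch message SMBtconX (pid 7447) conn 0x0
[2008/11/25 12:50:57, 3] smbd/service.c:make_connection_snum(806)
  Connect path is '/files/Lucretia/Sigma' for service [Sigma]
[2008/11/25 12:50:57, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is
  S-1-5-21-4166445610-3302986456-3838465043-3066
  se_access_check: also S-1-22-2-2003
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2008/11/25 12:50:57, 0] smbd/service.c:make_connection_snum(850)
  make_connection: connection to Sigma denied due to security descriptor.
"""

HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] (\S+):(\w+)\((\d+)\)$")
SID = re.compile(r"S-1(?:-\d+)+")
DENIED = re.compile(r"connection to (\S+) denied due to security descriptor")

def parse_entries(text):
    """Group each '[time, level] file:func(line)' header with its body lines."""
    entries = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()  # tolerate mail quoting and indentation
        m = HEADER.match(line)
        if m:
            entries.append({"time": m[1], "level": int(m[2]), "func": m[4], "body": []})
        elif entries and line:
            entries[-1]["body"].append(line)
    return entries

def denied_connections(text):
    """Return one record per denial, with the SIDs checked since the last SMB request."""
    out, sids = [], []
    for e in parse_entries(text):
        body = " ".join(e["body"])
        if e["func"] == "switch_message":
            sids = []  # a new SMB request starts a fresh SID list
        elif e["func"] == "se_access_check":
            sids += [s for s in SID.findall(body) if s not in sids]
        m = DENIED.search(body)
        if m:
            out.append({"time": e["time"], "share": m[1], "sids": list(sids)})
    return out
```

Run over a full log.%m file, this gives a per-share list of which user and group SIDs were presented at each denial, which can be compared between a working and a failing restart.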