[Samba] "getpeername failed" error when signed communications policy enabled

Hilton, David davidh at hp.com
Thu Dec 15 02:10:11 MST 2011


No, the only error that we see is the "getpeername failed" error in the Samba log for the client machine that is trying to print the job.

David.

-----Original Message-----
From: Jeremy Allison [mailto:jra at samba.org]
Sent: 14 December 2011 22:12
To: Hilton, David
Cc: samba at lists.samba.org
Subject: Re: [Samba] "getpeername failed" error when signed communications policy enabled

On Wed, Dec 07, 2011 at 11:01:50AM +0000, Hilton, David wrote:
> Hi,
>
> I'm looking for help with an issue that we are seeing with the following
> configuration:
>
> We are using Samba (3.5.12-72.fc15) to share out CUPS printers from a Fedora
> 15 machine. However, a requirement of the system is that these printers are
> not directly visible from client systems (Windows 7 SP1 32-bit), so instead
> we are sharing them out from a Windows print server (Windows 2008 R2 SP1).
> So the clients connect to print queues on the Windows print server, which in
> turn forwards the print jobs on to CUPS.
>
> The issue we are seeing occurs when a policy change is made on the Windows
> 2008 R2 print server. If the "Microsoft network client: Digitally sign
> communications (always)" policy setting is enabled, we see the following
> behaviour:
>
> - Applications running on the print server can print normally.
> - Applications running on client machines fail to print.
>
> When a print job fails we see the following in the samba log for the client
> machine:
>
> [2011/12/07 10:43:23.381798,  2] auth/auth.c:304(check_ntlm_password)
>   check_ntlm_password:  authentication for user [XXX] -> [XXX] -> [XXX] succeeded
> [2011/12/07 10:43:39.760399,  0] lib/util_sock.c:474(read_fd_with_timeout)
> [2011/12/07 10:43:39.760476,  0] lib/util_sock.c:1441(get_peer_addr_internal)
>   getpeername failed. Error was Transport endpoint is not connected
>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>
> The smb.conf file that we are using is as follows:
>
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2011/12/05 17:22:13
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
>    workgroup = LOW
>    password server = LOWDC
>    security = user
>    idmap uid = 16777216-33554431
>    idmap gid = 16777216-33554431
>    template shell = /bin/false
>    winbind use default domain = false
>    winbind offline logon = false
>    server signing = auto
>    log level = 2
>    log file = /var/log/samba.log.%m
>    max log size = 50
>    debug timestamp = yes
>
> #--authconfig--end-line--
> load printers = yes
> printing = cups
> printcap name = cups
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = yes
> writable = no
> printable = yes
> printer admin = root, @ntadmins, @smbprintadm
> use client driver = yes
>
> If the "Microsoft network client: Digitally sign communications (always)"
> setting is disabled it all works OK, but disabling this policy setting is
> not an allowed option at present.

That sounds like a signing error - do you see such in the
Samba logs?

Jeremy.