[Samba] Fwd: After a few time lost access to the Samba server (server samba - a member of the AD Win2k3)
Kramarenko A. Maksim
Mc.Sim at k-max.name
Fri Sep 9 12:49:25 MDT 2011
A small addition:
When access to the server by name is lost, access by IP address, for example \\10.0.0.11\, is still granted.
Kramarenko A. Maksim <Mc.Sim at k-max.name> wrote on Fri, 09 Sep 2011 15:51:21 +0400:
> Hello!
> I have been struggling with a problem with Samba for a long time and would
> appreciate your help!
>
> Problem:
> After some time working with files on the file server, access to that
> server is unexpectedly lost. When you try to access the server using Windows
> Explorer, a login / password window appears. When you enter a correct username
> / password, the same login / password window appears again. This problem can
> occur for some domain users who work on specific computers. Other users
> work "round the clock" without failures. For example, 2nd shift users work
> on one computer. At the same time, the problem occurs for one user but not
> for the second. Accordingly, network printing and file access fall off.
> After rebooting, or just logging the user out and back in on the
> computer, access is restored.
>
> Configuration:
> Samba authenticates against the domain via winbind. Clients are mostly WinXP.
> Distribution and Samba version:
> ===========bash==============================
> files ~ # cat /etc/debian_version
> 6.0.2
> files ~ # uname -a
> Linux files 2.6.32-5-686 #1 SMP Mon Jun 13 04:13:06 UTC 2011 i686 GNU/Linux
> files ~ # dpkg -l | grep samba
> ii samba 2:3.5.6~dfsg-3squeeze4 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:3.5.6~dfsg-3squeeze4 common files used by both the Samba server and client
> ii samba-common-bin 2:3.5.6~dfsg-3squeeze4 common files used by both the Samba server and client
> files ~ # dpkg -l | grep winbi
> ii libwbclient0 2:3.5.6~dfsg-3squeeze4 Samba winbind client library
> ii winbind 2:3.5.6~dfsg-3squeeze4 Samba nameservice integration server
> ===========bash==============================
> Samba and network configuration:
> ===========bash==============================
> files ~ # testparm -s
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[homes]"
> Processing section "[backup$]"
> Processing section "[install$]"
> ......
> Loaded services file OK.
> WARNING: You have some share names that are longer than 12 characters.
> These may not be accessible to some older clients.
> (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
> Server role: ROLE_DOMAIN_MEMBER
> [global]
> workgroup = SAG
> realm = SAG.LOCAL
> server string = Файловый сервер
> security = ADS
> auth methods = winbind
> obey pam restrictions = Yes
> password server = dc.sag.local dc2.sag.local
> username map = /etc/samba/userssmb
> log file = /var/log/samba/log.%m
> smb ports = 139
> lpq cache time = 5
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> usershare path =
> panic action = /usr/share/samba/panic-action %d
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /backup/SAG/%U
> winbind separator = ^
> winbind cache time = 600
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> cups options = raw
> veto files = /autorun.inf/AUTORUN.INF/.*/Thumbs.db/
> hide files = /$RECYCLE.BIN/desktop.ini/lost+found/Thumbs.db/
>
> [printers]
> comment = Очередь печати SMB
> path = /var/spool/samba
> printable = Yes
> browseable = No
>
> [print$]
> comment = Драйверы принтера
> path = /var/lib/samba/printers
>
> [homes]
> comment = Личная папка пользователя %U
> read only = No
> browseable = No
>
> [backup$]
> comment = Инсталяхи
> path = /shares/backup
> read only = No
>
> [install$]
> comment = Инсталяхи
> path = /shares/install
> read only = No
> veto files =
> files ~ # cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat winbind
>
> hosts: files dns wins
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> files ~ # cat /etc/resolv.conf
> domain SAG.local
> search SAG.local
> nameserver 10.0.0.1
> nameserver 10.0.0.4
> files ~ # ifconfig eth4
> eth4 Link encap:Ethernet HWaddr 00:04:23:a6:19:c8
> inet addr:10.0.0.11 Bcast:10.0.0.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:293175177 errors:0 dropped:0 overruns:0 frame:0
> TX packets:205770240 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:320660917 (305.8 MiB) TX bytes:677293276 (645.9 MiB)
> files ~ # cat /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 files.SAG.local files
> ===========bash==============================
> Logs:
> Problem users have a lot of messages in the log at debug level 1:
> ===========bash==============================
> [2011/09/08 12:54:41.805370, 1]
> smbd/sesssetup.c:332(reply_spnego_kerberos)
> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2011/09/08 12:54:41.893536, 1]
> smbd/sesssetup.c:332(reply_spnego_kerberos)
> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> ===========bash==============================
> All the diagnostic commands (wbinfo -u, wbinfo -g, wbinfo -t, getent passwd
> domain_user_name, net ads info) work without any problems. Time is
> synchronized by cron every hour with the command "net time set", so the
> option of time divergence is irrelevant.
> At the moment access to the server was lost, I ran "smbcontrol smbd
> debug 3". When you try to access the server at debug level 3, the log gets the
> following (attachment log.scan2).
>
> These logs contain a very interesting line:
> ===========bash==============================
> [2011/09/08 15:33:26.776661, 3]
> smbd/sesssetup.c:1232(reply_sesssetup_and_X_spnego)
> NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
> ===========bash==============================
> PrimaryDomain=[] has lost the domain name,
> as well as these lines:
> ===========bash==============================
> [2011/09/08 15:33:26.773385, 3] smbd/negprot.c:586(reply_negprot)
> Requested protocol [PC NETWORK PROGRAM 1.0]
> [2011/09/08 15:33:26.773514, 3] smbd/negprot.c:586(reply_negprot)
> Requested protocol [LANMAN1.0]
> [2011/09/08 15:33:26.773583, 3] smbd/negprot.c:586(reply_negprot)
> Requested protocol [Windows for Workgroups 3.1a]
> [2011/09/08 15:33:26.773698, 3] smbd/negprot.c:586(reply_negprot)
> Requested protocol [LM1.2X002]
> [2011/09/08 15:33:26.773792, 3] smbd/negprot.c:586(reply_negprot)
> Requested protocol [LANMAN2.1]
> [2011/09/08 15:33:26.773891, 3] smbd/negprot.c:586(reply_negprot)
> Requested protocol [NT LM 0.12]
> [2011/09/08 15:33:26.774805, 3] smbd/negprot.c:404(reply_nt1)
> using SPNEGO
> [2011/09/08 15:33:26.774949, 3] smbd/negprot.c:691(reply_negprot)
> Selected protocol NT LM 0.12
> [2011/09/08 15:33:26.776019, 3] smbd/process.c:1485(process_smb)
> Transaction 1 of length 1352 (0 toread)
> ===========bash==============================
> SAMBA somehow sorts out the protocols to access shared resources on ....
> But why this is happening is unclear.
>
> The next time access to the server was lost, I gradually increased the debug
> level from 4 to 10, marking each step in the log with the message echo
> "start-debug number_debug" >> log. I tried to send an Excel spreadsheet
> to print on a shared printer:
> ===========bash==============================
> files ~ # echo "start-debug 4" >> /var/log/samba/log.vipiska1
> files ~ # smbcontrol smbd debug 4
> files ~ # # printing page from problem user
> files ~ # echo "stop-debug 4" >> /var/log/samba/log.vipiska1
> files ~ # echo "start-debug 5" >> /var/log/samba/log.vipiska1
> files ~ # smbcontrol smbd debug 5
> files ~ # # printing page from problem user
> files ~ # echo "stop-debug 5" >> /var/log/samba/log.vipiska1
> files ~ # echo "start-debug 6" >> /var/log/samba/log.vipiska1
> files ~ # smbcontrol smbd debug 6
> files ~ # # printing page from problem user
> files ~ # echo "stop-debug 6" >> /var/log/samba/log.vipiska1
> files ~ # echo "start-debug 7" >> /var/log/samba/log.vipiska1
> files ~ # smbcontrol smbd debug 7
> files ~ # # printing page from problem user
> files ~ # echo "stop-debug 7" >> /var/log/samba/log.vipiska1
> files ~ # echo "start-debug 8" >> /var/log/samba/log.vipiska1
> files ~ # smbcontrol smbd debug 8
> files ~ # # printing page from problem user
> files ~ # echo "stop-debug 8" >> /var/log/samba/log.vipiska1
> files ~ # echo "start-debug 9" >> /var/log/samba/log.vipiska1
> files ~ # smbcontrol smbd debug 9
> files ~ # # printing page from problem user
> files ~ # echo "stop-debug 9" >> /var/log/samba/log.vipiska1
> files ~ # echo "start-debug 9" >> /var/log/samba/log.vipiska1
> files ~ # echo "stop-debug 9" >> /var/log/samba/log.vipiska1
> files ~ # echo "start-debug 10" >> /var/log/samba/log.vipiska1
> files ~ # smbcontrol smbd debug 10
> files ~ # # printing page from problem user
> files ~ # echo "stop-debug 10" >> /var/log/samba/log.vipiska1
> files ~ # smbcontrol smbd debug 0
> files ~ # smbcontrol smbd debug 1
> files ~ # echo "start-debug 10" >> /var/log/samba/log.vipiska1
> files ~ # smbcontrol smbd debug 10
> files ~ # smbcontrol smbd debug 0
> ===========bash==============================
> After these steps I got a log (attachment log.vipiska1).
>
> These logs contain a very interesting line:
> ===========bash==============================
> Got user=[] domain=[] workstation=[VIPISKA1] len1=1 len2=0
> [2011/09/09 11:46:06.139244, 3] auth/auth.c:216(check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user []\[]@[VIPISKA1] with the new password interface
> [2011/09/09 11:46:06.139290, 3] auth/auth.c:219(check_ntlm_password)
> check_ntlm_password: mapped user is: [FILES]\[]@[VIPISKA1]
> [2011/09/09 11:46:06.139334, 3] auth/auth_winbind.c:54(check_winbind_security)
> check_winbind_security: Not using winbind, requested domain [FILES] was for this SAM.
> [2011/09/09 11:46:06.139370, 2] auth/auth.c:314(check_ntlm_password)
> check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
> ===========bash==============================
> Samba does not show the user (user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER), but why?
> Help please!
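
A triage helper for the two failure signatures in the logs quoted above, added here as an example (it is not part of the original post or of Samba). It parses Samba 3.x log records, including headers whose source location is wrapped onto the next line as in the mailed excerpts, and counts Kerberos ticket rejections separately from NTLM attempts that arrive with an empty user name. The function names and category labels are this example's own; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Samba 3.x record header: "[date time, level] file.c:line(function)".
# In mailed logs the location is often wrapped onto the next line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:\d+\((\w+)\)$")
STATUS = re.compile(r"NT_STATUS_\w+")
NTLM_FAIL = re.compile(r"Authentication for user \[(.*?)\] -> \[.*?\] FAILED")

# Sample input: lines taken from the log excerpts quoted in the post.
SAMPLE = """\
[2011/09/08 12:54:41.805370, 1]
smbd/sesssetup.c:332(reply_spnego_kerberos)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/09/09 11:46:06.139334, 3] auth/auth_winbind.c:54(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [FILES] was for this SAM.
[2011/09/09 11:46:06.139370, 2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
"""

def parse_records(text):
    """Return a list of dicts with keys time, level, function, message."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            loc = LOCATION.match(head.group(3))
            records.append({"time": head.group(1), "level": int(head.group(2)),
                            "function": loc.group(1) if loc else None, "message": ""})
        elif records and records[-1]["function"] is None and LOCATION.match(line):
            records[-1]["function"] = LOCATION.match(line).group(1)  # wrapped location
        elif records and line:
            records[-1]["message"] = (records[-1]["message"] + " " + line).strip()
    return records

def classify(record):
    """Return (category, NT status) for an auth failure record, else None."""
    status = STATUS.search(record["message"])
    ntlm = NTLM_FAIL.search(record["message"])
    if status and record["function"] == "reply_spnego_kerberos":
        return ("kerberos_ticket_rejected", status.group(0))
    if status and ntlm and record["function"] == "check_ntlm_password":
        return ("ntlm_empty_username" if ntlm.group(1) == "" else "ntlm_failed", status.group(0))
    return None

def summarize(text):
    """Count auth failures by (category, status) across a whole log."""
    return Counter(c for c in map(classify, parse_records(text)) if c)
```

Running `summarize()` over each per-client `log.%m` file shows which workstations hit the Kerberos rejection and which only reach the empty-user NTLM attempt.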