[Samba] After some time, access to the Samba server is lost (the Samba server is a member of a Win2k3 AD)

Kramarenko A. Maksim Mc.Sim at k-max.name
Fri Sep 9 05:11:58 MDT 2011


Hello!
I have been struggling with a Samba problem for a long time and would
appreciate your help!

Problem:
After some time working with files on the file server, access to that
server is unexpectedly lost. When you try to access the server using Windows
Explorer, a login/password window appears. When you enter a correct
username/password, the same login/password window appears again. This
problem occurs for some domain users who work on specific computers. Other
users work "round the clock" without failure. For example, two users work
in shifts on one computer; the problem occurs for one of them but not for
the other. As a result, network printing and file access stop working.
After rebooting the user's computer, or just logging out and back in,
access is restored.

Configuration:
Samba authenticates against the domain via winbind. Clients are mostly WinXP.
Distribution and Samba versions:
===========bash==============================
files ~ # cat /etc/debian_version
6.0.2
files ~ # uname -a
Linux files 2.6.32-5-686 #1 SMP Mon Jun 13 04:13:06 UTC 2011 i686 GNU/Linux
files ~ # dpkg -l | grep samba
ii  samba                              2:3.5.6~dfsg-3squeeze4       SMB/CIFS file, print, and login server for Unix
ii  samba-common                       2:3.5.6~dfsg-3squeeze4       common files used by both the Samba server and client
ii  samba-common-bin                   2:3.5.6~dfsg-3squeeze4       common files used by both the Samba server and client
files ~ # dpkg -l | grep winbi
ii  libwbclient0                       2:3.5.6~dfsg-3squeeze4       Samba winbind client library
ii  winbind                            2:3.5.6~dfsg-3squeeze4       Samba nameservice integration server
===========bash==============================
Samba and network configuration:
===========bash==============================
files ~ # testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Processing section "[homes]"
Processing section "[backup$]"
Processing section "[install$]"
......
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
[global]
         workgroup = SAG
         realm = SAG.LOCAL
         server string = Файловый сервер
         security = ADS
         auth methods = winbind
         obey pam restrictions = Yes
         password server = dc.sag.local dc2.sag.local
         username map = /etc/samba/userssmb
         log file = /var/log/samba/log.%m
         smb ports = 139
         lpq cache time = 5
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         usershare path =
         panic action = /usr/share/samba/panic-action %d
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         template homedir = /backup/SAG/%U
         winbind separator = ^
         winbind cache time = 600
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind refresh tickets = Yes
         winbind offline logon = Yes
         cups options = raw
         veto files = /autorun.inf/AUTORUN.INF/.*/Thumbs.db/
         hide files = /$RECYCLE.BIN/desktop.ini/lost+found/Thumbs.db/

[printers]
         comment = Очередь печати SMB
         path = /var/spool/samba
         printable = Yes
         browseable = No

[print$]
         comment = Драйверы принтера
         path = /var/lib/samba/printers

[homes]
         comment = Личная папка пользователя %U
         read only = No
         browseable = No

[backup$]
         comment = Инсталяхи
         path = /shares/backup
         read only = No

[install$]
         comment = Инсталяхи
         path = /shares/install
         read only = No
         veto files =
files ~ # cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
files ~ # cat /etc/resolv.conf
domain SAG.local
search SAG.local
nameserver 10.0.0.1
nameserver 10.0.0.4
files ~ # ifconfig eth4
eth4      Link encap:Ethernet  HWaddr 00:04:23:a6:19:c8
           inet addr:10.0.0.11  Bcast:10.0.0.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:293175177 errors:0 dropped:0 overruns:0 frame:0
           TX packets:205770240 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:320660917 (305.8 MiB)  TX bytes:677293276 (645.9 MiB)
files ~ # cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       files.SAG.local files
===========bash==============================
Logs:
For the problem users there are a lot of messages like these in the log at debug level 1:
===========bash==============================
[2011/09/08 12:54:41.805370,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/09/08 12:54:41.893536,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
===========bash==============================
All the diagnostic commands (wbinfo -u, wbinfo -g, wbinfo -t, getent passwd
domain_user_name, net ads info) work without any problems. Time is
synchronized by cron every hour with the command "net time set", so the
explanation of diverging clocks is not relevant.
At the moment access to the server was lost, I ran "smbcontrol smbd
debug 3". When trying to access the server at debug level 3, the log shows
the following (attachment log.scan2).
At debug level 3, when the user logs out and logs in, the log shows the
following (attachment log.scan2-login).

These logs contain a very interesting line:
===========bash==============================
[2011/09/08 15:33:26.776661,  3] smbd/sesssetup.c:1232(reply_sesssetup_and_X_spnego)
   NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
===========bash==============================

PrimaryDomain=[] has lost the domain name,
as well as these lines:
===========bash==============================
[2011/09/08 15:33:26.773385,  3] smbd/negprot.c:586(reply_negprot)
   Requested protocol [PC NETWORK PROGRAM 1.0]
[2011/09/08 15:33:26.773514,  3] smbd/negprot.c:586(reply_negprot)
   Requested protocol [LANMAN1.0]
[2011/09/08 15:33:26.773583,  3] smbd/negprot.c:586(reply_negprot)
   Requested protocol [Windows for Workgroups 3.1a]
[2011/09/08 15:33:26.773698,  3] smbd/negprot.c:586(reply_negprot)
   Requested protocol [LM1.2X002]
[2011/09/08 15:33:26.773792,  3] smbd/negprot.c:586(reply_negprot)
   Requested protocol [LANMAN2.1]
[2011/09/08 15:33:26.773891,  3] smbd/negprot.c:586(reply_negprot)
   Requested protocol [NT LM 0.12]
[2011/09/08 15:33:26.774805,  3] smbd/negprot.c:404(reply_nt1)
   using SPNEGO
[2011/09/08 15:33:26.774949,  3] smbd/negprot.c:691(reply_negprot)
   Selected protocol NT LM 0.12
[2011/09/08 15:33:26.776019,  3] smbd/process.c:1485(process_smb)
   Transaction 1 of length 1352 (0 toread)
===========bash==============================
Samba somehow goes through the protocols to access shared resources on ....
But why this is happening is unclear.

At the next loss of access to the server, I gradually increased the debug
level from 4 to 10, marking each step in the log with the message echo
"start-debug number_debug" >> log. I tried to print an Excel spreadsheet
on a shared printer:
===========bash==============================
files ~ # echo "start-debug 4" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 4
files ~ # # printing page from problem user
files ~ # echo "stop-debug 4" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 5" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 5
files ~ # # printing page from problem user
files ~ # echo "stop-debug 5" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 6" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 6
files ~ # # printing page from problem user
files ~ # echo "stop-debug 6" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 7" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 7
files ~ # # printing page from problem user
files ~ # echo "stop-debug 7" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 8" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 8
files ~ # # printing page from problem user
files ~ # echo "stop-debug 8" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 9" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 9
files ~ # # printing page from problem user
files ~ # echo "stop-debug 9" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 9" >> /var/log/samba/log.vipiska1
files ~ # echo "stop-debug 9" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 10" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 10
files ~ # # printing page from problem user
files ~ # echo "stop-debug 10" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 0
files ~ # smbcontrol smbd debug 1
files ~ # echo "start-debug 10" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 10
files ~ # smbcontrol smbd debug 0
===========bash==============================
After these steps I got a log (attachment log.vipiska1).

These logs contain very interesting lines:
===========bash==============================
   Got user=[] domain=[] workstation=[VIPISKA1] len1=1 len2=0
[2011/09/09 11:46:06.139244,  3] auth/auth.c:216(check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user []\[]@[VIPISKA1] with the new password interface
[2011/09/09 11:46:06.139290,  3] auth/auth.c:219(check_ntlm_password)
   check_ntlm_password:  mapped user is: [FILES]\[]@[VIPISKA1]
[2011/09/09 11:46:06.139334,  3] auth/auth_winbind.c:54(check_winbind_security)
   check_winbind_security: Not using winbind, requested domain [FILES] was for this SAM.
[2011/09/09 11:46:06.139370,  2] auth/auth.c:314(check_ntlm_password)
   check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
===========bash==============================
Samba does not show the user (Samba user [] -> [] FAILED with error
NT_STATUS_NO_SUCH_USER), but why?
Please help!
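
An added example, not part of the original post: a small parser for the smbd log format quoted above that tallies NT_STATUS failures per logging function and lists workstations whose session setup arrived with an empty user and domain. The sample entries are constructed from lines quoted in the post, and the names parse_entries and summarize belong to this example only.

```python
import re
from collections import Counter

# Header of a Samba 3.x log entry: "[date time,  level] file.c:line(function)"
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*(\d+)\]\s+\S+:\d+\((\w+)\)\s*$")
STATUS = re.compile(r"NT_STATUS_[A-Z_]+")
# Session setup with empty user and domain, e.g. "[]\[]@[VIPISKA1]"
EMPTY_USER = re.compile(r"\[\]\\\[\]@\[([^\]]+)\]")

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": int(m.group(2)),
                            "func": m.group(3), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def summarize(entries):
    """Count (function, status) pairs and collect hosts sending empty credentials."""
    statuses = Counter()
    empty_cred_hosts = set()
    for e in entries:
        for status in STATUS.findall(e["msg"]):
            statuses[(e["func"], status)] += 1
        m = EMPTY_USER.search(e["msg"])
        if m:
            empty_cred_hosts.add(m.group(1))
    return statuses, sorted(empty_cred_hosts)

# Constructed sample: entries quoted in the post, with mail line-wrapping undone.
SAMPLE = r"""[2011/09/08 12:54:41.805370,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/09/08 12:54:41.893536,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/09/09 11:46:06.139244,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[]@[VIPISKA1] with the new password interface
[2011/09/09 11:46:06.139370,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
"""

if __name__ == "__main__":
    statuses, hosts = summarize(parse_entries(SAMPLE))
    for (func, status), n in statuses.most_common():
        print(f"{n:3d}  {func}: {status}")
    print("empty-credential session setups from:", ", ".join(hosts))
```

With `log file = /var/log/samba/log.%m` as in the configuration above, each client machine has its own log file, so the summary can be produced per file and compared between affected and unaffected workstations.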

