[Samba] Fwd: After a few time lost access to the Samba server (server samba - a member of the AD Win2k3)
Kramarenko A. Maksim
Mc.Sim at k-max.name
Mon Sep 12 06:18:22 MDT 2011
Who would have thought ....
The problem was the presence of a CNAME record for the current server in DNS.
Sorry for my English ...
Kramarenko A. Maksim <Mc.Sim at k-max.name> wrote in his message of Fri, 09 Sep 2011 22:49:25 +0400:
> A small addition:
> When access to the server by name is lost, accessing the server by IP address, for example \\10.0.0.11\, still works: access is granted.
>
> Kramarenko A. Maksim <Mc.Sim at k-max.name> wrote in his message of Fri, 09 Sep 2011 15:51:21 +0400:
>
>> Hello!
>> I have been struggling with a problem with SAMBA for a long time, and I would
>> appreciate your help!
>>
>> Problem:
>> After some time working with files on the file server, access to that
>> server is unexpectedly lost. When you try to access the server using Windows
>> Explorer, a login / password window appears. When you enter a correct username
>> / password, the same login / password window appears again. This problem
>> occurs for some domain users who work on specific computers. Other users
>> work "round the clock" without failure. For example, on one computer 2nd
>> shift users work. The problem occurs for one user, but not for the second.
>> Accordingly, network printing and file access drop off. After rebooting the
>> user's computer, or just logging out and back in, access is restored.
>>
>> Configuration:
>> Samba authenticates in the domain via winbind. Clients are mostly WinXP.
>> Distribution and Samba version:
>> ===========bash==============================
>> files ~ # cat /etc/debian_version
>> 6.0.2
>> files ~ # uname -a
>> Linux files 2.6.32-5-686 #1 SMP Mon Jun 13 04:13:06 UTC 2011 i686 GNU/Linux
>> files ~ # dpkg -l | grep samba
>> ii samba 2:3.5.6~dfsg-3squeeze4 SMB/CIFS file, print, and login server for Unix
>> ii samba-common 2:3.5.6~dfsg-3squeeze4 common files used by both the Samba server and client
>> ii samba-common-bin 2:3.5.6~dfsg-3squeeze4 common files used by both the Samba server and client
>> files ~ # dpkg -l | grep winbi
>> ii libwbclient0 2:3.5.6~dfsg-3squeeze4 Samba winbind client library
>> ii winbind 2:3.5.6~dfsg-3squeeze4 Samba nameservice integration server
>> ===========bash==============================
>> Samba and network config:
>> ===========bash==============================
>> files ~ # testparm -s
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
>> Processing section "[printers]"
>> Processing section "[print$]"
>> Processing section "[homes]"
>> Processing section "[backup$]"
>> Processing section "[install$]"
>> ......
>> Loaded services file OK.
>> WARNING: You have some share names that are longer than 12 characters.
>> These may not be accessible to some older clients.
>> (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
>> Server role: ROLE_DOMAIN_MEMBER
>> [global]
>> workgroup = SAG
>> realm = SAG.LOCAL
>> server string = Файловый сервер
>> security = ADS
>> auth methods = winbind
>> obey pam restrictions = Yes
>> password server = dc.sag.local dc2.sag.local
>> username map = /etc/samba/userssmb
>> log file = /var/log/samba/log.%m
>> smb ports = 139
>> lpq cache time = 5
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> usershare path =
>> panic action = /usr/share/samba/panic-action %d
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> template homedir = /backup/SAG/%U
>> winbind separator = ^
>> winbind cache time = 600
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind refresh tickets = Yes
>> winbind offline logon = Yes
>> cups options = raw
>> veto files = /autorun.inf/AUTORUN.INF/.*/Thumbs.db/
>> hide files = /$RECYCLE.BIN/desktop.ini/lost+found/Thumbs.db/
>>
>> [printers]
>> comment = Очередь печати SMB
>> path = /var/spool/samba
>> printable = Yes
>> browseable = No
>>
>> [print$]
>> comment = Драйверы принтера
>> path = /var/lib/samba/printers
>>
>> [homes]
>> comment = Личная папка пользователя %U
>> read only = No
>> browseable = No
>>
>> [backup$]
>> comment = Инсталяхи
>> path = /shares/backup
>> read only = No
>>
>> [install$]
>> comment = Инсталяхи
>> path = /shares/install
>> read only = No
>> veto files =
>> files ~ # cat /etc/nsswitch.conf
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat winbind
>>
>> hosts: files dns wins
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> netgroup: nis
>> files ~ # cat /etc/resolv.conf
>> domain SAG.local
>> search SAG.local
>> nameserver 10.0.0.1
>> nameserver 10.0.0.4
>> files ~ # ifconfig eth4
>> eth4 Link encap:Ethernet HWaddr 00:04:23:a6:19:c8
>> inet addr:10.0.0.11 Bcast:10.0.0.255 Mask:255.255.255.0
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:293175177 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:205770240 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:320660917 (305.8 MiB) TX bytes:677293276 (645.9 MiB)
>> files ~ # cat /etc/hosts
>> 127.0.0.1 localhost
>> 127.0.1.1 files.SAG.local files
>> ===========bash==============================
>> Logs:
>> Problem users have a lot of these messages in the log at debug level 1:
>> ===========bash==============================
>> [2011/09/08 12:54:41.805370, 1]
>> smbd/sesssetup.c:332(reply_spnego_kerberos)
>> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>> [2011/09/08 12:54:41.893536, 1]
>> smbd/sesssetup.c:332(reply_spnego_kerberos)
>> Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>> ===========bash==============================
>> All the diagnostic commands (wbinfo -u, wbinfo -g, wbinfo -t, getent passwd
>> domain_user_name, net ads info) work without any problems. Time is
>> synchronized by cron every hour with the command "net time set", so the
>> option of time divergence is irrelevant.
>> At the moment access to the server was lost, I ran "smbcontrol smbd
>> debug 3". When you try to access the server at debug level 3, the log gets
>> the following (attachment log.scan2).
>>
>> These logs contain a very interesting line:
>> ===========bash==============================
>> [2011/09/08 15:33:26.776661, 3]
>> smbd/sesssetup.c:1232(reply_sesssetup_and_X_spnego)
>> NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
>> ===========bash==============================
>> PrimaryDomain=[] has lost the domain name,
>> as well as these lines:
>> ===========bash==============================
>> [2011/09/08 15:33:26.773385, 3] smbd/negprot.c:586(reply_negprot)
>> Requested protocol [PC NETWORK PROGRAM 1.0]
>> [2011/09/08 15:33:26.773514, 3] smbd/negprot.c:586(reply_negprot)
>> Requested protocol [LANMAN1.0]
>> [2011/09/08 15:33:26.773583, 3] smbd/negprot.c:586(reply_negprot)
>> Requested protocol [Windows for Workgroups 3.1a]
>> [2011/09/08 15:33:26.773698, 3] smbd/negprot.c:586(reply_negprot)
>> Requested protocol [LM1.2X002]
>> [2011/09/08 15:33:26.773792, 3] smbd/negprot.c:586(reply_negprot)
>> Requested protocol [LANMAN2.1]
>> [2011/09/08 15:33:26.773891, 3] smbd/negprot.c:586(reply_negprot)
>> Requested protocol [NT LM 0.12]
>> [2011/09/08 15:33:26.774805, 3] smbd/negprot.c:404(reply_nt1)
>> using SPNEGO
>> [2011/09/08 15:33:26.774949, 3] smbd/negprot.c:691(reply_negprot)
>> Selected protocol NT LM 0.12
>> [2011/09/08 15:33:26.776019, 3] smbd/process.c:1485(process_smb)
>> Transaction 1 of length 1352 (0 toread)
>> ===========bash==============================
>> SAMBA somehow sorts through the protocols to access shared resources on ....
>> But why this is happening is unclear.
>>
>> At the next loss of access to the server, I gradually increased the debug
>> level from 4 to 10, and noted each action in the log with the message echo
>> "start-debug number_debug" >> log. I tried to print an Excel
>> spreadsheet on a shared printer:
>> ===========bash==============================
>> files ~ # echo "start-debug 4" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 4
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 4" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 5" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 5
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 5" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 6" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 6
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 6" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 7" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 7
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 7" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 8" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 8
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 8" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 9" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 9
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 9" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 9" >> /var/log/samba/log.vipiska1
>> files ~ # echo "stop-debug 9" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 10" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 10
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 10" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 0
>> files ~ # smbcontrol smbd debug 1
>> files ~ # echo "start-debug 10" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 10
>> files ~ # smbcontrol smbd debug 0
>> ===========bash==============================
>> After these steps I got a log (attachment log.vipiska1).
>>
>> These logs contain a very interesting line:
>> ===========bash==============================
>> Got user=[] domain=[] workstation=[VIPISKA1] len1=1 len2=0
>> [2011/09/09 11:46:06.139244, 3] auth/auth.c:216(check_ntlm_password)
>> check_ntlm_password: Checking password for unmapped user []\[]@[VIPISKA1] with the new password interface
>> [2011/09/09 11:46:06.139290, 3] auth/auth.c:219(check_ntlm_password)
>> check_ntlm_password: mapped user is: [FILES]\[]@[VIPISKA1]
>> [2011/09/09 11:46:06.139334, 3] auth/auth_winbind.c:54(check_winbind_security)
>> check_winbind_security: Not using winbind, requested domain [FILES] was for this SAM.
>> [2011/09/09 11:46:06.139370, 2] auth/auth.c:314(check_ntlm_password)
>> check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
>> ===========bash==============================
>> Samba does not show the user (samba user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER), but why?
>> Help please!
--
Best regards,
Kramarenko Maksim Anatolyevich.
http://www.k-max.name/
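
A log triage helper for the symptom in this thread, added here as an example (not code from the original post or from the Samba project): it parses smbd debug records in the format quoted above and lists the clients whose Kerberos tickets were rejected, which are the machines for which the server name they use should be checked against DNS for a CNAME record. The client names and sample lines are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Samba 3.x debug record: "[date time, level] file.c:line(function)", message on
# the next line(s). \s* also accepts headers that a mailer wrapped onto two lines.
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*"
                    r"[\w/.]+:\d+\((\w+)\)")
# Failure patterns quoted in the post: label -> (function, message regex).
PATTERNS = {
    "krb_ticket_rejected": ("reply_spnego_kerberos", r"Failed to verify incoming ticket"),
    "empty_ntlm_identity": ("check_ntlm_password", r"user \[\] -> \[\] FAILED"),
}

def parse_records(text):
    """Split a log into records with time, level, function and a one-line message."""
    heads = list(HEADER.finditer(text))
    bounds = [m.start() for m in heads[1:]] + [len(text)]
    return [{"time": m.group(1), "level": int(m.group(2)), "function": m.group(3),
             "message": " ".join(text[m.end():end].split())}
            for m, end in zip(heads, bounds)]

def classify(text):
    """Count the known failure patterns in one client's log."""
    counts = Counter()
    for rec in parse_records(text):
        for label, (func, rx) in PATTERNS.items():
            if rec["function"] == func and re.search(rx, rec["message"]):
                counts[label] += 1
    return counts

def affected_clients(logs):
    """Clients (%m in 'log file = .../log.%m') whose Kerberos tickets were rejected."""
    return sorted(c for c, t in logs.items() if classify(t)["krb_ticket_rejected"])

# Constructed sample modelled on the excerpts in the post; client names are invented.
SAMPLE_LOGS = {
    "pc-a": """\
[2011/09/08 12:54:41.805370,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/09/08 12:54:41.893536,  1]
smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/09/09 11:46:06.139370,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
""",
    "pc-b": "[2011/09/08 15:33:26.774949,  3] smbd/negprot.c:691(reply_negprot)\n"
            "  Selected protocol NT LM 0.12\n",
}
```

To use it on a real server, build the `logs` dictionary from the per-client files under `/var/log/samba/` and pass it to `affected_clients`.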