[Samba] Fwd: After a few time lost access to the Samba server (server samba - a member of the AD Win2k3)

Kramarenko A. Maksim Mc.Sim at k-max.name
Mon Sep 12 06:18:22 MDT 2011


Who would have thought ....
The problem was the presence of a CNAME record for the current server in DNS.

Sorry for my English ...


Kramarenko A. Maksim  <Mc.Sim at k-max.name> wrote in their message of Fri, 09 Sep 2011 22:49:25 +0400:

> A small addition:
> When access to the server by name is lost, access by IP address, for example \\10.0.0.11\, is granted.
>
> Kramarenko A. Maksim  <Mc.Sim at k-max.name> wrote in their message of Fri, 09 Sep 2011 15:51:21 +0400:
>
>> Hello!
>> I have been struggling with a Samba problem for a long time and would
>> appreciate your help!
>>
>> Problem:
>> After some time working with files on the file server, access to that
>> server is unexpectedly lost. When you try to access the server using Windows
>> Explorer, a login/password window appears. When you enter a correct username
>> and password, the same login/password window appears again. This problem
>> can occur for some domain users who work on specific computers. Other users
>> work "round the clock" without failures. For example, on one computer 2 users
>> work in shifts. The problem occurs for one user but not for the second.
>> Accordingly, network printing and file access both drop out. After rebooting
>> the user's computer, or just logging out and back in, access is restored.
>>
>> Configuration:
>> Samba authenticates against the domain via winbind. Clients are mostly WinXP.
>> Distribution and Samba version:
>> ===========bash==============================
>> files ~ # cat /etc/debian_version
>> 6.0.2
>> files ~ # uname -a
>> Linux files 2.6.32-5-686 #1 SMP Mon Jun 13 04:13:06 UTC 2011 i686 GNU/Linux
>> files ~ # dpkg -l | grep samba
>> ii  samba                              2:3.5.6~dfsg-3squeeze4       SMB/CIFS file, print, and login server for Unix
>> ii  samba-common                       2:3.5.6~dfsg-3squeeze4       common files used by both the Samba server and client
>> ii  samba-common-bin                   2:3.5.6~dfsg-3squeeze4       common files used by both the Samba server and client
>> files ~ # dpkg -l | grep winbi
>> ii  libwbclient0                       2:3.5.6~dfsg-3squeeze4       Samba winbind client library
>> ii  winbind                            2:3.5.6~dfsg-3squeeze4       Samba nameservice integration server
>> ===========bash==============================
>> Samba and network configuration:
>> ===========bash==============================
>> files ~ # testparm -s
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
>> Processing section "[printers]"
>> Processing section "[print$]"
>> Processing section "[homes]"
>> Processing section "[backup$]"
>> Processing section "[install$]"
>> ......
>> Loaded services file OK.
>> WARNING: You have some share names that are longer than 12 characters.
>> These may not be accessible to some older clients.
>> (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
>> Server role: ROLE_DOMAIN_MEMBER
>> [global]
>>              workgroup = SAG
>>              realm = SAG.LOCAL
>>              server string = Файловый сервер
>>              security = ADS
>>              auth methods = winbind
>>              obey pam restrictions = Yes
>>              password server = dc.sag.local dc2.sag.local
>>              username map = /etc/samba/userssmb
>>              log file = /var/log/samba/log.%m
>>              smb ports = 139
>>              lpq cache time = 5
>>              socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>              usershare path =
>>              panic action = /usr/share/samba/panic-action %d
>>              idmap uid = 10000-20000
>>              idmap gid = 10000-20000
>>              template homedir = /backup/SAG/%U
>>              winbind separator = ^
>>              winbind cache time = 600
>>              winbind enum users = Yes
>>              winbind enum groups = Yes
>>              winbind use default domain = Yes
>>              winbind refresh tickets = Yes
>>              winbind offline logon = Yes
>>              cups options = raw
>>              veto files = /autorun.inf/AUTORUN.INF/.*/Thumbs.db/
>>              hide files = /$RECYCLE.BIN/desktop.ini/lost+found/Thumbs.db/
>>
>> [printers]
>>              comment = Очередь печати SMB
>>              path = /var/spool/samba
>>              printable = Yes
>>              browseable = No
>>
>> [print$]
>>              comment = Драйверы принтера
>>              path = /var/lib/samba/printers
>>
>> [homes]
>>              comment = Личная папка пользователя %U
>>              read only = No
>>              browseable = No
>>
>> [backup$]
>>              comment = Инсталяхи
>>              path = /shares/backup
>>              read only = No
>>
>> [install$]
>>              comment = Инсталяхи
>>              path = /shares/install
>>              read only = No
>>              veto files =
>> files ~ # cat /etc/nsswitch.conf
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat winbind
>>
>> hosts:          files dns wins
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>> files ~ # cat /etc/resolv.conf
>> domain SAG.local
>> search SAG.local
>> nameserver 10.0.0.1
>> nameserver 10.0.0.4
>> files ~ # ifconfig eth4
>> eth4      Link encap:Ethernet  HWaddr 00:04:23:a6:19:c8
>>                inet addr:10.0.0.11  Bcast:10.0.0.255  Mask:255.255.255.0
>>                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>                RX packets:293175177 errors:0 dropped:0 overruns:0 frame:0
>>                TX packets:205770240 errors:0 dropped:0 overruns:0 carrier:0
>>                collisions:0 txqueuelen:1000
>>                RX bytes:320660917 (305.8 MiB)  TX bytes:677293276 (645.9 MiB)
>> files ~ # cat /etc/hosts
>> 127.0.0.1       localhost
>> 127.0.1.1       files.SAG.local files
>> ===========bash==============================
>> Logs:
>> For problem users there are a lot of these messages in the log at debug level 1:
>> ===========bash==============================
>> [2011/09/08 12:54:41.805370,  1]
>> smbd/sesssetup.c:332(reply_spnego_kerberos)
>>        Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>> [2011/09/08 12:54:41.893536,  1]
>> smbd/sesssetup.c:332(reply_spnego_kerberos)
>>        Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>> ===========bash==============================
>> All the diagnostic commands (wbinfo -u, wbinfo -g, wbinfo -t, getent passwd
>> domain_user_name, net ads info) work without any problems. Time is
>> synchronized by cron every hour with the command "net time set", so the
>> possibility of time divergence is irrelevant.
>> At the moment access to the server was lost, I ran "smbcontrol smbd
>> debug 3". When you try to access the server at debug level 3, the log gets the
>> following (attachment log.scan2).
>>
>> These logs contain a very interesting line:
>> ===========bash==============================
>> [2011/09/08 15:33:26.776661,  3]
>> smbd/sesssetup.c:1232(reply_sesssetup_and_X_spnego)
>>        NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
>> ===========bash==============================
>> PrimaryDomain=[] has lost the domain name,
>> as well as these lines:
>> ===========bash==============================
>> [2011/09/08 15:33:26.773385,  3] smbd/negprot.c:586(reply_negprot)
>>        Requested protocol [PC NETWORK PROGRAM 1.0]
>> [2011/09/08 15:33:26.773514,  3] smbd/negprot.c:586(reply_negprot)
>>        Requested protocol [LANMAN1.0]
>> [2011/09/08 15:33:26.773583,  3] smbd/negprot.c:586(reply_negprot)
>>        Requested protocol [Windows for Workgroups 3.1a]
>> [2011/09/08 15:33:26.773698,  3] smbd/negprot.c:586(reply_negprot)
>>        Requested protocol [LM1.2X002]
>> [2011/09/08 15:33:26.773792,  3] smbd/negprot.c:586(reply_negprot)
>>        Requested protocol [LANMAN2.1]
>> [2011/09/08 15:33:26.773891,  3] smbd/negprot.c:586(reply_negprot)
>>        Requested protocol [NT LM 0.12]
>> [2011/09/08 15:33:26.774805,  3] smbd/negprot.c:404(reply_nt1)
>>        using SPNEGO
>> [2011/09/08 15:33:26.774949,  3] smbd/negprot.c:691(reply_negprot)
>>        Selected protocol NT LM 0.12
>> [2011/09/08 15:33:26.776019,  3] smbd/process.c:1485(process_smb)
>>        Transaction 1 of length 1352 (0 toread)
>> ===========bash==============================
>> Samba somehow goes through the protocols to access shared resources on ....
>> But why this is happening is unclear.
>>
>> At the next loss of access to the server, I gradually increased the debug
>> level from 4 to 10, marking each change in the log with the message echo
>> "start-debug number_debug" >> log. I tried to print an Excel
>> spreadsheet on a shared printer:
>> ===========bash==============================
>> files ~ # echo "start-debug 4" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 4
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 4" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 5" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 5
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 5" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 6" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 6
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 6" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 7" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 7
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 7" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 8" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 8
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 8" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 9" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 9
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 9" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 9" >> /var/log/samba/log.vipiska1
>> files ~ # echo "stop-debug 9" >> /var/log/samba/log.vipiska1
>> files ~ # echo "start-debug 10" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 10
>> files ~ # # printing page from problem user
>> files ~ # echo "stop-debug 10" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 0
>> files ~ # smbcontrol smbd debug 1
>> files ~ # echo "start-debug 10" >> /var/log/samba/log.vipiska1
>> files ~ # smbcontrol smbd debug 10
>> files ~ # smbcontrol smbd debug 0
>> ===========bash==============================
>> After these steps I got a log (attachment log.vipiska1).
>>
>> These logs contain a very interesting line:
>> ===========bash==============================
>>        Got user=[] domain=[] workstation=[VIPISKA1] len1=1 len2=0
>> [2011/09/09 11:46:06.139244,  3] auth/auth.c:216(check_ntlm_password)
>>        check_ntlm_password:  Checking password for unmapped user []\[]@[VIPISKA1] with the new password interface
>> [2011/09/09 11:46:06.139290,  3] auth/auth.c:219(check_ntlm_password)
>>        check_ntlm_password:  mapped user is: [FILES]\[]@[VIPISKA1]
>> [2011/09/09 11:46:06.139334,  3] auth/auth_winbind.c:54(check_winbind_security)
>>        check_winbind_security: Not using winbind, requested domain [FILES] was for this SAM.
>> [2011/09/09 11:46:06.139370,  2] auth/auth.c:314(check_ntlm_password)
>>        check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
>> ===========bash==============================
>> Samba does not show the user (Samba user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER), but why?
>> Help please!


-- 
Best regards,
Kramarenko Maksim Anatolyevich.
http://www.k-max.name/
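
Added example, not part of the original message: a Python sketch that parses smbd log text in the layout quoted above and counts the two signatures from this thread, a Kerberos ticket rejected in reply_spnego_kerberos and an NTLM attempt with an empty user name, per workstation. The sample log is constructed from the quoted lines (the last record's timestamp is made up), and the function names are this example's own.

```python
import re

# Constructed sample in the smbd log layout quoted in the message: a header
# "[timestamp, level] file:line(function)", possibly wrapped, then indented text.
SAMPLE_LOG = r"""[2011/09/08 12:54:41.805370,  1]
smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/09/09 11:46:06.139244,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[]@[VIPISKA1] with the new password interface
[2011/09/09 11:46:06.139370,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/09/09 11:47:10.000000,  3] smbd/negprot.c:691(reply_negprot)
  Selected protocol NT LM 0.12
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
EMPTY_USER = re.compile(r"unmapped user \[\]\\\[\]@\[([^\]]*)\]")

def parse_records(text):
    """Return a list of records: dicts with ts, level, where and msg keys."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group(1), "level": int(m.group(2)),
                   "where": m.group(3).strip(), "msg": ""}
            records.append(cur)
        elif cur is not None and line.strip():
            if not cur["where"] and not line[0].isspace():
                cur["where"] = line.strip()   # header wrapped onto a second line
            else:
                cur["msg"] = (cur["msg"] + " " + line.strip()).strip()
    return records

def summarize(text):
    """Count rejected Kerberos tickets and empty-user NTLM attempts per workstation."""
    out = {"krb_ticket_rejected": 0, "empty_user_ntlm": {}}
    for r in parse_records(text):
        if ("reply_spnego_kerberos" in r["where"]
                and "Failed to verify incoming ticket" in r["msg"]):
            out["krb_ticket_rejected"] += 1
        m = EMPTY_USER.search(r["msg"])
        if m:
            ws = m.group(1)
            out["empty_user_ntlm"][ws] = out["empty_user_ntlm"].get(ws, 0) + 1
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Because the configuration above writes one log per client (log file = /var/log/samba/log.%m), running summarize over each file shows which workstations produce both signatures.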

