[Samba] win 7 client can't map drive: getpeername failed
Ed Strong
eds3141 at gmail.com
Tue May 14 07:37:16 MDT 2013
Thanks so much gaiseric for your continued help,
Your advice was spot on and I have found the issue in the Windows 7
security settings. Not sure how it happened as a bad client was imaged
from a good client.
I'd already tweaked the "Network Security: LAN Manager authentication
level" to 'Send LM & NTLM - use NTLMv2 session security if negotiated' but
on closer examination I found several other differences. The 4 changes that
got me working were:
1: Microsoft network client: Digitally sign communications (always) = Disabled
2: Network access: Do not allow anonymous enumeration of SAM accounts and shares = Disabled
3: Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = Require 128-bit encryption
4: Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = Require 128-bit encryption
though I suspect just changes 1: and 3: would have been enough.
Once again thanks for all your input.
Ed
On 13 May 2013 15:59, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
> That suggests either a configuration difference with some of the win 7
> machines or a difference with some of the AD accounts for the machines.
>
> On the NAS, does the "getent passwd" command display user and machine
> accounts? Is it maybe showing only some machine accounts and not
> others? It might be possible that samba has been unable to account an
> idmap entry for newer machines. Although I would think this would
> affect authentication issues, not connection issues. I have found
> idmapping to be one of the less reliable functions in samba.
>
> Are all the Win 7 machines configured with identical network settings
> (apart from the IP address itself of course)? This should be the case if
> you use DHCP.
> Are there any security settings on the problem Win 7 machines that are
> different? If you use gpedit.msc -> computer -> security settings, you
> may want to review things like NTLMv2 settings. Are all the machine
> accounts in the same AD container?
>
> If this is all AD, then you should not need to use WINS. Although it
> may also help resolve confusion about which machine is the local master
> browser. Which shouldn't really matter either. I use samba 3.x as a
> non-AD PDC so the WINS and browser stuff is more important.
>
> If the Microsoft server is the AD PDC it may expect to be the local master
> browser. I think there can only be one local master browser per
> subnet. And if you look thru the nmbd logs (?) on the NAS as well as the
> logs on the Win 2008 server, you may see results of a browser
> election.
>
>
> the "testparm -v" will show you all the config settings, including those
> set by default even if not explicitly set in smb.conf
>
>
> On 05/13/13 08:44, Ed Strong wrote:
>
> Hi,
>
> all XP clients work fine. As do most win 7 clients. Just a handful of
> win7 clients have this issue.
>
> We only have one Microsoft server: 2008 R2, it does not have the WINS
> server feature installed.
> The qnap box is called saturn and is a member of the domain
> telnet saturn 139
> results in blank screen, blinking cursor so port open I guess.
> NAS uses our Microsoft server for its DNS and registers itself in DNS
> Also on the NAS I have:
> Enable WINS server NOT checked
> Local master browser checked
> Allow only NTLMv2 authentication NOT checked
> DNS has a reverse lookup zone with a PTR record for client
>
>
> This is my foray into samba so I'm not familiar with the config file
> structure but here is the global
> section:
>
> [global]
> log level = 3
> passdb backend = smbpasswd
> workgroup = OUR_DOMAIN
> security = ADS
> server string =
> encrypt passwords = Yes
> username level = 0
> map to guest = Bad User
> null passwords = yes
> max log size = 50
> socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=262144 SO_RCVBUF=131072
> os level = 20
> preferred master = no
> dns proxy = No
> smb passwd file=/etc/config/smbpasswd
> username map = /etc/config/smbusers
> guest account = guest
> directory mask = 0777
> create mask = 0777
> oplocks = yes
> locking = yes
> disable spoolss = yes
> load printers = no
> display charset = UTF8
> force directory security mode = 0000
> veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
> delete veto files = yes
> map archive = no
> map system = no
> map hidden = no
> map read only = no
> deadtime = 10
> use sendfile = yes
> unix extensions = no
> store dos attributes = yes
> client ntlmv2 auth = yes
> dos filetime resolution = no
> inherit acls = yes
> wide links = yes
> force unknown acl user = yes
> template homedir = /share/homes/DOMAIN=%D/%U
> domain logons = no
> min receivefile size = 4096
> case sensitive = auto
> domain master = auto
> local master = yes
> enhance acl v1 = yes
> remove everyone = yes
> kernel oplocks = no
> mangled names = no
> realm = OUR_DOMAIN.local
> password server = SERVER.OUR_DOMAIN.local
> pam password change = yes
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 3600
> idmap uid = 400001-500000
> idmap gid = 400001-500000
> idmap config OUR_DOMAIN : backend = rid
> idmap config OUR_DOMAIN : range = 10000001-20000000
> wins support = no
> name resolve order = host bcast
>
>
>
> On 10 May 2013 16:19, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>
>> Are XP clients having the same problem? Trying with an XP client
>> would help indicate if there was something specific to XP. (I skipped
>> vista.)
>>
>>
>> Can you check in smb.conf
>> - is the server a member server, AD member server, standalone
>> server, or domain controller.
>> - Are ports explicitly defined
>> - how is name resolution configured?
>> - is NTLMv2 required (I couldn't get NTLMv2 support working.)
>>
>>
>> Domain membership shouldn't matter at this point since you aren't even
>> getting to the authentication phase.
>>
>> Can you telnet port 139 to make sure it is open?
>>
>>
>> Do you have a WINS server defined? If so make sure client and NAS are
>> using the same WINS server. Is your NAS configured to use a DNS server?
>> Do you have a reverse lookup zone defined in DNS? The NAS may be trying
>> to do a reverse lookup on the IP of the client. There doesn't need to be
>> a PTR entry for the client but you at least want the zone. If DNS
>> tries to lookup an IP and gets an immediate "host not found" that is OK.
>> If it times out because it can't even locate a DNS server then that could
>> cause problems for other services dependent on DNS.
>>
>> On 05/10/13 10:58, Ed Strong wrote:
>>
>>> Hi,
>>>
>>> Thanks for the info, I'm replying to you in gmail to samba at lists.samba.org,
>>> hope that is correct ?
>>>
>>> Yes I can edit the config file on the NAS
>>>
>>> Looking at the network packets all communication to NAS seems to be on port
>>> microsoft-ds (445)
>>> I can't see any traffic on ports 137/138/139
>>>
>>> If I use the IP I get exactly the same error :(
>>>
>>>
>>> On 10 May 2013 15:01, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>>>
>>>> I think the "Error was Transport endpoint is not connected" warnings are
>>>> sometimes misleading. Do you have any control over the samba config
>>>> (smb.conf) on the NAS ? On regular samba installs, changing the default
>>>> port settings can cause more problems.
>>>>
>>>> Windows 7 will try to connect on port 445 (SMB or CIFS over tcp/ip), and
>>>> will then reconnect to ports 137/138/139 (SMB over netbios over tcp/ip)
>>>> since samba 3.x doesn't handle the newer SMB-over-tcp/ip. Disabling
>>>> 445 on the server seems to cause more problems than it solves.
>>>>
>>>>
>>>> Are you able to connect via IP ? e.g net use \\qnap_ip\share ?
>>>>
>>>> I had problems in the past when I disabled port 445 on samba servers.
>>>> Remote users (no netbios broadcasts permitted) could connect via IP but
>>>> not via name. For the name only connections, packet monitoring would
>>>> show packets getting thru the server but the exchange between client
>>>> and server not being completed. For clients connecting via IP, the client
>>>> would send packets to server, server respond, and then clients responded.
>>>>
>>>>
>>>> On 05/07/13 03:53, Ed Strong wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm re-posting this (with some more info) as I don't think the original got
>>>>> through as I wasn't signed up to the samba list.
>>>>>
>>>>> This is my first foray in samba (and newsgroups) so go easy :)
>>>>> I've started reading the O'Reilly samba book but finding it hard going.
>>>>>
>>>>> Anyway I'm trying to map a network drive from a windows 7 pro client to a
>>>>> QNAP NAS with the command:
>>>>> net use s: \\qnap\share
>>>>>
>>>>> I've posted on several forums and got good advice but the problem remains.
>>>>> Rather than repost all the detail, please see my original posts:
>>>>>
>>>>> http://forum.qnap.com/viewtopic.php?f=185&t=74639
>>>>> http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/11d35b0c-ac95-489f-b5d1-0486b9774603
>>>>> http://www.edugeek.net/forums/windows-7/112309-map-network-drive-nas-but-get-error-64-58-a.html
>>>>>
>>>>>
>>>>>
>>>>> I've managed to ssh onto the QNAP via putty and found this in the logs
>>>>> (getpeername failed)
>>>>>
>>>>> [/var/log] # pwd
>>>>> /var/log
>>>>> [/var/log] # tail -f log.smbd
>>>>> [2013/05/01 09:36:17.135999, 0] lib/util_sock.c:474(read_fd_with_timeout)
>>>>> [2013/05/01 09:36:17.136096, 0] lib/util_sock.c:1440(get_peer_addr_internal)
>>>>>   getpeername failed. Error was Transport endpoint is not connected
>>>>>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>>>>> [2013/05/01 09:36:17.137700, 1] smbd/server.c:299(remove_child_pid)
>>>>>   Scheduled cleanup of brl and lock database after unclean shutdown
>>>>> [2013/05/01 09:36:17.178522, 1] smbd/service.c:1073(make_connection_snum)
>>>>>   172.24.120.139 (172.24.120.139) connect to service Staff initially as user DOMAIN+admin (uid=10001423, gid=10000514) (pid 25771)
>>>>> [2013/05/01 09:36:17.179093, 0] lib/util_sock.c:474(read_fd_with_timeout)
>>>>> [2013/05/01 09:36:17.179173, 0] lib/util_sock.c:1440(get_peer_addr_internal)
>>>>>   getpeername failed. Error was Transport endpoint is not connected
>>>>>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>>>>> [2013/05/01 09:36:17.179289, 1] smbd/service.c:1254(close_cnum)
>>>>>   172.24.120.139 (172.24.120.139) closed connection to service Staff
>>>>> [2013/05/01 09:36:37.142714, 1] smbd/server.c:272(cleanup_timeout_fn)
>>>>>   Cleaning up brl and lock database after unclean shutdown
>>>>>
>>>>>
>>>>> The QNAP's samba version appears to be 3.5.2:
>>>>>
>>>>> [/var/log] # ps -ef | grep smb
>>>>> 4016 admin 3104 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>> 4017 admin 3728 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>> 4366 admin 1840 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>> 4877 admin 3300 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>> 4902 admin 3952 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>> 4978 admin 4132 S /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
>>>>> 4979 admin 3356 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>> 4980 admin 1224 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>> 4995 admin 1016 S /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
>>>>> 5063 admin 2068 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>> 9509 admin 1664 S /usr/local/samba/sbin/nmbd -l /var/log -D -s /etc/config/smb.conf
>>>>> 25540 admin 544 S grep smb
>>>>> [/var/log] # /usr/local/samba/sbin/smbd -V
>>>>> Version 3.5.2
>>>>>
>>>>>
>>>>> I've also installed MS network monitor on two clients and did a capture
>>>>> whilst running the command
>>>>> net use s:\ \\saturn\staff
>>>>>
>>>>> I've posted three screenshots here:
>>>>>
>>>>> https://plus.google.com/photos/108734482620454690509/albums/5875135861918839393?authkey=CJ3lwKu2xJqMyQE
>>>>>
>>>>>
>>>>>
>>>>> Basically, Worked.png shows the SMB frames on a PC where the net use
>>>>> command worked
>>>>> and Failed.png shows the SMB frames on a PC where the net use command did
>>>>> not work
>>>>>
>>>>> It looks to me like the first 6 SMB frames are identical. Then things start
>>>>> to change
>>>>>
>>>>> On the working client we continue with frame 10113 which is a
>>>>> Dfsc: Get DFS Referral Request
>>>>>
>>>>> but the failing client continues with some TCP frames (see
>>>>> tcp-frames154-157.png) 154 to 157
>>>>> before it seems to start the negotiation again at frame 158
>>>>> Not sure how to troubleshoot this further so any advice welcome.
>>>>>
>>>>> Thanks
>>>>> Ed
>>>>>
>>>>> PS I initially tried to post this on google group linux.samba but was
>>>>> rejected by the moderation robot which said "Please submit your message
>>>>> to the mailing list address".
>>>>> I did this with attached png's but failed due to file size so hopefully
>>>>> 3rd time lucky!
>>>>>
>>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>
>
>
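
Added example, not part of the original thread: one way to find which of the policy values named in the top message differ between a working and a failing client is to run `secedit /export /cfg <file>` on each and compare the `[Registry Values]` sections. The registry paths mapped to each policy name and the two sample exports are assumptions constructed for illustration.

```python
LSA = r"machine\system\currentcontrolset\control\lsa"
WATCHED = {  # registry value as secedit writes it (lower-cased) -> policy name
    LSA + r"\lmcompatibilitylevel":
        "Network security: LAN Manager authentication level",
    r"machine\system\currentcontrolset\services\lanmanworkstation\parameters"
    r"\requiresecuritysignature":
        "Microsoft network client: Digitally sign communications (always)",
    LSA + r"\restrictanonymous":
        "Network access: Do not allow anonymous enumeration of SAM accounts and shares",
    LSA + r"\msv1_0\ntlmminclientsec":
        "Network security: Minimum session security for NTLM SSP based clients",
    LSA + r"\msv1_0\ntlmminserversec":
        "Network security: Minimum session security for NTLM SSP based servers",
}

def parse_registry_values(inf_text):
    """Return {registry path (lower-case): value} from the [Registry Values] section."""
    values, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
        elif in_section and "=" in line:
            path, _, data = line.partition("=")   # data looks like "4,1" (4 = REG_DWORD)
            values[path.strip().lower()] = data.partition(",")[2].strip().strip('"')
    return values

def diff_policies(good_inf, bad_inf):
    """List (policy name, good value, bad value) for watched settings that differ."""
    good, bad = parse_registry_values(good_inf), parse_registry_values(bad_inf)
    return [(name, good.get(path), bad.get(path))
            for path, name in WATCHED.items() if good.get(path) != bad.get(path)]

# Constructed sample export (not taken from the thread), filled in per client below.
TEMPLATE = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,{anon}
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,{sec}
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,{sec}
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,{sign}
"""
GOOD = TEMPLATE.format(anon=0, sec=0x20000000, sign=0)  # values the post reports as working
BAD = TEMPLATE.format(anon=1, sec=0x20080000, sign=1)   # constructed differences

if __name__ == "__main__":
    for name, good, bad in diff_policies(GOOD, BAD):
        print(f"{name}: good={good} bad={bad}")
```

secedit writes its export as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing the text to `diff_policies`.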