[Samba] win 7 client can't map drive: getpeername failed

Ed Strong eds3141 at gmail.com
Tue May 14 07:37:16 MDT 2013


Thanks so much gaiseric for your continued help,
Your advice was spot on and I have found the issue in the Windows 7
security settings. Not sure how it happened, as a bad client was imaged
from a good client.

I'd already tweaked the "Network Security: LAN Manager authentication
level" to 'Send LM & NTLM - use NTLMv2 session security if negotiated' but
on closer examination I found several other differences. The 4 changes that
got me working were:

1: Microsoft network client: Digitally sign communications (always) = Disabled
2: Network access: Do not allow anonymous enumeration of SAM accounts and shares = Disabled
3: Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = Require 128-bit encryption
4: Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = Require 128-bit encryption

though I suspect just changes 1:  and 3: would have been enough.

Once again thanks for all your input.
Ed
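
Added example (not part of the original message, and not Samba or Microsoft code): a Python script that compares the SMB signing and NTLM policy values in two `secedit /export /cfg` files, one from a working client and one from a failing client, which is the comparison that located the settings listed above. The registry value names are the standard ones behind those policies; both sample exports are constructed for illustration.

```python
# Added example: diff the SMB/NTLM policy values in two `secedit /export` files.
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
WKS = r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
WATCHED = {  # registry value behind each policy named in the message
    LSA + r"\LmCompatibilityLevel": "LAN Manager authentication level",
    WKS + r"\RequireSecuritySignature": "Client: digitally sign (always)",
    LSA + r"\RestrictAnonymous": "No anonymous enumeration of SAM accounts and shares",
    LSA + r"\MSV1_0\NTLMMinClientSec": "NTLM SSP minimum session security (clients)",
    LSA + r"\MSV1_0\NTLMMinServerSec": "NTLM SSP minimum session security (servers)",
}
NTLM_FLAGS = {0x00080000: "require NTLMv2 session security",
              0x20000000: "require 128-bit encryption"}

def parse_registry_values(inf_text):
    """Return {lowercased value path: int} from the [Registry Values] section."""
    values, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "registry values" and "=" in line:
            path, _, data = line.partition("=")
            reg_type, _, raw = data.partition(",")
            if reg_type.strip() == "4":  # 4 = REG_DWORD; other types are skipped
                values[path.strip().lower()] = int(raw.strip())
    return values

def describe(path, value):
    if value is None:
        return "not defined"
    if "ntlmmin" in path.lower():  # bit mask: decode the flags that are set
        return ", ".join(n for bit, n in NTLM_FLAGS.items() if value & bit) or "no minimum"
    return str(value)

def diff_policy(good_inf, bad_inf):
    """List (policy, good value, bad value) for watched settings that differ."""
    good, bad = parse_registry_values(good_inf), parse_registry_values(bad_inf)
    return [(label, describe(p, good.get(p.lower())), describe(p, bad.get(p.lower())))
            for p, label in WATCHED.items() if good.get(p.lower()) != bad.get(p.lower())]

# Constructed sample exports (not taken from the thread's machines).
GOOD_INF = "\n".join(["[Unicode]", "Unicode=yes", "[Registry Values]",
    LSA + r"\LmCompatibilityLevel=4,1", WKS + r"\RequireSecuritySignature=4,0",
    LSA + r"\RestrictAnonymous=4,0", LSA + r"\MSV1_0\NTLMMinClientSec=4,536870912",
    LSA + r"\MSV1_0\NTLMMinServerSec=4,536870912"])
BAD_INF = (GOOD_INF.replace("RequireSecuritySignature=4,0", "RequireSecuritySignature=4,1")
           .replace("NTLMMinClientSec=4,536870912", "NTLMMinClientSec=4,537395200"))

if __name__ == "__main__":
    for policy, good, bad in diff_policy(GOOD_INF, BAD_INF):
        print(f"{policy}: good={good} | bad={bad}")
```

On a real client each file comes from `secedit /export /cfg <file>`, which writes UTF-16 text, so open it with `encoding="utf-16"`; a policy that was never configured is absent from the export and is reported as "not defined".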



On 13 May 2013 15:59, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:

>  That suggests either a configuration difference with some of the win 7
> machines or a difference with some of the AD accounts for the machines.
>
> On the NAS, does the "getent passwd" command display user and machine
> accounts?   Is it maybe showing only some machine accounts and not
> others?  It might be possible that samba has been unable to account an
> idmap entry for newer machines.   Although I would think this would
> affect authentication issues, not connection issues.  I have found
> idmapping to be one of the less reliable functions in samba.
>
> Are all the Win 7 machines configured with identical network settings
> (apart from the IP address itself of course)?  This should be the case if
> you use DHCP.
> Are there any security settings on the problem Win 7 machines that are
> different?  If you use gpedit.msc -> computer -> security settings, you
> may want to review things like NTLMv2 settings.   Are all the machine
> accounts in the same AD container?
>
> If this is all AD, then you should not need to use WINS.     Although it
> may also help resolve confusion about which machine is the local master
> browser.    Which shouldn't really matter either.  I use samba 3.x as a
> non-AD PDC  so the WINS and browser stuff is more important.
>
> If the Microsoft server is the AD PDC it may expect to be the local master
> browser.   I think there can only be one local master browser per
> subnet.    And if you look thru the nmbd logs (?) on the NAS as well as the
> logs on the Win 2008 server, you may see results of a browser
> election.
>
>
> The "testparm -v" command will show you all the config settings, including
> those set by default even if not explicitly set in smb.conf.
>
>
> On 05/13/13 08:44, Ed Strong wrote:
>
>       Hi,
>
>  all XP clients work fine. As do most win 7 clients.  Just a handful of
> win7 clients have this issue.
>
> We only have one Microsoft server: 2008 R2, it does not have the WINS
> server feature installed.
>  The qnap box is called saturn and is a member of the domain
>    telnet saturn 139
>  results in blank screen, blinking cursor so port open I guess.
>  NAS uses our Microsoft server for its DNS and registers itself in DNS
>  Also on the NAS I have:
>    Enable WINS server NOT checked
>     Local master browser checked
>    Allow only NTLMv2 authentication NOT checked
>  DNS has a reverse lookup zone with a PTR record for client
>
>
>  This is my foray into samba so I'm not familiar with the config file
> structure but here is the global
> section:
>
> [global]
> log level = 3
> passdb backend = smbpasswd
> workgroup = OUR_DOMAIN
> security = ADS
> server string =
>         encrypt passwords = Yes
> username level = 0
>         map to guest = Bad User
> null passwords = yes
>         max log size = 50
> socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=262144 SO_RCVBUF=131072
> os level = 20
> preferred master = no
>         dns proxy = No
>         smb passwd file=/etc/config/smbpasswd
>         username map = /etc/config/smbusers
>         guest account = guest
>         directory mask = 0777
>         create mask = 0777
> oplocks = yes
>         locking = yes
>         disable spoolss = yes
>         load printers = no
> display charset = UTF8
> force directory security mode = 0000
> veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
>         delete veto files = yes
> map archive = no
> map system = no
> map hidden = no
> map read only = no
> deadtime = 10
> use sendfile = yes
> unix extensions = no
> store dos attributes = yes
> client ntlmv2 auth = yes
> dos filetime resolution = no
> inherit acls = yes
> wide links = yes
> force unknown acl user = yes
> template homedir = /share/homes/DOMAIN=%D/%U
> domain logons = no
> min receivefile size = 4096
> case sensitive = auto
> domain master = auto
> local master = yes
> enhance acl v1 = yes
> remove everyone = yes
> kernel oplocks = no
> mangled names = no
> realm = OUR_DOMAIN.local
> password server = SERVER.OUR_DOMAIN.local
> pam password change = yes
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 3600
> idmap uid = 400001-500000
> idmap gid = 400001-500000
> idmap config OUR_DOMAIN : backend = rid
> idmap config OUR_DOMAIN : range = 10000001-20000000
> wins support = no
> name resolve order = host bcast
>
>
>
> On 10 May 2013 16:19, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>
>> Are XP clients having the same problem?      Trying with an XP client
>> would help indicate if there was something specific to XP.    (I skipped
>> vista.)
>>
>>
>> Can you check in smb.conf
>>     -  is the server a member server, AD member server, standalone
>> server, or domain controller.
>>     -   Are ports explicitly defined
>>     -  how is name resolution configured?
>>    - is NTLMv2 required (I couldn't get NTLMv2 support working.)
>>
>>
>> Domain membership shouldn't matter at this point since you aren't even
>> getting to the authentication phase.
>>
>> Can you  telnet port 139 to make sure it is open?
>>
>>
>> Do you have a WINS server defined?    If so make sure client and NAS are
>> using the same WINS server.    Is your NAS configured to use a DNS server?
>> Do you have a reverse lookup zone defined in DNS?    The NAS may be trying
>> to do a reverse lookup on the IP of the client.   There doesn't need to be
>> a PTR entry for the client but you at least want the zone.     If DNS
>> tries to lookup an IP and gets an immediate "host not found"   that is OK.
>> If it times out because it can't even locate a DNS server then that could
>> cause problems for other services dependent on DNS.
>>
>>
>>
>> On 05/10/13 10:58, Ed Strong wrote:
>>
>>>  Hi,
>>>
>>> Thanks for the info, I'm replying to you in gmail to
>>> samba at lists.samba.org, hope that is correct?
>>>
>>> Yes I can edit the config file on the NAS
>>>
>>> Looking at the network packets all communication to NAS seems to be on
>>> port microsoft-ds (445)
>>> I can't see any traffic on ports 137/138/139
>>>
>>> If I use the IP I get exactly the same error :(
>>>
>>>
>>> On 10 May 2013 15:01, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
>>>
>>>> I think the "Error was Transport endpoint is not connected" warnings are
>>>> sometimes misleading. Do you have any control over the samba config
>>>> (smb.conf) on the NAS?    On regular samba installs, changing the default
>>>> port settings can cause more problems.
>>>>
>>>> Windows 7 will try to connect on port 445  (SMB or CIFS over tcp/ip), and
>>>> will then reconnect to ports 137/138/139 (SMB over netbios over tcp/ip)
>>>> since samba 3.x doesn't handle the newer SMB-over-tcp/ip. Disabling
>>>> 445 on the server seems to cause more problems than it solves.
>>>>
>>>>
>>>> Are you able to connect via IP?  e.g. net use \\qnap_ip\share ?
>>>>
>>>> I had problems in the past when I disabled port 445 on samba servers.
>>>> Remote users (no netbios broadcasts permitted) could connect via IP but
>>>> not via name.     For the name only connections, packet monitoring would
>>>> show packets getting thru to the server but the exchange between client
>>>> and server not being completed.  For clients connecting via IP, the client
>>>> would send packets to server, server respond, and then clients responded.
>>>>
>>>>
>>>> On 05/07/13 03:53, Ed Strong wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm re-posting this (with some more info) as I don't think the original
>>>>> got through as I wasn't signed up to the samba list.
>>>>>
>>>>> This is my first foray in samba (and newsgroups) so go easy :)
>>>>> I've started reading the O'Reilly samba book but finding it hard going.
>>>>>
>>>>> Anyway I'm trying to map a network drive from a Windows 7 Pro client to a
>>>>> QNAP NAS with the command:
>>>>>     net use s: \\qnap\share
>>>>>
>>>>> I've posted on several forums and got good advice but the problem remains.
>>>>> Rather than repost all the detail, please see my original posts:
>>>>>
>>>>> http://forum.qnap.com/viewtopic.php?f=185&t=74639
>>>>> http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/11d35b0c-ac95-489f-b5d1-0486b9774603
>>>>> http://www.edugeek.net/forums/windows-7/112309-map-network-drive-nas-but-get-error-64-58-a.html
>>>>>
>>>>>
>>>>>
>>>>> I've managed to ssh onto the QNAP via putty and found this in the logs
>>>>> (getpeername failed)
>>>>>
>>>>> [/var/log] # pwd
>>>>> /var/log
>>>>> [/var/log] # tail -f log.smbd
>>>>> [2013/05/01 09:36:17.135999,  0] lib/util_sock.c:474(read_fd_with_timeout)
>>>>> [2013/05/01 09:36:17.136096,  0] lib/util_sock.c:1440(get_peer_addr_internal)
>>>>>   getpeername failed. Error was Transport endpoint is not connected
>>>>>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>>>>> [2013/05/01 09:36:17.137700,  1] smbd/server.c:299(remove_child_pid)
>>>>>   Scheduled cleanup of brl and lock database after unclean shutdown
>>>>> [2013/05/01 09:36:17.178522,  1] smbd/service.c:1073(make_connection_snum)
>>>>>   172.24.120.139 (172.24.120.139) connect to service Staff initially as user DOMAIN+admin (uid=10001423, gid=10000514) (pid 25771)
>>>>> [2013/05/01 09:36:17.179093,  0] lib/util_sock.c:474(read_fd_with_timeout)
>>>>> [2013/05/01 09:36:17.179173,  0] lib/util_sock.c:1440(get_peer_addr_internal)
>>>>>   getpeername failed. Error was Transport endpoint is not connected
>>>>>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>>>>> [2013/05/01 09:36:17.179289,  1] smbd/service.c:1254(close_cnum)
>>>>>   172.24.120.139 (172.24.120.139) closed connection to service Staff
>>>>> [2013/05/01 09:36:37.142714,  1] smbd/server.c:272(cleanup_timeout_fn)
>>>>>   Cleaning up brl and lock database after unclean shutdown
>>>>>
>>>>>
>>>>> The QNAP's samba version appears to be 3.5.2:
>>>>>
>>>>> [/var/log] # ps -ef | grep smb
>>>>>    4016 admin      3104 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>>    4017 admin      3728 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>>    4366 admin      1840 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>>    4877 admin      3300 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>>    4902 admin      3952 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>>    4978 admin      4132 S   /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
>>>>>    4979 admin      3356 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>>    4980 admin      1224 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>>    4995 admin      1016 S   /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
>>>>>    5063 admin      2068 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>>>>>    9509 admin      1664 S   /usr/local/samba/sbin/nmbd -l /var/log -D -s /etc/config/smb.conf
>>>>>   25540 admin       544 S   grep smb
>>>>> [/var/log] # /usr/local/samba/sbin/smbd -V
>>>>> Version 3.5.2
>>>>>
>>>>>
>>>>> I've also installed MS network monitor on two clients and did a capture
>>>>> whilst running the command
>>>>>      net use s:\ \\saturn\staff
>>>>>
>>>>> I've posted three screenshots here:
>>>>>
>>>>> https://plus.google.com/photos/108734482620454690509/albums/5875135861918839393?authkey=CJ3lwKu2xJqMyQE
>>>>>
>>>>> Basically, Worked.png shows the SMB frames on a PC where the net use
>>>>> command worked
>>>>> and Failed.png shows the SMB frames on a PC where the net use command
>>>>> did not work
>>>>>
>>>>> It looks to me like the first 6 SMB frames are identical. Then things
>>>>> start to change
>>>>>
>>>>> On the working client we continue with frame 10113 which is a
>>>>>     Dfsc: Get DFS Referral Request
>>>>>
>>>>> but the failing client continues with some TCP frames (see
>>>>> tcp-frames154-157.png) 154 to 157
>>>>> before it seems to start the negotiation again at frame 158
>>>>>
>>>>> Not sure how to troubleshoot this further so any advice welcome.
>>>>>
>>>>> Thanks
>>>>> Ed
>>>>>
>>>>> PS I initially tried to post this on google group linux.samba but was
>>>>> rejected by the moderation robot which said "Please submit your message
>>>>> to the mailing list address".
>>>>> I did this with attached png's but failed due to file size so hopefully
>>>>> 3rd time lucky!
>>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>
>
>
>

