[Samba] 转发: 答复: ??????: Is the "\\x.x.x.x" type tree connect request a client related feature?
Chenyehua
chen.yehua at h3c.com
Wed Feb 8 12:10:00 UTC 2017
Thanks for your response, Rowland.
Sorry for the late reply.
Here is my smb.conf:
[global]
workgroup = grouptest1
server string = %h server (Samba NAS)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 10000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad password
usershare allow guests = yes
max protocol = SMB3
large readwrite = yes
use sendfile = yes
aio read size = 1024
oplocks = no
deadtime = 10
aio write behind = true
load printers = no
clustering = yes
idmap config *:backend = tdb2
store dos attributes = yes
vfs objects = acl_xattr
idmap config *:range = 1000000-1999999
acl_xattr:ignore system acls = yes
socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
netbios name = netaaa1
ctdbd socket = /var/run/ctdb/ctdbd.socket
log level = 2
security = user
Best regards!
-----邮件原件-----
发件人: samba [mailto:samba-bounces at lists.samba.org] 代表 Rowland Penny via samba
发送时间: 2017年1月22日 19:47
收件人: samba at lists.samba.org
主题: Re: [Samba] 答复: ??????: Is the "\\x.x.x.x" type tree connect request a client related feature?
On Sun, 22 Jan 2017 10:04:29 +0000
Chenyehua via samba <samba at lists.samba.org> wrote:
> Thanks for your reply, Louis
> However, I am still blocked by this problem now. !-_- I tried to set
> the samba server as the DNS server and visit the shared folder by
> input "\\aaa.bb.com" at windows 7 client. In some cases it works and
> will not fail. However the similar abnormal phenomenon also
> occasionally happens (especially at changing the authentication, such
> as local to ldap): 1) I can pass the authentication and see the shared
> folder, but when I try to open the folder , it fails with a windows
> error message like "cannot find the route to the network". It may
> recover to normal later (means I can open that folder) 2) I have
> collected the wireshark record and find it may due to the same reason:
> NT_STATUS_BAD_NETWORK_NAME Part records in the Wireshark:
> > Tree connect request Tree\\aaa.bb.com\IPC$
> > Tree connect response : SUCCESS
> > Tree connect request Tree \\aaa.bb.com
> > Tree connect response : NT_STATUS_BAD_NETWORK_NAME
> > Tree connect request Tree \\aaa.bb.com
> Tree connect response : NT_STATUS_BAD_NETWORK_NAME
> ...
> ...
>
> In your last email, you mentioned that "after the "badlock" patches,
> MS applies some checks. ". 1) Do you mean that sending "\\serverpath"
> type tree connect request is some kind of check sent by windows 7
> relevant to the badlock patches? And What does this check for? 2) Are
> those checks reasonable and normal? As they have affected the normal
> use of the samba share in my case. 3) Are there any solutions to my
> problem? 4) the badlock bug -- do you mean the bug which was
> discovered by Stefan Metzmacher, disclosed in 2016-04-12, and
> referenced by CVE-2016-2118 for samba, CVE-2016-0128/ MS16-047 for
> windows ?
>
Though there have been references to individual smb.conf lines, it seems that the full smb.conf hasn't been posted. From what has been posted, I still don't know how Samba is being run, so I think the next step is for the OP to post their full smb.conf.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
On Sun, 22 Jan 2017 10:04:29 +0000
Chenyehua via samba <samba at lists.samba.org> wrote:
Thanks for your reply, Louis
However, I am still blocked by this problem now. !-_- I tried to set the samba server as the DNS server and visit the shared folder by input "\\aaa.bb.com" at windows 7 client. In some cases it works and will not fail.
However the similar abnormal phenomenon also occasionally happens (especially at changing the authentication, such as local to ldap):
1) I can pass the authentication and see the shared folder, but when I try to open the folder , it fails with a windows error message like "cannot find the route to the network". It may recover to normal later (means I can open that folder)
2) I have collected the wireshark record and find it may due to the same reason: NT_STATUS_BAD_NETWORK_NAME
Part records in the Wireshark:
> Tree connect request Tree\\aaa.bb.com\IPC$
> Tree connect response : SUCCESS
> Tree connect request Tree \\aaa.bb.com
> Tree connect response : NT_STATUS_BAD_NETWORK_NAME
> Tree connect request Tree \\aaa.bb.com
Tree connect response : NT_STATUS_BAD_NETWORK_NAME
...
...
In your last email, you mentioned that "after the "badlock" patches, MS applies some checks. ".
1) Do you mean that sending "\\serverpath" type tree connect request is some kind of check sent by windows 7 relevant to the badlock patches? And What does this check for?
2) Are those checks reasonable and normal? As they have affected the normal use of the samba share in my case.
3) Are there any solutions to my problem?
4) the badlock bug -- do you mean the bug which was discovered by Stefan Metzmacher, disclosed in 2016-04-12, and referenced by CVE-2016-2118 for samba, CVE-2016-0128/ MS16-047 for windows ?
Thanks
Best wishes
-----邮件原件-----
发件人: samba [mailto:samba-bounces at lists.samba.org] 代表 L.P.H. van Belle via samba
发送时间: 2016年12月30日 16:44
收件人: samba at lists.samba.org
主题: Re: [Samba] ??????: Is the "\\x.x.x.x" type tree connect request a client related feature?
> the tree connect requests of the abnormal case may follow like this order:
>
> Tree connect request Tree \\172.16.37.96\IPC$
>
> Tree connect request Tree \\172.16.37.96
>
> Tree connect request Tree \\172.16.37.96
After the "badlock" patches, MS applies some checks.
( and this is default as of windows server 2008)
1) make user HOSTNAME and IP are correct in DNS. And hosts file.
2) Dont use \\hostname or \\ip if you dont have a REVERSE dns setup.
3) use \\hostname.domain.tld
4) If you want to use \\hostname then make user DNS A and PTR records are there. ( so the hostname resolves back to ) \\hostname.domain.tld
Now point 4. If you setup like this and you really correct.
\\ip
\\hostname
\\hostname.domain.tld
Will all work by default if you logged in with a domain joined pc and user.
Its all in nameing and DNS related problems.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Gaiseric
> Vandal via samba
> Verzonden: donderdag 29 december 2016 15:42
> Aan: Chenyehua
> CC: 'samba at lists.samba.org'
> Onderwerp: Re: [Samba] ??????: Is the "\\x.x.x.x" type tree connect
> request a client related feature?
>
> It seems like you have two problems going on at once with your server
>
> 1. User authentication following a change to LDAP (as per other
> posts)
> 2. Accessing shares
>
>
> I suggest you resolve your LDAP backend issues first.
>
>
> In Windows, the "net view" and "net use" commands may help with
> diagnosing problems.
>
> I don't know if Samba tries to do a reverse DNS lookup on the IP
> addresses of the client PC's. I try to make sure I have DNS entries
> for all system even DHCP clients (e.g.
> dhcpclient-192.168.10.10 at mydomain.com.)
>
>
> What is your "name resolve order" parameter set to ? I think the
> default is as follows
>
> name resolve order = host wins bcast
>
>
> My issues with SMB2 was that I could get the first network connection
> from a Windows 7 PC or Windows 2008 server to a samba server share BUT
> seconndary connections would fail. I would try downgrading to NT1 ,
> making sure everything works, then switching back to SMB2.
>
>
> On 12/29/16 04:42, Chenyehua wrote:
> > Thanks for your attention, Gaiseric.
> > Sorry , but I had a little confused. Did you mean that the problem
> > was
> something relevant with the DNS? However in my impression, I might not
> do anything about the DNS.
> >
> > I have some clues that might be helped:
> > 1) First of all, my samba server version set is "max protocol =
> > SMB2",
> and the final protocol according to the negotiation result is smb2.10.
> The problem is more likely to appear when the authentication
> changes(like
> user->ldap) or the password changes.
> > 2)The direct fact that leading to the failure may be the bad tree
> connect request with the format of "\\x.x.x.x", which should be
> "\\x.x.x.x\xx" required by SMB2 protocol
> > 3)So my key questions are:
> > a???When and why does the windows 7 sometimes sends the tree
> > connect
> request (like \\x.x.x.x, which is not accepted by SMB2 protocol) to
> the samba server?
> > b???Is this a win7 bug or a problem with the relevant options
> > set? Or
> anything else?
> > c???How to solve this problem???
> >
> > -----????????????-----
> > ?????????: samba [mailto:samba-bounces at lists.samba.org] ??????
> > Gaiseric
> Vandal via samba
> > ????????????: 2016???12???27??? 23:32
> > ?????????: samba at lists.samba.org
> > ??????: Re: [Samba] Is the "\\x.x.x.x" type tree connect request a
> client related feature?
> >
> > Is the samba server a domain controller? Is this a classic domain
> > or an
> Active Directory domain.
> >
> > If you are using a classic domain you probably want a WINS server
> > configured. I find it works better if the primary domain controller
> > is also the WINS server. In a classic domain, keep the "smb
> > ports" as the default ( "smb ports = 445 139.") What is the "max
> > protocol" version set ? I had trouble with SMB2 so I set "max
> > protocol = NT1."
> >
> > Do you have forward and reverse DNS entries for all servers ("A"
> > host
> and "PTR" records.)
> >
> > I also found that connections to "myservername.mydomain.com\myshare"
> > would be treated differently on windows 7 clients that connections to
> > "myservername\myshare" in a classic domain. If the Samba domain name
> > is "MYDOMAIN" then connections to "myservername.mydomain.com" would
> result in a conflict of the samba domain name with the DNS domain name.
> > This caused problems with Microsoft Excel and Powerpoint not
> > trusting
> documents from an "insecure" source.
> >
> >
> >
> >
> >
> > On 12/27/16 05:44, Chenyehua via samba wrote:
> >> Hi folks
> >>
> >> I face a problem when using the samba share, Here is the detail:
> >>
> >> 1) Phenomenon
> >>
> >> In windows 7, sometimes, I type the samba server ip address
> >> and can see the shared folder. (the samba version is 4.3.11)
> >>
> >> a???However when I try to open the shared folder, it fails with a
> windows error message like “please check the spelling of the name, or
> some problem may related to the network”, and returns the error code
> 0x80070035(cannot find the network path).
> >>
> >> The shared folder may be opened successfully in a while. Or it will
> >> always fail in a long period with the error returned above(not sure
> >> if it will automatically recover finally)
> >>
> >> b???The problem in a may be client-related and occasionally appeared.
> At
> >> some other windows 7 environments, it may never happen(at least I
> >> have tried dozens of times, but it turns out normal each time)
> >>
> >>
> >>
> >> 2) Analysis
> >>
> >> a??? Something abnormal can be found in the samba log as below:
> >>
> >> [2016/12/26 22:15:35.238956, 0, pid=605906, effective(0, 0),
> >> real(0, 0)]
> >> ../source3/param/loadparm.c:3240(process_usershare_file)
> >>
> >> process_usershare_file: share name //172.16.37.96 contains
> >> invalid characters (any of %<>*?|/\+=;:",)
> >>
> >> [2016/12/26 22:15:35.238973, 3, pid=605906, effective(0, 0),
> >> real(0, 0)] ../source3/param/service.c:249(find_service)
> >>
> >> find_service() failed to find service //172.16.37.96
> >>
> >> [2016/12/26 22:15:35.238985, 3, pid=605906, effective(0, 0),
> >> real(0, 0)] ../source3/smbd/smb2_tcon.c:266(smbd_smb2_tree_connect)
> >>
> >> smbd_smb2_tree_connect: couldn't find service //172.16.37.96
> >>
> >> [2016/12/26 22:15:35.239004, 50, pid=605906, effective(0, 0),
> >> real(0, 0), class=tevent]
> >> ../lib/util/tevent_debug.c:66(samba_tevent_debug)
> >>
> >> s3_tevent: Schedule immediate event "tevent_req_trigger":
> >> 0x56007af6bd80
> >>
> >> [2016/12/26 22:15:35.239021, 50, pid=605906, effective(0, 0),
> >> real(0, 0), class=tevent]
> >> ../lib/util/tevent_debug.c:66(samba_tevent_debug)
> >>
> >> s3_tevent: Cancel immediate event 0x56007af6bd80
> "tevent_req_trigger"
> >>
> >> [2016/12/26 22:15:35.239035, 10, pid=605906, effective(0, 0),
> >> real(0, 0)]
> >> ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex)
> >>
> >> smbd_smb2_request_error_ex: idx[1]
> >> status[NT_STATUS_BAD_NETWORK_NAME] || at
> >> ../source3/smbd/smb2_tcon.c:135
> >>
> >> [2016/12/26 22:15:35.239053, 10, pid=605906, effective(0, 0),
> >> real(0, 0)]
> >> ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex)
> >>
> >> smbd_smb2_request_done_ex: idx[1]
> >> status[NT_STATUS_BAD_NETWORK_NAME] body[8] dyn[yes:1] at
> >> ../source3/smbd/smb2_server.c:2837
> >>
> >>
> >>
> >> b???Something abnormal may also be observed in the wireshark:
> >>
> >> the tree connect requests of the normal case may follow like this
> order:
> >>
> >> Tree connect request Tree \\172.16.37.96\IPC$
> >>
> >> Tree connect request Tree \\172.16.37.96\sharedfolder1
> >>
> >> Tree connect request Tree \\172.16.37.96\sharedfolder2
> >>
> >> …
> >>
> >> …
> >>
> >>
> >>
> >> the tree connect requests of the abnormal case may follow like this
> order:
> >>
> >> Tree connect request Tree \\172.16.37.96\IPC$
> >>
> >> Tree connect request Tree \\172.16.37.96
> >>
> >> Tree connect request Tree \\172.16.37.96
> >>
> >> …
> >>
> >> …
> >>
> >>
> >>
> >> 3) Confused
> >>
> >> I am confused about the abnormal facts above and have some questions:
> >>
> >> When and Why does the windows 7 sometimes send a pure ip address
> >> tree
> connect request (like \\x.x.x.x) to the samba server after the IPC$
> request?
> >>
> >> Is it fine for the samba 4.3.11 to accept the pure ip address tree
> connect request?
> >>
> >> Is this really a client-related phenomenon?
> >>
> >> Are there any solutions about this problem?
> >>
> >>
> >>
> >>
> >>
> >> Thanks
> >>
> >> Best regards!
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> -------------------------------------------------------------------
> >> ---
> >> ---------------------------------------------------------------
> >>
> ??????????????????????????????????????????????????????????????????????????
> ??????????????????????????????????????????????
> >>
> ??????????????????????????????????????????????????????????????????????????
> ??????????????????????????????????????????????
> >>
> ??????????????????????????????????????????????????????????????????????????
> ??????????????????????????????????????????????
> >> ?????????
> >> This e-mail and its attachments contain confidential information
> >> from H3C, which is intended only for the person or entity whose
> >> address is listed above. Any use of the information contained
> >> herein in any way (including, but not limited to, total or partial
> >> disclosure, reproduction, or dissemination) by persons other than
> >> the intended
> >> recipient(s) is prohibited. If you receive this e-mail in error,
> >> please notify the sender by phone or email immediately and delete it!
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
-------------------------------------------------------------------------------------------------------------------------------------
本邮件及其附件含有杭州华三通信技术有限公司的保密信息,仅限于发送给上面地址中列出
的个人或群组。禁止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、
或散发)本邮件中的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本
邮件!
This e-mail and its attachments contain confidential information from H3C, which is
intended only for the person or entity whose address is listed above. Any use of the
information contained herein in any way (including, but not limited to, total or partial
disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender
by phone or email immediately and delete it!
More information about the samba
mailing list