[Samba] Debugging Samba is a total PITA and this needs to improve

Rowland Penny rpenny at samba.org
Tue May 21 12:16:18 UTC 2019

On 21/05/2019 12:27, Sven Schwedas via samba wrote:
> The smb.conf hasn't changed since the last three or four times I've
> posted here asking for help:
> https://up.tao.at/u/samba/villach-file.txt
> Top level error I'm seeing is that since today *some* Windows users are
> denied SMB access to this one member server ("Network password is
> invalid"), but not all users. Worked fine before today.
> wbinfo -p/-P work, wbinfo -a shows the same problem of some users
> working, some not: Those that do work, report success with plaintext
> auth, and NT_STATUS_WRONG_PASSWORD for challenge/response auth (wtf?).
> Those that don't work at all, fail plaintext auth and report
> NT_STATUS_INTERNAL_DB_CORRUPTION for challenge/response. Not sure if
> that means anything, given that challenge/response seems to always fail
> with nonsensical error messages. All the other working member servers
> also report NT_STATUS_WRONG_PASSWORD for c/r auth.
> 15 MB/s error logs were not an exaggeration, BTW, that's what I saw when
> I cranked up the logging level to 10, since the default log level didn't
> bother even reporting the logon failures at all (which should be
> sensible defaults, but oh well). Since I don't know what component of
> Samba is responsible here, I don't know for which I should increase
> logging and for which I shouldn't.
> Now that I'm digging, there also seem to be some generic WERR_BADFILE
> DRS replication errors that our automated monitoring somehow didn't
> catch; and one DC apparently no longer has the DNS entries it should
> have, and samba_dnsupdates alternates between "FORMERR" and "GSS-TSIG
> unsuccessful" which apparently is only supposed to appear with the BIND9
> DNS backend, which we aren't using. These are probably related, but
> again I have no idea where these come from or how to debug them.
> So how was your morning?
Good, so far ;-)

You need to investigate your DB problems, but just a few comments on 
your smb.conf ;-)

I see no reason to have different smb.conf files for different Unix 
domain members, just don't have 'netbios name' in any smb.conf.

You will also be better off having 'vfs objects = acl_xattr' in 
your smb.conf and setting the permissions from Windows.

What is the point of this:

     winbind max domain connections = 32

If you also have:

     winbind offline logon = yes

Finally and what could be contributing to your problem:

This could be set too high:
     winbind expand groups = 4

See 'man smb.conf' for more info.
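The review points in the reply above can be turned into a repeatable check. The following is an added example, not part of the original message or of Samba: it reads only the `[global]` section of an smb.conf and lists the parameters the reply questions. The sample configuration is constructed, and `expand_limit` is a hypothetical threshold chosen for illustration.

```python
# Constructed sample; not the poster's actual smb.conf.
SAMPLE = """\
[global]
    netbios name = FILE1
    security = ads
    winbind max domain connections = 32
    winbind offline logon = yes
    winbind expand groups = 4
[share]
    path = /srv/share
"""

def parse_global(text):
    """Return [global] parameters, names lower-cased with whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def review(text, expand_limit=1):
    """List the parameters the reply questions. expand_limit is an arbitrary
    review threshold chosen for this example, not a Samba recommendation."""
    g = parse_global(text)
    flagged = []
    if "netbios name" in g:                       # prevents sharing one smb.conf
        flagged.append("netbios name")
    if "acl_xattr" not in g.get("vfs objects", "").split():
        flagged.append("vfs objects")
    many = int(g.get("winbind max domain connections", "1")) > 1
    if many and is_yes(g.get("winbind offline logon", "no")):
        flagged.append("winbind max domain connections")
    if int(g.get("winbind expand groups", "0")) > expand_limit:
        flagged.append("winbind expand groups")
    return flagged

if __name__ == "__main__":
    for name in review(SAMPLE):
        print("review:", name)
```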