[Samba] Log errors on domain member
Peter Milesson
miles at atmos.eu
Tue Jan 31 06:59:53 UTC 2023
Hi folks,
The smb.conf and other information after specification of the problems.
The journal on a AD domain member server is cluttered with permission
denied entries of this message pair:
Jan 31 07:02:26 konsrvfast smbd[436004]: [2023/01/31
07:02:26.083500, 0, effective(11025, 10515), real(11025, 0)]
../../source3/smbd/smb2_service.c:168(chdir_current_service)
Jan 31 07:02:26 konsrvfast smbd[436004]: chdir_current_service:
vfs_ChDir(/data/samba/profiles) failed: Permission denied. Current
token: uid=11025, gid=10515, 5 groups: 11025 10515 3003 3004 3006
uid=11025 is a Windows 10 workstation, and gid=10515 is the domain
computers object.
There are also recurring entry blocks of the following type:
Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: [2023/01/30
19:55:39.802586, 0, effective(11006, 10513), real(11006, 0)]
../../lib/util/debug.c:1264(reopen_one_log)
Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: reopen_one_log:
Unable to open new log file '/var/log/samba/log.rpcd_classic':
Permission denied
Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: [2023/01/30
19:55:39.803020, 0, effective(11006, 10513), real(11006, 0)]
../../lib/util/debug.c:1264(reopen_one_log)
Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: reopen_one_log:
Unable to open new log file '/var/log/samba/log.rpcd_classic':
Permission denied
Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: [2023/01/30
19:55:39.803056, 0, effective(11006, 10513), real(11006, 0)]
../../lib/util/debug.c:1264(reopen_one_log)
Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: reopen_one_log:
Unable to open new log file '/var/log/samba/log.rpcd_classic':
Permission denied
Jan 30 19:55:55 konsrvfast rpcd_classic[358632]: [2023/01/30
19:55:55.231090, 0, effective(11006, 10513), real(11006, 0)]
../../source3/lib/sharesec.c:161(share_info_db_init)
Jan 30 19:55:55 konsrvfast rpcd_classic[358632]: Failed to open
share info database /var/lib/samba/share_info.tdb (Permission denied)
Jan 30 19:55:59 konsrvfast rpcd_classic[358632]: [2023/01/30
19:55:59.715024, 0, effective(11006, 10513), real(11006, 0)]
../../source3/lib/sharesec.c:161(share_info_db_init)
After scanning the samba logs I found the following:
*/var/log/samba/log.rpcd_classic (those 2 entries occur frequently)*
[2023/01/30 15:15:28.729356, 0, effective(11156, 10513),
real(11156, 0)] ../../lib/util/debug.c:1264(reopen_one_log)
reopen_one_log: Unable to open new log file
'/var/log/samba/log.rpcd_classic': Permission denied
[2023/01/30 20:09:09.054259, 0, effective(11006, 10513),
real(11006, 0)]
../../source3/lib/sharesec.c:161(share_info_db_init) Failed to open
share info database /var/lib/samba/share_info.tdb (Permission denied)
*/var/log/samba/log.samba-dcerpcd (the following block repeats frequently)*
[2023/01/30 15:31:55.316639, 1, effective(0, 0), real(0, 0)]
../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed:
No such file or directory
[2023/01/30 15:31:55.341724, 1, effective(0, 0), real(0, 0)]
../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
rpc_worker_exited: No worker with PID 328204
[2023/01/30 15:34:13, 0] ../../source3/rpc_server/rpc_host.c:2966(main)
When checking the directory /run/samba/ncalrpc there is really no such
file as EPMAPPER, but there exists /run/samba/ncalrpc/np/epmapper
*/var/log/samba/smbd.log (the following entry is spawned thousands of
times within a second)*
[2023/01/30 20:07:59.636915, 1, effective(11006, 10513), real(11006,
0)] ../../source3/auth/token_util.c:1020(create_token_from_sid)
getpwuid(1011) failed
*/var/log/samba/winbindd (the entries below frequently occuring)*
[2023/01/30 23:34:57.527639, 1, effective(0, 0), real(0, 0)]
../../source3/winbindd/winbindd_getpwuid.c:118(winbindd_getpwuid_recv)
Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
[2023/01/31 00:17:01.889654, 1, effective(0, 0), real(0, 0)]
../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
(occurs several times per second, hundreds of consecutive entries)
[2023/01/30 23:30:50.246781, 1, effective(0, 0), real(0, 0)]
../../source3/winbindd/winbindd_getgrgid.c:124(winbindd_getgrgid_recv)
Could not convert sid S-0-0: NT_STATUS_NO_SUCH_GROUP
From the users point of view everything seems normal, there have been
no complaints about inaccessible folders or files, or other permission
issues.
The server is a member of a AD domain, and everything in the domain is
managed via the RSAT tools. There are only Windows ACLs, no Posix ACLs.
There are only a couple of local linux accounts for server
administration, with user names that do not conflict with AD user names.
The domain is working, no DNS problems.
If would be grateful if somebody could point out what's going wrong here.
Best regards,
Peter
Server: HPE ProLiant DL325 with NVMe drives in a hardware RAID
configuration, 32GB RAM
OS: Debian Bookworm
Samba version: 4.17.4
smb.conf
# Global parameters
[global]
client signing = required
debug uid = Yes
dedicated keytab file = /etc/krb5.keytab
disable netbios = Yes
disable spoolss = Yes
kerberos method = secrets and keytab
log level = 1
panic action = /usr/share/samba/panic-action %d
printcap name = /dev/null
realm = SAMDOM.TALPS
restrict anonymous = 2
security = ADS
server role = member server
smb ports = 445
template homedir = /home/%U
template shell = /sbin/nologin
winbind use default domain = true
timestamp logs = Yes
username map = /etc/samba/user.map
winbind refresh tickets = Yes
workgroup = SAMDOM
idmap config samdom : range = 10000-99999
idmap config samdom : backend = rid
idmap config * : range = 3000-9999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr
hide unreadable = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
[Homes$]
readonly = no
path = /data/samba/homes
csc policy = disable
[Profiles$]
readonly = no
path = /data/samba/profiles
csc policy = disable
[Users$]
readonly = no
path = /data/samba/users
csc policy = disable
[Share1]
readonly = no
path = /data/samba/Share1
[Share2]
readonly = no
path = /data/samba/Share2
More information about the samba
mailing list