[Samba] debugging
Michael Tokarev
mjt at tls.msk.ru
Tue Nov 11 12:49:16 UTC 2025
Hi!
I'm, once again, trying to debug an awfully working samba
in our network. It is a domain member, with as standard
config as possible, joined to a windows server 2012R2 domain.
It has a read-only share, from which it serves files - it's
an application which is run from that share.
The problem I'm faced with right now is that I don't see how
to attack this from the debugging/tracing side. No matter
how I tried, I weren't able to see file transactions which
are being performed - besides the successful ones, like
"client opened file.." "client closed file". Unsuccessful
opens are really difficult to catch: either a higher debug
level is needed - in which case the amount of logs becomes
huge, and there's no way to find log entries belonging to
a single session (most clients are large terminal servers,
where multiple users are working at the same time). Or
nothing of interest is logged.
It is more, - I removed `debug level=` setting from smb.conf,
I increase it dynamically (smbcontrol smbd debug xxx), - things
starts flowing in the logs, but in a few minutes the logging
stops, like if someone turned it off, while the server
continues to serve requests. Another `smbcontrol debug` brings
up another cycle, which stops in a few minutes again.
Sometimes I try to enable debug for a single process, - but
`smbcontrol $pid debug XXX` is being ignored, - at least,
there's nothing in the logs from that pid at all.
I've set `log file = /var/log/samba/log.%I` - this somewhat
helps (not for multi-user machines still), but it also makes,
say, winbindd logs to appear as log.0.0.0.0, which is kinda
wrong - it looks like `log file` setting should be different
for smbd and others, say, `smbd log file =` etc.
Now, in the logs, I see things like this:
[2025/11/11 14:54:42.221984, 3, pid=4026463]
source3/smbd/smb2_server.c:4052(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_OBJECT_NAME_NOT_FOUND] || at source3/smbd/smb2_create.c:362
[2025/11/11 14:54:42.222407, 3, pid=4060945]
source3/smbd/smb2_server.c:4052(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at source3/smbd/smb2_getinfo.c:159
[2025/11/11 14:54:42.462298, 3, pid=4060978]
source3/smbd/smb2_server.c:4052(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_SUPPORTED] || at source3/smbd/smb2_getinfo.c:159
[2025/11/11 14:54:42.494356, 3, pid=4027463]
source3/smbd/smb2_server.c:4052(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[5]
status[NT_STATUS_INFO_LENGTH_MISMATCH] || at
source3/smbd/smb2_query_directory.c:161
and so on (there's a large amount of this in logs), and increasing
debug level does not make them clearer. Which object(s) they refer to,
how to find out? Should I worry about these messages?
(this is samba 4.21, last version which works here *somehow*).
I tried enabling auditing. But this was even more "fun" -
vfs_extd_audit logs to syslog even if extd_audit channel
is configured in `log level` to be logged to a file, and
global `logging` is set to `file`. This fills up systemd journal
quite fast (several gigs at least), and the system dies due to
out of free space in /var. Turning off auditing at runtime
doesn't seem to work - I set `vfs modules = (empty)` explicitly
in smb.conf, do `smbcontrol all reload-config`, but numerous
smbds keep logging audit actions anyway.
For next attempts, I'll try to enable logging/auditing on a per-client
basis at least, by including client-specific smb.conf.%I. Unfortunately
I can't predict which client I'll have to debug, since the problems are
all intermittent and can occur on any client from many. And reloading
stuff at runtime doesn't seem to work (as per above).
How one can debug such stuff, any suggestions?
Thanks,
/mjt
More information about the samba
mailing list