Hello!
I have been struggling with a Samba problem for a long time and would appreciate your help!

Problem:
After some time working with files on the file server, access to that server is unexpectedly lost. When you try to access the server using Windows Explorer, a login/password window appears. When you enter a correct username and password, the same login/password window appears again. This problem occurs for some domain users who work on specific computers. Other users work "round the clock" without failures. For example, two users work in shifts on one computer: the problem occurs for one of them but not for the other. Network printing and file access both stop working accordingly. After rebooting the computer, or after the user simply logs out and logs in again, access is restored.

Configuration:
Samba authenticates against the domain via winbind. Clients are mostly WinXP. Distribution and Samba versions:
===========bash==============================
files ~ # cat /etc/debian_version
6.0.2
files ~ # uname -a
Linux files 2.6.32-5-686 #1 SMP Mon Jun 13 04:13:06 UTC 2011 i686 GNU/Linux
files ~ # dpkg -l | grep samba
ii samba 2:3.5.6~dfsg-3squeeze4 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:3.5.6~dfsg-3squeeze4 common files used by both the Samba server and client
ii samba-common-bin 2:3.5.6~dfsg-3squeeze4 common files used by both the Samba server and client
files ~ # dpkg -l | grep winbi
ii libwbclient0 2:3.5.6~dfsg-3squeeze4 Samba winbind client library
ii winbind 2:3.5.6~dfsg-3squeeze4 Samba nameservice integration server
===========bash==============================
Samba and network configuration:
===========bash==============================
files ~ # testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Processing section "[homes]"
Processing section "[backup$]"
Processing section "[install$]"
......
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = SAG
        realm = SAG.LOCAL
        server string = Файловый сервер
        security = ADS
        auth methods = winbind
        obey pam restrictions = Yes
        password server = dc.sag.local dc2.sag.local
        username map = /etc/samba/userssmb
        log file = /var/log/samba/log.%m
        smb ports = 139
        lpq cache time = 5
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        usershare path =
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /backup/SAG/%U
        winbind separator = ^
        winbind cache time = 600
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        cups options = raw
        veto files = /autorun.inf/AUTORUN.INF/.*/Thumbs.db/
        hide files = /$RECYCLE.BIN/desktop.ini/lost+found/Thumbs.db/

[printers]
        comment = Очередь печати SMB
        path = /var/spool/samba
        printable = Yes
        browseable = No

[print$]
        comment = Драйверы принтера
        path = /var/lib/samba/printers

[homes]
        comment = Личная папка пользователя %U
        read only = No
        browseable = No

[backup$]
        comment = Инсталяхи
        path = /shares/backup
        read only = No

[install$]
        comment = Инсталяхи
        path = /shares/install
        read only = No
        veto files =
files ~ # cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
files ~ # cat /etc/resolv.conf
domain SAG.local
search SAG.local
nameserver 10.0.0.1
nameserver 10.0.0.4
files ~ # ifconfig eth4
eth4      Link encap:Ethernet  HWaddr 00:04:23:a6:19:c8
          inet addr:10.0.0.11  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:293175177 errors:0 dropped:0 overruns:0 frame:0
          TX packets:205770240 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:320660917 (305.8 MiB)  TX bytes:677293276 (645.9 MiB)
files ~ # cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       files.SAG.local files
===========bash==============================
Logs:
Problem users have a lot of messages like these in the log at debug level 1:
===========bash==============================
[2011/09/08 12:54:41.805370, 1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/09/08 12:54:41.893536, 1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
===========bash==============================
All the diagnostic commands (wbinfo -u, wbinfo -g, wbinfo -t, getent passwd domain_user_name, net ads info) work without any problems. Time is synchronized every hour by cron with the command "net time set", so clock divergence is not the issue. At the moment access to the server was lost, I ran "smbcontrol smbd debug 3". When the user tries to access the server at debug level 3, the log contains the following (attachment log.scan2). At debug level 3, when the user logs out and logs in, the log contains the following (attachment log.scan2-login).

These logs contain a very interesting line:
===========bash==============================
[2011/09/08 15:33:26.776661,  3] smbd/sesssetup.c:1232(reply_sesssetup_and_X_spnego)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
===========bash==============================

PrimaryDomain=[]: the domain name is lost.
There are also these lines:
===========bash==============================
[2011/09/08 15:33:26.773385,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2011/09/08 15:33:26.773514,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [LANMAN1.0]
[2011/09/08 15:33:26.773583,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2011/09/08 15:33:26.773698,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [LM1.2X002]
[2011/09/08 15:33:26.773792,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [LANMAN2.1]
[2011/09/08 15:33:26.773891,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [NT LM 0.12]
[2011/09/08 15:33:26.774805,  3] smbd/negprot.c:404(reply_nt1)
  using SPNEGO
[2011/09/08 15:33:26.774949,  3] smbd/negprot.c:691(reply_negprot)
  Selected protocol NT LM 0.12
[2011/09/08 15:33:26.776019,  3] smbd/process.c:1485(process_smb)
  Transaction 1 of length 1352 (0 toread)
===========bash==============================
Samba for some reason goes through the protocols for accessing shared resources ....
But why this is happening is unclear.

The next time access to the server was lost, I gradually increased the debug level from 4 to 10, marking each step in the log with the message echo "start-debug number_debug" >> log. I tried to print an Excel spreadsheet document on a shared printer:
===========bash==============================
files ~ # echo "start-debug 4" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 4
files ~ # # printing page from problem user
files ~ # echo "stop-debug 4" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 5" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 5
files ~ # # printing page from problem user
files ~ # echo "stop-debug 5" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 6" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 6
files ~ # # printing page from problem user
files ~ # echo "stop-debug 6" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 7" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 7
files ~ # # printing page from problem user
files ~ # echo "stop-debug 7" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 8" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 8
files ~ # # printing page from problem user
files ~ # echo "stop-debug 8" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 9" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 9
files ~ # # printing page from problem user
files ~ # echo "stop-debug 9" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 9" >> /var/log/samba/log.vipiska1
files ~ # echo "stop-debug 9" >> /var/log/samba/log.vipiska1
files ~ # echo "start-debug 10" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 10
files ~ # # printing page from problem user
files ~ # echo "stop-debug 10" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 0
files ~ # smbcontrol smbd debug 1
files ~ # echo "start-debug 10" >> /var/log/samba/log.vipiska1
files ~ # smbcontrol smbd debug 10
files ~ # smbcontrol smbd debug 0
===========bash==============================
After these steps I got a log (attachment log.vipiska1).

These logs contain very interesting lines:
===========bash==============================
  Got user=[] domain=[] workstation=[VIPISKA1] len1=1 len2=0
[2011/09/09 11:46:06.139244,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[]@[VIPISKA1] with the new password interface
[2011/09/09 11:46:06.139290,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [FILES]\[]@[VIPISKA1]
[2011/09/09 11:46:06.139334,  3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [FILES] was for this SAM.
[2011/09/09 11:46:06.139370,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
===========bash==============================
Samba does not show the user (user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER), but why?
Please help!
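An added example, not part of the original post: a small Python parser for the smbd log format quoted above. It counts Kerberos ticket verification failures and NTLM attempts that arrive with an empty user name per workstation, so affected clients can be picked out of the per-machine log files. The sample log is constructed from the excerpts in the post, and the names `parse_records` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the smbd log excerpts quoted in the post.
SAMPLE_LOG = r"""[2011/09/08 12:54:41.805370,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/09/08 12:54:41.893536,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2011/09/09 11:46:06.139244,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[]@[VIPISKA1] with the new password interface
[2011/09/09 11:46:06.139334, 3] auth/auth_winbind.c:54(check_winbind_security) check_winbind_security: Not using winbind, requested domain [FILES] was for this SAM.
[2011/09/09 11:46:06.139370,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<rest>.*)$")
KRB_FAIL = re.compile(r"Failed to verify incoming ticket with error (NT_STATUS_\w+)")
NTLM_TRY = re.compile(r"unmapped user \[(.*?)\]\\\[(.*?)\]@\[(.*?)\]")
NTLM_FAIL = re.compile(r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (NT_STATUS_\w+)")

def parse_records(text):
    """Group each header line with its message (on the same line or the lines after)."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            rec = m.groupdict()
            rec["msg"] = rec.pop("rest").strip()
            records.append(rec)
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def summarize(records):
    """Count Kerberos ticket failures and NTLM attempts with an empty user name."""
    out = {"krb_fail": Counter(), "empty_ntlm_from": Counter(), "ntlm_fail": Counter()}
    for rec in records:
        if (m := KRB_FAIL.search(rec["msg"])):
            out["krb_fail"][m.group(1)] += 1       # keyed by NT status
        if (m := NTLM_TRY.search(rec["msg"])) and m.group(1) == "":
            out["empty_ntlm_from"][m.group(3)] += 1  # keyed by workstation
        if (m := NTLM_FAIL.search(rec["msg"])):
            out["ntlm_fail"][m.group(3)] += 1      # keyed by NT status
    return out

if __name__ == "__main__":
    for name, counts in summarize(parse_records(SAMPLE_LOG)).items():
        print(name, dict(counts))
```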