Re: [Samba] Intermittent ACCESS DENIED

2006-10-03 Thread Felipe Augusto van de Wiel

Hey,

On 09/27/2006 10:14 AM, Steven Cardinal wrote:
> In a follow-up to a previous post a couple weeks back, we've implemented a
> Samba 3.0.20 (Suse packages on 10.0 - recompiled to include idmap_rid)
> server to replace the Windows 2000 file server in our Win2003 Active
> Directory. For the most part things have been going well, but occasionally
> people will get access denied errors to things that they were accessing
> just fine minutes before. With file shares, they can access the share via UNC
> and, if they unmap and remap the share, it works. The recommendation was to
> increase the log level to 10. I was finally able to capture a log while
> someone was having a problem. In this instance they were getting access
> denied to the printers.

Printers are a particular case; usually, if you change 'use client
driver' and 'disable spoolss', you can solve the Access Denied messages.
But this is for printers and W2K.


> To date, I've only seen these errors on Windows 2000 workstations and not
> our XP workstations, but since this is so intermittent and we have only a
> few XP boxes, I'm not sure that is significant, but I figured I'd throw it
> out there anyway. Here's my config (with the names changed to protect the
> innocent)
>
> [global]
>    unix charset = LOCALE
>    workgroup = MYDOMAIN
>    realm = MYDOMAIN.INT
>    server string = Production File Server 03
>    security = ADS
>    allow trusted domains = No
>    enable privileges = Yes
>    username map = /etc/samba/smbusers
>    log level = 10
>    log file = /var/log/samba/%m
>    max log size = 50
>    deadtime = 15
>    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    printcap name = cups
>    wins server = 10.0.0.10
>    ldap ssl = no
>    idmap backend = idmap_rid:MYDOMAIN=1-5
>    idmap uid = 1-5
>    idmap gid = 1-5
>    template shell = /bin/bash
>    winbind separator = +
>    cups options = raw
>
> [Software]
>    comment = Adheris Software
>    path = /srv/public/software
>    valid users = @MYDOMAIN+grpIT, @MYDOMAIN+grpDevelopers
>    admin users = @MYDOMAIN+Domain Admins
>    read only = No
>    create mask = 0664
>    directory mask = 0775
>    dos filemode = Yes
[...]

> And here is the debug information. The thing that stands out to me is the
> request for spoolss that fails. We do not have the iptables firewall
> enabled, but we seem to be getting a pipe issue perhaps? I'm weak on the
> programming/debugging side but take directions well if anyone has some
> suggestions. Thanks

I would say that for the printer case you can try to change the
above-mentioned parameters; it could solve the problem. For the file
shares, I have been facing a similar problem recently, but so far, people
involved with Windows keep telling me that it is MS Windows related and
sooner or later will cure itself. :-)

[... loglevel 10 ...]


Kind regards,
--
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
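
An added example (not part of either post, and not Samba project code): a small Python triage script for a level-10 smbd log in the format posted in this thread. It groups records per request using the "Transaction N of length" line, tolerates headers that mail wrapping split across two lines, and returns only requests that logged NT_STATUS_ACCESS_DENIED, so keepalive SMBecho traffic drops out. The function names and the second request in the sample are constructed for illustration.

```python
import re

# Record header as on the page: "[2006/09/26 16:19:51, 3] smbd/process.c:process_smb(1114)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:\w+\(\d+\)$")
# Constructed sample: request 1145 is taken from the page's log, request 1146 is invented.
SAMPLE = """\
[2006/09/26 16:19:51, 10]
lib/util_sock.c:read_smb_length_return_keepalive(615)
 got smb length of 49
[2006/09/26 16:19:51, 3] smbd/process.c:process_smb(1114)
 Transaction 1145 of length 53
[2006/09/26 16:19:51, 3] smbd/process.c:switch_message(900)
 switch message SMBecho (pid 23178) conn 0x0
[2006/09/26 16:19:52, 3] smbd/process.c:process_smb(1114)
 Transaction 1146 of length 104
[2006/09/26 16:19:52, 3] smbd/process.c:switch_message(900)
 switch message SMBntcreateX (pid 23178) conn 0x0
[2006/09/26 16:19:52, 3] smbd/error.c:error_packet(129)
 error packet at smbd/nttrans.c(610) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
"""

def parse_records(text):
    """Split an smbd debug log into records: time, level, source location, body lines."""
    records, wrapped = [], False
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            records.append({"time": m.group(1), "level": int(m.group(2)), "where": m.group(3), "body": []})
            wrapped = not m.group(3)  # mail wrap pushed file.c:func(n) onto the next line
        elif records and line:
            if wrapped and LOCATION.match(line):
                records[-1]["where"] = line
            else:
                records[-1]["body"].append(line)
            wrapped = False
    return records

def denied_requests(text, needle="NT_STATUS_ACCESS_DENIED"):
    """Group records per SMB request and return only the requests whose body hits needle."""
    requests = []
    for rec in parse_records(text):
        joined = " ".join(rec["body"])
        if m := re.match(r"Transaction (\d+) of length", joined):
            requests.append({"id": int(m.group(1)), "time": rec["time"], "command": None, "hits": []})
        elif requests:
            if cmd := re.match(r"switch message (\S+)", joined):
                requests[-1]["command"] = cmd.group(1)
            requests[-1]["hits"] += [(rec["where"], l) for l in rec["body"] if needle in l]
    return [r for r in requests if r["hits"]]
```

To use it on a real capture, pass the text of one per-client file written by `log file = /var/log/samba/%m` to `denied_requests`.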


[Samba] Intermittent ACCESS DENIED

2006-09-27 Thread Steven Cardinal

In a follow-up to a previous post a couple weeks back, we've implemented a
Samba 3.0.20 (Suse packages on 10.0 - recompiled to include idmap_rid)
server to replace the Windows 2000 file server in our Win2003 Active
Directory. For the most part things have been going well, but occasionally
people will get access denied errors to things that they were accessing just
fine minutes before. With file shares, they can access the share via UNC
and, if they unmap and remap the share, it works. The recommendation was to
increase the log level to 10. I was finally able to capture a log while
someone was having a problem. In this instance they were getting access
denied to the printers.

To date, I've only seen these errors on Windows 2000 workstations and not
our XP workstations, but since this is so intermittent and we have only a
few XP boxes, I'm not sure that is significant, but I figured I'd throw it
out there anyway. Here's my config (with the names changed to protect the
innocent)

[global]
   unix charset = LOCALE
   workgroup = MYDOMAIN
   realm = MYDOMAIN.INT
   server string = Production File Server 03
   security = ADS
   allow trusted domains = No
   enable privileges = Yes
   username map = /etc/samba/smbusers
   log level = 10
   log file = /var/log/samba/%m
   max log size = 50
   deadtime = 15
   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   printcap name = cups
   wins server = 10.0.0.10
   ldap ssl = no
   idmap backend = idmap_rid:MYDOMAIN=1-5
   idmap uid = 1-5
   idmap gid = 1-5
   template shell = /bin/bash
   winbind separator = +
   cups options = raw

[Software]
   comment = Adheris Software
   path = /srv/public/software
   valid users = @MYDOMAIN+grpIT, @MYDOMAIN+grpDevelopers
   admin users = @MYDOMAIN+Domain Admins
   read only = No
   create mask = 0664
   directory mask = 0775
   dos filemode = Yes

[Home$]
   path = /srv/private/home
   valid users = @MYDOMAIN+Domain Users
   admin users = @MYDOMAIN+Domain Admins
   read only = No
   create mask = 0660
   directory mask = 0770
   dos filemode = Yes

[Users]
   comment = Adheris User Data
   path = /srv/public/users
   valid users = @MYDOMAIN+Domain Users
   admin users = @MYDOMAIN+Domain Admins
   read only = No
   create mask = 02664
   directory mask = 02775
   dos filemode = Yes

[Printers]
   comment = All Printers
   path = /var/tmp
   create mask = 0600
   printable = Yes
   browseable = No

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/drivers
   write list = root, @MYDOMAIN+Domain Admins

And here is the debug information. The thing that stands out to me is the
request for spoolss that fails. We do not have the iptables firewall
enabled, but we seem to be getting a pipe issue perhaps? I'm weak on the
programming/debugging side but take directions well if anyone has some
suggestions. Thanks

[2006/09/26 16:19:51, 10]
lib/util_sock.c:read_smb_length_return_keepalive(615)
 got smb length of 49
[2006/09/26 16:19:51, 6] smbd/process.c:process_smb(1113)
 got message type 0x0 of len 0x31
[2006/09/26 16:19:51, 3] smbd/process.c:process_smb(1114)
 Transaction 1145 of length 53
[2006/09/26 16:19:51, 5] lib/util.c:show_msg(454)
[2006/09/26 16:19:51, 5] lib/util.c:show_msg(464)
 size=49
 smb_com=0x2b
 smb_rcls=0
 smb_reh=0
 smb_err=0
 smb_flg=24
 smb_flg2=49219
 smb_tid=65535
 smb_pid=65279
 smb_uid=0
 smb_mid=65534
 smt_wct=1
 smb_vwv[ 0]=1 (0x1)
 smb_bcc=12
[2006/09/26 16:19:51, 10] lib/util.c:dump_data(2053)
 [000] 4A 6C 4A 6D 49 68 43 6C  42 73 72 00  JlJmIhCl Bsr.
[2006/09/26 16:19:51, 3] smbd/process.c:switch_message(900)
 switch message SMBecho (pid 23178) conn 0x0
[2006/09/26 16:19:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/26 16:19:51, 5] auth/auth_util.c:debug_nt_user_token(452)
 NT user token: (NULL)
[2006/09/26 16:19:51, 5] auth/auth_util.c:debug_unix_user_token(473)
 UNIX token of user 0
 Primary group is 0 and contains 0 supplementary groups
[2006/09/26 16:19:51, 5] smbd/uid.c:change_to_root_user(319)
 change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/09/26 16:19:51, 5] lib/util.c:show_msg(454)
[2006/09/26 16:19:51, 5] lib/util.c:show_msg(464)
 size=49
 smb_com=0x2b
 smb_rcls=0
 smb_reh=0
 smb_err=0
 smb_flg=136
 smb_flg2=51201
 smb_tid=65535
 smb_pid=65279
 smb_uid=0
 smb_mid=65534
 smt_wct=1
 smb_vwv[ 0]=1 (0x1)
 smb_bcc=12
[2006/09/26 16:19:51, 10] lib/util.c:dump_data(2053)
 [000] 4A 6C 4A 6D 49 68 43 6C  42 73 72 00  JlJmIhCl Bsr.
[2006/09/26 16:19:51, 3] smbd/reply.c:reply_echo(3499)
 echo 1 times
[2006/09/26 16:19:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/26 16:19:51, 5] auth/auth_util.c:debug_nt_user_token(452)
 NT user token: (NULL)
[2006/09/26 16:19:51, 5] auth/auth_util.c:debug_unix_user_token(473)
 UNIX token of user 0
 Primary group is 0 and contains 0 supplementary groups
[2006/09/26 16:19:51, 5]