Hong K Phooey
2011-Jan-17 15:37 UTC
[Samba] samba shares fail after active directory reboot
We have a samba server that uses active directory security. We have three active directory servers and use a dfs namespace (test.local) to encompass those three servers. We currently are using password server = TEST.local, but have had all three AD servers listed, but it has not helped.

Whenever ANY of those servers go down for maintenance, the samba shares do not come up and restarting the winbind and smb services does not seem to help. We have to reboot the linux box for the shares to show up again.

Should samba not try to query one of the other two servers when one is down? It does not appear to do so, or we have failed to modify a setting that will allow that.

Any assistance with this issue would be appreciated.

Here are the log entries for the failure:

[2011/01/15 11:19:28, 1] smbd/sesssetup.c:464(reply_spnego_kerberos)
  Username TEST\sql-svc-agent-prod is invalid on this system
[2011/01/15 11:19:28, 0] lib/util_sock.c:738(write_data)
[2011/01/15 11:19:28, 0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  write_data: write failure in writing to client 0.0.0.0. Error Broken pipe
[2011/01/15 11:19:28, 0] smbd/process.c:62(srv_send_smb)
  Error writing 39 bytes to client. -1. (Transport endpoint is not connected)

PDC: windows 2008 R2
Samba: 3.4.7 on ubuntu 10.4

Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
    workgroup = TEST
    realm = TEST.LOCAL
    server string = %h server (Samba, Ubuntu)
    security = ADS
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = TEST.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    machine password timeout = 0
    domain master = No
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 500-10000000
    idmap gid = 500-10000000
    template shell = /bin/bash
    winbind refresh tickets = Yes
    create mask = 0664
    hosts deny = 172.17.4.0/255.255.255.0, 172.19.4.0/255.255.255.0

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    browseable = No
    browsable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

Hong K Phooey wrote:
> We have a samba server that uses active directory security. We have three active directory servers and use a dfs namespace (test.local) to encompass those three servers. We currently are using password server = TEST.local, but have had all three AD servers listed, but it has not helped.
>
> Whenever ANY of those servers go down for maintenance, the samba shares do not come up and restarting the winbind and smb services does not seem to help. We have to reboot the linux box for the shares to show up again.
>
> Should samba not try to query one of the other two servers when one is down? It does not appear to do so, or we have failed to modify a setting that will allow that.
>
> Any assistance with this issue would be appreciated.
>
> Here are the log entries for the failure:
>
> [2011/01/15 11:19:28, 1] smbd/sesssetup.c:464(reply_spnego_kerberos)
>   Username TEST\sql-svc-agent-prod is invalid on this system
> [2011/01/15 11:19:28, 0] lib/util_sock.c:738(write_data)
> [2011/01/15 11:19:28, 0] lib/util_sock.c:1491(get_peer_addr_internal)
>   getpeername failed. Error was Transport endpoint is not connected
>   write_data: write failure in writing to client 0.0.0.0. Error Broken pipe
> [2011/01/15 11:19:28, 0] smbd/process.c:62(srv_send_smb)
>   Error writing 39 bytes to client. -1. (Transport endpoint is not connected)
>
> PDC: windows 2008 R2
> Samba: 3.4.7 on ubuntu 10.4
>
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
> Processing section "[printers]"
> Processing section "[print$]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>     workgroup = TEST
>     realm = TEST.LOCAL
>     server string = %h server (Samba, Ubuntu)
>     security = ADS
>     map to guest = Bad User
>     obey pam restrictions = Yes
>     password server = TEST.local
>     pam password change = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     unix password sync = Yes
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     machine password timeout = 0
>     domain master = No
>     dns proxy = No
>     usershare allow guests = Yes
>     panic action = /usr/share/samba/panic-action %d
>     idmap uid = 500-10000000
>     idmap gid = 500-10000000
>     template shell = /bin/bash
>     winbind refresh tickets = Yes
>     create mask = 0664
>     hosts deny = 172.17.4.0/255.255.255.0, 172.19.4.0/255.255.255.0
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     create mask = 0700
>     printable = Yes
>     browseable = No
>     browsable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
>

I don't have this issue. It looks like you are aiming at producing a printserver. I'm going to show you my working config. It seems to survive reboots of the ADS machines fine. We don't reboot often, but it's a non-issue so far.

I do have a significant problem with my config though. When adding printers (not drivers, just the printers part) via the APW (windows client side), I get an Access Denied error the first time I click. If I dismiss that error, wait 5-10 seconds, and click again, the printer will install correctly. Please let me know if you too run into this.

If I were you, I'd pick out stuff that looks like it might be useful and place it into the new config rather than copy pasting. You'll notice there is a difference in where we put the [print$] directory anyway.

Anyway, hope this helps, and if you don't have that problem... please, please copy me your working smb.conf back.

Here's my smb.conf for comparison:

[global]
    display charset = UTF-8
    workgroup = KRH
    realm = KRH.INT
    server string = Samba Server
    security = ADS
    password server = kal-dc3.krh.int, kal-dc4.krh.int, kal-dc2.krh.int, *
    ntlm auth = No
    client NTLMv2 auth = Yes
    syslog = 0
    log level = 3
    log file = /var/log/samba/log.%m
    debug prefix timestamp = Yes
    max protocol = SMB2
    unix extensions = No
    max open files = 20000
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    hostname lookups = Yes
    printcap name = /usr/local/etc/printcap
    addprinter command = /usr/local/sbin/smbaddprinter.pl
    deleteprinter command = /usr/local/sbin/smbdelprinter.pl
    local master = No
    domain master = No
    dns proxy = No
    wins server = 10.6.1.21
    utmp = Yes
    host msdfs = No
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind cache time = 300
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    cups options = raw
    force printername = Yes
    wide links = Yes

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

[print$]
    comment = Where the printer drivers are kept
    path = /home/printserver/drivers
    write list = root, jax, KRH\jdown
    force user = printserver
    force group = printserver
    create mask = 0666
    security mask = 0666
    directory mask = 0777
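
Added example, not part of either post and not Samba code: a small Python check that reads a testparm-style dump and reports how "password server" selects domain controllers, following the smb.conf(5) rule that a list containing "*" is treated as preferred DCs plus an automatic lookup of the remaining ones. The two sample excerpts reuse the realm and password server lines posted in this thread; the function names and mode labels are hypothetical.

```python
import re

# Excerpts of the two [global] sections posted in this thread.
ORIGINAL_CONF = """[global]
    workgroup = TEST
    realm = TEST.LOCAL
    security = ADS
    password server = TEST.local
"""
REPLY_CONF = """[global]
    workgroup = KRH
    realm = KRH.INT
    security = ADS
    password server = kal-dc3.krh.int, kal-dc4.krh.int, kal-dc2.krh.int, *
"""

def parse_global(conf_text):
    """Return the [global] parameters of a testparm-style dump as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names ignore case and whitespace in smb.conf.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def classify_password_server(conf_text):
    """Describe which DCs the 'password server' value allows Samba to use."""
    params = parse_global(conf_text)
    entries = [e for e in re.split(r"[,\s]+", params.get("passwordserver", "")) if e]
    named = [e for e in entries if e != "*"]
    if not entries:
        mode = "unset"                # parameter absent: version default applies
    elif not named:
        mode = "auto-locate"          # "*" only
    elif "*" in entries:
        mode = "preferred-then-auto"  # listed DCs first, then auto lookup
    else:
        mode = "fixed-list"           # only the listed names are tried
    realm = params.get("realm", "").lower()
    return {"mode": mode, "named": named,
            "realm_as_server": [e for e in named if e.lower() == realm]}
```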