Using Samba v2.0.10 on a RedHat v7.1 box, I see that the Win98 clients on our network are making sporatic requests for user "nobody" (as shown below). Anyone know what's going on here? My network has both Linux and Win98 clients, but only the Win98 clients are showing this behavior. Both the Linux and Win98 clients access the same shared drives, but only the Win98 clients use shared printers. Also, the requests are bursty. The log entries below are the entire log file for this week and are copied on Tuesday morning. So after about 48hours of silence (logs are rotated on Sunday) all of a sudden this client (Win98 SE + all MS updates) is seeking user "nobody". Hmm. Note that I actually do *not* have "nobody" defined in my smb_passwd file, so the messages are strictly accurate. Note also that I have "guest ok = yes" on a couple of shares, though these log entries are from machines with actual users, not guests, logged in. Any thoughts on this? Thanks. ------------------------------- [2001/09/18 07:17:47, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:18:19, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:18:37, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:18:50, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:19:10, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:19:32, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:19:50, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:20:07, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:20:19, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:20:41, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:21:00, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:21:18, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:21:41, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:22:22, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:22:39, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:22:46, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:23:03, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:23:21, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:23:32, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:23:50, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file. [2001/09/18 07:24:04, 1] smbd/password.c:pass_check_smb(505) Couldn't find user 'nobody' in smb_passwd file.
Steve,
Funny you should mention the nobody user. I have the same entry in my logs
except that somehow the user nobody was created and allowed a connection to be
made to IPC$. I have no guest accounts enabled in smb and have no idea as to
how this connection was allowed. I was working from home and did a netstat -an
and saw a connection being made on port 138 by an address at work (yet the smb
server is not in production and nobody knows the IPs). I shut down smb and
after perusing the logs, found the nobody entries. I am on the hunt for an
answer to this and will share any info I get on this matter. I would appreciate
if you would do the same.
Cheers,
Tony
Steve Snyder wrote:
> Using Samba v2.0.10 on a RedHat v7.1 box, I see that the Win98 clients on
> our network are making sporatic requests for user "nobody" (as
shown
> below). Anyone know what's going on here?
>
> My network has both Linux and Win98 clients, but only the Win98 clients are
> showing this behavior. Both the Linux and Win98 clients access the same
> shared drives, but only the Win98 clients use shared printers.
>
> Also, the requests are bursty. The log entries below are the entire log
> file for this week and are copied on Tuesday morning. So after about
> 48hours of silence (logs are rotated on Sunday) all of a sudden this client
> (Win98 SE + all MS updates) is seeking user "nobody". Hmm.
>
> Note that I actually do *not* have "nobody" defined in my
smb_passwd file,
> so the messages are strictly accurate. Note also that I have "guest
ok > yes" on a couple of shares, though these log entries are from
machines with
> actual users, not guests, logged in.
>
> Any thoughts on this? Thanks.
>
> -------------------------------
>
> [2001/09/18 07:17:47, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:18:19, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:18:37, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:18:50, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:19:10, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:19:32, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:19:50, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:20:07, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:20:19, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:20:41, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:21:00, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:21:18, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:21:41, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:22:22, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:22:39, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:22:46, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:23:03, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:23:21, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:23:32, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:23:50, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
> [2001/09/18 07:24:04, 1] smbd/password.c:pass_check_smb(505)
> Couldn't find user 'nobody' in smb_passwd file.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
Steve and Tony, I also have the exact same problem. What I have seen in my analysis is that these logons come from windows boxes (NT), and as you saw are sporadic, coming in bursts of connections. I have several thousand desktops, all running samba, and the problem I saw was that these connections would be going to every machine. I would see the same windows machine trying to log onto each samba box in order right down the line...then a minute later another windows device trying to authenticate to all samba machines...I have an entry of "deadtime = 5" in my smb.conf file, so these connections to IPC$ from "nobody" will hang around for 5 minutes (they seem to fail to do what they are trying to do after they connect) and then die. But at any given time I would have anywhere from 1 (normal) to 9 smbd processes running at any given time on all my samba boxes. This in turn we believe was overwhelming our NT primary domain controller with all of these connections (a different issue). I addressed this whole issue by putting in my global smb.conf section the entry "invalid users = nobody". All of these connections are now denied but don't hang around, but I still don't know how to stop them from trying. One idea we had was that it had to do with print browsing on the windows side, and the windows machines are trying to go down their lists of available print browsers, which each samba is saying it is. I don't know if that is on track or not. If either of you find out more information, please let me know as well. Thanks!>Steve, > Funny you should mention the nobody user. I have the same entry in mylogs>except that somehow the user nobody was created and allowed a connection tobe>made to IPC$. I have no guest accounts enabled in smb and have no idea asto>how this connection was allowed. I was working from home and did a netstat-an>and saw a connection being made on port 138 by an address at work (yet thesmb>server is not in production and nobody knows the IPs). I shut down smb and >after perusing the logs, found the nobody entries. I am on the hunt for an >answer to this and will share any info I get on this matter. I wouldappreciate>if you would do the same. > >Cheers, > >Tony > >Steve Snyder wrote: > > Using Samba v2.0.10 on a RedHat v7.1 box, I see that the Win98 clients on > our network are making sporatic requests for user "nobody" (as shown > below). Anyone know what's going on here? > > My network has both Linux and Win98 clients, but only the Win98 clientsare> showing this behavior. Both the Linux and Win98 clients access the same > shared drives, but only the Win98 clients use shared printers. > > Also, the requests are bursty. The log entries below are the entire log > file for this week and are copied on Tuesday morning. So after about > 48hours of silence (logs are rotated on Sunday) all of a sudden thisclient> (Win98 SE + all MS updates) is seeking user "nobody". Hmm. > > Note that I actually do *not* have "nobody" defined in my smb_passwd file, > so the messages are strictly accurate. Note also that I have "guest ok > yes" on a couple of shares, though these log entries are from machineswith> actual users, not guests, logged in. > > Any thoughts on this? Thanks.
Below is a transcript of a successful user login (with debug level = 1). I'd like to ask a question regarding the netlogon notations below. First, some background. My v2.2.2 Samba server is running on a RedHat Linux v7.2 (with kernel v2.4.14). The client logon below is from a Win98SE box. The user below, "nancy", is mapping shares in 2 passes. In the first pass a number of shares are mapped by a netlogon script when logging into the network. In the second pass, the share that nancy has elected to map, "clipart", is auto-connected by Win98. So far so good. Now what the heck is that business between the 2 sets of connections? The netlogon is connected to, the user "nobody" is looked for 3 times, then the netlogon share is closed. Huh? Although user "nobody" exists in Linux, it does not exist in smbpasswd. I have no references to this user in either smb.conf or in the logon script. What is causing this sequence of actions and how do I stop it? Thanks. -------------------------------------- [2001/11/20 14:10:19, 1] smbd/service.c:make_connection(610) venus (192.168.0.3) connect to service netlogon as user nancy (uid=501, gid=100) (pid 30907) [2001/11/20 14:10:22, 1] smbd/service.c:make_connection(610) venus (192.168.0.3) connect to service lj4500 as user nancy (uid=501, gid=100) (pid 30907) [2001/11/20 14:10:22, 1] smbd/service.c:make_connection(610) venus (192.168.0.3) connect to service dj1120 as user nancy (uid=501, gid=100) (pid 30907) [2001/11/20 14:10:22, 1] smbd/service.c:make_connection(610) venus (192.168.0.3) connect to service public as user nancy (uid=501, gid=100) (pid 30907) [2001/11/20 14:10:22, 1] smbd/service.c:make_connection(610) venus (192.168.0.3) connect to service shared as user nancy (uid=501, gid=100) (pid 30907) [2001/11/20 14:10:22, 1] smbd/service.c:make_connection(610) venus (192.168.0.3) connect to service nancy as user nancy (uid=501, gid=100) (pid 30907) [2001/11/20 14:10:23, 1] smbd/service.c:close_cnum(648) venus (192.168.0.3) closed connection to service netlogon [2001/11/20 14:10:23, 1] smbd/service.c:make_connection(610) venus (192.168.0.3) connect to service netlogon as user nancy (uid=501, gid=100) (pid 30907) [2001/11/20 14:10:44, 1] smbd/password.c:pass_check_smb(546) Couldn't find user 'nobody' in passdb. [2001/11/20 14:10:44, 1] smbd/password.c:pass_check_smb(546) Couldn't find user 'nobody' in passdb. [2001/11/20 14:10:44, 1] smbd/password.c:pass_check_smb(546) Couldn't find user 'nobody' in passdb. [2001/11/20 14:12:30, 1] smbd/service.c:close_cnum(648) venus (192.168.0.3) closed connection to service netlogon [2001/11/20 14:21:46, 1] smbd/service.c:make_connection(610) venus (192.168.0.3) connect to service clipart as user nancy (uid=501, gid=100) (pid 30907)