I have
samba-3.0.4
openldap-2.1.29
smbldap-tools-0.8.4-1

When connecting with an XP client, which I have logged in as administrator, and browsing the network neighbourhood, I cannot connect as administrator and it allows me to connect as 'nobody'.

What can I do to fix this, or does anyone have any helpful hints?

<snip>
[2004/05/15 14:20:54, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [Administrator] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/05/15 14:20:54, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.0.130)
[2004/05/15 14:21:01, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.0.130)
[2004/05/15 14:21:01, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.0.130)
[2004/05/15 14:21:01, 1] smbd/service.c:make_connection_snum(619)
  depot (192.168.0.130) connect to service HOMEDIRS initially as user nobody (uid=99, gid=99) (pid 6935)
</snip>
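
An added example (not part of the original post and not Samba code): a small Python check that flags the pattern in the log excerpt above, a failed logon followed shortly by a share connection as the guest account. The function names, the 30-second window and the default guest name `nobody` are assumptions of this example.

```python
import re
from datetime import datetime

# Excerpt copied from the post above, in smbd's two-line record layout.
SAMPLE = """\
[2004/05/15 14:20:54, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [Administrator] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/05/15 14:20:54, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.0.130)
[2004/05/15 14:21:01, 1] smbd/service.c:make_connection_snum(619)
  depot (192.168.0.130) connect to service HOMEDIRS initially as user nobody (uid=99, gid=99) (pid 6935)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*\d+\]")
AUTH_FAIL = re.compile(r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (\S+)")
CONNECT = re.compile(r"\((\d+(?:\.\d+){3})\) connect to service (\S+) initially as user (\S+)")


def records(text):
    """Yield (timestamp, message) per record: a header line plus its continuation lines."""
    ts, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(body)
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            body = [line[m.end():].strip()]
        elif ts is not None:
            body.append(line.strip())
    if ts is not None:
        yield ts, " ".join(body)


def guest_fallbacks(text, guest="nobody", window_s=30):
    """Pair each failed logon with guest share connections in the next window_s seconds.

    The failure line carries no client address, so pairing by time is an
    assumption of this example and can mismatch on a busy server.
    """
    failures, hits = [], []
    for ts, msg in records(text):
        fail, conn = AUTH_FAIL.search(msg), CONNECT.search(msg)
        if fail:
            failures.append((ts, fail.groups()))
        elif conn and conn.group(3) == guest:
            for fts, (user, mapped, status) in failures:
                if 0 <= (ts - fts).total_seconds() <= window_s:
                    hits.append({"client": conn.group(1), "service": conn.group(2),
                                 "requested": user, "mapped": mapped, "status": status})
    return hits
```
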
mrojava4@eastgranby.k12.ct.us
2004-May-15 20:01 UTC
[Samba] getpeername and intermittent roaming profile errors - circumvention
Over the past couple of months, as time permits, I've been looking into messages similar to:

[2004/05/11 14:00:20.129507, 0] lib/util_sock.c:get_peer_addr(952)
  getpeername failed. Error was Transport endpoint is not connected
[2004/05/11 14:00:20.130067, 0] lib/util_sock.c:write_socket_data(388)
  write_socket_data: write failure. Error = Connection reset by peer
[2004/05/11 14:00:20.130131, 0] lib/util_sock.c:write_socket(413)
  write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset by peer
[2004/05/11 14:00:20.130188, 0] lib/util_sock.c:send_smb(605)
  Error writing 4 bytes to client. -1. (Connection reset by peer)

in /var/log/log.smbd and /var/log/samba/log.xxxxxxx for many of our PC's.

Many people have reported these errors to the list and the suggested cure has always been looking at network hardware problems. In developing an approach to circumvent these messages, I believe that I have also circumvented intermittent roaming profile failures (Microsoft Knowledge Base Article 831651) that have also been written about in this list.

Our configuration is Fedora 1 with samba3.0.2a as a PDC with WINS. We still use smbpasswd as our authentication method. We have about 60 XP Pro PC's and about 100 W98 2nd edition PC's in this network. We have no PC's running W2000. There is only one server (the PDC) in this network.

From looking at /var/log/samba, I quickly determined that only XP Pro PC's logged the above error message. After looking at some Ethernet traces, I believed that the error messages were caused by a particular sequence during the decision making between XP Pro and samba for using port 139 or port 445 for smb traffic. See https://bugzilla.samba.org/show_bug.cgi?id=1257 for more detail.

As the first attempt at a circumvention, I added an iptables INPUT rule to the server to block port 445. It appeared to work, so I removed the iptables rule and added an "smb ports = 139" statement to smb.conf to block port 445 and put it into production.

It worked. The getpeername messages disappeared from the log. However, for the next couple of days, I received reports of frequent, but intermittent roaming profile error messages at logon. This solution of forcing all PC's to use Netbios over TCP greatly increased the number of complaints of roaming profile error messages. So I commented out the smb ports statement and the getpeername error messages resumed (which appear to do no harm) and the roaming profile error messages reduced to sporadic.

As a second approach, I isolated all the XP Pro PC's via DHCP to the 192.168.1.0/24 address range while the W98 PC's remained in the 192.168.0.0/24 range. This allowed me to add the following iptables rule to the server:

iptables -I INPUT 1 -p tcp -s 192.168.1.0/24 --dport 139 -j DROP

With this rule, and the address separation, XP Pro PC's use port 445 for smb traffic while W98 PC's use port 139.

The second approach has now been working for a week in production with no getpeername errors and, I believe, there have been no roaming profile errors for the XP Pro PC's.

Again, we have a fairly simple samba configuration, so if you want to try this, test it first in your configuration.

Mark