thr3ads.net - samba - [Samba] Intermittent ACCESS DENIED [Sep 2006]

If this information is useful, please help other people find it:
Share via:

Steven Cardinal

2006-Sep-27 13:22 UTC

[Samba] Intermittent ACCESS DENIED

In a follow-up to a previous post a couple weeks back, we've implemented a
Samba 3.0.20 (Suse packages on 10.0 - recompiled to include idmap_rid)
server to replace the Windows 2000 file server in our Win2003 Active
Directory. For the most part things have been going well, but occassionally
people will get access denied errors to things that they were accessing just
fine minutes before. With file shares, they can access the share via UNC
and, if they unmap and remap the share, it works. The recommendation was to
increase the log level to 10. I was finally able to capture a log while
someone was having a problem. In this instance they were getting access
denied to the printers.

To date, I've only seen these errors on Windows 2000 workstations and not
our XP workstations, but since this is so intermittent and we have only a
few XP boxes, I'm not sure that is signficant, but I figured I'd throw
it
out there anyway. Here's my config (with the names changed to protect the
innocent)

[global]
    unix charset = LOCALE
    workgroup = MYDOMAIN
    realm = MYDOMAIN.INT
    server string = Production File Server 03
    security = ADS
    allow trusted domains = No
    enable privileges = Yes
    username map = /etc/samba/smbusers
    log level = 10
    log file = /var/log/samba/%m
    max log size = 50
    deadtime = 15
    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
    printcap name = cups
    wins server = 10.0.0.10
    ldap ssl = no
    idmap backend = idmap_rid:MYDOMAIN=10000-50000
    idmap uid = 10000-50000
    idmap gid = 10000-50000
    template shell = /bin/bash
    winbind separator = +
    cups options = raw

[Software]
    comment = Adheris Software
    path = /srv/public/software
    valid users = @MYDOMAIN+grpIT, @MYDOMAIN+grpDevelopers
    admin users = "@MYDOMAIN+Domain Admins"
    read only = No
    create mask = 0664
    directory mask = 0775
    dos filemode = Yes

[Home$]
    path = /srv/private/home
    valid users = "@MYDOMAIN+Domain Users"
    admin users = "@MYDOMAIN+Domain Admins"
    read only = No
    create mask = 0660
    directory mask = 0770
    dos filemode = Yes

[Users]
    comment = Adheris User Data
    path = /srv/public/users
    valid users = "@MYDOMAIN+Domain Users"
    admin users = "@MYDOMAIN+Domain Admins"
    read only = No
    create mask = 02664
    directory mask = 02775
    dos filemode = Yes

[Printers]
    comment = All Printers
    path = /var/tmp
    create mask = 0600
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = root, "@MYDOMAIN+Domain Admins"

And here is the debug information. The thing that stands out to me is the
request for spoolss that fails. We do not have the iptables firewall
enabled, but we seem to be getting a pipe issue perhaps? I'm weak on the
programming/debugging side but take directions well if anyone has some
suggestions. Thanks

[2006/09/26 16:19:51, 10]
lib/util_sock.c:read_smb_length_return_keepalive(615)
  got smb length of 49
[2006/09/26 16:19:51, 6] smbd/process.c:process_smb(1113)
  got message type 0x0 of len 0x31
[2006/09/26 16:19:51, 3] smbd/process.c:process_smb(1114)
  Transaction 1145 of length 53
[2006/09/26 16:19:51, 5] lib/util.c:show_msg(454)
[2006/09/26 16:19:51, 5] lib/util.c:show_msg(464)
  size=49
  smb_com=0x2b
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=49219
  smb_tid=65535
  smb_pid=65279
  smb_uid=0
  smb_mid=65534
  smt_wct=1
  smb_vwv[ 0]=    1 (0x1)
  smb_bcc=12
[2006/09/26 16:19:51, 10] lib/util.c:dump_data(2053)
  [000] 4A 6C 4A 6D 49 68 43 6C  42 73 72 00              JlJmIhCl Bsr.
[2006/09/26 16:19:51, 3] smbd/process.c:switch_message(900)
  switch message SMBecho (pid 23178) conn 0x0
[2006/09/26 16:19:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/26 16:19:51, 5] auth/auth_util.c:debug_nt_user_token(452)
  NT user token: (NULL)
[2006/09/26 16:19:51, 5] auth/auth_util.c:debug_unix_user_token(473)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/09/26 16:19:51, 5] smbd/uid.c:change_to_root_user(319)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/09/26 16:19:51, 5] lib/util.c:show_msg(454)
[2006/09/26 16:19:51, 5] lib/util.c:show_msg(464)
  size=49
  smb_com=0x2b
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=65535
  smb_pid=65279
  smb_uid=0
  smb_mid=65534
  smt_wct=1
  smb_vwv[ 0]=    1 (0x1)
  smb_bcc=12
[2006/09/26 16:19:51, 10] lib/util.c:dump_data(2053)
  [000] 4A 6C 4A 6D 49 68 43 6C  42 73 72 00              JlJmIhCl Bsr.
[2006/09/26 16:19:51, 3] smbd/reply.c:reply_echo(3499)
  echo 1 times
[2006/09/26 16:19:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/26 16:19:51, 5] auth/auth_util.c:debug_nt_user_token(452)
  NT user token: (NULL)
[2006/09/26 16:19:51, 5] auth/auth_util.c:debug_unix_user_token(473)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/09/26 16:19:51, 5] smbd/uid.c:change_to_root_user(319)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/09/26 16:19:51, 6] param/loadparm.c:lp_file_list_changed(2959)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Wed Sep 20
10:13:30 2006

[2006/09/26 16:20:25, 10]
lib/util_sock.c:read_smb_length_return_keepalive(615)
  got smb length of 49
[2006/09/26 16:20:25, 6] smbd/process.c:process_smb(1113)
  got message type 0x0 of len 0x31
[2006/09/26 16:20:25, 3] smbd/process.c:process_smb(1114)
  Transaction 1146 of length 53
[2006/09/26 16:20:25, 5] lib/util.c:show_msg(454)
[2006/09/26 16:20:25, 5] lib/util.c:show_msg(464)
  size=49
  smb_com=0x2b
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=49219
  smb_tid=65535
  smb_pid=65279
  smb_uid=0
  smb_mid=65534
  smt_wct=1
  smb_vwv[ 0]=    1 (0x1)
  smb_bcc=12
[2006/09/26 16:20:25, 10] lib/util.c:dump_data(2053)
  [000] 4A 6C 4A 6D 49 68 43 6C  42 73 72 00              JlJmIhCl Bsr.
[2006/09/26 16:20:25, 3] smbd/process.c:switch_message(900)
  switch message SMBecho (pid 23178) conn 0x0
[2006/09/26 16:20:25, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/26 16:20:25, 5] auth/auth_util.c:debug_nt_user_token(452)
  NT user token: (NULL)
[2006/09/26 16:20:25, 5] auth/auth_util.c:debug_unix_user_token(473)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/09/26 16:20:25, 5] smbd/uid.c:change_to_root_user(319)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/09/26 16:20:25, 5] lib/util.c:show_msg(454)
[2006/09/26 16:20:25, 5] lib/util.c:show_msg(464)
  size=49
  smb_com=0x2b
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=65535
  smb_pid=65279
  smb_uid=0
  smb_mid=65534
  smt_wct=1
  smb_vwv[ 0]=    1 (0x1)
  smb_bcc=12
[2006/09/26 16:20:25, 10] lib/util.c:dump_data(2053)
  [000] 4A 6C 4A 6D 49 68 43 6C  42 73 72 00              JlJmIhCl Bsr.
[2006/09/26 16:20:25, 3] smbd/reply.c:reply_echo(3499)
  echo 1 times
[2006/09/26 16:20:25, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/26 16:20:25, 5] auth/auth_util.c:debug_nt_user_token(452)
  NT user token: (NULL)
[2006/09/26 16:20:25, 5] auth/auth_util.c:debug_unix_user_token(473)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/09/26 16:20:25, 5] smbd/uid.c:change_to_root_user(319)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/09/26 16:20:44, 10]
lib/util_sock.c:read_smb_length_return_keepalive(615)
  got smb length of 102
[2006/09/26 16:20:44, 6] smbd/process.c:process_smb(1113)
  got message type 0x0 of len 0x66
[2006/09/26 16:20:44, 3] smbd/process.c:process_smb(1114)
  Transaction 1147 of length 106
[2006/09/26 16:20:44, 5] lib/util.c:show_msg(454)
[2006/09/26 16:20:44, 5] lib/util.c:show_msg(464)
  size=102
  smb_com=0xa2
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51207
  smb_tid=2
  smb_pid=452
  smb_uid=101
  smb_mid=48515
  smt_wct=24
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=57054 (0xDEDE)
  smb_vwv[ 2]= 4096 (0x1000)
  smb_vwv[ 3]= 5632 (0x1600)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]=    0 (0x0)
  smb_vwv[ 6]=    0 (0x0)
  smb_vwv[ 7]=40704 (0x9F00)
  smb_vwv[ 8]=  513 (0x201)
  smb_vwv[ 9]=    0 (0x0)
  smb_vwv[10]=    0 (0x0)
  smb_vwv[11]=    0 (0x0)
  smb_vwv[12]=    0 (0x0)
  smb_vwv[13]=    0 (0x0)
  smb_vwv[14]=    0 (0x0)
  smb_vwv[15]=  768 (0x300)
  smb_vwv[16]=    0 (0x0)
  smb_vwv[17]=  256 (0x100)
  smb_vwv[18]=    0 (0x0)
  smb_vwv[19]=16384 (0x4000)
  smb_vwv[20]=16384 (0x4000)
  smb_vwv[21]=  512 (0x200)
  smb_vwv[22]=    0 (0x0)
  smb_vwv[23]=  768 (0x300)
  smb_bcc=19
[2006/09/26 16:20:44, 10] lib/util.c:dump_data(2053)
  [000] 00 5C 00 73 00 70 00 6F  00 6F 00 6C 00 73 00 73  .\.s.p.o .o.l.s.s
  [010] 00 00 00                                          ...
[2006/09/26 16:20:44, 3] smbd/process.c:switch_message(900)
  switch message SMBntcreateX (pid 23178) conn 0x803c0bf8
[2006/09/26 16:20:44, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (11999, 10513) - sec_ctx_stack_ndx = 0
[2006/09/26 16:20:44, 5] auth/auth_util.c:debug_nt_user_token(457)
  NT user token of user S-1-5-21-3400670868-1557003858-4011083039-24998
  contains 19 SIDs
  SID[  0]: S-1-5-21-3400670868-1557003858-4011083039-24998
  SID[  1]: S-1-5-21-3400670868-1557003858-4011083039-22027
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-2065454515-1881373809-78262646-513
  SID[  6]: S-1-5-21-2065454515-1881373809-78262646-2964
  SID[  7]: S-1-5-21-2065454515-1881373809-78262646-2221
  SID[  8]: S-1-5-21-2065454515-1881373809-78262646-3461
  SID[  9]: S-1-5-21-2065454515-1881373809-78262646-5176
  SID[ 10]: S-1-5-21-2065454515-1881373809-78262646-5147
  SID[ 11]: S-1-5-21-2065454515-1881373809-78262646-5114
  SID[ 12]: S-1-5-21-2065454515-1881373809-78262646-5179
  SID[ 13]: S-1-5-21-2065454515-1881373809-78262646-2128
  SID[ 14]: S-1-5-21-2065454515-1881373809-78262646-3025
  SID[ 15]: S-1-5-21-2065454515-1881373809-78262646-2222
  SID[ 16]: S-1-5-21-2065454515-1881373809-78262646-3021
  SID[ 17]: S-1-5-21-2065454515-1881373809-78262646-2129
  SID[ 18]: S-1-5-21-2065454515-1881373809-78262646-1879
  SE_PRIV  0x0 0x0 0x0 0x0
[2006/09/26 16:20:44, 5] auth/auth_util.c:debug_unix_user_token(473)
  UNIX token of user 11999
  Primary group is 10513 and contains 14 supplementary groups
  Group[  0]: 10513
  Group[  1]: 12964
  Group[  2]: 12221
  Group[  3]: 13461
  Group[  4]: 15176
  Group[  5]: 15147
  Group[  6]: 15114
  Group[  7]: 15179
  Group[  8]: 12128
  Group[  9]: 13025
  Group[ 10]: 12222
  Group[ 11]: 13021
  Group[ 12]: 12129
  Group[ 13]: 11879
[2006/09/26 16:20:44, 5] smbd/uid.c:change_to_user(304)
  change_to_user uid=(11999,11999) gid=(0,10513)
[2006/09/26 16:20:44, 10] smbd/nttrans.c:reply_ntcreate_and_X(506)
  reply_ntcreateX: flags = 0x16, access_mask = 0x2019f file_attributes 0x0,
share_access = 0x3, create_disposition = 0x1 create_options = 0x400040
root_dir_fid = 0x0
[2006/09/26 16:20:44, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "spoolss"
[2006/09/26 16:20:44, 10] smbd/statcache.c:stat_cache_lookup(215)
  stat_cache_lookup: lookup failed for name [SPOOLSS]
[2006/09/26 16:20:44, 5] smbd/filename.c:unix_convert(175)
  unix_convert begin: name = spoolss, dirpath = , start = spoolss
[2006/09/26 16:20:44, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled spoolss ?
[2006/09/26 16:20:44, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component spoolss (len 7) ?
[2006/09/26 16:20:44, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled spoolss ?
[2006/09/26 16:20:44, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component spoolss (len 7) ?
[2006/09/26 16:20:44, 10] smbd/mangle_hash2.c:is_mangled(276)
  is_mangled spoolss ?
[2006/09/26 16:20:44, 10] smbd/mangle_hash2.c:is_mangled_component(215)
  is_mangled_component spoolss (len 7) ?
[2006/09/26 16:20:44, 5] smbd/filename.c:unix_convert(324)
  New file spoolss
[2006/09/26 16:20:44, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(spoolss) returning 0664
[2006/09/26 16:20:44, 10] smbd/open.c:open_file_ntcreate(1236)
  open_file_ntcreate: fname=spoolss, dos_attrs=0x0 access_mask=0x2019f
share_access=0x3 create_disposition = 0x1 create_options=0x400040 unix
mode=0664 oplock_request=3
[2006/09/26 16:20:44, 5] smbd/open.c:open_file_ntcreate(1327)
  open_file_ntcreate: FILE_OPEN requested for file spoolss and file doesn't
exist.
[2006/09/26 16:20:44, 10] smbd/trans2.c:set_bad_path_error(2583)
  set_bad_path_error: err = 2 bad_path = 0
[2006/09/26 16:20:44, 3] smbd/error.c:error_packet(147)
  error packet at smbd/trans2.c(2589) cmd=162 (SMBntcreateX)
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2006/09/26 16:20:44, 5] lib/util.c:show_msg(454)
[2006/09/26 16:20:44, 5] lib/util.c:show_msg(464)
  size=35
  smb_com=0xa2
  smb_rcls=52
  smb_reh=0
  smb_err=49152
  smb_flg=136
  smb_flg2=51201
  smb_tid=2
  smb_pid=452
  smb_uid=101
  smb_mid=48515
  smt_wct=0
  smb_bcc=0

Felipe Augusto van de Wiel

2006-Oct-03 13:57 UTC

head link

[Samba] Intermittent ACCESS DENIED

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey,

On 09/27/2006 10:14 AM, Steven Cardinal escreveu:> In a follow-up to a previous post a couple weeks back, we've
implemented a
> Samba 3.0.20 (Suse packages on 10.0 - recompiled to include idmap_rid)
> server to replace the Windows 2000 file server in our Win2003 Active
> Directory. For the most part things have been going well, but occassionally
> people will get access denied errors to things that they were accessing
> just
> fine minutes before. With file shares, they can access the share via UNC
> and, if they unmap and remap the share, it works. The recommendation was to
> increase the log level to 10. I was finally able to capture a log while
> someone was having a problem. In this instance they were getting access
> denied to the printers.
	Printers has a particular case, usually if you change 'use client
driver' and 'disable spoolss' you can solve the Access Denied
messages.
But this is for printers and W2K.

> To date, I've only seen these errors on Windows 2000 workstations and
not
> our XP workstations, but since this is so intermittent and we have only a
> few XP boxes, I'm not sure that is signficant, but I figured I'd
throw it
> out there anyway. Here's my config (with the names changed to protect
the
> innocent)
> 
> [global]
>    unix charset = LOCALE
>    workgroup = MYDOMAIN
>    realm = MYDOMAIN.INT
>    server string = Production File Server 03
>    security = ADS
>    allow trusted domains = No
>    enable privileges = Yes
>    username map = /etc/samba/smbusers
>    log level = 10
>    log file = /var/log/samba/%m
>    max log size = 50
>    deadtime = 15
>    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192
> SO_SNDBUF=8192
>    printcap name = cups
>    wins server = 10.0.0.10
>    ldap ssl = no
>    idmap backend = idmap_rid:MYDOMAIN=10000-50000
>    idmap uid = 10000-50000
>    idmap gid = 10000-50000
>    template shell = /bin/bash
>    winbind separator = +
>    cups options = raw
> [Software]
>    comment = Adheris Software
>    path = /srv/public/software
>    valid users = @MYDOMAIN+grpIT, @MYDOMAIN+grpDevelopers
>    admin users = "@MYDOMAIN+Domain Admins"
>    read only = No
>    create mask = 0664
>    directory mask = 0775
>    dos filemode = Yes[...]
> And here is the debug information. The thing that stands out to me is the
> request for spoolss that fails. We do not have the iptables firewall
> enabled, but we seem to be getting a pipe issue perhaps? I'm weak on
the
> programming/debugging side but take directions well if anyone has some
> suggestions. Thanks
	I would say that for the printer case you can try to change the
above mentioned parameters, it could solve the problem. For the file
shares, I have facing a similar problem recently, but so far, people
invovled with Windows keep telling that it is MS Windows related and
soon or late will cure itself. :-)

[... loglevel 10 ...]


	Kind regards,
- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informa??o (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFImxTCj65ZxU4gPQRAqmiAKCSUo+Wxg6UfuHNvsy2kYRVu4An6ACgnx5t
wDSx2JHRMbLm9TKF7YqAuLE=ZN/I
-----END PGP SIGNATURE-----

Possibly Parallel Threads

Search for more maybe matching threads

samba - Sep 2006 - Intermittent ACCESS DENIED

[Samba] Intermittent ACCESS DENIED

[Samba] Intermittent ACCESS DENIED

Possibly Parallel Threads