samba - Mar 2007 - Fatal Samba bug? Why can't anyone answer this question?

Hi all,

I ran into a problem with samba and immediately googles for answers. I 
found 30-odd references to places where this question has been asked 
before, but no answers. I asked it myself here and got no answer.

Perhaps this is this a fatal bug in samba if no one knows how to fix it. 
Below is my original question:

----------------------------------------------------------------------

Subject: Can't solve: ERRSRV - ERRbadpw (Bad password - name/password pair

Hi, I have four computers on a home network:

A) A 2004-era debian machine
B) A 2005-era debian machine
C) A 2007 xandros machine
D) A 2007 kubuntu machine

The problem: Machines B and C allow users to mount samba shares, but 
machines A and D don't. I get:

smbmount //spk/homes ~/mnt
Password:
3573: tree connect failed: ERRSRV - ERRbadpw (Bad password - 
name/password pair in a Tree Connect or Session Setup are invalid.)
SMB connection failed

I have gone crazy trying to fix this problem, but it doesn't seem to 
depend at all on what is in the /etc/samba/smb.conf file. I even copied 
the working conf file from C to D (suitably editing machine names etc.), 
but got exactly the same error. I have run through so many totally 
different smb.conf files, I am sure that it isn't that that is causing 
the trouble. For example, here is one that works on C but not on D:

[global]
workgroup = gemmie
server string=%h (Kubuntu Desktop)
dns proxy=no
name resolve order=lmhosts host wins bcast
log file=/var/log/samba/log.%m
max log size=1000
syslog=0
panic action=/usr/share/samba/panic-action %d
security=SHARE
encrypt passwords = true
passdb backend=tdbsam
ldap delete dn=yes
obey pam restrictions=yes
invalid users=root
map to guest=Bad User
passwd program=/usr/bin/passwd %u
passwd chat=*Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n .
client use spnego=no
load printers=no
printing=cups
printcap name=cups
dos filetimes=yes
socket options=TCP_NODELAY
display charset=iso8859-1
unix charset=iso8859-1
preserve case=yes
case sensitive=no
short preserve case=yes
os level=20

[homes]
         create mask = 0775
     comment = Home Directories
     directory mask = 0775
     writeable = yes
         path = /home/%u
         case sensitive = yes

A few more facts: the user attempting to mount the share has the same 
uid and password on all machines, so unless there is some other password 
somewhere in the samba system, it _is_ getting the right password. 
Furthermore, all machines can ssh and scp to/from all others.

To make matters worse, I can't find any error logs. A recursive grep on 
/var/log for samba only finds the startup messages from when the machine 
is turned on.

I am desperate, desperate, I tell ya! All ideas VERY gratefully accepted!!!

BTW, when changing smb.conf, what is the recommended way to restart the 
samba server with the new settings? The man pages aren't too clear on that.

-- 
Ron House       house@usq.edu.au
                 http://www.sci.usq.edu.au/staff/house

This email (including any attached files) is confidential and is for the
intended recipient(s) only.  If you received this email by mistake,
please, as a courtesy, tell the sender, then delete this email.

The views and opinions are the originator's and do not necessarily
reflect those of the University of Southern Queensland.  Although all
reasonable precautions were taken to ensure that this email contained no
viruses at the time it was sent we accept no liability for any losses
arising from its receipt.

The University of Southern Queensland is a registered provider of
education with the Australian Government (CRICOS Institution Code No's.
QLD 00244B / NSW 02225M)

On Mon, 12 Mar 2007 16:00:23 +1000, Ron House wrote:
> A few more facts: the user attempting to mount the share has the same uid
> and password on all machines, so unless there is some other password
> somewhere in the samba system, it _is_ getting the right password.
> Furthermore, all machines can ssh and scp to/from all others.
Have you looked at the /etc/samba/passwd file?  It could be
/etc/samba/smbpasswd depending on the distro.
> BTW, when changing smb.conf, what is the recommended way to restart the
> samba server with the new settings? The man pages aren't too clear on
> that.
/etc/init.d/samba restart
(or /etc/init.d/smb restart -- check the /etc/init.d directory)

HTH,
Akemi

Ron House wrote:
> Perhaps this is this a fatal bug in samba if no one knows how to fix 
> it. Below is my original question:
In general people (developers especially) aren't terribly likely to 
respond to anything that blames a a bug and then proceeds to describe a 
problem that sounds more like a configuration error than anything else
> The problem: Machines B and C allow users to mount samba shares, but 
> machines A and D don't. I get:
>
> smbmount //spk/homes ~/mnt
> Password:
> 3573: tree connect failed: ERRSRV - ERRbadpw (Bad password - 
> name/password pair in a Tree Connect or Session Setup are invalid.)
> SMB connection failed
 From this I assume all 4 machines are attempting to mount the same 
share off a single server? First off, afaik smb is depreciated, use 
cifs. Don't call smbmount directly, use mount -t smb (or mount -t cifs). 
Neither of those are likely to cause your problem but thats how its done
> client use spnego=no
This could be your problem. Why do you have this line? Do you really 
need it?

Alot of the settings in your config file are contraditory, depreciated, 
or just plain wrong. Since you only talk about these machines as being 
clients I won't go into the details since they aren't really important, 
however I would suggest that for the most part samba has pretty good 
defaults and you should only be defining something in the config file if 
you understand it and know that you need it.

Aside from the line above the config file you posted doesn't appear to 
have much info related to acting as a client. Is the server a samba box? 
can you provide the config from that?
> A few more facts: the user attempting to mount the share has the same 
> uid and password on all machines, so unless there is some other 
> password somewhere in the samba system, it _is_ getting the right 
> password. Furthermore, all machines can ssh and scp to/from all others.
Samba doesn't use the unix password database, it uses its own storage 
which in your case is set to a tdbsam database. SSH and scp are not 
valid tests since they only test the unix passwords. Based on the error 
returned my guess is that it _isn't_ getting the right
password.
>
> To make matters worse, I can't find any error logs. A recursive grep 
> on /var/log for samba only finds the startup messages from when the 
> machine is turned on.
Your log files are stored as per the "log file" setting in your 
smb.conf, you may have to create the directory. Samba rarely (if ever) 
writes it's own name to it's log files (who is going to be writing to a 
samba log file but samba?) try searching for smb as samba will record 
which daemon (smbd or nmbd) is producing the errors.
> BTW, when changing smb.conf, what is the recommended way to restart 
> the samba server with the new settings? The man pages aren't too clear 
> on that.
       The  configuration  file, and any files that it includes, are 
automati-
       cally reloaded every minute, if they change. You can force a 
reload  by
       sending  a  SIGHUP to the server. Reloading the configuration 
file will
       not affect connections to any  service  that  is  already  
established.
       Either  the  user  will  have  to  disconnect from the service, 
or smbd
       killed and restarted.

Which bit is unclear? The user has to disconnect using for example "net 
use * /delete" and reconnect or you have to kill the smbd process on the 
server. Different distros will have their own way of doing this or you 
can use a combination of smbstatus, ps, kill and killall.

Basically if you can provide the config file from the server it would go 
along way towards solving your problems.

-- Michael Heydon

> All four machines are at verious times both servers and clients, as 
> they are all equivalent. I just want to be able to mount drives from 
> any machine on any other. But two of the four refuse to accept remote 
> mounts as servers, but they all can access a remote mount as a client. 
> That is why I am so puzzled. The conf file I posted is from one of the 
> working (as a server) machines, but the exact same file on one of the 
> other machines doesn't work. That is what is so confusing.
In this case, would there be any problems with standardizing the
configuration between all the machines? In your first email you
mentioned two older debian boxes, have they been updated to v3.x of
samba? Personally I would be tempted to make one clean, efficient config
file and use that as a base modifying just share definitions, tweaks,
etc for each machine.
> One of the non-working machines is a kubuntu oct 2006 version with the 
> straight conf file resulting from turning on samba shares in the gui, 
> and it doesn't work.
I tend to shy away from the GUI tools, they have a bit of a history of
making a mess of things.

We get a few users a week coming into the irc channel with "msdfs proxy
= no" in their config files, this is inserted by (I believe) the KDE
configuration tool and infact means "this share is a dfs proxy pointed
to the share called 'no'." Since the share 'no' doesn't
exist the config
doesn't work. This is just the one example that springs to mind, there
are others.

If they were my machines I would trim my config down to the absolute
minimum required for samba to start, add options one at a time until it
was doing what I wanted, then copy that config to all the machines. I
would also switch to security=user rather than security=share but maybe
thats just me.

If you need help getting the config how you want it send it through or
come chat to us in #samba on irc.freenode.org

Also depending on how these machines are used as well as standardizing
the config you might think about setting up an ldap backend, you could
share users and passwords between samba and *nix on all systems.

-- Michael Heydon