samba - Sep 2009 - samba w/o openvpn: OK - else strange issues

Hello,

I do have a very strange behavior. For some reason, I only observe
this, when I access a samba share through an openvpn tunnel.

(1) objective

have a share, have SECURITY USERS (to control access rights), but NULL
PASSWORDS (authentication is fine enough by vpn). Find config files
below.

This is samba 3.3.2. Openvpn 2.1_rc11.

(2) issue

I connect via vpn from winXP ... fine
I access some shares ... fine
I access some directories and files ... fine (btw: access rights work
perfectly)
I create a file or a folder ... sometimes works, sometimes not
THEN: If it works I try to rename the file or folder. It does not
*ALWAYS* work. Sometimes it does. More often it does not. WinXP throws
"access denied". I played around with the parameters "nt acl
support no", "directory mask", "create mask",
"force directory mask". Nothing
really works out (latest version attached below). The logfiles are
very busy and I cannot figure out what is really going on.

=> did anybody ever observe this?
=> this does not occur, when I do *not* access the share through VPN!
Or is this coincidence?
=> real issue is, that sometimes it works. In this successful case,
the renamed folder appears only after various F5 in winXP (refresh).

(3) config file smb.conf

[global]
       log file = /var/log/samba/log.%m
       passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*
\spassword:* %n\n *password\supdated\ssuccessfully* .
       obey pam restrictions = yes
       null passwords = yes
       encrypt passwords = yes
       passwd program = /usr/bin/passwd %u
       passdb backend = tdbsam
       dns proxy = no
       server string = %h server (Samba, Ubuntu)
       unix password sync = yes
       workgroup = DALL-ARMI
       security = user
       syslog = 0
       usershare allow guests = yes
       panic action = /usr/share/samba/panic-action %d
       unix charset = UTF8
       max log size = 1000
       pam password change = yes
       log level = 0
       nt acl support = no
[share]
   path=/mnt/workspace/share
   comment = share-workspace
   browsable = yes
   read only = no
   create mask = 777
   directory mask = 777
   force directory mode = 0770
   #guest ok = true

All other options of smb.conf are (or should be :-) "default".

(4) samba log files with a "log level 3"

Here are some snippets which seem strange to me:

<snip>

[2009/09/10 01:50:00,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID
[S-1-5-21-3561405685-2395757788-2122654243-501]
[2009/09/10 01:50:00,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-5-2]
[2009/09/10 01:50:00,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-5-32-546]

<snip>
[2009/09/10 01:50:00,  3] smbd/password.c:register_existing_vuid(289)
 register_existing_vuid: User name: nobody     Real name: nobody
[2009/09/10 01:50:00,  3] smbd/password.c:register_existing_vuid(299)
 register_existing_vuid: UNIX uid 65534 is UNIX user nobody, and will
be vuid 100
<snip>

[2009/09/10 01:50:01,  3] smbd/msdfs.c:get_referred_path(813)
 get_referred_path: |piazza| in dfs path \10.8.0.1\piazza is not a
dfs root.
[2009/09/10 01:50:01,  3] smbd/error.c:error_packet_set(61)
 error packet at smbd/trans2.c(7299) cmd=50 (SMBtrans2)
NT_STATUS_NOT_FOUND
<snip>

[2009/09/10 01:50:01,  3] auth/auth.c:check_ntlm_password(220)
 check_ntlm_password:  Checking password for unmapped user [MB-LAPTOP]
\[mra]@[MB-LAPTOP] with the new password interface
[2009/09/10 01:50:01,  3] auth/auth.c:check_ntlm_password(223)
 check_ntlm_password:  mapped user is: [MASTER]\[mra]@[MB-LAPTOP]

<snip>

[2009/09/10 01:50:01,  3] auth/auth_sam.c:sam_password_ok(47)
 Account for user 'mra' has no password and null passwords are
allowed.

<snip>

[2009/09/10 01:50:01,  2] auth/auth.c:check_ntlm_password(308)
 check_ntlm_password:  authentication for user [mra] -> [mra] ->
[mra] succeeded

<snip>

[2009/09/10 01:50:01,  3] auth/token_util.c:create_local_nt_token(433)
 Failed to fetch domain sid for DALL-ARMI

<snip>

[2009/09/10 01:50:01,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID
[S-1-5-21-3561405685-2395757788-2122654243-1014]
[2009/09/10 01:50:01,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-22-2-1000]
[2009/09/10 01:50:01,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-5-2]
[2009/09/10 01:50:01,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-5-11]
[2009/09/10 01:50:01,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-22-2-4]
[2009/09/10 01:50:01,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-22-2-110]
[2009/09/10 01:50:01,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-22-2-112]
[2009/09/10 01:50:01,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-22-2-1002]
[2009/09/10 01:50:01,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-22-2-1010]
[2009/09/10 01:50:01,  3] lib/privileges.c:get_privileges(63)
 get_privileges: No privileges assigned to SID [S-1-22-2-1009]

[2009/09/10 01:50:01,  3] smbd/password.c:register_existing_vuid(289)
 register_existing_vuid: User name: mra        Real name: Michael Rau
[2009/09/10 01:50:01,  3] smbd/password.c:register_existing_vuid(299)
 register_existing_vuid: UNIX uid 1000 is UNIX user mra, and will be
vuid 101
[2009/09/10 01:50:01,  3] smbd/password.c:register_homes_share(231)
 Adding homes service for user 'mra' using home directory: '/home/
mra'

<snip>


[2009/09/10 01:50:11,  3] lib/sysquotas.c:sys_get_quota(453)
 sys_get_vfs_quota() failed for mntpath[/mnt/workspace] bdev[/dev/
sdb5] qtype[2] id[1000]: Invalid argument
[2009/09/10 01:50:11,  3] lib/sysquotas.c:sys_get_quota(453)
 sys_get_vfs_quota() failed for mntpath[/mnt/workspace] bdev[/dev/
sdb5] qtype[4] id[1000]: Invalid argument
[2009/09/10 01:50:11,  3] smbd/process.c:process_smb(1554)
 Transaction 23 of length 74 (0 toread)
[2009/09/10 01:50:11,  3] smbd/process.c:switch_message(1378)
 switch message SMBtrans2 (pid 13672) conn 0x7f17e59acfa0
[2009/09/10 01:50:11,  3] smbd/trans2.c:call_trans2qfsinfo(2592)
 call_trans2qfsinfo: level = 1007
[2009/09/10 01:50:11,  3] lib/sysquotas.c:sys_get_quota(453)
 sys_get_vfs_quota() failed for mntpath[/mnt/wo<snip>

rkspace] bdev[/dev/sdb5] qtype[2] id[1000]: Invalid argument
[2009/09/10 01:50:11,  3] lib/sysquotas.c:sys_get_quota(453)
 sys_get_vfs_quota() failed for mntpath[/mnt/workspace] bdev[/dev/
sdb5] qtype[4] id[1000]: Invalid argument

<snip>

[2009/09/10 01:50:11,  3] smbd/error.c:error_packet_set(61)
 error packet at smbd/trans2.c(4038) cmd=50 (SMBtrans2)
NT_STATUS_OBJECT_NAME_NOT_FOUND

<snip>

[2009/09/10 01:50:11,  3] lib/sysquotas.c:sys_get_quota(453)
 sys_get_vfs_quota() failed for mntpath[/mnt/workspace] bdev[/dev/
sdb5] qtype[2] id[1000]: Invalid argument
[2009/09/10 01:50:11,  3] lib/sysquotas.c:sys_get_quota(453)
 sys_get_vfs_quota() failed for mntpath[/mnt/workspace] bdev[/dev/
sdb5] qtype[4] id[1000]: Invalid argument

<snip>
 get_referred_path: |piazza| in dfs path \10.8.0.1\piazza is not a
dfs root.

<snip>

[[2009/09/10 01:50:32,  3] smbd/trans2.c:call_trans2qfilepathinfo
(4057)
 call_trans2qfilepathinfo piazza_doc/09-07-03.Business_Plan/Neuer
Ordner (fnum = 10831) level=1007 call=7 total_data=0
[2009/09/10 01:50:32,  3] smbd/process.c:process_smb(1554)
 Transaction 269 of length 45 (0 toread)
[2009/09/10 01:50:32,  3] smbd/process.c:switch_message(1378)
 switch message SMBclose (pid 13672) conn 0x7f17e59acfa0
[2009/09/10 01:50:32,  3] smbd/reply.c:reply_close(4338)
 close directory fnum=10829
[2009/09/10 01:50:32,  3] smbd/process.c:process_smb(1554)
 Transaction 270 of length 220 (0 toread)
[2009/09/10 01:50:32,  3] smbd/process.c:switch_message(1378)
 switch message SMBmv (pid 13672) conn 0x7f17e59acfa0
[2009/09/10 01:50:32,  3] smbd/reply.c:reply_mv(6104)
 reply_mv : piazza_doc/09-07-03.Business_Plan/Neuer Ordner ->
piazza_doc/09-07-03.Business_Plan/test
[2009/09/10 01:50:32,  3] smbd/reply.c:rename_internals(5832)
 rename_internals: case_sensitive = 0, case_preserve = 1, short case
preserve = 1, directory = piazza_doc/09-07-03.Business_Plan/Neuer
Ordner, newname = piazza_doc/09-07-03.Business_Plan/test,
last_component_dest = test, is_8_3 = 0
[2009/09/10 01:50:32,  3] smbd/reply.c:rename_internals_fsp(5642)
 rename_internals_fsp: Error NT_STATUS_ACCESS_DENIED rename
piazza_doc/09-07-03.Business_Plan/Neuer Ordner -> piazza_doc/
09-07-03.Business_Plan/test
[2009/09/10 01:50:32,  3] smbd/reply.c:rename_internals(5887)
 rename_internals: Error NT_STATUS_ACCESS_DENIED rename piazza_doc/
09-07-03.Business_Plan/Neuer Ordner -> piazza_doc/
09-07-03.Business_Plan/test
[2009/09/10 01:50:32,  3] smbd/error.c:error_packet_set(61)
 error packet at smbd/reply.c(6114) cmd=7 (SMBmv)
NT_STATUS_ACCESS_DENIED

But acutally, with level 3 the log file is very busy (attached in this
email). And with level 2
nothing really happens.

Help is very much appreciated. If no help possible, then any advice
for alternative groups is welcome.

Michael.

> I create a file or a folder ... sometimes works, sometimes not
> THEN: If it works I try to rename the file or folder. It does not
> *ALWAYS* work. Sometimes it does. More often it does not. WinXP throws
> "access denied". I played around with the parameters "nt acl
support > no", "directory mask", "create mask",
"force directory mask". Nothing
> really works out (latest version attached below). The logfiles are
> very busy and I cannot figure out what is really going on.
> 
> => did anybody ever observe this?
> => this does not occur, when I do *not* access the share through VPN!
> Or is this coincidence?
Forwarding traffic over a tunnel like this can be problematic, as
different MTUs etc. can result in dropped packets and other odd issues.
 IIRC OpenVPN doesn't normally tunnel broadcasted traffic either, but
that's usually only used when trying to connect to the machine in the
first place.
> => real issue is, that sometimes it works. In this successful case,
> the renamed folder appears only after various F5 in winXP (refresh).
If you get an access denied error it would seem that the connection is
fine, but for some reason you end up connected as a different user.
When this happens I would temporarily grant full access to the share
(chmod a+rwx) then create a new file.  If you look at the file on the
server you will see what user and group it was created by, and
presumably this user didn't have access to rename the original file.

If that's the case it means you'll need to investigate why suddenly that
user has no access, or why suddenly you end up connected as a different
user.

Cheers,
Adam.