Hilton, David
2011-Dec-07 11:01 UTC
[Samba] "getpeername failed" error when signed communications policy enabled
Hi,

I'm looking for help with an issue that we are seeing with the following configuration:

We are using Samba (3.5.12-72.fc15) to share out CUPS printers from a Fedora 15 machine. However, a requirement of the system is that these printers are not directly visible from client systems (Windows 7 SP1 32-bit), so instead we are sharing them out from a Windows print server (Windows 2008 R2 SP1). So the clients connect to print queues on the Windows print server, which in turn forwards the print jobs on to CUPS.

The issue we are seeing occurs when a policy change is made on the Windows 2008 R2 print server. If the "Microsoft network client: Digitally sign communications (always)" policy setting is enabled, we see the following behaviour:

- Applications running on the print server can print normally.
- Applications running on client machines fail to print.

When a print job fails we see the following in the samba log for the client machine:

[2011/12/07 10:43:23.381798, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [XXX] -> [XXX] -> [XXX] succeeded
[2011/12/07 10:43:39.760399, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/12/07 10:43:39.760476, 0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

The smb.conf file that we are using is as follows:

[global]
#--authconfig--start-line--

# Generated by authconfig on 2011/12/05 17:22:13
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = LOW
password server = LOWDC
security = user
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = false
winbind offline logon = false
server signing = auto
log level = 2
log file = /var/log/samba.log.%m
max log size = 50
debug timestamp = yes

#--authconfig--end-line--
load printers = yes
printing = cups
printcap name = cups

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes
printer admin = root, @ntadmins, @smbprintadm
use client driver = yes

If the "Microsoft network client: Digitally sign communications (always)" setting is disabled it all works OK, but disabling this policy setting is not an allowed option at present.

- David
Jeremy Allison
2011-Dec-14 22:11 UTC
[Samba] "getpeername failed" error when signed communications policy enabled
On Wed, Dec 07, 2011 at 11:01:50AM +0000, Hilton, David wrote:
> Hi,
>
> I'm looking for help with an issue that we are seeing with the following
> configuration:
>
> We are using Samba (3.5.12-72.fc15) to share out CUPS printers from a Fedora
> 15 machine. However, a requirement of the system is that these printers are
> not directly visible from client systems (Windows 7 SP1 32-bit), so instead
> we are sharing them out from a Windows print server (Windows 2008 R2 SP1).
> So the clients connect to print queues on the Windows print server, which in
> turn forwards the print jobs on to CUPS.
>
> The issue we are seeing occurs when a policy change is made on the Windows
> 2008 R2 print server. If the "Microsoft network client: Digitally sign
> communications (always)" policy setting is enabled, we see the following
> behaviour:
>
> - Applications running on the print server can print normally.
> - Applications running on client machines fail to print.
>
> When a print job fails we see the following in the samba log for the client
> machine:
>
> [2011/12/07 10:43:23.381798, 2] auth/auth.c:304(check_ntlm_password)
>   check_ntlm_password: authentication for user [XXX] -> [XXX] -> [XXX]
>   succeeded
> [2011/12/07 10:43:39.760399, 0] lib/util_sock.c:474(read_fd_with_timeout)
> [2011/12/07 10:43:39.760476, 0] lib/util_sock.c:1441(get_peer_addr_internal)
>   getpeername failed. Error was Transport endpoint is not connected
>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
>   peer.
>
> The smb.conf file that we are using is as follows:
>
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2011/12/05 17:22:13
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
> workgroup = LOW
> password server = LOWDC
> security = user
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> winbind use default domain = false
> winbind offline logon = false
> server signing = auto
> log level = 2
> log file = /var/log/samba.log.%m
> max log size = 50
> debug timestamp = yes
>
> #--authconfig--end-line--
> load printers = yes
> printing = cups
> printcap name = cups
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = yes
> writable = no
> printable = yes
> printer admin = root, @ntadmins, @smbprintadm
> use client driver = yes
>
> If the "Microsoft network client: Digitally sign communications (always)"
> setting is disabled it all works OK, but disabling this policy setting is
> not an allowed option at present.

That sounds like a signing error - do you see such in the Samba logs?

Jeremy.
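A small script to answer the question Jeremy asks above, added here as an example and not part of the thread or of the Samba project: it scans a per-client Samba log (`log file = /var/log/samba.log.%m`) for the sequence David posted, an NTLM authentication success followed by a socket reset, counts any lines that mention signing at all, and pulls the `server signing` value out of an smb.conf. The log excerpt and the smb.conf fragment inside it are constructed to match the format of the lines quoted in the original post; the exact wording of Samba's own signing error messages varies between versions, so the signing filter is deliberately broad and is an assumption, not a known log string.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread or the Samba project).
# Usage: sh scan_samba_log.sh demo          # runs against the built-in sample
#        count_auth_then_reset /var/log/samba.log.<client>

# Constructed sample log in the two-line Samba 3.x format: a header line
# "[date time, level] file:line(function)" followed by the message line.
make_sample_log() {
  cat <<'EOF'
[2011/12/07 10:43:23.381798, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [XXX] -> [XXX] -> [XXX] succeeded
[2011/12/07 10:43:39.760399, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/12/07 10:43:39.760476, 0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
EOF
}

# Constructed smb.conf fragment; $1 is the value for "server signing"
# (Samba 3.x accepts auto, mandatory or disabled for this option).
make_sample_conf() {
  cat <<EOF
[global]
   workgroup = LOW
   security = user
   server signing = $1
   log level = 2
   log file = /var/log/samba.log.%m
EOF
}

# Prints how many times an NTLM auth success is followed (later in the
# same client log) by a "Connection reset by peer" read error. That is the
# pattern in the post: the session authenticates, then the peer drops it.
count_auth_then_reset() {
  awk '
    /check_ntlm_password: authentication for user .* succeeded/ { armed = 1; next }
    /read error = Connection reset by peer/ && armed { hits++; armed = 0; next }
    END { printf "%d\n", hits + 0 }
  ' "$1"
}

# Prints the number of log lines that mention signing in any form.
# Assumption: the precise text of a signing failure differs by Samba
# version, so this matches the substring "sign" case-insensitively.
count_signing_lines() {
  grep -ic 'sign' "$1" || true
}

# Prints the effective "server signing" value from an smb.conf (last
# definition wins, as it does in Samba's own parser; "auto" if unset).
get_server_signing() {
  awk -F= '
    /^[[:space:]]*server signing[[:space:]]*=/ { v = $2; gsub(/[[:space:]]/, "", v) }
    END { print (v == "" ? "auto" : v) }
  ' "$1"
}

case "${1:-}" in
  demo)
    tmp=$(mktemp -d)
    make_sample_log > "$tmp/log"
    make_sample_conf auto > "$tmp/smb.conf"
    echo "auth-then-reset sequences: $(count_auth_then_reset "$tmp/log")"
    echo "lines mentioning signing:  $(count_signing_lines "$tmp/log")"
    echo "server signing setting:    $(get_server_signing "$tmp/smb.conf")"
    rm -rf "$tmp"
    ;;
esac
```

On the sample above the script reports one auth-then-reset sequence, zero lines mentioning signing and `server signing = auto`, which is the state the post describes: the authentication succeeds and the connection is then torn down without Samba logging a signing failure at log level 2. Raising `log level` on the Samba side, or rerunning with a higher level on just that client log, is the way to get Samba to say whether the session was signed before the reset.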