Jeff Hodge
2016-Aug-30 15:57 UTC
[Samba] Certain systems can no longer access samba post upgrade to 4.3.9
On Mon, Aug 29, 2016 at 6:13 PM, Jeremy Allison <jra at samba.org> wrote:

> On Mon, Aug 29, 2016 at 11:41:53AM -0400, Jeff Hodge via samba wrote:
> > During an ubuntu 14.04 update samba was updated from 4.1.6 to 4.3.9. We
> > had no problems with any windows system accessing the server prior to the
> > upgrade to 4.3.9. It seems to affect access to the entire samba server as
> > no shares are able to be seen or accessed when trying to view \\servername
> > or \\servname.domain.local
> >
> > The "fix" seems to be to use the fully qualified name, but after a while
> > that will stop working and you have to change to the short name and vice
> > versa. I am trying to correlate the times to see if there is a pattern,
> > but no pattern has emerged yet.
> >
> > What is odd is if the short name is failing and you change to fully
> > qualified and the share comes up, you will then be able to use the short
> > name to pull up the share after you have made the successful connection to
> > the fully qualified name.
> >
> > The one log entry that seems to identify systems with this issue is this,
> > repeated over and over:
> >
> > [2016/08/29 08:35:56.694436, 0] ../source3/param/loadparm.c:1460(canonicalize_servicename)
> >   canonicalize_servicename: NULL source name!
> >
> > [2016/08/29 08:35:57.694984, 0] ../source3/param/loadparm.c:1460(canonicalize_servicename)
> >   canonicalize_servicename: NULL source name!
> >
> > [2016/08/29 08:35:58.694495, 0] ../source3/param/loadparm.c:1460(canonicalize_servicename)
> >   canonicalize_servicename: NULL source name!
> >
> > The majority of our servers are not having any problems accessing the samba
> > shares, but a few key high use systems are having this issue.
> >
> > Has anyone seen this error and may have an idea what may be causing and
> > possible system setting that may need to be changed/enabled in 4.3.9 to
> > allow all systems to connect reliably?
>
> Can you post your smb.conf, plus a debug level 10 log from one
> of the machines having the problem ?

It seems a workaround is to set guest ok = yes on the user share. We have not seen the error since we made that change.

We also changed another share from user share to one configured in the smb.conf file and have not seen the issue on that server since yesterday. This may be a more permanent fix as we did not have to set guest ok = yes on its share.

I will try to get an output of the logs at log level 10, however I have been unable to reproduce this in our Dev environment. Which class do you want me to set logging level 10 on, or to be safe just use all?

Here is the smb.conf file in case anyone sees anything in there:

[global]
    security = ads
    netbios name = server104
    netbios aliases = server04
    realm = DOMAIN.LOCAL
    idmap config * : range = 500-10000000
    idmap config * : backend = tdb
    winbind enum users = no
    winbind enum groups = no
    winbind refresh tickets = true
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no
    create mask = 0664
    directory mask = 0775
    machine password timeout = 0
    hosts deny = 172.17.4.0/255.255.255.0
    interfaces = eth1
    bind interfaces only = yes
    winbind max clients = 1000
    winbind max domain connections = 10
    log level = 1

    workgroup = DOMAIN
    server string = %h server (Samba, Ubuntu)
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user
    usershare allow guests = yes

[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no

User share:

#VERSION 2
path=/home/DOMAIN/
comment
usershare_acl=S-1-1-0:F
guest ok = yes
Jeff Hodge
2016-Aug-31 13:42 UTC
[Samba] Certain systems can no longer access samba post upgrade to 4.3.9
On Tue, Aug 30, 2016 at 11:57 AM, Jeff Hodge <jeff.hodge55 at gmail.com> wrote:

> On Mon, Aug 29, 2016 at 6:13 PM, Jeremy Allison <jra at samba.org> wrote:
>
>> On Mon, Aug 29, 2016 at 11:41:53AM -0400, Jeff Hodge via samba wrote:
>> > During an ubuntu 14.04 update samba was updated from 4.1.6 to 4.3.9. We
>> > had no problems with any windows system accessing the server prior to the
>> > upgrade to 4.3.9. It seems to affect access to the entire samba server as
>> > no shares are able to be seen or accessed when trying to view \\servername
>> > or \\servname.domain.local
>> >
>> > The "fix" seems to be to use the fully qualified name, but after a while
>> > that will stop working and you have to change to the short name and vice
>> > versa. I am trying to correlate the times to see if there is a pattern,
>> > but no pattern has emerged yet.
>> >
>> > What is odd is if the short name is failing and you change to fully
>> > qualified and the share comes up, you will then be able to use the short
>> > name to pull up the share after you have made the successful connection to
>> > the fully qualified name.
>> >
>> > The one log entry that seems to identify systems with this issue is this,
>> > repeated over and over:
>> >
>> > [2016/08/29 08:35:56.694436, 0] ../source3/param/loadparm.c:1460(canonicalize_servicename)
>> >   canonicalize_servicename: NULL source name!
>> >
>> > [2016/08/29 08:35:57.694984, 0] ../source3/param/loadparm.c:1460(canonicalize_servicename)
>> >   canonicalize_servicename: NULL source name!
>> >
>> > [2016/08/29 08:35:58.694495, 0] ../source3/param/loadparm.c:1460(canonicalize_servicename)
>> >   canonicalize_servicename: NULL source name!
>> >
>> > The majority of our servers are not having any problems accessing the samba
>> > shares, but a few key high use systems are having this issue.
>> >
>> > Has anyone seen this error and may have an idea what may be causing and
>> > possible system setting that may need to be changed/enabled in 4.3.9 to
>> > allow all systems to connect reliably?
>>
>> Can you post your smb.conf, plus a debug level 10 log from one
>> of the machines having the problem ?
>
> It seems a workaround is to set guest ok = yes on the user share. We
> have not seen the error since we made that change.
>
> We also changed another share from user share to one configured in the
> smb.conf file and have not seen the issue on that server since yesterday.
> This may be a more permanent fix as we did not have to set guest ok = yes
> on its share.
>
> I will try to get an output of the logs at log level 10, however I have
> been unable to reproduce this in our Dev environment. Which class do you
> want me to set logging level 10 on, or to be safe just use all?
>
> Here is the smb.conf file in case anyone sees anything in there:
>
> [global]
>     security = ads
>     netbios name = server104
>     netbios aliases = server04
>     realm = DOMAIN.LOCAL
>     idmap config * : range = 500-10000000
>     idmap config * : backend = tdb
>     winbind enum users = no
>     winbind enum groups = no
>     winbind refresh tickets = true
>     template homedir = /home/%D/%U
>     template shell = /bin/bash
>     client use spnego = yes
>     domain master = no
>     create mask = 0664
>     directory mask = 0775
>     machine password timeout = 0
>     hosts deny = 172.17.4.0/255.255.255.0
>     interfaces = eth1
>     bind interfaces only = yes
>     winbind max clients = 1000
>     winbind max domain connections = 10
>     log level = 1
>
>     workgroup = DOMAIN
>     server string = %h server (Samba, Ubuntu)
>     dns proxy = no
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
>     encrypt passwords = true
>     passdb backend = tdbsam
>     obey pam restrictions = yes
>     unix password sync = yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     pam password change = yes
>     map to guest = bad user
>     usershare allow guests = yes
>
> [printers]
>     comment = All Printers
>     browseable = no
>     path = /var/spool/samba
>     printable = yes
>     guest ok = no
>     read only = yes
>     create mask = 0700
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
>     browseable = yes
>     read only = yes
>     guest ok = no
>
> User share:
>
> #VERSION 2
> path=/home/DOMAIN/
> comment
> usershare_acl=S-1-1-0:F
> guest ok = yes

We were able to reproduce the incident in dev. Here are the log entries with log level set to 10, this repeats over and over:

[2016/08/31 08:00:40.640956, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler)
  smbd_smb2_request idx[1] of 5 vectors
[2016/08/31 08:00:40.641051, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number)
  smb2_validate_sequence_number: clearing id 66899 (position 1363) from bitmap
[2016/08/31 08:00:40.641074, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch)
  smbd_smb2_request_dispatch: opcode[SMB2_OP_CREATE] mid = 66899
[2016/08/31 08:00:40.641105, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:237(user_ok_token)
  user_ok_token: share (null) is ok for unix user DOMAIN\ish-prd-svc
[2016/08/31 08:00:40.641123, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:284(is_share_read_only_for_token)
  is_share_read_only_for_user: share (null) is read-write for unix user DOMAIN\ish-prd-svc
[2016/08/31 08:00:40.641139, 0, pid=6463, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1460(canonicalize_servicename)
  canonicalize_servicename: NULL source name!
[2016/08/31 08:00:40.641155, 3, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:153(check_user_share_access)
  user DOMAIN\ish-prd-svc connection to (null) denied due to share security descriptor.
[2016/08/31 08:00:40.641169, 2, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:302(change_to_user_internal)
  SMB user ish-prd-svc (unix user DOMAIN\ish-prd-svc) not permitted access to share (null).
[2016/08/31 08:00:40.641183, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2789(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2207
[2016/08/31 08:00:40.641203, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2680(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2837
[2016/08/31 08:00:40.641255, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:906(smb2_set_operation_credit)
  smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 482/512, total granted/max/low/range 31/8192/66900/31
[2016/08/31 08:00:45.641465, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3539(smbd_smb2_io_handler)
  smbd_smb2_request idx[1] of 5 vectors
[2016/08/31 08:00:45.641551, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:654(smb2_validate_sequence_number)
  smb2_validate_sequence_number: clearing id 66900 (position 1364) from bitmap
[2016/08/31 08:00:45.641575, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2018(smbd_smb2_request_dispatch)
  smbd_smb2_request_dispatch: opcode[SMB2_OP_CREATE] mid = 66900
[2016/08/31 08:00:45.641606, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:237(user_ok_token)
  user_ok_token: share (null) is ok for unix user DOMAIN\ish-prd-svc
[2016/08/31 08:00:45.641624, 10, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:284(is_share_read_only_for_token)
  is_share_read_only_for_user: share (null) is read-write for unix user DOMAIN\ish-prd-svc
[2016/08/31 08:00:45.641639, 0, pid=6463, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1460(canonicalize_servicename)
  canonicalize_servicename: NULL source name!
[2016/08/31 08:00:45.641655, 3, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:153(check_user_share_access)
  user DOMAIN\ish-prd-svc connection to (null) denied due to share security descriptor.
[2016/08/31 08:00:45.641669, 2, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:302(change_to_user_internal)
  SMB user ish-prd-svc (unix user DOMAIN\ish-prd-svc) not permitted access to share (null).
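
A triage helper for logs like the one in the message above, added here as an example and not part of the original post or of Samba: it pairs each debug header with its message text and counts share security descriptor denials per process, user and share, flagging processes that also logged the NULL service name. The function names are hypothetical and the sample entries are abridged from the posted log.

```python
import re
from collections import Counter

# Header of a Samba debug entry: "[timestamp, level, pid=N, ...] file:line(function)".
# The message text follows on the next, indented line(s).
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)(?:,\s*pid=(?P<pid>\d+))?[^\]]*\]"
    r"\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
DENIED = re.compile(
    r"user (?P<user>\S+) connection to (?P<share>\S+) denied due to share security descriptor"
)

# Sample input: entries abridged from the level 10 log in the message above.
SAMPLE_LOG = r"""
[2016/08/31 08:00:40.641139, 0, pid=6463, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1460(canonicalize_servicename)
  canonicalize_servicename: NULL source name!
[2016/08/31 08:00:40.641155, 3, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:153(check_user_share_access)
  user DOMAIN\ish-prd-svc connection to (null) denied due to share security descriptor.
[2016/08/31 08:00:45.641639, 0, pid=6463, effective(0, 0), real(0, 0)] ../source3/param/loadparm.c:1460(canonicalize_servicename)
  canonicalize_servicename: NULL source name!
[2016/08/31 08:00:45.641655, 3, pid=6463, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:153(check_user_share_access)
  user DOMAIN\ish-prd-svc connection to (null) denied due to share security descriptor.
"""


def parse_entries(text):
    """Pair each header line with the message line(s) that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries


def summarize_denials(entries):
    """Count share-ACL denials per (pid, user, share) and note NULL service names."""
    denials, first_seen, null_name_pids = Counter(), {}, set()
    for e in entries:
        if e["func"] == "canonicalize_servicename" and "NULL source name" in e["msg"]:
            null_name_pids.add(e["pid"])
        m = DENIED.search(e["msg"])
        if m:
            key = (e["pid"], m["user"], m["share"])
            denials[key] += 1
            first_seen.setdefault(key, e["ts"])
    return [
        {"pid": pid, "user": user, "share": share, "count": n,
         "first_seen": first_seen[(pid, user, share)],
         "null_service_name": pid in null_name_pids}
        for (pid, user, share), n in denials.items()
    ]


if __name__ == "__main__":
    for row in summarize_denials(parse_entries(SAMPLE_LOG)):
        print(row)
```
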
Rowland Penny
2016-Aug-31 15:11 UTC
[Samba] Certain systems can no longer access samba post upgrade to 4.3.9
On Wed, 31 Aug 2016 09:42:35 -0400 Jeff Hodge via samba <samba at lists.samba.org> wrote:

> On Tue, Aug 30, 2016 at 11:57 AM, Jeff Hodge <jeff.hodge55 at gmail.com>
> wrote:
>
> > On Mon, Aug 29, 2016 at 6:13 PM, Jeremy Allison <jra at samba.org>
> > wrote:
> >
> >> On Mon, Aug 29, 2016 at 11:41:53AM -0400, Jeff Hodge via samba
> >> wrote:
> >> > During an ubuntu 14.04 update samba was updated from 4.1.6 to
> >> > 4.3.9. We had no problems with any windows system accessing the
> >> > server prior to the upgrade to 4.3.9. It seems to affect access
> >> > to the entire samba server as no shares are able to be seen or
> >> > accessed when trying to view \\servername
> >> > or \\servname.domain.local
> >> >
> >> > The "fix" seems to be to use the fully qualified name, but after
> >> > a while that will stop working and you have to change to the
> >> > short name and vice versa. I am trying to correlate the times
> >> > to see if there is a pattern, but no pattern has emerged yet.
> >> >
> >> > What is odd is if the short name is failing and you change to
> >> > fully qualified and the share comes up, you will then be able to
> >> > use the short name to pull up the share after you have made the
> >> > successful connection to the fully qualified name.
> >> >
> >> > The one log entry that seems to identify systems with this issue
> >> > is this, repeated over and over:
> >> >
> >> > [2016/08/29 08:35:56.694436, 0] ../source3/param/loadparm.c:1460(canonicalize_servicename)
> >> >   canonicalize_servicename: NULL source name!
> >> >
> >> > [2016/08/29 08:35:57.694984, 0] ../source3/param/loadparm.c:1460(canonicalize_servicename)
> >> >   canonicalize_servicename: NULL source name!
> >> >
> >> > [2016/08/29 08:35:58.694495, 0] ../source3/param/loadparm.c:1460(canonicalize_servicename)
> >> >   canonicalize_servicename: NULL source name!
> >> >
> >> > The majority of our servers are not having any problems
> >> > accessing the samba shares, but a few key high use systems are
> >> > having this issue.
> >> >
> >> > Has anyone seen this error and may have an idea what may be
> >> > causing and possible system setting that may need to be
> >> > changed/enabled in 4.3.9 to allow all systems to connect
> >> > reliably?
> >>
> >> Can you post your smb.conf, plus a debug level 10 log from one
> >> of the machines having the problem ?
> >
> > It seems a workaround is to set guest ok = yes on the user
> > share. We have not seen the error since we made that change.
> >
> > We also changed another share from user share to one configured in
> > the smb.conf file and have not seen the issue on that server since
> > yesterday. This may be a more permanent fix as we did not have to
> > set guest ok = yes on its share.
> >
> > I will try to get an output of the logs at log level 10, however I
> > have been unable to reproduce this in our Dev environment. Which
> > class do you want me to set logging level 10 on, or to be safe just
> > use all?
> >
> > Here is the smb.conf file in case anyone sees anything in there:
> >
> > [global]
> >     security = ads
> >     netbios name = server104
> >     netbios aliases = server04
> >     realm = DOMAIN.LOCAL
> >     idmap config * : range = 500-10000000
> >     idmap config * : backend = tdb
> >     winbind enum users = no
> >     winbind enum groups = no
> >     winbind refresh tickets = true
> >     template homedir = /home/%D/%U
> >     template shell = /bin/bash
> >     client use spnego = yes
> >     domain master = no
> >     create mask = 0664
> >     directory mask = 0775
> >     machine password timeout = 0
> >     hosts deny = 172.17.4.0/255.255.255.0
> >     interfaces = eth1
> >     bind interfaces only = yes
> >     winbind max clients = 1000
> >     winbind max domain connections = 10
> >     log level = 1
> >
> >     workgroup = DOMAIN
> >     server string = %h server (Samba, Ubuntu)
> >     dns proxy = no
> >     log file = /var/log/samba/log.%m
> >     max log size = 1000
> >     syslog = 0
> >     panic action = /usr/share/samba/panic-action %d
> >     encrypt passwords = true
> >     passdb backend = tdbsam
> >     obey pam restrictions = yes
> >     unix password sync = yes
> >     passwd program = /usr/bin/passwd %u
> >     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >     pam password change = yes
> >     map to guest = bad user
> >     usershare allow guests = yes
> >
> > [printers]
> >     comment = All Printers
> >     browseable = no
> >     path = /var/spool/samba
> >     printable = yes
> >     guest ok = no
> >     read only = yes
> >     create mask = 0700
> >
> > [print$]
> >     comment = Printer Drivers
> >     path = /var/lib/samba/printers
> >     browseable = yes
> >     read only = yes
> >     guest ok = no
> >
> > User share:
> >
> > #VERSION 2
> > path=/home/DOMAIN/
> > comment
> > usershare_acl=S-1-1-0:F
> > guest ok = yes

Can I suggest you try this smb.conf, yours is full of default settings and doesn't have a range for the domain, if required, you can change the numbers in the ranges, but the two ranges must not overlap.

[global]
    workgroup = DOMAIN
    security = ads
    realm = DOMAIN.LOCAL
    netbios name = server104
    netbios aliases = server04
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = %h server (Samba, Ubuntu)
    winbind enum users = no
    winbind enum groups = no
    winbind nss info = rfc2307
    winbind refresh tickets = true
    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain the ranges may not overlap !
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    domain master = no
    create mask = 0664
    directory mask = 0775
    hosts deny = 172.17.4.0/255.255.255.0
    interfaces = eth1
    bind interfaces only = yes
    log level = 1
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    map to guest = bad user
    usershare allow guests = yes

[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    guest ok = no
    read only = yes
    create mask = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no

User share:

#VERSION 2
path=/home/DOMAIN/
comment
usershare_acl=S-1-1-0:F
guest ok = yes

Rowland
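
A check for the two conditions named in the reply above (a range for the domain, and ranges that do not overlap), added as an example and not taken from the thread or from Samba. The function name `check_idmap` and the sample configurations are constructed; the first sample reuses the idmap and workgroup lines from the originally posted smb.conf.

```python
import re
from itertools import combinations

# "idmap config <DOMAIN> : <option> = <value>"; smb.conf ignores case and
# whitespace in parameter names, so "*:range" and "* : range" are equivalent.
IDMAP = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<opt>[a-z_ ]+?)\s*=\s*(?P<val>.+?)\s*$",
    re.I,
)
WORKGROUP = re.compile(r"^\s*workgroup\s*=\s*(?P<wg>\S+)", re.I)

# idmap and workgroup lines as in the originally posted smb.conf
POSTED = """
[global]
   idmap config * : range = 500-10000000
   idmap config * : backend = tdb
   workgroup = DOMAIN
"""
# Constructed: default and domain ranges kept apart
SEPARATE = """
[global]
   workgroup = DOMAIN
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 10000-999999
"""
# Constructed: the default range runs into the domain range
OVERLAPPING = SEPARATE.replace("2000-9999", "2000-20000")


def check_idmap(conf_text):
    """Return a list of problems found in the idmap ranges of an smb.conf."""
    ranges, workgroup = {}, None
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # comment line
        m = WORKGROUP.match(line)
        if m:
            workgroup = m["wg"].upper()
            continue
        m = IDMAP.match(line)
        if m and m["opt"].replace(" ", "").lower() == "range":
            low, high = (int(part) for part in m["val"].split("-"))
            ranges[m["dom"].upper()] = (low, high)
    problems = []
    if "*" not in ranges:
        problems.append("no default (*) idmap range")
    if workgroup and workgroup not in ranges:
        problems.append(f"no idmap range for domain {workgroup}")
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:  # closed intervals share at least one id
            problems.append(f"idmap ranges for {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("separate", SEPARATE), ("overlapping", OVERLAPPING)):
        print(name, check_idmap(conf) or "ok")
```
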