On 31.01.2023 14:33, Rowland Penny via samba wrote:>
>
> On 31/01/2023 06:59, Peter Milesson via samba wrote:
>> Hi folks,
>>
>> The smb.conf and other information after specification of the problems.
>>
>> The journal on a AD domain member server is cluttered with permission
>> denied entries of this message pair:
>>
>> ??? Jan 31 07:02:26 konsrvfast smbd[436004]: [2023/01/31
>> ??? 07:02:26.083500,? 0, effective(11025, 10515), real(11025, 0)]
>> ??? ../../source3/smbd/smb2_service.c:168(chdir_current_service)
>>
>> ??? Jan 31 07:02:26 konsrvfast smbd[436004]: chdir_current_service:
>> ??? vfs_ChDir(/data/samba/profiles) failed: Permission denied. Current
>> ??? token: uid=11025, gid=10515, 5 groups: 11025 10515 3003 3004 3006
>>
>> uid=11025 is a Windows 10 workstation, and gid=10515 is the domain
>> computers object.
>>
>>
>> There are also recurring entry blocks of the following type:
>>
>> ??? Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: [2023/01/30
>> ??? 19:55:39.802586,? 0, effective(11006, 10513), real(11006, 0)]
>> ??? ../../lib/util/debug.c:1264(reopen_one_log)
>> ??? Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: reopen_one_log:
>> ??? Unable to open new log file
'/var/log/samba/log.rpcd_classic':
>> ??? Permission denied
>> ??? Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: [2023/01/30
>> ??? 19:55:39.803020,? 0, effective(11006, 10513), real(11006, 0)]
>> ??? ../../lib/util/debug.c:1264(reopen_one_log)
>> ??? Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: reopen_one_log:
>> ??? Unable to open new log file
'/var/log/samba/log.rpcd_classic':
>> ??? Permission denied
>> ??? Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: [2023/01/30
>> ??? 19:55:39.803056,? 0, effective(11006, 10513), real(11006, 0)]
>> ??? ../../lib/util/debug.c:1264(reopen_one_log)
>> ??? Jan 30 19:55:39 konsrvfast rpcd_classic[358632]: reopen_one_log:
>> ??? Unable to open new log file
'/var/log/samba/log.rpcd_classic':
>> ??? Permission denied
>> ??? Jan 30 19:55:55 konsrvfast rpcd_classic[358632]: [2023/01/30
>> ??? 19:55:55.231090,? 0, effective(11006, 10513), real(11006, 0)]
>> ??? ../../source3/lib/sharesec.c:161(share_info_db_init)
>> ??? Jan 30 19:55:55 konsrvfast rpcd_classic[358632]:?? Failed to open
>> ??? share info database /var/lib/samba/share_info.tdb (Permission
>> denied)
>> ??? Jan 30 19:55:59 konsrvfast rpcd_classic[358632]: [2023/01/30
>> ??? 19:55:59.715024,? 0, effective(11006, 10513), real(11006, 0)]
>> ??? ../../source3/lib/sharesec.c:161(share_info_db_init)
>>
>>
>> After scanning the samba logs I found the following:
>>
>> */var/log/samba/log.rpcd_classic (those 2 entries occur frequently)*
>>
>> ??? [2023/01/30 15:15:28.729356,? 0, effective(11156, 10513),
>> ??? real(11156, 0)] ../../lib/util/debug.c:1264(reopen_one_log)
>> ??? reopen_one_log: Unable to open new log file
>> ??? '/var/log/samba/log.rpcd_classic': Permission denied
>>
>> ??? [2023/01/30 20:09:09.054259,? 0, effective(11006, 10513),
>> ??? real(11006, 0)]
>> ??? ../../source3/lib/sharesec.c:161(share_info_db_init)? Failed to
open
>> ??? share info database /var/lib/samba/share_info.tdb (Permission
>> denied)
>>
>>
>> */var/log/samba/log.samba-dcerpcd (the following block repeats
>> frequently)*
>>
>> ??? [2023/01/30 15:31:55.316639,? 1, effective(0, 0), real(0, 0)]
>> ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
>> ??? rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed:
>> ??? No such file or directory
>> ??? [2023/01/30 15:31:55.341724,? 1, effective(0, 0), real(0, 0)]
>> ??? ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
>> ??? rpc_worker_exited: No worker with PID 328204
>> ??? [2023/01/30 15:34:13,? 0]
>> ../../source3/rpc_server/rpc_host.c:2966(main)
>>
>> When checking the directory /run/samba/ncalrpc there is really no
>> such file as EPMAPPER, but there exists /run/samba/ncalrpc/np/epmapper
>>
>>
>> */var/log/samba/smbd.log (the following entry is spawned thousands of
>> times within a second)*
>>
>> [2023/01/30 20:07:59.636915,? 1, effective(11006, 10513), real(11006,
>> 0)] ../../source3/auth/token_util.c:1020(create_token_from_sid)
>> ?? getpwuid(1011) failed
>>
>>
>> */var/log/samba/winbindd (the entries below frequently occuring)*
>>
>> [2023/01/30 23:34:57.527639,? 1, effective(0, 0), real(0, 0)]
>> ../../source3/winbindd/winbindd_getpwuid.c:118(winbindd_getpwuid_recv)
>> ?? Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
>>
>> [2023/01/31 00:17:01.889654,? 1, effective(0, 0), real(0, 0)]
>>
../../source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
>> ?? Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>>
>> (occurs several times per second, hundreds of consecutive entries)
>> [2023/01/30 23:30:50.246781,? 1, effective(0, 0), real(0, 0)]
>> ../../source3/winbindd/winbindd_getgrgid.c:124(winbindd_getgrgid_recv)
>> ?? Could not convert sid S-0-0: NT_STATUS_NO_SUCH_GROUP
>>
>>
>> ?From the users point of view everything seems normal, there have
>> been no complaints about inaccessible folders or files, or other
>> permission issues.
>>
>> The server is a member of a AD domain, and everything in the domain
>> is managed via the RSAT tools. There are only Windows ACLs, no Posix
>> ACLs. There are only a couple of local linux accounts for server
>> administration, with user names that do not conflict with AD user
>> names. The domain is working, no DNS problems.
>>
>> If would be grateful if somebody could point out what's going wrong
>> here.
>>
>
> I don't think anything is going wrong here, it just seems that,
> lately, Samba has got very chatty. You are about the third person to
> raise this 'problem', I wonder if it has something to do with all
the
> changes there have been lately ???
>
> Perhaps you would like to raise a bug report about this ?
>
> Rowland
>
>
Hi Rowland,
Thanks for taking your time with my problem.
I just had a look at the journal, and within 2 seconds, there were a
couple of hundreds of the message about permission denied. So yes, I
would definitely like to raise a bug report about this. If there is
something in red in the journal, you definitely don't want it there if
it doesn't indicate some extraordinary behavior.
Best regards,
Peter