The next time a user comes knocking with an Access Denied error message and blames it on Samba, tell him to slow...
down. Most of the time, it's not Samba's fault, said Samba release manager Jerry Carter. "Our motto is 'Bug for bug, feature for feature, we are completely compatible with Microsoft Windows,''" he said.
Carter usually says the motto with a smile, as he did during a presentation at the LinuxWorld conference in San Francisco this month, but his claim is mostly serious. It sounds arrogant, but more often than not, Carter and the rest of the Samba team eventually discover that the "bugs" logged by users are hardware issues specific to their systems or bugs that actually exist in Windows, not Samba.Access denied
"In this scenario, the error message will say something like, 'Permission is needed to perform this action,'" Carter said. "You will never get an exact problem, because the user will just give you the error message they received and expect you to find out what the problem is. [As a system administrator], what you have to do is decipher what is popping up in front of the user and what is actually happening with Samba."
For any system administrator, the debugging process should always begin with a simple set of steps and a process of elimination, Carter said. First, ensure that you understand what the expected result should be. Then, if possible, test the same operation against a Windows server and check the physical networking hardware for issues.The basics: Check permissions with smbstatus
$ smbstatus PID Username Group Machine ----------------------------------------------------- 15215 AD\gcarter AD\unixusers vanz (192.168.1.148) Service pid machine Connected at ----------------------------------------------------- public 15215 vanz Tue Jul 3 19:58:22 2007
If things check out, Carter prescribes a recipe for basic debugging needs. The basic debugging settings recommended by the Samba Team are log level 10, log file = /var/log/samba/log.%m, where Max Log Size is set to zero, debug time stamp is set to Yes, and the debug: pid set to Yes. Limiting log file size and log levels increase performance while debugging, Carter said.Get grepping with Samba
Here's how Carter said users should deploy grep tools when Access Denied pops up on users' displays:
- Find the error and backtrack by using grep panic log.*
- Look for crashes with egrep '(WERR_|NT_STATUS)' log.* | grep -v OK
- Look for ACCESS_DENIED and so on by way of grep .api_rpcTNP.*unknown$. log.*
- Look for unknown MS-RPC calls with
grep DCERPC_FAULT_OP_RNG_ERROR log.*
Carter explained that many times in an access denied scenario, grep will return a message like this one in the log file:
unix_error_packet: error string = Permission denied error packet at smbd/trans2.c(2682) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
"So grep wants to open the log file," he said, "and finds that access is denied. But why?" The answer is the SID, or security identifier. In Microsoft Windows, the SID is a unique alphanumeric character string that identifies each operating system and each user in a network of NT/2000/XP systems.
$ getent passwd "AD\gcarter" AD\gcarter:*:100025:100000::/home/win/AD/gcarter:/bin/bash $ getent passwd "gcarter" gcarter:*:1217:1000:gcarter:/home/mist/gcarter:/bin/bashAdditional Samba debugging tools
- Formerly known as Ethereal, Wireshark is a network sniffer and protocol analysis tool that provides excellent support for Server Message Block/Common Internet File System; Network Basic I/O System; distributed computing environment/remote procedure calls, Kerberos, Lightweight Directory Access Protocol and other associated protocols.
- There are also system trace tools, such as strace, ltrace and the contents of /proc.
Email Jack Loftus with your comments and suggestions.