Server-Message-Block

Samba authenticates the user but does not respond

  • September 29, 2014

Sometimes Samba 4.1.11 stops serving clients. Every day I have to restart smbd to fix it. Windows clients report that the share is not reachable or that authentication failed.

When they try to connect, the following log is produced:

[2014/09/17 09:37:19.739314,  2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
 check_ntlm_password:  authentication for user [user] -> [user] -> [DOMAIN\user] succeeded
[2014/09/17 09:58:41.021885,  1] ../source3/param/loadparm.c:3178(lp_do_parameter)
 WARNING: The "idmap uid" option is deprecated
[2014/09/17 09:58:41.022305,  1] ../source3/param/loadparm.c:3178(lp_do_parameter)
 WARNING: The "idmap gid" option is deprecated
[2014/09/17 09:58:41.022621,  2] ../source3/param/loadparm.c:3581(do_section)
 Processing section "[home]"
[2014/09/17 09:58:41.028757,  2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
 check_ntlm_password:  authentication for user [user] -> [user] -> [DOMAIN\user] succeeded

If the service is working normally, AFAIK the following lines should follow:

[2014/09/17 09:54:43.760688,  2] ../source3/smbd/reply.c:592(reply_special)
 netbios connect: name1=SMB            0x20 name2=WORKSPACE   0x0
[2014/09/17 09:54:43.761081,  2] ../source3/smbd/reply.c:633(reply_special)
 netbios connect: local=smb remote=WORKSPACE, name type = 0

The configuration is as follows (via testparm):

[global]
       dos charset = CP850
       unix charset = UTF-8
       workgroup = DOMAIN
       realm = DOMAIN.ORG
       netbios name = SAMBA
       netbios aliases = 
       netbios scope = 
       server string = SAMBA
       interfaces = 
       bind interfaces only = No
       server role = auto
       security = ADS
       auth methods = 
       encrypt passwords = Yes
       client schannel = Auto
       server schannel = Auto
       allow trusted domains = Yes
       map to guest = Never
       null passwords = No
       obey pam restrictions = No
       password server = *
       smb passwd file = /private/smbpasswd
       private dir = /private
       passdb backend = tdbsam
       algorithmic rid base = 1000
       root directory = 
       guest account = nobody
       enable privileges = Yes
       pam password change = No
       passwd program = 
       passwd chat = *new*password* %n\n *new*password* %n\n *changed*
       passwd chat debug = No
       passwd chat timeout = 2
       check password script = 
       username map = 
       username level = 0
       unix password sync = No
       restrict anonymous = 0
       lanman auth = No
       ntlm auth = Yes
       client NTLMv2 auth = Yes
       client lanman auth = No
       client plaintext auth = No
       client use spnego principal = No
       preload modules = 
       dedicated keytab file = 
       kerberos method = default
       map untrusted to domain = No
       log level = 2
       syslog = 1
       syslog only = No
       log file = /var/log/samba/%m
       max log size = 500
       debug timestamp = Yes
       debug prefix timestamp = No
       debug hires timestamp = Yes
       debug pid = No
       debug uid = No
       debug class = No
       enable core files = Yes
       smb ports = 445, 139
       large readwrite = Yes
       server max protocol = SMB3
       server min protocol = LANMAN1
       client max protocol = NT1
       client min protocol = CORE
       unicode = Yes
       min receivefile size = 0
       read raw = Yes
       write raw = Yes
       disable netbios = No
       reset on zero vc = No
       log writeable files on exit = No
       defer sharing violations = Yes
       nt pipe support = Yes
       nt status support = Yes
       max mux = 50
       max xmit = 16644
       name resolve order = lmhosts, wins, host, bcast
       max ttl = 259200
       max wins ttl = 518400
       min wins ttl = 21600
       time server = No
       unix extensions = Yes
       use spnego = Yes
       client signing = required
       server signing = required
       client use spnego = Yes
       client ldap sasl wrapping = plain
       enable asu support = No
       svcctl list = 
       cldap port = 0
       dgram port = 0
       nbt port = 0
       krb5 port = 0
       kpasswd port = 0
       web port = 0
       rpc big endian = No
       deadtime = 0
       getwd cache = Yes
       keepalive = 300
       lpq cache time = 30
       max smbd processes = 0
       max disk size = 0
       max open files = 16384
       socket options = TCP_NODELAY
       use mmap = Yes
       use ntdb = No
       hostname lookups = No
       name cache timeout = 660
       ctdbd socket = 
       cluster addresses = 
       clustering = No
       ctdb timeout = 0
       ctdb locktime warn threshold = 0
       smb2 max read = 1048576
       smb2 max write = 1048576
       smb2 max trans = 1048576
       smb2 max credits = 8192
       load printers = No
       printcap cache time = 0
       printcap name = /dev/null
       cups server = 
       cups encrypt = No
       cups connection timeout = 30
       iprint server = 
       disable spoolss = No
       addport command = 
       enumports command = 
       addprinter command = 
       deleteprinter command = 
       show add printer wizard = Yes
       os2 driver map = 
       mangling method = hash2
       mangle prefix = 1
       max stat cache size = 256
       stat cache = Yes
       machine password timeout = 604800
       add user script = 
       rename user script = 
       delete user script = 
       add group script = 
       delete group script = 
       add user to group script = 
       delete user from group script = 
       set primary group script = 
       add machine script = 
       shutdown script = 
       abort shutdown script = 
       username map script = 
       username map cache time = 0
       logon script = 
       logon path = \\%N\%U\profile
       logon drive = 
       logon home = \\%N\%U
       domain logons = No
       init logon delayed hosts = 
       init logon delay = 100
       os level = 20
       lm announce = Auto
       lm interval = 60
       preferred master = No
       local master = Yes
       domain master = Auto
       browse list = Yes
       enhanced browsing = Yes
       dns proxy = Yes
       wins proxy = No
       wins server = 
       wins support = No
       wins hook = 
       lock spin time = 200
       oplock break wait time = 0
       ldap admin dn = 
       ldap delete dn = No
       ldap group suffix = 
       ldap idmap suffix = 
       ldap machine suffix = 
       ldap passwd sync = no
       ldap replication sleep = 1000
       ldap suffix = 
       ldap ssl = start tls
       ldap ssl ads = No
       ldap deref = auto
       ldap follow referral = Auto
       ldap timeout = 15
       ldap connection timeout = 2
       ldap page size = 1024
       ldap user suffix = 
       ldap debug level = 0
       ldap debug threshold = 10
       eventlog list = 
       add share command = 
       change share command = 
       delete share command = 
       preload = 
       lock directory = /var/lock
       state directory = /var/locks
       cache directory = /var/cache
       pid directory = /var/run
       ntp signd socket directory = 
       utmp directory = 
       wtmp directory = 
       utmp = No
       default service = 
       message command = 
       get quota command = 
       set quota command = 
       remote announce = 
       remote browse sync = 
       nbt client socket address = 0.0.0.0
       nmbd bind explicit broadcast = Yes
       homedir map = auto.home
       afs username map = 
       afs token lifetime = 604800
       log nt token command = 
       NIS homedir = No
       registry shares = No
       usershare allow guests = No
       usershare max shares = 0
       usershare owner only = Yes
       usershare path = /var/locks/usershares
       usershare prefix allow list = 
       usershare prefix deny list = 
       usershare template share = 
       async smb echo handler = No
       panic action = 
       perfcount module = 
       host msdfs = Yes
       passdb expand explicit = No
       idmap backend = tdb
       idmap cache time = 604800
       idmap negative cache time = 120
       idmap uid = 
       idmap gid = 
       template homedir = /home/%D/%U
       template shell = /sbin/nologin
       winbind separator = \
       winbind cache time = 300
       winbind reconnect delay = 30
       winbind max clients = 200
       winbind enum users = Yes
       winbind enum groups = Yes
       winbind use default domain = Yes
       winbind trusted domains only = No
       winbind nested groups = Yes
       winbind expand groups = 1
       winbind nss info = template
       winbind refresh tickets = No
       winbind offline logon = No
       winbind normalize names = No
       winbind rpc only = No
       create krb5 conf = Yes
       ncalrpc dir = /var/run/ncalrpc
       winbind max domain connections = 1
       winbindd socket directory = 
       winbindd privileged socket directory = 
       winbind sealed pipes = No
       allow dns updates = disabled
       dns forwarder = 
       dns update command = 
       nsupdate command = 
       rndc command = 
       multicast dns register = Yes
       samba kcc command = 
       server services = 
       dcerpc endpoint servers = 
       spn update command = 
       share backend = 
       tls enabled = No
       tls keyfile = 
       tls certfile = 
       tls cafile = 
       tls crlfile = 
       tls dh params file = 
       idmap config * : range = 600-20000
       idmap config * : backend = tdb
       comment = 
       path = 
       username = 
       invalid users = 
       valid users = 
       admin users = 
       read list = 
       write list = 
       force user = 
       force group = 
       read only = Yes
       acl check permissions = Yes
       acl group control = No
       acl map full control = Yes
       acl allow execute always = No
       create mask = 0744
       force create mode = 00
       directory mask = 0755
       force directory mode = 00
       force unknown acl user = No
       inherit permissions = No
       inherit acls = No
       inherit owner = No
       guest only = No
       administrative share = No
       guest ok = No
       only user = No
       hosts allow = 
       hosts deny = 
       allocation roundup size = 1048576
       aio read size = 0
       aio write size = 0
       aio write behind = 
       ea support = No
       nt acl support = Yes
       profile acls = No
       map acl inherit = No
       afs share = No
       smb encrypt = default
       durable handles = Yes
       block size = 1024
       change notify = Yes
       directory name cache size = 100
       kernel change notify = Yes
       max connections = 0
       min print space = 0
       strict allocate = No
       strict sync = No
       sync always = No
       use sendfile = No
       write cache size = 0
       max reported print jobs = 0
       max print jobs = 1000
       printable = No
       print notify backchannel = Yes
       print ok = No
       printing = cups
       cups options = 
       print command = 
       lpq command = %p
       lprm command = 
       lppause command = 
       lpresume command = 
       queuepause command = 
       queueresume command = 
       printer name = 
       use client driver = No
       default devmode = Yes
       force printername = No
       printjob username = %U
       default case = lower
       case sensitive = Auto
       preserve case = Yes
       short preserve case = Yes
       mangling char = ~
       hide dot files = Yes
       hide special files = No
       hide unreadable = No
       hide unwriteable files = No
       delete veto files = No
       veto files = 
       hide files = 
       veto oplock files = 
       map archive = Yes
       map hidden = No
       map system = No
       map readonly = yes
       mangled names = Yes
       store dos attributes = No
       dmapi support = No
       browseable = Yes
       access based share enum = No
       blocking locks = Yes
       csc policy = manual
       fake oplocks = No
       kernel oplocks = No
       kernel share modes = Yes
       locking = Yes
       oplocks = Yes
       level2 oplocks = Yes
       oplock contention limit = 2
       posix locking = Yes
       strict locking = Auto
       dfree cache time = 0
       dfree command = 
       copy = 
       preexec = 
       preexec close = No
       postexec = 
       root preexec = 
       root preexec close = No
       root postexec = 
       available = Yes
       volume = 
       fstype = NTFS
       wide links = No
       follow symlinks = Yes
       dont descend = 
       magic script = 
       magic output = 
       delete readonly = No
       dos filemode = No
       dos filetimes = Yes
       dos filetime resolution = No
       fake directory create times = No
       vfs objects = 
       msdfs root = No
       msdfs proxy = 
       ntvfs handler = 

[home]
       comment = Home Directories
       path = /home
       read only = No

Any help is appreciated.

It turned out that the default lock directory (/var/lock), which results from building with '--prefix=""', was being filled up by Samba's locking mechanism. It is a 5MB tmpfs, and the usual size of the lock files is 3MB or more.

I suggest changing the default directory to an otherwise unused path. For example:

 lock directory = /var/samba
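A small operational check that follows from the answer above, added here as an example and not part of the Server Fault thread: read the effective `lock directory` from `testparm -s` style output and verify that the filesystem behind it has enough free space for Samba's tdb and lock files. The `SAMPLE_TESTPARM` text and the 5120 KiB threshold are constructed for illustration; the functions are hypothetical helpers, not Samba tooling.

```shell
#!/bin/sh
# Added example (not from the original post): detect a lock directory that
# sits on a nearly full (e.g. small tmpfs) filesystem before smbd stalls.

# Constructed sample of "testparm -s" output; a real run would pipe
# `testparm -s 2>/dev/null` into lock_dir_from_testparm instead.
SAMPLE_TESTPARM='[global]
       lock directory = /var/lock
       state directory = /var/locks
       cache directory = /var/cache
'

# Print the value of "lock directory" from testparm-style "key = value" text on stdin.
lock_dir_from_testparm() {
    sed -n 's/^[[:space:]]*lock directory[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Print the free kilobytes on the filesystem that contains $1 (df -P is POSIX).
free_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# Return 0 when the directory $1 has at least $2 KiB free, 1 otherwise
# (also 1 when the directory does not exist or df gives no answer).
check_lock_dir_space() {
    dir=$1
    min_kb=$2
    avail=$(free_kb "$dir")
    [ -n "$avail" ] || { echo "ERROR: cannot stat $dir" >&2; return 1; }
    if [ "$avail" -lt "$min_kb" ]; then
        echo "WARNING: $dir has only ${avail} KiB free (want at least ${min_kb} KiB)" >&2
        return 1
    fi
    echo "OK: $dir has ${avail} KiB free"
    return 0
}

# Stand-alone run: resolve the lock directory from the sample text and require
# more than the 5 MB tmpfs described in the answer (threshold is constructed).
lock_dir=$(printf '%s\n' "$SAMPLE_TESTPARM" | lock_dir_from_testparm)
check_lock_dir_space "${lock_dir:-/var/lock}" 5120 || true
```

Dropping the check into a cron job or a monitoring agent gives an early warning instead of the daily smbd restart described in the question; on a real host replace the sample text with `testparm -s 2>/dev/null | lock_dir_from_testparm`.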

Source: https://serverfault.com/questions/629745