Samba is extremely robust. Once you have everything set up the way you want, you'll probably forget that it is running. When trouble occurs, it's typically during installation or when you're trying to reconfigure the server. Fortunately, a wide variety of resources are available to diagnose these troubles. While we can't describe in detail the solution to every problem you might encounter, you should be able to get a good start at resolving the problem by following the advice given in this chapter.
Sometimes Unix seems to be made up of a grab bag of applications and tools. There are tools to troubleshoot tools. And of course, there are several ways to accomplish the same task. When trying to solve a problem related to Samba, a good plan of attack is to use the following:
Let's go over each of these one-by-one in the following sections.
Your first line of attack should always be to check the log files. The Samba log files can help diagnose the vast majority of the problems faced by beginning- to intermediate-level Samba administrators. Samba is quite flexible when it comes to logging. You can set up the server to log as little or as much information as you want. Using substitution variables in the Samba configuration file allows you to isolate individual logs for each system, share, or combination thereof.
# smbd -l /var/log/samba # nmbd -l /var/log/samba
Alternatively, you can override the location and name using the log file configuration option in smb.conf. This option accepts all the substitution variables, so you could easily have the server keep a separate log for each connecting client system by specifying the following:
[global] log file = %m.log
[global] log file = %S.log
05/25/02 22:02:11 server (192.168.236.86) connect to service public as user pcguest (uid=503,gid=100) (pid 3377)
Here is an example of output at levels 2 and 3 for the same operation. Don't worry if you don't understand the intricacies of an SMB connection; the point is simply to show you what types of information are shown at the different logging levels:
/* Level 2 */ Got SIGHUP Processing section "[homes]" Processing section "[public]" Processing section "[temp]" Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$ Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/ /* Level 3 */ 05/25/02 22:15:09 Transaction 63 of length 67 switch message SMBtconX (pid 3377) Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$ ACCEPTED: guest account and guest ok found free connection number 105 Connect path is /tmp chdir to /tmp chdir to / 05/25/02 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest (uid=503,gid=100) (pid 3377) 05/25/02 22:15:09 tconX service=ipc$ user=pcguest cnum=105 05/25/02 22:15:09 Transaction 64 of length 99 switch message SMBtrans (pid 3377) chdir to /tmp trans <\PIPE\LANMAN> data=0 params=19 setup=0 Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8) Doing RNetShareEnum RNetShareEnum gave 4 entries of 4 (1 4096 126 4096) 05/25/02 22:15:11 Transaction 65 of length 99 switch message SMBtrans (pid 3377) chdir to / chdir to /tmp trans <\PIPE\LANMAN> data=0 params=19 setup=0 Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8) Doing RNetShareEnum RNetShareEnum gave 4 entries of 4 (1 4096 126 4096) 05/25/02 22:15:11 Transaction 66 of length 95 switch message SMBtrans2 (pid 3377) chdir to / chdir to /pcdisk/public call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end = 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432 unix_clean_name [./DESKTOP.INI] unix_clean_name [desktop.ini] unix_clean_name [./] creating new dirptr 1 for path ./, expect_close = 1 05/25/02 22:15:11 Transaction 67 of length 53 switch message SMBgetatr (pid 3377) chdir to / [... deleted ...]
Using a high log level (3 or above) will seriously slow down the Samba server. Remember that every log message generated causes a write to disk (an inherently slow operation) and log levels greater than 2 produce massive amounts of data. Essentially, you should turn on logging level 3 only when you're actively tracking a problem in the Samba server.
To turn logging on and off, set the appropriate level in the [global] section of smb.conf. Then, you can either restart Samba or force the current daemon to reprocess the configuration file by sending it a hangup (HUP) signal. You also can send the smbd process a SIGUSR1 signal to increase its log level by one while it's running, like this:
# kill -SIGUSR1 1234
or a SIGUSR2 signal to decrease it by one:
# kill -SIGUSR2 1234
[global] log level = 0 log file = /usr/local/samba/var/log.%m include = /usr/local/samba/lib/smb.conf.%m
[global] log level = 0 log file = /usr/local/samba/var/log.%u include = /usr/local/samba/lib/smb.conf.%u
Then you can create a unique smb.conf file for each user you wish to monitor (e.g., /usr/local/samba/lib/smb.conf.tim). Files containing the configuration option log level = 3 and only those users will get more detailed logging.
A rigorous set of tests that exercise the major parts of Samba are described in various files in the /docs/textdocs directory of the Samba distribution kit, starting with DIAGNOSIS.txt. The fault tree in this chapter is a more detailed version of the basic tests suggested by the Samba Team, but it covers only installation and reconfiguration diagnosis, such as DIAGNOSIS.txt. The other files in the /docs subdirectories address specific problems and instruct you how to troubleshoot items not included in this book. If the fault tree doesn't suffice, be sure to look at DIAGNOSIS.txt and its friends.
The trace command masquerades under several different names, depending on the operating system you are using. On Linux it will be strace; on Solaris you'll use truss; SGI will have padc and par; and HP-UX will have trace or tusc. All have essentially the same function, which is to display each operating system function call as it is executed. This allows you to follow the execution of a program, such as the Samba server, and often pinpoints the exact call that is causing the difficulty.
chdir("/pcdisk/public") = 0 stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory) stat("mini", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory) open("mini", O_RDONLY) = 5 fcntl(5, F_SETFD, FD_CLOEXEC) = 0 fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 lseek(5, 0, SEEK_CUR) = 0 SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196 lseek(5, 0, SEEK_CUR) = 1024 SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0 close(5) = 0 stat("mini/desktop.ini", 0xbffff86c) = -1 ENOENT (No such file or directory) write(3, "\0\0\0#\377SMB\10\1\0\2\0\200\1\0"..., 39) = 39 SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1 read(3, "\0\0\0?", 4) = 4 read(3, "\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0"..., 63) = 63 time(NULL) = 896143871
The tcpdump program, as extended by Andrew Tridgell, allows you to monitor SMB network traffic in real time. A variety of output formats are available, and you can filter the output to look at only a particular type of traffic. You can examine all conversations between client and server, including SMB and NMB broadcast messages. While its troubleshooting capabilities lie mainly at the OSI network layer, you can still use its output to get a general idea of what the server and client are attempting to do.
$ tcpdump -v -s 255 -i eth0 port not telnet SMB PACKET: SMBtrans (REQUEST) Request packet SMB Command = 0x25 Request was ls or dir [000] 01 00 00 10 .... >>> NBT Packet Outer frame of SMB packet NBT Session Packet Flags=0x0 Length=226 [lines skipped] SMB PACKET: SMBtrans (REPLY) Beginning of a reply to request SMB Command = 0x25 Command was an ls or dir Error class = 0x0 Error code = 0 No errors Flags1 = 0x80 Flags2 = 0x1 Tree ID = 105 Proc ID = 6075 UID = 100 MID = 30337 Word Count = 10 TotParamCnt=8 TotDataCnt=163 Res1=0 ParamCnt=8 ParamOff=55 Res2=0 DataCnt=163 DataOff=63 Res3=0 Lsetup=0 Param Data: (8 bytes) [000] 00 00 00 00 05 00 05 00 ........ Data Data: (135 bytes) Actual directory contents: [000] 68 6F 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 homes... ........ [010] 64 00 00 00 70 75 62 6C 69 63 00 00 00 00 00 00 d...publ ic...... [020] 00 00 00 00 75 00 00 00 74 65 6D 70 00 00 00 00 ....u... temp.... [030] 00 00 00 00 00 00 00 00 76 00 00 00 49 50 43 24 ........ v...IPC$ [040] 00 00 00 00 00 00 00 00 00 00 03 00 77 00 00 00 ........ ....w... [050] 64 6F 6E 68 61 6D 00 00 00 00 00 00 00 00 00 00 donham.. ........ [060] 92 00 00 00 48 6F 6D 65 20 44 69 72 65 63 74 6F ....Home Directo [070] 72 69 65 73 00 00 00 49 50 43 20 53 65 72 76 69 ries...I PC Servi [080] 63 65 20 28 53 61 6D ce (Sam
You can download the modified tcpdump from the Samba FTP server, located at ftp://samba.anu.edu.au/pub/samba/tcpdump-smb. Other versions might not include support for the SMB protocol; if you don't see output such as that shown in the example, you'll need to use the SMB-enabled version.
Ethereal (http://www.ethereal.com) is a GUI-based utility that performs the same basic function as tcpdump. You might prefer Ethereal because it is much easier to use. Once you have Ethereal running, just do the following:
Select Start from the Capture menu.
Click the OK button in the dialog box that appears. This will bring up a dialog box showing how many packets Ethereal has seen. Perform the actions on the system(s) in your network to reproduce the problem you are analyzing.
Click the Stop button in the Ethereal dialog box to make it finish collecting data.
In the main Ethereal window, click any item in the upper window to view it in the lower window. In the lower window, click any of the boxes containing a plus sign (+) to expand the view.
Ethereal does a good job of translating the content of the packets it encounters into human-readable format, and you should have little trouble seeing what happened on the network during the capture period.
The fault tree presented in this section is for diagnosing and fixing problems that occur when you're installing and reconfiguring Samba. It's an expanded form of the trouble and diagnostic document DIAGNOSIS.txt, which is part of the Samba distribution.
The first command to enter on both the server and the client is ping 127.0.0.1. This pings the loopback address and indicates whether any networking support is functioning. On Unix, you can use ping 127.0.0.1 with the statistics option and interrupt it after a few lines. On Sun workstations, the command is typically /usr/etc/ping -s 127.0.0.1; on Linux, just ping 127.0.0.1. On Windows clients, run ping 127.0.0.1 in an MS-DOS (command prompt) window, and it will stop by itself after four lines.
Here is an example on a Linux server:
$ ping 127.0.0.1 PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1): icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): icmp-seq=2. time=1. ms ^C ----127.0.0.1 PING Statistics---- 3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) min/avg/max = 0/0/1
If you get "ping: no answer from . . . " or "100% packet loss," you have no IP networking installed on the system. The address 127.0.0.1 is the internal loopback address and doesn't depend on the computer being physically connected to a network. If this test fails, you have a serious local problem. TCP/IP either isn't installed or is seriously misconfigured. See your operating system documentation if it's a Unix server. If it's a Windows client, follow the instructions in Chapter 3 to install networking support.
TIP
$ ping localhost PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): icmp-seq=0. time=0. ms 64 bytes from localhost (127.0.0.1): icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): icmp-seq=2. time=0. ms ^C
If this succeeds, try the same test on the client. Otherwise:
If you get "unknown host: localhost," there is a problem resolving the hostname localhost into a valid IP address. (This might be as simple as a missing entry in a local hosts file.) From here, skip down to Section 12.2.7 later in this chapter.
If you get "ping: no answer," or "100% packet loss," but pinging 127.0.0.1 worked, name services is resolving to an address, but it isn't the correct one. Check the file or database (typically /etc/hosts on a Unix system) that the name service is using to resolve addresses to ensure that the entry is correct.
$ ping 192.168.236.86 PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86): icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86): icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86): icmp-seq=2. time=1. ms ^C ----192.168.236.86 PING Statistics---- 3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) min/avg/max = 0/0/1
If this works on the server, repeat it for the client. Otherwise:
$ ping server PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86): icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86): icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86): icmp-seq=2. time=1. ms ^C ----server.example.com PING Statistics---- 3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) min/avg/max = 0/0/1
If successful, this test tells us five things:
The hostname (e.g., server) is being found by your local name server.
The hostname has been expanded to the full name (e.g., server.example.com).
The client has sent the Samba server four 56-byte UDP/IP packets.
If this test isn't successful, one of several things can be wrong with the network:
If each system can ping itself but not another, something is wrong on the network between them.
Check both the address and the netmasks on source and destination systems to see if something is obviously wrong. Assuming both systems really are on the same network, they both should have the same netmasks, and ping should report the correct addresses. If the addresses are wrong, you'll need to correct them. If they are correct, the programs might be confused by an incorrect netmask. See Section 12.2.8.1, later in this chapter.
If the commands are still reporting that the network is unreachable and neither of the previous two conditions are in error, one network really might be unreachable from the other. This, too, is an issue for the network manager.
If you get ICMP Administratively Prohibited, you've struck a firewall of some sort or a misconfigured router. You will need to speak to your network security officer.
If you get ICMP Host redirect and ping reports packets getting through, this is generally harmless: you're simply being rerouted over the network.
If you get a host redirect and no ping responses, you are being redirected, but no one is responding. Treat this just like the Network unreachable response, and check your addresses and netmasks.
If you get ICMP Host Unreachable from gateway gateway name, ping packets are being routed to another network, but the other system isn't responding and the router is reporting the problem on its behalf. Again, treat this like a Network unreachable response, and start checking addresses and netmasks.
If you get ping: unknown host hostname, your system's name is not known. This tends to indicate a name service problem, which didn't affect localhost. Have a look at Section 12.2.7, later in this chapter.
If you get a partial success—with some pings failing but others succeeding—you have either an intermittent problem between the systems or an overloaded network. Ping a bit longer, and see if more than about three percent of the packets fail. If so, check it with your network manager: a problem might just be starting. However, if only a few fail, or if you happen to know some massive network program is running, don't worry unduly. The ICMP (and UDP) protocols used by ping are allowed to drop occasional packets.
If you get a response such as smtsvr.antares.net is alive when you actually pinged client.example.com, either you're using someone else's address or the system has multiple names and addresses. If the address is wrong, the name service is clearly the culprit; you'll need to change the address in the name service database to refer to the correct system. This is discussed in Section 12.2.7, later in this chapter.
Servers are often multihomed —i.e., connected to more than one network, with different names on each net. If you are getting a response from an unexpected name on a multihomed server, look at the address and see if it's on your network (see Section 12.2.8.1, later in this chapter). If so, you should use that address, rather than one on a different network, for both performance and reliability reasons.
Servers can also have multiple names for a single Ethernet address, especially if they are web servers. This is harmless, albeit startling. You probably will want to use the official (and permanent) name, rather than an alias that might change.
If everything works but the IP address reported is 127.0.0.1, you have a name service error. This typically occurs when an operating-system installation program generates an /etc/hosts line similar to 127.0.0.1 localhost hostname.domainname. The localhost line should say 127.0.0.1 localhost or 127.0.0.1 localhost loghost. Correct it, lest it cause failures to negotiate who is the master browse list holder and who is the master browser. It can also cause (ambiguous) errors in later tests.
Now that you've tested IP, UDP, and a name service with ping, it's time to test TCP. Browsing and ping use ICMP and UDP; file and print services (shares) use TCP. Both depend on IP as a lower layer, and all four depend on name services. Testing TCP is most conveniently done using the FTP program.
Try connecting via FTP, once from the server to itself, and once from the client to the server:
$ ftp server Connected to server.example.com. 220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready. Name (server:davecb): 331 Password required for davecb. Password: 230 User davecb logged in. ftp> quit 221 Goodbye.
If this worked, skip to the next section, Section 12.2.4. Otherwise:
If you received the message server: unknown host, name service has failed. Go back to the corresponding ping step, Section 12.2.2.2, and rerun those tests to see why name lookup failed.
If you received ftp: connect: Connection refused, the system isn't running an FTP daemon. This is mildly unusual on Unix servers. Optionally, you might try this test by connecting to the system using telnet instead of ftp; the messages are very similar, and telnet uses TCP as well.
If there was a long pause, and then ftp: connect: Connection timed out, the system isn't reachable. Return to Section 12.2.2.4.
If you received 530 Logon Incorrect, you connected successfully, but you've just found a different problem. You likely provided an incorrect username or password. Try again, making sure you use your username from the Unix server and type your password correctly.
To be sure they're running, you need to find out whether the daemons:
Another way to make sure the daemons are running is to check their processes on the system. Use the ps command on the server with the "long" option for your system type (commonly ps ax or ps -ef), and see whether smbd and nmbd are already running. This often looks like the following:
$ ps ax PID TTY STAT TIME COMMAND 1 ? S 0:03 init [2] 2 ? SW 0:00 (kflushd) (...many lines of processes...) 234 ? S 0:14 nmbd -D3 237 ? S 0:11 smbd -D3 (...more lines, possibly including more smbd lines...)
$ netstat -a Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) udp 0 0 *.137 *.* tcp 0 0 *.139 *.* LISTEN tcp 8370 8760 server.139 client.1439 ESTABLISHED
There might be other TCP lines indicating connections from smbd to clients, one for each client. These are usually in the ESTABLISHED state. If there are smbd lines in the ESTABLISHED state, smbd is definitely running. If there is only one line in the LISTEN state, we're not sure yet. If both of the lines are missing, a daemon has not succeeded in starting, so it's time to check the logs and then go back to Chapter 2.
If there is a line for each client, it might be coming either from a Samba daemon or from the master IP daemon, inetd. It's quite possible that your inetd startup file contains lines that start Samba daemons without your realizing it; for instance, the lines might have been placed there if you installed Samba as part of a Linux distribution. The daemons started by inetd prevent ours from running. This problem typically produces log messages such as bind failed on port 139 socket addr=0 (Address already in use).
Check your /etc/inetd.conf ; unless you're intentionally starting the daemons from there, netbios-ns (UDP port 137) or netbios-ssn (tcp port 139) servers should be mentioned there. If your system is providing an SMB daemon via inetd, lines such as the following will appear in the inetd.conf file:
netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd
If your system uses xinetd instead of inetd, see Chapter 2 for details concerning its configuration.
Ironically, the easiest way to test that the smbd server is actually working is to send it a meaningless message and see if it is rejected. Try something such as the following:
$ echo "hello" | telnet localhost 139 Trying Trying 192.168.236.86 ... Connected to localhost. Escape character is '^]'. Connection closed by foreign host.
This sends an erroneous but harmless message to smbd. If you get a Connected message followed by a Connection closed message, the test was a success. You have an smbd daemon listening on the port and rejecting improper connection messages. On the other hand, if you get telnet: connect: Connection refused, most likely no daemon is present. Check the logs and go back to Chapter 2.
Regrettably, there isn't an easy test for nmbd. If the telnet test and the netstat test both say that an smbd is running, there is a good chance that netstat will also be correct about nmbd running.
Once you know there's a daemon, you should always run testparm, in hopes of getting something such as the following:
$ testparm Load smb config files from /opt/samba/lib/smb.conf Processing section "[homes]" Processing section "[printers]" ... Processing section "[tmp]" Loaded services file OK. ...
Just a reminder that you have used the available = no option in a share.
Indicates a missing or misspelled section in a copy = option.
Typically indicates an obsolete, misspelled, or unsupported option.
# testparm /usr/local/samba/lib/smb.conf client 192.168.236.10
This will run one more test that checks the hostname and address against hosts allow and hosts deny options and might produce the Allow connection from hostname to service and/or Deny connection from hostname to service messages for the client system. These messages indicate that you have hosts allow and/or hosts deny options in your smb.conf, and they prohibit access from the client system.
Now that you know the servers are up, you need to make sure they're running properly. We start by placing a simple smb.conf file in the /usr/local/samba/lib directory.
[global] workgroup = EXAMPLE security = user browsable = yes local master = yes [homes] guest ok = no browsable = no [temp] path = /tmp public = yes
WARNING
The first test is to ensure that the server can list its own services (shares). Run the command smbclient -L localhost -U% to connect to the server from itself, and specify the guest user. You should see the following:
$ smbclient -L localhost -U% Server time is Wed May 27 17:57:40 2002 Timezone is UTC-4.0 Server=[localhost] User=[davecb] Workgroup=[EXAMPLE] Domain=[EXAMPLE] Sharename Type Comment --------- ----- ---------- temp Disk IPC$ IPC IPC Service (Samba 1.9.18) homes Disk Home directories This machine does not have a browse list
If you received this output, move on to the next section, Section 12.2.5.3. On the other hand, if you receive an error, check the following:
If you get Get_hostbyname: unknown host localhost, either you've spelled its name wrong or there actually is a problem (which should have been seen back in Section 12.2.2.2). In the latter case, move on to Section 12.2.7, later in this chapter.
If you get Connect error: Connection refused, the server was found, but it wasn't running an nmbd daemon. Skip back to Section 12.2.4, earlier in this chapter, and retest the daemons.
If you get the message Your server software is being unfriendly, the initial session request packet got a garbage response from the server. The server might have crashed or started improperly. The common causes of this can be discovered by scanning the logs for the following:
Invalid command-line parameters to smbd ; see the smbd manual page.
A fatal problem with the smb.conf file that prevents the startup of smbd. Always check your changes with testparm, as was done in Section 12.2.4.5, earlier in this chapter.
Missing directories where Samba is supposed to keep its log and lock files.
The presence of a server already on the port (139 for smbd, 137 for nmbd ), preventing the daemon from starting.
If you're using inetd (or xinetd ) instead of standalone daemons, be sure to check your /etc/inetd.conf (or xinetd configuration files) and /etc/services entries against their manual pages for errors as well.
If you get a Password: prompt, your guest account is not set up properly. The -U% option tells smbclient to do a "null login," which requires that the guest account be present but does not require it to have any privileges.
If you get the message SMBtconX failed. ERRSRV--ERRaccess, you aren't permitted access to the server. This normally means you have a hosts allow option that doesn't include the server or a hosts deny option that does. Recheck with the command testparm smb.conf your_hostname your_ip_address (see Section 12.2.4.5), and correct any unintended prohibitions.
Run the command smbclient \\server\temp to connect to the server's [temp] share and to see if you can connect to a file service. You should get the following response:
$ smbclient '\\server\temp' Server time is Tue May 5 09:49:32 2002 Timezone is UTC-4.0 Password: smb: \> quit
You might receive the following errors:
If you get Get_Hostbyname: Unknown host name, Connect error: Connection refused, or Your server software is being unfriendly, see the previous section, Section 12.2.5.2, for the diagnoses.
If you get the message servertemp: Not enough `\' characters in service, you likely didn't quote the address, so Unix stripped off backslashes. You can also write the command:
smbclient \\\\server\\temp
or:
smbclient //server/temp
Now, provide your Unix account password to the Password: prompt. If you then get an smb: \> prompt, it worked. Enter quit and continue on to the next section, Section 12.2.5.4. If you got SMBtconX failed. ERRSRV--ERRinvnetname, the problem can be any of the following:
A wrong share name: you might have spelled it wrong, it might be too long, it might be in mixed case, or it might not be available. Check that it's what you expect with testparm (see the earlier section, Section 12.2.4.5).
A security = share parameter in your Samba configuration file, in which case you might have to add -U your_account to the smbclient command.
An erroneous username.
An erroneous password.
An invalid users or valid users option in your smb.conf file that doesn't allow your account to connect. Recheck using testparm smb.conf your_hostname your_ip_address (see the earlier section, Section 12.2.4.5).
A valid hosts option that doesn't include the server, or an invalid hosts option that does. Also test this with testparm.
A problem in authentication, such as if shadow passwords or the Password Authentication Module (PAM) is used on the server, but Samba is not compiled to use it. This is rare, but it occasionally happens when a SunOS 4 Samba binary (with no shadow passwords) is run without recompilation on a Solaris system (with shadow passwords).
The encrypted passwords = yes option is in the configuration file, but no password for your account is in the smbpasswd file.
You have a null password entry, either in Unix /etc/passwd or in the smbpasswd file.
You are connecting to [temp], and you do not have the guest ok = yes option in the [temp] section of the smb.conf file.
You are connecting to [temp] before connecting to your home directory, and your guest account isn't set up correctly. If you can connect to your home directory and then connect to [temp], that's the problem. See Chapter 2 for more information on creating a basic Samba configuration file.
A bad guest account will also prevent you from printing or browsing until after you've logged in to your home directory.
There is one more reason for this failure that has nothing at all to do with passwords: the path parameter in your smb.conf file might point somewhere that doesn't exist. This will not be diagnosed by testparm, and most SMB clients can't distinguish it from other types of bad user accounts. You will have to check it manually.
Once you have connected to [temp] successfully, repeat the test, this time logging in to your home directory (e.g., map network drive server\davecb). If you have to change anything to get that to work, retest [temp] again afterward.
Run the command net use * \server\temp on the Windows client to see if it can connect to the server. You should be prompted for a password, then receive the response The command was completed successfully.
If that worked, continue with the steps in the next section, Section 12.2.5.5. Otherwise:
If you get The specified shared directory cannot be found, or Cannot locate specified share name, the directory name is either misspelled or not in the smb.conf file. This message can also warn of a name that is in mixed case, including spaces, or that is longer than eight characters.
If you get The computer name specified in the network path cannot be located or Cannot locate specified computer, the directory name has been misspelled, the name service has failed, there is a networking problem, or the hosts deny option includes your host.
If it is not a spelling mistake, you need to double back at least to Section 12.2.5.3 to investigate why it doesn't connect.
If smbclient does work, there is a name service problem with the client name service, and you need to go forward to Section 12.2.6.2 and see if you can look up both the client and server with nmblookup.
If you get The password is invalid for \server\username, your locally cached copy on the client doesn't match the one on the server. You will be prompted for a replacement.
TIP
TIP
If you have a mixed-case password on Unix, the client is probably sending it in all one case. If changing your password to all one case works, this was the problem. Regrettably, all but the oldest clients support uppercase passwords, so Samba will try once with the password in uppercase and once in lowercase. If you wish to use mixed-case passwords, see the password level option in Chapter 9 for a workaround.
You might have a valid users problem, as tested with smbclient (see the earlier section, Section 12.2.5.3).
You might have the NetBEUI protocol bound to the Microsoft client. This often produces long timeouts and erratic failures and is known to have caused failures to accept passwords in the past. Unless you absolutely need the NetBEUI protocol, remove it.
TIP
Start Windows Explorer (not Internet Explorer), select Map Network Drive from the Tools menu, and specify the UNC for one of your shares on the Samba server to see if you can make Explorer connect to it. If so, you've succeeded and can skip to the next section, Section 12.2.6.
Windows Explorer is a rather poor diagnostic tool: it tells you that something's wrong, but rarely what it is. If you get a failure, you'll need to track it down with the Windows net use command, which has far superior error reporting:
If you get The password for this connection that is in your password file is no longer correct, you might have any of the following:
Your locally cached copy on the client doesn't match the one on the server.
You didn't provide a username and password when logging on to the client. Some versions of Explorer will continue to send a null username and password, even if you provide a password.
You have misspelled the password.
You have an invalid users or valid users list denying permission.
Your client is defaulting to encrypted passwords, but Samba is configured with the encrypt passwords = no configuration file parameter.
You have a mixed-case password, which the client is supplying in all one case.
If you get The network name is either incorrect, or a network to which you do not have full access, or Cannot locate specified computer, you might have any of the following:
Misspelled name
Malfunctioning service
Failed share
Networking problem
Bad path parameter in smb.conf
hosts deny line that excludes you
If you get You must supply a password to make this connection, the password on the client is out of synchronization with the server, or this is the first time you've tried from this client system and the client hasn't cached it locally yet.
If you get Cannot locate specified share name, you have a wrong share name or a syntax error in specifying it, a share name longer than eight characters, or one containing spaces or in mixed case.
Once you can reliably connect to the share, try again, this time using your home directory. If you have to change something to get home directories working, retest with the first share, and vice versa, as we showed in the earlier section, "Testing connections with net use." As always, if Explorer fails, drop back to that section and debug the connection there.
Finally, we come to browsing. We've left this for last, not because it is the most difficult, but because it's both optional and partially dependent on a protocol that doesn't guarantee delivery of a packet. Browsing is hard to diagnose if you don't already know that all the other services are running.
We'll start with testing the reliable connection first. From the server, try listing its own shares using smbclient with a -L option and your server's name. You should get something resembling the following:
$ smbclient -L server Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server time is Tue Apr 28 09:57:28 2002 Timezone is UTC-4.0 Password: Domain=[EXAMPLE] OS=[Unix] Server=[Samba 2.2.5] Sharename Type Comment --------- ---- ------- cdrom Disk CD-ROM cl Printer Color Printer 1 davecb Disk Home Directories Server Comment --------- ------- SERVER Samba 2.2.5 Workgroup Master --------- ------- EXAMPLE SERVER
If you didn't get a Sharename list, the server is not allowing you to browse any shares. This should not be the case if you've tested any of the shares with Windows Explorer or the net use command. If you haven't done the smbclient -L localhost -U% test yet (see the earlier section, Section 12.2.5.2), do it now. An erroneous guest account can prevent the shares from being seen. Also, check the smb.conf file to make sure you do not have the option browsable = no anywhere in it: we suggest using a minimal smb.conf file (see the earlier section, Section 12.2.5.1). You need to have browsable enabled (which is the default) to see the share.
If you didn't get a browse list, the server is not providing information about the systems on the network. At least one system on the net must support browse lists. Make sure you have local master = yes in the smb.conf file if you want Samba to be the local master browser.
If you got a browse list but didn't get /tmp, you probably have a smb.conf problem. Go back to Section 12.2.4.5.
If you didn't get a workgroup list with your workgroup name in it, it is possible that your workgroup is set incorrectly in the smb.conf file.
If you didn't get a workgroup list at all, ensure that workgroup = EXAMPLE is present in the smb.conf file.
If you get nothing, try once more with the options -I ip_address -n netbios_name -W workgroup -d3 with the NetBIOS and workgroup name in uppercase. (The -d3 option sets the log /debugging level to 3.) Then check the Samba logs for clues.
If you're still getting nothing, you shouldn't have gotten this far; double back to at least Section 12.2.3.1, or perhaps Section 12.2.2.4. On the other hand:
If you get SMBtconX failed. ERRSRV--ERRaccess, you aren't permitted access to the server. This normally means you have a hosts allow option that doesn't include the server or a hosts deny option that does.
If you get Bad password, you presumably have one of the following:
An incorrect hosts allow or hosts deny line
An incorrect invalid users or valid users lin