# seit letzem Update kein Zugriff auf Samba Share

## Tinitus

Hallo,

seit einem der letzen Updates habe ich keinen Zugriff mehr auf meine Samba Shares.

Ich habe keine Ahnung wo ich anfangen soll nach einem Fehler zu suchen...

netstat -nelpt | grep smbd

```

tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      0          2696414    14350/smbd          

tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      0          2696412    14350/smbd          

tcp6       0      0 :::139                  :::*                    LISTEN      0          2696410    14350/smbd          

tcp6       0      0 :::445                  :::*                    LISTEN      0          2696408    14350/smbd 
```

systemctl status smbd

```

● smbd.service - Samba SMB/CIFS server

   Loaded: loaded (/usr/lib64/systemd/system/smbd.service; enabled)

   Active: active (running) since Di 2014-06-17 10:09:02 CEST; 4min 4s ago

  Process: 14349 ExecStart=/usr/sbin/smbd -D (code=exited, status=0/SUCCESS)

 Main PID: 14350 (smbd)

   CGroup: /system.slice/smbd.service

           ├─14350 /usr/sbin/smbd -D

           └─14351 /usr/sbin/smbd -D

Jun 17 10:09:02 localhost systemd[1]: Started Samba SMB/CIFS server.

```

Habe jetzt schon mal die letze 3.6 Version installiert...keine Änderung.

emerge =net-fs/samba-3.6.23-r1 -pv

```

These are the packages that would be merged, in order:

Calculating dependencies... done!

[ebuild   R   ~] net-fs/samba-3.6.23-r1  USE="acl aio client cups doc fam ldap netapi pam readline server smbclient syslog winbind -addns -ads -avahi -caps -cluster -debug -dmapi -examples -ldb -quota (-selinux) -smbsharemodes -swat" ABI_X86="(64) -32 (-x32)" 0 kB

```

Im Log erscheint nicht mal ein Eintrag, wenn ich vom Client per IP aus zugreife...

Auch erscheint meine samba Server nicht mehr in der Liste der verfügbaren Server.

----------

## schmidicom

Laufen denn die beiden anderen nmbd und winbindd auch?

Ist dein Samba Mitglied in einer bestehenden Domäne?

----------

## Tinitus

Hallo,

beide Dienste liefen nicht. Jetzt erscheint mein Samba Server wieder im Netz. Leider kommt immer noch die Fehlermeldung, daß Benutzername und Paßwort nicht stimmen beim Zugriff.

Aus einer VM auf dem gleichen Rechner hingegen funktioniert es..

Kann das mit der Fritz!Box 7490 zusammen hängen?

----------

## schmidicom

Dann schau jetzt nochmal ins Log ob nun was brauchbares drin steht und der Inhalt deiner smb.conf wäre auch nicht schlecht.

----------

## Tinitus

Hallo,

also nachdem ich die Fritzbox mal abgeklemmt und wieder angeklemmt habe kommt dann

```
 process_name_query_request: Name query from 192.168.3.55 on subnet 192.168.3.3 for name __MSBROWSE__<01>

[2014/06/17 12:52:37,  3] nmbd/nmbd_incomingrequests.c:571(process_name_query_request)

  OK

```

Dann wird Benutzername und Paßwort akzeptiert.

Also hängt es mit der Fritzbox zusammen.

Also werden Benutzername und Paßwort gegen die FritzBox geprüft.

Hier meine smb.conf

```

#======================= Global Settings =====================================

[global]

# 1. Server Naming Options:

# workgroup = NT-Domain-Name or Workgroup-Name

   workgroup = workgroup

# netbios name is the name you will see in "Network Neighbourhood",

# but defaults to your hostname

   netbios name = Samba

# server string is the equivalent of the NT Description field

   server string = Samba %v

# 2. Printing Options:

# CHANGES TO ENABLE PRINTING ON ALL CUPS PRINTERS IN THE NETWORK

# if you want to automatically load your printer list rather

# than setting them up individually then you'll need this

   printcap name = cups

   load printers = yes

# It should not be necessary to spell out the print system type unless

# yours is non-standard. Currently supported print systems include:

# bsd, sysv, plp, lprng, aix, hpux, qnx, cups

   printing = cups

# 3. Logging Options:

# this tells Samba to use a separate log file for each machine

# that connects

   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).

   max log size = 50

# Set the log (verbosity) level (0 <= log level <= 10)

 log level = 3

# 4. Security and Domain Membership Options:

# This option is important for security. It allows you to restrict

# connections to machines which are on your local network. The

# following example restricts access to two C class networks and

# the "loopback" interface. For more examples of the syntax see

# the smb.conf man page. Do not enable this if (tcp/ip) name resolution does

# not work for all the hosts in your network.

hosts allow = 192.168.3.0/24 192.168.2.0/24 127.0.0.1

# Uncomment this if you want a guest account, you must add this to /etc/passwd

# otherwise the user "nobody" is used

;  guest account = pcguest

# Allow users to map to guest:

  map to guest = bad user

# Security mode. Most people will want user level security. See

# security_level.txt for details.

   security = user

# Use password server option only with security = server or security = domain

# When using security = domain, you should use password server = *

;   password server = <NT-Server-Name>

;   password server = *

# Password Level allows matching of _n_ characters of the password for

# all combinations of upper and lower case.

;  password level = 8

;  username level = 8

# You may wish to use password encryption. Please read

# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.

# Do not enable this option unless you have read those documents

# Encrypted passwords are required for any use of samba in a Windows NT domain

# The smbpasswd file is only required by a server doing authentication, thus

# members of a domain do not need one.

  encrypt passwords = yes

# The following are needed to allow password changing from Windows to

# also update the Linux system password.

# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.

# NOTE2: You do NOT need these to allow workstations to change only

#        the encrypted SMB passwords. They allow the Unix password

#        to be kept in sync with the SMB password.

;  unix password sync = Yes

# You either need to setup a passwd program and passwd chat, or

# enable pam password change

;  pam password change = yes

;  passwd program = /usr/bin/passwd %u

;  passwd chat = *New*UNIX*password* %n\n *Re*ype*new*UNIX*password* %n\n \

;*passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names

;  username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration

# on a per machine basis. The %m gets replaced with the netbios name

# of the machine that is connecting

;   include = /etc/samba/smb.conf.%m

# Options for using winbind. Winbind allows you to do all account and

# authentication from a Windows or samba domain controller, creating

# accounts on the fly, and maintaining a mapping of Windows RIDs to unix uid's 

# and gid's. idmap uid and idmap gid are the only required parameters.

#

# winbind separator is the character a user must use between their domain

# name and username, defaults to "\"

;  winbind separator = +

#

# winbind use default domain allows you to have winbind return usernames

# in the form user instead of DOMAIN+user for the domain listed in the

# workgroup parameter.

;  winbind use default domain = yes

#

# template homedir determines the home directory for winbind users, with 

# %D expanding to their domain name and %U expanding to their username:

;  template homedir = /home/%D/%U

# When using winbind, you may want to have samba create home directories

# on the fly for authenticated users. Ensure that /etc/pam.d/samba is

# using 'service=system-auth-winbind' in pam_stack modules, and then

# enable obedience of pam restrictions below:

;  obey pam restrictions = yes

#

# template shell determines the shell users authenticated by winbind get

;  template shell = /bin/bash

# 5. Browser Control and Networking Options:

# Most people will find that this option gives better performance.

# See speed.txt and the manual pages for details

#socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384

# Configure Samba to use multiple interfaces

# If you have multiple network interfaces then you must list them

# here. See the man page for details.

;   interfaces = 192.168.12.2/24 192.168.13.2/24 

# Configure remote browse list synchronisation here

#  request announcement to, or browse list sync from:

#       a specific host or from / to a whole subnet (see below)

;   remote browse sync = 192.168.3.25 192.168.5.255

# Cause this host to announce itself to local subnets here

;   remote announce = 192.168.1.255 192.168.2.44

# set local master to no if you don't want Samba to become a master

# browser on your network. Otherwise the normal election rules apply

;   local master = no

# OS Level determines the precedence of this server in master browser

# elections. The default value should be reasonable

;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This

# allows Samba to collate browse lists between subnets. Don't use this

# if you already have a Windows NT domain controller doing this job

;   domain master = yes 

# Preferred Master causes Samba to force a local browser election on startup

# and gives it a slightly higher chance of winning the election

;   preferred master = yes

# 6. Domain Control Options:

# Enable this if you want Samba to be a domain logon server for 

# Windows95 workstations or Primary Domain Controller for WinNT and Win2k

;   domain logons = yes

# if you enable domain logons then you may want a per-machine or

# per user logon script

# run a specific logon batch file per workstation (machine)

;   logon script = %m.bat

# run a specific logon batch file per username

;   logon script = %U.bat

# Where to store roaming profiles for WinNT and Win2k

#        %L substitutes for this servers netbios name, %U is username

#        You must uncomment the [Profiles] share below

;   logon path = \\%L\Profiles\%U

# Where to store roaming profiles for Win9x. Be careful with this as it also

# impacts where Win2k finds it's /HOME share

; logon home = \\%L\%U\.profile

# The add user script is used by a domain member to add local user accounts

# that have been authenticated by the domain controller, or when adding

# users via the Windows NT Tools (ie User Manager for Domains).

# Scripts for file (passwd, smbpasswd) backend:

; add user script = /usr/sbin/useradd -s /bin/false '%u'

; delete user script = /usr/sbin/userdel '%s'

; add user to group script = /usr/bin/gpasswd -a '%u' '%g'

; delete user from group script = /usr/bin/gpasswd -d '%u' '%g'

; set primary group script = /usr/sbin/usermod -g '%g' '%u'

; add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print $3}'

; delete group script = /usr/sbin/groupdel '%g'

# Scripts for LDAP backend (assumes nss_ldap is in use on the domain controller.

# Needs IDEALX scripts, and configuration in smbldap_conf.pm.

# This assumes you've installed the IDEALX scripts into /usr/share/samba/scripts...

; add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'

; delete user script = /usr/share/samba/scripts/smbldap-userdel.pl '%u'

; add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m '%u' '%g'

; delete user from group script = /usr/share/samba/scripts/smbldap-groupmod.pl -x '%u' '%g'

; set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g '%g' '%u'

; add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g' && /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}'

; delete group script = /usr/share/samba/scripts/smbldap-userdel.pl '%g'

# The add machine script is use by a samba server configured as a domain

# controller to add local machine accounts when adding machines to the domain.

# The script must work from the command line when replacing the macros,

# or the operation will fail. Check that groups exist if forcing a group.

# Script for domain controller for adding machines:

; add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false '%u'

# Script for domain controller with LDAP backend for adding machines (You need

# the IDEALX scripts, and to configure the smbldap_conf.pm first):

; add machine script = /usr/share/samba/scripts/smbldap-useradd.pl -w -d /dev/null -g machines -c 'Machine Account' -s /bin/false '%u'

# Domain groups:

# Domain groups are now configured by using the 'net groupmap' tool

# Samba Password Database configuration:

# Samba now has runtime-configurable password database backends.

# smbpasswd is for backwards compatibility only Default (not recommended),

# new installations should use tdbsam or ldap.

; passdb backend = smbpasswd

# TDB backend 

; passdb backend = tdbsam

# LDAP with fallback to smbpasswd guest

# Enable SSL by using an ldaps url, or enable tls with 'ldap ssl' below.

; passdb backend = ldapsam:ldaps://ldap.mydomain.com

# Use the samba2 LDAP schema:

; passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com

# idmap uid account range:

# This is a range of unix user-id's that samba will map non-unix RIDs to,

# such as when using Winbind

; idmap uid = 10000-20000

; idmap gid = 10000-20000

  

# LDAP configuration for Domain Controlling:

# The account (dn) that samba uses to access the LDAP server

# This account needs to have write access to the LDAP tree

# You will need to give samba the password for this dn, by 

# running 'smbpasswd -w mypassword'

; ldap admin dn = cn=root,dc=mydomain,dc=com

; ldap ssl = start_tls

# start_tls should run on 389, but samba defaults incorrectly to 636

; ldap port = 389

; ldap suffix = dc=mydomain,dc=com

; ldap server = ldap.mydomain.com

# Seperate suffixes are available for machines, users, groups, and idmap, if 

# ldap suffix appears first, it is appended to the specific suffix.

# Example for a unix-ish directory layout:

; ldap machine suffix = ou=Hosts

; ldap user suffix = ou=People

; ldap group suffix = ou=Group

; ldap idmap suffix = ou=Idmap

# Example for AD-ish layout:

; ldap machine suffix = cn=Computers

; ldap user suffix = cn=Users

; ldap group suffix = cn=Groups

; ldap idmap suffix = cn=Idmap

# 7. Name Resolution Options:

# All NetBIOS names must be resolved to IP Addresses

# 'Name Resolve Order' allows the named resolution mechanism to be specified

# the default order is "host lmhosts wins bcast". "host" means use the unix

# system gethostbyname() function call that will use either /etc/hosts OR

# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf

# and the /etc/resolv.conf file. "host" therefore is system configuration

# dependant. This parameter is most often of use to prevent DNS lookups

# in order to resolve NetBIOS names to IP Addresses. Use with care!

# The example below excludes use of name resolution for machines that are NOT

# on the local network segment

# - OR - are not deliberately to be known via lmhosts or via WINS.

; name resolve order = wins host lmhosts bcast

# Windows Internet Name Serving Support Section:

# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server

;wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client

#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both

;wins server = 192.168.3.3

# WINS Proxy - Tells Samba to answer name resolution queries on

# behalf of a non WINS capable client, for this to work there must be

# at least one  WINS Server on the network. The default is NO.

;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names

# via DNS nslookups. The built-in default for versions 1.9.17 is yes,

# this has been changed in version 1.9.18 to no.

   dns proxy = no 

# 8. File Naming Options:

# Case Preservation can be handy - system default is _no_

# NOTE: These can be set on a per share basis

;  preserve case = no

;  short preserve case = no

# Default case is normally upper case for all DOS files

;  default case = lower

# Be very careful with case sensitivity - it can break things!

;  case sensitive = no

# Enabling internationalization:

# you can match a Windows code page with a UNIX character set.

# Windows: 437 (US), 737 (GREEK), 850 (Latin1 - Western European),

# 852 (Czech), 861 (???), 932 (Japanese),

# 936 (Simplified Chin.), 949 (Korean Hangul),

# 950 (Trad. Chin.).

# More detail about code page is in

# "http://www.microsoft.com/globaldev/reference/oslocversion.mspx"

# UNIX: ISO8859-1 (Western European), ISO8859-2 (Eastern Eu.),

# ISO8859-5 (Russian Cyrillic), KOI8-R (Alt-Russ. Cyril.)

# This is an example for french users:

;   dos charset = 850

;   unix charset = ISO8859-1

dos charset = 1255

unix charset = UTF-8

display charset = UTF-8

#============================ Share Definitions ==============================

[homes]

   comment = Home Directories

   browseable = no

   writable = yes

# You can enable VFS recycle bin on a per share basis:

# Uncomment the next 2 lines (make sure you create a

# .recycle folder in the base of the share and ensure

# all users will have write access to it. See

# examples/VFS/recycle/REAME in the samba docs for details

;   vfs object = /usr/lib/samba/vfs/recycle.so

# Un-comment the following and create the netlogon directory for Domain Logons

; [netlogon]

;   comment = Network Logon Service

;   path = /var/lib/samba/netlogon

;   guest ok = yes

;   writable = no

# Un-comment the following to provide a specific roving profile share

# the default is to use the user's home directory

;[Profiles]

;    path = /var/lib/samba/profiles

;    browseable = no

;    guest ok = yes

# This script can be enabled to create profile directories on the fly

# You may want to turn off guest acces if you enable this, as it

# hasn't been thoroughly tested.

;root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \

;                then mkdir -pm700 $PROFILE; chown %u:%g $PROFILE;fi

# NOTE: If you have a CUPS print system there is no need to 

# specifically define each individual printer.

# You must configure the samba printers with the appropriate Windows

# drivers on your Windows clients. On the Samba server no filtering is

# done. If you wish that the server provides the driver and the clients

# send PostScript ("Generic PostScript Printer" under Windows), you have

# to swap the 'print command' line below with the commented one.

[printers]

   comment = All Printers

   path = /var/spool/samba

   browseable = no

# set to yes to allow user 'guest account' to print.

   guest ok = yes

   writable = no

   printable = yes

# This share is used for Windows NT-style point-and-print support.

# To be able to install drivers, you need to be either root, or listed

# in the printer admin parameter above. Note that you also need write access

# to the directory and share definition to be able to upload the drivers.

# For more information on this, please see the Printing Support Section of

# /usr/share/doc/samba-<version>/Samba-HOWTO-Collection.pdf 

[print$]

   path = /var/lib/samba/printers

   browseable = yes

   read only = yes

   write list = @adm root

   guest ok = yes

# This one is useful for people to share files

;[tmp]

;   comment = Temporary file space

;   path = /tmp

;   read only = no

;   public = yes

# A publicly accessible directory, but read only, except for people in

# the "staff" group

;[public]

;   comment = Public Stuff

;   path = /home/samba/public

;   public = yes

;   writable = no

;   write list = @staff

# Audited directory through experimental VFS audit.so module:

# Uncomment next line.

;   vfs object = /usr/lib/samba/vfs/audit.so

# Other examples. 

#

# A private printer, usable only by Fred. Spool data will be placed in Fred's

# home directory. Note that fred must have write access to the spool directory,

# wherever it is.

;[fredsprn]

;   comment = Fred's Printer

;   valid users = fred

;   path = /homes/fred

;   printer = freds_printer

;   public = no

;   writable = no

;   printable = yes

# A private directory, usable only by Fred. Note that Fred requires write

# access to the directory.

[Backup]

   comment = Backup auf Samba Server

   path = /home/samba

   writable = yes

   printable = no

<---Schnipp--->

```

----------

## bbgermany

Hi,

eventuell hat das was mit dem Masterbrowser zu tun... Versuche mal mit dem OS LEVEL rum zu spielen. Je höher der Wert, desto höher die Prio im Netz für Netbios Anfragen. Ein wohl recht guter Wert wäre 64 lt einiger Dokus.  :Wink: 

MfG. Stefan

----------

## schmidicom

Mit dem Security Modus "user" kenne ich mich nicht wirklich so gut aus da meine 3 Samba-Server in der Firma als File-Server dienen und unter dem Security Modus "ads" laufen.

Aber zuhause habe ich auch eine Fritzbox und ich weiß das diese Dinger ebenfalls einen Samba-Server mit drin haben wegen der integrierten NAS Funktionalität. Nur sollte sich der eigentlich neutral verhalten und nicht gleich die ganze Workgroup an sich reisen.

Sorry, das ich hier nicht wirklich mit einer brauchbaren Idee zur Problemlösung aufwarten kann.

----------

