Samba 验证用户身份,但不回复

Samba 验证用户身份,但不回复

有时 samba 4.1.11 会停止为客户端提供服务。每天,我都必须重新启动 smbd 才能修复此问题。Windows 客户端会提示共享设备无法访问或身份验证失败。

当客户端尝试连接时,会生成以下日志:

[2014/09/17 09:37:19.739314,  2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [user] -> [user] -> [DOMAIN\user] succeeded
[2014/09/17 09:58:41.021885,  1] ../source3/param/loadparm.c:3178(lp_do_parameter)
  WARNING: The "idmap uid" option is deprecated
[2014/09/17 09:58:41.022305,  1] ../source3/param/loadparm.c:3178(lp_do_parameter)
  WARNING: The "idmap gid" option is deprecated
[2014/09/17 09:58:41.022621,  2] ../source3/param/loadparm.c:3581(do_section)
  Processing section "[home]"
[2014/09/17 09:58:41.028757,  2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [user] -> [user] -> [DOMAIN\user] succeeded

据我所知,如果服务正常运行,上述日志之后本应还会出现以下几行:

[2014/09/17 09:54:43.760688,  2] ../source3/smbd/reply.c:592(reply_special)
  netbios connect: name1=SMB            0x20 name2=WORKSPACE   0x0
[2014/09/17 09:54:43.761081,  2] ../source3/smbd/reply.c:633(reply_special)
  netbios connect: local=smb remote=WORKSPACE, name type = 0

配置如下(testparm 的输出):

[global]
        dos charset = CP850
        unix charset = UTF-8
        workgroup = DOMAIN
        realm = DOMAIN.ORG
        netbios name = SAMBA
        netbios aliases = 
        netbios scope = 
        server string = SAMBA
        interfaces = 
        bind interfaces only = No
        server role = auto
        security = ADS
        auth methods = 
        encrypt passwords = Yes
        client schannel = Auto
        server schannel = Auto
        allow trusted domains = Yes
        map to guest = Never
        null passwords = No
        obey pam restrictions = No
        password server = *
        smb passwd file = /private/smbpasswd
        private dir = /private
        passdb backend = tdbsam
        algorithmic rid base = 1000
        root directory = 
        guest account = nobody
        enable privileges = Yes
        pam password change = No
        passwd program = 
        passwd chat = *new*password* %n\n *new*password* %n\n *changed*
        passwd chat debug = No
        passwd chat timeout = 2
        check password script = 
        username map = 
        username level = 0
        unix password sync = No
        restrict anonymous = 0
        lanman auth = No
        ntlm auth = Yes
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        client use spnego principal = No
        preload modules = 
        dedicated keytab file = 
        kerberos method = default
        map untrusted to domain = No
        log level = 2
        syslog = 1
        syslog only = No
        log file = /var/log/samba/%m
        max log size = 500
        debug timestamp = Yes
        debug prefix timestamp = No
        debug hires timestamp = Yes
        debug pid = No
        debug uid = No
        debug class = No
        enable core files = Yes
        smb ports = 445, 139
        large readwrite = Yes
        server max protocol = SMB3
        server min protocol = LANMAN1
        client max protocol = NT1
        client min protocol = CORE
        unicode = Yes
        min receivefile size = 0
        read raw = Yes
        write raw = Yes
        disable netbios = No
        reset on zero vc = No
        log writeable files on exit = No
        defer sharing violations = Yes
        nt pipe support = Yes
        nt status support = Yes
        max mux = 50
        max xmit = 16644
        name resolve order = lmhosts, wins, host, bcast
        max ttl = 259200
        max wins ttl = 518400
        min wins ttl = 21600
        time server = No
        unix extensions = Yes
        use spnego = Yes
        client signing = required
        server signing = required
        client use spnego = Yes
        client ldap sasl wrapping = plain
        enable asu support = No
        svcctl list = 
        cldap port = 0
        dgram port = 0
        nbt port = 0
        krb5 port = 0
        kpasswd port = 0
        web port = 0
        rpc big endian = No
        deadtime = 0
        getwd cache = Yes
        keepalive = 300
        lpq cache time = 30
        max smbd processes = 0
        max disk size = 0
        max open files = 16384
        socket options = TCP_NODELAY
        use mmap = Yes
        use ntdb = No
        hostname lookups = No
        name cache timeout = 660
        ctdbd socket = 
        cluster addresses = 
        clustering = No
        ctdb timeout = 0
        ctdb locktime warn threshold = 0
        smb2 max read = 1048576
        smb2 max write = 1048576
        smb2 max trans = 1048576
        smb2 max credits = 8192
        load printers = No
        printcap cache time = 0
        printcap name = /dev/null
        cups server = 
        cups encrypt = No
        cups connection timeout = 30
        iprint server = 
        disable spoolss = No
        addport command = 
        enumports command = 
        addprinter command = 
        deleteprinter command = 
        show add printer wizard = Yes
        os2 driver map = 
        mangling method = hash2
        mangle prefix = 1
        max stat cache size = 256
        stat cache = Yes
        machine password timeout = 604800
        add user script = 
        rename user script = 
        delete user script = 
        add group script = 
        delete group script = 
        add user to group script = 
        delete user from group script = 
        set primary group script = 
        add machine script = 
        shutdown script = 
        abort shutdown script = 
        username map script = 
        username map cache time = 0
        logon script = 
        logon path = \\%N\%U\profile
        logon drive = 
        logon home = \\%N\%U
        domain logons = No
        init logon delayed hosts = 
        init logon delay = 100
        os level = 20
        lm announce = Auto
        lm interval = 60
        preferred master = No
        local master = Yes
        domain master = Auto
        browse list = Yes
        enhanced browsing = Yes
        dns proxy = Yes
        wins proxy = No
        wins server = 
        wins support = No
        wins hook = 
        lock spin time = 200
        oplock break wait time = 0
        ldap admin dn = 
        ldap delete dn = No
        ldap group suffix = 
        ldap idmap suffix = 
        ldap machine suffix = 
        ldap passwd sync = no
        ldap replication sleep = 1000
        ldap suffix = 
        ldap ssl = start tls
        ldap ssl ads = No
        ldap deref = auto
        ldap follow referral = Auto
        ldap timeout = 15
        ldap connection timeout = 2
        ldap page size = 1024
        ldap user suffix = 
        ldap debug level = 0
        ldap debug threshold = 10
        eventlog list = 
        add share command = 
        change share command = 
        delete share command = 
        preload = 
        lock directory = /var/lock
        state directory = /var/locks
        cache directory = /var/cache
        pid directory = /var/run
        ntp signd socket directory = 
        utmp directory = 
        wtmp directory = 
        utmp = No
        default service = 
        message command = 
        get quota command = 
        set quota command = 
        remote announce = 
        remote browse sync = 
        nbt client socket address = 0.0.0.0
        nmbd bind explicit broadcast = Yes
        homedir map = auto.home
        afs username map = 
        afs token lifetime = 604800
        log nt token command = 
        NIS homedir = No
        registry shares = No
        usershare allow guests = No
        usershare max shares = 0
        usershare owner only = Yes
        usershare path = /var/locks/usershares
        usershare prefix allow list = 
        usershare prefix deny list = 
        usershare template share = 
        async smb echo handler = No
        panic action = 
        perfcount module = 
        host msdfs = Yes
        passdb expand explicit = No
        idmap backend = tdb
        idmap cache time = 604800
        idmap negative cache time = 120
        idmap uid = 
        idmap gid = 
        template homedir = /home/%D/%U
        template shell = /sbin/nologin
        winbind separator = \
        winbind cache time = 300
        winbind reconnect delay = 30
        winbind max clients = 200
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind trusted domains only = No
        winbind nested groups = Yes
        winbind expand groups = 1
        winbind nss info = template
        winbind refresh tickets = No
        winbind offline logon = No
        winbind normalize names = No
        winbind rpc only = No
        create krb5 conf = Yes
        ncalrpc dir = /var/run/ncalrpc
        winbind max domain connections = 1
        winbindd socket directory = 
        winbindd privileged socket directory = 
        winbind sealed pipes = No
        allow dns updates = disabled
        dns forwarder = 
        dns update command = 
        nsupdate command = 
        rndc command = 
        multicast dns register = Yes
        samba kcc command = 
        server services = 
        dcerpc endpoint servers = 
        spn update command = 
        share backend = 
        tls enabled = No
        tls keyfile = 
        tls certfile = 
        tls cafile = 
        tls crlfile = 
        tls dh params file = 
        idmap config * : range = 600-20000
        idmap config * : backend = tdb
        comment = 
        path = 
        username = 
        invalid users = 
        valid users = 
        admin users = 
        read list = 
        write list = 
        force user = 
        force group = 
        read only = Yes
        acl check permissions = Yes
        acl group control = No
        acl map full control = Yes
        acl allow execute always = No
        create mask = 0744
        force create mode = 00
        directory mask = 0755
        force directory mode = 00
        force unknown acl user = No
        inherit permissions = No
        inherit acls = No
        inherit owner = No
        guest only = No
        administrative share = No
        guest ok = No
        only user = No
        hosts allow = 
        hosts deny = 
        allocation roundup size = 1048576
        aio read size = 0
        aio write size = 0
        aio write behind = 
        ea support = No
        nt acl support = Yes
        profile acls = No
        map acl inherit = No
        afs share = No
        smb encrypt = default
        durable handles = Yes
        block size = 1024
        change notify = Yes
        directory name cache size = 100
        kernel change notify = Yes
        max connections = 0
        min print space = 0
        strict allocate = No
        strict sync = No
        sync always = No
        use sendfile = No
        write cache size = 0
        max reported print jobs = 0
        max print jobs = 1000
        printable = No
        print notify backchannel = Yes
        print ok = No
        printing = cups
        cups options = 
        print command = 
        lpq command = %p
        lprm command = 
        lppause command = 
        lpresume command = 
        queuepause command = 
        queueresume command = 
        printer name = 
        use client driver = No
        default devmode = Yes
        force printername = No
        printjob username = %U
        default case = lower
        case sensitive = Auto
        preserve case = Yes
        short preserve case = Yes
        mangling char = ~
        hide dot files = Yes
        hide special files = No
        hide unreadable = No
        hide unwriteable files = No
        delete veto files = No
        veto files = 
        hide files = 
        veto oplock files = 
        map archive = Yes
        map hidden = No
        map system = No
        map readonly = yes
        mangled names = Yes
        store dos attributes = No
        dmapi support = No
        browseable = Yes
        access based share enum = No
        blocking locks = Yes
        csc policy = manual
        fake oplocks = No
        kernel oplocks = No
        kernel share modes = Yes
        locking = Yes
        oplocks = Yes
        level2 oplocks = Yes
        oplock contention limit = 2
        posix locking = Yes
        strict locking = Auto
        dfree cache time = 0
        dfree command = 
        copy = 
        preexec = 
        preexec close = No
        postexec = 
        root preexec = 
        root preexec close = No
        root postexec = 
        available = Yes
        volume = 
        fstype = NTFS
        wide links = No
        follow symlinks = Yes
        dont descend = 
        magic script = 
        magic output = 
        delete readonly = No
        dos filemode = No
        dos filetimes = Yes
        dos filetime resolution = No
        fake directory create times = No
        vfs objects = 
        msdfs root = No
        msdfs proxy = 
        ntvfs handler = 

[home]
        comment = Home Directories
        path = /home
        read only = No

如能提供任何帮助,不胜感激。

答案1

事实证明,默认的锁定目录 /var/lock(即上面 testparm 输出中的 lock directory = /var/lock,由编译时使用 --PREFIX="" 导致)被 Samba 的锁定文件填满了。该目录是一个 5MB 的 tmpfs,而锁定文件通常会占用 3MB 或更多空间。

我建议将锁定目录改为一个未被其他程序使用、且所在文件系统有足够空间的专用路径。例如:

  lock directory = /var/samba
