diff options
Diffstat (limited to 'docs/htmldocs/using_samba/ch12.html')
| -rw-r--r-- | docs/htmldocs/using_samba/ch12.html | 3341 |
1 files changed, 0 insertions, 3341 deletions
diff --git a/docs/htmldocs/using_samba/ch12.html b/docs/htmldocs/using_samba/ch12.html deleted file mode 100644 index 6ba643fe73..0000000000 --- a/docs/htmldocs/using_samba/ch12.html +++ /dev/null @@ -1,3341 +0,0 @@ -<html> -<body bgcolor="#ffffff"> - -<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76" -hspace="10" align="left" /> - -<h1 class="head0">Chapter 12. Troubleshooting Samba</h1> - - -<p><a name="INDEX-1"/><a name="INDEX-2"/>Samba is extremely robust. Once you have -everything set up the way you want, you'll probably -forget that it is running. When trouble occurs, it's -typically during installation or when you're trying -to reconfigure the server. Fortunately, a wide variety of resources -are available to diagnose these troubles. While we -can't describe in detail the solution to every -problem you might encounter, you should be able to get a good start -at resolving the problem by following the advice given in this -chapter.</p> - -<p>The first section of this chapter lists the tool bag, a collection of -tools available for troubleshooting Samba; the second section is a -detailed how-to; the last section lists extra resources to track down -particularly stubborn problems.</p> - - - -<div class="sect1"><a name="samba2-CHP-12-SECT-1"/> - -<h2 class="head1">The Tool Box</h2> - -<p><a name="INDEX-3"/><a name="INDEX-4"/>Sometimes Unix -seems to be made up of a grab bag of applications and tools. There -are tools to troubleshoot tools. And of course, there are several -ways to accomplish the same task. When trying to solve a problem -related to Samba, a good plan of attack is to use the following:</p> - -<ul><li> -<p>Samba logs</p> -</li><li> -<p>Samba test utilities</p> -</li><li> -<p>Unix utilities</p> -</li><li> -<p>Fault tree</p> -</li><li> -<p>Documentation and FAQs</p> -</li><li> -<p>Samba newsgroups</p> -</li><li> -<p>Searchable mailing list archives</p> -</li></ul> -<p>Let's go over each of these one-by-one in the -following sections.</p> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-1.1"/> - -<h3 class="head2">Samba Logs</h3> - -<p><a name="INDEX-5"/><a name="INDEX-6"/>Your first line of attack should always -be to check the log files. The Samba log files can help diagnose the -vast majority of the problems faced by beginning- to -intermediate-level Samba administrators. Samba is quite flexible when -it comes to logging. You can set up the server to log as little or as -much information as you want. Using substitution variables in the -Samba configuration file allows you to isolate individual logs for -each system, share, or combination thereof.</p> - -<p>Logs are placed in <em class="filename">/usr/local/samba/var/smbd.log</em> -and <em class="filename">/usr/local/samba/var/nmbd.log</em> by default. -You can specify a log directory to use with the -<em class="emphasis">-l</em> flag on the command line when starting the -Samba daemons. For example:</p> - -<blockquote><pre class="code"># <tt class="userinput"><b>smbd -l /var/log/samba</b></tt> -# <tt class="userinput"><b>nmbd -l /var/log/samba</b></tt></pre></blockquote> - -<p>Alternatively, you can override the location and name using the -<tt class="literal">log</tt><a name="INDEX-7"/> <tt class="literal">file</tt> configuration -option in <em class="filename">smb.conf</em>. This option accepts all the -substitution variables, so you could easily have the server keep a -separate log for each connecting client system by specifying the -following:</p> - -<blockquote><pre class="code">[global] - log file = %m.log</pre></blockquote> - -<p>Another useful trick is to have the server keep a log for each -service (share) that is offered, especially if you suspect a -particular share is causing trouble. To do this, use the -<tt class="literal">%S</tt> variable, like this:</p> - -<blockquote><pre class="code">[global] - log file = %S.log</pre></blockquote> - - -<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.1"/> - -<h3 class="head3">Log levels</h3> - -<p><a name="INDEX-8"/>The level of logging that Samba uses -can be set in the <em class="filename">smb.conf</em> file using the global -<tt class="literal">log</tt> <tt class="literal">level</tt> or -<tt class="literal">debug</tt> <tt class="literal">level</tt> option; they are -equivalent. The logging level is an integer that can range from 0 to -10. At level 0, no logging is done. Higher values result in more -voluminous logging. For example, let's assume that -we will use a Windows client to browse a directory on a Samba server. -For a small amount of log information, you can use -<tt class="literal">log</tt> <tt class="literal">level</tt> <tt class="literal">=</tt> -<tt class="literal">1</tt>, which instructs Samba to show only cursory -information, in this case only the connection itself:</p> - -<blockquote><pre class="code">05/25/02 22:02:11 server (192.168.236.86) connect to service public as user pcguest -(uid=503,gid=100) (pid 3377)</pre></blockquote> - -<p>Higher debug levels produce more detailed information. Usually, you -won't need more than level 3, which is fully -adequate for most Samba administrators. Levels above 3 are used by -the developers and dump enormous amounts of cryptic information.</p> - -<p>Here is an example of output at levels 2 and 3 for the same -operation. Don't worry if you don't -understand the intricacies of an SMB connection; the point is simply -to show you what types of information are shown at the different -<a name="INDEX-9"/>logging levels:</p> - -<blockquote><pre class="code"> /* Level 2 */ -Got SIGHUP -Processing section "[homes]" -Processing section "[public]" -Processing section "[temp]" -Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$ -Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/ - - -/* Level 3 */ -05/25/02 22:15:09 Transaction 63 of length 67 -switch message SMBtconX (pid 3377) -Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$ -ACCEPTED: guest account and guest ok -found free connection number 105 -Connect path is /tmp -chdir to /tmp -chdir to / -05/25/02 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest -(uid=503,gid=100) (pid 3377) -05/25/02 22:15:09 tconX service=ipc$ user=pcguest cnum=105 -05/25/02 22:15:09 Transaction 64 of length 99 -switch message SMBtrans (pid 3377) -chdir to /tmp -trans <\PIPE\LANMAN> data=0 params=19 setup=0 -Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8) -Doing RNetShareEnum -RNetShareEnum gave 4 entries of 4 (1 4096 126 4096) -05/25/02 22:15:11 Transaction 65 of length 99 -switch message SMBtrans (pid 3377) -chdir to / -chdir to /tmp -trans <\PIPE\LANMAN> data=0 params=19 setup=0 -Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8) -Doing RNetShareEnum -RNetShareEnum gave 4 entries of 4 (1 4096 126 4096) -05/25/02 22:15:11 Transaction 66 of length 95 -switch message SMBtrans2 (pid 3377) -chdir to / -chdir to /pcdisk/public -call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end -= 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432 -unix_clean_name [./DESKTOP.INI] -unix_clean_name [desktop.ini] -unix_clean_name [./] -creating new dirptr 1 for path ./, expect_close = 1 -05/25/02 22:15:11 Transaction 67 of length 53 -switch message SMBgetatr (pid 3377) -chdir to / - -<i class="lineannotation">[... deleted ...]</i></pre></blockquote> - -<p>We cut off this listing after the first packet because it runs on for -many pages. However, be aware that log levels above 3 will quickly -consume disk space with megabytes of excruciating detail concerning -Samba's internal operations. Log level 3 is -extremely useful for following exactly what the server is doing, and -most of the time it will be obvious where an error occurs by glancing -through the log file.</p> - -<p>Using a high log level (3 or above) will -<em class="emphasis">seriously</em> slow down the Samba server. Remember -that every log message generated causes a write to disk (an -inherently slow operation) and log levels greater than 2 produce -massive amounts of data. Essentially, you should turn on logging -level 3 only when you're actively tracking a problem -in the Samba server. <a name="INDEX-10"/></p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.2"/> - -<h3 class="head3">Activating and deactivating logging</h3> - -<p><a name="INDEX-11"/><a name="INDEX-12"/>To turn logging on and off, -set the appropriate level in the <tt class="literal">[global]</tt> section -of <em class="filename">smb.conf</em>. Then, you can either restart Samba -or force the current daemon to reprocess the configuration file by -sending it a hangup (HUP) signal. You also can send the -<em class="emphasis">smbd</em> process a SIGUSR1 signal to increase its -log level by one while it's running, like this:</p> - -<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR1 1234</b></tt></pre></blockquote> - -<p>or a SIGUSR2 signal to decrease it by one:</p> - -<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR2 1234</b></tt></pre></blockquote> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.3"/> - -<h3 class="head3">Logging by individual client systems or users</h3> - -<p>An effective way to diagnose problems without hampering other users -is to assign different log levels for different systems in the -<tt class="literal">[global]</tt> section of the -<em class="filename">smb.conf</em> file. We can do this by building on the -strategy we presented earlier:</p> - -<blockquote><pre class="code">[global] - log level = 0 - log file = /usr/local/samba/var/log.%m - include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote> - -<p>These options instruct Samba to use unique configuration and log -files for each client that connects. Now all you have to do is create -an <em class="filename">smb.conf</em> file for a specific client system -with a <tt class="literal">log</tt> <tt class="literal">level</tt> -<tt class="literal">=</tt> <tt class="literal">3</tt> entry in it (the others -will pick up the default log level of 0) and use that log file to -track down the problem.</p> - -<p>Similarly, if only particular users are experiencing a -problem—and it travels from system to system with -them—you can isolate logging to a specific user by adding the -following to the <em class="filename">smb.conf</em> file:</p> - -<blockquote><pre class="code">[global] - log level = 0 - log file = /usr/local/samba/var/log.%u - include = /usr/local/samba/lib/smb.conf.%u</pre></blockquote> - -<p>Then you can create a unique <em class="filename">smb.conf</em> file for -each user you wish to monitor (e.g., -<em class="filename">/usr/local/samba/lib/smb.conf.tim</em>). Files -containing the configuration option <tt class="literal">log</tt> -<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">3</tt> -and only those users will get more detailed logging.<a name="INDEX-13"/><a name="INDEX-14"/></p> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-1.2"/> - -<h3 class="head2">Samba Test Utilities</h3> - -<p><a name="INDEX-15"/><a name="INDEX-16"/>A rigorous set of tests that exercise -the major parts of Samba are described in various files in the -<em class="emphasis">/docs/textdocs</em> directory of the Samba -distribution kit, starting with <em class="emphasis">DIAGNOSIS.txt</em>. -The fault tree in this chapter is a more detailed version of the -basic tests suggested by the Samba Team, but it covers only -installation and reconfiguration diagnosis, such as -<em class="emphasis">DIAGNOSIS.txt</em>. The other files in the -<em class="emphasis">/docs</em> subdirectories address specific problems -and instruct you how to troubleshoot items not included in this book. -If the fault tree doesn't suffice, be sure to look -at -<em class="emphasis">DIAGNOSIS.txt</em><a name="INDEX-17"/> -and its friends.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-1.3"/> - -<h3 class="head2">Unix Utilities</h3> - -<p>Sometimes it's useful to use a tool outside the -Samba suite to examine what's happening inside the -server. Three diagnostic tools can be of particular help in debugging -Samba troubles: <em class="emphasis">trace</em>, -<em class="emphasis">tcpdump</em>, and <em class="emphasis">Ethereal</em>.</p> - - -<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.1"/> - -<h3 class="head3">Using trace</h3> - -<p>The <em class="emphasis">trace</em><a name="INDEX-18"/> command masquerades under several -different names, depending on the operating system you are using. On -Linux it will be -<em class="emphasis">strace</em><a name="INDEX-19"/>; on Solaris you'll use -<em class="emphasis">truss</em><a name="INDEX-20"/>; SGI will have -<em class="emphasis">padc</em><a name="INDEX-21"/> and -<em class="emphasis">par</em><a name="INDEX-22"/>; and HP-UX will have -<em class="emphasis">trace</em> or -<em class="emphasis">tusc</em><a name="INDEX-23"/>. All have essentially the same -function, which is to display each operating system function call as -it is executed. This allows you to follow the execution of a program, -such as the Samba server, and often pinpoints the exact call that is -causing the difficulty.</p> - -<p>One problem that <em class="emphasis">trace</em> can highlight is an -incorrect version of a dynamically linked library. This can happen if -you've downloaded prebuilt binaries of Samba. -You'll typically see the offending call at the end -of the <em class="emphasis">trace</em>, just before the program -terminates.</p> - -<p>A sample <em class="emphasis">strace</em> output for the Linux operating -system follows. This is a small section of a larger file created -during the opening of a directory on the Samba server. Each line -lists a system call and includes its parameters and the return value. -If there was an error, the error value (e.g., -<tt class="literal">ENOENT</tt>) and its explanation are also shown. You -can look up the parameter types and the errors that can occur in the -appropriate <em class="emphasis">trace</em> manual page for the operating -system you are using.</p> - -<blockquote><pre class="code">chdir("/pcdisk/public") = 0 -stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory) -stat("mini", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 -stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory) -open("mini", O_RDONLY) = 5 -fcntl(5, F_SETFD, FD_CLOEXEC) = 0 -fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 -lseek(5, 0, SEEK_CUR) = 0 -SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196 -lseek(5, 0, SEEK_CUR) = 1024 -SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0 -close(5) = 0 -stat("mini/desktop.ini", 0xbffff86c) = -1 ENOENT (No such file or directory) -write(3, "\0\0\0#\377SMB\10\1\0\2\0\200\1\0"..., 39) = 39 -SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1 -read(3, "\0\0\0?", 4) = 4 -read(3, "\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0"..., 63) = 63 -time(NULL) = 896143871</pre></blockquote> - -<p>This example shows several <em class="emphasis">stat() calls</em> failing -to find the files they were expecting. You don't -have to be an expert to see that the file -<em class="emphasis">desktop.ini</em> is missing from that directory. In -fact, many difficult problems can be identified by looking for -obvious, repeatable errors with <em class="emphasis">trace</em>. Often, -you need not look further than the last message before a crash.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.2"/> - -<h3 class="head3">Using tcpdump</h3> - -<p>The <em class="emphasis">tcpdump</em><a name="INDEX-24"/> program, as extended by Andrew -<a name="INDEX-25"/>Tridgell, -allows you to monitor SMB <a name="INDEX-26"/>network -traffic in real time. A variety of output formats are available, and -you can filter the output to look at only a particular type of -traffic. You can examine all conversations between client and server, -including SMB and NMB broadcast messages. While its troubleshooting -capabilities lie mainly at the OSI network layer, you can still use -its output to get a general idea of what the server and client are -attempting to do.</p> - -<p>A sample <em class="emphasis">tcpdump</em> log follows. In this instance, -the client has requested a directory listing, and the server has -responded appropriately, giving the directory names -<tt class="literal">homes</tt>, <tt class="literal">public</tt>, -<tt class="literal">IPC$</tt>, and <tt class="literal">temp</tt> -(we've added a few explanations on the right):</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>tcpdump -v -s 255 -i eth0 port not telnet</b></tt> -SMB PACKET: SMBtrans (REQUEST) <i class="lineannotation"> Request packet</i> -SMB Command = 0x25 <i class="lineannotation">Request was ls or dir</i> - -[000] 01 00 00 10 <i class="lineannotation">....</i> - - ->>> NBT Packet <i class="lineannotation">Outer frame of SMB packet</i> -NBT Session Packet -Flags=0x0 -Length=226 -[lines skipped] - -SMB PACKET: SMBtrans (REPLY) <i class="lineannotation">Beginning of a reply to request</i> -SMB Command = 0x25 <i class="lineannotation">Command was an ls or dir</i> -Error class = 0x0 -Error code = 0 <i class="lineannotation">No errors</i> -Flags1 = 0x80 -Flags2 = 0x1 -Tree ID = 105 -Proc ID = 6075 -UID = 100 -MID = 30337 -Word Count = 10 -TotParamCnt=8 -TotDataCnt=163 -Res1=0 -ParamCnt=8 -ParamOff=55 -Res2=0 -DataCnt=163 -DataOff=63 -Res3=0 -Lsetup=0 -Param Data: (8 bytes) -[000] 00 00 00 00 05 00 05 00 ........ - -Data Data: (135 bytes) <i class="lineannotation">Actual directory contents:</i> -[000] 68 6F 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 homes... ........ -[010] 64 00 00 00 70 75 62 6C 69 63 00 00 00 00 00 00 d...publ ic...... -[020] 00 00 00 00 75 00 00 00 74 65 6D 70 00 00 00 00 ....u... temp.... -[030] 00 00 00 00 00 00 00 00 76 00 00 00 49 50 43 24 ........ v...IPC$ -[040] 00 00 00 00 00 00 00 00 00 00 03 00 77 00 00 00 ........ ....w... -[050] 64 6F 6E 68 61 6D 00 00 00 00 00 00 00 00 00 00 donham.. ........ -[060] 92 00 00 00 48 6F 6D 65 20 44 69 72 65 63 74 6F ....Home Directo -[070] 72 69 65 73 00 00 00 49 50 43 20 53 65 72 76 69 ries...I PC Servi -[080] 63 65 20 28 53 61 6D ce (Sam</pre></blockquote> - -<p>This is more of the same debugging session as we saw before with the -<em class="emphasis">trace</em> command: the listing of a directory. The options -we used were <em class="emphasis">-v</em> (verbose), <em class="emphasis">-i -eth0</em> to tell <em class="emphasis">tcpdump</em> on which -interface to listen (an Ethernet port), and <em class="emphasis">-s -255</em> to tell it to save the first 255 bytes of each packet -instead of the default: the first 68. The option -<tt class="literal">port</tt> <tt class="literal">not</tt> -<tt class="literal">telnet</tt> is used to avoid screens of telnet traffic, -because we were logged in to the server remotely. The -<em class="emphasis">tcpdump</em> program actually has quite a number of -options to filter just the traffic you want to look at. If -you've used <em class="emphasis">snoop</em> or -<em class="emphasis">etherdump</em>, it will look vaguely familiar.</p> - -<p>You can download the modified <em class="emphasis">tcpdump</em> from the -Samba FTP server, located at -<a href="ftp://samba.anu.edu.au/pub/samba/tcpdump-smb">ftp://samba.anu.edu.au/pub/samba/tcpdump-smb</a>. -Other versions might not include support for the SMB protocol; if you -don't see output such as that shown in the example, -you'll need to use the SMB-enabled version.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.3"/> - -<h3 class="head3">Using Ethereal</h3> - -<p><a name="INDEX-27"/>Ethereal (<a href="http://www.ethereal.com">http://www.ethereal.com</a>) is a GUI-based -utility that performs the same basic function as -<em class="emphasis">tcpdump</em>. You might prefer Ethereal because it is -much easier to use. Once you have Ethereal running, just do the -following:</p> - -<ol><li> -<p>Select Start from the Capture menu.</p> -</li><li> -<p>Click the OK button in the dialog box that appears. This will bring -up a dialog box showing how many packets Ethereal has seen. Perform -the actions on the system(s) in your network to reproduce the problem -you are analyzing.</p> -</li><li> -<p>Click the Stop button in the Ethereal dialog box to make it finish -collecting data.</p> -</li><li> -<p>In the main Ethereal window, click any item in the upper window to -view it in the lower window. In the lower window, click any of the -boxes containing a plus sign (<tt class="literal">+</tt>) to expand the -view.</p> -</li></ol> -<p>Ethereal does a good job of translating the content of the packets it -encounters into human-readable format, and you should have little -trouble seeing what happened on the network during the capture -period. <a name="INDEX-28"/><a name="INDEX-29"/></p> - - -</div> - - -</div> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-12-SECT-2"/> - -<h2 class="head1">The Fault Tree</h2> - -<p><a name="INDEX-30"/><a name="INDEX-31"/><a name="INDEX-32"/><a name="INDEX-33"/>The fault -tree presented in this section is for diagnosing and fixing problems -that occur when you're installing and reconfiguring -Samba. It's an expanded form of the trouble and -diagnostic document <em class="filename">DIAGNOSIS.txt</em>, which is part -of the Samba distribution.</p> - -<p>Before you set out to troubleshoot any part of the Samba suite, you -should know the following information:</p> - -<ul><li> -<p>Your client IP address (we use 192.168.236.10)</p> -</li><li> -<p>Your server IP address (we use 192.168.236.86)</p> -</li><li> -<p>The netmask for your network (typically 255.255.255.0)</p> -</li><li> -<p>Whether the systems are all on the same subnet (ours are)</p> -</li></ul> -<p>For clarity, we've renamed the server in the -following examples to <tt class="literal">server.example.com</tt>, and the -client system to <tt class="literal">client.example.com</tt>.</p> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-2.1"/> - -<h3 class="head2">How to Use the Fault Tree</h3> - -<p>Start the tests here, without skipping forward; it -won't take long (about 5 minutes) and might actually -save you time backtracking. Whenever a test succeeds, you will be -given a name of a section to which you can safely skip.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-2.2"/> - -<h3 class="head2">Troubleshooting Low-Level IP</h3> - -<p><a name="INDEX-34"/>The -first series of tests is that of the low-level services that Samba -needs to run. The tests in this section verify that:</p> - -<ul><li> -<p>The IP software works</p> -</li><li> -<p>The Ethernet hardware works</p> -</li><li> -<p>Basic name service is in place</p> -</li></ul> -<p>Subsequent sections add TCP software, the Samba daemons -<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>, host-based -access control, authentication and per-user access control, file -services, and browsing. The tests are described in considerable -detail to make them understandable by both technically oriented end -users and experienced systems and network administrators.</p> - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.1"/> - -<h3 class="head3">Testing the networking software with ping</h3> - -<p><a name="INDEX-35"/>The first command to enter -on both the server and the client is -<tt class="literal">ping</tt><a name="INDEX-36"/><a name="INDEX-37"/> -<tt class="literal">127.0.0.1</tt>. This pings the loopback address and -indicates whether any networking support is functioning. On Unix, you -can use <tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> with the -statistics option and interrupt it after a few lines. On Sun -workstations, the command is typically -<tt class="literal">/usr/etc/ping</tt> <tt class="literal">-s</tt> -<tt class="literal">127.0.0.1</tt>; on Linux, just <tt class="literal">ping</tt> -<tt class="literal">127.0.0.1</tt>. On Windows clients, run -<tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> in an MS-DOS -(command prompt) window, and it will stop by itself after four lines.</p> - -<p>Here is an example on a Linux server:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>ping 127.0.0.1 </b></tt> -PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): -icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1): -icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): -icmp-seq=2. time=1. ms ^C -----127.0.0.1 PING Statistics---- -3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) -min/avg/max = 0/0/1</pre></blockquote> - -<p>If you get "ping: no answer from . . . -" or "100% packet -loss," you have no IP networking installed on the -system. The address <tt class="literal">127.0.0.1</tt> is the internal -loopback address and doesn't depend on the computer -being physically connected to a network. If this test fails, you have -a serious local problem. TCP/IP either isn't -installed or is seriously misconfigured. See your operating system -documentation if it's a Unix server. If -it's a Windows client, follow the instructions in -<a href="ch03.html">Chapter 3</a> to install networking support.</p> - -<a name="samba2-CHP-12-NOTE-155"/><blockquote class="note"><h4 class="objtitle">TIP</h4> -<p>If <em class="emphasis">you're</em> the network manager, -some good references are Craig Hunt's -<em class="emphasis">TCP/IP Network Administration</em>, Chapter 11, and Craig Hunt and Robert Bruce -Thompson's <em class="emphasis">Windows NT TCP/IP Network -Administration</em>, both published by -O'Reilly.</p> -</blockquote> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.2"/> - -<h3 class="head3">Testing local name services with ping</h3> - -<p><a name="INDEX-38"/>Next, try to ping -<tt class="literal">localhost</tt> on the Samba server. The -<tt class="literal">localhost</tt> hostname is the conventional hostname -for the <tt class="literal">127.0.0.1</tt> loopback interface, and it -should resolve to that address. After typing <tt class="literal">ping</tt> -<tt class="literal">localhost</tt>, you should see output similar to the -following:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>ping localhost </b></tt> -PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): -icmp-seq=0. time=0. ms 64 bytes from localhost (127.0.0.1): -icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): -icmp-seq=2. time=0. ms ^C</pre></blockquote> - -<p>If this succeeds, try the same test on the client. Otherwise:</p> - -<ul><li> -<p>If you get "unknown host: -localhost," there is a problem resolving the -hostname <em class="filename">localhost</em> into a valid IP address. -(This might be as simple as a missing entry in a local -<em class="emphasis">hosts</em> file.) From here, skip down to -<a href="ch03.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a> later in this chapter.</p> -</li><li> -<p>If you get "ping: no answer," or -"100% packet loss," but pinging -<tt class="literal">127.0.0.1</tt> worked, name services is resolving to an -address, but it isn't the correct one. Check the -file or database (typically <em class="filename">/etc/hosts</em> on a Unix -system) that the name service is using to resolve addresses to ensure -that the entry is correct.</p> -</li></ul> - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.3"/> - -<h3 class="head3">Testing the networking hardware with ping</h3> - -<p><a name="INDEX-39"/>Next, ping the -server's network IP address from itself. This should -get you exactly the same results as pinging -<tt class="literal">127.0.0.1</tt>:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>ping 192.168.236.86 </b></tt> -PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86): -icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86): -icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86): -icmp-seq=2. time=1. ms ^C -----192.168.236.86 PING Statistics---- -3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) -min/avg/max = 0/0/1</pre></blockquote> - -<p>If this works on the server, repeat it for the client. Otherwise:</p> - -<ul><li> -<p>If <tt class="literal">ping</tt> <em class="replaceable">network_ip</em> -fails on either the server or client, but <tt class="literal">ping</tt> -<tt class="literal">127.0.0.1</tt> works on that system, you have a TCP/IP -problem that is specific to the Ethernet network interface card on -the computer. Check with the documentation for the network card or -host operating system to determine how to configure it correctly. -However, be aware that on some operating systems, the -<em class="emphasis">ping</em> command appears to work even if the network -is disconnected, so this test doesn't always -diagnose all hardware problems.</p> -</li></ul> - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.4"/> - -<h3 class="head3">Testing connections with ping</h3> - -<p><a name="INDEX-40"/>Now, ping the server by name (instead -of its IP address)—once from the server and once from the -client. This is the general test for working network hardware:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>ping server </b></tt> -PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86): -icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86): -icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86): -icmp-seq=2. time=1. ms ^C -----server.example.com PING Statistics---- -3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) -min/avg/max = 0/0/1</pre></blockquote> - -<p>If successful, this test tells us five things:</p> - -<ul><li> -<p>The hostname (e.g., <tt class="literal">server</tt>) is being found by your -local name server.</p> -</li><li> -<p>The hostname has been expanded to the full name (e.g., -<tt class="literal">server.example.com</tt>).</p> -</li><li> -<p>Its address is being returned (<tt class="literal">192.168.236.86</tt>).</p> -</li><li> -<p>The client has sent the Samba server four 56-byte UDP/IP packets.</p> -</li><li> -<p>The Samba server has replied to all four packets.</p> -</li></ul> -<p>If this test isn't successful, one of several things -can be wrong with the network:</p> - -<ul><li> -<p>First, if you get <tt class="literal">ping</tt>: <tt class="literal">no</tt> -<tt class="literal">answer</tt>, or <tt class="literal">100%</tt> -<tt class="literal">packet</tt> <tt class="literal">loss</tt>, -you're not connecting to the network, the other -system isn't connecting, or one of the addresses is -incorrect. Check the addresses that the <em class="emphasis">ping</em> -command reports on each system, and ensure that they match the ones -you set up initially.</p> - -<p>If not, there is at least one mismatched address between the two -systems. Try entering the command <tt class="literal">arp</tt> -<tt class="literal">-a</tt>, and see if there is an entry for the other -system. (The <em class="emphasis">arp</em> command stands for the Address -Resolution Protocol. The <tt class="literal">arp</tt> <tt class="literal">-a</tt> -command lists all the addresses known on the local system.) Here are -some things to try:</p> -<ul><li> -<p>If you receive a message like <tt class="literal">192.168.236.86</tt> -<tt class="literal">at</tt> <tt class="literal">(incomplete)</tt>, the Ethernet -address of 192.168.236.86 is unknown. This indicates a complete lack -of connectivity, and you're likely having a problem -at the very bottom of the TCP/IP protocol stack—the Ethernet -interface layer. This is discussed in Chapters 5 and 6 of -<em class="citetitle">TCP/IP Network Administration -</em>(O'Reilly).</p> -</li><li> -<p>If you receive a response similar to server -<tt class="literal">(192.168.236.86)</tt> <tt class="literal">at</tt> -<tt class="literal">8:0:20:12:7c:94</tt>, the server has been reached at -some time, or another system is answering on its behalf. However, -this means that <em class="emphasis">ping</em> should have worked: you may -have an intermittent networking or ARP problem.</p> -</li><li> -<p>If the IP address from ARP doesn't match the -addresses you expected, investigate and correct the addresses -manually.</p> -</li> -</ul> -</li> - -<li> -<p>If each system can ping itself but not another, something is wrong on -the network between them.</p> -</li><li> -<p>If you get <tt class="literal">ping</tt>: <tt class="literal">network</tt> -<tt class="literal">unreachable</tt> or <tt class="literal">ICMP</tt> -<tt class="literal">Host</tt> <tt class="literal">Unreachable</tt>, -you're not receiving an answer, and more than one -network is probably involved.</p> - -<p>In principle, you shouldn't try to troubleshoot SMB -clients and servers on different networks. Try to test a server and -client that are on the same network:</p> - -<ol><li> -<p>First, perform the tests for <tt class="literal">ping</tt>: -<tt class="literal">no</tt> <tt class="literal">answer</tt> described earlier in -this section. If this doesn't identify the problem, -the remaining possibilities are the following: an address is wrong, -your netmask is wrong, a network is down, or the packets have been -stopped by a firewall.</p> -</li> -<li> -<p>Check both the address and the netmasks on source and destination -systems to see if something is obviously wrong. Assuming both systems -really are on the same network, they both should have the same -netmasks, and <em class="emphasis">ping</em> should report the correct -addresses. If the addresses are wrong, you'll need -to correct them. If they are correct, the programs might be confused -by an incorrect netmask. See <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter.</p> -</li> -<li> -<p>If the commands are still reporting that the network is unreachable -and neither of the previous two conditions are in error, one network -really might be unreachable from the other. This, too, is an issue -for the network manager.</p> -</li></ol> -</li><li> -<p>If you get <tt class="literal">ICMP</tt> -<tt class="literal">Administratively</tt> <tt class="literal">Prohibited</tt>, -you've struck a firewall of some sort or a -misconfigured router. You will need to speak to your network security -officer.</p> -</li><li> -<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt> -<tt class="literal">redirect</tt> and <em class="emphasis">ping</em> reports -packets getting through, this is generally harmless: -you're simply being rerouted over the network.</p> -</li><li> -<p>If you get a host redirect and no <em class="emphasis">ping</em> -responses, you are being redirected, but no one is responding. Treat -this just like the <tt class="literal">Network</tt> -<tt class="literal">unreachable</tt> response, and check your addresses and -netmasks.</p> -</li><li> -<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt> -<tt class="literal">Unreachable</tt> <tt class="literal">from</tt> -<tt class="literal">gateway</tt> <tt class="literal">gateway</tt> -<tt class="literal">name</tt>, ping packets are being routed to another -network, but the other system isn't responding and -the router is reporting the problem on its behalf. Again, treat this -like a <tt class="literal">Network</tt> <tt class="literal">unreachable</tt> -response, and start checking addresses and netmasks.</p> -</li><li> -<p>If you get <tt class="literal">ping</tt>: <tt class="literal">unknown</tt> -<tt class="literal">host</tt> <tt class="literal">hostname</tt>, your -system's name is not known. This tends to indicate a -name service problem, which didn't affect -<tt class="literal">localhost</tt>. Have a look at <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p> -</li><li> -<p>If you get a partial success—with some pings failing but others -succeeding—you have either an intermittent problem between the -systems or an overloaded network. Ping a bit longer, and see if more -than about three percent of the packets fail. If so, check it with -your network manager: a problem might just be starting. However, if -only a few fail, or if you happen to know some massive network -program is running, don't worry unduly. The ICMP -(and UDP) protocols used by <em class="emphasis">ping</em> are allowed to -drop occasional packets.</p> -</li><li> -<p>If you get a response such as <tt class="literal">smtsvr.antares.net</tt> -<tt class="literal">is</tt> <tt class="literal">alive</tt> when you actually -pinged <tt class="literal">client.example.com</tt>, either -you're using someone else's address -or the system has multiple names and addresses. If the address is -wrong, the name service is clearly the culprit; -you'll need to change the address in the name -service database to refer to the correct system. This is discussed in -<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this -chapter.</p> - -<p>Servers are often <em class="emphasis">multihomed</em> —i.e., -connected to more than one network, with different names on each net. -If you are getting a response from an unexpected name on a multihomed -server, look at the address and see if it's on your -network (see <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter). If -so, you should use that address, rather than one on a different -network, for both performance and reliability reasons.</p> - -<p>Servers can also have multiple names for a single Ethernet address, -especially if they are web servers. This is harmless, albeit -startling. You probably will want to use the official (and permanent) -name, rather than an alias that might change.</p> -</li><li> -<p>If everything works but the IP address reported is -<tt class="literal">127.0.0.1</tt>, you have a name service error. This -typically occurs when an operating-system installation program -generates an <em class="filename">/etc/hosts</em> line similar to -<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> -<em class="emphasis">hostname.domainname</em>. The localhost line should -say <tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> or -<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> -<tt class="literal">loghost</tt>. Correct it, lest it cause failures to -negotiate who is the master browse list holder and who is the master -browser. It can also cause (ambiguous) errors in later tests.</p> -</li></ul> -<p>If this worked from the server, repeat it from the client. <a name="INDEX-41"/> -<a name="INDEX-42"/><a name="INDEX-43"/></p> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-2.3"/> - -<h3 class="head2">Troubleshooting TCP</h3> - -<p><a name="INDEX-44"/><a name="INDEX-45"/>Now that -you've tested IP, UDP, and a name service with -<em class="emphasis">ping</em>, it's time to test TCP. -Browsing and <em class="emphasis">ping</em> use ICMP and UDP; file and -print services (shares) use TCP. Both depend on IP as a lower layer, -and all four depend on name services. Testing TCP is most -conveniently done using the FTP program.</p> - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.3.1"/> - -<h3 class="head3">Testing TCP with FTP</h3> - -<p>Try connecting via FTP, once from the server to itself, and once from -the client to the server:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>ftp server</b></tt> -Connected to server.example.com. -220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready. - Name (server:davecb): -331 Password required for davecb. -Password: -230 User davecb logged in. - ftp><tt class="userinput"><b> quit </b></tt> -221 Goodbye.</pre></blockquote> - -<p>If this worked, skip to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>. Otherwise:</p> - -<ul><li> -<p>If you received the message <tt class="literal">server</tt>: -<tt class="literal">unknown</tt> <tt class="literal">host</tt>, name service has -failed. Go back to the corresponding <em class="emphasis">ping</em> step, -<a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>, and rerun those tests -to see why name lookup failed.</p> -</li><li> -<p>If you received <tt class="literal">ftp</tt>: <tt class="literal">connect</tt>: -<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the system -isn't running an FTP daemon. This is mildly unusual -on Unix servers. Optionally, you might try this test by connecting to -the system using <em class="emphasis">telnet</em> instead of -<em class="emphasis">ftp</em>; the messages are very similar, and -<em class="emphasis">telnet</em> uses TCP as well.</p> -</li><li> -<p>If there was a long pause, and then <tt class="literal">ftp</tt>: -<tt class="literal">connect</tt>: <tt class="literal">Connection</tt> -<tt class="literal">timed</tt> <tt class="literal">out</tt>, the system -isn't reachable. Return to <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>.</p> -</li><li> -<p>If you received <tt class="literal">530</tt> <tt class="literal">Logon</tt> -<tt class="literal">Incorrect</tt>, you connected successfully, but -you've just found a different problem. You likely -provided an incorrect username or password. Try again, making sure -you use your username from the Unix server and type your password -correctly.</p> -</li></ul> - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-2.4"/> - -<h3 class="head2">Troubleshooting Server Daemons</h3> - -<p><a name="INDEX-46"/>Once -you've confirmed that TCP networking is working -properly, the next step is to make sure the daemons are running on -the server. This takes three separate tests because no single one of -the following will decisively prove that they're -working correctly.</p> - -<p>To be sure they're running, you need to find out -whether the daemons:</p> - -<ol><li> -<p>Have started</p> -</li><li> -<p>Are registered or bound to a TCP/IP port by the operating system</p> -</li><li> -<p>Are actually paying attention</p> -</li></ol> - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.1"/> - -<h3 class="head3">Tracking daemon startup</h3> - -<p><a name="INDEX-47"/>First, check the Samba logs. If -you've started the daemons, the message -<tt class="literal">smbd</tt> <tt class="literal">version</tt> -<tt class="literal">number</tt> <tt class="literal">started</tt> should appear. -If it doesn't, you need to restart the Samba -daemons.</p> - -<p>If the daemon reports that it has indeed started, look out for -<tt class="literal">bind</tt> <tt class="literal">failed</tt> -<tt class="literal">on</tt> <tt class="literal">port</tt> <tt class="literal">139</tt> -<tt class="literal">socket_addr=0</tt> <tt class="literal">(Address</tt> -<tt class="literal">already</tt> <tt class="literal">in</tt> -<tt class="literal">use)</tt>. This means another daemon has been started -on port 139 (<em class="emphasis">smbd</em> ). Also, -<em class="emphasis">nmbd</em> will report a similar failure if it cannot -bind to port 137. Either you've started them twice, -or the <em class="emphasis">inetd</em> server has tried to provide a -daemon for you. If it's the latter, -we'll diagnose that in a moment.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.2"/> - -<h3 class="head3">Looking for daemon processes with ps</h3> - -<p><a name="INDEX-48"/>Another way to make sure the daemons are -running is to check their processes on the system. Use the -<em class="emphasis">ps</em><a name="INDEX-49"/> command on the server with the -"long" option for your system type -(commonly <tt class="literal">ps</tt> <tt class="literal">ax</tt> or -<tt class="literal">ps</tt> <tt class="literal">-ef</tt>), and see whether -<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> are already -running. This often looks like the following:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>ps ax</b></tt> - PID TTY STAT TIME COMMAND - 1 ? S 0:03 init [2] - 2 ? SW 0:00 (kflushd) -<i class="lineannotation">(...many lines of processes...) </i> - 234 ? S 0:14 nmbd -D3 - 237 ? S 0:11 smbd -D3 -<i class="lineannotation">(...more lines, possibly including more smbd lines...)</i></pre></blockquote> - -<p>This example illustrates that <em class="emphasis">smbd</em> and -<em class="emphasis">nmbd</em> have already started as standalone daemons -(the <em class="emphasis">-D</em> option) at log level 3.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.3"/> - -<h3 class="head3">Looking for daemons bound to ports</h3> - -<p><a name="INDEX-50"/>Next, the daemons have to be registered -with the operating system so that they can get access to TCP/IP -ports. The <em class="emphasis">netstat</em> command will tell you if this -has been done. Run the command <tt class="literal">netstat</tt> -<tt class="literal">-a</tt> on the server, and look for lines mentioning -<tt class="literal">netbios</tt>, <tt class="literal">137</tt>, or -<tt class="literal">139</tt>:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>netstat -a </b></tt> -Active Internet connections (including servers) -Proto Recv-Q Send-Q Local Address Foreign Address (state) -udp 0 0 *.137 *.* -tcp 0 0 *.139 *.* LISTEN -tcp 8370 8760 server.139 client.1439 ESTABLISHED</pre></blockquote> - -<p>Among similar lines, there should be at least one UDP line for -<tt class="literal">*.netbios-</tt> or <tt class="literal">*.137</tt>. This -indicates that the <em class="emphasis">nmbd</em> server is registered and -(we hope) is waiting to answer requests. There should also be at -least one TCP line mentioning <tt class="literal">*.netbios-</tt> or -<tt class="literal">*.139</tt>, and it will probably be in the LISTEN -state. This means that <em class="emphasis">smbd</em> is up and listening -for connections.</p> - -<p>There might be other TCP lines indicating connections from -<em class="emphasis">smbd</em> to clients, one for each client. These are -usually in the ESTABLISHED state. If there are -<em class="emphasis">smbd</em> lines in the ESTABLISHED state, -<em class="emphasis">smbd</em> is definitely running. If there is only one -line in the LISTEN state, we're not sure yet. If -both of the lines are missing, a daemon has not succeeded in -starting, so it's time to check the logs and then go -back to <a href="ch02.html">Chapter 2</a>.</p> - -<p>If there is a line for each client, it might be coming either from a -Samba daemon or from the master IP daemon, -<em class="emphasis">inetd</em>. It's quite possible that -your <em class="emphasis">inetd</em> startup file contains lines that -start Samba daemons without your realizing it; for instance, the -lines might have been placed there if you installed Samba as part of -a Linux distribution. The daemons started by -<em class="emphasis">inetd</em> prevent ours from running. This problem -typically produces log messages such as <tt class="literal">bind</tt> -<tt class="literal">failed</tt> <tt class="literal">on</tt> -<tt class="literal">port</tt> <tt class="literal">139</tt> -<tt class="literal">socket</tt> <tt class="literal">addr=0</tt> -<tt class="literal">(Address</tt> <tt class="literal">already</tt> -<tt class="literal">in</tt> <tt class="literal">use)</tt>.</p> - -<p>Check your <em class="filename">/etc/inetd.conf</em> ; unless -you're intentionally starting the daemons from -there, <tt class="literal">netbios-ns</tt> (UDP port 137) or -<tt class="literal">netbios-ssn</tt> (tcp port 139) servers should be -mentioned there. If your system is providing an SMB daemon via -<em class="emphasis">inetd</em>, lines such as the following will appear -in the <em class="filename">inetd.conf</em> file:</p> - -<blockquote><pre class="code">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd -netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre></blockquote> - -<p>If your system uses <em class="emphasis">xinetd</em> instead of -<em class="emphasis">inetd</em>, see <a href="ch02.html">Chapter 2</a> for -details concerning its configuration.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.4"/> - -<h3 class="head3">Checking smbd with telnet</h3> - -<p><a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>Ironically, the easiest way to test that -the <em class="emphasis">smbd</em> server is actually working is to send -it a meaningless message and see if it is rejected. Try something -such as the following:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>echo "hello" | telnet localhost 139 </b></tt> -Trying -Trying 192.168.236.86 ... -Connected to localhost. Escape character is '^]'. -Connection closed by foreign host.</pre></blockquote> - -<p>This sends an erroneous but harmless message to -<em class="emphasis">smbd</em>. If you get a <tt class="literal">Connected</tt> -message followed by a <tt class="literal">Connection</tt> -<tt class="literal">closed</tt> message, the test was a success. You have -an <em class="emphasis">smbd</em> daemon listening on the port and -rejecting improper connection messages. On the other hand, if you get -<tt class="literal">telnet</tt>: <tt class="literal">connect</tt>: -<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, most likely -no daemon is present. Check the logs and go back to <a href="ch02.html">Chapter 2</a>.</p> - -<p>Regrettably, there isn't an easy test for -<em class="emphasis">nmbd</em>. If the <em class="emphasis">telnet</em> test -and the <em class="emphasis">netstat</em> test both say that an -<em class="emphasis">smbd</em> is running, there is a good chance that -<em class="emphasis">netstat</em> will also be correct about -<em class="emphasis">nmbd</em> running.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.5"/> - -<h3 class="head3">Testing daemons with testparm</h3> - -<p><a name="INDEX-54"/><a name="INDEX-55"/>Once you know -there's a daemon, you should always run -<em class="emphasis">testparm</em>, in hopes of getting something such as -the following:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>testparm </b></tt> -Load smb config files from /opt/samba/lib/smb.conf -Processing section "[homes]" -Processing section "[printers]" ... -Processing section "[tmp]" -Loaded services file OK. ...</pre></blockquote> - -<p>The <em class="emphasis">testparm</em> program normally reports the -processing of a series of sections and responds with -<tt class="literal">Loaded</tt> <tt class="literal">services</tt> -<tt class="literal">file</tt> <tt class="literal">OK</tt> if it succeeds. If not, -it reports one or more of the following messages, which also appear -in the logs as noted:</p> - -<dl> -<dt><b>Allow/Deny connection from account (n) to service</b></dt> -<dd> -<p>A <em class="emphasis">testparm</em>-only message produced if you have -<tt class="literal">valid</tt> <tt class="literal">user</tt> or -<tt class="literal">invalid</tt> <tt class="literal">user</tt> options set in -your <em class="emphasis">smb.conf</em>. You will want to make sure that -you are on the valid user list, and that <tt class="literal">root</tt>, -<tt class="literal">bin</tt>, etc., are on the invalid user list. If you -don't, you will not be able to connect, or users who -shouldn't <em class="emphasis">will</em> be able to.</p> -</dd> - - - -<dt><b>Warning: You have some share names that are longer than eight chars</b></dt> -<dd> -<p>For anyone using Windows for Workgroups and older clients. They fail -to connect to shares with long names, producing an overflow message -that sounds confusingly like a memory overflow.</p> -</dd> - - - -<dt><b>Warning: [name] service MUST be printable!</b></dt> -<dd> -<p>A printer share lacks a <tt class="literal">printable</tt> -<tt class="literal">=</tt> <tt class="literal">yes</tt> option.</p> -</dd> - - - -<dt><b>No path in service name using [name]</b></dt> -<dd> -<p>A file share doesn't know which directory to provide -to the user, or a print share doesn't know which -directory to use for spooling. If no path is specified, the service -will try to run with a path of <em class="emphasis">/tmp</em>, which might -not be what you want.</p> -</dd> - - - -<dt><b>Note: Servicename is flagged unavailable</b></dt> -<dd> -<p>Just a reminder that you have used the <tt class="literal">available</tt> -<tt class="literal">=</tt> <tt class="literal">no</tt> option in a share.</p> -</dd> - - - -<dt><b>Can't find include file [name] </b></dt> -<dd> -<p>A configuration file referred to by an <tt class="literal">include</tt> -option did not exist. If you were including the file unconditionally, -this is an error and probably a serious one: the share will not have -the configuration you intended. If you were including it based on one -of the <tt class="literal">%</tt> variables, such as <tt class="literal">%a</tt> -(architecture), you will need to decide whether, for example, a -missing Windows for Workgroups configuration file is a problem. It -often isn't.</p> -</dd> - - - -<dt><b>Can't copy service name, unable to copy to itself</b></dt> -<dd> -<p>You tried to copy an <em class="filename">smb.conf</em> section into -itself.</p> -</dd> - - - -<dt><b>Unable to copy service—source not found: [name]</b></dt> -<dd> -<p>Indicates a missing or misspelled section in a -<tt class="literal">copy</tt> <tt class="literal">=</tt> option.</p> -</dd> - - - -<dt><b>Ignoring unknown parameter name </b></dt> -<dd> -<p>Typically indicates an obsolete, misspelled, or unsupported option.</p> -</dd> - - - -<dt><b>Global parameter name found in service section </b></dt> -<dd> -<p>Indicates that a global-only parameter has been used in an individual -share. Samba ignores the parameter.</p> -</dd> - -</dl> - -<p>After the <em class="emphasis">testparm</em> test, repeat it with -(exactly) three parameters: the name of your -<em class="filename">smb.conf</em> file, the name of your client, and its -IP address:</p> - -<blockquote><pre class="code"># <tt class="userinput"><b>testparm /usr/local/samba/lib/smb.conf client 192.168.236.10</b></tt></pre></blockquote> - -<p>This will run one more test that checks the hostname and address -against <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and -<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options and might -produce the <tt class="literal">Allow</tt> <tt class="literal">connection</tt> -<tt class="literal">from</tt> <tt class="literal">hostname</tt> -<tt class="literal">to</tt> <tt class="literal">service</tt> and/or -<tt class="literal">Deny</tt> <tt class="literal">connection</tt> -<tt class="literal">from</tt> <tt class="literal">hostname</tt> -<tt class="literal">to</tt> <tt class="literal">service</tt> messages for the -client system. These messages indicate that you have -<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and/or -<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options in your -<em class="filename">smb.conf</em>, and they prohibit access from the -client system. <a name="INDEX-56"/></p> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-2.5"/> - -<h3 class="head2">Troubleshooting SMB Connections</h3> - -<p><a name="INDEX-57"/><a name="INDEX-58"/>Now -that you know the servers are up, you need to make sure -they're running properly. We start by placing a -simple <em class="filename">smb.conf</em> file in the -<em class="filename">/usr/local/samba/lib</em> directory.</p> - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.1"/> - -<h3 class="head3">A minimal smb.conf file</h3> - -<p>In the following tests, we assume you have a -<tt class="literal">[temp]</tt> share suitable for testing, plus at least -one account. An <em class="filename">smb.conf</em> file that includes just -these is as follows:</p> - -<blockquote><pre class="code">[global] - workgroup = <em class="replaceable">EXAMPLE</em> - security = user - browsable = yes - local master = yes -[homes] - guest ok = no - browsable = no -[temp] - path = /tmp - public = yes</pre></blockquote> -<a name="samba2-CHP-12-NOTE-156"/><blockquote class="note"><h4 class="objtitle">WARNING</h4> -<p>The <tt class="literal">public</tt> <tt class="literal">=</tt> -<tt class="literal">yes</tt> option in the <tt class="literal">[temp]</tt> share -is just for testing. You probably don't want people -without accounts storing things on your Samba server, so you should -comment it out when you're done.</p> -</blockquote> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.2"/> - -<h3 class="head3">Testing locally with smbclient</h3> - -<p><a name="INDEX-59"/><a name="INDEX-60"/>The first test is to ensure that the -server can list its own services (shares). Run the command -<tt class="literal">smbclient</tt> <em class="emphasis">-L</em> -<tt class="literal">localhost</tt> <tt class="literal">-U%</tt> to connect to the -server from itself, and specify the guest user. You should see the -following:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L localhost -U% </b></tt> -Server time is Wed May 27 17:57:40 2002 Timezone is UTC-4.0 -Server=[localhost] -User=[davecb] -Workgroup=[EXAMPLE] -Domain=[EXAMPLE] - Sharename Type Comment - --------- ----- ---------- - temp Disk - IPC$ IPC IPC Service (Samba 1.9.18) - homes Disk Home directories -This machine does not have a browse list</pre></blockquote> - -<p>If you received this output, move on to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>. On the other hand, if you -receive an error, check the following:</p> - -<ul><li> -<p>If you get <tt class="literal">Get_hostbyname</tt>: -<tt class="literal">unknown</tt> <tt class="literal">host</tt> -<tt class="literal">localhost</tt>, either you've spelled -its name wrong or there actually is a problem (which should have been -seen back in <a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>). In the -latter case, move on to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p> -</li><li> -<p>If you get <tt class="literal">Connect</tt> <tt class="literal">error</tt>: -<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the server -was found, but it wasn't running an -<em class="emphasis">nmbd</em> daemon. Skip back to -<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>, -earlier in this chapter, and retest the daemons.</p> -</li><li> -<p>If you get the message <tt class="literal">Your</tt> -<tt class="literal">server</tt> <tt class="literal">software</tt> -<tt class="literal">is</tt> <tt class="literal">being</tt> -<tt class="literal">unfriendly</tt>, the initial session request packet got -a garbage response from the server. The server might have crashed or -started improperly. The common causes of this can be discovered by -scanning the logs for the following:</p> -<ul><li> -<p>Invalid command-line parameters to <em class="emphasis">smbd</em> ; see -the <em class="emphasis">smbd</em> manual page.</p> -</li><li> -<p>A fatal problem with the <em class="filename">smb.conf</em> file that -prevents the startup of <em class="emphasis">smbd</em>. Always check your -changes with <em class="emphasis">testparm</em>, as was done in <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>, earlier in this chapter.</p> -</li><li> -<p>Missing directories where Samba is supposed to keep its log and lock -files.</p> -</li><li> -<p>The presence of a server already on the port (139 for -<em class="emphasis">smbd</em>, 137 for <em class="emphasis">nmbd</em> ), -preventing the daemon from starting.</p> -</li></ul> -</li> -<li> -<p>If you're using <em class="emphasis">inetd</em> (or -xinetd ) instead of standalone daemons, be sure to check your -<em class="filename">/etc/inetd.conf</em> (or xinetd configuration files) -and <em class="filename">/etc/services</em> entries against their manual -pages for errors as well.</p> -</li><li> -<p>If you get a <tt class="literal">Password</tt>: prompt, your guest account -is not set up properly. The <em class="emphasis">-U%</em> option tells -<em class="emphasis">smbclient</em> to do a "null -login," which requires that the guest account be -present but does not require it to have any privileges.</p> -</li><li> -<p>If you get the message <tt class="literal">SMBtconX</tt> -<tt class="literal">failed</tt>. <tt class="literal">ERRSRV--ERRaccess</tt>, you -aren't permitted access to the server. This normally -means you have a <tt class="literal">hosts</tt> <tt class="literal">allow</tt> -option that doesn't include the server or a -<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does. -Recheck with the command <tt class="literal">testparm</tt> -<tt class="literal">smb.conf</tt> <em class="replaceable">your_hostname</em> -<em class="replaceable">your_ip_address</em> (see -<a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>), -and correct any unintended prohibitions.</p> -</li></ul> - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.3"/> - -<h3 class="head3">Testing connections with smbclient</h3> - -<p><a name="INDEX-61"/><a name="INDEX-62"/>Run the command -<tt class="literal">smbclient</tt> -<tt class="literal">\\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt> -to connect to the server's <tt class="literal">[temp]</tt> -share and to see if you can connect to a file service. You should get -the following response:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient '\\server\temp' </b></tt> -Server time is Tue May 5 09:49:32 2002 Timezone is UTC-4.0 Password: -<b class="emphasis-bold">smb: \> quit</b></pre></blockquote> -<p>You might receive the following errors:</p> - -<ul><li> -<p>If you get <tt class="literal">Get_Hostbyname</tt>: -<tt class="literal">Unknown</tt> <tt class="literal">host</tt> -<tt class="literal">name</tt>, <tt class="literal">Connect</tt> -<tt class="literal">error</tt>: <tt class="literal">Connection</tt> -<tt class="literal">refused</tt>, or <tt class="literal">Your</tt> -<tt class="literal">server</tt> <tt class="literal">software</tt> -<tt class="literal">is</tt> <tt class="literal">being</tt> -<tt class="literal">unfriendly</tt>, see the previous section, -<a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, for -the diagnoses.</p> -</li><li> -<p>If you get the message <tt class="literal">servertemp</tt>: -<tt class="literal">Not</tt> <tt class="literal">enough</tt> -<tt class="literal">`\</tt>' -<tt class="literal">characters</tt> <tt class="literal">in</tt> -<tt class="literal">service</tt>, you likely didn't quote -the address, so Unix stripped off backslashes. You can also write the -command:</p> - -<blockquote><pre class="code">smbclient \\\\<em class="replaceable">server</em>\\temp</pre></blockquote> - -<p>or:</p> -<blockquote><pre class="code">smbclient //<em class="replaceable">server</em>/temp</pre></blockquote> -</li> -</ul> -<p>Now, provide your Unix account password to the -<tt class="literal">Password</tt>: prompt. If you then get an -<tt class="literal">smb</tt>: <tt class="literal">\></tt> prompt, it worked. -Enter <tt class="literal">quit</tt> and continue on to the next section, -<a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If -you got <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>. -<tt class="literal">ERRSRV--ERRinvnetname</tt>, the problem can be any of -the following:</p> - -<ul><li> -<p>A wrong share name: you might have spelled it wrong, it might be too -long, it might be in mixed case, or it might not be available. Check -that it's what you expect with -<em class="emphasis">testparm</em> (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p> -</li><li> -<p>A <tt class="literal">security</tt> <tt class="literal">=</tt> -<tt class="literal">share</tt> parameter in your Samba configuration file, -in which case you might have to add <tt class="literal">-U</tt> -<em class="replaceable">your_account</em> to the -<em class="emphasis">smbclient</em> command.</p> -</li><li> -<p>An erroneous username.</p> -</li><li> -<p>An erroneous password.</p> -</li><li> -<p>An <tt class="literal">invalid</tt> <tt class="literal">users</tt> or -<tt class="literal">valid</tt> <tt class="literal">users</tt> option in your -<em class="emphasis">smb.conf</em> file that doesn't -allow your account to connect. Recheck using -<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt> -<em class="replaceable">your_hostname your_ip_address</em> (see the -earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p> -</li><li> -<p>A <tt class="literal">valid</tt> <tt class="literal">hosts</tt> option that -doesn't include the server, or an -<tt class="literal">invalid</tt> <tt class="literal">hosts</tt> option that does. -Also test this with <em class="emphasis">testparm</em>.</p> -</li><li> -<p>A problem in authentication, such as if shadow passwords or the -Password Authentication Module (PAM) is used on the server, but Samba -is not compiled to use it. This is rare, but it occasionally happens -when a SunOS 4 Samba binary (with no shadow passwords) is run without -recompilation on a Solaris system (with shadow passwords).</p> -</li><li> -<p>The <tt class="literal">encrypted</tt> <tt class="literal">passwords</tt> -<tt class="literal">=</tt> <tt class="literal">yes</tt> option is in the -configuration file, but no password for your account is in the -<em class="emphasis">smbpasswd</em> file.</p> -</li><li> -<p>You have a null password entry, either in Unix -<em class="filename">/etc/passwd</em> or in the -<em class="emphasis">smbpasswd</em> file.</p> -</li><li> -<p>You are connecting to <tt class="literal">[temp]</tt>, and you do not have -the <tt class="literal">guest</tt> <tt class="literal">ok</tt> -<tt class="literal">=</tt> <tt class="literal">yes</tt> option in the -<tt class="literal">[temp]</tt> section of the -<em class="emphasis">smb.conf</em> file.</p> -</li><li> -<p>You are connecting to <tt class="literal">[temp]</tt> before connecting to -your home directory, and your guest account isn't -set up correctly. If you can connect to your home directory and then -connect to <tt class="literal">[temp]</tt>, that's the -problem. See <a href="ch02.html">Chapter 2</a> for more information on -creating a basic Samba configuration file.</p> - -<p>A bad guest account will also prevent you from printing or browsing -until after you've logged in to your home directory.</p> -</li></ul> -<p>There is one more reason for this failure that has nothing at all to -do with passwords: the <tt class="literal">path</tt> parameter in your -<em class="filename">smb.conf</em> file might point somewhere that -doesn't exist. This will not be diagnosed by -<em class="emphasis">testparm</em>, and most SMB clients -can't distinguish it from other types of bad user -accounts. You will have to check it manually.</p> - -<p>Once you have connected to <tt class="literal">[temp]</tt> successfully, -repeat the test, this time logging in to your home directory (e.g., -map network drive -<em class="replaceable">server</em><tt class="literal">\davecb</tt>). If you -have to change anything to get that to work, retest -<tt class="literal">[temp]</tt> again afterward.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.4"/> - -<h3 class="head3">Testing connections with net use</h3> - -<p><a name="INDEX-63"/><a name="INDEX-64"/>Run the command -<tt class="literal">net</tt> <tt class="literal">use</tt> <tt class="literal">*</tt> -<tt class="literal">\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt> -on the Windows client to see if it can connect to the server. You -should be prompted for a password, then receive the response -<tt class="literal">The</tt> <tt class="literal">command</tt> -<tt class="literal">was</tt> <tt class="literal">completed</tt> -<tt class="literal">successfully</tt>.</p> - -<p>If that worked, continue with the steps in the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.5">Section 12.2.5.5</a>. Otherwise:</p> - -<ul><li> -<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt> -<tt class="literal">shared</tt> <tt class="literal">directory</tt> -<tt class="literal">cannot</tt> <tt class="literal">be</tt> -<tt class="literal">found</tt>, or <tt class="literal">Cannot</tt> -<tt class="literal">locate</tt> <tt class="literal">specified</tt> -<tt class="literal">share</tt> <tt class="literal">name</tt>, the directory name -is either misspelled or not in the <em class="emphasis">smb.conf</em> -file. This message can also warn of a name that is in mixed case, -including spaces, or that is longer than eight characters.</p> -</li><li> -<p>If you get <tt class="literal">The</tt> <tt class="literal">computer</tt> -<tt class="literal">name</tt> <tt class="literal">specified</tt> -<tt class="literal">in</tt> <tt class="literal">the</tt> -<tt class="literal">network</tt> <tt class="literal">path</tt> -<tt class="literal">cannot</tt> <tt class="literal">be</tt> -<tt class="literal">located</tt> or <tt class="literal">Cannot</tt> -<tt class="literal">locate</tt> <tt class="literal">specified</tt> -<tt class="literal">computer</tt>, the directory name has been misspelled, -the name service has failed, there is a networking problem, or the -<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option includes your -host.</p> -<ul><li> -<p>If it is not a spelling mistake, you need to double back at least to -<a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a> to -investigate why it doesn't connect.</p> -</li><li> -<p>If <em class="emphasis">smbclient</em> does work, there is a name service -problem with the client name service, and you need to go forward to -<a href="ch12.html#samba2-CHP-12-SECT-2.6.2">Section 12.2.6.2</a> and see if -you can look up both the client and server with -<em class="emphasis">nmblookup</em>.</p> -</li> -</ul> -</li> - -<li> -<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt> -<tt class="literal">is</tt> <tt class="literal">invalid</tt> -<tt class="literal">for</tt> <tt class="literal">\server\username</tt>, your -locally cached copy on the client doesn't match the -one on the server. You will be prompted for a replacement.</p> - -<a name="samba2-CHP-12-NOTE-157"/><blockquote class="note"><h4 class="objtitle">TIP</h4> -<p>Each Windows 95/98/Me client keeps a local -<em class="emphasis">password</em> file, but it's really -just a cached copy of the password it sends to Samba and NT/2000/XP -servers to authenticate you. That's what is being -prompted for here. You can still log on to a Windows system without a -password (but not to NT/2000/XP).</p> -</blockquote> - -<p>If you provide your password and it still fails, your password is not -being matched on the server, you have a <tt class="literal">valid</tt> -<tt class="literal">users</tt> or <tt class="literal">invalid</tt> -<tt class="literal">users</tt> list denying you permission, NetBEUI is -interfering, or the encrypted password problem described in the next -paragraph exists.</p> -</li><li> -<p>If your client is Windows NT 4.0, NT 3.5 with Patch 3, Windows 95 -with Patch 3, Windows 98, any of these with Internet Explorer 4.0, or -any subsequent version of Windows, the system will default to -Microsoft encryption for passwords. In general, if you have installed -a major Microsoft product on any of the older Windows versions, you -might have applied an update and turned on encrypted passwords. If -the client is defaulting to encrypted passwords, you will need to -specify <tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> -<tt class="literal">=</tt> <tt class="literal">yes</tt> in your Samba -configuration file if you are using a version of Samba prior to Samba -3.0.</p> - -<a name="samba2-CHP-12-NOTE-158"/><blockquote class="note"><h4 class="objtitle">TIP</h4> -<p>Because of Internet Explorer's willingness to honor -URLs such as <em class="filename">file://somehost/somefile</em> by making -SMB connections, clients up to and including Windows 95 Patch Level 2 -would happily send your password, in plain text, to SMB servers -anywhere on the Internet. This was considered a bad idea, and -Microsoft switched to using only encrypted passwords in the SMB -protocol. All subsequent releases of Microsoft's -products have included this correction.</p> -</blockquote> -</li> - -<li> -<p>If you have a mixed-case password on Unix, the client is probably -sending it in all one case. If changing your password to all one case -works, this was the problem. Regrettably, all but the oldest clients -support uppercase passwords, so Samba will try once with the password -in uppercase and once in lowercase. If you wish to use mixed-case -passwords, see the <tt class="literal">password</tt> -<tt class="literal">level</tt> option in <a href="ch09.html">Chapter 9</a> for a -workaround.</p> -</li><li> -<p>You might have a <tt class="literal">valid</tt> <tt class="literal">users</tt> -problem, as tested with <em class="emphasis">smbclient</em> (see the -earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>).</p> -</li><li> -<p>You might have the NetBEUI protocol bound to the Microsoft client. -This often produces long timeouts and erratic failures and is known -to have caused failures to accept passwords in the past. Unless you -absolutely need the NetBEUI protocol, remove it.</p> -</li></ul> -<a name="samba2-CHP-12-NOTE-159"/><blockquote class="note"><h4 class="objtitle">TIP</h4> -<p>The term "bind" is used here to -mean connecting one piece of software to another. When configured -correctly, the Microsoft SMB client is "bound -to" TCP/IP in the bindings section of the TCP/IP -properties panel under the Windows 95/98/Me Network icon in the -Control Panel. TCP/IP in turn is bound to an Ethernet card. This is -not the same sense of the word as binding an SMB daemon to a TCP/IP -port.</p> -</blockquote> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.5"/> - -<h3 class="head3">Testing connections with Windows Explorer</h3> - -<p><a name="INDEX-65"/><a name="INDEX-66"/>Start Windows Explorer -(not Internet Explorer), select Map Network Drive from the Tools -menu, and specify the UNC for one of your shares on the Samba server -to see if you can make Explorer connect to it. If so, -you've succeeded and can skip to the next section, -<a href="ch12.html#samba2-CHP-12-SECT-2.6">Section 12.2.6</a>.</p> - -<p>Windows Explorer is a rather poor diagnostic tool: it tells you that -something's wrong, but rarely what it is. If you get -a failure, you'll need to track it down with the -Windows <em class="emphasis">net use</em> command, which has far superior -error reporting:</p> - -<ul><li> -<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt> -<tt class="literal">for</tt> <tt class="literal">this</tt> -<tt class="literal">connection</tt> <tt class="literal">that</tt> -<tt class="literal">is</tt> <tt class="literal">in</tt> <tt class="literal">your</tt> -<tt class="literal">password</tt> <tt class="literal">file</tt> -<tt class="literal">is</tt> <tt class="literal">no</tt> <tt class="literal">longer</tt> -<tt class="literal">correct</tt>, you might have any of the following:</p> -<ul><li> -<p>Your locally cached copy on the client doesn't match -the one on the server.</p> -</li><li> -<p>You didn't provide a username and password when -logging on to the client. Some versions of Explorer will continue to -send a null username and password, even if you provide a password.</p> -</li><li> -<p>You have misspelled the password.</p> -</li><li> -<p>You have an <tt class="literal">invalid</tt> <tt class="literal">users</tt> or -<tt class="literal">valid</tt> <tt class="literal">users</tt> list denying -permission.</p> -</li><li> -<p>Your client is defaulting to encrypted passwords, but Samba is -configured with the <tt class="literal">encrypt</tt> -<tt class="literal">passwords</tt> <tt class="literal">=</tt> -<tt class="literal">no</tt> configuration file parameter.</p> -</li><li> -<p>You have a mixed-case password, which the client is supplying in all -one case.</p> -</li> -</ul> -</li> -<li> -<p>If you get <tt class="literal">The</tt> <tt class="literal">network</tt> -<tt class="literal">name</tt> <tt class="literal">is</tt> -<tt class="literal">either</tt> <tt class="literal">incorrect</tt>, -<tt class="literal">or</tt> <tt class="literal">a</tt> <tt class="literal">network</tt> -<tt class="literal">to</tt> <tt class="literal">which</tt> <tt class="literal">you</tt> -<tt class="literal">do</tt> <tt class="literal">not</tt> <tt class="literal">have</tt> -<tt class="literal">full</tt> <tt class="literal">access</tt>, or -<tt class="literal">Cannot</tt> <tt class="literal">locate</tt> -<tt class="literal">specified</tt> <tt class="literal">computer</tt>, you might -have any of the following:</p> -<ul><li> -<p>Misspelled name</p> -</li><li> -<p>Malfunctioning service</p> -</li><li> -<p>Failed share</p> -</li><li> -<p>Networking problem</p> -</li><li> -<p>Bad <tt class="literal">path</tt> parameter in -<em class="filename">smb.conf</em></p> -</li><li> -<p><tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that excludes -you</p> -</li> -</ul> -</li> -<li> -<p>If you get <tt class="literal">You</tt> <tt class="literal">must</tt> -<tt class="literal">supply</tt> <tt class="literal">a</tt> -<tt class="literal">password</tt> <tt class="literal">to</tt> -<tt class="literal">make</tt> <tt class="literal">this</tt> -<tt class="literal">connection</tt>, the password on the client is out of -synchronization with the server, or this is the first time -you've tried from this client system and the client -hasn't cached it locally yet.</p> -</li><li> -<p>If you get <tt class="literal">Cannot</tt> <tt class="literal">locate</tt> -<tt class="literal">specified</tt> <tt class="literal">share</tt> -<tt class="literal">name</tt>, you have a wrong share name or a syntax -error in specifying it, a share name longer than eight characters, or -one containing spaces or in mixed case.</p> -</li></ul> -<p>Once you can reliably connect to the share, try again, this time -using your home directory. If you have to change something to get -home directories working, retest with the first share, and vice -versa, as we showed in the earlier section, "Testing -connections with net use." As always, if Explorer -fails, drop back to that section and debug the connection there. -<a name="INDEX-67"/><a name="INDEX-68"/></p> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-2.6"/> - -<h3 class="head2">Troubleshooting Browsing</h3> - -<p><a name="INDEX-69"/><a name="INDEX-70"/>Finally, we -come to browsing. We've left this for last, not -because it is the most difficult, but because it's -both optional and partially dependent on a protocol that -doesn't guarantee delivery of a packet. Browsing is -hard to diagnose if you don't already know that all -the other services are running.</p> - -<p>Browsing is purely optional: it's just a way to find -the servers on your network and the shares that they provide. Unix -has nothing of the sort and happily does without. Browsing also -assumes all your systems are on a local area network (LAN) where -broadcasts are allowable.</p> - -<p>First, the browsing mechanism identifies a system using the -unreliable UDP protocol; it then makes a normal (reliable) TCP/IP -connection to list the shares the system provides.</p> - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.1"/> - -<h3 class="head3">Testing browsing with smbclient</h3> - -<p><a name="INDEX-71"/><a name="INDEX-72"/>We'll start with -testing the reliable connection first. From the server, try listing -its own shares using <em class="emphasis">smbclient</em> with a -<tt class="literal">-L</tt> option and your server's name. -You should get something resembling the following:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L server</b></tt> -Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server -time is Tue Apr 28 09:57:28 2002 Timezone is UTC-4.0 -Password: -Domain=[EXAMPLE] OS=[Unix] Server=[Samba 2.2.5] - - Sharename Type Comment - --------- ---- ------- - cdrom Disk CD-ROM - cl Printer Color Printer 1 - davecb Disk Home Directories - - Server Comment - --------- ------- - SERVER Samba 2.2.5 - - Workgroup Master - --------- ------- - EXAMPLE SERVER</pre></blockquote> - -<ul><li> -<p>If you didn't get a Sharename list, the server is -not allowing you to browse any shares. This should not be the case if -you've tested any of the shares with Windows -Explorer or the <em class="emphasis">net use</em> command. If you -haven't done the <tt class="literal">smbclient</tt> -<tt class="literal">-L</tt> <tt class="literal">localhost</tt> -<tt class="literal">-U%</tt> test yet (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), do it now. An erroneous -guest account can prevent the shares from being seen. Also, check the -<em class="filename">smb.conf</em> file to make sure you do not have the -option <tt class="literal">browsable</tt> <tt class="literal">=</tt> -<tt class="literal">no</tt> anywhere in it: we suggest using a minimal -<em class="filename">smb.conf</em> file (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.1">Section 12.2.5.1</a>). You need to have -<tt class="literal">browsable</tt> enabled (which is the default) to see -the share.</p> -</li><li> -<p>If you didn't get a browse list, the server is not -providing information about the systems on the network. At least one -system on the net must support browse lists. Make sure you have -<tt class="literal">local</tt> <tt class="literal">master</tt> -<tt class="literal">=</tt> <tt class="literal">yes</tt> in the -<em class="filename">smb.conf</em> file if you want Samba to be the local -master browser.</p> -</li><li> -<p>If you got a browse list but didn't get -<em class="emphasis">/tmp</em>, you probably have a -<em class="filename">smb.conf</em> problem. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>.</p> -</li><li> -<p>If you didn't get a workgroup list with your -workgroup name in it, it is possible that your workgroup is set -incorrectly in the <em class="filename">smb.conf</em> file.</p> -</li><li> -<p>If you didn't get a workgroup list at all, ensure -that <tt class="literal">workgroup</tt> <tt class="literal">=</tt> -<tt class="literal">EXAMPLE</tt> is present in the -<em class="filename">smb.conf</em> file.</p> -</li><li> -<p>If you get nothing, try once more with the options -<tt class="literal">-I</tt> <em class="emphasis">ip_address</em> -<tt class="literal">-n</tt> <em class="emphasis">netbios_name</em> -<tt class="literal">-W</tt> <em class="emphasis">workgroup</em> -<tt class="literal">-d3</tt> with the NetBIOS and workgroup name in -uppercase. (The <tt class="literal">-d3</tt> option sets the log /debugging -level to 3.) Then check the Samba logs for clues.</p> -</li></ul> -<p>If you're still getting nothing, you -shouldn't have gotten this far; double back to at -least <a href="ch12.html#samba2-CHP-12-SECT-2.3.1">Section 12.2.3.1</a>, or perhaps -<a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. On the other hand:</p> - -<ul><li> -<p>If you get <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>. -<tt class="literal">ERRSRV--ERRaccess</tt>, you aren't -permitted access to the server. This normally means you have a -<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option that -doesn't include the server or a -<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.</p> -</li><li> -<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>, you -presumably have one of the following:</p> -<ul><li> -<p>An incorrect <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or -<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line</p> -</li><li> -<p>An incorrect <tt class="literal">invalid</tt> <tt class="literal">users</tt> or -<tt class="literal">valid</tt> <tt class="literal">users</tt> line</p> -</li><li> -<p>A lowercase password and OS/2 or Windows for Workgroups clients</p> -</li><li> -<p>A missing or invalid guest account</p> -</li></ul> -<p>Check what your guest account is (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), change or comment out any -<tt class="literal">hosts</tt> <tt class="literal">allow</tt>, -<tt class="literal">hosts</tt> <tt class="literal">deny</tt>, -<tt class="literal">valid</tt> <tt class="literal">users</tt>, or -<tt class="literal">invalid</tt> <tt class="literal">users</tt> lines, and verify -your <em class="filename">smb.conf</em> file with -<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt> -<em class="replaceable">your_hostname your_ip_address</em> (see the -earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p> -</li><li> -<p>If you get <tt class="literal">Connection</tt> <tt class="literal">refused</tt>, -the <em class="emphasis">smbd</em> server is not running or has crashed. -Check that it's up, running, and listening to the -network with <em class="emphasis">netstat</em>. See the earlier section, -<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>.</p> -</li><li> -<p>If you get <tt class="literal">Get_Hostbyname</tt>: -<tt class="literal">Unknown</tt> <tt class="literal">host</tt> -<tt class="literal">name</tt>, you've made a spelling -error, there is a mismatch between the Unix and NetBIOS hostname, or -there is a name service problem. Start name service debugging as -discussed in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If this works, suspect a -name mismatch, and go to the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p> -</li><li> -<p>If you get <tt class="literal">Session</tt> <tt class="literal">request</tt> -<tt class="literal">failed</tt>, the server refused the connection. This -usually indicates an internal error, such as insufficient memory to -fork a process.</p> -</li><li> -<p>If you get <tt class="literal">Your</tt> <tt class="literal">server</tt> -<tt class="literal">software</tt> <tt class="literal">is</tt> -<tt class="literal">being</tt> <tt class="literal">unfriendly</tt>, the initial -session request packet received a garbage response from the server. -The server might have crashed or started improperly. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, where the -problem is first analyzed.</p> -</li><li> -<p>If you suspect the server is not running, go back to -<a href="ch12.html#samba2-CHP-12-SECT-2.4.2">Section 12.2.4.2</a> to see why the server -daemon isn't responding.</p> -</li></ul> - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.2"/> - -<h3 class="head3">Testing the server with nmblookup</h3> - -<p><a name="INDEX-73"/><a name="INDEX-74"/>This will test the -"advertising" system used for -Windows name services and browsing. Advertising works by broadcasting -one's presence or willingness to provide services. -It is the part of browsing that uses an unreliable protocol (UDP) and -works only on broadcast networks such as Ethernets. The -<em class="emphasis">nmblookup</em> program broadcasts name queries for -the hostname you provide and returns its IP address and the name of -the system, much as <em class="emphasis">nslookup</em> does with DNS. -Here, the <em class="emphasis">-d</em> (debug or log-level) and -<em class="emphasis">-B</em> (broadcast address) options direct queries to -specific systems.</p> - -<p>First, we check the server from itself. Run -<em class="emphasis">nmblookup</em> with a <em class="emphasis">-B</em> option -of your server's name (to tell it to send the query -to the Samba server) and a parameter of <tt class="literal">_ _SAMBA_ -_</tt> as the symbolic name to look up. You should get:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -B server _ _SAMBA_ _</b></tt> -Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 -Sending queries to 192.168.236.86 192.168.236.86 _ _SAMBA_ _</pre></blockquote> - -<p>You should get the IP address of the server, followed by the name -<tt class="literal">_ _SAMBA_ _</tt> , which means that the server has -successfully advertised that it has a service called <tt class="literal">_ -_SAMBA_ _</tt> , and therefore at least part of NetBIOS name -service works.</p> - -<ul><li> -<p>If you get <tt class="literal">Name_query</tt> <tt class="literal">failed</tt> -<tt class="literal">to</tt> <tt class="literal">find</tt> <tt class="literal">name</tt> -<tt class="literal">_ _SAMBA_ _</tt>, you might have specified the server -name to the <em class="emphasis">-B</em> option, or -<em class="emphasis">nmbd</em> is not running. The <em class="emphasis">-B</em> -option actually takes a broadcast address: we're -using a computer name to get a unicast address and to ask the server -if it has claimed <tt class="literal">_ _SAMBA_ _</tt>. Try again with -<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> -<em class="replaceable">ip_address</em>, and if that fails too, -<em class="emphasis">nmbd</em> isn't claiming the name. -Go back briefly to the earlier section, "Testing -daemons with testparm," to see if -<em class="emphasis">nmbd</em> is running. If so, it might not be claiming -names; this means that Samba is not providing the browsing -service—a configuration problem. If that is the case, make sure -that <em class="filename">smb.conf</em> doesn't contain -the option <tt class="literal">browsing</tt> <tt class="literal">=</tt> -<tt class="literal">no</tt>.</p> -</li></ul> - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.3"/> - -<h3 class="head3">Testing the client with nmblookup</h3> - -<p><a name="INDEX-75"/><a name="INDEX-76"/>Next, check the IP address of the -client from the server with <em class="emphasis">nmblookup</em> using the -<tt class="literal">-B</tt> option for the client's name -and a parameter of '<tt class="literal">*</tt>' meaning -"anything," as shown here:</p> - -<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -B client '*</b>' -Sending queries to 192.168.236.10 192.168.236.10 * -Got a positive name query response from 192.168.236.10 (192.168.236.10)</pre></blockquote> - -<p>You might get the following error:</p> - -<ul><li> -<p>If you receive <tt class="literal">Name-query</tt> -<tt class="literal">failed</tt> <tt class="literal">to</tt> -<tt class="literal">find</tt> <tt class="literal">name</tt> <tt class="literal">*</tt>, -you have made a spelling mistake, or the client software on the PC -isn't installed, started, or bound to TCP/IP. Double -back to <a href="ch03.html">Chapter 3</a> and ensure that you have a -client installed that is listening to the network.</p> -</li></ul> -<p>Repeat the command with the following options if you had any failures:</p> - -<ul><li> -<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> -<em class="replaceable">client_IP_address</em> succeeds but -<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> -<em class="replaceable">client_name</em> fails, there is a name service -problem with the client's name; go to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p> -</li><li> -<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> -<tt class="literal">127.0.0.1</tt> '<tt class="literal">*</tt>' succeeds, but -<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> -<em class="replaceable">client_IP_address</em> fails, there is a -hardware problem, and <em class="emphasis">ping</em> should have failed. -See your network manager.</p> -</li></ul> - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.4"/> - -<h3 class="head3">Testing the network with nmblookup</h3> - -<p><a name="INDEX-77"/><a name="INDEX-78"/>Run the command -<em class="emphasis">nmblookup</em> again with a <em class="emphasis">-d2</em> -option (for a debug level of 2) and a parameter of -'<tt class="literal">*</tt>'. This time we are testing the ability of -programs (such as <em class="emphasis">nmbd</em> ) to use broadcast. -It's essentially a connectivity test, done via a -broadcast to the default broadcast address.</p> - -<p>A number of NetBIOS over TCP/IP hosts on the network should respond -with <tt class="literal">got</tt> <tt class="literal">a</tt> -<tt class="literal">positive</tt> <tt class="literal">name</tt> -<tt class="literal">query</tt> <tt class="literal">response</tt> messages. Samba -might not catch all the responses in the short time it listens, so -you won't always see all the SMB clients on the -network. However, you should see most of them:</p> - -<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -d 2 '*</b>' -Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Sending -queries to 192.168.236.255 -Got a positive name query response from 192.168.236.191 (192.168.236.191) -Got a positive name query response from 192.168.236.228 (192.168.236.228) -Got a positive name query response from 192.168.236.75 (192.168.236.75) -Got a positive name query response from 192.168.236.79 (192.168.236.79) -Got a positive name query response from 192.168.236.206 (192.168.236.206) -Got a positive name query response from 192.168.236.207 (192.168.236.207) -Got a positive name query response from 192.168.236.217 (192.168.236.217) -Got a positive name query response from 192.168.236.72 (192.168.236.72) 192.168.236.86 *</pre></blockquote> - -<p>However:</p> - -<ul><li> -<p>If this doesn't give at least the client address you -previously tested, the default broadcast address is wrong. Try -<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> -<tt class="literal">255.255.255.255</tt> <tt class="literal">-d</tt> -<tt class="literal">2</tt> '<tt class="literal">*</tt>', which is a last-ditch -variant (using a broadcast address of all 1s). If this draws -responses, the broadcast address you've been using -before is wrong. Troubleshooting these is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this -chapter.</p> -</li><li> -<p>If the address 255.255.255.255 fails too, check your notes to see if -your PC and server are on different subnets, as discovered in the -earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. You -should try to diagnose this step with a server and client on the same -subnet, but if you can't, you can try specifying the -remote subnet's broadcast address with -<em class="emphasis">-B</em>. Finding that address is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this -chapter. The <em class="emphasis">-B</em> option will work if your router -supports directed broadcasts; if it doesn't, you -might be forced to test with a client on the same network.</p> -</li></ul> -<p>As usual, you can check the Samba log files for additional clues.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.5"/> - -<h3 class="head3">Testing client browsing with net view</h3> - -<p><a name="INDEX-79"/><a name="INDEX-80"/>On the client, run the -command <em class="replaceable">net view \\server</em> in an MS-DOS -(command prompt) window to see if you can connect to the client and -ask what shares it provides. You should get back a list of available -shares on the server.</p> - -<p>If this works, continue with the later section <a href="ch12.html#samba2-CHP-12-SECT-3.1">Section 12.3.1</a>. Otherwise:</p> - -<ul><li> -<p>If you get <tt class="literal">Network</tt> <tt class="literal">name</tt> -<tt class="literal">not</tt> <tt class="literal">found</tt> for the name you just -tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.3">Section 12.2.6.3</a>, there is a problem with the -client software itself. Double-check this by running -<em class="emphasis">nmblookup</em> on the client; if it works and -<em class="emphasis">net view</em> doesn't, the client is -at fault.</p> -</li><li> -<p>If <em class="emphasis">nmblookup</em> fails, there is a NetBIOS name -service problem, as discussed in the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p> -</li><li> -<p>If you get <tt class="literal">You</tt> <tt class="literal">do</tt> -<tt class="literal">not</tt> <tt class="literal">have</tt> <tt class="literal">the</tt> -<tt class="literal">necessary</tt> <tt class="literal">access</tt> -<tt class="literal">rights</tt>, or <tt class="literal">This</tt> -<tt class="literal">server</tt> <tt class="literal">is</tt> -<tt class="literal">not</tt> <tt class="literal">configured</tt> -<tt class="literal">to</tt> <tt class="literal">list</tt> -<tt class="literal">shared</tt> <tt class="literal">resources</tt>, either your -guest account is misconfigured (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>) or you have a -<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or -<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that prohibits -connections from your system. These problems should have been -detected by the <em class="emphasis">smbclient</em> tests starting in the -earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.1">Section 12.2.6.1</a>.</p> -</li><li> -<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt> -<tt class="literal">computer</tt> <tt class="literal">is</tt> -<tt class="literal">not</tt> <tt class="literal">receiving</tt> -<tt class="literal">requests</tt>, you have misspelled the name, the system -is unreachable by broadcast (tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.4">Section 12.2.6.4</a>), or it's -not running <em class="emphasis">nmbd</em>.</p> -</li><li> -<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt> -<tt class="literal">error</tt>, you're probably -encountering the Microsoft-encrypted password problem, as discussed -earlier in this chapter and in <a href="ch09.html">Chapter 9</a>, with its -corrections.</p> -</li></ul> - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.6"/> - -<h3 class="head3">Browsing the server from the client</h3> - -<p><a name="INDEX-81"/><a name="INDEX-82"/>From the Windows Network -Neighborhood (or My Network Places in newer releases), try to browse -the server. Your Samba server should appear in the browse list of -your local workgroup. You should be able to double-click the name of -the server to get a list of shares.</p> - -<ul><li> -<p>If you get an <tt class="literal">Invalid</tt> <tt class="literal">password</tt> -error, it's most likely the encryption problem -again.</p> -</li><li> -<p>If you receive an <tt class="literal">Unable</tt> <tt class="literal">to</tt> -<tt class="literal">browse</tt> <tt class="literal">the</tt> -<tt class="literal">network</tt> error, one of the following has occurred:</p> -<ul><li> -<p>You have looked too soon, before the broadcasts and updates have -completed. Wait 30 seconds and try again.</p> -</li><li> -<p>There is a network problem you've not yet diagnosed.</p> -</li><li> -<p>There is no browse master. Add the configuration option -<tt class="literal">local</tt> <tt class="literal">master</tt> -<tt class="literal">=</tt> <tt class="literal">yes</tt> to your -<em class="emphasis">smb.conf</em> file.</p> -</li><li> -<p>No shares are made browsable in the <em class="emphasis">smb.conf</em> -file.</p> -</li></ul> -</li> -<li> -<p>If you receive the message <tt class="literal">\\server</tt> -<tt class="literal">is</tt> <tt class="literal">not</tt> -<tt class="literal">accessible</tt> then:</p> -<ul><li> -<p>You have the encrypted password problem.</p> -</li><li> -<p>The system really isn't accessible.</p> -</li><li> -<p>The system doesn't support browsing.</p> -</li></ul> -</li> -</ul> - -<p>If you've made it this far and the problem is not -yet solved, either the problem is one we've not yet -seen, or it is a problem related to a topic we have already covered, -and further analysis is required. Name resolution is often related to -difficulties with Samba, so we cover it in more detail in the next -sections. If you know your problem is not related to name resolution, -skip to the <a href="ch12.html#samba2-CHP-12-SECT-3">Section 12.3</a> at the end of the chapter. <a name="INDEX-83"/><a name="INDEX-84"/></p> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-2.7"/> - -<h3 class="head2">Troubleshooting Name Services</h3> - -<p><a name="INDEX-85"/><a name="INDEX-86"/>This -section looks at simple troubleshooting of all the name services -you'll encounter, but only for the common problems -that affect Samba.</p> - -<p>There are several good references for troubleshooting particular name -services: Paul <a name="INDEX-87"/>Albitz and Cricket <a name="INDEX-88"/>Liu's <em class="emphasis">DNS and -Bind</em> (O'Reilly) covers the DNS, Hal -<a name="INDEX-89"/>Stern's <em class="emphasis">NFS and -NIS</em> (O'Reilly) covers NIS -("Yellow pages"), while Windows -Internet Name Service (WINS), <em class="filename">hosts/LMHOSTS</em> -files, and NIS+ are best covered by their respective -vendors' manuals.</p> - -<p>The problems addressed in this section are as follows:</p> - -<ul><li> -<p>Name services are identified.</p> -</li><li> -<p>A hostname can't be looked up.</p> -</li><li> -<p>The long (FQDN) form of a hostname works but the short form -doesn't.</p> -</li><li> -<p>The short form of the name works, but the long form -doesn't.</p> -</li><li> -<p>A long delay occurs before the expected result.</p> -</li></ul> - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.1"/> - -<h3 class="head3">Identifying what's in use</h3> - -<p><a name="INDEX-90"/>First, see if both the -server and the client are using DNS, WINS, NIS, or -<em class="filename">hosts</em> files to look up IP addresses when you -give them a name. Each kind of system has a different preference:</p> - -<ul><li> -<p>Windows 95/98/Me tries WINS and the <em class="filename">LMHOSTS</em> file -first, then broadcast, and finally DNS and <em class="filename">HOSTS</em> -files.</p> -</li><li> -<p>Windows NT/2000/XP tries WINS, then broadcast, then the -<em class="filename">LMHOSTS</em> file, and finally -<em class="filename">HOSTS</em> and DNS.</p> -</li><li> -<p>Windows programs using the WINSOCK standard use the HOSTS file, DNS, -WINS, and then broadcast. Don't assume that if a -different program's name service works, the SMB -client program's name service will!</p> -</li><li> -<p>Samba daemons use <em class="filename">lmhosts</em>, WINS, the Unix -system's name resolution, and then broadcast.</p> -</li><li> -<p>Unix systems can be configured to use any combination of DNS, -<em class="filename">HOSTS</em> files, NIS or NIS+, and winbind, generally -in any order.</p> -</li></ul> -<p>We recommend that the client systems be configured to use WINS and -DNS, the Samba daemons to use WINS and DNS, and the Unix server to -use DNS, <em class="filename">hosts</em> files, and perhaps NIS+. -You'll have to look at your notes and the actual -systems to see which is in use.</p> - -<p>On the clients, the name services are all set in the TCP/IP -Properties panel of the Networking Control Panel, as discussed in -<a href="ch03.html">Chapter 3</a>. You might need to check there to see -what you've actually turned on. On the server, see -if a <em class="filename">/etc/resolv.conf</em> file exists. If it does, -you're using DNS. You might be using the others as -well, though. You'll need to check for NIS and -combinations of services.</p> - -<p>Check for a <em class="filename">/etc/nsswitch.conf</em> file on Solaris -and other System V Unix operating systems. If you have one, look for -a line that begins with <tt class="literal">host</tt>: followed by one or -more of <tt class="literal">files</tt>, <tt class="literal">bind</tt>, -<tt class="literal">nis</tt>, or <tt class="literal">nis+</tt>. These are the -name services to use, in order, with optional extra material in -square brackets. The <tt class="literal">files</tt> keyword is for -using <em class="emphasis">HOSTS</em> files, while <tt class="literal">bind</tt> -(the Berkeley Internet Name Daemon) refers to using DNS.</p> - -<p>If the client and server differ, the first thing to do is to get them -in sync. Clients can use DNS, WINS, <em class="emphasis">HOSTS</em>, and -<em class="emphasis">LMHOSTS</em> files, but not NIS or NIS+. Servers can -use <em class="emphasis">HOSTS</em> and <em class="filename">LMHOSTS</em> -files, DNS, NIS or NIS+, and winbind, but not WINS—even if your -Samba server provides WINS services. If you can't -get all the systems to use the same services, you'll -have to check the server and the client carefully for the same data.</p> - -<p>You can also make use of the <em class="emphasis">-R</em> (resolve order) -option for <em class="emphasis">smbclient</em>. If you want to -troubleshoot WINS, for example, you'd say:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L </b></tt><em class="replaceable">server</em> <tt class="userinput"><b>-R wins</b></tt></pre></blockquote> - -<p>The possible settings are <tt class="literal">hosts</tt> (which means -whatever the Unix system is using, not just<em class="filename"> -/etc/hosts</em> files), <tt class="literal">lmhosts</tt>, -<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt> (broadcast).</p> - -<p>In the following sections, we use the term <em class="emphasis">long -name</em> for a fully qualified domain name (FQDN), such as -<tt class="literal">server.example.com</tt> , and the term <em class="emphasis">short -name</em> for the host part of an FQDN, such as -<tt class="literal">server</tt>.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.2"/> - -<h3 class="head3">Cannot look up hostnames</h3> - -<p><a name="INDEX-91"/>Try the -following:</p> - -<dl> -<dt><b>DNS</b></dt> -<dd> -<p>Run <tt class="literal">nslookup</tt> <em class="replaceable">name</em>. If -this fails, look for a <em class="filename">resolv.conf</em> error, a -downed DNS server, or a short/long name problem (see the next -section). Try the following:</p> - - -<ul><li> -<p>Your <em class="filename">/etc/resolv.conf</em> file should contain one or -more <tt class="literal">nameserver</tt> lines, each with an IP address. -These are the addresses of your DNS servers.</p> -</li><li> -<p>Ping each server address you find. If this fails for one, suspect the -system. If it fails for each, suspect your network.</p> -</li><li> -<p>Retry the lookup using the full domain name (e.g., -<tt class="literal">server.example.com</tt>) if you tried the short name -first, or the short name if you tried the long name first. If results -differ, skip to the next section.</p> -</li></ul> -</dd> - - - -<dt><b>Broadcast/ WINS</b></dt> -<dd> -<p>Broadcast/ WINS does only short names such as -<tt class="literal">server</tt>, and not long ones, such as -<tt class="literal">server.example.com</tt>. Run -<tt class="literal">nmblookup</tt> <tt class="literal">-S</tt> -<em class="replaceable">server</em>. This reports everything broadcast -has registered for the name. In our example, it looks like this:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -S server</b></tt> -Looking up status of 192.168.236.86 -received 10 names - SERVER <00> - M <ACTIVE> - SERVER <03> - M <ACTIVE> - SERVER <1f> - M <ACTIVE> - SERVER <20> - M <ACTIVE> - ..__MSBROWSE__. <01> - <GROUP> M <ACTIVE> - MYGROUP <00> - <GROUP> M <ACTIVE> - MYGROUP <1b> - M <ACTIVE> - MYGROUP <1c> - <GROUP> M <ACTIVE> - MYGROUP <1d> - M <ACTIVE> - MYGROUP <1e> - <GROUP> M <ACTIVE></pre></blockquote> - -<p>The required entry is <tt class="literal">SERVER</tt> -<tt class="literal"><00></tt>, which identifies -<em class="replaceable">server</em> as being this -system's NetBIOS name. You should also see your -workgroup mentioned one or more times. If these lines are missing, -Broadcast/WINS cannot look up names and will need attention.</p> - -<a name="samba2-CHP-12-NOTE-160"/><blockquote class="note"><h4 class="objtitle">TIP</h4> -<p>The numbers in angle brackets in the previous output identify NetBIOS -names as being workgroups, workstations, and file users of the -messenger service, master browsers, domain master browsers, domain -controllers, and a plethora of others. We primarily use -<tt class="literal"><00></tt> to identify system and workgroup names -and <tt class="literal"><20></tt> to identify systems as servers. The -complete list is available at <a href="http://support.microsoft.com/support/kb/articles/q163/4/09.asp">http://support.microsoft.com/support/kb/articles/q163/4/09.asp</a>.</p> -</blockquote> -</dd> - - - -<dt><b>NIS</b></dt> -<dd> -<p>Try <tt class="literal">ypmatch</tt> <tt class="literal">name</tt> -<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the -NIS server's name by running -<em class="emphasis">ypwhich</em>, and ping the system to see if -it's accessible.</p> -</dd> - - - -<dt><b>NIS+</b></dt> -<dd> -<p>If you're running NIS+, try -<tt class="literal">nismatch</tt> <tt class="literal">name</tt> -<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the -NIS+ server's name by running -<em class="emphasis">niswhich</em>, and ping that system to see if -it's accessible.</p> -</dd> - - - -<dt><b>hosts and HOSTS files</b></dt> -<dd> -<p>Inspect the <em class="filename">HOSTS</em> file on the client -(<em class="filename">C:\Windows\ Hosts</em> on Windows 95/98/Me, and -<em class="filename">C:\WINNT \system32\drivers\etc\hosts</em> on Windows -NT/2000/XP). Each line should have an IP number and one or more -names, the primary name first, then any optional aliases. An example -follows:</p> - - -<blockquote><pre class="code">127.0.0.1 localhost -192.168.236.1 dns.svc.example.com -192.168.236.10 client.example.com client -192.168.236.11 backup.example.com loghost -192.168.236.86 server.example.com server -192.168.236.254 router.svc.example.com</pre></blockquote> - -<p>On Unix, <tt class="literal">localhost</tt> should always be 127.0.0.1, -although it might be just an alias for a hostname on the PC. On the -client, check that there are no <tt class="literal">#XXX</tt> directives at -the ends of the lines; these are LAN Manager/NetBIOS directives and -should appear only in <em class="emphasis">LMHOSTS</em> files.</p> -</dd> - - - -<dt><b>LMHOSTS files</b></dt> -<dd> -<p>This file is a local source for LAN Manager (NetBIOS) names. It has a -format similar to <em class="filename">hosts</em> files, but it does not -support long-form domain names (e.g., -<tt class="literal">server.example.com</tt>) and can have a number of -optional <tt class="literal">#XXX</tt> directives following the NetBIOS -names. There is usually an <em class="emphasis">lmhosts.sam</em> (for -sample) file located in <em class="filename">C:\Windows</em> on Windows -95/98/Me, and in <em class="filename">C:\WINNT\system32\drivers\etc</em> -on Windows NT/2000/XP, but it's not used unless it -is renamed to <em class="emphasis">Lmhosts</em> in the same directory.</p> -</dd> - -</dl> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.3"/> - -<h3 class="head3">Long and short hostnames</h3> - -<p><a name="INDEX-92"/>Where the long (FQDN) form of a hostname -works but the short name doesn't (for example, -<tt class="literal">client.example.com</tt> works but -<tt class="literal">client</tt> doesn't), consider the -following:</p> - -<dl> -<dt><b>DNS </b></dt> -<dd> -<p>This usually indicates that there is no default domain in which to -look up the short names. Look for a <tt class="literal">default</tt> line -in <em class="filename">/etc/resolv.conf</em> on the Samba server with -your domain in it, or look for a <tt class="literal">search</tt> line with -one or more domains in it. One or the other might need to be present -to make short names usable; which one depends on the vendor and -version of the DNS resolver. Try adding <tt class="literal">domain</tt> -<em class="replaceable">your_domain</em> to -<em class="filename">resolv.conf</em>, and ask your network or DNS -administrator what should be in the file.</p> -</dd> - - - -<dt><b>Broadcast/WINS </b></dt> -<dd> -<p>Broadcast/WINS doesn't support long names; it -won't suffer from this problem.</p> -</dd> - - - -<dt><b>NIS </b></dt> -<dd> -<p>Try the command <tt class="literal">ypmatch</tt> -<em class="replaceable">hostname</em> <tt class="literal">hosts</tt>. If you -don't get a match, your tables -don't include short names. Speak to your network -manager; short names might be missing by accident or might be -unsupported as a matter of policy. Some sites don't -ever use (ambiguous) short names.</p> -</dd> - - - -<dt><b>NIS+</b></dt> -<dd> -<p>Try <tt class="literal">nismatch</tt> <em class="replaceable">hostname</em> -<tt class="literal">hosts</tt>, and treat failure exactly as with NIS.</p> -</dd> - - - -<dt><b>hosts </b></dt> -<dd> -<p>If the short name is not in <em class="filename">/etc/hosts</em>, consider -adding it as an alias. Avoid, if you can, short names as primary -names (the first one on a line). Have them as aliases if your system -permits.</p> -</dd> - - - -<dt><b>LMHOSTS </b></dt> -<dd> -<p>LAN Manager doesn't support long names, so it -won't suffer from this problem.</p> -</dd> - -</dl> - -<p>On the other hand, if the short form of the name works and the long -form doesn't, consider the following:</p> - -<dl> -<dt><b>DNS </b></dt> -<dd> -<p>This is bizarre; see your network or DNS administrator, as this is -probably a DNS setup error.</p> -</dd> - - - -<dt><b>Broadcast/WINS </b></dt> -<dd> -<p>This is normal; Broadcast/WINS can't use the long -form. Optionally, consider DNS. (Be aware that Microsoft has stated -that it will eventually switch entirely to DNS, even though DNS does -not provide name types such as <00>.)</p> -</dd> - - - -<dt><b>NIS</b></dt> -<dd> -<p>If you can use <em class="emphasis">ypmatch</em> to look up the short form -but not the long, consider adding the long form to the table as at -least an alias.</p> -</dd> - - - -<dt><b>NIS+ </b></dt> -<dd> -<p>Same as NIS, except you use <em class="emphasis">nismatch</em> instead of -<em class="emphasis">ypmatch</em> to look up names.</p> -</dd> - - - -<dt><b>hosts and HOSTS</b></dt> -<dd> -<p>Add the long name as at least an alias, and preferably as the primary -form. Also consider using DNS if it's practical.</p> -</dd> - - - -<dt><b>LMHOSTS </b></dt> -<dd> -<p>This is normal. LAN Manager can't use the long form; -consider switching to DNS or <em class="filename">hosts</em>.</p> -</dd> - -</dl> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.4"/> - -<h3 class="head3">Unusual delays</h3> - -<p><a name="INDEX-93"/>When there is a long delay before the -expected result:</p> - -<dl> -<dt><b>DNS </b></dt> -<dd> -<p>Test the same name with the <em class="emphasis">nslookup</em> command on -the system that is slow (client or server). If -<em class="emphasis">nslookup</em> is also slow, you have a DNS problem. -If it's slower on a client, you might have too many -protocols bound to the Ethernet card. Eliminate NetBEUI, which is -infamously slow, and, optionally, Novell—assuming you -don't need them. This is especially important on -Windows 95, which is particularly sensitive to excess protocols.</p> -</dd> - - - -<dt><b>Broadcast/ WINS</b></dt> -<dd> -<p>Test the client using <em class="emphasis">nmblookup</em>; if -it's faster, you probably have the protocols problem -as mentioned in the previous item.</p> -</dd> - - - -<dt><b>NIS</b></dt> -<dd> -<p>Try <em class="emphasis">ypmatch</em>; if it's slow, -report the problem to your network manager.</p> -</dd> - - - -<dt><b>NIS+ </b></dt> -<dd> -<p>Try <em class="emphasis">nismatch</em>, similarly.</p> -</dd> - - - -<dt><b>hosts and HOSTS</b></dt> -<dd> -<p>The <em class="emphasis">hosts</em> files, if of reasonable size, are -always fast. You probably have the protocols problem mentioned -previously under DNS.</p> -</dd> - - - -<dt><b>lmhosts and LMHOSTS</b></dt> -<dd> -<p>This is not a name lookup problem; <em class="emphasis">LMHOSTS</em> files -are as fast as <em class="emphasis">hosts</em> and -<em class="filename">HOSTS</em> files.</p> -</dd> - -</dl> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.5"/> - -<h3 class="head3">Localhost issues</h3> - -<p><a name="INDEX-94"/>When a localhost isn't -127.0.0.1, try the following:</p> - -<dl> -<dt><b>DNS</b></dt> -<dd> -<p>There is probably no record for <tt class="literal">localhost</tt>. -<tt class="literal">A</tt> <tt class="literal">127.0.0.1</tt>. Arrange to add -one, as well as a reverse entry, -<tt class="literal">1.0.0.127.IN-ADDR.ARPA</tt> <tt class="literal">PTR</tt> -<tt class="literal">127.0.0.1</tt>.</p> -</dd> - - - -<dt><b>Broadcast/WINS</b></dt> -<dd> -<p>Not applicable.</p> -</dd> - - - -<dt><b>NIS</b></dt> -<dd> -<p>If <tt class="literal">localhost</tt> isn't in the table, -add it.</p> -</dd> - - - -<dt><b>NIS+ </b></dt> -<dd> -<p>If <tt class="literal">localhost</tt> isn't in the table, -add it.</p> -</dd> - - - -<dt><b>hosts and HOSTS</b></dt> -<dd> -<p>Add a line that says <tt class="literal">127.0.0.1</tt> -<tt class="literal">localhost</tt>.</p> -</dd> - - - -<dt><b>LMHOSTS</b></dt> -<dd> -<p>Not applicable. <a name="INDEX-95"/><a name="INDEX-96"/></p> -</dd> - -</dl> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-2.8"/> - -<h3 class="head2">Troubleshooting Network Addresses</h3> - -<p><a name="INDEX-97"/><a name="INDEX-98"/>A -number of common problems are caused by incorrect routing of Internet -addresses or by the incorrect assignment of addresses. This section -helps you determine what your addresses are.</p> - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.1"/> - -<h3 class="head3">Netmasks</h3> - -<p>Using the <a name="INDEX-99"/>netmask, it is possible to -determine which addresses can be reached directly (i.e., which are on -the local network) and which addresses require forwarding packets -through a router. If the netmask is wrong, the systems will make one -of two mistakes. One is to route local packets via a router, which is -an expensive waste of time—it might work reasonably fast, it -might run slowly, or it might fail utterly. The second mistake is to -fail to send packets from a remote system to the router, which will -prevent them from being forwarded to the remote system.</p> - -<p>The netmask is a number like an IP address, with one-bits for the -network part of an address and zero-bits for the host portion. It is -used as a bitmask to mask off parts of the address inside the TCP/IP -code. If the mask is 255.255.0.0, the first 2 bytes are the network -part and the last 2 are the host part. More common is 255.255.255.0, -in which the first 3 bytes are the network part and the last one is -the host part.</p> - -<p>For example, let's say your IP address is -192.168.0.10 and the Samba server is 192.168.236.86. If your netmask -happens to be 255.255.255.0, the network part of the address is the -first 3 bytes, and the host part is the last byte. In this case, the -network parts are different, and the systems are on different -networks:</p> - -<a name="ch12-37-fm2xml"/><table border="1"> - - - -<tr> -<th> -<p>Network part</p> -</th> -<th> -<p>Host part</p> -</th> -</tr> - - -<tr> -<td> -<p>192 168 000</p> -</td> -<td> -<p>10</p> -</td> -</tr> -<tr> -<td> -<p>192 168 235</p> -</td> -<td> -<p>86</p> -</td> -</tr> - -</table> - -<p>If your netmask happens to be 255.255.0.0, the network part is just -the first 2 bytes. In this case, the network parts match, and so the -two systems are on the same network:</p> - -<a name="ch12-38-fm2xml"/><table border="1"> - - - -<tr> -<th> -<p>Network part</p> -</th> -<th> -<p>Host part</p> -</th> -</tr> - - -<tr> -<td> -<p>192 168</p> -</td> -<td> -<p>000 10</p> -</td> -</tr> -<tr> -<td> -<p>192 168</p> -</td> -<td> -<p>236 86</p> -</td> -</tr> - -</table> - -<p>Make sure the netmask in use on each system matches the structure of -your network. On every subnet, the netmask should be identical on -each system.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.2"/> - -<h3 class="head3">Broadcast addresses</h3> - -<p>The <a name="INDEX-100"/>broadcast address is a normal address, -with the hosts part all one-bits. It means "all -hosts on your network." You can compute it easily -from your netmask and address: take the address and put one-bits in -it for all the bits that are zero at the end of the netmask (the host -part). The following table illustrates this:</p> - -<a name="ch12-39-fm2xml"/><table border="1"> - - - - -<tr> -<th> -</th> -<th> -<p>Network part</p> -</th> -<th> -<p>Host part</p> -</th> -</tr> - - -<tr> -<td> -<p>IP address</p> -</td> -<td> -<p>192 168 236</p> -</td> -<td> -<p>86</p> -</td> -</tr> -<tr> -<td> -<p>Netmask</p> -</td> -<td> -<p>255 255 255</p> -</td> -<td> -<p>000</p> -</td> -</tr> -<tr> -<td> -<p>Broadcast</p> -</td> -<td> -<p>192 168 236</p> -</td> -<td> -<p>255</p> -</td> -</tr> - -</table> - -<p>In this example, the broadcast address on the 192.168.236 network is -192.168.236.255. There is also an old -"universal" broadcast address, -255.255.255.255. Routers are prohibited from forwarding these, but -most systems on your local network will respond to broadcasts to this -address.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.3"/> - -<h3 class="head3">Network address ranges</h3> - -<p>A <a name="INDEX-101"/>number of address ranges have been -reserved for testing and for nonconnected networks; we use these for -the examples in this book. If you don't have an -address yet, feel free to use one of these to start. They include one -class A network, 10.*.*.*, a range of class B network addresses, -172.16.*.* through 172.31.*.*, and 254 class C networks, 192.168.1.* -through 192.168.254.*. The domain <tt class="literal">example.com</tt> is -also reserved for unconnected networks, explanatory examples, and -books.</p> - -<p>If you're actually connecting to the Internet, -you'll need to get an appropriate IP address and a -domain name, probably through the same company that provides your -connection.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.4"/> - -<h3 class="head3">Finding your network address</h3> - -<p><a name="INDEX-102"/>If you -haven't recorded your IP address, you can learn it -through the <em class="emphasis">ifconfig</em><a name="INDEX-103"/> command on Unix or the -<em class="emphasis">ipconfig</em> <a name="INDEX-104"/>command on Windows. (Check your manual -pages for any options required by your brand of Unix. For example, -<tt class="literal">ifconfig</tt> <tt class="literal">-a</tt> works on Solaris.) -You should see output similar to the following:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>ifconfig -a</b></tt> -le0: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING > - inet 192.168.236.11 netmask ffffff00 broadcast 192.168.236.255 -lo0: flags=49<&lt>UP,LOOPBACK,RUNNING<&gt> - inet 127.0.0.1 netmask ff000000</pre></blockquote> - -<p>One of the interfaces will be loopback (in our examples, -<tt class="literal">lo0</tt>), and the other will be the regular IP -interface. The flags should show that the interface is running, and -Ethernet interfaces will also say they support broadcasts (PPP -interfaces don't). The other places to look for IP -addresses are <em class="filename">/etc/hosts</em> files, Windows -<em class="emphasis">HOSTS</em> files, Windows -<em class="emphasis">LMHOSTS</em> files, NIS, NIS+, and DNS. <a name="INDEX-105"/><a name="INDEX-106"/></p> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-2.9"/> - -<h3 class="head2">Troubleshooting NetBIOS Names</h3> - -<p><a name="INDEX-107"/><a name="INDEX-108"/>Historically, SMB protocols have -depended on the NetBIOS name system, also called the LAN Manager name -system. This was a simple scheme where each system had a unique -20-character name and broadcast it on the LAN for everyone to know. -With TCP/IP, we tend to use names such as -<tt class="literal">client.example.com</tt>, stored in -<em class="filename">/etc/hosts</em> files through DNS or WINS.</p> - -<p>The usual mapping of domain names such as -<tt class="literal">server.example.com</tt> to NetBIOS names simply uses -the <tt class="literal">server</tt> part as the NetBIOS name and converts -it to uppercase. Alas, this doesn't always work, -especially if you have a system with a 21-character name; not -everyone uses the same NetBIOS and DNS names. For example, -<tt class="literal">corpvm1</tt> along with <tt class="literal">vm1.corp.com</tt> -is not unusual.</p> - -<p>A system with a different NetBIOS name and domain name is confusing -when you're troubleshooting; we recommend that you -try to avoid this wherever possible. NetBIOS names are discoverable -with <em class="emphasis">smbclient</em> :</p> - -<ul><li> -<p>If you can list shares on your Samba server with -<tt class="literal">smbclient</tt> <tt class="literal">-L</tt> -<tt class="literal">short_name</tt>, the short name is the NetBIOS name.</p> -</li><li> -<p>If you get <tt class="literal">Get_Hostbyname</tt>: -<tt class="literal">Unknown</tt> <tt class="literal">host</tt> -<tt class="literal">name</tt>, there is probably a mismatch. Check in the -<em class="filename">smb.conf</em> file to see if the NetBIOS name is -explicitly set.</p> -</li><li> -<p>Try to list shares again, specifying <tt class="literal">-I</tt> and the IP -address of the Samba server (e.g., <tt class="literal">smbclient</tt> -<tt class="literal">-L</tt> <tt class="literal">server</tt> <tt class="literal">-I</tt> -<tt class="literal">192.168.236.86</tt>). This overrides the name lookup -and forces the packets to go to the IP address. If this works, there -was a mismatch.</p> -</li><li> -<p>Try with <tt class="literal">-I</tt> and the full domain name of the server -(e.g., <tt class="literal">smbclient</tt> <tt class="literal">-L</tt> -<tt class="literal">server</tt> <tt class="literal">-I</tt> -<tt class="literal">server.example.com</tt>). This tests the lookup of the -domain name, using whatever scheme the Samba server uses (e.g., DNS). -If it fails, you have a name service problem. You should reread the -earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, -after you finish troubleshooting the NetBIOS names.</p> -</li><li> -<p>Try with the <tt class="literal">-n</tt> (NetBIOS name) option, giving it -the name you expect to work (e.g., <tt class="literal">smbclient</tt> -<tt class="literal">-n</tt> <tt class="literal">server</tt> <tt class="literal">-L</tt> -<tt class="literal">server-12</tt>), but without overriding the IP address -through <tt class="literal">-I</tt>. If this works, the name you specified -with <tt class="literal">-n</tt> is the actual NetBIOS name of the server. -If you receive <tt class="literal">Get-Hostbyname</tt>: -<tt class="literal">Unknown</tt> <tt class="literal">host</tt> -<tt class="literal">SERVER</tt>, it's not the right server -yet.</p> -</li><li> -<p>If nothing is working so far, repeat the tests specifying -<tt class="literal">-U</tt> <em class="emphasis">username</em> and -<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>, with the -username and workgroup in uppercase, to make sure -you're not being derailed by a user or workgroup -mismatch.</p> -</li><li> -<p>If still nothing works and you had evidence of a name service -problem, troubleshoot the name service (see the earlier section, -<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>) and then return to -the NetBIOS name service. <a name="INDEX-109"/><a name="INDEX-110"/></p> -</li></ul> - -</div> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-12-SECT-3"/> - -<h2 class="head1">Extra Resources</h2> - -<p>At some point during your work with Samba, you'll -want to turn to online or printed resources for news, updates, and -aid.</p> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-3.1"/> - -<h3 class="head2">Documentation and FAQs</h3> - -<p>It's OK to read the <a name="INDEX-111"/><a name="INDEX-112"/>documentation. Really. Nobody can see you, -and we won't tell. In fact, Samba ships with a large -set of documentation files, and it is well worth the effort to at -least browse through them, either in the distribution directory on -your computer under <em class="filename">/docs</em> or online at the Samba -web site: <a href="http://www.samba.org">http://www.samba.org</a>. The most current -FAQ list, bug information, and distribution locations are located at -the web site, with links to all the Samba manual pages and HOWTOs.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-3.2"/> - -<h3 class="head2">Samba Newsgroups</h3> - -<p><a name="INDEX-113"/>Usenet -newsgroups have always been a great place to get advice on just about -any topic. In the past few years, though, this vast pool of knowledge -has developed something that has made it into an invaluable resource: -a memory. Archival and search sites such as the one at -<a name="INDEX-114"/>Google (<a href="http://groups.google.com/advanced_group_search">http://groups.google.com/advanced_group_search</a>) -have made sifting through years of valuable solutions as simple as a -few mouse clicks.</p> - -<p>The primary newsgroup for Samba is -<em class="emphasis">comp.protocols.smb</em><a name="INDEX-115"/>. This should always be your first -stop when there's a problem. More often than not, -spending 5 minutes researching an error here will save hours of -frustration while trying to debug something yourself.</p> - -<p>When searching a newsgroup, try to be as specific as possible, but -not too wordy. Searching on actual error messages is best. If you -don't find an answer immediately in the newsgroup, -resist the temptation to post a request for help until -you've done a bit more work on the problem. You -might find that the answer is in a FAQ or one of the many -documentation files that ship with Samba, or a solution might become -evident when you run one of Samba's diagnostic -tools. If nothing works, post a request in -<em class="emphasis">comp.protocols.smb</em>, and be as specific as -possible about what you have tried and what you are seeing. Include -any error messages that appear. It might be days before you receive -help, so be patient and keep trying things while you wait.</p> - -<a name="samba2-CHP-12-NOTE-161"/><blockquote class="note"><h4 class="objtitle">TIP</h4> -<p>Once you post a request for help, keep poking at the problem -yourself. Most of us have had the experience of posting a Usenet -article containing hundreds of lines of intricate detail, only to -solve the problem an hour later after the article has blazed its way -across several continents. The rule of thumb goes something like -this: the more folks who have read your request, the simpler the -solution. Usually this means that once everyone in the Unix community -has seen your article, the solution will be something simple such as, -"Plug the power cord into the wall -socket."</p> -</blockquote> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-3.3"/> - -<h3 class="head2">Samba Mailing Lists</h3> - -<p>The following are <a name="INDEX-116"/>mailing lists for support with Samba. See -the Samba home page, <a href="http://www.samba.org/">http://www.samba.org/</a>, for -information on subscribing and unsubscribing to these mailing lists:</p> - -<dl> -<dt><b>samba@samba.org</b></dt> -<dd> -<p>This is the primary mailing list for general questions and discussion -regarding Samba.</p> -</dd> - - - -<dt><b>samba-announce@samba.org</b></dt> -<dd> -<p>This list is for receiving news regarding Samba, such as -announcements of new releases.</p> -</dd> - - - -<dt><b>samba-cvs@samba.org</b></dt> -<dd> -<p>By subscribing to this list, you can automatically receive a message -every time one of the Samba developers updates the Samba source code -in the CVS repository. You might want to do this if you are waiting -for a specific bug fix or feature to be applied. To avoid congesting -your email inbox, we suggest using the digest feature, which -consolidates messages into a smaller number of emails.</p> -</dd> - - - -<dt><b>samba-docs@samba.org</b></dt> -<dd> -<p>This list is for discussing Samba documentation.</p> -</dd> - - - -<dt><b>samba-vms@samba.org</b></dt> -<dd> -<p>This mailing list is for people who are running Samba on the VMS -operating system.</p> -</dd> - - - -<dt><b>samba-binaries@samba.org</b></dt> -<dd> -<p>This is a list for developers to use when discussing precompiled -Samba distributions.</p> -</dd> - - - -<dt><b>samba-technical@samba.org</b></dt> -<dd> -<p>This mailing list is for developer discussion of the Samba code.</p> -</dd> - -</dl> - -<p>Searchable versions of the Samba mailing list archives can be found -at <a href="http://marc.theaimsgroup.com">http://marc.theaimsgroup.com</a>.</p> - -<p>When posting messages to the Samba mailing lists, keep in mind that -you are sending your message to a large audience. The notes in the -previous section regarding Usenet postings also apply here. A -well-formulated question or comment is more likely to be answered, -and a poorly conceived message is <em class="emphasis">very</em> likely to -be ignored!</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-12-SECT-3.4"/> - -<h3 class="head2">Further Reading</h3> - -<ol><li> -<p>Hunt, Craig. <em class="emphasis">TCP/IP Network Administration</em>, -Third Edition. Sebastopol, CA: O'Reilly -& Associates, 1997.</p> -</li> -<li> -<p>Hunt, Craig, and Robert Bruce Thompson. <em class="emphasis">Windows NT TCP/IP -Network Administration</em>. Sebastopol, CA: -O'Reilly & Associates, 1998.</p> -</li> -<li> -<p>Albitz, Paul, and Cricket Liu. <em class="emphasis">DNS and Bind</em>, -Fourth Edition. Sebastopol, CA: O'Reilly -& Associates, 1998.</p> -</li> -<li> -<p>Stern, Hal. <em class="emphasis">Managing NFS and NIS</em>, Second -Edition. Sebastopol, CA: O'Reilly & Associates, -1991.<a name="INDEX-117"/></p> -</li></ol> - -</div> - - -</div> - -<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html> |