diff options
Diffstat (limited to 'docs/htmldocs/using_samba/ch12.html')
| -rw-r--r-- | docs/htmldocs/using_samba/ch12.html | 3341 |
1 files changed, 3341 insertions, 0 deletions
diff --git a/docs/htmldocs/using_samba/ch12.html b/docs/htmldocs/using_samba/ch12.html new file mode 100644 index 0000000000..6ba643fe73 --- /dev/null +++ b/docs/htmldocs/using_samba/ch12.html @@ -0,0 +1,3341 @@ +<html> +<body bgcolor="#ffffff"> + +<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76" +hspace="10" align="left" /> + +<h1 class="head0">Chapter 12. Troubleshooting Samba</h1> + + +<p><a name="INDEX-1"/><a name="INDEX-2"/>Samba is extremely robust. Once you have +everything set up the way you want, you'll probably +forget that it is running. When trouble occurs, it's +typically during installation or when you're trying +to reconfigure the server. Fortunately, a wide variety of resources +are available to diagnose these troubles. While we +can't describe in detail the solution to every +problem you might encounter, you should be able to get a good start +at resolving the problem by following the advice given in this +chapter.</p> + +<p>The first section of this chapter lists the tool bag, a collection of +tools available for troubleshooting Samba; the second section is a +detailed how-to; the last section lists extra resources to track down +particularly stubborn problems.</p> + + + +<div class="sect1"><a name="samba2-CHP-12-SECT-1"/> + +<h2 class="head1">The Tool Box</h2> + +<p><a name="INDEX-3"/><a name="INDEX-4"/>Sometimes Unix +seems to be made up of a grab bag of applications and tools. There +are tools to troubleshoot tools. And of course, there are several +ways to accomplish the same task. When trying to solve a problem +related to Samba, a good plan of attack is to use the following:</p> + +<ul><li> +<p>Samba logs</p> +</li><li> +<p>Samba test utilities</p> +</li><li> +<p>Unix utilities</p> +</li><li> +<p>Fault tree</p> +</li><li> +<p>Documentation and FAQs</p> +</li><li> +<p>Samba newsgroups</p> +</li><li> +<p>Searchable mailing list archives</p> +</li></ul> +<p>Let's go over each of these one-by-one in the +following sections.</p> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-1.1"/> + +<h3 class="head2">Samba Logs</h3> + +<p><a name="INDEX-5"/><a name="INDEX-6"/>Your first line of attack should always +be to check the log files. The Samba log files can help diagnose the +vast majority of the problems faced by beginning- to +intermediate-level Samba administrators. Samba is quite flexible when +it comes to logging. You can set up the server to log as little or as +much information as you want. Using substitution variables in the +Samba configuration file allows you to isolate individual logs for +each system, share, or combination thereof.</p> + +<p>Logs are placed in <em class="filename">/usr/local/samba/var/smbd.log</em> +and <em class="filename">/usr/local/samba/var/nmbd.log</em> by default. +You can specify a log directory to use with the +<em class="emphasis">-l</em> flag on the command line when starting the +Samba daemons. For example:</p> + +<blockquote><pre class="code"># <tt class="userinput"><b>smbd -l /var/log/samba</b></tt> +# <tt class="userinput"><b>nmbd -l /var/log/samba</b></tt></pre></blockquote> + +<p>Alternatively, you can override the location and name using the +<tt class="literal">log</tt><a name="INDEX-7"/> <tt class="literal">file</tt> configuration +option in <em class="filename">smb.conf</em>. This option accepts all the +substitution variables, so you could easily have the server keep a +separate log for each connecting client system by specifying the +following:</p> + +<blockquote><pre class="code">[global] + log file = %m.log</pre></blockquote> + +<p>Another useful trick is to have the server keep a log for each +service (share) that is offered, especially if you suspect a +particular share is causing trouble. To do this, use the +<tt class="literal">%S</tt> variable, like this:</p> + +<blockquote><pre class="code">[global] + log file = %S.log</pre></blockquote> + + +<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.1"/> + +<h3 class="head3">Log levels</h3> + +<p><a name="INDEX-8"/>The level of logging that Samba uses +can be set in the <em class="filename">smb.conf</em> file using the global +<tt class="literal">log</tt> <tt class="literal">level</tt> or +<tt class="literal">debug</tt> <tt class="literal">level</tt> option; they are +equivalent. The logging level is an integer that can range from 0 to +10. At level 0, no logging is done. Higher values result in more +voluminous logging. For example, let's assume that +we will use a Windows client to browse a directory on a Samba server. +For a small amount of log information, you can use +<tt class="literal">log</tt> <tt class="literal">level</tt> <tt class="literal">=</tt> +<tt class="literal">1</tt>, which instructs Samba to show only cursory +information, in this case only the connection itself:</p> + +<blockquote><pre class="code">05/25/02 22:02:11 server (192.168.236.86) connect to service public as user pcguest +(uid=503,gid=100) (pid 3377)</pre></blockquote> + +<p>Higher debug levels produce more detailed information. Usually, you +won't need more than level 3, which is fully +adequate for most Samba administrators. Levels above 3 are used by +the developers and dump enormous amounts of cryptic information.</p> + +<p>Here is an example of output at levels 2 and 3 for the same +operation. Don't worry if you don't +understand the intricacies of an SMB connection; the point is simply +to show you what types of information are shown at the different +<a name="INDEX-9"/>logging levels:</p> + +<blockquote><pre class="code"> /* Level 2 */ +Got SIGHUP +Processing section "[homes]" +Processing section "[public]" +Processing section "[temp]" +Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$ +Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/ + + +/* Level 3 */ +05/25/02 22:15:09 Transaction 63 of length 67 +switch message SMBtconX (pid 3377) +Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$ +ACCEPTED: guest account and guest ok +found free connection number 105 +Connect path is /tmp +chdir to /tmp +chdir to / +05/25/02 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest +(uid=503,gid=100) (pid 3377) +05/25/02 22:15:09 tconX service=ipc$ user=pcguest cnum=105 +05/25/02 22:15:09 Transaction 64 of length 99 +switch message SMBtrans (pid 3377) +chdir to /tmp +trans <\PIPE\LANMAN> data=0 params=19 setup=0 +Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8) +Doing RNetShareEnum +RNetShareEnum gave 4 entries of 4 (1 4096 126 4096) +05/25/02 22:15:11 Transaction 65 of length 99 +switch message SMBtrans (pid 3377) +chdir to / +chdir to /tmp +trans <\PIPE\LANMAN> data=0 params=19 setup=0 +Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8) +Doing RNetShareEnum +RNetShareEnum gave 4 entries of 4 (1 4096 126 4096) +05/25/02 22:15:11 Transaction 66 of length 95 +switch message SMBtrans2 (pid 3377) +chdir to / +chdir to /pcdisk/public +call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end += 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432 +unix_clean_name [./DESKTOP.INI] +unix_clean_name [desktop.ini] +unix_clean_name [./] +creating new dirptr 1 for path ./, expect_close = 1 +05/25/02 22:15:11 Transaction 67 of length 53 +switch message SMBgetatr (pid 3377) +chdir to / + +<i class="lineannotation">[... deleted ...]</i></pre></blockquote> + +<p>We cut off this listing after the first packet because it runs on for +many pages. However, be aware that log levels above 3 will quickly +consume disk space with megabytes of excruciating detail concerning +Samba's internal operations. Log level 3 is +extremely useful for following exactly what the server is doing, and +most of the time it will be obvious where an error occurs by glancing +through the log file.</p> + +<p>Using a high log level (3 or above) will +<em class="emphasis">seriously</em> slow down the Samba server. Remember +that every log message generated causes a write to disk (an +inherently slow operation) and log levels greater than 2 produce +massive amounts of data. Essentially, you should turn on logging +level 3 only when you're actively tracking a problem +in the Samba server. <a name="INDEX-10"/></p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.2"/> + +<h3 class="head3">Activating and deactivating logging</h3> + +<p><a name="INDEX-11"/><a name="INDEX-12"/>To turn logging on and off, +set the appropriate level in the <tt class="literal">[global]</tt> section +of <em class="filename">smb.conf</em>. Then, you can either restart Samba +or force the current daemon to reprocess the configuration file by +sending it a hangup (HUP) signal. You also can send the +<em class="emphasis">smbd</em> process a SIGUSR1 signal to increase its +log level by one while it's running, like this:</p> + +<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR1 1234</b></tt></pre></blockquote> + +<p>or a SIGUSR2 signal to decrease it by one:</p> + +<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR2 1234</b></tt></pre></blockquote> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.3"/> + +<h3 class="head3">Logging by individual client systems or users</h3> + +<p>An effective way to diagnose problems without hampering other users +is to assign different log levels for different systems in the +<tt class="literal">[global]</tt> section of the +<em class="filename">smb.conf</em> file. We can do this by building on the +strategy we presented earlier:</p> + +<blockquote><pre class="code">[global] + log level = 0 + log file = /usr/local/samba/var/log.%m + include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote> + +<p>These options instruct Samba to use unique configuration and log +files for each client that connects. Now all you have to do is create +an <em class="filename">smb.conf</em> file for a specific client system +with a <tt class="literal">log</tt> <tt class="literal">level</tt> +<tt class="literal">=</tt> <tt class="literal">3</tt> entry in it (the others +will pick up the default log level of 0) and use that log file to +track down the problem.</p> + +<p>Similarly, if only particular users are experiencing a +problem—and it travels from system to system with +them—you can isolate logging to a specific user by adding the +following to the <em class="filename">smb.conf</em> file:</p> + +<blockquote><pre class="code">[global] + log level = 0 + log file = /usr/local/samba/var/log.%u + include = /usr/local/samba/lib/smb.conf.%u</pre></blockquote> + +<p>Then you can create a unique <em class="filename">smb.conf</em> file for +each user you wish to monitor (e.g., +<em class="filename">/usr/local/samba/lib/smb.conf.tim</em>). Files +containing the configuration option <tt class="literal">log</tt> +<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">3</tt> +and only those users will get more detailed logging.<a name="INDEX-13"/><a name="INDEX-14"/></p> + + +</div> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-1.2"/> + +<h3 class="head2">Samba Test Utilities</h3> + +<p><a name="INDEX-15"/><a name="INDEX-16"/>A rigorous set of tests that exercise +the major parts of Samba are described in various files in the +<em class="emphasis">/docs/textdocs</em> directory of the Samba +distribution kit, starting with <em class="emphasis">DIAGNOSIS.txt</em>. +The fault tree in this chapter is a more detailed version of the +basic tests suggested by the Samba Team, but it covers only +installation and reconfiguration diagnosis, such as +<em class="emphasis">DIAGNOSIS.txt</em>. The other files in the +<em class="emphasis">/docs</em> subdirectories address specific problems +and instruct you how to troubleshoot items not included in this book. +If the fault tree doesn't suffice, be sure to look +at +<em class="emphasis">DIAGNOSIS.txt</em><a name="INDEX-17"/> +and its friends.</p> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-1.3"/> + +<h3 class="head2">Unix Utilities</h3> + +<p>Sometimes it's useful to use a tool outside the +Samba suite to examine what's happening inside the +server. Three diagnostic tools can be of particular help in debugging +Samba troubles: <em class="emphasis">trace</em>, +<em class="emphasis">tcpdump</em>, and <em class="emphasis">Ethereal</em>.</p> + + +<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.1"/> + +<h3 class="head3">Using trace</h3> + +<p>The <em class="emphasis">trace</em><a name="INDEX-18"/> command masquerades under several +different names, depending on the operating system you are using. On +Linux it will be +<em class="emphasis">strace</em><a name="INDEX-19"/>; on Solaris you'll use +<em class="emphasis">truss</em><a name="INDEX-20"/>; SGI will have +<em class="emphasis">padc</em><a name="INDEX-21"/> and +<em class="emphasis">par</em><a name="INDEX-22"/>; and HP-UX will have +<em class="emphasis">trace</em> or +<em class="emphasis">tusc</em><a name="INDEX-23"/>. All have essentially the same +function, which is to display each operating system function call as +it is executed. This allows you to follow the execution of a program, +such as the Samba server, and often pinpoints the exact call that is +causing the difficulty.</p> + +<p>One problem that <em class="emphasis">trace</em> can highlight is an +incorrect version of a dynamically linked library. This can happen if +you've downloaded prebuilt binaries of Samba. +You'll typically see the offending call at the end +of the <em class="emphasis">trace</em>, just before the program +terminates.</p> + +<p>A sample <em class="emphasis">strace</em> output for the Linux operating +system follows. This is a small section of a larger file created +during the opening of a directory on the Samba server. Each line +lists a system call and includes its parameters and the return value. +If there was an error, the error value (e.g., +<tt class="literal">ENOENT</tt>) and its explanation are also shown. You +can look up the parameter types and the errors that can occur in the +appropriate <em class="emphasis">trace</em> manual page for the operating +system you are using.</p> + +<blockquote><pre class="code">chdir("/pcdisk/public") = 0 +stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory) +stat("mini", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 +stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory) +open("mini", O_RDONLY) = 5 +fcntl(5, F_SETFD, FD_CLOEXEC) = 0 +fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0 +lseek(5, 0, SEEK_CUR) = 0 +SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196 +lseek(5, 0, SEEK_CUR) = 1024 +SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0 +close(5) = 0 +stat("mini/desktop.ini", 0xbffff86c) = -1 ENOENT (No such file or directory) +write(3, "\0\0\0#\377SMB\10\1\0\2\0\200\1\0"..., 39) = 39 +SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1 +read(3, "\0\0\0?", 4) = 4 +read(3, "\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0"..., 63) = 63 +time(NULL) = 896143871</pre></blockquote> + +<p>This example shows several <em class="emphasis">stat() calls</em> failing +to find the files they were expecting. You don't +have to be an expert to see that the file +<em class="emphasis">desktop.ini</em> is missing from that directory. In +fact, many difficult problems can be identified by looking for +obvious, repeatable errors with <em class="emphasis">trace</em>. Often, +you need not look further than the last message before a crash.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.2"/> + +<h3 class="head3">Using tcpdump</h3> + +<p>The <em class="emphasis">tcpdump</em><a name="INDEX-24"/> program, as extended by Andrew +<a name="INDEX-25"/>Tridgell, +allows you to monitor SMB <a name="INDEX-26"/>network +traffic in real time. A variety of output formats are available, and +you can filter the output to look at only a particular type of +traffic. You can examine all conversations between client and server, +including SMB and NMB broadcast messages. While its troubleshooting +capabilities lie mainly at the OSI network layer, you can still use +its output to get a general idea of what the server and client are +attempting to do.</p> + +<p>A sample <em class="emphasis">tcpdump</em> log follows. In this instance, +the client has requested a directory listing, and the server has +responded appropriately, giving the directory names +<tt class="literal">homes</tt>, <tt class="literal">public</tt>, +<tt class="literal">IPC$</tt>, and <tt class="literal">temp</tt> +(we've added a few explanations on the right):</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>tcpdump -v -s 255 -i eth0 port not telnet</b></tt> +SMB PACKET: SMBtrans (REQUEST) <i class="lineannotation"> Request packet</i> +SMB Command = 0x25 <i class="lineannotation">Request was ls or dir</i> + +[000] 01 00 00 10 <i class="lineannotation">....</i> + + +>>> NBT Packet <i class="lineannotation">Outer frame of SMB packet</i> +NBT Session Packet +Flags=0x0 +Length=226 +[lines skipped] + +SMB PACKET: SMBtrans (REPLY) <i class="lineannotation">Beginning of a reply to request</i> +SMB Command = 0x25 <i class="lineannotation">Command was an ls or dir</i> +Error class = 0x0 +Error code = 0 <i class="lineannotation">No errors</i> +Flags1 = 0x80 +Flags2 = 0x1 +Tree ID = 105 +Proc ID = 6075 +UID = 100 +MID = 30337 +Word Count = 10 +TotParamCnt=8 +TotDataCnt=163 +Res1=0 +ParamCnt=8 +ParamOff=55 +Res2=0 +DataCnt=163 +DataOff=63 +Res3=0 +Lsetup=0 +Param Data: (8 bytes) +[000] 00 00 00 00 05 00 05 00 ........ + +Data Data: (135 bytes) <i class="lineannotation">Actual directory contents:</i> +[000] 68 6F 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 homes... ........ +[010] 64 00 00 00 70 75 62 6C 69 63 00 00 00 00 00 00 d...publ ic...... +[020] 00 00 00 00 75 00 00 00 74 65 6D 70 00 00 00 00 ....u... temp.... +[030] 00 00 00 00 00 00 00 00 76 00 00 00 49 50 43 24 ........ v...IPC$ +[040] 00 00 00 00 00 00 00 00 00 00 03 00 77 00 00 00 ........ ....w... +[050] 64 6F 6E 68 61 6D 00 00 00 00 00 00 00 00 00 00 donham.. ........ +[060] 92 00 00 00 48 6F 6D 65 20 44 69 72 65 63 74 6F ....Home Directo +[070] 72 69 65 73 00 00 00 49 50 43 20 53 65 72 76 69 ries...I PC Servi +[080] 63 65 20 28 53 61 6D ce (Sam</pre></blockquote> + +<p>This is more of the same debugging session as we saw before with the +<em class="emphasis">trace</em> command: the listing of a directory. The options +we used were <em class="emphasis">-v</em> (verbose), <em class="emphasis">-i +eth0</em> to tell <em class="emphasis">tcpdump</em> on which +interface to listen (an Ethernet port), and <em class="emphasis">-s +255</em> to tell it to save the first 255 bytes of each packet +instead of the default: the first 68. The option +<tt class="literal">port</tt> <tt class="literal">not</tt> +<tt class="literal">telnet</tt> is used to avoid screens of telnet traffic, +because we were logged in to the server remotely. The +<em class="emphasis">tcpdump</em> program actually has quite a number of +options to filter just the traffic you want to look at. If +you've used <em class="emphasis">snoop</em> or +<em class="emphasis">etherdump</em>, it will look vaguely familiar.</p> + +<p>You can download the modified <em class="emphasis">tcpdump</em> from the +Samba FTP server, located at +<a href="ftp://samba.anu.edu.au/pub/samba/tcpdump-smb">ftp://samba.anu.edu.au/pub/samba/tcpdump-smb</a>. +Other versions might not include support for the SMB protocol; if you +don't see output such as that shown in the example, +you'll need to use the SMB-enabled version.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.3"/> + +<h3 class="head3">Using Ethereal</h3> + +<p><a name="INDEX-27"/>Ethereal (<a href="http://www.ethereal.com">http://www.ethereal.com</a>) is a GUI-based +utility that performs the same basic function as +<em class="emphasis">tcpdump</em>. You might prefer Ethereal because it is +much easier to use. Once you have Ethereal running, just do the +following:</p> + +<ol><li> +<p>Select Start from the Capture menu.</p> +</li><li> +<p>Click the OK button in the dialog box that appears. This will bring +up a dialog box showing how many packets Ethereal has seen. Perform +the actions on the system(s) in your network to reproduce the problem +you are analyzing.</p> +</li><li> +<p>Click the Stop button in the Ethereal dialog box to make it finish +collecting data.</p> +</li><li> +<p>In the main Ethereal window, click any item in the upper window to +view it in the lower window. In the lower window, click any of the +boxes containing a plus sign (<tt class="literal">+</tt>) to expand the +view.</p> +</li></ol> +<p>Ethereal does a good job of translating the content of the packets it +encounters into human-readable format, and you should have little +trouble seeing what happened on the network during the capture +period. <a name="INDEX-28"/><a name="INDEX-29"/></p> + + +</div> + + +</div> + + +</div> + + + +<div class="sect1"><a name="samba2-CHP-12-SECT-2"/> + +<h2 class="head1">The Fault Tree</h2> + +<p><a name="INDEX-30"/><a name="INDEX-31"/><a name="INDEX-32"/><a name="INDEX-33"/>The fault +tree presented in this section is for diagnosing and fixing problems +that occur when you're installing and reconfiguring +Samba. It's an expanded form of the trouble and +diagnostic document <em class="filename">DIAGNOSIS.txt</em>, which is part +of the Samba distribution.</p> + +<p>Before you set out to troubleshoot any part of the Samba suite, you +should know the following information:</p> + +<ul><li> +<p>Your client IP address (we use 192.168.236.10)</p> +</li><li> +<p>Your server IP address (we use 192.168.236.86)</p> +</li><li> +<p>The netmask for your network (typically 255.255.255.0)</p> +</li><li> +<p>Whether the systems are all on the same subnet (ours are)</p> +</li></ul> +<p>For clarity, we've renamed the server in the +following examples to <tt class="literal">server.example.com</tt>, and the +client system to <tt class="literal">client.example.com</tt>.</p> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-2.1"/> + +<h3 class="head2">How to Use the Fault Tree</h3> + +<p>Start the tests here, without skipping forward; it +won't take long (about 5 minutes) and might actually +save you time backtracking. Whenever a test succeeds, you will be +given a name of a section to which you can safely skip.</p> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-2.2"/> + +<h3 class="head2">Troubleshooting Low-Level IP</h3> + +<p><a name="INDEX-34"/>The +first series of tests is that of the low-level services that Samba +needs to run. The tests in this section verify that:</p> + +<ul><li> +<p>The IP software works</p> +</li><li> +<p>The Ethernet hardware works</p> +</li><li> +<p>Basic name service is in place</p> +</li></ul> +<p>Subsequent sections add TCP software, the Samba daemons +<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>, host-based +access control, authentication and per-user access control, file +services, and browsing. The tests are described in considerable +detail to make them understandable by both technically oriented end +users and experienced systems and network administrators.</p> + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.1"/> + +<h3 class="head3">Testing the networking software with ping</h3> + +<p><a name="INDEX-35"/>The first command to enter +on both the server and the client is +<tt class="literal">ping</tt><a name="INDEX-36"/><a name="INDEX-37"/> +<tt class="literal">127.0.0.1</tt>. This pings the loopback address and +indicates whether any networking support is functioning. On Unix, you +can use <tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> with the +statistics option and interrupt it after a few lines. On Sun +workstations, the command is typically +<tt class="literal">/usr/etc/ping</tt> <tt class="literal">-s</tt> +<tt class="literal">127.0.0.1</tt>; on Linux, just <tt class="literal">ping</tt> +<tt class="literal">127.0.0.1</tt>. On Windows clients, run +<tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> in an MS-DOS +(command prompt) window, and it will stop by itself after four lines.</p> + +<p>Here is an example on a Linux server:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>ping 127.0.0.1 </b></tt> +PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): +icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=2. time=1. ms ^C +----127.0.0.1 PING Statistics---- +3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) +min/avg/max = 0/0/1</pre></blockquote> + +<p>If you get "ping: no answer from . . . +" or "100% packet +loss," you have no IP networking installed on the +system. The address <tt class="literal">127.0.0.1</tt> is the internal +loopback address and doesn't depend on the computer +being physically connected to a network. If this test fails, you have +a serious local problem. TCP/IP either isn't +installed or is seriously misconfigured. See your operating system +documentation if it's a Unix server. If +it's a Windows client, follow the instructions in +<a href="ch03.html">Chapter 3</a> to install networking support.</p> + +<a name="samba2-CHP-12-NOTE-155"/><blockquote class="note"><h4 class="objtitle">TIP</h4> +<p>If <em class="emphasis">you're</em> the network manager, +some good references are Craig Hunt's +<em class="emphasis">TCP/IP Network Administration</em>, Chapter 11, and Craig Hunt and Robert Bruce +Thompson's <em class="emphasis">Windows NT TCP/IP Network +Administration</em>, both published by +O'Reilly.</p> +</blockquote> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.2"/> + +<h3 class="head3">Testing local name services with ping</h3> + +<p><a name="INDEX-38"/>Next, try to ping +<tt class="literal">localhost</tt> on the Samba server. The +<tt class="literal">localhost</tt> hostname is the conventional hostname +for the <tt class="literal">127.0.0.1</tt> loopback interface, and it +should resolve to that address. After typing <tt class="literal">ping</tt> +<tt class="literal">localhost</tt>, you should see output similar to the +following:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>ping localhost </b></tt> +PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1): +icmp-seq=0. time=0. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1): +icmp-seq=2. time=0. ms ^C</pre></blockquote> + +<p>If this succeeds, try the same test on the client. Otherwise:</p> + +<ul><li> +<p>If you get "unknown host: +localhost," there is a problem resolving the +hostname <em class="filename">localhost</em> into a valid IP address. +(This might be as simple as a missing entry in a local +<em class="emphasis">hosts</em> file.) From here, skip down to +<a href="ch03.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a> later in this chapter.</p> +</li><li> +<p>If you get "ping: no answer," or +"100% packet loss," but pinging +<tt class="literal">127.0.0.1</tt> worked, name services is resolving to an +address, but it isn't the correct one. Check the +file or database (typically <em class="filename">/etc/hosts</em> on a Unix +system) that the name service is using to resolve addresses to ensure +that the entry is correct.</p> +</li></ul> + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.3"/> + +<h3 class="head3">Testing the networking hardware with ping</h3> + +<p><a name="INDEX-39"/>Next, ping the +server's network IP address from itself. This should +get you exactly the same results as pinging +<tt class="literal">127.0.0.1</tt>:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>ping 192.168.236.86 </b></tt> +PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86): +icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86): +icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86): +icmp-seq=2. time=1. ms ^C +----192.168.236.86 PING Statistics---- +3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) +min/avg/max = 0/0/1</pre></blockquote> + +<p>If this works on the server, repeat it for the client. Otherwise:</p> + +<ul><li> +<p>If <tt class="literal">ping</tt> <em class="replaceable">network_ip</em> +fails on either the server or client, but <tt class="literal">ping</tt> +<tt class="literal">127.0.0.1</tt> works on that system, you have a TCP/IP +problem that is specific to the Ethernet network interface card on +the computer. Check with the documentation for the network card or +host operating system to determine how to configure it correctly. +However, be aware that on some operating systems, the +<em class="emphasis">ping</em> command appears to work even if the network +is disconnected, so this test doesn't always +diagnose all hardware problems.</p> +</li></ul> + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.4"/> + +<h3 class="head3">Testing connections with ping</h3> + +<p><a name="INDEX-40"/>Now, ping the server by name (instead +of its IP address)—once from the server and once from the +client. This is the general test for working network hardware:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>ping server </b></tt> +PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86): +icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86): +icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86): +icmp-seq=2. time=1. ms ^C +----server.example.com PING Statistics---- +3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms) +min/avg/max = 0/0/1</pre></blockquote> + +<p>If successful, this test tells us five things:</p> + +<ul><li> +<p>The hostname (e.g., <tt class="literal">server</tt>) is being found by your +local name server.</p> +</li><li> +<p>The hostname has been expanded to the full name (e.g., +<tt class="literal">server.example.com</tt>).</p> +</li><li> +<p>Its address is being returned (<tt class="literal">192.168.236.86</tt>).</p> +</li><li> +<p>The client has sent the Samba server four 56-byte UDP/IP packets.</p> +</li><li> +<p>The Samba server has replied to all four packets.</p> +</li></ul> +<p>If this test isn't successful, one of several things +can be wrong with the network:</p> + +<ul><li> +<p>First, if you get <tt class="literal">ping</tt>: <tt class="literal">no</tt> +<tt class="literal">answer</tt>, or <tt class="literal">100%</tt> +<tt class="literal">packet</tt> <tt class="literal">loss</tt>, +you're not connecting to the network, the other +system isn't connecting, or one of the addresses is +incorrect. Check the addresses that the <em class="emphasis">ping</em> +command reports on each system, and ensure that they match the ones +you set up initially.</p> + +<p>If not, there is at least one mismatched address between the two +systems. Try entering the command <tt class="literal">arp</tt> +<tt class="literal">-a</tt>, and see if there is an entry for the other +system. (The <em class="emphasis">arp</em> command stands for the Address +Resolution Protocol. The <tt class="literal">arp</tt> <tt class="literal">-a</tt> +command lists all the addresses known on the local system.) Here are +some things to try:</p> +<ul><li> +<p>If you receive a message like <tt class="literal">192.168.236.86</tt> +<tt class="literal">at</tt> <tt class="literal">(incomplete)</tt>, the Ethernet +address of 192.168.236.86 is unknown. This indicates a complete lack +of connectivity, and you're likely having a problem +at the very bottom of the TCP/IP protocol stack—the Ethernet +interface layer. This is discussed in Chapters 5 and 6 of +<em class="citetitle">TCP/IP Network Administration +</em>(O'Reilly).</p> +</li><li> +<p>If you receive a response similar to server +<tt class="literal">(192.168.236.86)</tt> <tt class="literal">at</tt> +<tt class="literal">8:0:20:12:7c:94</tt>, the server has been reached at +some time, or another system is answering on its behalf. However, +this means that <em class="emphasis">ping</em> should have worked: you may +have an intermittent networking or ARP problem.</p> +</li><li> +<p>If the IP address from ARP doesn't match the +addresses you expected, investigate and correct the addresses +manually.</p> +</li> +</ul> +</li> + +<li> +<p>If each system can ping itself but not another, something is wrong on +the network between them.</p> +</li><li> +<p>If you get <tt class="literal">ping</tt>: <tt class="literal">network</tt> +<tt class="literal">unreachable</tt> or <tt class="literal">ICMP</tt> +<tt class="literal">Host</tt> <tt class="literal">Unreachable</tt>, +you're not receiving an answer, and more than one +network is probably involved.</p> + +<p>In principle, you shouldn't try to troubleshoot SMB +clients and servers on different networks. Try to test a server and +client that are on the same network:</p> + +<ol><li> +<p>First, perform the tests for <tt class="literal">ping</tt>: +<tt class="literal">no</tt> <tt class="literal">answer</tt> described earlier in +this section. If this doesn't identify the problem, +the remaining possibilities are the following: an address is wrong, +your netmask is wrong, a network is down, or the packets have been +stopped by a firewall.</p> +</li> +<li> +<p>Check both the address and the netmasks on source and destination +systems to see if something is obviously wrong. Assuming both systems +really are on the same network, they both should have the same +netmasks, and <em class="emphasis">ping</em> should report the correct +addresses. If the addresses are wrong, you'll need +to correct them. If they are correct, the programs might be confused +by an incorrect netmask. See <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter.</p> +</li> +<li> +<p>If the commands are still reporting that the network is unreachable +and neither of the previous two conditions are in error, one network +really might be unreachable from the other. This, too, is an issue +for the network manager.</p> +</li></ol> +</li><li> +<p>If you get <tt class="literal">ICMP</tt> +<tt class="literal">Administratively</tt> <tt class="literal">Prohibited</tt>, +you've struck a firewall of some sort or a +misconfigured router. You will need to speak to your network security +officer.</p> +</li><li> +<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt> +<tt class="literal">redirect</tt> and <em class="emphasis">ping</em> reports +packets getting through, this is generally harmless: +you're simply being rerouted over the network.</p> +</li><li> +<p>If you get a host redirect and no <em class="emphasis">ping</em> +responses, you are being redirected, but no one is responding. Treat +this just like the <tt class="literal">Network</tt> +<tt class="literal">unreachable</tt> response, and check your addresses and +netmasks.</p> +</li><li> +<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt> +<tt class="literal">Unreachable</tt> <tt class="literal">from</tt> +<tt class="literal">gateway</tt> <tt class="literal">gateway</tt> +<tt class="literal">name</tt>, ping packets are being routed to another +network, but the other system isn't responding and +the router is reporting the problem on its behalf. Again, treat this +like a <tt class="literal">Network</tt> <tt class="literal">unreachable</tt> +response, and start checking addresses and netmasks.</p> +</li><li> +<p>If you get <tt class="literal">ping</tt>: <tt class="literal">unknown</tt> +<tt class="literal">host</tt> <tt class="literal">hostname</tt>, your +system's name is not known. This tends to indicate a +name service problem, which didn't affect +<tt class="literal">localhost</tt>. Have a look at <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p> +</li><li> +<p>If you get a partial success—with some pings failing but others +succeeding—you have either an intermittent problem between the +systems or an overloaded network. Ping a bit longer, and see if more +than about three percent of the packets fail. If so, check it with +your network manager: a problem might just be starting. However, if +only a few fail, or if you happen to know some massive network +program is running, don't worry unduly. The ICMP +(and UDP) protocols used by <em class="emphasis">ping</em> are allowed to +drop occasional packets.</p> +</li><li> +<p>If you get a response such as <tt class="literal">smtsvr.antares.net</tt> +<tt class="literal">is</tt> <tt class="literal">alive</tt> when you actually +pinged <tt class="literal">client.example.com</tt>, either +you're using someone else's address +or the system has multiple names and addresses. If the address is +wrong, the name service is clearly the culprit; +you'll need to change the address in the name +service database to refer to the correct system. This is discussed in +<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this +chapter.</p> + +<p>Servers are often <em class="emphasis">multihomed</em> —i.e., +connected to more than one network, with different names on each net. +If you are getting a response from an unexpected name on a multihomed +server, look at the address and see if it's on your +network (see <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter). If +so, you should use that address, rather than one on a different +network, for both performance and reliability reasons.</p> + +<p>Servers can also have multiple names for a single Ethernet address, +especially if they are web servers. This is harmless, albeit +startling. You probably will want to use the official (and permanent) +name, rather than an alias that might change.</p> +</li><li> +<p>If everything works but the IP address reported is +<tt class="literal">127.0.0.1</tt>, you have a name service error. This +typically occurs when an operating-system installation program +generates an <em class="filename">/etc/hosts</em> line similar to +<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> +<em class="emphasis">hostname.domainname</em>. The localhost line should +say <tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> or +<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> +<tt class="literal">loghost</tt>. Correct it, lest it cause failures to +negotiate who is the master browse list holder and who is the master +browser. It can also cause (ambiguous) errors in later tests.</p> +</li></ul> +<p>If this worked from the server, repeat it from the client. <a name="INDEX-41"/> +<a name="INDEX-42"/><a name="INDEX-43"/></p> + + +</div> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-2.3"/> + +<h3 class="head2">Troubleshooting TCP</h3> + +<p><a name="INDEX-44"/><a name="INDEX-45"/>Now that +you've tested IP, UDP, and a name service with +<em class="emphasis">ping</em>, it's time to test TCP. +Browsing and <em class="emphasis">ping</em> use ICMP and UDP; file and +print services (shares) use TCP. Both depend on IP as a lower layer, +and all four depend on name services. Testing TCP is most +conveniently done using the FTP program.</p> + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.3.1"/> + +<h3 class="head3">Testing TCP with FTP</h3> + +<p>Try connecting via FTP, once from the server to itself, and once from +the client to the server:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>ftp server</b></tt> +Connected to server.example.com. +220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready. + Name (server:davecb): +331 Password required for davecb. +Password: +230 User davecb logged in. + ftp><tt class="userinput"><b> quit </b></tt> +221 Goodbye.</pre></blockquote> + +<p>If this worked, skip to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>. Otherwise:</p> + +<ul><li> +<p>If you received the message <tt class="literal">server</tt>: +<tt class="literal">unknown</tt> <tt class="literal">host</tt>, name service has +failed. Go back to the corresponding <em class="emphasis">ping</em> step, +<a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>, and rerun those tests +to see why name lookup failed.</p> +</li><li> +<p>If you received <tt class="literal">ftp</tt>: <tt class="literal">connect</tt>: +<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the system +isn't running an FTP daemon. This is mildly unusual +on Unix servers. Optionally, you might try this test by connecting to +the system using <em class="emphasis">telnet</em> instead of +<em class="emphasis">ftp</em>; the messages are very similar, and +<em class="emphasis">telnet</em> uses TCP as well.</p> +</li><li> +<p>If there was a long pause, and then <tt class="literal">ftp</tt>: +<tt class="literal">connect</tt>: <tt class="literal">Connection</tt> +<tt class="literal">timed</tt> <tt class="literal">out</tt>, the system +isn't reachable. Return to <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>.</p> +</li><li> +<p>If you received <tt class="literal">530</tt> <tt class="literal">Logon</tt> +<tt class="literal">Incorrect</tt>, you connected successfully, but +you've just found a different problem. You likely +provided an incorrect username or password. Try again, making sure +you use your username from the Unix server and type your password +correctly.</p> +</li></ul> + +</div> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-2.4"/> + +<h3 class="head2">Troubleshooting Server Daemons</h3> + +<p><a name="INDEX-46"/>Once +you've confirmed that TCP networking is working +properly, the next step is to make sure the daemons are running on +the server. This takes three separate tests because no single one of +the following will decisively prove that they're +working correctly.</p> + +<p>To be sure they're running, you need to find out +whether the daemons:</p> + +<ol><li> +<p>Have started</p> +</li><li> +<p>Are registered or bound to a TCP/IP port by the operating system</p> +</li><li> +<p>Are actually paying attention</p> +</li></ol> + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.1"/> + +<h3 class="head3">Tracking daemon startup</h3> + +<p><a name="INDEX-47"/>First, check the Samba logs. If +you've started the daemons, the message +<tt class="literal">smbd</tt> <tt class="literal">version</tt> +<tt class="literal">number</tt> <tt class="literal">started</tt> should appear. +If it doesn't, you need to restart the Samba +daemons.</p> + +<p>If the daemon reports that it has indeed started, look out for +<tt class="literal">bind</tt> <tt class="literal">failed</tt> +<tt class="literal">on</tt> <tt class="literal">port</tt> <tt class="literal">139</tt> +<tt class="literal">socket_addr=0</tt> <tt class="literal">(Address</tt> +<tt class="literal">already</tt> <tt class="literal">in</tt> +<tt class="literal">use)</tt>. This means another daemon has been started +on port 139 (<em class="emphasis">smbd</em> ). Also, +<em class="emphasis">nmbd</em> will report a similar failure if it cannot +bind to port 137. Either you've started them twice, +or the <em class="emphasis">inetd</em> server has tried to provide a +daemon for you. If it's the latter, +we'll diagnose that in a moment.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.2"/> + +<h3 class="head3">Looking for daemon processes with ps</h3> + +<p><a name="INDEX-48"/>Another way to make sure the daemons are +running is to check their processes on the system. Use the +<em class="emphasis">ps</em><a name="INDEX-49"/> command on the server with the +"long" option for your system type +(commonly <tt class="literal">ps</tt> <tt class="literal">ax</tt> or +<tt class="literal">ps</tt> <tt class="literal">-ef</tt>), and see whether +<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> are already +running. This often looks like the following:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>ps ax</b></tt> + PID TTY STAT TIME COMMAND + 1 ? S 0:03 init [2] + 2 ? SW 0:00 (kflushd) +<i class="lineannotation">(...many lines of processes...) </i> + 234 ? S 0:14 nmbd -D3 + 237 ? S 0:11 smbd -D3 +<i class="lineannotation">(...more lines, possibly including more smbd lines...)</i></pre></blockquote> + +<p>This example illustrates that <em class="emphasis">smbd</em> and +<em class="emphasis">nmbd</em> have already started as standalone daemons +(the <em class="emphasis">-D</em> option) at log level 3.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.3"/> + +<h3 class="head3">Looking for daemons bound to ports</h3> + +<p><a name="INDEX-50"/>Next, the daemons have to be registered +with the operating system so that they can get access to TCP/IP +ports. The <em class="emphasis">netstat</em> command will tell you if this +has been done. Run the command <tt class="literal">netstat</tt> +<tt class="literal">-a</tt> on the server, and look for lines mentioning +<tt class="literal">netbios</tt>, <tt class="literal">137</tt>, or +<tt class="literal">139</tt>:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>netstat -a </b></tt> +Active Internet connections (including servers) +Proto Recv-Q Send-Q Local Address Foreign Address (state) +udp 0 0 *.137 *.* +tcp 0 0 *.139 *.* LISTEN +tcp 8370 8760 server.139 client.1439 ESTABLISHED</pre></blockquote> + +<p>Among similar lines, there should be at least one UDP line for +<tt class="literal">*.netbios-</tt> or <tt class="literal">*.137</tt>. This +indicates that the <em class="emphasis">nmbd</em> server is registered and +(we hope) is waiting to answer requests. There should also be at +least one TCP line mentioning <tt class="literal">*.netbios-</tt> or +<tt class="literal">*.139</tt>, and it will probably be in the LISTEN +state. This means that <em class="emphasis">smbd</em> is up and listening +for connections.</p> + +<p>There might be other TCP lines indicating connections from +<em class="emphasis">smbd</em> to clients, one for each client. These are +usually in the ESTABLISHED state. If there are +<em class="emphasis">smbd</em> lines in the ESTABLISHED state, +<em class="emphasis">smbd</em> is definitely running. If there is only one +line in the LISTEN state, we're not sure yet. If +both of the lines are missing, a daemon has not succeeded in +starting, so it's time to check the logs and then go +back to <a href="ch02.html">Chapter 2</a>.</p> + +<p>If there is a line for each client, it might be coming either from a +Samba daemon or from the master IP daemon, +<em class="emphasis">inetd</em>. It's quite possible that +your <em class="emphasis">inetd</em> startup file contains lines that +start Samba daemons without your realizing it; for instance, the +lines might have been placed there if you installed Samba as part of +a Linux distribution. The daemons started by +<em class="emphasis">inetd</em> prevent ours from running. This problem +typically produces log messages such as <tt class="literal">bind</tt> +<tt class="literal">failed</tt> <tt class="literal">on</tt> +<tt class="literal">port</tt> <tt class="literal">139</tt> +<tt class="literal">socket</tt> <tt class="literal">addr=0</tt> +<tt class="literal">(Address</tt> <tt class="literal">already</tt> +<tt class="literal">in</tt> <tt class="literal">use)</tt>.</p> + +<p>Check your <em class="filename">/etc/inetd.conf</em> ; unless +you're intentionally starting the daemons from +there, <tt class="literal">netbios-ns</tt> (UDP port 137) or +<tt class="literal">netbios-ssn</tt> (tcp port 139) servers should be +mentioned there. If your system is providing an SMB daemon via +<em class="emphasis">inetd</em>, lines such as the following will appear +in the <em class="filename">inetd.conf</em> file:</p> + +<blockquote><pre class="code">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd +netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre></blockquote> + +<p>If your system uses <em class="emphasis">xinetd</em> instead of +<em class="emphasis">inetd</em>, see <a href="ch02.html">Chapter 2</a> for +details concerning its configuration.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.4"/> + +<h3 class="head3">Checking smbd with telnet</h3> + +<p><a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>Ironically, the easiest way to test that +the <em class="emphasis">smbd</em> server is actually working is to send +it a meaningless message and see if it is rejected. Try something +such as the following:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>echo "hello" | telnet localhost 139 </b></tt> +Trying +Trying 192.168.236.86 ... +Connected to localhost. Escape character is '^]'. +Connection closed by foreign host.</pre></blockquote> + +<p>This sends an erroneous but harmless message to +<em class="emphasis">smbd</em>. If you get a <tt class="literal">Connected</tt> +message followed by a <tt class="literal">Connection</tt> +<tt class="literal">closed</tt> message, the test was a success. You have +an <em class="emphasis">smbd</em> daemon listening on the port and +rejecting improper connection messages. On the other hand, if you get +<tt class="literal">telnet</tt>: <tt class="literal">connect</tt>: +<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, most likely +no daemon is present. Check the logs and go back to <a href="ch02.html">Chapter 2</a>.</p> + +<p>Regrettably, there isn't an easy test for +<em class="emphasis">nmbd</em>. If the <em class="emphasis">telnet</em> test +and the <em class="emphasis">netstat</em> test both say that an +<em class="emphasis">smbd</em> is running, there is a good chance that +<em class="emphasis">netstat</em> will also be correct about +<em class="emphasis">nmbd</em> running.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.5"/> + +<h3 class="head3">Testing daemons with testparm</h3> + +<p><a name="INDEX-54"/><a name="INDEX-55"/>Once you know +there's a daemon, you should always run +<em class="emphasis">testparm</em>, in hopes of getting something such as +the following:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>testparm </b></tt> +Load smb config files from /opt/samba/lib/smb.conf +Processing section "[homes]" +Processing section "[printers]" ... +Processing section "[tmp]" +Loaded services file OK. ...</pre></blockquote> + +<p>The <em class="emphasis">testparm</em> program normally reports the +processing of a series of sections and responds with +<tt class="literal">Loaded</tt> <tt class="literal">services</tt> +<tt class="literal">file</tt> <tt class="literal">OK</tt> if it succeeds. If not, +it reports one or more of the following messages, which also appear +in the logs as noted:</p> + +<dl> +<dt><b>Allow/Deny connection from account (n) to service</b></dt> +<dd> +<p>A <em class="emphasis">testparm</em>-only message produced if you have +<tt class="literal">valid</tt> <tt class="literal">user</tt> or +<tt class="literal">invalid</tt> <tt class="literal">user</tt> options set in +your <em class="emphasis">smb.conf</em>. You will want to make sure that +you are on the valid user list, and that <tt class="literal">root</tt>, +<tt class="literal">bin</tt>, etc., are on the invalid user list. If you +don't, you will not be able to connect, or users who +shouldn't <em class="emphasis">will</em> be able to.</p> +</dd> + + + +<dt><b>Warning: You have some share names that are longer than eight chars</b></dt> +<dd> +<p>For anyone using Windows for Workgroups and older clients. They fail +to connect to shares with long names, producing an overflow message +that sounds confusingly like a memory overflow.</p> +</dd> + + + +<dt><b>Warning: [name] service MUST be printable!</b></dt> +<dd> +<p>A printer share lacks a <tt class="literal">printable</tt> +<tt class="literal">=</tt> <tt class="literal">yes</tt> option.</p> +</dd> + + + +<dt><b>No path in service name using [name]</b></dt> +<dd> +<p>A file share doesn't know which directory to provide +to the user, or a print share doesn't know which +directory to use for spooling. If no path is specified, the service +will try to run with a path of <em class="emphasis">/tmp</em>, which might +not be what you want.</p> +</dd> + + + +<dt><b>Note: Servicename is flagged unavailable</b></dt> +<dd> +<p>Just a reminder that you have used the <tt class="literal">available</tt> +<tt class="literal">=</tt> <tt class="literal">no</tt> option in a share.</p> +</dd> + + + +<dt><b>Can't find include file [name] </b></dt> +<dd> +<p>A configuration file referred to by an <tt class="literal">include</tt> +option did not exist. If you were including the file unconditionally, +this is an error and probably a serious one: the share will not have +the configuration you intended. If you were including it based on one +of the <tt class="literal">%</tt> variables, such as <tt class="literal">%a</tt> +(architecture), you will need to decide whether, for example, a +missing Windows for Workgroups configuration file is a problem. It +often isn't.</p> +</dd> + + + +<dt><b>Can't copy service name, unable to copy to itself</b></dt> +<dd> +<p>You tried to copy an <em class="filename">smb.conf</em> section into +itself.</p> +</dd> + + + +<dt><b>Unable to copy service—source not found: [name]</b></dt> +<dd> +<p>Indicates a missing or misspelled section in a +<tt class="literal">copy</tt> <tt class="literal">=</tt> option.</p> +</dd> + + + +<dt><b>Ignoring unknown parameter name </b></dt> +<dd> +<p>Typically indicates an obsolete, misspelled, or unsupported option.</p> +</dd> + + + +<dt><b>Global parameter name found in service section </b></dt> +<dd> +<p>Indicates that a global-only parameter has been used in an individual +share. Samba ignores the parameter.</p> +</dd> + +</dl> + +<p>After the <em class="emphasis">testparm</em> test, repeat it with +(exactly) three parameters: the name of your +<em class="filename">smb.conf</em> file, the name of your client, and its +IP address:</p> + +<blockquote><pre class="code"># <tt class="userinput"><b>testparm /usr/local/samba/lib/smb.conf client 192.168.236.10</b></tt></pre></blockquote> + +<p>This will run one more test that checks the hostname and address +against <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and +<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options and might +produce the <tt class="literal">Allow</tt> <tt class="literal">connection</tt> +<tt class="literal">from</tt> <tt class="literal">hostname</tt> +<tt class="literal">to</tt> <tt class="literal">service</tt> and/or +<tt class="literal">Deny</tt> <tt class="literal">connection</tt> +<tt class="literal">from</tt> <tt class="literal">hostname</tt> +<tt class="literal">to</tt> <tt class="literal">service</tt> messages for the +client system. These messages indicate that you have +<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and/or +<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options in your +<em class="filename">smb.conf</em>, and they prohibit access from the +client system. <a name="INDEX-56"/></p> + + +</div> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-2.5"/> + +<h3 class="head2">Troubleshooting SMB Connections</h3> + +<p><a name="INDEX-57"/><a name="INDEX-58"/>Now +that you know the servers are up, you need to make sure +they're running properly. We start by placing a +simple <em class="filename">smb.conf</em> file in the +<em class="filename">/usr/local/samba/lib</em> directory.</p> + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.1"/> + +<h3 class="head3">A minimal smb.conf file</h3> + +<p>In the following tests, we assume you have a +<tt class="literal">[temp]</tt> share suitable for testing, plus at least +one account. An <em class="filename">smb.conf</em> file that includes just +these is as follows:</p> + +<blockquote><pre class="code">[global] + workgroup = <em class="replaceable">EXAMPLE</em> + security = user + browsable = yes + local master = yes +[homes] + guest ok = no + browsable = no +[temp] + path = /tmp + public = yes</pre></blockquote> +<a name="samba2-CHP-12-NOTE-156"/><blockquote class="note"><h4 class="objtitle">WARNING</h4> +<p>The <tt class="literal">public</tt> <tt class="literal">=</tt> +<tt class="literal">yes</tt> option in the <tt class="literal">[temp]</tt> share +is just for testing. You probably don't want people +without accounts storing things on your Samba server, so you should +comment it out when you're done.</p> +</blockquote> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.2"/> + +<h3 class="head3">Testing locally with smbclient</h3> + +<p><a name="INDEX-59"/><a name="INDEX-60"/>The first test is to ensure that the +server can list its own services (shares). Run the command +<tt class="literal">smbclient</tt> <em class="emphasis">-L</em> +<tt class="literal">localhost</tt> <tt class="literal">-U%</tt> to connect to the +server from itself, and specify the guest user. You should see the +following:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L localhost -U% </b></tt> +Server time is Wed May 27 17:57:40 2002 Timezone is UTC-4.0 +Server=[localhost] +User=[davecb] +Workgroup=[EXAMPLE] +Domain=[EXAMPLE] + Sharename Type Comment + --------- ----- ---------- + temp Disk + IPC$ IPC IPC Service (Samba 1.9.18) + homes Disk Home directories +This machine does not have a browse list</pre></blockquote> + +<p>If you received this output, move on to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>. On the other hand, if you +receive an error, check the following:</p> + +<ul><li> +<p>If you get <tt class="literal">Get_hostbyname</tt>: +<tt class="literal">unknown</tt> <tt class="literal">host</tt> +<tt class="literal">localhost</tt>, either you've spelled +its name wrong or there actually is a problem (which should have been +seen back in <a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>). In the +latter case, move on to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p> +</li><li> +<p>If you get <tt class="literal">Connect</tt> <tt class="literal">error</tt>: +<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the server +was found, but it wasn't running an +<em class="emphasis">nmbd</em> daemon. Skip back to +<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>, +earlier in this chapter, and retest the daemons.</p> +</li><li> +<p>If you get the message <tt class="literal">Your</tt> +<tt class="literal">server</tt> <tt class="literal">software</tt> +<tt class="literal">is</tt> <tt class="literal">being</tt> +<tt class="literal">unfriendly</tt>, the initial session request packet got +a garbage response from the server. The server might have crashed or +started improperly. The common causes of this can be discovered by +scanning the logs for the following:</p> +<ul><li> +<p>Invalid command-line parameters to <em class="emphasis">smbd</em> ; see +the <em class="emphasis">smbd</em> manual page.</p> +</li><li> +<p>A fatal problem with the <em class="filename">smb.conf</em> file that +prevents the startup of <em class="emphasis">smbd</em>. Always check your +changes with <em class="emphasis">testparm</em>, as was done in <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>, earlier in this chapter.</p> +</li><li> +<p>Missing directories where Samba is supposed to keep its log and lock +files.</p> +</li><li> +<p>The presence of a server already on the port (139 for +<em class="emphasis">smbd</em>, 137 for <em class="emphasis">nmbd</em> ), +preventing the daemon from starting.</p> +</li></ul> +</li> +<li> +<p>If you're using <em class="emphasis">inetd</em> (or +xinetd ) instead of standalone daemons, be sure to check your +<em class="filename">/etc/inetd.conf</em> (or xinetd configuration files) +and <em class="filename">/etc/services</em> entries against their manual +pages for errors as well.</p> +</li><li> +<p>If you get a <tt class="literal">Password</tt>: prompt, your guest account +is not set up properly. The <em class="emphasis">-U%</em> option tells +<em class="emphasis">smbclient</em> to do a "null +login," which requires that the guest account be +present but does not require it to have any privileges.</p> +</li><li> +<p>If you get the message <tt class="literal">SMBtconX</tt> +<tt class="literal">failed</tt>. <tt class="literal">ERRSRV--ERRaccess</tt>, you +aren't permitted access to the server. This normally +means you have a <tt class="literal">hosts</tt> <tt class="literal">allow</tt> +option that doesn't include the server or a +<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does. +Recheck with the command <tt class="literal">testparm</tt> +<tt class="literal">smb.conf</tt> <em class="replaceable">your_hostname</em> +<em class="replaceable">your_ip_address</em> (see +<a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>), +and correct any unintended prohibitions.</p> +</li></ul> + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.3"/> + +<h3 class="head3">Testing connections with smbclient</h3> + +<p><a name="INDEX-61"/><a name="INDEX-62"/>Run the command +<tt class="literal">smbclient</tt> +<tt class="literal">\\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt> +to connect to the server's <tt class="literal">[temp]</tt> +share and to see if you can connect to a file service. You should get +the following response:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient '\\server\temp' </b></tt> +Server time is Tue May 5 09:49:32 2002 Timezone is UTC-4.0 Password: +<b class="emphasis-bold">smb: \> quit</b></pre></blockquote> +<p>You might receive the following errors:</p> + +<ul><li> +<p>If you get <tt class="literal">Get_Hostbyname</tt>: +<tt class="literal">Unknown</tt> <tt class="literal">host</tt> +<tt class="literal">name</tt>, <tt class="literal">Connect</tt> +<tt class="literal">error</tt>: <tt class="literal">Connection</tt> +<tt class="literal">refused</tt>, or <tt class="literal">Your</tt> +<tt class="literal">server</tt> <tt class="literal">software</tt> +<tt class="literal">is</tt> <tt class="literal">being</tt> +<tt class="literal">unfriendly</tt>, see the previous section, +<a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, for +the diagnoses.</p> +</li><li> +<p>If you get the message <tt class="literal">servertemp</tt>: +<tt class="literal">Not</tt> <tt class="literal">enough</tt> +<tt class="literal">`\</tt>' +<tt class="literal">characters</tt> <tt class="literal">in</tt> +<tt class="literal">service</tt>, you likely didn't quote +the address, so Unix stripped off backslashes. You can also write the +command:</p> + +<blockquote><pre class="code">smbclient \\\\<em class="replaceable">server</em>\\temp</pre></blockquote> + +<p>or:</p> +<blockquote><pre class="code">smbclient //<em class="replaceable">server</em>/temp</pre></blockquote> +</li> +</ul> +<p>Now, provide your Unix account password to the +<tt class="literal">Password</tt>: prompt. If you then get an +<tt class="literal">smb</tt>: <tt class="literal">\></tt> prompt, it worked. +Enter <tt class="literal">quit</tt> and continue on to the next section, +<a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If +you got <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>. +<tt class="literal">ERRSRV--ERRinvnetname</tt>, the problem can be any of +the following:</p> + +<ul><li> +<p>A wrong share name: you might have spelled it wrong, it might be too +long, it might be in mixed case, or it might not be available. Check +that it's what you expect with +<em class="emphasis">testparm</em> (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p> +</li><li> +<p>A <tt class="literal">security</tt> <tt class="literal">=</tt> +<tt class="literal">share</tt> parameter in your Samba configuration file, +in which case you might have to add <tt class="literal">-U</tt> +<em class="replaceable">your_account</em> to the +<em class="emphasis">smbclient</em> command.</p> +</li><li> +<p>An erroneous username.</p> +</li><li> +<p>An erroneous password.</p> +</li><li> +<p>An <tt class="literal">invalid</tt> <tt class="literal">users</tt> or +<tt class="literal">valid</tt> <tt class="literal">users</tt> option in your +<em class="emphasis">smb.conf</em> file that doesn't +allow your account to connect. Recheck using +<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt> +<em class="replaceable">your_hostname your_ip_address</em> (see the +earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p> +</li><li> +<p>A <tt class="literal">valid</tt> <tt class="literal">hosts</tt> option that +doesn't include the server, or an +<tt class="literal">invalid</tt> <tt class="literal">hosts</tt> option that does. +Also test this with <em class="emphasis">testparm</em>.</p> +</li><li> +<p>A problem in authentication, such as if shadow passwords or the +Password Authentication Module (PAM) is used on the server, but Samba +is not compiled to use it. This is rare, but it occasionally happens +when a SunOS 4 Samba binary (with no shadow passwords) is run without +recompilation on a Solaris system (with shadow passwords).</p> +</li><li> +<p>The <tt class="literal">encrypted</tt> <tt class="literal">passwords</tt> +<tt class="literal">=</tt> <tt class="literal">yes</tt> option is in the +configuration file, but no password for your account is in the +<em class="emphasis">smbpasswd</em> file.</p> +</li><li> +<p>You have a null password entry, either in Unix +<em class="filename">/etc/passwd</em> or in the +<em class="emphasis">smbpasswd</em> file.</p> +</li><li> +<p>You are connecting to <tt class="literal">[temp]</tt>, and you do not have +the <tt class="literal">guest</tt> <tt class="literal">ok</tt> +<tt class="literal">=</tt> <tt class="literal">yes</tt> option in the +<tt class="literal">[temp]</tt> section of the +<em class="emphasis">smb.conf</em> file.</p> +</li><li> +<p>You are connecting to <tt class="literal">[temp]</tt> before connecting to +your home directory, and your guest account isn't +set up correctly. If you can connect to your home directory and then +connect to <tt class="literal">[temp]</tt>, that's the +problem. See <a href="ch02.html">Chapter 2</a> for more information on +creating a basic Samba configuration file.</p> + +<p>A bad guest account will also prevent you from printing or browsing +until after you've logged in to your home directory.</p> +</li></ul> +<p>There is one more reason for this failure that has nothing at all to +do with passwords: the <tt class="literal">path</tt> parameter in your +<em class="filename">smb.conf</em> file might point somewhere that +doesn't exist. This will not be diagnosed by +<em class="emphasis">testparm</em>, and most SMB clients +can't distinguish it from other types of bad user +accounts. You will have to check it manually.</p> + +<p>Once you have connected to <tt class="literal">[temp]</tt> successfully, +repeat the test, this time logging in to your home directory (e.g., +map network drive +<em class="replaceable">server</em><tt class="literal">\davecb</tt>). If you +have to change anything to get that to work, retest +<tt class="literal">[temp]</tt> again afterward.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.4"/> + +<h3 class="head3">Testing connections with net use</h3> + +<p><a name="INDEX-63"/><a name="INDEX-64"/>Run the command +<tt class="literal">net</tt> <tt class="literal">use</tt> <tt class="literal">*</tt> +<tt class="literal">\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt> +on the Windows client to see if it can connect to the server. You +should be prompted for a password, then receive the response +<tt class="literal">The</tt> <tt class="literal">command</tt> +<tt class="literal">was</tt> <tt class="literal">completed</tt> +<tt class="literal">successfully</tt>.</p> + +<p>If that worked, continue with the steps in the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.5">Section 12.2.5.5</a>. Otherwise:</p> + +<ul><li> +<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt> +<tt class="literal">shared</tt> <tt class="literal">directory</tt> +<tt class="literal">cannot</tt> <tt class="literal">be</tt> +<tt class="literal">found</tt>, or <tt class="literal">Cannot</tt> +<tt class="literal">locate</tt> <tt class="literal">specified</tt> +<tt class="literal">share</tt> <tt class="literal">name</tt>, the directory name +is either misspelled or not in the <em class="emphasis">smb.conf</em> +file. This message can also warn of a name that is in mixed case, +including spaces, or that is longer than eight characters.</p> +</li><li> +<p>If you get <tt class="literal">The</tt> <tt class="literal">computer</tt> +<tt class="literal">name</tt> <tt class="literal">specified</tt> +<tt class="literal">in</tt> <tt class="literal">the</tt> +<tt class="literal">network</tt> <tt class="literal">path</tt> +<tt class="literal">cannot</tt> <tt class="literal">be</tt> +<tt class="literal">located</tt> or <tt class="literal">Cannot</tt> +<tt class="literal">locate</tt> <tt class="literal">specified</tt> +<tt class="literal">computer</tt>, the directory name has been misspelled, +the name service has failed, there is a networking problem, or the +<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option includes your +host.</p> +<ul><li> +<p>If it is not a spelling mistake, you need to double back at least to +<a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a> to +investigate why it doesn't connect.</p> +</li><li> +<p>If <em class="emphasis">smbclient</em> does work, there is a name service +problem with the client name service, and you need to go forward to +<a href="ch12.html#samba2-CHP-12-SECT-2.6.2">Section 12.2.6.2</a> and see if +you can look up both the client and server with +<em class="emphasis">nmblookup</em>.</p> +</li> +</ul> +</li> + +<li> +<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt> +<tt class="literal">is</tt> <tt class="literal">invalid</tt> +<tt class="literal">for</tt> <tt class="literal">\server\username</tt>, your +locally cached copy on the client doesn't match the +one on the server. You will be prompted for a replacement.</p> + +<a name="samba2-CHP-12-NOTE-157"/><blockquote class="note"><h4 class="objtitle">TIP</h4> +<p>Each Windows 95/98/Me client keeps a local +<em class="emphasis">password</em> file, but it's really +just a cached copy of the password it sends to Samba and NT/2000/XP +servers to authenticate you. That's what is being +prompted for here. You can still log on to a Windows system without a +password (but not to NT/2000/XP).</p> +</blockquote> + +<p>If you provide your password and it still fails, your password is not +being matched on the server, you have a <tt class="literal">valid</tt> +<tt class="literal">users</tt> or <tt class="literal">invalid</tt> +<tt class="literal">users</tt> list denying you permission, NetBEUI is +interfering, or the encrypted password problem described in the next +paragraph exists.</p> +</li><li> +<p>If your client is Windows NT 4.0, NT 3.5 with Patch 3, Windows 95 +with Patch 3, Windows 98, any of these with Internet Explorer 4.0, or +any subsequent version of Windows, the system will default to +Microsoft encryption for passwords. In general, if you have installed +a major Microsoft product on any of the older Windows versions, you +might have applied an update and turned on encrypted passwords. If +the client is defaulting to encrypted passwords, you will need to +specify <tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> +<tt class="literal">=</tt> <tt class="literal">yes</tt> in your Samba +configuration file if you are using a version of Samba prior to Samba +3.0.</p> + +<a name="samba2-CHP-12-NOTE-158"/><blockquote class="note"><h4 class="objtitle">TIP</h4> +<p>Because of Internet Explorer's willingness to honor +URLs such as <em class="filename">file://somehost/somefile</em> by making +SMB connections, clients up to and including Windows 95 Patch Level 2 +would happily send your password, in plain text, to SMB servers +anywhere on the Internet. This was considered a bad idea, and +Microsoft switched to using only encrypted passwords in the SMB +protocol. All subsequent releases of Microsoft's +products have included this correction.</p> +</blockquote> +</li> + +<li> +<p>If you have a mixed-case password on Unix, the client is probably +sending it in all one case. If changing your password to all one case +works, this was the problem. Regrettably, all but the oldest clients +support uppercase passwords, so Samba will try once with the password +in uppercase and once in lowercase. If you wish to use mixed-case +passwords, see the <tt class="literal">password</tt> +<tt class="literal">level</tt> option in <a href="ch09.html">Chapter 9</a> for a +workaround.</p> +</li><li> +<p>You might have a <tt class="literal">valid</tt> <tt class="literal">users</tt> +problem, as tested with <em class="emphasis">smbclient</em> (see the +earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>).</p> +</li><li> +<p>You might have the NetBEUI protocol bound to the Microsoft client. +This often produces long timeouts and erratic failures and is known +to have caused failures to accept passwords in the past. Unless you +absolutely need the NetBEUI protocol, remove it.</p> +</li></ul> +<a name="samba2-CHP-12-NOTE-159"/><blockquote class="note"><h4 class="objtitle">TIP</h4> +<p>The term "bind" is used here to +mean connecting one piece of software to another. When configured +correctly, the Microsoft SMB client is "bound +to" TCP/IP in the bindings section of the TCP/IP +properties panel under the Windows 95/98/Me Network icon in the +Control Panel. TCP/IP in turn is bound to an Ethernet card. This is +not the same sense of the word as binding an SMB daemon to a TCP/IP +port.</p> +</blockquote> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.5"/> + +<h3 class="head3">Testing connections with Windows Explorer</h3> + +<p><a name="INDEX-65"/><a name="INDEX-66"/>Start Windows Explorer +(not Internet Explorer), select Map Network Drive from the Tools +menu, and specify the UNC for one of your shares on the Samba server +to see if you can make Explorer connect to it. If so, +you've succeeded and can skip to the next section, +<a href="ch12.html#samba2-CHP-12-SECT-2.6">Section 12.2.6</a>.</p> + +<p>Windows Explorer is a rather poor diagnostic tool: it tells you that +something's wrong, but rarely what it is. If you get +a failure, you'll need to track it down with the +Windows <em class="emphasis">net use</em> command, which has far superior +error reporting:</p> + +<ul><li> +<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt> +<tt class="literal">for</tt> <tt class="literal">this</tt> +<tt class="literal">connection</tt> <tt class="literal">that</tt> +<tt class="literal">is</tt> <tt class="literal">in</tt> <tt class="literal">your</tt> +<tt class="literal">password</tt> <tt class="literal">file</tt> +<tt class="literal">is</tt> <tt class="literal">no</tt> <tt class="literal">longer</tt> +<tt class="literal">correct</tt>, you might have any of the following:</p> +<ul><li> +<p>Your locally cached copy on the client doesn't match +the one on the server.</p> +</li><li> +<p>You didn't provide a username and password when +logging on to the client. Some versions of Explorer will continue to +send a null username and password, even if you provide a password.</p> +</li><li> +<p>You have misspelled the password.</p> +</li><li> +<p>You have an <tt class="literal">invalid</tt> <tt class="literal">users</tt> or +<tt class="literal">valid</tt> <tt class="literal">users</tt> list denying +permission.</p> +</li><li> +<p>Your client is defaulting to encrypted passwords, but Samba is +configured with the <tt class="literal">encrypt</tt> +<tt class="literal">passwords</tt> <tt class="literal">=</tt> +<tt class="literal">no</tt> configuration file parameter.</p> +</li><li> +<p>You have a mixed-case password, which the client is supplying in all +one case.</p> +</li> +</ul> +</li> +<li> +<p>If you get <tt class="literal">The</tt> <tt class="literal">network</tt> +<tt class="literal">name</tt> <tt class="literal">is</tt> +<tt class="literal">either</tt> <tt class="literal">incorrect</tt>, +<tt class="literal">or</tt> <tt class="literal">a</tt> <tt class="literal">network</tt> +<tt class="literal">to</tt> <tt class="literal">which</tt> <tt class="literal">you</tt> +<tt class="literal">do</tt> <tt class="literal">not</tt> <tt class="literal">have</tt> +<tt class="literal">full</tt> <tt class="literal">access</tt>, or +<tt class="literal">Cannot</tt> <tt class="literal">locate</tt> +<tt class="literal">specified</tt> <tt class="literal">computer</tt>, you might +have any of the following:</p> +<ul><li> +<p>Misspelled name</p> +</li><li> +<p>Malfunctioning service</p> +</li><li> +<p>Failed share</p> +</li><li> +<p>Networking problem</p> +</li><li> +<p>Bad <tt class="literal">path</tt> parameter in +<em class="filename">smb.conf</em></p> +</li><li> +<p><tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that excludes +you</p> +</li> +</ul> +</li> +<li> +<p>If you get <tt class="literal">You</tt> <tt class="literal">must</tt> +<tt class="literal">supply</tt> <tt class="literal">a</tt> +<tt class="literal">password</tt> <tt class="literal">to</tt> +<tt class="literal">make</tt> <tt class="literal">this</tt> +<tt class="literal">connection</tt>, the password on the client is out of +synchronization with the server, or this is the first time +you've tried from this client system and the client +hasn't cached it locally yet.</p> +</li><li> +<p>If you get <tt class="literal">Cannot</tt> <tt class="literal">locate</tt> +<tt class="literal">specified</tt> <tt class="literal">share</tt> +<tt class="literal">name</tt>, you have a wrong share name or a syntax +error in specifying it, a share name longer than eight characters, or +one containing spaces or in mixed case.</p> +</li></ul> +<p>Once you can reliably connect to the share, try again, this time +using your home directory. If you have to change something to get +home directories working, retest with the first share, and vice +versa, as we showed in the earlier section, "Testing +connections with net use." As always, if Explorer +fails, drop back to that section and debug the connection there. +<a name="INDEX-67"/><a name="INDEX-68"/></p> + + +</div> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-2.6"/> + +<h3 class="head2">Troubleshooting Browsing</h3> + +<p><a name="INDEX-69"/><a name="INDEX-70"/>Finally, we +come to browsing. We've left this for last, not +because it is the most difficult, but because it's +both optional and partially dependent on a protocol that +doesn't guarantee delivery of a packet. Browsing is +hard to diagnose if you don't already know that all +the other services are running.</p> + +<p>Browsing is purely optional: it's just a way to find +the servers on your network and the shares that they provide. Unix +has nothing of the sort and happily does without. Browsing also +assumes all your systems are on a local area network (LAN) where +broadcasts are allowable.</p> + +<p>First, the browsing mechanism identifies a system using the +unreliable UDP protocol; it then makes a normal (reliable) TCP/IP +connection to list the shares the system provides.</p> + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.1"/> + +<h3 class="head3">Testing browsing with smbclient</h3> + +<p><a name="INDEX-71"/><a name="INDEX-72"/>We'll start with +testing the reliable connection first. From the server, try listing +its own shares using <em class="emphasis">smbclient</em> with a +<tt class="literal">-L</tt> option and your server's name. +You should get something resembling the following:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L server</b></tt> +Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server +time is Tue Apr 28 09:57:28 2002 Timezone is UTC-4.0 +Password: +Domain=[EXAMPLE] OS=[Unix] Server=[Samba 2.2.5] + + Sharename Type Comment + --------- ---- ------- + cdrom Disk CD-ROM + cl Printer Color Printer 1 + davecb Disk Home Directories + + Server Comment + --------- ------- + SERVER Samba 2.2.5 + + Workgroup Master + --------- ------- + EXAMPLE SERVER</pre></blockquote> + +<ul><li> +<p>If you didn't get a Sharename list, the server is +not allowing you to browse any shares. This should not be the case if +you've tested any of the shares with Windows +Explorer or the <em class="emphasis">net use</em> command. If you +haven't done the <tt class="literal">smbclient</tt> +<tt class="literal">-L</tt> <tt class="literal">localhost</tt> +<tt class="literal">-U%</tt> test yet (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), do it now. An erroneous +guest account can prevent the shares from being seen. Also, check the +<em class="filename">smb.conf</em> file to make sure you do not have the +option <tt class="literal">browsable</tt> <tt class="literal">=</tt> +<tt class="literal">no</tt> anywhere in it: we suggest using a minimal +<em class="filename">smb.conf</em> file (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.1">Section 12.2.5.1</a>). You need to have +<tt class="literal">browsable</tt> enabled (which is the default) to see +the share.</p> +</li><li> +<p>If you didn't get a browse list, the server is not +providing information about the systems on the network. At least one +system on the net must support browse lists. Make sure you have +<tt class="literal">local</tt> <tt class="literal">master</tt> +<tt class="literal">=</tt> <tt class="literal">yes</tt> in the +<em class="filename">smb.conf</em> file if you want Samba to be the local +master browser.</p> +</li><li> +<p>If you got a browse list but didn't get +<em class="emphasis">/tmp</em>, you probably have a +<em class="filename">smb.conf</em> problem. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>.</p> +</li><li> +<p>If you didn't get a workgroup list with your +workgroup name in it, it is possible that your workgroup is set +incorrectly in the <em class="filename">smb.conf</em> file.</p> +</li><li> +<p>If you didn't get a workgroup list at all, ensure +that <tt class="literal">workgroup</tt> <tt class="literal">=</tt> +<tt class="literal">EXAMPLE</tt> is present in the +<em class="filename">smb.conf</em> file.</p> +</li><li> +<p>If you get nothing, try once more with the options +<tt class="literal">-I</tt> <em class="emphasis">ip_address</em> +<tt class="literal">-n</tt> <em class="emphasis">netbios_name</em> +<tt class="literal">-W</tt> <em class="emphasis">workgroup</em> +<tt class="literal">-d3</tt> with the NetBIOS and workgroup name in +uppercase. (The <tt class="literal">-d3</tt> option sets the log /debugging +level to 3.) Then check the Samba logs for clues.</p> +</li></ul> +<p>If you're still getting nothing, you +shouldn't have gotten this far; double back to at +least <a href="ch12.html#samba2-CHP-12-SECT-2.3.1">Section 12.2.3.1</a>, or perhaps +<a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. On the other hand:</p> + +<ul><li> +<p>If you get <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>. +<tt class="literal">ERRSRV--ERRaccess</tt>, you aren't +permitted access to the server. This normally means you have a +<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option that +doesn't include the server or a +<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.</p> +</li><li> +<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>, you +presumably have one of the following:</p> +<ul><li> +<p>An incorrect <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or +<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line</p> +</li><li> +<p>An incorrect <tt class="literal">invalid</tt> <tt class="literal">users</tt> or +<tt class="literal">valid</tt> <tt class="literal">users</tt> line</p> +</li><li> +<p>A lowercase password and OS/2 or Windows for Workgroups clients</p> +</li><li> +<p>A missing or invalid guest account</p> +</li></ul> +<p>Check what your guest account is (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), change or comment out any +<tt class="literal">hosts</tt> <tt class="literal">allow</tt>, +<tt class="literal">hosts</tt> <tt class="literal">deny</tt>, +<tt class="literal">valid</tt> <tt class="literal">users</tt>, or +<tt class="literal">invalid</tt> <tt class="literal">users</tt> lines, and verify +your <em class="filename">smb.conf</em> file with +<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt> +<em class="replaceable">your_hostname your_ip_address</em> (see the +earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p> +</li><li> +<p>If you get <tt class="literal">Connection</tt> <tt class="literal">refused</tt>, +the <em class="emphasis">smbd</em> server is not running or has crashed. +Check that it's up, running, and listening to the +network with <em class="emphasis">netstat</em>. See the earlier section, +<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>.</p> +</li><li> +<p>If you get <tt class="literal">Get_Hostbyname</tt>: +<tt class="literal">Unknown</tt> <tt class="literal">host</tt> +<tt class="literal">name</tt>, you've made a spelling +error, there is a mismatch between the Unix and NetBIOS hostname, or +there is a name service problem. Start name service debugging as +discussed in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If this works, suspect a +name mismatch, and go to the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p> +</li><li> +<p>If you get <tt class="literal">Session</tt> <tt class="literal">request</tt> +<tt class="literal">failed</tt>, the server refused the connection. This +usually indicates an internal error, such as insufficient memory to +fork a process.</p> +</li><li> +<p>If you get <tt class="literal">Your</tt> <tt class="literal">server</tt> +<tt class="literal">software</tt> <tt class="literal">is</tt> +<tt class="literal">being</tt> <tt class="literal">unfriendly</tt>, the initial +session request packet received a garbage response from the server. +The server might have crashed or started improperly. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, where the +problem is first analyzed.</p> +</li><li> +<p>If you suspect the server is not running, go back to +<a href="ch12.html#samba2-CHP-12-SECT-2.4.2">Section 12.2.4.2</a> to see why the server +daemon isn't responding.</p> +</li></ul> + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.2"/> + +<h3 class="head3">Testing the server with nmblookup</h3> + +<p><a name="INDEX-73"/><a name="INDEX-74"/>This will test the +"advertising" system used for +Windows name services and browsing. Advertising works by broadcasting +one's presence or willingness to provide services. +It is the part of browsing that uses an unreliable protocol (UDP) and +works only on broadcast networks such as Ethernets. The +<em class="emphasis">nmblookup</em> program broadcasts name queries for +the hostname you provide and returns its IP address and the name of +the system, much as <em class="emphasis">nslookup</em> does with DNS. +Here, the <em class="emphasis">-d</em> (debug or log-level) and +<em class="emphasis">-B</em> (broadcast address) options direct queries to +specific systems.</p> + +<p>First, we check the server from itself. Run +<em class="emphasis">nmblookup</em> with a <em class="emphasis">-B</em> option +of your server's name (to tell it to send the query +to the Samba server) and a parameter of <tt class="literal">_ _SAMBA_ +_</tt> as the symbolic name to look up. You should get:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -B server _ _SAMBA_ _</b></tt> +Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 +Sending queries to 192.168.236.86 192.168.236.86 _ _SAMBA_ _</pre></blockquote> + +<p>You should get the IP address of the server, followed by the name +<tt class="literal">_ _SAMBA_ _</tt> , which means that the server has +successfully advertised that it has a service called <tt class="literal">_ +_SAMBA_ _</tt> , and therefore at least part of NetBIOS name +service works.</p> + +<ul><li> +<p>If you get <tt class="literal">Name_query</tt> <tt class="literal">failed</tt> +<tt class="literal">to</tt> <tt class="literal">find</tt> <tt class="literal">name</tt> +<tt class="literal">_ _SAMBA_ _</tt>, you might have specified the server +name to the <em class="emphasis">-B</em> option, or +<em class="emphasis">nmbd</em> is not running. The <em class="emphasis">-B</em> +option actually takes a broadcast address: we're +using a computer name to get a unicast address and to ask the server +if it has claimed <tt class="literal">_ _SAMBA_ _</tt>. Try again with +<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> +<em class="replaceable">ip_address</em>, and if that fails too, +<em class="emphasis">nmbd</em> isn't claiming the name. +Go back briefly to the earlier section, "Testing +daemons with testparm," to see if +<em class="emphasis">nmbd</em> is running. If so, it might not be claiming +names; this means that Samba is not providing the browsing +service—a configuration problem. If that is the case, make sure +that <em class="filename">smb.conf</em> doesn't contain +the option <tt class="literal">browsing</tt> <tt class="literal">=</tt> +<tt class="literal">no</tt>.</p> +</li></ul> + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.3"/> + +<h3 class="head3">Testing the client with nmblookup</h3> + +<p><a name="INDEX-75"/><a name="INDEX-76"/>Next, check the IP address of the +client from the server with <em class="emphasis">nmblookup</em> using the +<tt class="literal">-B</tt> option for the client's name +and a parameter of '<tt class="literal">*</tt>' meaning +"anything," as shown here:</p> + +<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -B client '*</b>' +Sending queries to 192.168.236.10 192.168.236.10 * +Got a positive name query response from 192.168.236.10 (192.168.236.10)</pre></blockquote> + +<p>You might get the following error:</p> + +<ul><li> +<p>If you receive <tt class="literal">Name-query</tt> +<tt class="literal">failed</tt> <tt class="literal">to</tt> +<tt class="literal">find</tt> <tt class="literal">name</tt> <tt class="literal">*</tt>, +you have made a spelling mistake, or the client software on the PC +isn't installed, started, or bound to TCP/IP. Double +back to <a href="ch03.html">Chapter 3</a> and ensure that you have a +client installed that is listening to the network.</p> +</li></ul> +<p>Repeat the command with the following options if you had any failures:</p> + +<ul><li> +<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> +<em class="replaceable">client_IP_address</em> succeeds but +<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> +<em class="replaceable">client_name</em> fails, there is a name service +problem with the client's name; go to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p> +</li><li> +<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> +<tt class="literal">127.0.0.1</tt> '<tt class="literal">*</tt>' succeeds, but +<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> +<em class="replaceable">client_IP_address</em> fails, there is a +hardware problem, and <em class="emphasis">ping</em> should have failed. +See your network manager.</p> +</li></ul> + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.4"/> + +<h3 class="head3">Testing the network with nmblookup</h3> + +<p><a name="INDEX-77"/><a name="INDEX-78"/>Run the command +<em class="emphasis">nmblookup</em> again with a <em class="emphasis">-d2</em> +option (for a debug level of 2) and a parameter of +'<tt class="literal">*</tt>'. This time we are testing the ability of +programs (such as <em class="emphasis">nmbd</em> ) to use broadcast. +It's essentially a connectivity test, done via a +broadcast to the default broadcast address.</p> + +<p>A number of NetBIOS over TCP/IP hosts on the network should respond +with <tt class="literal">got</tt> <tt class="literal">a</tt> +<tt class="literal">positive</tt> <tt class="literal">name</tt> +<tt class="literal">query</tt> <tt class="literal">response</tt> messages. Samba +might not catch all the responses in the short time it listens, so +you won't always see all the SMB clients on the +network. However, you should see most of them:</p> + +<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -d 2 '*</b>' +Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Sending +queries to 192.168.236.255 +Got a positive name query response from 192.168.236.191 (192.168.236.191) +Got a positive name query response from 192.168.236.228 (192.168.236.228) +Got a positive name query response from 192.168.236.75 (192.168.236.75) +Got a positive name query response from 192.168.236.79 (192.168.236.79) +Got a positive name query response from 192.168.236.206 (192.168.236.206) +Got a positive name query response from 192.168.236.207 (192.168.236.207) +Got a positive name query response from 192.168.236.217 (192.168.236.217) +Got a positive name query response from 192.168.236.72 (192.168.236.72) 192.168.236.86 *</pre></blockquote> + +<p>However:</p> + +<ul><li> +<p>If this doesn't give at least the client address you +previously tested, the default broadcast address is wrong. Try +<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt> +<tt class="literal">255.255.255.255</tt> <tt class="literal">-d</tt> +<tt class="literal">2</tt> '<tt class="literal">*</tt>', which is a last-ditch +variant (using a broadcast address of all 1s). If this draws +responses, the broadcast address you've been using +before is wrong. Troubleshooting these is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this +chapter.</p> +</li><li> +<p>If the address 255.255.255.255 fails too, check your notes to see if +your PC and server are on different subnets, as discovered in the +earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. You +should try to diagnose this step with a server and client on the same +subnet, but if you can't, you can try specifying the +remote subnet's broadcast address with +<em class="emphasis">-B</em>. Finding that address is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this +chapter. The <em class="emphasis">-B</em> option will work if your router +supports directed broadcasts; if it doesn't, you +might be forced to test with a client on the same network.</p> +</li></ul> +<p>As usual, you can check the Samba log files for additional clues.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.5"/> + +<h3 class="head3">Testing client browsing with net view</h3> + +<p><a name="INDEX-79"/><a name="INDEX-80"/>On the client, run the +command <em class="replaceable">net view \\server</em> in an MS-DOS +(command prompt) window to see if you can connect to the client and +ask what shares it provides. You should get back a list of available +shares on the server.</p> + +<p>If this works, continue with the later section <a href="ch12.html#samba2-CHP-12-SECT-3.1">Section 12.3.1</a>. Otherwise:</p> + +<ul><li> +<p>If you get <tt class="literal">Network</tt> <tt class="literal">name</tt> +<tt class="literal">not</tt> <tt class="literal">found</tt> for the name you just +tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.3">Section 12.2.6.3</a>, there is a problem with the +client software itself. Double-check this by running +<em class="emphasis">nmblookup</em> on the client; if it works and +<em class="emphasis">net view</em> doesn't, the client is +at fault.</p> +</li><li> +<p>If <em class="emphasis">nmblookup</em> fails, there is a NetBIOS name +service problem, as discussed in the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p> +</li><li> +<p>If you get <tt class="literal">You</tt> <tt class="literal">do</tt> +<tt class="literal">not</tt> <tt class="literal">have</tt> <tt class="literal">the</tt> +<tt class="literal">necessary</tt> <tt class="literal">access</tt> +<tt class="literal">rights</tt>, or <tt class="literal">This</tt> +<tt class="literal">server</tt> <tt class="literal">is</tt> +<tt class="literal">not</tt> <tt class="literal">configured</tt> +<tt class="literal">to</tt> <tt class="literal">list</tt> +<tt class="literal">shared</tt> <tt class="literal">resources</tt>, either your +guest account is misconfigured (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>) or you have a +<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or +<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that prohibits +connections from your system. These problems should have been +detected by the <em class="emphasis">smbclient</em> tests starting in the +earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.1">Section 12.2.6.1</a>.</p> +</li><li> +<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt> +<tt class="literal">computer</tt> <tt class="literal">is</tt> +<tt class="literal">not</tt> <tt class="literal">receiving</tt> +<tt class="literal">requests</tt>, you have misspelled the name, the system +is unreachable by broadcast (tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.4">Section 12.2.6.4</a>), or it's +not running <em class="emphasis">nmbd</em>.</p> +</li><li> +<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt> +<tt class="literal">error</tt>, you're probably +encountering the Microsoft-encrypted password problem, as discussed +earlier in this chapter and in <a href="ch09.html">Chapter 9</a>, with its +corrections.</p> +</li></ul> + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.6"/> + +<h3 class="head3">Browsing the server from the client</h3> + +<p><a name="INDEX-81"/><a name="INDEX-82"/>From the Windows Network +Neighborhood (or My Network Places in newer releases), try to browse +the server. Your Samba server should appear in the browse list of +your local workgroup. You should be able to double-click the name of +the server to get a list of shares.</p> + +<ul><li> +<p>If you get an <tt class="literal">Invalid</tt> <tt class="literal">password</tt> +error, it's most likely the encryption problem +again.</p> +</li><li> +<p>If you receive an <tt class="literal">Unable</tt> <tt class="literal">to</tt> +<tt class="literal">browse</tt> <tt class="literal">the</tt> +<tt class="literal">network</tt> error, one of the following has occurred:</p> +<ul><li> +<p>You have looked too soon, before the broadcasts and updates have +completed. Wait 30 seconds and try again.</p> +</li><li> +<p>There is a network problem you've not yet diagnosed.</p> +</li><li> +<p>There is no browse master. Add the configuration option +<tt class="literal">local</tt> <tt class="literal">master</tt> +<tt class="literal">=</tt> <tt class="literal">yes</tt> to your +<em class="emphasis">smb.conf</em> file.</p> +</li><li> +<p>No shares are made browsable in the <em class="emphasis">smb.conf</em> +file.</p> +</li></ul> +</li> +<li> +<p>If you receive the message <tt class="literal">\\server</tt> +<tt class="literal">is</tt> <tt class="literal">not</tt> +<tt class="literal">accessible</tt> then:</p> +<ul><li> +<p>You have the encrypted password problem.</p> +</li><li> +<p>The system really isn't accessible.</p> +</li><li> +<p>The system doesn't support browsing.</p> +</li></ul> +</li> +</ul> + +<p>If you've made it this far and the problem is not +yet solved, either the problem is one we've not yet +seen, or it is a problem related to a topic we have already covered, +and further analysis is required. Name resolution is often related to +difficulties with Samba, so we cover it in more detail in the next +sections. If you know your problem is not related to name resolution, +skip to the <a href="ch12.html#samba2-CHP-12-SECT-3">Section 12.3</a> at the end of the chapter. <a name="INDEX-83"/><a name="INDEX-84"/></p> + + +</div> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-2.7"/> + +<h3 class="head2">Troubleshooting Name Services</h3> + +<p><a name="INDEX-85"/><a name="INDEX-86"/>This +section looks at simple troubleshooting of all the name services +you'll encounter, but only for the common problems +that affect Samba.</p> + +<p>There are several good references for troubleshooting particular name +services: Paul <a name="INDEX-87"/>Albitz and Cricket <a name="INDEX-88"/>Liu's <em class="emphasis">DNS and +Bind</em> (O'Reilly) covers the DNS, Hal +<a name="INDEX-89"/>Stern's <em class="emphasis">NFS and +NIS</em> (O'Reilly) covers NIS +("Yellow pages"), while Windows +Internet Name Service (WINS), <em class="filename">hosts/LMHOSTS</em> +files, and NIS+ are best covered by their respective +vendors' manuals.</p> + +<p>The problems addressed in this section are as follows:</p> + +<ul><li> +<p>Name services are identified.</p> +</li><li> +<p>A hostname can't be looked up.</p> +</li><li> +<p>The long (FQDN) form of a hostname works but the short form +doesn't.</p> +</li><li> +<p>The short form of the name works, but the long form +doesn't.</p> +</li><li> +<p>A long delay occurs before the expected result.</p> +</li></ul> + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.1"/> + +<h3 class="head3">Identifying what's in use</h3> + +<p><a name="INDEX-90"/>First, see if both the +server and the client are using DNS, WINS, NIS, or +<em class="filename">hosts</em> files to look up IP addresses when you +give them a name. Each kind of system has a different preference:</p> + +<ul><li> +<p>Windows 95/98/Me tries WINS and the <em class="filename">LMHOSTS</em> file +first, then broadcast, and finally DNS and <em class="filename">HOSTS</em> +files.</p> +</li><li> +<p>Windows NT/2000/XP tries WINS, then broadcast, then the +<em class="filename">LMHOSTS</em> file, and finally +<em class="filename">HOSTS</em> and DNS.</p> +</li><li> +<p>Windows programs using the WINSOCK standard use the HOSTS file, DNS, +WINS, and then broadcast. Don't assume that if a +different program's name service works, the SMB +client program's name service will!</p> +</li><li> +<p>Samba daemons use <em class="filename">lmhosts</em>, WINS, the Unix +system's name resolution, and then broadcast.</p> +</li><li> +<p>Unix systems can be configured to use any combination of DNS, +<em class="filename">HOSTS</em> files, NIS or NIS+, and winbind, generally +in any order.</p> +</li></ul> +<p>We recommend that the client systems be configured to use WINS and +DNS, the Samba daemons to use WINS and DNS, and the Unix server to +use DNS, <em class="filename">hosts</em> files, and perhaps NIS+. +You'll have to look at your notes and the actual +systems to see which is in use.</p> + +<p>On the clients, the name services are all set in the TCP/IP +Properties panel of the Networking Control Panel, as discussed in +<a href="ch03.html">Chapter 3</a>. You might need to check there to see +what you've actually turned on. On the server, see +if a <em class="filename">/etc/resolv.conf</em> file exists. If it does, +you're using DNS. You might be using the others as +well, though. You'll need to check for NIS and +combinations of services.</p> + +<p>Check for a <em class="filename">/etc/nsswitch.conf</em> file on Solaris +and other System V Unix operating systems. If you have one, look for +a line that begins with <tt class="literal">host</tt>: followed by one or +more of <tt class="literal">files</tt>, <tt class="literal">bind</tt>, +<tt class="literal">nis</tt>, or <tt class="literal">nis+</tt>. These are the +name services to use, in order, with optional extra material in +square brackets. The <tt class="literal">files</tt> keyword is for +using <em class="emphasis">HOSTS</em> files, while <tt class="literal">bind</tt> +(the Berkeley Internet Name Daemon) refers to using DNS.</p> + +<p>If the client and server differ, the first thing to do is to get them +in sync. Clients can use DNS, WINS, <em class="emphasis">HOSTS</em>, and +<em class="emphasis">LMHOSTS</em> files, but not NIS or NIS+. Servers can +use <em class="emphasis">HOSTS</em> and <em class="filename">LMHOSTS</em> +files, DNS, NIS or NIS+, and winbind, but not WINS—even if your +Samba server provides WINS services. If you can't +get all the systems to use the same services, you'll +have to check the server and the client carefully for the same data.</p> + +<p>You can also make use of the <em class="emphasis">-R</em> (resolve order) +option for <em class="emphasis">smbclient</em>. If you want to +troubleshoot WINS, for example, you'd say:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L </b></tt><em class="replaceable">server</em> <tt class="userinput"><b>-R wins</b></tt></pre></blockquote> + +<p>The possible settings are <tt class="literal">hosts</tt> (which means +whatever the Unix system is using, not just<em class="filename"> +/etc/hosts</em> files), <tt class="literal">lmhosts</tt>, +<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt> (broadcast).</p> + +<p>In the following sections, we use the term <em class="emphasis">long +name</em> for a fully qualified domain name (FQDN), such as +<tt class="literal">server.example.com</tt> , and the term <em class="emphasis">short +name</em> for the host part of an FQDN, such as +<tt class="literal">server</tt>.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.2"/> + +<h3 class="head3">Cannot look up hostnames</h3> + +<p><a name="INDEX-91"/>Try the +following:</p> + +<dl> +<dt><b>DNS</b></dt> +<dd> +<p>Run <tt class="literal">nslookup</tt> <em class="replaceable">name</em>. If +this fails, look for a <em class="filename">resolv.conf</em> error, a +downed DNS server, or a short/long name problem (see the next +section). Try the following:</p> + + +<ul><li> +<p>Your <em class="filename">/etc/resolv.conf</em> file should contain one or +more <tt class="literal">nameserver</tt> lines, each with an IP address. +These are the addresses of your DNS servers.</p> +</li><li> +<p>Ping each server address you find. If this fails for one, suspect the +system. If it fails for each, suspect your network.</p> +</li><li> +<p>Retry the lookup using the full domain name (e.g., +<tt class="literal">server.example.com</tt>) if you tried the short name +first, or the short name if you tried the long name first. If results +differ, skip to the next section.</p> +</li></ul> +</dd> + + + +<dt><b>Broadcast/ WINS</b></dt> +<dd> +<p>Broadcast/ WINS does only short names such as +<tt class="literal">server</tt>, and not long ones, such as +<tt class="literal">server.example.com</tt>. Run +<tt class="literal">nmblookup</tt> <tt class="literal">-S</tt> +<em class="replaceable">server</em>. This reports everything broadcast +has registered for the name. In our example, it looks like this:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -S server</b></tt> +Looking up status of 192.168.236.86 +received 10 names + SERVER <00> - M <ACTIVE> + SERVER <03> - M <ACTIVE> + SERVER <1f> - M <ACTIVE> + SERVER <20> - M <ACTIVE> + ..__MSBROWSE__. <01> - <GROUP> M <ACTIVE> + MYGROUP <00> - <GROUP> M <ACTIVE> + MYGROUP <1b> - M <ACTIVE> + MYGROUP <1c> - <GROUP> M <ACTIVE> + MYGROUP <1d> - M <ACTIVE> + MYGROUP <1e> - <GROUP> M <ACTIVE></pre></blockquote> + +<p>The required entry is <tt class="literal">SERVER</tt> +<tt class="literal"><00></tt>, which identifies +<em class="replaceable">server</em> as being this +system's NetBIOS name. You should also see your +workgroup mentioned one or more times. If these lines are missing, +Broadcast/WINS cannot look up names and will need attention.</p> + +<a name="samba2-CHP-12-NOTE-160"/><blockquote class="note"><h4 class="objtitle">TIP</h4> +<p>The numbers in angle brackets in the previous output identify NetBIOS +names as being workgroups, workstations, and file users of the +messenger service, master browsers, domain master browsers, domain +controllers, and a plethora of others. We primarily use +<tt class="literal"><00></tt> to identify system and workgroup names +and <tt class="literal"><20></tt> to identify systems as servers. The +complete list is available at <a href="http://support.microsoft.com/support/kb/articles/q163/4/09.asp">http://support.microsoft.com/support/kb/articles/q163/4/09.asp</a>.</p> +</blockquote> +</dd> + + + +<dt><b>NIS</b></dt> +<dd> +<p>Try <tt class="literal">ypmatch</tt> <tt class="literal">name</tt> +<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the +NIS server's name by running +<em class="emphasis">ypwhich</em>, and ping the system to see if +it's accessible.</p> +</dd> + + + +<dt><b>NIS+</b></dt> +<dd> +<p>If you're running NIS+, try +<tt class="literal">nismatch</tt> <tt class="literal">name</tt> +<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the +NIS+ server's name by running +<em class="emphasis">niswhich</em>, and ping that system to see if +it's accessible.</p> +</dd> + + + +<dt><b>hosts and HOSTS files</b></dt> +<dd> +<p>Inspect the <em class="filename">HOSTS</em> file on the client +(<em class="filename">C:\Windows\ Hosts</em> on Windows 95/98/Me, and +<em class="filename">C:\WINNT \system32\drivers\etc\hosts</em> on Windows +NT/2000/XP). Each line should have an IP number and one or more +names, the primary name first, then any optional aliases. An example +follows:</p> + + +<blockquote><pre class="code">127.0.0.1 localhost +192.168.236.1 dns.svc.example.com +192.168.236.10 client.example.com client +192.168.236.11 backup.example.com loghost +192.168.236.86 server.example.com server +192.168.236.254 router.svc.example.com</pre></blockquote> + +<p>On Unix, <tt class="literal">localhost</tt> should always be 127.0.0.1, +although it might be just an alias for a hostname on the PC. On the +client, check that there are no <tt class="literal">#XXX</tt> directives at +the ends of the lines; these are LAN Manager/NetBIOS directives and +should appear only in <em class="emphasis">LMHOSTS</em> files.</p> +</dd> + + + +<dt><b>LMHOSTS files</b></dt> +<dd> +<p>This file is a local source for LAN Manager (NetBIOS) names. It has a +format similar to <em class="filename">hosts</em> files, but it does not +support long-form domain names (e.g., +<tt class="literal">server.example.com</tt>) and can have a number of +optional <tt class="literal">#XXX</tt> directives following the NetBIOS +names. There is usually an <em class="emphasis">lmhosts.sam</em> (for +sample) file located in <em class="filename">C:\Windows</em> on Windows +95/98/Me, and in <em class="filename">C:\WINNT\system32\drivers\etc</em> +on Windows NT/2000/XP, but it's not used unless it +is renamed to <em class="emphasis">Lmhosts</em> in the same directory.</p> +</dd> + +</dl> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.3"/> + +<h3 class="head3">Long and short hostnames</h3> + +<p><a name="INDEX-92"/>Where the long (FQDN) form of a hostname +works but the short name doesn't (for example, +<tt class="literal">client.example.com</tt> works but +<tt class="literal">client</tt> doesn't), consider the +following:</p> + +<dl> +<dt><b>DNS </b></dt> +<dd> +<p>This usually indicates that there is no default domain in which to +look up the short names. Look for a <tt class="literal">default</tt> line +in <em class="filename">/etc/resolv.conf</em> on the Samba server with +your domain in it, or look for a <tt class="literal">search</tt> line with +one or more domains in it. One or the other might need to be present +to make short names usable; which one depends on the vendor and +version of the DNS resolver. Try adding <tt class="literal">domain</tt> +<em class="replaceable">your_domain</em> to +<em class="filename">resolv.conf</em>, and ask your network or DNS +administrator what should be in the file.</p> +</dd> + + + +<dt><b>Broadcast/WINS </b></dt> +<dd> +<p>Broadcast/WINS doesn't support long names; it +won't suffer from this problem.</p> +</dd> + + + +<dt><b>NIS </b></dt> +<dd> +<p>Try the command <tt class="literal">ypmatch</tt> +<em class="replaceable">hostname</em> <tt class="literal">hosts</tt>. If you +don't get a match, your tables +don't include short names. Speak to your network +manager; short names might be missing by accident or might be +unsupported as a matter of policy. Some sites don't +ever use (ambiguous) short names.</p> +</dd> + + + +<dt><b>NIS+</b></dt> +<dd> +<p>Try <tt class="literal">nismatch</tt> <em class="replaceable">hostname</em> +<tt class="literal">hosts</tt>, and treat failure exactly as with NIS.</p> +</dd> + + + +<dt><b>hosts </b></dt> +<dd> +<p>If the short name is not in <em class="filename">/etc/hosts</em>, consider +adding it as an alias. Avoid, if you can, short names as primary +names (the first one on a line). Have them as aliases if your system +permits.</p> +</dd> + + + +<dt><b>LMHOSTS </b></dt> +<dd> +<p>LAN Manager doesn't support long names, so it +won't suffer from this problem.</p> +</dd> + +</dl> + +<p>On the other hand, if the short form of the name works and the long +form doesn't, consider the following:</p> + +<dl> +<dt><b>DNS </b></dt> +<dd> +<p>This is bizarre; see your network or DNS administrator, as this is +probably a DNS setup error.</p> +</dd> + + + +<dt><b>Broadcast/WINS </b></dt> +<dd> +<p>This is normal; Broadcast/WINS can't use the long +form. Optionally, consider DNS. (Be aware that Microsoft has stated +that it will eventually switch entirely to DNS, even though DNS does +not provide name types such as <00>.)</p> +</dd> + + + +<dt><b>NIS</b></dt> +<dd> +<p>If you can use <em class="emphasis">ypmatch</em> to look up the short form +but not the long, consider adding the long form to the table as at +least an alias.</p> +</dd> + + + +<dt><b>NIS+ </b></dt> +<dd> +<p>Same as NIS, except you use <em class="emphasis">nismatch</em> instead of +<em class="emphasis">ypmatch</em> to look up names.</p> +</dd> + + + +<dt><b>hosts and HOSTS</b></dt> +<dd> +<p>Add the long name as at least an alias, and preferably as the primary +form. Also consider using DNS if it's practical.</p> +</dd> + + + +<dt><b>LMHOSTS </b></dt> +<dd> +<p>This is normal. LAN Manager can't use the long form; +consider switching to DNS or <em class="filename">hosts</em>.</p> +</dd> + +</dl> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.4"/> + +<h3 class="head3">Unusual delays</h3> + +<p><a name="INDEX-93"/>When there is a long delay before the +expected result:</p> + +<dl> +<dt><b>DNS </b></dt> +<dd> +<p>Test the same name with the <em class="emphasis">nslookup</em> command on +the system that is slow (client or server). If +<em class="emphasis">nslookup</em> is also slow, you have a DNS problem. +If it's slower on a client, you might have too many +protocols bound to the Ethernet card. Eliminate NetBEUI, which is +infamously slow, and, optionally, Novell—assuming you +don't need them. This is especially important on +Windows 95, which is particularly sensitive to excess protocols.</p> +</dd> + + + +<dt><b>Broadcast/ WINS</b></dt> +<dd> +<p>Test the client using <em class="emphasis">nmblookup</em>; if +it's faster, you probably have the protocols problem +as mentioned in the previous item.</p> +</dd> + + + +<dt><b>NIS</b></dt> +<dd> +<p>Try <em class="emphasis">ypmatch</em>; if it's slow, +report the problem to your network manager.</p> +</dd> + + + +<dt><b>NIS+ </b></dt> +<dd> +<p>Try <em class="emphasis">nismatch</em>, similarly.</p> +</dd> + + + +<dt><b>hosts and HOSTS</b></dt> +<dd> +<p>The <em class="emphasis">hosts</em> files, if of reasonable size, are +always fast. You probably have the protocols problem mentioned +previously under DNS.</p> +</dd> + + + +<dt><b>lmhosts and LMHOSTS</b></dt> +<dd> +<p>This is not a name lookup problem; <em class="emphasis">LMHOSTS</em> files +are as fast as <em class="emphasis">hosts</em> and +<em class="filename">HOSTS</em> files.</p> +</dd> + +</dl> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.5"/> + +<h3 class="head3">Localhost issues</h3> + +<p><a name="INDEX-94"/>When a localhost isn't +127.0.0.1, try the following:</p> + +<dl> +<dt><b>DNS</b></dt> +<dd> +<p>There is probably no record for <tt class="literal">localhost</tt>. +<tt class="literal">A</tt> <tt class="literal">127.0.0.1</tt>. Arrange to add +one, as well as a reverse entry, +<tt class="literal">1.0.0.127.IN-ADDR.ARPA</tt> <tt class="literal">PTR</tt> +<tt class="literal">127.0.0.1</tt>.</p> +</dd> + + + +<dt><b>Broadcast/WINS</b></dt> +<dd> +<p>Not applicable.</p> +</dd> + + + +<dt><b>NIS</b></dt> +<dd> +<p>If <tt class="literal">localhost</tt> isn't in the table, +add it.</p> +</dd> + + + +<dt><b>NIS+ </b></dt> +<dd> +<p>If <tt class="literal">localhost</tt> isn't in the table, +add it.</p> +</dd> + + + +<dt><b>hosts and HOSTS</b></dt> +<dd> +<p>Add a line that says <tt class="literal">127.0.0.1</tt> +<tt class="literal">localhost</tt>.</p> +</dd> + + + +<dt><b>LMHOSTS</b></dt> +<dd> +<p>Not applicable. <a name="INDEX-95"/><a name="INDEX-96"/></p> +</dd> + +</dl> + + +</div> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-2.8"/> + +<h3 class="head2">Troubleshooting Network Addresses</h3> + +<p><a name="INDEX-97"/><a name="INDEX-98"/>A +number of common problems are caused by incorrect routing of Internet +addresses or by the incorrect assignment of addresses. This section +helps you determine what your addresses are.</p> + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.1"/> + +<h3 class="head3">Netmasks</h3> + +<p>Using the <a name="INDEX-99"/>netmask, it is possible to +determine which addresses can be reached directly (i.e., which are on +the local network) and which addresses require forwarding packets +through a router. If the netmask is wrong, the systems will make one +of two mistakes. One is to route local packets via a router, which is +an expensive waste of time—it might work reasonably fast, it +might run slowly, or it might fail utterly. The second mistake is to +fail to send packets from a remote system to the router, which will +prevent them from being forwarded to the remote system.</p> + +<p>The netmask is a number like an IP address, with one-bits for the +network part of an address and zero-bits for the host portion. It is +used as a bitmask to mask off parts of the address inside the TCP/IP +code. If the mask is 255.255.0.0, the first 2 bytes are the network +part and the last 2 are the host part. More common is 255.255.255.0, +in which the first 3 bytes are the network part and the last one is +the host part.</p> + +<p>For example, let's say your IP address is +192.168.0.10 and the Samba server is 192.168.236.86. If your netmask +happens to be 255.255.255.0, the network part of the address is the +first 3 bytes, and the host part is the last byte. In this case, the +network parts are different, and the systems are on different +networks:</p> + +<a name="ch12-37-fm2xml"/><table border="1"> + + + +<tr> +<th> +<p>Network part</p> +</th> +<th> +<p>Host part</p> +</th> +</tr> + + +<tr> +<td> +<p>192 168 000</p> +</td> +<td> +<p>10</p> +</td> +</tr> +<tr> +<td> +<p>192 168 235</p> +</td> +<td> +<p>86</p> +</td> +</tr> + +</table> + +<p>If your netmask happens to be 255.255.0.0, the network part is just +the first 2 bytes. In this case, the network parts match, and so the +two systems are on the same network:</p> + +<a name="ch12-38-fm2xml"/><table border="1"> + + + +<tr> +<th> +<p>Network part</p> +</th> +<th> +<p>Host part</p> +</th> +</tr> + + +<tr> +<td> +<p>192 168</p> +</td> +<td> +<p>000 10</p> +</td> +</tr> +<tr> +<td> +<p>192 168</p> +</td> +<td> +<p>236 86</p> +</td> +</tr> + +</table> + +<p>Make sure the netmask in use on each system matches the structure of +your network. On every subnet, the netmask should be identical on +each system.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.2"/> + +<h3 class="head3">Broadcast addresses</h3> + +<p>The <a name="INDEX-100"/>broadcast address is a normal address, +with the hosts part all one-bits. It means "all +hosts on your network." You can compute it easily +from your netmask and address: take the address and put one-bits in +it for all the bits that are zero at the end of the netmask (the host +part). The following table illustrates this:</p> + +<a name="ch12-39-fm2xml"/><table border="1"> + + + + +<tr> +<th> +</th> +<th> +<p>Network part</p> +</th> +<th> +<p>Host part</p> +</th> +</tr> + + +<tr> +<td> +<p>IP address</p> +</td> +<td> +<p>192 168 236</p> +</td> +<td> +<p>86</p> +</td> +</tr> +<tr> +<td> +<p>Netmask</p> +</td> +<td> +<p>255 255 255</p> +</td> +<td> +<p>000</p> +</td> +</tr> +<tr> +<td> +<p>Broadcast</p> +</td> +<td> +<p>192 168 236</p> +</td> +<td> +<p>255</p> +</td> +</tr> + +</table> + +<p>In this example, the broadcast address on the 192.168.236 network is +192.168.236.255. There is also an old +"universal" broadcast address, +255.255.255.255. Routers are prohibited from forwarding these, but +most systems on your local network will respond to broadcasts to this +address.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.3"/> + +<h3 class="head3">Network address ranges</h3> + +<p>A <a name="INDEX-101"/>number of address ranges have been +reserved for testing and for nonconnected networks; we use these for +the examples in this book. If you don't have an +address yet, feel free to use one of these to start. They include one +class A network, 10.*.*.*, a range of class B network addresses, +172.16.*.* through 172.31.*.*, and 254 class C networks, 192.168.1.* +through 192.168.254.*. The domain <tt class="literal">example.com</tt> is +also reserved for unconnected networks, explanatory examples, and +books.</p> + +<p>If you're actually connecting to the Internet, +you'll need to get an appropriate IP address and a +domain name, probably through the same company that provides your +connection.</p> + + +</div> + + + +<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.4"/> + +<h3 class="head3">Finding your network address</h3> + +<p><a name="INDEX-102"/>If you +haven't recorded your IP address, you can learn it +through the <em class="emphasis">ifconfig</em><a name="INDEX-103"/> command on Unix or the +<em class="emphasis">ipconfig</em> <a name="INDEX-104"/>command on Windows. (Check your manual +pages for any options required by your brand of Unix. For example, +<tt class="literal">ifconfig</tt> <tt class="literal">-a</tt> works on Solaris.) +You should see output similar to the following:</p> + +<blockquote><pre class="code">$ <tt class="userinput"><b>ifconfig -a</b></tt> +le0: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING > + inet 192.168.236.11 netmask ffffff00 broadcast 192.168.236.255 +lo0: flags=49<&lt>UP,LOOPBACK,RUNNING<&gt> + inet 127.0.0.1 netmask ff000000</pre></blockquote> + +<p>One of the interfaces will be loopback (in our examples, +<tt class="literal">lo0</tt>), and the other will be the regular IP +interface. The flags should show that the interface is running, and +Ethernet interfaces will also say they support broadcasts (PPP +interfaces don't). The other places to look for IP +addresses are <em class="filename">/etc/hosts</em> files, Windows +<em class="emphasis">HOSTS</em> files, Windows +<em class="emphasis">LMHOSTS</em> files, NIS, NIS+, and DNS. <a name="INDEX-105"/><a name="INDEX-106"/></p> + + +</div> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-2.9"/> + +<h3 class="head2">Troubleshooting NetBIOS Names</h3> + +<p><a name="INDEX-107"/><a name="INDEX-108"/>Historically, SMB protocols have +depended on the NetBIOS name system, also called the LAN Manager name +system. This was a simple scheme where each system had a unique +20-character name and broadcast it on the LAN for everyone to know. +With TCP/IP, we tend to use names such as +<tt class="literal">client.example.com</tt>, stored in +<em class="filename">/etc/hosts</em> files through DNS or WINS.</p> + +<p>The usual mapping of domain names such as +<tt class="literal">server.example.com</tt> to NetBIOS names simply uses +the <tt class="literal">server</tt> part as the NetBIOS name and converts +it to uppercase. Alas, this doesn't always work, +especially if you have a system with a 21-character name; not +everyone uses the same NetBIOS and DNS names. For example, +<tt class="literal">corpvm1</tt> along with <tt class="literal">vm1.corp.com</tt> +is not unusual.</p> + +<p>A system with a different NetBIOS name and domain name is confusing +when you're troubleshooting; we recommend that you +try to avoid this wherever possible. NetBIOS names are discoverable +with <em class="emphasis">smbclient</em> :</p> + +<ul><li> +<p>If you can list shares on your Samba server with +<tt class="literal">smbclient</tt> <tt class="literal">-L</tt> +<tt class="literal">short_name</tt>, the short name is the NetBIOS name.</p> +</li><li> +<p>If you get <tt class="literal">Get_Hostbyname</tt>: +<tt class="literal">Unknown</tt> <tt class="literal">host</tt> +<tt class="literal">name</tt>, there is probably a mismatch. Check in the +<em class="filename">smb.conf</em> file to see if the NetBIOS name is +explicitly set.</p> +</li><li> +<p>Try to list shares again, specifying <tt class="literal">-I</tt> and the IP +address of the Samba server (e.g., <tt class="literal">smbclient</tt> +<tt class="literal">-L</tt> <tt class="literal">server</tt> <tt class="literal">-I</tt> +<tt class="literal">192.168.236.86</tt>). This overrides the name lookup +and forces the packets to go to the IP address. If this works, there +was a mismatch.</p> +</li><li> +<p>Try with <tt class="literal">-I</tt> and the full domain name of the server +(e.g., <tt class="literal">smbclient</tt> <tt class="literal">-L</tt> +<tt class="literal">server</tt> <tt class="literal">-I</tt> +<tt class="literal">server.example.com</tt>). This tests the lookup of the +domain name, using whatever scheme the Samba server uses (e.g., DNS). +If it fails, you have a name service problem. You should reread the +earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, +after you finish troubleshooting the NetBIOS names.</p> +</li><li> +<p>Try with the <tt class="literal">-n</tt> (NetBIOS name) option, giving it +the name you expect to work (e.g., <tt class="literal">smbclient</tt> +<tt class="literal">-n</tt> <tt class="literal">server</tt> <tt class="literal">-L</tt> +<tt class="literal">server-12</tt>), but without overriding the IP address +through <tt class="literal">-I</tt>. If this works, the name you specified +with <tt class="literal">-n</tt> is the actual NetBIOS name of the server. +If you receive <tt class="literal">Get-Hostbyname</tt>: +<tt class="literal">Unknown</tt> <tt class="literal">host</tt> +<tt class="literal">SERVER</tt>, it's not the right server +yet.</p> +</li><li> +<p>If nothing is working so far, repeat the tests specifying +<tt class="literal">-U</tt> <em class="emphasis">username</em> and +<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>, with the +username and workgroup in uppercase, to make sure +you're not being derailed by a user or workgroup +mismatch.</p> +</li><li> +<p>If still nothing works and you had evidence of a name service +problem, troubleshoot the name service (see the earlier section, +<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>) and then return to +the NetBIOS name service. <a name="INDEX-109"/><a name="INDEX-110"/></p> +</li></ul> + +</div> + + +</div> + + + +<div class="sect1"><a name="samba2-CHP-12-SECT-3"/> + +<h2 class="head1">Extra Resources</h2> + +<p>At some point during your work with Samba, you'll +want to turn to online or printed resources for news, updates, and +aid.</p> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-3.1"/> + +<h3 class="head2">Documentation and FAQs</h3> + +<p>It's OK to read the <a name="INDEX-111"/><a name="INDEX-112"/>documentation. Really. Nobody can see you, +and we won't tell. In fact, Samba ships with a large +set of documentation files, and it is well worth the effort to at +least browse through them, either in the distribution directory on +your computer under <em class="filename">/docs</em> or online at the Samba +web site: <a href="http://www.samba.org">http://www.samba.org</a>. The most current +FAQ list, bug information, and distribution locations are located at +the web site, with links to all the Samba manual pages and HOWTOs.</p> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-3.2"/> + +<h3 class="head2">Samba Newsgroups</h3> + +<p><a name="INDEX-113"/>Usenet +newsgroups have always been a great place to get advice on just about +any topic. In the past few years, though, this vast pool of knowledge +has developed something that has made it into an invaluable resource: +a memory. Archival and search sites such as the one at +<a name="INDEX-114"/>Google (<a href="http://groups.google.com/advanced_group_search">http://groups.google.com/advanced_group_search</a>) +have made sifting through years of valuable solutions as simple as a +few mouse clicks.</p> + +<p>The primary newsgroup for Samba is +<em class="emphasis">comp.protocols.smb</em><a name="INDEX-115"/>. This should always be your first +stop when there's a problem. More often than not, +spending 5 minutes researching an error here will save hours of +frustration while trying to debug something yourself.</p> + +<p>When searching a newsgroup, try to be as specific as possible, but +not too wordy. Searching on actual error messages is best. If you +don't find an answer immediately in the newsgroup, +resist the temptation to post a request for help until +you've done a bit more work on the problem. You +might find that the answer is in a FAQ or one of the many +documentation files that ship with Samba, or a solution might become +evident when you run one of Samba's diagnostic +tools. If nothing works, post a request in +<em class="emphasis">comp.protocols.smb</em>, and be as specific as +possible about what you have tried and what you are seeing. Include +any error messages that appear. It might be days before you receive +help, so be patient and keep trying things while you wait.</p> + +<a name="samba2-CHP-12-NOTE-161"/><blockquote class="note"><h4 class="objtitle">TIP</h4> +<p>Once you post a request for help, keep poking at the problem +yourself. Most of us have had the experience of posting a Usenet +article containing hundreds of lines of intricate detail, only to +solve the problem an hour later after the article has blazed its way +across several continents. The rule of thumb goes something like +this: the more folks who have read your request, the simpler the +solution. Usually this means that once everyone in the Unix community +has seen your article, the solution will be something simple such as, +"Plug the power cord into the wall +socket."</p> +</blockquote> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-3.3"/> + +<h3 class="head2">Samba Mailing Lists</h3> + +<p>The following are <a name="INDEX-116"/>mailing lists for support with Samba. See +the Samba home page, <a href="http://www.samba.org/">http://www.samba.org/</a>, for +information on subscribing and unsubscribing to these mailing lists:</p> + +<dl> +<dt><b>samba@samba.org</b></dt> +<dd> +<p>This is the primary mailing list for general questions and discussion +regarding Samba.</p> +</dd> + + + +<dt><b>samba-announce@samba.org</b></dt> +<dd> +<p>This list is for receiving news regarding Samba, such as +announcements of new releases.</p> +</dd> + + + +<dt><b>samba-cvs@samba.org</b></dt> +<dd> +<p>By subscribing to this list, you can automatically receive a message +every time one of the Samba developers updates the Samba source code +in the CVS repository. You might want to do this if you are waiting +for a specific bug fix or feature to be applied. To avoid congesting +your email inbox, we suggest using the digest feature, which +consolidates messages into a smaller number of emails.</p> +</dd> + + + +<dt><b>samba-docs@samba.org</b></dt> +<dd> +<p>This list is for discussing Samba documentation.</p> +</dd> + + + +<dt><b>samba-vms@samba.org</b></dt> +<dd> +<p>This mailing list is for people who are running Samba on the VMS +operating system.</p> +</dd> + + + +<dt><b>samba-binaries@samba.org</b></dt> +<dd> +<p>This is a list for developers to use when discussing precompiled +Samba distributions.</p> +</dd> + + + +<dt><b>samba-technical@samba.org</b></dt> +<dd> +<p>This mailing list is for developer discussion of the Samba code.</p> +</dd> + +</dl> + +<p>Searchable versions of the Samba mailing list archives can be found +at <a href="http://marc.theaimsgroup.com">http://marc.theaimsgroup.com</a>.</p> + +<p>When posting messages to the Samba mailing lists, keep in mind that +you are sending your message to a large audience. The notes in the +previous section regarding Usenet postings also apply here. A +well-formulated question or comment is more likely to be answered, +and a poorly conceived message is <em class="emphasis">very</em> likely to +be ignored!</p> + + +</div> + + +<div class="sect2"><a name="samba2-CHP-12-SECT-3.4"/> + +<h3 class="head2">Further Reading</h3> + +<ol><li> +<p>Hunt, Craig. <em class="emphasis">TCP/IP Network Administration</em>, +Third Edition. Sebastopol, CA: O'Reilly +& Associates, 1997.</p> +</li> +<li> +<p>Hunt, Craig, and Robert Bruce Thompson. <em class="emphasis">Windows NT TCP/IP +Network Administration</em>. Sebastopol, CA: +O'Reilly & Associates, 1998.</p> +</li> +<li> +<p>Albitz, Paul, and Cricket Liu. <em class="emphasis">DNS and Bind</em>, +Fourth Edition. Sebastopol, CA: O'Reilly +& Associates, 1998.</p> +</li> +<li> +<p>Stern, Hal. <em class="emphasis">Managing NFS and NIS</em>, Second +Edition. Sebastopol, CA: O'Reilly & Associates, +1991.<a name="INDEX-117"/></p> +</li></ol> + +</div> + + +</div> + +<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html> |