2
<body bgcolor="#ffffff">
4
<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
5
hspace="10" align="left" />
7
<h1 class="head0">Chapter 12. Troubleshooting Samba</h1>
10
<p><a name="INDEX-1"/><a name="INDEX-2"/>Samba is extremely robust. Once you have
11
everything set up the way you want, you'll probably
12
forget that it is running. When trouble occurs, it's
13
typically during installation or when you're trying
14
to reconfigure the server. Fortunately, a wide variety of resources
15
are available to diagnose these troubles. While we
16
can't describe in detail the solution to every
17
problem you might encounter, you should be able to get a good start
18
at resolving the problem by following the advice given in this
21
<p>The first section of this chapter lists the tool bag, a collection of
22
tools available for troubleshooting Samba; the second section is a
23
detailed how-to; the last section lists extra resources to track down
24
particularly stubborn problems.</p>
28
<div class="sect1"><a name="samba2-CHP-12-SECT-1"/>
30
<h2 class="head1">The Tool Box</h2>
32
<p><a name="INDEX-3"/><a name="INDEX-4"/>Sometimes Unix
33
seems to be made up of a grab bag of applications and tools. There
34
are tools to troubleshoot tools. And of course, there are several
35
ways to accomplish the same task. When trying to solve a problem
36
related to Samba, a good plan of attack is to use the following:</p>
41
<p>Samba test utilities</p>
47
<p>Documentation and FAQs</p>
49
<p>Samba newsgroups</p>
51
<p>Searchable mailing list archives</p>
53
<p>Let's go over each of these one-by-one in the
54
following sections.</p>
57
<div class="sect2"><a name="samba2-CHP-12-SECT-1.1"/>
59
<h3 class="head2">Samba Logs</h3>
61
<p><a name="INDEX-5"/><a name="INDEX-6"/>Your first line of attack should always
62
be to check the log files. The Samba log files can help diagnose the
63
vast majority of the problems faced by beginning- to
64
intermediate-level Samba administrators. Samba is quite flexible when
65
it comes to logging. You can set up the server to log as little or as
66
much information as you want. Using substitution variables in the
67
Samba configuration file allows you to isolate individual logs for
68
each system, share, or combination thereof.</p>
70
<p>Logs are placed in <em class="filename">/usr/local/samba/var/smbd.log</em>
71
and <em class="filename">/usr/local/samba/var/nmbd.log</em> by default.
72
You can specify a log directory to use with the
73
<em class="emphasis">-l</em> flag on the command line when starting the
74
Samba daemons. For example:</p>
76
<blockquote><pre class="code"># <tt class="userinput"><b>smbd -l /var/log/samba</b></tt>
77
# <tt class="userinput"><b>nmbd -l /var/log/samba</b></tt></pre></blockquote>
79
<p>Alternatively, you can override the location and name using the
80
<tt class="literal">log</tt><a name="INDEX-7"/> <tt class="literal">file</tt> configuration
81
option in <em class="filename">smb.conf</em>. This option accepts all the
82
substitution variables, so you could easily have the server keep a
83
separate log for each connecting client system by specifying the
86
<blockquote><pre class="code">[global]
87
log file = %m.log</pre></blockquote>
89
<p>Another useful trick is to have the server keep a log for each
90
service (share) that is offered, especially if you suspect a
91
particular share is causing trouble. To do this, use the
92
<tt class="literal">%S</tt> variable, like this:</p>
94
<blockquote><pre class="code">[global]
95
log file = %S.log</pre></blockquote>
98
<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.1"/>
100
<h3 class="head3">Log levels</h3>
102
<p><a name="INDEX-8"/>The level of logging that Samba uses
103
can be set in the <em class="filename">smb.conf</em> file using the global
104
<tt class="literal">log</tt> <tt class="literal">level</tt> or
105
<tt class="literal">debug</tt> <tt class="literal">level</tt> option; they are
106
equivalent. The logging level is an integer that can range from 0 to
107
10. At level 0, no logging is done. Higher values result in more
108
voluminous logging. For example, let's assume that
109
we will use a Windows client to browse a directory on a Samba server.
110
For a small amount of log information, you can use
111
<tt class="literal">log</tt> <tt class="literal">level</tt> <tt class="literal">=</tt>
112
<tt class="literal">1</tt>, which instructs Samba to show only cursory
113
information, in this case only the connection itself:</p>
115
<blockquote><pre class="code">05/25/02 22:02:11 server (192.168.236.86) connect to service public as user pcguest
116
(uid=503,gid=100) (pid 3377)</pre></blockquote>
118
<p>Higher debug levels produce more detailed information. Usually, you
119
won't need more than level 3, which is fully
120
adequate for most Samba administrators. Levels above 3 are used by
121
the developers and dump enormous amounts of cryptic information.</p>
123
<p>Here is an example of output at levels 2 and 3 for the same
124
operation. Don't worry if you don't
125
understand the intricacies of an SMB connection; the point is simply
126
to show you what types of information are shown at the different
127
<a name="INDEX-9"/>logging levels:</p>
129
<blockquote><pre class="code"> /* Level 2 */
131
Processing section "[homes]"
132
Processing section "[public]"
133
Processing section "[temp]"
134
Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
135
Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/
139
05/25/02 22:15:09 Transaction 63 of length 67
140
switch message SMBtconX (pid 3377)
141
Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
142
ACCEPTED: guest account and guest ok
143
found free connection number 105
147
05/25/02 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest
148
(uid=503,gid=100) (pid 3377)
149
05/25/02 22:15:09 tconX service=ipc$ user=pcguest cnum=105
150
05/25/02 22:15:09 Transaction 64 of length 99
151
switch message SMBtrans (pid 3377)
153
trans <\PIPE\LANMAN> data=0 params=19 setup=0
154
Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
156
RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
157
05/25/02 22:15:11 Transaction 65 of length 99
158
switch message SMBtrans (pid 3377)
161
trans <\PIPE\LANMAN> data=0 params=19 setup=0
162
Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
164
RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
165
05/25/02 22:15:11 Transaction 66 of length 95
166
switch message SMBtrans2 (pid 3377)
168
chdir to /pcdisk/public
169
call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end
170
= 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432
171
unix_clean_name [./DESKTOP.INI]
172
unix_clean_name [desktop.ini]
174
creating new dirptr 1 for path ./, expect_close = 1
175
05/25/02 22:15:11 Transaction 67 of length 53
176
switch message SMBgetatr (pid 3377)
179
<i class="lineannotation">[... deleted ...]</i></pre></blockquote>
181
<p>We cut off this listing after the first packet because it runs on for
182
many pages. However, be aware that log levels above 3 will quickly
183
consume disk space with megabytes of excruciating detail concerning
184
Samba's internal operations. Log level 3 is
185
extremely useful for following exactly what the server is doing, and
186
most of the time it will be obvious where an error occurs by glancing
187
through the log file.</p>
189
<p>Using a high log level (3 or above) will
190
<em class="emphasis">seriously</em> slow down the Samba server. Remember
191
that every log message generated causes a write to disk (an
192
inherently slow operation) and log levels greater than 2 produce
193
massive amounts of data. Essentially, you should turn on logging
194
level 3 only when you're actively tracking a problem
195
in the Samba server. <a name="INDEX-10"/></p>
202
<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.2"/>
204
<h3 class="head3">Activating and deactivating logging</h3>
206
<p><a name="INDEX-11"/><a name="INDEX-12"/>To turn logging on and off,
207
set the appropriate level in the <tt class="literal">[global]</tt> section
208
of <em class="filename">smb.conf</em>. Then, you can either restart Samba
209
or force the current daemon to reprocess the configuration file by
210
sending it a hangup (HUP) signal. You also can send the
211
<em class="emphasis">smbd</em> process a SIGUSR1 signal to increase its
212
log level by one while it's running, like this:</p>
214
<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR1 1234</b></tt></pre></blockquote>
216
<p>or a SIGUSR2 signal to decrease it by one:</p>
218
<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR2 1234</b></tt></pre></blockquote>
225
<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.3"/>
227
<h3 class="head3">Logging by individual client systems or users</h3>
229
<p>An effective way to diagnose problems without hampering other users
230
is to assign different log levels for different systems in the
231
<tt class="literal">[global]</tt> section of the
232
<em class="filename">smb.conf</em> file. We can do this by building on the
233
strategy we presented earlier:</p>
235
<blockquote><pre class="code">[global]
237
log file = /usr/local/samba/var/log.%m
238
include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
240
<p>These options instruct Samba to use unique configuration and log
241
files for each client that connects. Now all you have to do is create
242
an <em class="filename">smb.conf</em> file for a specific client system
243
with a <tt class="literal">log</tt> <tt class="literal">level</tt>
244
<tt class="literal">=</tt> <tt class="literal">3</tt> entry in it (the others
245
will pick up the default log level of 0) and use that log file to
246
track down the problem.</p>
248
<p>Similarly, if only particular users are experiencing a
249
problem—and it travels from system to system with
250
them—you can isolate logging to a specific user by adding the
251
following to the <em class="filename">smb.conf</em> file:</p>
253
<blockquote><pre class="code">[global]
255
log file = /usr/local/samba/var/log.%u
256
include = /usr/local/samba/lib/smb.conf.%u</pre></blockquote>
258
<p>Then you can create a unique <em class="filename">smb.conf</em> file for
259
each user you wish to monitor (e.g.,
260
<em class="filename">/usr/local/samba/lib/smb.conf.tim</em>). Files
261
containing the configuration option <tt class="literal">log</tt>
262
<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">3</tt>
263
and only those users will get more detailed logging.<a name="INDEX-13"/><a name="INDEX-14"/></p>
272
<div class="sect2"><a name="samba2-CHP-12-SECT-1.2"/>
274
<h3 class="head2">Samba Test Utilities</h3>
276
<p><a name="INDEX-15"/><a name="INDEX-16"/>A rigorous set of tests that exercise
277
the major parts of Samba are described in various files in the
278
<em class="emphasis">/docs/textdocs</em> directory of the Samba
279
distribution kit, starting with <em class="emphasis">DIAGNOSIS.txt</em>.
280
The fault tree in this chapter is a more detailed version of the
281
basic tests suggested by the Samba Team, but it covers only
282
installation and reconfiguration diagnosis, such as
283
<em class="emphasis">DIAGNOSIS.txt</em>. The other files in the
284
<em class="emphasis">/docs</em> subdirectories address specific problems
285
and instruct you how to troubleshoot items not included in this book.
286
If the fault tree doesn't suffice, be sure to look
288
<em class="emphasis">DIAGNOSIS.txt</em><a name="INDEX-17"/>
295
<div class="sect2"><a name="samba2-CHP-12-SECT-1.3"/>
297
<h3 class="head2">Unix Utilities</h3>
299
<p>Sometimes it's useful to use a tool outside the
300
Samba suite to examine what's happening inside the
301
server. Three diagnostic tools can be of particular help in debugging
302
Samba troubles: <em class="emphasis">trace</em>,
303
<em class="emphasis">tcpdump</em>, and <em class="emphasis">Ethereal</em>.</p>
306
<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.1"/>
308
<h3 class="head3">Using trace</h3>
310
<p>The <em class="emphasis">trace</em><a name="INDEX-18"/> command masquerades under several
311
different names, depending on the operating system you are using. On
313
<em class="emphasis">strace</em><a name="INDEX-19"/>; on Solaris you'll use
314
<em class="emphasis">truss</em><a name="INDEX-20"/>; SGI will have
315
<em class="emphasis">padc</em><a name="INDEX-21"/> and
316
<em class="emphasis">par</em><a name="INDEX-22"/>; and HP-UX will have
317
<em class="emphasis">trace</em> or
318
<em class="emphasis">tusc</em><a name="INDEX-23"/>. All have essentially the same
319
function, which is to display each operating system function call as
320
it is executed. This allows you to follow the execution of a program,
321
such as the Samba server, and often pinpoints the exact call that is
322
causing the difficulty.</p>
324
<p>One problem that <em class="emphasis">trace</em> can highlight is an
325
incorrect version of a dynamically linked library. This can happen if
326
you've downloaded prebuilt binaries of Samba.
327
You'll typically see the offending call at the end
328
of the <em class="emphasis">trace</em>, just before the program
331
<p>A sample <em class="emphasis">strace</em> output for the Linux operating
332
system follows. This is a small section of a larger file created
333
during the opening of a directory on the Samba server. Each line
334
lists a system call and includes its parameters and the return value.
335
If there was an error, the error value (e.g.,
336
<tt class="literal">ENOENT</tt>) and its explanation are also shown. You
337
can look up the parameter types and the errors that can occur in the
338
appropriate <em class="emphasis">trace</em> manual page for the operating
339
system you are using.</p>
341
<blockquote><pre class="code">chdir("/pcdisk/public") = 0
342
stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory)
343
stat("mini", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
344
stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory)
345
open("mini", O_RDONLY) = 5
346
fcntl(5, F_SETFD, FD_CLOEXEC) = 0
347
fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
348
lseek(5, 0, SEEK_CUR) = 0
349
SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196
350
lseek(5, 0, SEEK_CUR) = 1024
351
SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0
353
stat("mini/desktop.ini", 0xbffff86c) = -1 ENOENT (No such file or directory)
354
write(3, "\0\0\0#\377SMB\10\1\0\2\0\200\1\0"..., 39) = 39
355
SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1
356
read(3, "\0\0\0?", 4) = 4
357
read(3, "\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0"..., 63) = 63
358
time(NULL) = 896143871</pre></blockquote>
360
<p>This example shows several <em class="emphasis">stat() calls</em> failing
361
to find the files they were expecting. You don't
362
have to be an expert to see that the file
363
<em class="emphasis">desktop.ini</em> is missing from that directory. In
364
fact, many difficult problems can be identified by looking for
365
obvious, repeatable errors with <em class="emphasis">trace</em>. Often,
366
you need not look further than the last message before a crash.</p>
373
<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.2"/>
375
<h3 class="head3">Using tcpdump</h3>
377
<p>The <em class="emphasis">tcpdump</em><a name="INDEX-24"/> program, as extended by Andrew
378
<a name="INDEX-25"/>Tridgell,
379
allows you to monitor SMB <a name="INDEX-26"/>network
380
traffic in real time. A variety of output formats are available, and
381
you can filter the output to look at only a particular type of
382
traffic. You can examine all conversations between client and server,
383
including SMB and NMB broadcast messages. While its troubleshooting
384
capabilities lie mainly at the OSI network layer, you can still use
385
its output to get a general idea of what the server and client are
386
attempting to do.</p>
388
<p>A sample <em class="emphasis">tcpdump</em> log follows. In this instance,
389
the client has requested a directory listing, and the server has
390
responded appropriately, giving the directory names
391
<tt class="literal">homes</tt>, <tt class="literal">public</tt>,
392
<tt class="literal">IPC$</tt>, and <tt class="literal">temp</tt>
393
(we've added a few explanations on the right):</p>
395
<blockquote><pre class="code">$ <tt class="userinput"><b>tcpdump -v -s 255 -i eth0 port not telnet</b></tt>
396
SMB PACKET: SMBtrans (REQUEST) <i class="lineannotation"> Request packet</i>
397
SMB Command = 0x25 <i class="lineannotation">Request was ls or dir</i>
399
[000] 01 00 00 10 <i class="lineannotation">....</i>
402
>>> NBT Packet <i class="lineannotation">Outer frame of SMB packet</i>
408
SMB PACKET: SMBtrans (REPLY) <i class="lineannotation">Beginning of a reply to request</i>
409
SMB Command = 0x25 <i class="lineannotation">Command was an ls or dir</i>
411
Error code = 0 <i class="lineannotation">No errors</i>
429
Param Data: (8 bytes)
430
[000] 00 00 00 00 05 00 05 00 ........
432
Data Data: (135 bytes) <i class="lineannotation">Actual directory contents:</i>
433
[000] 68 6F 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 homes... ........
434
[010] 64 00 00 00 70 75 62 6C 69 63 00 00 00 00 00 00 d...publ ic......
435
[020] 00 00 00 00 75 00 00 00 74 65 6D 70 00 00 00 00 ....u... temp....
436
[030] 00 00 00 00 00 00 00 00 76 00 00 00 49 50 43 24 ........ v...IPC$
437
[040] 00 00 00 00 00 00 00 00 00 00 03 00 77 00 00 00 ........ ....w...
438
[050] 64 6F 6E 68 61 6D 00 00 00 00 00 00 00 00 00 00 donham.. ........
439
[060] 92 00 00 00 48 6F 6D 65 20 44 69 72 65 63 74 6F ....Home Directo
440
[070] 72 69 65 73 00 00 00 49 50 43 20 53 65 72 76 69 ries...I PC Servi
441
[080] 63 65 20 28 53 61 6D ce (Sam</pre></blockquote>
443
<p>This is more of the same debugging session as we saw before with the
444
<em class="emphasis">trace</em> command: the listing of a directory. The options
445
we used were <em class="emphasis">-v</em> (verbose), <em class="emphasis">-i
446
eth0</em> to tell <em class="emphasis">tcpdump</em> on which
447
interface to listen (an Ethernet port), and <em class="emphasis">-s
448
255</em> to tell it to save the first 255 bytes of each packet
449
instead of the default: the first 68. The option
450
<tt class="literal">port</tt> <tt class="literal">not</tt>
451
<tt class="literal">telnet</tt> is used to avoid screens of telnet traffic,
452
because we were logged in to the server remotely. The
453
<em class="emphasis">tcpdump</em> program actually has quite a number of
454
options to filter just the traffic you want to look at. If
455
you've used <em class="emphasis">snoop</em> or
456
<em class="emphasis">etherdump</em>, it will look vaguely familiar.</p>
458
<p>You can download the modified <em class="emphasis">tcpdump</em> from the
459
Samba FTP server, located at
460
<a href="ftp://samba.anu.edu.au/pub/samba/tcpdump-smb">ftp://samba.anu.edu.au/pub/samba/tcpdump-smb</a>.
461
Other versions might not include support for the SMB protocol; if you
462
don't see output such as that shown in the example,
463
you'll need to use the SMB-enabled version.</p>
470
<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.3"/>
472
<h3 class="head3">Using Ethereal</h3>
474
<p><a name="INDEX-27"/>Ethereal (<a href="http://www.ethereal.com">http://www.ethereal.com</a>) is a GUI-based
475
utility that performs the same basic function as
476
<em class="emphasis">tcpdump</em>. You might prefer Ethereal because it is
477
much easier to use. Once you have Ethereal running, just do the
481
<p>Select Start from the Capture menu.</p>
483
<p>Click the OK button in the dialog box that appears. This will bring
484
up a dialog box showing how many packets Ethereal has seen. Perform
485
the actions on the system(s) in your network to reproduce the problem
486
you are analyzing.</p>
488
<p>Click the Stop button in the Ethereal dialog box to make it finish
491
<p>In the main Ethereal window, click any item in the upper window to
492
view it in the lower window. In the lower window, click any of the
493
boxes containing a plus sign (<tt class="literal">+</tt>) to expand the
496
<p>Ethereal does a good job of translating the content of the packets it
497
encounters into human-readable format, and you should have little
498
trouble seeing what happened on the network during the capture
499
period. <a name="INDEX-28"/><a name="INDEX-29"/></p>
512
<div class="sect1"><a name="samba2-CHP-12-SECT-2"/>
514
<h2 class="head1">The Fault Tree</h2>
516
<p><a name="INDEX-30"/><a name="INDEX-31"/><a name="INDEX-32"/><a name="INDEX-33"/>The fault
517
tree presented in this section is for diagnosing and fixing problems
518
that occur when you're installing and reconfiguring
519
Samba. It's an expanded form of the trouble and
520
diagnostic document <em class="filename">DIAGNOSIS.txt</em>, which is part
521
of the Samba distribution.</p>
523
<p>Before you set out to troubleshoot any part of the Samba suite, you
524
should know the following information:</p>
527
<p>Your client IP address (we use 192.168.236.10)</p>
529
<p>Your server IP address (we use 192.168.236.86)</p>
531
<p>The netmask for your network (typically 255.255.255.0)</p>
533
<p>Whether the systems are all on the same subnet (ours are)</p>
535
<p>For clarity, we've renamed the server in the
536
following examples to <tt class="literal">server.example.com</tt>, and the
537
client system to <tt class="literal">client.example.com</tt>.</p>
540
<div class="sect2"><a name="samba2-CHP-12-SECT-2.1"/>
542
<h3 class="head2">How to Use the Fault Tree</h3>
544
<p>Start the tests here, without skipping forward; it
545
won't take long (about 5 minutes) and might actually
546
save you time backtracking. Whenever a test succeeds, you will be
547
given a name of a section to which you can safely skip.</p>
553
<div class="sect2"><a name="samba2-CHP-12-SECT-2.2"/>
555
<h3 class="head2">Troubleshooting Low-Level IP</h3>
557
<p><a name="INDEX-34"/>The
558
first series of tests is that of the low-level services that Samba
559
needs to run. The tests in this section verify that:</p>
562
<p>The IP software works</p>
564
<p>The Ethernet hardware works</p>
566
<p>Basic name service is in place</p>
568
<p>Subsequent sections add TCP software, the Samba daemons
569
<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>, host-based
570
access control, authentication and per-user access control, file
571
services, and browsing. The tests are described in considerable
572
detail to make them understandable by both technically oriented end
573
users and experienced systems and network administrators.</p>
576
<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.1"/>
578
<h3 class="head3">Testing the networking software with ping</h3>
580
<p><a name="INDEX-35"/>The first command to enter
581
on both the server and the client is
582
<tt class="literal">ping</tt><a name="INDEX-36"/><a name="INDEX-37"/>
583
<tt class="literal">127.0.0.1</tt>. This pings the loopback address and
584
indicates whether any networking support is functioning. On Unix, you
585
can use <tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> with the
586
statistics option and interrupt it after a few lines. On Sun
587
workstations, the command is typically
588
<tt class="literal">/usr/etc/ping</tt> <tt class="literal">-s</tt>
589
<tt class="literal">127.0.0.1</tt>; on Linux, just <tt class="literal">ping</tt>
590
<tt class="literal">127.0.0.1</tt>. On Windows clients, run
591
<tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> in an MS-DOS
592
(command prompt) window, and it will stop by itself after four lines.</p>
594
<p>Here is an example on a Linux server:</p>
596
<blockquote><pre class="code">$ <tt class="userinput"><b>ping 127.0.0.1 </b></tt>
597
PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1):
598
icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1):
599
icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1):
600
icmp-seq=2. time=1. ms ^C
601
----127.0.0.1 PING Statistics----
602
3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)
603
min/avg/max = 0/0/1</pre></blockquote>
605
<p>If you get "ping: no answer from . . .
606
" or "100% packet
607
loss," you have no IP networking installed on the
608
system. The address <tt class="literal">127.0.0.1</tt> is the internal
609
loopback address and doesn't depend on the computer
610
being physically connected to a network. If this test fails, you have
611
a serious local problem. TCP/IP either isn't
612
installed or is seriously misconfigured. See your operating system
613
documentation if it's a Unix server. If
614
it's a Windows client, follow the instructions in
615
<a href="ch03.html">Chapter 3</a> to install networking support.</p>
617
<a name="samba2-CHP-12-NOTE-155"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
618
<p>If <em class="emphasis">you're</em> the network manager,
619
some good references are Craig Hunt's
620
<em class="emphasis">TCP/IP Network Administration</em>, Chapter 11, and Craig Hunt and Robert Bruce
621
Thompson's <em class="emphasis">Windows NT TCP/IP Network
622
Administration</em>, both published by
631
<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.2"/>
633
<h3 class="head3">Testing local name services with ping</h3>
635
<p><a name="INDEX-38"/>Next, try to ping
636
<tt class="literal">localhost</tt> on the Samba server. The
637
<tt class="literal">localhost</tt> hostname is the conventional hostname
638
for the <tt class="literal">127.0.0.1</tt> loopback interface, and it
639
should resolve to that address. After typing <tt class="literal">ping</tt>
640
<tt class="literal">localhost</tt>, you should see output similar to the
643
<blockquote><pre class="code">$ <tt class="userinput"><b>ping localhost </b></tt>
644
PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1):
645
icmp-seq=0. time=0. ms 64 bytes from localhost (127.0.0.1):
646
icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1):
647
icmp-seq=2. time=0. ms ^C</pre></blockquote>
649
<p>If this succeeds, try the same test on the client. Otherwise:</p>
652
<p>If you get "unknown host:
653
localhost," there is a problem resolving the
654
hostname <em class="filename">localhost</em> into a valid IP address.
655
(This might be as simple as a missing entry in a local
656
<em class="emphasis">hosts</em> file.) From here, skip down to
657
<a href="ch03.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a> later in this chapter.</p>
659
<p>If you get "ping: no answer," or
660
"100% packet loss," but pinging
661
<tt class="literal">127.0.0.1</tt> worked, name services is resolving to an
662
address, but it isn't the correct one. Check the
663
file or database (typically <em class="filename">/etc/hosts</em> on a Unix
664
system) that the name service is using to resolve addresses to ensure
665
that the entry is correct.</p>
672
<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.3"/>
674
<h3 class="head3">Testing the networking hardware with ping</h3>
676
<p><a name="INDEX-39"/>Next, ping the
677
server's network IP address from itself. This should
678
get you exactly the same results as pinging
679
<tt class="literal">127.0.0.1</tt>:</p>
681
<blockquote><pre class="code">$ <tt class="userinput"><b>ping 192.168.236.86 </b></tt>
682
PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86):
683
icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86):
684
icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86):
685
icmp-seq=2. time=1. ms ^C
686
----192.168.236.86 PING Statistics----
687
3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)
688
min/avg/max = 0/0/1</pre></blockquote>
690
<p>If this works on the server, repeat it for the client. Otherwise:</p>
693
<p>If <tt class="literal">ping</tt> <em class="replaceable">network_ip</em>
694
fails on either the server or client, but <tt class="literal">ping</tt>
695
<tt class="literal">127.0.0.1</tt> works on that system, you have a TCP/IP
696
problem that is specific to the Ethernet network interface card on
697
the computer. Check with the documentation for the network card or
698
host operating system to determine how to configure it correctly.
699
However, be aware that on some operating systems, the
700
<em class="emphasis">ping</em> command appears to work even if the network
701
is disconnected, so this test doesn't always
702
diagnose all hardware problems.</p>
709
<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.4"/>
711
<h3 class="head3">Testing connections with ping</h3>
713
<p><a name="INDEX-40"/>Now, ping the server by name (instead
714
of its IP address)—once from the server and once from the
715
client. This is the general test for working network hardware:</p>
717
<blockquote><pre class="code">$ <tt class="userinput"><b>ping server </b></tt>
718
PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86):
719
icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86):
720
icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86):
721
icmp-seq=2. time=1. ms ^C
722
----server.example.com PING Statistics----
723
3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)
724
min/avg/max = 0/0/1</pre></blockquote>
726
<p>If successful, this test tells us five things:</p>
729
<p>The hostname (e.g., <tt class="literal">server</tt>) is being found by your
730
local name server.</p>
732
<p>The hostname has been expanded to the full name (e.g.,
733
<tt class="literal">server.example.com</tt>).</p>
735
<p>Its address is being returned (<tt class="literal">192.168.236.86</tt>).</p>
737
<p>The client has sent the Samba server four 56-byte UDP/IP packets.</p>
739
<p>The Samba server has replied to all four packets.</p>
741
<p>If this test isn't successful, one of several things
742
can be wrong with the network:</p>
745
<p>First, if you get <tt class="literal">ping</tt>: <tt class="literal">no</tt>
746
<tt class="literal">answer</tt>, or <tt class="literal">100%</tt>
747
<tt class="literal">packet</tt> <tt class="literal">loss</tt>,
748
you're not connecting to the network, the other
749
system isn't connecting, or one of the addresses is
750
incorrect. Check the addresses that the <em class="emphasis">ping</em>
751
command reports on each system, and ensure that they match the ones
752
you set up initially.</p>
754
<p>If not, there is at least one mismatched address between the two
755
systems. Try entering the command <tt class="literal">arp</tt>
756
<tt class="literal">-a</tt>, and see if there is an entry for the other
757
system. (The <em class="emphasis">arp</em> command stands for the Address
758
Resolution Protocol. The <tt class="literal">arp</tt> <tt class="literal">-a</tt>
759
command lists all the addresses known on the local system.) Here are
760
some things to try:</p>
762
<p>If you receive a message like <tt class="literal">192.168.236.86</tt>
763
<tt class="literal">at</tt> <tt class="literal">(incomplete)</tt>, the Ethernet
764
address of 192.168.236.86 is unknown. This indicates a complete lack
765
of connectivity, and you're likely having a problem
766
at the very bottom of the TCP/IP protocol stack—the Ethernet
767
interface layer. This is discussed in Chapters 5 and 6 of
768
<em class="citetitle">TCP/IP Network Administration
771
<p>If you receive a response similar to server
772
<tt class="literal">(192.168.236.86)</tt> <tt class="literal">at</tt>
773
<tt class="literal">8:0:20:12:7c:94</tt>, the server has been reached at
774
some time, or another system is answering on its behalf. However,
775
this means that <em class="emphasis">ping</em> should have worked: you may
776
have an intermittent networking or ARP problem.</p>
778
<p>If the IP address from ARP doesn't match the
779
addresses you expected, investigate and correct the addresses
786
<p>If each system can ping itself but not another, something is wrong on
787
the network between them.</p>
789
<p>If you get <tt class="literal">ping</tt>: <tt class="literal">network</tt>
790
<tt class="literal">unreachable</tt> or <tt class="literal">ICMP</tt>
791
<tt class="literal">Host</tt> <tt class="literal">Unreachable</tt>,
792
you're not receiving an answer, and more than one
793
network is probably involved.</p>
795
<p>In principle, you shouldn't try to troubleshoot SMB
796
clients and servers on different networks. Try to test a server and
797
client that are on the same network:</p>
800
<p>First, perform the tests for <tt class="literal">ping</tt>:
801
<tt class="literal">no</tt> <tt class="literal">answer</tt> described earlier in
802
this section. If this doesn't identify the problem,
803
the remaining possibilities are the following: an address is wrong,
804
your netmask is wrong, a network is down, or the packets have been
805
stopped by a firewall.</p>
808
<p>Check both the address and the netmasks on source and destination
809
systems to see if something is obviously wrong. Assuming both systems
810
really are on the same network, they both should have the same
811
netmasks, and <em class="emphasis">ping</em> should report the correct
812
addresses. If the addresses are wrong, you'll need
813
to correct them. If they are correct, the programs might be confused
814
by an incorrect netmask. See <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter.</p>
817
<p>If the commands are still reporting that the network is unreachable
818
and neither of the previous two conditions are in error, one network
819
really might be unreachable from the other. This, too, is an issue
820
for the network manager.</p>
823
<p>If you get <tt class="literal">ICMP</tt>
824
<tt class="literal">Administratively</tt> <tt class="literal">Prohibited</tt>,
825
you've struck a firewall of some sort or a
826
misconfigured router. You will need to speak to your network security
829
<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt>
830
<tt class="literal">redirect</tt> and <em class="emphasis">ping</em> reports
831
packets getting through, this is generally harmless:
832
you're simply being rerouted over the network.</p>
834
<p>If you get a host redirect and no <em class="emphasis">ping</em>
835
responses, you are being redirected, but no one is responding. Treat
836
this just like the <tt class="literal">Network</tt>
837
<tt class="literal">unreachable</tt> response, and check your addresses and
840
<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt>
841
<tt class="literal">Unreachable</tt> <tt class="literal">from</tt>
842
<tt class="literal">gateway</tt> <tt class="literal">gateway</tt>
843
<tt class="literal">name</tt>, ping packets are being routed to another
844
network, but the other system isn't responding and
845
the router is reporting the problem on its behalf. Again, treat this
846
like a <tt class="literal">Network</tt> <tt class="literal">unreachable</tt>
847
response, and start checking addresses and netmasks.</p>
849
<p>If you get <tt class="literal">ping</tt>: <tt class="literal">unknown</tt>
850
<tt class="literal">host</tt> <tt class="literal">hostname</tt>, your
851
system's name is not known. This tends to indicate a
852
name service problem, which didn't affect
853
<tt class="literal">localhost</tt>. Have a look at <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
855
<p>If you get a partial success—with some pings failing but others
856
succeeding—you have either an intermittent problem between the
857
systems or an overloaded network. Ping a bit longer, and see if more
858
than about three percent of the packets fail. If so, check it with
859
your network manager: a problem might just be starting. However, if
860
only a few fail, or if you happen to know some massive network
861
program is running, don't worry unduly. The ICMP
862
(and UDP) protocols used by <em class="emphasis">ping</em> are allowed to
863
drop occasional packets.</p>
865
<p>If you get a response such as <tt class="literal">smtsvr.antares.net</tt>
866
<tt class="literal">is</tt> <tt class="literal">alive</tt> when you actually
867
pinged <tt class="literal">client.example.com</tt>, either
868
you're using someone else's address
869
or the system has multiple names and addresses. If the address is
870
wrong, the name service is clearly the culprit;
871
you'll need to change the address in the name
872
service database to refer to the correct system. This is discussed in
873
<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this
876
<p>Servers are often <em class="emphasis">multihomed</em> —i.e.,
877
connected to more than one network, with different names on each net.
878
If you are getting a response from an unexpected name on a multihomed
879
server, look at the address and see if it's on your
880
network (see <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter). If
881
so, you should use that address, rather than one on a different
882
network, for both performance and reliability reasons.</p>
884
<p>Servers can also have multiple names for a single Ethernet address,
885
especially if they are web servers. This is harmless, albeit
886
startling. You probably will want to use the official (and permanent)
887
name, rather than an alias that might change.</p>
889
<p>If everything works but the IP address reported is
890
<tt class="literal">127.0.0.1</tt>, you have a name service error. This
891
typically occurs when an operating-system installation program
892
generates an <em class="filename">/etc/hosts</em> line similar to
893
<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt>
894
<em class="emphasis">hostname.domainname</em>. The localhost line should
895
say <tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> or
896
<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt>
897
<tt class="literal">loghost</tt>. Correct it, lest it cause failures to
898
negotiate who is the master browse list holder and who is the master
899
browser. It can also cause (ambiguous) errors in later tests.</p>
901
<p>If this worked from the server, repeat it from the client. <a name="INDEX-41"/>
902
<a name="INDEX-42"/><a name="INDEX-43"/></p>
911
<div class="sect2"><a name="samba2-CHP-12-SECT-2.3"/>
913
<h3 class="head2">Troubleshooting TCP</h3>
915
<p><a name="INDEX-44"/><a name="INDEX-45"/>Now that
916
you've tested IP, UDP, and a name service with
917
<em class="emphasis">ping</em>, it's time to test TCP.
918
Browsing and <em class="emphasis">ping</em> use ICMP and UDP; file and
919
print services (shares) use TCP. Both depend on IP as a lower layer,
920
and all four depend on name services. Testing TCP is most
921
conveniently done using the FTP program.</p>
924
<div class="sect3"><a name="samba2-CHP-12-SECT-2.3.1"/>
926
<h3 class="head3">Testing TCP with FTP</h3>
928
<p>Try connecting via FTP, once from the server to itself, and once from
929
the client to the server:</p>
931
<blockquote><pre class="code">$ <tt class="userinput"><b>ftp server</b></tt>
932
Connected to server.example.com.
933
220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready.
934
Name (server:davecb):
935
331 Password required for davecb.
937
230 User davecb logged in.
938
ftp><tt class="userinput"><b> quit </b></tt>
939
221 Goodbye.</pre></blockquote>
941
<p>If this worked, skip to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>. Otherwise:</p>
944
<p>If you received the message <tt class="literal">server</tt>:
945
<tt class="literal">unknown</tt> <tt class="literal">host</tt>, name service has
946
failed. Go back to the corresponding <em class="emphasis">ping</em> step,
947
<a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>, and rerun those tests
948
to see why name lookup failed.</p>
950
<p>If you received <tt class="literal">ftp</tt>: <tt class="literal">connect</tt>:
951
<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the system
952
isn't running an FTP daemon. This is mildly unusual
953
on Unix servers. Optionally, you might try this test by connecting to
954
the system using <em class="emphasis">telnet</em> instead of
955
<em class="emphasis">ftp</em>; the messages are very similar, and
956
<em class="emphasis">telnet</em> uses TCP as well.</p>
958
<p>If there was a long pause, and then <tt class="literal">ftp</tt>:
959
<tt class="literal">connect</tt>: <tt class="literal">Connection</tt>
960
<tt class="literal">timed</tt> <tt class="literal">out</tt>, the system
961
isn't reachable. Return to <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>.</p>
963
<p>If you received <tt class="literal">530</tt> <tt class="literal">Logon</tt>
964
<tt class="literal">Incorrect</tt>, you connected successfully, but
965
you've just found a different problem. You likely
966
provided an incorrect username or password. Try again, making sure
967
you use your username from the Unix server and type your password
977
<div class="sect2"><a name="samba2-CHP-12-SECT-2.4"/>
979
<h3 class="head2">Troubleshooting Server Daemons</h3>
981
<p><a name="INDEX-46"/>Once
982
you've confirmed that TCP networking is working
983
properly, the next step is to make sure the daemons are running on
984
the server. This takes three separate tests because no single one of
985
the following will decisively prove that they're
986
working correctly.</p>
988
<p>To be sure they're running, you need to find out
989
whether the daemons:</p>
994
<p>Are registered or bound to a TCP/IP port by the operating system</p>
996
<p>Are actually paying attention</p>
999
<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.1"/>
1001
<h3 class="head3">Tracking daemon startup</h3>
1003
<p><a name="INDEX-47"/>First, check the Samba logs. If
1004
you've started the daemons, the message
1005
<tt class="literal">smbd</tt> <tt class="literal">version</tt>
1006
<tt class="literal">number</tt> <tt class="literal">started</tt> should appear.
1007
If it doesn't, you need to restart the Samba
1010
<p>If the daemon reports that it has indeed started, look out for
1011
<tt class="literal">bind</tt> <tt class="literal">failed</tt>
1012
<tt class="literal">on</tt> <tt class="literal">port</tt> <tt class="literal">139</tt>
1013
<tt class="literal">socket_addr=0</tt> <tt class="literal">(Address</tt>
1014
<tt class="literal">already</tt> <tt class="literal">in</tt>
1015
<tt class="literal">use)</tt>. This means another daemon has been started
1016
on port 139 (<em class="emphasis">smbd</em> ). Also,
1017
<em class="emphasis">nmbd</em> will report a similar failure if it cannot
1018
bind to port 137. Either you've started them twice,
1019
or the <em class="emphasis">inetd</em> server has tried to provide a
1020
daemon for you. If it's the latter,
1021
we'll diagnose that in a moment.</p>
1028
<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.2"/>
1030
<h3 class="head3">Looking for daemon processes with ps</h3>
1032
<p><a name="INDEX-48"/>Another way to make sure the daemons are
1033
running is to check their processes on the system. Use the
1034
<em class="emphasis">ps</em><a name="INDEX-49"/> command on the server with the
1035
"long" option for your system type
1036
(commonly <tt class="literal">ps</tt> <tt class="literal">ax</tt> or
1037
<tt class="literal">ps</tt> <tt class="literal">-ef</tt>), and see whether
1038
<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> are already
1039
running. This often looks like the following:</p>
1041
<blockquote><pre class="code">$ <tt class="userinput"><b>ps ax</b></tt>
1042
PID TTY STAT TIME COMMAND
1044
2 ? SW 0:00 (kflushd)
1045
<i class="lineannotation">(...many lines of processes...) </i>
1046
234 ? S 0:14 nmbd -D3
1047
237 ? S 0:11 smbd -D3
1048
<i class="lineannotation">(...more lines, possibly including more smbd lines...)</i></pre></blockquote>
1050
<p>This example illustrates that <em class="emphasis">smbd</em> and
1051
<em class="emphasis">nmbd</em> have already started as standalone daemons
1052
(the <em class="emphasis">-D</em> option) at log level 3.</p>
1059
<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.3"/>
1061
<h3 class="head3">Looking for daemons bound to ports</h3>
1063
<p><a name="INDEX-50"/>Next, the daemons have to be registered
1064
with the operating system so that they can get access to TCP/IP
1065
ports. The <em class="emphasis">netstat</em> command will tell you if this
1066
has been done. Run the command <tt class="literal">netstat</tt>
1067
<tt class="literal">-a</tt> on the server, and look for lines mentioning
1068
<tt class="literal">netbios</tt>, <tt class="literal">137</tt>, or
1069
<tt class="literal">139</tt>:</p>
1071
<blockquote><pre class="code">$ <tt class="userinput"><b>netstat -a </b></tt>
1072
Active Internet connections (including servers)
1073
Proto Recv-Q Send-Q Local Address Foreign Address (state)
1075
tcp 0 0 *.139 *.* LISTEN
1076
tcp 8370 8760 server.139 client.1439 ESTABLISHED</pre></blockquote>
1078
<p>Among similar lines, there should be at least one UDP line for
1079
<tt class="literal">*.netbios-</tt> or <tt class="literal">*.137</tt>. This
1080
indicates that the <em class="emphasis">nmbd</em> server is registered and
1081
(we hope) is waiting to answer requests. There should also be at
1082
least one TCP line mentioning <tt class="literal">*.netbios-</tt> or
1083
<tt class="literal">*.139</tt>, and it will probably be in the LISTEN
1084
state. This means that <em class="emphasis">smbd</em> is up and listening
1085
for connections.</p>
1087
<p>There might be other TCP lines indicating connections from
1088
<em class="emphasis">smbd</em> to clients, one for each client. These are
1089
usually in the ESTABLISHED state. If there are
1090
<em class="emphasis">smbd</em> lines in the ESTABLISHED state,
1091
<em class="emphasis">smbd</em> is definitely running. If there is only one
1092
line in the LISTEN state, we're not sure yet. If
1093
both of the lines are missing, a daemon has not succeeded in
1094
starting, so it's time to check the logs and then go
1095
back to <a href="ch02.html">Chapter 2</a>.</p>
1097
<p>If there is a line for each client, it might be coming either from a
1098
Samba daemon or from the master IP daemon,
1099
<em class="emphasis">inetd</em>. It's quite possible that
1100
your <em class="emphasis">inetd</em> startup file contains lines that
1101
start Samba daemons without your realizing it; for instance, the
1102
lines might have been placed there if you installed Samba as part of
1103
a Linux distribution. The daemons started by
1104
<em class="emphasis">inetd</em> prevent ours from running. This problem
1105
typically produces log messages such as <tt class="literal">bind</tt>
1106
<tt class="literal">failed</tt> <tt class="literal">on</tt>
1107
<tt class="literal">port</tt> <tt class="literal">139</tt>
1108
<tt class="literal">socket</tt> <tt class="literal">addr=0</tt>
1109
<tt class="literal">(Address</tt> <tt class="literal">already</tt>
1110
<tt class="literal">in</tt> <tt class="literal">use)</tt>.</p>
1112
<p>Check your <em class="filename">/etc/inetd.conf</em> ; unless
1113
you're intentionally starting the daemons from
1114
there, <tt class="literal">netbios-ns</tt> (UDP port 137) or
1115
<tt class="literal">netbios-ssn</tt> (tcp port 139) servers should be
1116
mentioned there. If your system is providing an SMB daemon via
1117
<em class="emphasis">inetd</em>, lines such as the following will appear
1118
in the <em class="filename">inetd.conf</em> file:</p>
1120
<blockquote><pre class="code">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
1121
netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre></blockquote>
1123
<p>If your system uses <em class="emphasis">xinetd</em> instead of
1124
<em class="emphasis">inetd</em>, see <a href="ch02.html">Chapter 2</a> for
1125
details concerning its configuration.</p>
1132
<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.4"/>
1134
<h3 class="head3">Checking smbd with telnet</h3>
1136
<p><a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>Ironically, the easiest way to test that
1137
the <em class="emphasis">smbd</em> server is actually working is to send
1138
it a meaningless message and see if it is rejected. Try something
1139
such as the following:</p>
1141
<blockquote><pre class="code">$ <tt class="userinput"><b>echo "hello" | telnet localhost 139 </b></tt>
1143
Trying 192.168.236.86 ...
1144
Connected to localhost. Escape character is '^]'.
1145
Connection closed by foreign host.</pre></blockquote>
1147
<p>This sends an erroneous but harmless message to
1148
<em class="emphasis">smbd</em>. If you get a <tt class="literal">Connected</tt>
1149
message followed by a <tt class="literal">Connection</tt>
1150
<tt class="literal">closed</tt> message, the test was a success. You have
1151
an <em class="emphasis">smbd</em> daemon listening on the port and
1152
rejecting improper connection messages. On the other hand, if you get
1153
<tt class="literal">telnet</tt>: <tt class="literal">connect</tt>:
1154
<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, most likely
1155
no daemon is present. Check the logs and go back to <a href="ch02.html">Chapter 2</a>.</p>
1157
<p>Regrettably, there isn't an easy test for
1158
<em class="emphasis">nmbd</em>. If the <em class="emphasis">telnet</em> test
1159
and the <em class="emphasis">netstat</em> test both say that an
1160
<em class="emphasis">smbd</em> is running, there is a good chance that
1161
<em class="emphasis">netstat</em> will also be correct about
1162
<em class="emphasis">nmbd</em> running.</p>
1169
<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.5"/>
1171
<h3 class="head3">Testing daemons with testparm</h3>
1173
<p><a name="INDEX-54"/><a name="INDEX-55"/>Once you know
1174
there's a daemon, you should always run
1175
<em class="emphasis">testparm</em>, in hopes of getting something such as
1178
<blockquote><pre class="code">$ <tt class="userinput"><b>testparm </b></tt>
1179
Load smb config files from /opt/samba/lib/smb.conf
1180
Processing section "[homes]"
1181
Processing section "[printers]" ...
1182
Processing section "[tmp]"
1183
Loaded services file OK. ...</pre></blockquote>
1185
<p>The <em class="emphasis">testparm</em> program normally reports the
1186
processing of a series of sections and responds with
1187
<tt class="literal">Loaded</tt> <tt class="literal">services</tt>
1188
<tt class="literal">file</tt> <tt class="literal">OK</tt> if it succeeds. If not,
1189
it reports one or more of the following messages, which also appear
1190
in the logs as noted:</p>
1193
<dt><b>Allow/Deny connection from account (n) to service</b></dt>
1195
<p>A <em class="emphasis">testparm</em>-only message produced if you have
1196
<tt class="literal">valid</tt> <tt class="literal">user</tt> or
1197
<tt class="literal">invalid</tt> <tt class="literal">user</tt> options set in
1198
your <em class="emphasis">smb.conf</em>. You will want to make sure that
1199
you are on the valid user list, and that <tt class="literal">root</tt>,
1200
<tt class="literal">bin</tt>, etc., are on the invalid user list. If you
1201
don't, you will not be able to connect, or users who
1202
shouldn't <em class="emphasis">will</em> be able to.</p>
1207
<dt><b>Warning: You have some share names that are longer than eight chars</b></dt>
1209
<p>For anyone using Windows for Workgroups and older clients. They fail
1210
to connect to shares with long names, producing an overflow message
1211
that sounds confusingly like a memory overflow.</p>
1216
<dt><b>Warning: [name] service MUST be printable!</b></dt>
1218
<p>A printer share lacks a <tt class="literal">printable</tt>
1219
<tt class="literal">=</tt> <tt class="literal">yes</tt> option.</p>
1224
<dt><b>No path in service name using [name]</b></dt>
1226
<p>A file share doesn't know which directory to provide
1227
to the user, or a print share doesn't know which
1228
directory to use for spooling. If no path is specified, the service
1229
will try to run with a path of <em class="emphasis">/tmp</em>, which might
1230
not be what you want.</p>
1235
<dt><b>Note: Servicename is flagged unavailable</b></dt>
1237
<p>Just a reminder that you have used the <tt class="literal">available</tt>
1238
<tt class="literal">=</tt> <tt class="literal">no</tt> option in a share.</p>
1243
<dt><b>Can't find include file [name] </b></dt>
1245
<p>A configuration file referred to by an <tt class="literal">include</tt>
1246
option did not exist. If you were including the file unconditionally,
1247
this is an error and probably a serious one: the share will not have
1248
the configuration you intended. If you were including it based on one
1249
of the <tt class="literal">%</tt> variables, such as <tt class="literal">%a</tt>
1250
(architecture), you will need to decide whether, for example, a
1251
missing Windows for Workgroups configuration file is a problem. It
1257
<dt><b>Can't copy service name, unable to copy to itself</b></dt>
1259
<p>You tried to copy an <em class="filename">smb.conf</em> section into
1265
<dt><b>Unable to copy service—source not found: [name]</b></dt>
1267
<p>Indicates a missing or misspelled section in a
1268
<tt class="literal">copy</tt> <tt class="literal">=</tt> option.</p>
1273
<dt><b>Ignoring unknown parameter name </b></dt>
1275
<p>Typically indicates an obsolete, misspelled, or unsupported option.</p>
1280
<dt><b>Global parameter name found in service section </b></dt>
1282
<p>Indicates that a global-only parameter has been used in an individual
1283
share. Samba ignores the parameter.</p>
1288
<p>After the <em class="emphasis">testparm</em> test, repeat it with
1289
(exactly) three parameters: the name of your
1290
<em class="filename">smb.conf</em> file, the name of your client, and its
1293
<blockquote><pre class="code"># <tt class="userinput"><b>testparm /usr/local/samba/lib/smb.conf client 192.168.236.10</b></tt></pre></blockquote>
1295
<p>This will run one more test that checks the hostname and address
1296
against <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
1297
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options and might
1298
produce the <tt class="literal">Allow</tt> <tt class="literal">connection</tt>
1299
<tt class="literal">from</tt> <tt class="literal">hostname</tt>
1300
<tt class="literal">to</tt> <tt class="literal">service</tt> and/or
1301
<tt class="literal">Deny</tt> <tt class="literal">connection</tt>
1302
<tt class="literal">from</tt> <tt class="literal">hostname</tt>
1303
<tt class="literal">to</tt> <tt class="literal">service</tt> messages for the
1304
client system. These messages indicate that you have
1305
<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and/or
1306
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options in your
1307
<em class="filename">smb.conf</em>, and they prohibit access from the
1308
client system. <a name="INDEX-56"/></p>
1317
<div class="sect2"><a name="samba2-CHP-12-SECT-2.5"/>
1319
<h3 class="head2">Troubleshooting SMB Connections</h3>
1321
<p><a name="INDEX-57"/><a name="INDEX-58"/>Now
1322
that you know the servers are up, you need to make sure
1323
they're running properly. We start by placing a
1324
simple <em class="filename">smb.conf</em> file in the
1325
<em class="filename">/usr/local/samba/lib</em> directory.</p>
1328
<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.1"/>
1330
<h3 class="head3">A minimal smb.conf file</h3>
1332
<p>In the following tests, we assume you have a
1333
<tt class="literal">[temp]</tt> share suitable for testing, plus at least
1334
one account. An <em class="filename">smb.conf</em> file that includes just
1335
these is as follows:</p>
1337
<blockquote><pre class="code">[global]
1338
workgroup = <em class="replaceable">EXAMPLE</em>
1347
public = yes</pre></blockquote>
1348
<a name="samba2-CHP-12-NOTE-156"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
1349
<p>The <tt class="literal">public</tt> <tt class="literal">=</tt>
1350
<tt class="literal">yes</tt> option in the <tt class="literal">[temp]</tt> share
1351
is just for testing. You probably don't want people
1352
without accounts storing things on your Samba server, so you should
1353
comment it out when you're done.</p>
1361
<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.2"/>
1363
<h3 class="head3">Testing locally with smbclient</h3>
1365
<p><a name="INDEX-59"/><a name="INDEX-60"/>The first test is to ensure that the
1366
server can list its own services (shares). Run the command
1367
<tt class="literal">smbclient</tt> <em class="emphasis">-L</em>
1368
<tt class="literal">localhost</tt> <tt class="literal">-U%</tt> to connect to the
1369
server from itself, and specify the guest user. You should see the
1372
<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L localhost -U% </b></tt>
1373
Server time is Wed May 27 17:57:40 2002 Timezone is UTC-4.0
1378
Sharename Type Comment
1379
--------- ----- ----------
1381
IPC$ IPC IPC Service (Samba 1.9.18)
1382
homes Disk Home directories
1383
This machine does not have a browse list</pre></blockquote>
1385
<p>If you received this output, move on to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>. On the other hand, if you
1386
receive an error, check the following:</p>
1389
<p>If you get <tt class="literal">Get_hostbyname</tt>:
1390
<tt class="literal">unknown</tt> <tt class="literal">host</tt>
1391
<tt class="literal">localhost</tt>, either you've spelled
1392
its name wrong or there actually is a problem (which should have been
1393
seen back in <a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>). In the
1394
latter case, move on to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
1396
<p>If you get <tt class="literal">Connect</tt> <tt class="literal">error</tt>:
1397
<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the server
1398
was found, but it wasn't running an
1399
<em class="emphasis">nmbd</em> daemon. Skip back to
1400
<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>,
1401
earlier in this chapter, and retest the daemons.</p>
1403
<p>If you get the message <tt class="literal">Your</tt>
1404
<tt class="literal">server</tt> <tt class="literal">software</tt>
1405
<tt class="literal">is</tt> <tt class="literal">being</tt>
1406
<tt class="literal">unfriendly</tt>, the initial session request packet got
1407
a garbage response from the server. The server might have crashed or
1408
started improperly. The common causes of this can be discovered by
1409
scanning the logs for the following:</p>
1411
<p>Invalid command-line parameters to <em class="emphasis">smbd</em> ; see
1412
the <em class="emphasis">smbd</em> manual page.</p>
1414
<p>A fatal problem with the <em class="filename">smb.conf</em> file that
1415
prevents the startup of <em class="emphasis">smbd</em>. Always check your
1416
changes with <em class="emphasis">testparm</em>, as was done in <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>, earlier in this chapter.</p>
1418
<p>Missing directories where Samba is supposed to keep its log and lock
1421
<p>The presence of a server already on the port (139 for
1422
<em class="emphasis">smbd</em>, 137 for <em class="emphasis">nmbd</em> ),
1423
preventing the daemon from starting.</p>
1427
<p>If you're using <em class="emphasis">inetd</em> (or
1428
xinetd ) instead of standalone daemons, be sure to check your
1429
<em class="filename">/etc/inetd.conf</em> (or xinetd configuration files)
1430
and <em class="filename">/etc/services</em> entries against their manual
1431
pages for errors as well.</p>
1433
<p>If you get a <tt class="literal">Password</tt>: prompt, your guest account
1434
is not set up properly. The <em class="emphasis">-U%</em> option tells
1435
<em class="emphasis">smbclient</em> to do a "null
1436
login," which requires that the guest account be
1437
present but does not require it to have any privileges.</p>
1439
<p>If you get the message <tt class="literal">SMBtconX</tt>
1440
<tt class="literal">failed</tt>. <tt class="literal">ERRSRV--ERRaccess</tt>, you
1441
aren't permitted access to the server. This normally
1442
means you have a <tt class="literal">hosts</tt> <tt class="literal">allow</tt>
1443
option that doesn't include the server or a
1444
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.
1445
Recheck with the command <tt class="literal">testparm</tt>
1446
<tt class="literal">smb.conf</tt> <em class="replaceable">your_hostname</em>
1447
<em class="replaceable">your_ip_address</em> (see
1448
<a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>),
1449
and correct any unintended prohibitions.</p>
1456
<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.3"/>
1458
<h3 class="head3">Testing connections with smbclient</h3>
1460
<p><a name="INDEX-61"/><a name="INDEX-62"/>Run the command
1461
<tt class="literal">smbclient</tt>
1462
<tt class="literal">\\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt>
1463
to connect to the server's <tt class="literal">[temp]</tt>
1464
share and to see if you can connect to a file service. You should get
1465
the following response:</p>
1467
<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient '\\server\temp' </b></tt>
1468
Server time is Tue May 5 09:49:32 2002 Timezone is UTC-4.0 Password:
1469
<b class="emphasis-bold">smb: \> quit</b></pre></blockquote>
1470
<p>You might receive the following errors:</p>
1473
<p>If you get <tt class="literal">Get_Hostbyname</tt>:
1474
<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
1475
<tt class="literal">name</tt>, <tt class="literal">Connect</tt>
1476
<tt class="literal">error</tt>: <tt class="literal">Connection</tt>
1477
<tt class="literal">refused</tt>, or <tt class="literal">Your</tt>
1478
<tt class="literal">server</tt> <tt class="literal">software</tt>
1479
<tt class="literal">is</tt> <tt class="literal">being</tt>
1480
<tt class="literal">unfriendly</tt>, see the previous section,
1481
<a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, for
1484
<p>If you get the message <tt class="literal">servertemp</tt>:
1485
<tt class="literal">Not</tt> <tt class="literal">enough</tt>
1486
<tt class="literal">`\</tt>'
1487
<tt class="literal">characters</tt> <tt class="literal">in</tt>
1488
<tt class="literal">service</tt>, you likely didn't quote
1489
the address, so Unix stripped off backslashes. You can also write the
1492
<blockquote><pre class="code">smbclient \\\\<em class="replaceable">server</em>\\temp</pre></blockquote>
1495
<blockquote><pre class="code">smbclient //<em class="replaceable">server</em>/temp</pre></blockquote>
1498
<p>Now, provide your Unix account password to the
1499
<tt class="literal">Password</tt>: prompt. If you then get an
1500
<tt class="literal">smb</tt>: <tt class="literal">\></tt> prompt, it worked.
1501
Enter <tt class="literal">quit</tt> and continue on to the next section,
1502
<a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If
1503
you got <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>.
1504
<tt class="literal">ERRSRV--ERRinvnetname</tt>, the problem can be any of
1508
<p>A wrong share name: you might have spelled it wrong, it might be too
1509
long, it might be in mixed case, or it might not be available. Check
1510
that it's what you expect with
1511
<em class="emphasis">testparm</em> (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
1513
<p>A <tt class="literal">security</tt> <tt class="literal">=</tt>
1514
<tt class="literal">share</tt> parameter in your Samba configuration file,
1515
in which case you might have to add <tt class="literal">-U</tt>
1516
<em class="replaceable">your_account</em> to the
1517
<em class="emphasis">smbclient</em> command.</p>
1519
<p>An erroneous username.</p>
1521
<p>An erroneous password.</p>
1523
<p>An <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
1524
<tt class="literal">valid</tt> <tt class="literal">users</tt> option in your
1525
<em class="emphasis">smb.conf</em> file that doesn't
1526
allow your account to connect. Recheck using
1527
<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt>
1528
<em class="replaceable">your_hostname your_ip_address</em> (see the
1529
earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
1531
<p>A <tt class="literal">valid</tt> <tt class="literal">hosts</tt> option that
1532
doesn't include the server, or an
1533
<tt class="literal">invalid</tt> <tt class="literal">hosts</tt> option that does.
1534
Also test this with <em class="emphasis">testparm</em>.</p>
1536
<p>A problem in authentication, such as if shadow passwords or the
1537
Password Authentication Module (PAM) is used on the server, but Samba
1538
is not compiled to use it. This is rare, but it occasionally happens
1539
when a SunOS 4 Samba binary (with no shadow passwords) is run without
1540
recompilation on a Solaris system (with shadow passwords).</p>
1542
<p>The <tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
1543
<tt class="literal">=</tt> <tt class="literal">yes</tt> option is in the
1544
configuration file, but no password for your account is in the
1545
<em class="emphasis">smbpasswd</em> file.</p>
1547
<p>You have a null password entry, either in Unix
1548
<em class="filename">/etc/passwd</em> or in the
1549
<em class="emphasis">smbpasswd</em> file.</p>
1551
<p>You are connecting to <tt class="literal">[temp]</tt>, and you do not have
1552
the <tt class="literal">guest</tt> <tt class="literal">ok</tt>
1553
<tt class="literal">=</tt> <tt class="literal">yes</tt> option in the
1554
<tt class="literal">[temp]</tt> section of the
1555
<em class="emphasis">smb.conf</em> file.</p>
1557
<p>You are connecting to <tt class="literal">[temp]</tt> before connecting to
1558
your home directory, and your guest account isn't
1559
set up correctly. If you can connect to your home directory and then
1560
connect to <tt class="literal">[temp]</tt>, that's the
1561
problem. See <a href="ch02.html">Chapter 2</a> for more information on
1562
creating a basic Samba configuration file.</p>
1564
<p>A bad guest account will also prevent you from printing or browsing
1565
until after you've logged in to your home directory.</p>
1567
<p>There is one more reason for this failure that has nothing at all to
1568
do with passwords: the <tt class="literal">path</tt> parameter in your
1569
<em class="filename">smb.conf</em> file might point somewhere that
1570
doesn't exist. This will not be diagnosed by
1571
<em class="emphasis">testparm</em>, and most SMB clients
1572
can't distinguish it from other types of bad user
1573
accounts. You will have to check it manually.</p>
1575
<p>Once you have connected to <tt class="literal">[temp]</tt> successfully,
1576
repeat the test, this time logging in to your home directory (e.g.,
1578
<em class="replaceable">server</em><tt class="literal">\davecb</tt>). If you
1579
have to change anything to get that to work, retest
1580
<tt class="literal">[temp]</tt> again afterward.</p>
1587
<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.4"/>
1589
<h3 class="head3">Testing connections with net use</h3>
1591
<p><a name="INDEX-63"/><a name="INDEX-64"/>Run the command
1592
<tt class="literal">net</tt> <tt class="literal">use</tt> <tt class="literal">*</tt>
1593
<tt class="literal">\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt>
1594
on the Windows client to see if it can connect to the server. You
1595
should be prompted for a password, then receive the response
1596
<tt class="literal">The</tt> <tt class="literal">command</tt>
1597
<tt class="literal">was</tt> <tt class="literal">completed</tt>
1598
<tt class="literal">successfully</tt>.</p>
1600
<p>If that worked, continue with the steps in the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.5">Section 12.2.5.5</a>. Otherwise:</p>
1603
<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt>
1604
<tt class="literal">shared</tt> <tt class="literal">directory</tt>
1605
<tt class="literal">cannot</tt> <tt class="literal">be</tt>
1606
<tt class="literal">found</tt>, or <tt class="literal">Cannot</tt>
1607
<tt class="literal">locate</tt> <tt class="literal">specified</tt>
1608
<tt class="literal">share</tt> <tt class="literal">name</tt>, the directory name
1609
is either misspelled or not in the <em class="emphasis">smb.conf</em>
1610
file. This message can also warn of a name that is in mixed case,
1611
including spaces, or that is longer than eight characters.</p>
1613
<p>If you get <tt class="literal">The</tt> <tt class="literal">computer</tt>
1614
<tt class="literal">name</tt> <tt class="literal">specified</tt>
1615
<tt class="literal">in</tt> <tt class="literal">the</tt>
1616
<tt class="literal">network</tt> <tt class="literal">path</tt>
1617
<tt class="literal">cannot</tt> <tt class="literal">be</tt>
1618
<tt class="literal">located</tt> or <tt class="literal">Cannot</tt>
1619
<tt class="literal">locate</tt> <tt class="literal">specified</tt>
1620
<tt class="literal">computer</tt>, the directory name has been misspelled,
1621
the name service has failed, there is a networking problem, or the
1622
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option includes your
1625
<p>If it is not a spelling mistake, you need to double back at least to
1626
<a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a> to
1627
investigate why it doesn't connect.</p>
1629
<p>If <em class="emphasis">smbclient</em> does work, there is a name service
1630
problem with the client name service, and you need to go forward to
1631
<a href="ch12.html#samba2-CHP-12-SECT-2.6.2">Section 12.2.6.2</a> and see if
1632
you can look up both the client and server with
1633
<em class="emphasis">nmblookup</em>.</p>
1639
<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt>
1640
<tt class="literal">is</tt> <tt class="literal">invalid</tt>
1641
<tt class="literal">for</tt> <tt class="literal">\server\username</tt>, your
1642
locally cached copy on the client doesn't match the
1643
one on the server. You will be prompted for a replacement.</p>
1645
<a name="samba2-CHP-12-NOTE-157"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
1646
<p>Each Windows 95/98/Me client keeps a local
1647
<em class="emphasis">password</em> file, but it's really
1648
just a cached copy of the password it sends to Samba and NT/2000/XP
1649
servers to authenticate you. That's what is being
1650
prompted for here. You can still log on to a Windows system without a
1651
password (but not to NT/2000/XP).</p>
1654
<p>If you provide your password and it still fails, your password is not
1655
being matched on the server, you have a <tt class="literal">valid</tt>
1656
<tt class="literal">users</tt> or <tt class="literal">invalid</tt>
1657
<tt class="literal">users</tt> list denying you permission, NetBEUI is
1658
interfering, or the encrypted password problem described in the next
1659
paragraph exists.</p>
1661
<p>If your client is Windows NT 4.0, NT 3.5 with Patch 3, Windows 95
1662
with Patch 3, Windows 98, any of these with Internet Explorer 4.0, or
1663
any subsequent version of Windows, the system will default to
1664
Microsoft encryption for passwords. In general, if you have installed
1665
a major Microsoft product on any of the older Windows versions, you
1666
might have applied an update and turned on encrypted passwords. If
1667
the client is defaulting to encrypted passwords, you will need to
1668
specify <tt class="literal">encrypt</tt> <tt class="literal">passwords</tt>
1669
<tt class="literal">=</tt> <tt class="literal">yes</tt> in your Samba
1670
configuration file if you are using a version of Samba prior to Samba
1673
<a name="samba2-CHP-12-NOTE-158"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
1674
<p>Because of Internet Explorer's willingness to honor
1675
URLs such as <em class="filename">file://somehost/somefile</em> by making
1676
SMB connections, clients up to and including Windows 95 Patch Level 2
1677
would happily send your password, in plain text, to SMB servers
1678
anywhere on the Internet. This was considered a bad idea, and
1679
Microsoft switched to using only encrypted passwords in the SMB
1680
protocol. All subsequent releases of Microsoft's
1681
products have included this correction.</p>
1686
<p>If you have a mixed-case password on Unix, the client is probably
1687
sending it in all one case. If changing your password to all one case
1688
works, this was the problem. Regrettably, all but the oldest clients
1689
support uppercase passwords, so Samba will try once with the password
1690
in uppercase and once in lowercase. If you wish to use mixed-case
1691
passwords, see the <tt class="literal">password</tt>
1692
<tt class="literal">level</tt> option in <a href="ch09.html">Chapter 9</a> for a
1695
<p>You might have a <tt class="literal">valid</tt> <tt class="literal">users</tt>
1696
problem, as tested with <em class="emphasis">smbclient</em> (see the
1697
earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>).</p>
1699
<p>You might have the NetBEUI protocol bound to the Microsoft client.
1700
This often produces long timeouts and erratic failures and is known
1701
to have caused failures to accept passwords in the past. Unless you
1702
absolutely need the NetBEUI protocol, remove it.</p>
1704
<a name="samba2-CHP-12-NOTE-159"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
1705
<p>The term "bind" is used here to
1706
mean connecting one piece of software to another. When configured
1707
correctly, the Microsoft SMB client is "bound
1708
to" TCP/IP in the bindings section of the TCP/IP
1709
properties panel under the Windows 95/98/Me Network icon in the
1710
Control Panel. TCP/IP in turn is bound to an Ethernet card. This is
1711
not the same sense of the word as binding an SMB daemon to a TCP/IP
1720
<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.5"/>
1722
<h3 class="head3">Testing connections with Windows Explorer</h3>
1724
<p><a name="INDEX-65"/><a name="INDEX-66"/>Start Windows Explorer
1725
(not Internet Explorer), select Map Network Drive from the Tools
1726
menu, and specify the UNC for one of your shares on the Samba server
1727
to see if you can make Explorer connect to it. If so,
1728
you've succeeded and can skip to the next section,
1729
<a href="ch12.html#samba2-CHP-12-SECT-2.6">Section 12.2.6</a>.</p>
1731
<p>Windows Explorer is a rather poor diagnostic tool: it tells you that
1732
something's wrong, but rarely what it is. If you get
1733
a failure, you'll need to track it down with the
1734
Windows <em class="emphasis">net use</em> command, which has far superior
1735
error reporting:</p>
1738
<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt>
1739
<tt class="literal">for</tt> <tt class="literal">this</tt>
1740
<tt class="literal">connection</tt> <tt class="literal">that</tt>
1741
<tt class="literal">is</tt> <tt class="literal">in</tt> <tt class="literal">your</tt>
1742
<tt class="literal">password</tt> <tt class="literal">file</tt>
1743
<tt class="literal">is</tt> <tt class="literal">no</tt> <tt class="literal">longer</tt>
1744
<tt class="literal">correct</tt>, you might have any of the following:</p>
1746
<p>Your locally cached copy on the client doesn't match
1747
the one on the server.</p>
1749
<p>You didn't provide a username and password when
1750
logging on to the client. Some versions of Explorer will continue to
1751
send a null username and password, even if you provide a password.</p>
1753
<p>You have misspelled the password.</p>
1755
<p>You have an <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
1756
<tt class="literal">valid</tt> <tt class="literal">users</tt> list denying
1759
<p>Your client is defaulting to encrypted passwords, but Samba is
1760
configured with the <tt class="literal">encrypt</tt>
1761
<tt class="literal">passwords</tt> <tt class="literal">=</tt>
1762
<tt class="literal">no</tt> configuration file parameter.</p>
1764
<p>You have a mixed-case password, which the client is supplying in all
1770
<p>If you get <tt class="literal">The</tt> <tt class="literal">network</tt>
1771
<tt class="literal">name</tt> <tt class="literal">is</tt>
1772
<tt class="literal">either</tt> <tt class="literal">incorrect</tt>,
1773
<tt class="literal">or</tt> <tt class="literal">a</tt> <tt class="literal">network</tt>
1774
<tt class="literal">to</tt> <tt class="literal">which</tt> <tt class="literal">you</tt>
1775
<tt class="literal">do</tt> <tt class="literal">not</tt> <tt class="literal">have</tt>
1776
<tt class="literal">full</tt> <tt class="literal">access</tt>, or
1777
<tt class="literal">Cannot</tt> <tt class="literal">locate</tt>
1778
<tt class="literal">specified</tt> <tt class="literal">computer</tt>, you might
1779
have any of the following:</p>
1781
<p>Misspelled name</p>
1783
<p>Malfunctioning service</p>
1787
<p>Networking problem</p>
1789
<p>Bad <tt class="literal">path</tt> parameter in
1790
<em class="filename">smb.conf</em></p>
1792
<p><tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that excludes
1798
<p>If you get <tt class="literal">You</tt> <tt class="literal">must</tt>
1799
<tt class="literal">supply</tt> <tt class="literal">a</tt>
1800
<tt class="literal">password</tt> <tt class="literal">to</tt>
1801
<tt class="literal">make</tt> <tt class="literal">this</tt>
1802
<tt class="literal">connection</tt>, the password on the client is out of
1803
synchronization with the server, or this is the first time
1804
you've tried from this client system and the client
1805
hasn't cached it locally yet.</p>
1807
<p>If you get <tt class="literal">Cannot</tt> <tt class="literal">locate</tt>
1808
<tt class="literal">specified</tt> <tt class="literal">share</tt>
1809
<tt class="literal">name</tt>, you have a wrong share name or a syntax
1810
error in specifying it, a share name longer than eight characters, or
1811
one containing spaces or in mixed case.</p>
1813
<p>Once you can reliably connect to the share, try again, this time
1814
using your home directory. If you have to change something to get
1815
home directories working, retest with the first share, and vice
1816
versa, as we showed in the earlier section, "Testing
1817
connections with net use." As always, if Explorer
1818
fails, drop back to that section and debug the connection there.
1819
<a name="INDEX-67"/><a name="INDEX-68"/></p>
1828
<div class="sect2"><a name="samba2-CHP-12-SECT-2.6"/>
1830
<h3 class="head2">Troubleshooting Browsing</h3>
1832
<p><a name="INDEX-69"/><a name="INDEX-70"/>Finally, we
1833
come to browsing. We've left this for last, not
1834
because it is the most difficult, but because it's
1835
both optional and partially dependent on a protocol that
1836
doesn't guarantee delivery of a packet. Browsing is
1837
hard to diagnose if you don't already know that all
1838
the other services are running.</p>
1840
<p>Browsing is purely optional: it's just a way to find
1841
the servers on your network and the shares that they provide. Unix
1842
has nothing of the sort and happily does without. Browsing also
1843
assumes all your systems are on a local area network (LAN) where
1844
broadcasts are allowable.</p>
1846
<p>First, the browsing mechanism identifies a system using the
1847
unreliable UDP protocol; it then makes a normal (reliable) TCP/IP
1848
connection to list the shares the system provides.</p>
1851
<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.1"/>
1853
<h3 class="head3">Testing browsing with smbclient</h3>
1855
<p><a name="INDEX-71"/><a name="INDEX-72"/>We'll start with
1856
testing the reliable connection first. From the server, try listing
1857
its own shares using <em class="emphasis">smbclient</em> with a
1858
<tt class="literal">-L</tt> option and your server's name.
1859
You should get something resembling the following:</p>
1861
<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L server</b></tt>
1862
Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server
1863
time is Tue Apr 28 09:57:28 2002 Timezone is UTC-4.0
1865
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 2.2.5]
1867
Sharename Type Comment
1868
--------- ---- -------
1870
cl Printer Color Printer 1
1871
davecb Disk Home Directories
1879
EXAMPLE SERVER</pre></blockquote>
1882
<p>If you didn't get a Sharename list, the server is
1883
not allowing you to browse any shares. This should not be the case if
1884
you've tested any of the shares with Windows
1885
Explorer or the <em class="emphasis">net use</em> command. If you
1886
haven't done the <tt class="literal">smbclient</tt>
1887
<tt class="literal">-L</tt> <tt class="literal">localhost</tt>
1888
<tt class="literal">-U%</tt> test yet (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), do it now. An erroneous
1889
guest account can prevent the shares from being seen. Also, check the
1890
<em class="filename">smb.conf</em> file to make sure you do not have the
1891
option <tt class="literal">browsable</tt> <tt class="literal">=</tt>
1892
<tt class="literal">no</tt> anywhere in it: we suggest using a minimal
1893
<em class="filename">smb.conf</em> file (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.1">Section 12.2.5.1</a>). You need to have
1894
<tt class="literal">browsable</tt> enabled (which is the default) to see
1897
<p>If you didn't get a browse list, the server is not
1898
providing information about the systems on the network. At least one
1899
system on the net must support browse lists. Make sure you have
1900
<tt class="literal">local</tt> <tt class="literal">master</tt>
1901
<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
1902
<em class="filename">smb.conf</em> file if you want Samba to be the local
1905
<p>If you got a browse list but didn't get
1906
<em class="emphasis">/tmp</em>, you probably have a
1907
<em class="filename">smb.conf</em> problem. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>.</p>
1909
<p>If you didn't get a workgroup list with your
1910
workgroup name in it, it is possible that your workgroup is set
1911
incorrectly in the <em class="filename">smb.conf</em> file.</p>
1913
<p>If you didn't get a workgroup list at all, ensure
1914
that <tt class="literal">workgroup</tt> <tt class="literal">=</tt>
1915
<tt class="literal">EXAMPLE</tt> is present in the
1916
<em class="filename">smb.conf</em> file.</p>
1918
<p>If you get nothing, try once more with the options
1919
<tt class="literal">-I</tt> <em class="emphasis">ip_address</em>
1920
<tt class="literal">-n</tt> <em class="emphasis">netbios_name</em>
1921
<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>
1922
<tt class="literal">-d3</tt> with the NetBIOS and workgroup name in
1923
uppercase. (The <tt class="literal">-d3</tt> option sets the log /debugging
1924
level to 3.) Then check the Samba logs for clues.</p>
1926
<p>If you're still getting nothing, you
1927
shouldn't have gotten this far; double back to at
1928
least <a href="ch12.html#samba2-CHP-12-SECT-2.3.1">Section 12.2.3.1</a>, or perhaps
1929
<a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. On the other hand:</p>
1932
<p>If you get <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>.
1933
<tt class="literal">ERRSRV--ERRaccess</tt>, you aren't
1934
permitted access to the server. This normally means you have a
1935
<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option that
1936
doesn't include the server or a
1937
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.</p>
1939
<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>, you
1940
presumably have one of the following:</p>
1942
<p>An incorrect <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
1943
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line</p>
1945
<p>An incorrect <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
1946
<tt class="literal">valid</tt> <tt class="literal">users</tt> line</p>
1948
<p>A lowercase password and OS/2 or Windows for Workgroups clients</p>
1950
<p>A missing or invalid guest account</p>
1952
<p>Check what your guest account is (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), change or comment out any
1953
<tt class="literal">hosts</tt> <tt class="literal">allow</tt>,
1954
<tt class="literal">hosts</tt> <tt class="literal">deny</tt>,
1955
<tt class="literal">valid</tt> <tt class="literal">users</tt>, or
1956
<tt class="literal">invalid</tt> <tt class="literal">users</tt> lines, and verify
1957
your <em class="filename">smb.conf</em> file with
1958
<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt>
1959
<em class="replaceable">your_hostname your_ip_address</em> (see the
1960
earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
1962
<p>If you get <tt class="literal">Connection</tt> <tt class="literal">refused</tt>,
1963
the <em class="emphasis">smbd</em> server is not running or has crashed.
1964
Check that it's up, running, and listening to the
1965
network with <em class="emphasis">netstat</em>. See the earlier section,
1966
<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>.</p>
1968
<p>If you get <tt class="literal">Get_Hostbyname</tt>:
1969
<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
1970
<tt class="literal">name</tt>, you've made a spelling
1971
error, there is a mismatch between the Unix and NetBIOS hostname, or
1972
there is a name service problem. Start name service debugging as
1973
discussed in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If this works, suspect a
1974
name mismatch, and go to the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p>
1976
<p>If you get <tt class="literal">Session</tt> <tt class="literal">request</tt>
1977
<tt class="literal">failed</tt>, the server refused the connection. This
1978
usually indicates an internal error, such as insufficient memory to
1981
<p>If you get <tt class="literal">Your</tt> <tt class="literal">server</tt>
1982
<tt class="literal">software</tt> <tt class="literal">is</tt>
1983
<tt class="literal">being</tt> <tt class="literal">unfriendly</tt>, the initial
1984
session request packet received a garbage response from the server.
1985
The server might have crashed or started improperly. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, where the
1986
problem is first analyzed.</p>
1988
<p>If you suspect the server is not running, go back to
1989
<a href="ch12.html#samba2-CHP-12-SECT-2.4.2">Section 12.2.4.2</a> to see why the server
1990
daemon isn't responding.</p>
1997
<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.2"/>
1999
<h3 class="head3">Testing the server with nmblookup</h3>
2001
<p><a name="INDEX-73"/><a name="INDEX-74"/>This will test the
2002
"advertising" system used for
2003
Windows name services and browsing. Advertising works by broadcasting
2004
one's presence or willingness to provide services.
2005
It is the part of browsing that uses an unreliable protocol (UDP) and
2006
works only on broadcast networks such as Ethernets. The
2007
<em class="emphasis">nmblookup</em> program broadcasts name queries for
2008
the hostname you provide and returns its IP address and the name of
2009
the system, much as <em class="emphasis">nslookup</em> does with DNS.
2010
Here, the <em class="emphasis">-d</em> (debug or log-level) and
2011
<em class="emphasis">-B</em> (broadcast address) options direct queries to
2012
specific systems.</p>
2014
<p>First, we check the server from itself. Run
2015
<em class="emphasis">nmblookup</em> with a <em class="emphasis">-B</em> option
2016
of your server's name (to tell it to send the query
2017
to the Samba server) and a parameter of <tt class="literal">_ _SAMBA_
2018
_</tt> as the symbolic name to look up. You should get:</p>
2020
<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -B server _ _SAMBA_ _</b></tt>
2021
Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0
2022
Sending queries to 192.168.236.86 192.168.236.86 _ _SAMBA_ _</pre></blockquote>
2024
<p>You should get the IP address of the server, followed by the name
2025
<tt class="literal">_ _SAMBA_ _</tt> , which means that the server has
2026
successfully advertised that it has a service called <tt class="literal">_
2027
_SAMBA_ _</tt> , and therefore at least part of NetBIOS name
2031
<p>If you get <tt class="literal">Name_query</tt> <tt class="literal">failed</tt>
2032
<tt class="literal">to</tt> <tt class="literal">find</tt> <tt class="literal">name</tt>
2033
<tt class="literal">_ _SAMBA_ _</tt>, you might have specified the server
2034
name to the <em class="emphasis">-B</em> option, or
2035
<em class="emphasis">nmbd</em> is not running. The <em class="emphasis">-B</em>
2036
option actually takes a broadcast address: we're
2037
using a computer name to get a unicast address and to ask the server
2038
if it has claimed <tt class="literal">_ _SAMBA_ _</tt>. Try again with
2039
<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
2040
<em class="replaceable">ip_address</em>, and if that fails too,
2041
<em class="emphasis">nmbd</em> isn't claiming the name.
2042
Go back briefly to the earlier section, "Testing
2043
daemons with testparm," to see if
2044
<em class="emphasis">nmbd</em> is running. If so, it might not be claiming
2045
names; this means that Samba is not providing the browsing
2046
service—a configuration problem. If that is the case, make sure
2047
that <em class="filename">smb.conf</em> doesn't contain
2048
the option <tt class="literal">browsing</tt> <tt class="literal">=</tt>
2049
<tt class="literal">no</tt>.</p>
2056
<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.3"/>
2058
<h3 class="head3">Testing the client with nmblookup</h3>
2060
<p><a name="INDEX-75"/><a name="INDEX-76"/>Next, check the IP address of the
2061
client from the server with <em class="emphasis">nmblookup</em> using the
2062
<tt class="literal">-B</tt> option for the client's name
2063
and a parameter of '<tt class="literal">*</tt>' meaning
2064
"anything," as shown here:</p>
2066
<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -B client '*</b>'
2067
Sending queries to 192.168.236.10 192.168.236.10 *
2068
Got a positive name query response from 192.168.236.10 (192.168.236.10)</pre></blockquote>
2070
<p>You might get the following error:</p>
2073
<p>If you receive <tt class="literal">Name-query</tt>
2074
<tt class="literal">failed</tt> <tt class="literal">to</tt>
2075
<tt class="literal">find</tt> <tt class="literal">name</tt> <tt class="literal">*</tt>,
2076
you have made a spelling mistake, or the client software on the PC
2077
isn't installed, started, or bound to TCP/IP. Double
2078
back to <a href="ch03.html">Chapter 3</a> and ensure that you have a
2079
client installed that is listening to the network.</p>
2081
<p>Repeat the command with the following options if you had any failures:</p>
2084
<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
2085
<em class="replaceable">client_IP_address</em> succeeds but
2086
<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
2087
<em class="replaceable">client_name</em> fails, there is a name service
2088
problem with the client's name; go to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
2090
<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
2091
<tt class="literal">127.0.0.1</tt> '<tt class="literal">*</tt>' succeeds, but
2092
<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
2093
<em class="replaceable">client_IP_address</em> fails, there is a
2094
hardware problem, and <em class="emphasis">ping</em> should have failed.
2095
See your network manager.</p>
2102
<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.4"/>
2104
<h3 class="head3">Testing the network with nmblookup</h3>
2106
<p><a name="INDEX-77"/><a name="INDEX-78"/>Run the command
2107
<em class="emphasis">nmblookup</em> again with a <em class="emphasis">-d2</em>
2108
option (for a debug level of 2) and a parameter of
2109
'<tt class="literal">*</tt>'. This time we are testing the ability of
2110
programs (such as <em class="emphasis">nmbd</em> ) to use broadcast.
2111
It's essentially a connectivity test, done via a
2112
broadcast to the default broadcast address.</p>
2114
<p>A number of NetBIOS over TCP/IP hosts on the network should respond
2115
with <tt class="literal">got</tt> <tt class="literal">a</tt>
2116
<tt class="literal">positive</tt> <tt class="literal">name</tt>
2117
<tt class="literal">query</tt> <tt class="literal">response</tt> messages. Samba
2118
might not catch all the responses in the short time it listens, so
2119
you won't always see all the SMB clients on the
2120
network. However, you should see most of them:</p>
2122
<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -d 2 '*</b>'
2123
Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Sending
2124
queries to 192.168.236.255
2125
Got a positive name query response from 192.168.236.191 (192.168.236.191)
2126
Got a positive name query response from 192.168.236.228 (192.168.236.228)
2127
Got a positive name query response from 192.168.236.75 (192.168.236.75)
2128
Got a positive name query response from 192.168.236.79 (192.168.236.79)
2129
Got a positive name query response from 192.168.236.206 (192.168.236.206)
2130
Got a positive name query response from 192.168.236.207 (192.168.236.207)
2131
Got a positive name query response from 192.168.236.217 (192.168.236.217)
2132
Got a positive name query response from 192.168.236.72 (192.168.236.72) 192.168.236.86 *</pre></blockquote>
2137
<p>If this doesn't give at least the client address you
2138
previously tested, the default broadcast address is wrong. Try
2139
<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
2140
<tt class="literal">255.255.255.255</tt> <tt class="literal">-d</tt>
2141
<tt class="literal">2</tt> '<tt class="literal">*</tt>', which is a last-ditch
2142
variant (using a broadcast address of all 1s). If this draws
2143
responses, the broadcast address you've been using
2144
before is wrong. Troubleshooting these is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this
2147
<p>If the address 255.255.255.255 fails too, check your notes to see if
2148
your PC and server are on different subnets, as discovered in the
2149
earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. You
2150
should try to diagnose this step with a server and client on the same
2151
subnet, but if you can't, you can try specifying the
2152
remote subnet's broadcast address with
2153
<em class="emphasis">-B</em>. Finding that address is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this
2154
chapter. The <em class="emphasis">-B</em> option will work if your router
2155
supports directed broadcasts; if it doesn't, you
2156
might be forced to test with a client on the same network.</p>
2158
<p>As usual, you can check the Samba log files for additional clues.</p>
2165
<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.5"/>
2167
<h3 class="head3">Testing client browsing with net view</h3>
2169
<p><a name="INDEX-79"/><a name="INDEX-80"/>On the client, run the
2170
command <em class="replaceable">net view \\server</em> in an MS-DOS
2171
(command prompt) window to see if you can connect to the client and
2172
ask what shares it provides. You should get back a list of available
2173
shares on the server.</p>
2175
<p>If this works, continue with the later section <a href="ch12.html#samba2-CHP-12-SECT-3.1">Section 12.3.1</a>. Otherwise:</p>
2178
<p>If you get <tt class="literal">Network</tt> <tt class="literal">name</tt>
2179
<tt class="literal">not</tt> <tt class="literal">found</tt> for the name you just
2180
tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.3">Section 12.2.6.3</a>, there is a problem with the
2181
client software itself. Double-check this by running
2182
<em class="emphasis">nmblookup</em> on the client; if it works and
2183
<em class="emphasis">net view</em> doesn't, the client is
2186
<p>If <em class="emphasis">nmblookup</em> fails, there is a NetBIOS name
2187
service problem, as discussed in the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p>
2189
<p>If you get <tt class="literal">You</tt> <tt class="literal">do</tt>
2190
<tt class="literal">not</tt> <tt class="literal">have</tt> <tt class="literal">the</tt>
2191
<tt class="literal">necessary</tt> <tt class="literal">access</tt>
2192
<tt class="literal">rights</tt>, or <tt class="literal">This</tt>
2193
<tt class="literal">server</tt> <tt class="literal">is</tt>
2194
<tt class="literal">not</tt> <tt class="literal">configured</tt>
2195
<tt class="literal">to</tt> <tt class="literal">list</tt>
2196
<tt class="literal">shared</tt> <tt class="literal">resources</tt>, either your
2197
guest account is misconfigured (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>) or you have a
2198
<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
2199
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that prohibits
2200
connections from your system. These problems should have been
2201
detected by the <em class="emphasis">smbclient</em> tests starting in the
2202
earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.1">Section 12.2.6.1</a>.</p>
2204
<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt>
2205
<tt class="literal">computer</tt> <tt class="literal">is</tt>
2206
<tt class="literal">not</tt> <tt class="literal">receiving</tt>
2207
<tt class="literal">requests</tt>, you have misspelled the name, the system
2208
is unreachable by broadcast (tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.4">Section 12.2.6.4</a>), or it's
2209
not running <em class="emphasis">nmbd</em>.</p>
2211
<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>
2212
<tt class="literal">error</tt>, you're probably
2213
encountering the Microsoft-encrypted password problem, as discussed
2214
earlier in this chapter and in <a href="ch09.html">Chapter 9</a>, with its
2222
<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.6"/>
2224
<h3 class="head3">Browsing the server from the client</h3>
2226
<p><a name="INDEX-81"/><a name="INDEX-82"/>From the Windows Network
2227
Neighborhood (or My Network Places in newer releases), try to browse
2228
the server. Your Samba server should appear in the browse list of
2229
your local workgroup. You should be able to double-click the name of
2230
the server to get a list of shares.</p>
2233
<p>If you get an <tt class="literal">Invalid</tt> <tt class="literal">password</tt>
2234
error, it's most likely the encryption problem
2237
<p>If you receive an <tt class="literal">Unable</tt> <tt class="literal">to</tt>
2238
<tt class="literal">browse</tt> <tt class="literal">the</tt>
2239
<tt class="literal">network</tt> error, one of the following has occurred:</p>
2241
<p>You have looked too soon, before the broadcasts and updates have
2242
completed. Wait 30 seconds and try again.</p>
2244
<p>There is a network problem you've not yet diagnosed.</p>
2246
<p>There is no browse master. Add the configuration option
2247
<tt class="literal">local</tt> <tt class="literal">master</tt>
2248
<tt class="literal">=</tt> <tt class="literal">yes</tt> to your
2249
<em class="emphasis">smb.conf</em> file.</p>
2251
<p>No shares are made browsable in the <em class="emphasis">smb.conf</em>
2256
<p>If you receive the message <tt class="literal">\\server</tt>
2257
<tt class="literal">is</tt> <tt class="literal">not</tt>
2258
<tt class="literal">accessible</tt> then:</p>
2260
<p>You have the encrypted password problem.</p>
2262
<p>The system really isn't accessible.</p>
2264
<p>The system doesn't support browsing.</p>
2269
<p>If you've made it this far and the problem is not
2270
yet solved, either the problem is one we've not yet
2271
seen, or it is a problem related to a topic we have already covered,
2272
and further analysis is required. Name resolution is often related to
2273
difficulties with Samba, so we cover it in more detail in the next
2274
sections. If you know your problem is not related to name resolution,
2275
skip to the <a href="ch12.html#samba2-CHP-12-SECT-3">Section 12.3</a> at the end of the chapter. <a name="INDEX-83"/><a name="INDEX-84"/></p>
2284
<div class="sect2"><a name="samba2-CHP-12-SECT-2.7"/>
2286
<h3 class="head2">Troubleshooting Name Services</h3>
2288
<p><a name="INDEX-85"/><a name="INDEX-86"/>This
2289
section looks at simple troubleshooting of all the name services
2290
you'll encounter, but only for the common problems
2291
that affect Samba.</p>
2293
<p>There are several good references for troubleshooting particular name
2294
services: Paul <a name="INDEX-87"/>Albitz and Cricket <a name="INDEX-88"/>Liu's <em class="emphasis">DNS and
2295
Bind</em> (O'Reilly) covers the DNS, Hal
2296
<a name="INDEX-89"/>Stern's <em class="emphasis">NFS and
2297
NIS</em> (O'Reilly) covers NIS
2298
("Yellow pages"), while Windows
2299
Internet Name Service (WINS), <em class="filename">hosts/LMHOSTS</em>
2300
files, and NIS+ are best covered by their respective
2301
vendors' manuals.</p>
2303
<p>The problems addressed in this section are as follows:</p>
2306
<p>Name services are identified.</p>
2308
<p>A hostname can't be looked up.</p>
2310
<p>The long (FQDN) form of a hostname works but the short form
2313
<p>The short form of the name works, but the long form
2316
<p>A long delay occurs before the expected result.</p>
2319
<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.1"/>
2321
<h3 class="head3">Identifying what's in use</h3>
2323
<p><a name="INDEX-90"/>First, see if both the
2324
server and the client are using DNS, WINS, NIS, or
2325
<em class="filename">hosts</em> files to look up IP addresses when you
2326
give them a name. Each kind of system has a different preference:</p>
2329
<p>Windows 95/98/Me tries WINS and the <em class="filename">LMHOSTS</em> file
2330
first, then broadcast, and finally DNS and <em class="filename">HOSTS</em>
2333
<p>Windows NT/2000/XP tries WINS, then broadcast, then the
2334
<em class="filename">LMHOSTS</em> file, and finally
2335
<em class="filename">HOSTS</em> and DNS.</p>
2337
<p>Windows programs using the WINSOCK standard use the HOSTS file, DNS,
2338
WINS, and then broadcast. Don't assume that if a
2339
different program's name service works, the SMB
2340
client program's name service will!</p>
2342
<p>Samba daemons use <em class="filename">lmhosts</em>, WINS, the Unix
2343
system's name resolution, and then broadcast.</p>
2345
<p>Unix systems can be configured to use any combination of DNS,
2346
<em class="filename">HOSTS</em> files, NIS or NIS+, and winbind, generally
2349
<p>We recommend that the client systems be configured to use WINS and
2350
DNS, the Samba daemons to use WINS and DNS, and the Unix server to
2351
use DNS, <em class="filename">hosts</em> files, and perhaps NIS+.
2352
You'll have to look at your notes and the actual
2353
systems to see which is in use.</p>
2355
<p>On the clients, the name services are all set in the TCP/IP
2356
Properties panel of the Networking Control Panel, as discussed in
2357
<a href="ch03.html">Chapter 3</a>. You might need to check there to see
2358
what you've actually turned on. On the server, see
2359
if a <em class="filename">/etc/resolv.conf</em> file exists. If it does,
2360
you're using DNS. You might be using the others as
2361
well, though. You'll need to check for NIS and
2362
combinations of services.</p>
2364
<p>Check for a <em class="filename">/etc/nsswitch.conf</em> file on Solaris
2365
and other System V Unix operating systems. If you have one, look for
2366
a line that begins with <tt class="literal">host</tt>: followed by one or
2367
more of <tt class="literal">files</tt>, <tt class="literal">bind</tt>,
2368
<tt class="literal">nis</tt>, or <tt class="literal">nis+</tt>. These are the
2369
name services to use, in order, with optional extra material in
2370
square brackets. The <tt class="literal">files</tt> keyword is for
2371
using <em class="emphasis">HOSTS</em> files, while <tt class="literal">bind</tt>
2372
(the Berkeley Internet Name Daemon) refers to using DNS.</p>
2374
<p>If the client and server differ, the first thing to do is to get them
2375
in sync. Clients can use DNS, WINS, <em class="emphasis">HOSTS</em>, and
2376
<em class="emphasis">LMHOSTS</em> files, but not NIS or NIS+. Servers can
2377
use <em class="emphasis">HOSTS</em> and <em class="filename">LMHOSTS</em>
2378
files, DNS, NIS or NIS+, and winbind, but not WINS—even if your
2379
Samba server provides WINS services. If you can't
2380
get all the systems to use the same services, you'll
2381
have to check the server and the client carefully for the same data.</p>
2383
<p>You can also make use of the <em class="emphasis">-R</em> (resolve order)
2384
option for <em class="emphasis">smbclient</em>. If you want to
2385
troubleshoot WINS, for example, you'd say:</p>
2387
<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L </b></tt><em class="replaceable">server</em> <tt class="userinput"><b>-R wins</b></tt></pre></blockquote>
2389
<p>The possible settings are <tt class="literal">hosts</tt> (which means
2390
whatever the Unix system is using, not just<em class="filename">
2391
/etc/hosts</em> files), <tt class="literal">lmhosts</tt>,
2392
<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt> (broadcast).</p>
2394
<p>In the following sections, we use the term <em class="emphasis">long
2395
name</em> for a fully qualified domain name (FQDN), such as
2396
<tt class="literal">server.example.com</tt> , and the term <em class="emphasis">short
2397
name</em> for the host part of an FQDN, such as
2398
<tt class="literal">server</tt>.</p>
2405
<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.2"/>
2407
<h3 class="head3">Cannot look up hostnames</h3>
2409
<p><a name="INDEX-91"/>Try the
2415
<p>Run <tt class="literal">nslookup</tt> <em class="replaceable">name</em>. If
2416
this fails, look for a <em class="filename">resolv.conf</em> error, a
2417
downed DNS server, or a short/long name problem (see the next
2418
section). Try the following:</p>
2422
<p>Your <em class="filename">/etc/resolv.conf</em> file should contain one or
2423
more <tt class="literal">nameserver</tt> lines, each with an IP address.
2424
These are the addresses of your DNS servers.</p>
2426
<p>Ping each server address you find. If this fails for one, suspect the
2427
system. If it fails for each, suspect your network.</p>
2429
<p>Retry the lookup using the full domain name (e.g.,
2430
<tt class="literal">server.example.com</tt>) if you tried the short name
2431
first, or the short name if you tried the long name first. If results
2432
differ, skip to the next section.</p>
2438
<dt><b>Broadcast/ WINS</b></dt>
2440
<p>Broadcast/ WINS does only short names such as
2441
<tt class="literal">server</tt>, and not long ones, such as
2442
<tt class="literal">server.example.com</tt>. Run
2443
<tt class="literal">nmblookup</tt> <tt class="literal">-S</tt>
2444
<em class="replaceable">server</em>. This reports everything broadcast
2445
has registered for the name. In our example, it looks like this:</p>
2447
<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -S server</b></tt>
2448
Looking up status of 192.168.236.86
2450
SERVER <00> - M <ACTIVE>
2451
SERVER <03> - M <ACTIVE>
2452
SERVER <1f> - M <ACTIVE>
2453
SERVER <20> - M <ACTIVE>
2454
..__MSBROWSE__. <01> - <GROUP> M <ACTIVE>
2455
MYGROUP <00> - <GROUP> M <ACTIVE>
2456
MYGROUP <1b> - M <ACTIVE>
2457
MYGROUP <1c> - <GROUP> M <ACTIVE>
2458
MYGROUP <1d> - M <ACTIVE>
2459
MYGROUP <1e> - <GROUP> M <ACTIVE></pre></blockquote>
2461
<p>The required entry is <tt class="literal">SERVER</tt>
2462
<tt class="literal"><00></tt>, which identifies
2463
<em class="replaceable">server</em> as being this
2464
system's NetBIOS name. You should also see your
2465
workgroup mentioned one or more times. If these lines are missing,
2466
Broadcast/WINS cannot look up names and will need attention.</p>
2468
<a name="samba2-CHP-12-NOTE-160"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
2469
<p>The numbers in angle brackets in the previous output identify NetBIOS
2470
names as being workgroups, workstations, and file users of the
2471
messenger service, master browsers, domain master browsers, domain
2472
controllers, and a plethora of others. We primarily use
2473
<tt class="literal"><00></tt> to identify system and workgroup names
2474
and <tt class="literal"><20></tt> to identify systems as servers. The
2475
complete list is available at <a href="http://support.microsoft.com/support/kb/articles/q163/4/09.asp">http://support.microsoft.com/support/kb/articles/q163/4/09.asp</a>.</p>
2483
<p>Try <tt class="literal">ypmatch</tt> <tt class="literal">name</tt>
2484
<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the
2485
NIS server's name by running
2486
<em class="emphasis">ypwhich</em>, and ping the system to see if
2487
it's accessible.</p>
2492
<dt><b>NIS+</b></dt>
2494
<p>If you're running NIS+, try
2495
<tt class="literal">nismatch</tt> <tt class="literal">name</tt>
2496
<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the
2497
NIS+ server's name by running
2498
<em class="emphasis">niswhich</em>, and ping that system to see if
2499
it's accessible.</p>
2504
<dt><b>hosts and HOSTS files</b></dt>
2506
<p>Inspect the <em class="filename">HOSTS</em> file on the client
2507
(<em class="filename">C:\Windows\ Hosts</em> on Windows 95/98/Me, and
2508
<em class="filename">C:\WINNT \system32\drivers\etc\hosts</em> on Windows
2509
NT/2000/XP). Each line should have an IP number and one or more
2510
names, the primary name first, then any optional aliases. An example
2514
<blockquote><pre class="code">127.0.0.1 localhost
2515
192.168.236.1 dns.svc.example.com
2516
192.168.236.10 client.example.com client
2517
192.168.236.11 backup.example.com loghost
2518
192.168.236.86 server.example.com server
2519
192.168.236.254 router.svc.example.com</pre></blockquote>
2521
<p>On Unix, <tt class="literal">localhost</tt> should always be 127.0.0.1,
2522
although it might be just an alias for a hostname on the PC. On the
2523
client, check that there are no <tt class="literal">#XXX</tt> directives at
2524
the ends of the lines; these are LAN Manager/NetBIOS directives and
2525
should appear only in <em class="emphasis">LMHOSTS</em> files.</p>
2530
<dt><b>LMHOSTS files</b></dt>
2532
<p>This file is a local source for LAN Manager (NetBIOS) names. It has a
2533
format similar to <em class="filename">hosts</em> files, but it does not
2534
support long-form domain names (e.g.,
2535
<tt class="literal">server.example.com</tt>) and can have a number of
2536
optional <tt class="literal">#XXX</tt> directives following the NetBIOS
2537
names. There is usually an <em class="emphasis">lmhosts.sam</em> (for
2538
sample) file located in <em class="filename">C:\Windows</em> on Windows
2539
95/98/Me, and in <em class="filename">C:\WINNT\system32\drivers\etc</em>
2540
on Windows NT/2000/XP, but it's not used unless it
2541
is renamed to <em class="emphasis">Lmhosts</em> in the same directory.</p>
2551
<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.3"/>
2553
<h3 class="head3">Long and short hostnames</h3>
2555
<p><a name="INDEX-92"/>Where the long (FQDN) form of a hostname
2556
works but the short name doesn't (for example,
2557
<tt class="literal">client.example.com</tt> works but
2558
<tt class="literal">client</tt> doesn't), consider the
2562
<dt><b>DNS </b></dt>
2564
<p>This usually indicates that there is no default domain in which to
2565
look up the short names. Look for a <tt class="literal">default</tt> line
2566
in <em class="filename">/etc/resolv.conf</em> on the Samba server with
2567
your domain in it, or look for a <tt class="literal">search</tt> line with
2568
one or more domains in it. One or the other might need to be present
2569
to make short names usable; which one depends on the vendor and
2570
version of the DNS resolver. Try adding <tt class="literal">domain</tt>
2571
<em class="replaceable">your_domain</em> to
2572
<em class="filename">resolv.conf</em>, and ask your network or DNS
2573
administrator what should be in the file.</p>
2578
<dt><b>Broadcast/WINS </b></dt>
2580
<p>Broadcast/WINS doesn't support long names; it
2581
won't suffer from this problem.</p>
2586
<dt><b>NIS </b></dt>
2588
<p>Try the command <tt class="literal">ypmatch</tt>
2589
<em class="replaceable">hostname</em> <tt class="literal">hosts</tt>. If you
2590
don't get a match, your tables
2591
don't include short names. Speak to your network
2592
manager; short names might be missing by accident or might be
2593
unsupported as a matter of policy. Some sites don't
2594
ever use (ambiguous) short names.</p>
2599
<dt><b>NIS+</b></dt>
2601
<p>Try <tt class="literal">nismatch</tt> <em class="replaceable">hostname</em>
2602
<tt class="literal">hosts</tt>, and treat failure exactly as with NIS.</p>
2607
<dt><b>hosts </b></dt>
2609
<p>If the short name is not in <em class="filename">/etc/hosts</em>, consider
2610
adding it as an alias. Avoid, if you can, short names as primary
2611
names (the first one on a line). Have them as aliases if your system
2617
<dt><b>LMHOSTS </b></dt>
2619
<p>LAN Manager doesn't support long names, so it
2620
won't suffer from this problem.</p>
2625
<p>On the other hand, if the short form of the name works and the long
2626
form doesn't, consider the following:</p>
2629
<dt><b>DNS </b></dt>
2631
<p>This is bizarre; see your network or DNS administrator, as this is
2632
probably a DNS setup error.</p>
2637
<dt><b>Broadcast/WINS </b></dt>
2639
<p>This is normal; Broadcast/WINS can't use the long
2640
form. Optionally, consider DNS. (Be aware that Microsoft has stated
2641
that it will eventually switch entirely to DNS, even though DNS does
2642
not provide name types such as <00>.)</p>
2649
<p>If you can use <em class="emphasis">ypmatch</em> to look up the short form
2650
but not the long, consider adding the long form to the table as at
2656
<dt><b>NIS+ </b></dt>
2658
<p>Same as NIS, except you use <em class="emphasis">nismatch</em> instead of
2659
<em class="emphasis">ypmatch</em> to look up names.</p>
2664
<dt><b>hosts and HOSTS</b></dt>
2666
<p>Add the long name as at least an alias, and preferably as the primary
2667
form. Also consider using DNS if it's practical.</p>
2672
<dt><b>LMHOSTS </b></dt>
2674
<p>This is normal. LAN Manager can't use the long form;
2675
consider switching to DNS or <em class="filename">hosts</em>.</p>
2685
<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.4"/>
2687
<h3 class="head3">Unusual delays</h3>
2689
<p><a name="INDEX-93"/>When there is a long delay before the
2690
expected result:</p>
2693
<dt><b>DNS </b></dt>
2695
<p>Test the same name with the <em class="emphasis">nslookup</em> command on
2696
the system that is slow (client or server). If
2697
<em class="emphasis">nslookup</em> is also slow, you have a DNS problem.
2698
If it's slower on a client, you might have too many
2699
protocols bound to the Ethernet card. Eliminate NetBEUI, which is
2700
infamously slow, and, optionally, Novell—assuming you
2701
don't need them. This is especially important on
2702
Windows 95, which is particularly sensitive to excess protocols.</p>
2707
<dt><b>Broadcast/ WINS</b></dt>
2709
<p>Test the client using <em class="emphasis">nmblookup</em>; if
2710
it's faster, you probably have the protocols problem
2711
as mentioned in the previous item.</p>
2718
<p>Try <em class="emphasis">ypmatch</em>; if it's slow,
2719
report the problem to your network manager.</p>
2724
<dt><b>NIS+ </b></dt>
2726
<p>Try <em class="emphasis">nismatch</em>, similarly.</p>
2731
<dt><b>hosts and HOSTS</b></dt>
2733
<p>The <em class="emphasis">hosts</em> files, if of reasonable size, are
2734
always fast. You probably have the protocols problem mentioned
2735
previously under DNS.</p>
2740
<dt><b>lmhosts and LMHOSTS</b></dt>
2742
<p>This is not a name lookup problem; <em class="emphasis">LMHOSTS</em> files
2743
are as fast as <em class="emphasis">hosts</em> and
2744
<em class="filename">HOSTS</em> files.</p>
2754
<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.5"/>
2756
<h3 class="head3">Localhost issues</h3>
2758
<p><a name="INDEX-94"/>When a localhost isn't
2759
127.0.0.1, try the following:</p>
2764
<p>There is probably no record for <tt class="literal">localhost</tt>.
2765
<tt class="literal">A</tt> <tt class="literal">127.0.0.1</tt>. Arrange to add
2766
one, as well as a reverse entry,
2767
<tt class="literal">1.0.0.127.IN-ADDR.ARPA</tt> <tt class="literal">PTR</tt>
2768
<tt class="literal">127.0.0.1</tt>.</p>
2773
<dt><b>Broadcast/WINS</b></dt>
2775
<p>Not applicable.</p>
2782
<p>If <tt class="literal">localhost</tt> isn't in the table,
2788
<dt><b>NIS+ </b></dt>
2790
<p>If <tt class="literal">localhost</tt> isn't in the table,
2796
<dt><b>hosts and HOSTS</b></dt>
2798
<p>Add a line that says <tt class="literal">127.0.0.1</tt>
2799
<tt class="literal">localhost</tt>.</p>
2804
<dt><b>LMHOSTS</b></dt>
2806
<p>Not applicable. <a name="INDEX-95"/><a name="INDEX-96"/></p>
2818
<div class="sect2"><a name="samba2-CHP-12-SECT-2.8"/>
2820
<h3 class="head2">Troubleshooting Network Addresses</h3>
2822
<p><a name="INDEX-97"/><a name="INDEX-98"/>A
2823
number of common problems are caused by incorrect routing of Internet
2824
addresses or by the incorrect assignment of addresses. This section
2825
helps you determine what your addresses are.</p>
2828
<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.1"/>
2830
<h3 class="head3">Netmasks</h3>
2832
<p>Using the <a name="INDEX-99"/>netmask, it is possible to
2833
determine which addresses can be reached directly (i.e., which are on
2834
the local network) and which addresses require forwarding packets
2835
through a router. If the netmask is wrong, the systems will make one
2836
of two mistakes. One is to route local packets via a router, which is
2837
an expensive waste of time—it might work reasonably fast, it
2838
might run slowly, or it might fail utterly. The second mistake is to
2839
fail to send packets from a remote system to the router, which will
2840
prevent them from being forwarded to the remote system.</p>
2842
<p>The netmask is a number like an IP address, with one-bits for the
2843
network part of an address and zero-bits for the host portion. It is
2844
used as a bitmask to mask off parts of the address inside the TCP/IP
2845
code. If the mask is 255.255.0.0, the first 2 bytes are the network
2846
part and the last 2 are the host part. More common is 255.255.255.0,
2847
in which the first 3 bytes are the network part and the last one is
2850
<p>For example, let's say your IP address is
2851
192.168.0.10 and the Samba server is 192.168.236.86. If your netmask
2852
happens to be 255.255.255.0, the network part of the address is the
2853
first 3 bytes, and the host part is the last byte. In this case, the
2854
network parts are different, and the systems are on different
2857
<a name="ch12-37-fm2xml"/><table border="1">
2890
<p>If your netmask happens to be 255.255.0.0, the network part is just
2891
the first 2 bytes. In this case, the network parts match, and so the
2892
two systems are on the same network:</p>
2894
<a name="ch12-38-fm2xml"/><table border="1">
2927
<p>Make sure the netmask in use on each system matches the structure of
2928
your network. On every subnet, the netmask should be identical on
2936
<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.2"/>
2938
<h3 class="head3">Broadcast addresses</h3>
2940
<p>The <a name="INDEX-100"/>broadcast address is a normal address,
2941
with the hosts part all one-bits. It means "all
2942
hosts on your network." You can compute it easily
2943
from your netmask and address: take the address and put one-bits in
2944
it for all the bits that are zero at the end of the netmask (the host
2945
part). The following table illustrates this:</p>
2947
<a name="ch12-39-fm2xml"/><table border="1">
3000
<p>In this example, the broadcast address on the 192.168.236 network is
3001
192.168.236.255. There is also an old
3002
"universal" broadcast address,
3003
255.255.255.255. Routers are prohibited from forwarding these, but
3004
most systems on your local network will respond to broadcasts to this
3012
<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.3"/>
3014
<h3 class="head3">Network address ranges</h3>
3016
<p>A <a name="INDEX-101"/>number of address ranges have been
3017
reserved for testing and for nonconnected networks; we use these for
3018
the examples in this book. If you don't have an
3019
address yet, feel free to use one of these to start. They include one
3020
class A network, 10.*.*.*, a range of class B network addresses,
3021
172.16.*.* through 172.31.*.*, and 254 class C networks, 192.168.1.*
3022
through 192.168.254.*. The domain <tt class="literal">example.com</tt> is
3023
also reserved for unconnected networks, explanatory examples, and
3026
<p>If you're actually connecting to the Internet,
3027
you'll need to get an appropriate IP address and a
3028
domain name, probably through the same company that provides your
3036
<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.4"/>
3038
<h3 class="head3">Finding your network address</h3>
3040
<p><a name="INDEX-102"/>If you
3041
haven't recorded your IP address, you can learn it
3042
through the <em class="emphasis">ifconfig</em><a name="INDEX-103"/> command on Unix or the
3043
<em class="emphasis">ipconfig</em> <a name="INDEX-104"/>command on Windows. (Check your manual
3044
pages for any options required by your brand of Unix. For example,
3045
<tt class="literal">ifconfig</tt> <tt class="literal">-a</tt> works on Solaris.)
3046
You should see output similar to the following:</p>
3048
<blockquote><pre class="code">$ <tt class="userinput"><b>ifconfig -a</b></tt>
3049
le0: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING >
3050
inet 192.168.236.11 netmask ffffff00 broadcast 192.168.236.255
3051
lo0: flags=49<&lt>UP,LOOPBACK,RUNNING<&gt>
3052
inet 127.0.0.1 netmask ff000000</pre></blockquote>
3054
<p>One of the interfaces will be loopback (in our examples,
3055
<tt class="literal">lo0</tt>), and the other will be the regular IP
3056
interface. The flags should show that the interface is running, and
3057
Ethernet interfaces will also say they support broadcasts (PPP
3058
interfaces don't). The other places to look for IP
3059
addresses are <em class="filename">/etc/hosts</em> files, Windows
3060
<em class="emphasis">HOSTS</em> files, Windows
3061
<em class="emphasis">LMHOSTS</em> files, NIS, NIS+, and DNS. <a name="INDEX-105"/><a name="INDEX-106"/></p>
3070
<div class="sect2"><a name="samba2-CHP-12-SECT-2.9"/>
3072
<h3 class="head2">Troubleshooting NetBIOS Names</h3>
3074
<p><a name="INDEX-107"/><a name="INDEX-108"/>Historically, SMB protocols have
3075
depended on the NetBIOS name system, also called the LAN Manager name
3076
system. This was a simple scheme where each system had a unique
3077
20-character name and broadcast it on the LAN for everyone to know.
3078
With TCP/IP, we tend to use names such as
3079
<tt class="literal">client.example.com</tt>, stored in
3080
<em class="filename">/etc/hosts</em> files through DNS or WINS.</p>
3082
<p>The usual mapping of domain names such as
3083
<tt class="literal">server.example.com</tt> to NetBIOS names simply uses
3084
the <tt class="literal">server</tt> part as the NetBIOS name and converts
3085
it to uppercase. Alas, this doesn't always work,
3086
especially if you have a system with a 21-character name; not
3087
everyone uses the same NetBIOS and DNS names. For example,
3088
<tt class="literal">corpvm1</tt> along with <tt class="literal">vm1.corp.com</tt>
3091
<p>A system with a different NetBIOS name and domain name is confusing
3092
when you're troubleshooting; we recommend that you
3093
try to avoid this wherever possible. NetBIOS names are discoverable
3094
with <em class="emphasis">smbclient</em> :</p>
3097
<p>If you can list shares on your Samba server with
3098
<tt class="literal">smbclient</tt> <tt class="literal">-L</tt>
3099
<tt class="literal">short_name</tt>, the short name is the NetBIOS name.</p>
3101
<p>If you get <tt class="literal">Get_Hostbyname</tt>:
3102
<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
3103
<tt class="literal">name</tt>, there is probably a mismatch. Check in the
3104
<em class="filename">smb.conf</em> file to see if the NetBIOS name is
3107
<p>Try to list shares again, specifying <tt class="literal">-I</tt> and the IP
3108
address of the Samba server (e.g., <tt class="literal">smbclient</tt>
3109
<tt class="literal">-L</tt> <tt class="literal">server</tt> <tt class="literal">-I</tt>
3110
<tt class="literal">192.168.236.86</tt>). This overrides the name lookup
3111
and forces the packets to go to the IP address. If this works, there
3114
<p>Try with <tt class="literal">-I</tt> and the full domain name of the server
3115
(e.g., <tt class="literal">smbclient</tt> <tt class="literal">-L</tt>
3116
<tt class="literal">server</tt> <tt class="literal">-I</tt>
3117
<tt class="literal">server.example.com</tt>). This tests the lookup of the
3118
domain name, using whatever scheme the Samba server uses (e.g., DNS).
3119
If it fails, you have a name service problem. You should reread the
3120
earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>,
3121
after you finish troubleshooting the NetBIOS names.</p>
3123
<p>Try with the <tt class="literal">-n</tt> (NetBIOS name) option, giving it
3124
the name you expect to work (e.g., <tt class="literal">smbclient</tt>
3125
<tt class="literal">-n</tt> <tt class="literal">server</tt> <tt class="literal">-L</tt>
3126
<tt class="literal">server-12</tt>), but without overriding the IP address
3127
through <tt class="literal">-I</tt>. If this works, the name you specified
3128
with <tt class="literal">-n</tt> is the actual NetBIOS name of the server.
3129
If you receive <tt class="literal">Get-Hostbyname</tt>:
3130
<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
3131
<tt class="literal">SERVER</tt>, it's not the right server
3134
<p>If nothing is working so far, repeat the tests specifying
3135
<tt class="literal">-U</tt> <em class="emphasis">username</em> and
3136
<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>, with the
3137
username and workgroup in uppercase, to make sure
3138
you're not being derailed by a user or workgroup
3141
<p>If still nothing works and you had evidence of a name service
3142
problem, troubleshoot the name service (see the earlier section,
3143
<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>) and then return to
3144
the NetBIOS name service. <a name="INDEX-109"/><a name="INDEX-110"/></p>
3154
<div class="sect1"><a name="samba2-CHP-12-SECT-3"/>
3156
<h2 class="head1">Extra Resources</h2>
3158
<p>At some point during your work with Samba, you'll
3159
want to turn to online or printed resources for news, updates, and
3163
<div class="sect2"><a name="samba2-CHP-12-SECT-3.1"/>
3165
<h3 class="head2">Documentation and FAQs</h3>
3167
<p>It's OK to read the <a name="INDEX-111"/><a name="INDEX-112"/>documentation. Really. Nobody can see you,
3168
and we won't tell. In fact, Samba ships with a large
3169
set of documentation files, and it is well worth the effort to at
3170
least browse through them, either in the distribution directory on
3171
your computer under <em class="filename">/docs</em> or online at the Samba
3172
web site: <a href="http://www.samba.org">http://www.samba.org</a>. The most current
3173
FAQ list, bug information, and distribution locations are located at
3174
the web site, with links to all the Samba manual pages and HOWTOs.</p>
3180
<div class="sect2"><a name="samba2-CHP-12-SECT-3.2"/>
3182
<h3 class="head2">Samba Newsgroups</h3>
3184
<p><a name="INDEX-113"/>Usenet
3185
newsgroups have always been a great place to get advice on just about
3186
any topic. In the past few years, though, this vast pool of knowledge
3187
has developed something that has made it into an invaluable resource:
3188
a memory. Archival and search sites such as the one at
3189
<a name="INDEX-114"/>Google (<a href="http://groups.google.com/advanced_group_search">http://groups.google.com/advanced_group_search</a>)
3190
have made sifting through years of valuable solutions as simple as a
3191
few mouse clicks.</p>
3193
<p>The primary newsgroup for Samba is
3194
<em class="emphasis">comp.protocols.smb</em><a name="INDEX-115"/>. This should always be your first
3195
stop when there's a problem. More often than not,
3196
spending 5 minutes researching an error here will save hours of
3197
frustration while trying to debug something yourself.</p>
3199
<p>When searching a newsgroup, try to be as specific as possible, but
3200
not too wordy. Searching on actual error messages is best. If you
3201
don't find an answer immediately in the newsgroup,
3202
resist the temptation to post a request for help until
3203
you've done a bit more work on the problem. You
3204
might find that the answer is in a FAQ or one of the many
3205
documentation files that ship with Samba, or a solution might become
3206
evident when you run one of Samba's diagnostic
3207
tools. If nothing works, post a request in
3208
<em class="emphasis">comp.protocols.smb</em>, and be as specific as
3209
possible about what you have tried and what you are seeing. Include
3210
any error messages that appear. It might be days before you receive
3211
help, so be patient and keep trying things while you wait.</p>
3213
<a name="samba2-CHP-12-NOTE-161"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
3214
<p>Once you post a request for help, keep poking at the problem
3215
yourself. Most of us have had the experience of posting a Usenet
3216
article containing hundreds of lines of intricate detail, only to
3217
solve the problem an hour later after the article has blazed its way
3218
across several continents. The rule of thumb goes something like
3219
this: the more folks who have read your request, the simpler the
3220
solution. Usually this means that once everyone in the Unix community
3221
has seen your article, the solution will be something simple such as,
3222
"Plug the power cord into the wall
3230
<div class="sect2"><a name="samba2-CHP-12-SECT-3.3"/>
3232
<h3 class="head2">Samba Mailing Lists</h3>
3234
<p>The following are <a name="INDEX-116"/>mailing lists for support with Samba. See
3235
the Samba home page, <a href="http://www.samba.org/">http://www.samba.org/</a>, for
3236
information on subscribing and unsubscribing to these mailing lists:</p>
3239
<dt><b>samba@samba.org</b></dt>
3241
<p>This is the primary mailing list for general questions and discussion
3242
regarding Samba.</p>
3247
<dt><b>samba-announce@samba.org</b></dt>
3249
<p>This list is for receiving news regarding Samba, such as
3250
announcements of new releases.</p>
3255
<dt><b>samba-cvs@samba.org</b></dt>
3257
<p>By subscribing to this list, you can automatically receive a message
3258
every time one of the Samba developers updates the Samba source code
3259
in the CVS repository. You might want to do this if you are waiting
3260
for a specific bug fix or feature to be applied. To avoid congesting
3261
your email inbox, we suggest using the digest feature, which
3262
consolidates messages into a smaller number of emails.</p>
3267
<dt><b>samba-docs@samba.org</b></dt>
3269
<p>This list is for discussing Samba documentation.</p>
3274
<dt><b>samba-vms@samba.org</b></dt>
3276
<p>This mailing list is for people who are running Samba on the VMS
3277
operating system.</p>
3282
<dt><b>samba-binaries@samba.org</b></dt>
3284
<p>This is a list for developers to use when discussing precompiled
3285
Samba distributions.</p>
3290
<dt><b>samba-technical@samba.org</b></dt>
3292
<p>This mailing list is for developer discussion of the Samba code.</p>
3297
<p>Searchable versions of the Samba mailing list archives can be found
3298
at <a href="http://marc.theaimsgroup.com">http://marc.theaimsgroup.com</a>.</p>
3300
<p>When posting messages to the Samba mailing lists, keep in mind that
3301
you are sending your message to a large audience. The notes in the
3302
previous section regarding Usenet postings also apply here. A
3303
well-formulated question or comment is more likely to be answered,
3304
and a poorly conceived message is <em class="emphasis">very</em> likely to
3311
<div class="sect2"><a name="samba2-CHP-12-SECT-3.4"/>
3313
<h3 class="head2">Further Reading</h3>
3316
<p>Hunt, Craig. <em class="emphasis">TCP/IP Network Administration</em>,
3317
Third Edition. Sebastopol, CA: O'Reilly
3318
& Associates, 1997.</p>
3321
<p>Hunt, Craig, and Robert Bruce Thompson. <em class="emphasis">Windows NT TCP/IP
3322
Network Administration</em>. Sebastopol, CA:
3323
O'Reilly & Associates, 1998.</p>
3326
<p>Albitz, Paul, and Cricket Liu. <em class="emphasis">DNS and Bind</em>,
3327
Fourth Edition. Sebastopol, CA: O'Reilly
3328
& Associates, 1998.</p>
3331
<p>Stern, Hal. <em class="emphasis">Managing NFS and NIS</em>, Second
3332
Edition. Sebastopol, CA: O'Reilly & Associates,
3333
1991.<a name="INDEX-117"/></p>
3341
<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
added
removed
docs/htmldocs/using_samba/ch12.html
