Troubleshooting Samba 3.x on FreeBSD 6.x
Jan 3, 2010

The checklist below is partly based on the official Samba diagnosis chapter. It has been tweaked for FreeBSD, and includes tests for WINS and a member server running Winbind, plus some extra bits. Some tests may not be applicable to your environment.

The test lab has two servers, one client PC and one user. One of the servers is a PDC named "emachine", on IP address 192.168.1.201, and it runs an NT4-style domain called TESTDOM. The other server, named "array" and on IP address 192.168.1.202, is a member server in the TESTDOM domain. The client PC is named "tinyxp" and is on IP address 192.168.1.7. The user is named "testuser"; his password is "xyz". The PDC is sharing home directories, plus a share called "x-drive". The member server has a single share called "vol1".

The goals:

  1. the user should only see ONE (1) password prompt - when they first log in
  2. client PC can join the domain
  3. user can log in as a domain user
  4. user can browse the domain on the network
  5. user can browse the list of resources on the PDC and on the member server
  6. user can create/delete files on shares on the PDC and on the member server
  7. drives mapped to shares on the PDC and on the member server are automatically reconnected on login
  8. login script runs

Note that the Winbind tests should only be run on the member server. All machines should be freshly rebooted (if possible) and left unused for up to 15 minutes prior to testing (this allows time for the machines to register themselves, conduct browser elections, etc.).

Please see the main Samba section for instructions on how to build the servers.

First, some errors and their possible causes:

NT_STATUS_CONNECTION_REFUSED: this can appear if the interfaces line in smb.conf is incorrect

NT_STATUS_INVALID_NETWORK_RESPONSE: this can appear if the hosts allow line in smb.conf is incorrect

NT_STATUS_NETWORK_ACCESS_DENIED: this is due to unix file system permissions, e.g. chmod and chgrp

tree connect failed: NT_STATUS_ACCESS_DENIED: this appears if the user is not listed in the valid users line, or due to unix file system permissions (chown)

session setup failed: NT_STATUS_LOGON_FAILURE: this is when the username or password is incorrect

Now, to the tests. The output shown below is what appears when everything is working correctly.

  1. Output of make -I /usr/ports/net/samba3 showconfig on PDC:
    ===> The following configuration options are available for samba-3.0.37,1:
         LDAP=off "With LDAP support"
         ADS=off "With Active Directory support"
         CUPS=off "With CUPS printing support"
         WINBIND=off "With WinBIND support"
         ACL_SUPPORT=off "With ACL support"
         AIO_SUPPORT=off "With Asyncronous IO support"
         FAM_SUPPORT=off "With File Alteration Monitor"
         SYSLOG=on "With Syslog support"
         QUOTAS=off "With Disk quota support"
         UTMP=on "With UTMP accounting support"
         PAM_SMBPASS=on "With PAM authentication vs passdb backends"
         CLUSTER=off "With experimental cluster support"
         DNSUPDATE=off "With dynamic DNS update(require ADS)"
         EXP_MODULES=off "With experimental modules"
         POPT=on "With system-wide POPT library"
         PCH=on "With precompiled headers optimization"
         MAX_DEBUG=off "With maximum debugging"
         SMBTORTURE=off "With smbtorture"
    

    Note: this is a FreeBSD-specific command that lists the Samba version and compile-time options.

  2. Output of make -I /usr/ports/net/samba3 showconfig on member server:
    ===> The following configuration options are available for samba-3.0.37,1:
         LDAP=off "With LDAP support"
         ADS=off "With Active Directory support"
         CUPS=off "With CUPS printing support"
         WINBIND=on "With WinBIND support"
         ACL_SUPPORT=off "With ACL support"
         AIO_SUPPORT=off "With Asyncronous IO support"
         FAM_SUPPORT=off "With File Alteration Monitor"
         SYSLOG=on "With Syslog support"
         QUOTAS=off "With Disk quota support"
         UTMP=on "With UTMP accounting support"
         PAM_SMBPASS=on "With PAM authentication vs passdb backends"
         CLUSTER=off "With experimental cluster support"
         DNSUPDATE=off "With dynamic DNS update(require ADS)"
         EXP_MODULES=off "With experimental modules"
         POPT=on "With system-wide POPT library"
         PCH=on "With precompiled headers optimization"
         MAX_DEBUG=off "With maximum debugging"
         SMBTORTURE=off "With smbtorture"
    
  3. Output of smbclient -L localhost -U% on PDC:
    Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.0.37]
    
            Sharename       Type      Comment
            ---------       ----      -------
            netlogon        Disk      Network Logon Service
            x-drive         Disk      Test Share
            IPC$            IPC       IPC Service (Samba Server [PDC])
    
            Server               Comment
            ---------            -------
            ARRAY                Samba Server [storage]
            EMACHINE             Samba Server [PDC]
            TINYXP
    
            Workgroup            Master
            ---------            -------
            TESTDOM              EMACHINE
    
  4. Output of smbclient -L localhost -U% on member server:
    Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.0.37]
    
            Sharename       Type      Comment
            ---------       ----      -------
            vol1            Disk      test share
            IPC$            IPC       IPC Service (Samba Server [storage])
    
            Server               Comment
            ---------            -------
            ARRAY                Samba Server [storage]
            EMACHINE             Samba Server [PDC]
    
            Workgroup            Master
            ---------            -------
            TESTDOM              EC2
    
  5. Output of testparm (first part only) on PDC:
    Load smb config files from /usr/local/etc/smb.conf
    Processing section "[netlogon]"
    Processing section "[homes]"
    Processing section "[x-drive]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC
    Press enter to see a dump of your service definitions
    
  6. Output of testparm (first part only) on member server:
    Load smb config files from /usr/local/etc/smb.conf
    Processing section "[vol1]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions
    
  7. Test name resolution with ping:

  8. Output of pdbedit -L on PDC:
    array$:1004:machine account
    root:0:Charlie &
    tinyxp$:1002:machine account
    testuser:1003:Test User
    

    This lists the user and machine accounts defined in the SAM database. Use -v for verbose.

  9. Output of pdbedit -L on member server is empty (this is OK, as we're using winbind)
     
  10. Output of nmblookup -B emachine __SAMBA__ on PDC:
    querying __SAMBA__ on 192.168.1.201
    192.168.1.201 __SAMBA__<00>
    
  11. Output of nmblookup -B emachine __SAMBA__ on member server:
    querying __SAMBA__ on 192.168.1.201
    192.168.1.201 __SAMBA__<00>
    
  12. Output of nmblookup -U emachine -R 'tinyxp' on PDC:
    querying tinyxp on 192.168.1.201
    192.168.1.7 tinyxp<00>
    

    This tests whether NetBIOS names can be resolved with WINS.

  13. Output of nmblookup -U emachine -R 'tinyxp' on member server:
    querying tinyxp on 192.168.1.201
    192.168.1.7 tinyxp<00>
    
  14. Output of nmblookup -d 2 '*' on PDC:
    added interface ip=192.168.1.201 bcast=192.168.1.255 nmask=255.255.255.0
    querying * on 192.168.1.255
    Got a positive name query response from 192.168.1.202 ( 192.168.1.202 )
    Got a positive name query response from 192.168.1.201 ( 192.168.1.201 )
    192.168.1.202 *<00>
    192.168.1.201 *<00>
    

    This tests whether the broadcast address is working.

  15. Output of nmblookup -d 2 '*' on member server:
    added interface ip=192.168.1.202 bcast=192.168.1.255 nmask=255.255.255.0
    querying * on 192.168.1.255
    Got a positive name query response from 192.168.1.201 ( 192.168.1.201 )
    Got a positive name query response from 192.168.1.202 ( 192.168.1.202 )
    192.168.1.201 *<00>
    192.168.1.202 *<00>
    
  16. Output of nmblookup -M TESTDOM on PDC:
    querying TESTDOM on 192.168.1.255
    192.168.1.201 TESTDOM<1d>
    

    This tests whether a master browser can be found.

  17. Output of nmblookup -M TESTDOM on member server:
    querying TESTDOM on 192.168.1.255
    192.168.1.201 TESTDOM<1d>
    
  18. Output of findsmb on PDC:
                                    *=DMB
                                    +=LMB
    IP ADDR         NETBIOS NAME     WORKGROUP/OS/VERSION
    ---------------------------------------------------------------------
    192.168.1.201   EMACHINE      *[TESTDOM] [Unix] [Samba 3.0.37]
    192.168.1.202   ARRAY          [TESTDOM] [Unix] [Samba 3.0.37]
    

    This scans the network for NetBIOS hosts.

  19. Output of findsmb on member server:
                                    *=DMB
                                    +=LMB
    IP ADDR         NETBIOS NAME     WORKGROUP/OS/VERSION
    ---------------------------------------------------------------------
    192.168.1.201   EMACHINE      *[TESTDOM] [Unix] [Samba 3.0.37]
    192.168.1.202   ARRAY          [TESTDOM] [Unix] [Samba 3.0.37]
    
  20. Output of wbinfo -p on the member server:
    Ping to winbindd succeeded on fd 4
    

    This pings the Winbind daemon. Run on the member server only (winbind test).

  21. Output of wbinfo -u on the member server:
    TESTDOM\root
    TESTDOM\testuser
    

    This lists domain users. Run on the member server only (winbind test).

  22. Output of wbinfo -g on the member server:
    BUILTIN\administrators
    BUILTIN\users
    TESTDOM\domain users
    TESTDOM\domain guests
    TESTDOM\domain admins
    

    This lists domain groups. Run on the member server only (winbind test).

  23. Output of wbinfo -D TESTDOM on the member server:
    Name              : TESTDOM
    Alt_Name          :
    SID               : S-1-5-21-2081955890-1415863938-788714504
    Active Directory  : No
    Native            : No
    Primary           : Yes
    Sequence          : 1262306190
    

    This lists domain info. Run on the member server only (winbind test).

  24. Output of id TESTDOM\\testuser on the member server:
    uid=10000(TESTDOM\testuser) gid=10002(TESTDOM\domain users) groups=10002(TESTDOM\domain users), 10001(BUILTIN\users)
    

    This lists user info. Run on the member server only (winbind test).

  25. Output of wbinfo -a "TESTDOM\testuser%xyz" on the member server:
    plaintext password authentication succeeded
    challenge/response password authentication succeeded
    

    This tests user authentication. Run on the member server only (winbind test).

  26. Output of pw show user -a on the member server:
    [... snip ...]
    nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
    TESTDOM\root:*:10001:10002::0:0:Charlie &:/home/TESTDOM/root:/sbin/nologin
    TESTDOM\testuser:*:10000:10002::0:0:Test User:/home/TESTDOM/testuser:/sbin/nologin
    

    This shows the combined local and domain user list. Run on the member server only (winbind test).

  27. Output of pw show group -a on the member server:
    [... snip ...]
    nobody:*:65534:
    TESTDOM\domain users:*:10002:TESTDOM\testuser
    TESTDOM\domain guests:*:10003:
    TESTDOM\domain admins:*:10004:TESTDOM\root
    BUILTIN\administrators:*:10000:TESTDOM\root
    BUILTIN\users:*:10001:TESTDOM\testuser
    

    This shows the combined local and domain group list. Run on the member server only (winbind test).

  28. Output of pw usershow 10000 on the member server:
    TESTDOM\testuser:*:10000:10002::0:0:Test User:/home/TESTDOM/testuser:/sbin/nologin
    

    This lists user info, using Winbind UID. Run on the member server only (winbind test).

  29. Output of pw groupshow "TESTDOM\Domain Users" on the member server:
    TESTDOM\domain users:*:10002:TESTDOM\testuser
    

    This lists domain group membership. Run on the member server only (winbind test).

  30. Output of smbclient //emachine/x-drive -Utestuser%xyz -c'ls' on PDC:
    Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.0.37]
      .                                   D        0  Sun Jan  3 02:05:44 2010
      ..                                  D        0  Fri Jan  1 20:50:26 2010
      testfile1.txt                       A        5  Sat Dec 19 09:52:10 2009
                    54836 blocks of size 131072. 32709 blocks available
    

    This tests whether the user can list files on shares on the PDC.

  31. Output of smbclient //emachine/x-drive -Utestuser%xyz -c'ls' on member server:
    Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.0.37]
      .                                   D        0  Sun Jan  3 02:05:44 2010
      ..                                  D        0  Fri Jan  1 20:50:26 2010
      testfile1.txt                       A        5  Sat Dec 19 09:52:10 2009
                    54836 blocks of size 131072. 32709 blocks available
    
  32. Output of smbclient //array/vol1 -Utestuser%xyz -c'ls' on PDC:
    Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.0.37]
      .                                   D        0  Sun Jan  3 02:03:20 2010
      ..                                  D        0  Fri Jan  1 22:56:27 2010
      testfile2.txt                       A        5  Sat Dec 19 09:52:10 2009
                    43617 blocks of size 524288. 36240 blocks available
    

    This tests whether the user can list files on shares on the member server.

  33. Output of smbclient //array/vol1 -Utestuser%xyz -c'ls' on member server:
    Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.0.37]
      .                                   D        0  Sun Jan  3 02:03:20 2010
      ..                                  D        0  Fri Jan  1 22:56:27 2010
      testfile2.txt                       A        5  Sat Dec 19 09:52:10 2009
                    43617 blocks of size 524288. 36240 blocks available
    
  34. Output of net view \\emachine on client PC:
    Shared resources at \\emachine
    
    Samba Server [PDC]
    
    Share name    Type   Used as  Comment
    ----------------------------------------------------
    netlogon    Disk           Network Logon Service
    testuser    Disk  H:       Home Directory
    x-drive     Disk           Test Share
    The command completed successfully.
    
  35. Output of net view \\array on client PC:
    Shared resources at \\array
    
    Samba Server [storage]
    
    Share name  Type  Used as  Comment
    ----------------------------------------------------
    vol1        Disk
    The command completed successfully.
    
  36. Output of net use x: \\emachine\x-drive on client PC:
    The command completed successfully.
    
  37. Output of net use q: \\array\vol1 on client PC:
    The command completed successfully.
    
  38. Output of smbstatus on PDC:
    Samba version 3.0.37
    PID     Username      Group         Machine
    -------------------------------------------------------------------
      508   array$        machines      array        (192.168.1.202)
      510   array$        machines      array        (192.168.1.202)
     1032   testuser      staff         tinyxp       (192.168.1.7)
    
    Service      pid     machine       Connected at
    -------------------------------------------------------
    testuser     1032   tinyxp        Sun Jan  3 02:04:44 2010
    IPC$         1032   tinyxp        Sun Jan  3 02:04:26 2010
    IPC$         508   array         Sun Jan  3 00:43:04 2010
    IPC$         510   array         Sun Jan  3 00:43:05 2010
    netlogon     1032   tinyxp        Sun Jan  3 02:11:15 2010
    x-drive      1032   tinyxp        Sun Jan  3 02:13:53 2010
    
    No locked files
    

    Note: the "locked files" section of the above output will list all open files (if any).

  39. Output of smbstatus on member server:
    Samba version 3.0.37
    PID     Username      Group         Machine
    -------------------------------------------------------------------
      823   TESTDOM\testuser  TESTDOM\domain users  tinyxp       (192.168.1.7)
    
    Service      pid     machine       Connected at
    -------------------------------------------------------
    vol1         823   tinyxp        Sun Jan  3 02:14:06 2010
    
    No locked files
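
The browse-list and testparm checks (tests 3 to 6) can be scripted so that a change in master browser or server role is caught without reading the output by eye. The script below is an added example, not part of the original page or of Samba; the function names and the host name OTHERBOX are hypothetical, and the sample text is constructed from the output shapes shown above.

```shell
#!/bin/sh
# Added example: compare captured test output with the lab's expected values.

# Print the master that `smbclient -L` output (stdin) lists for workgroup $1.
browse_master() {
    awk -v wg="$1" '
        $1 == "Workgroup" && $2 == "Master" { in_tbl = 1; next }
        !in_tbl || $1 ~ /^-+$/              { next }
        NF == 0                             { exit }
        toupper($1) == toupper(wg)          { print $2; exit }
    '
}

# Print the role that `testparm` output (stdin) reports, e.g. ROLE_DOMAIN_PDC.
server_role() {
    sed -n 's/^[[:space:]]*Server role:[[:space:]]*//p' | head -n 1
}

# verify_baseline BROWSE_TEXT TESTPARM_TEXT WORKGROUP MASTER ROLE
# Prints one PASS/FAIL line per check; returns the number of failed checks.
verify_baseline() {
    fails=0
    got=$(printf '%s\n' "$1" | browse_master "$3")
    if [ "$got" = "$4" ]; then echo "PASS master browser: $got"
    else echo "FAIL master browser: expected $4, got ${got:-none}"; fails=$((fails + 1)); fi
    got=$(printf '%s\n' "$2" | server_role)
    if [ "$got" = "$5" ]; then echo "PASS server role: $got"
    else echo "FAIL server role: expected $5, got ${got:-none}"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed samples, trimmed from the output shapes of tests 3 and 6.
GOOD_BROWSE='Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.0.37]

        Workgroup            Master
        ---------            -------
        TESTDOM              EMACHINE'
# Same table with a hypothetical host (OTHERBOX) listed as master.
DRIFT_BROWSE='        Workgroup            Master
        ---------            -------
        TESTDOM              OTHERBOX'
MEMBER_TESTPARM='Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER'

verify_baseline "$GOOD_BROWSE" "$MEMBER_TESTPARM" TESTDOM EMACHINE ROLE_DOMAIN_MEMBER
verify_baseline "$DRIFT_BROWSE" "$MEMBER_TESTPARM" TESTDOM EMACHINE ROLE_DOMAIN_MEMBER || true
```

On a live server, feed the functions real output instead of the samples, for example `smbclient -L localhost -U% | browse_master TESTDOM`.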