diff options
Diffstat (limited to 'docs/docbook/projdoc/Diagnosis.xml')
-rw-r--r-- | docs/docbook/projdoc/Diagnosis.xml | 522 |
1 files changed, 522 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/Diagnosis.xml b/docs/docbook/projdoc/Diagnosis.xml new file mode 100644 index 0000000000..150f071b78 --- /dev/null +++ b/docs/docbook/projdoc/Diagnosis.xml @@ -0,0 +1,522 @@ +<chapter id="diagnosis"> +<chapterinfo> + &author.tridge; + &author.jelmer; + <pubdate>Wed Jan 15</pubdate> +</chapterinfo> + +<title>The samba checklist</title> + +<sect1> +<title>Introduction</title> + +<para> +This file contains a list of tests you can perform to validate your +Samba server. It also tells you what the likely cause of the problem +is if it fails any one of these steps. If it passes all these tests +then it is probably working fine. +</para> + +<para> +You should do ALL the tests, in the order shown. We have tried to +carefully choose them so later tests only use capabilities verified in +the earlier tests. However, do not stop at the first error as there +have been some instances when continuing with the tests has helped +to solve a problem. +</para> + +<para> +If you send one of the samba mailing lists an email saying "it doesn't work" +and you have not followed this test procedure then you should not be surprised +if your email is ignored. +</para> + +</sect1> + +<sect1> +<title>Assumptions</title> + +<para> +In all of the tests it is assumed you have a Samba server called +BIGSERVER and a PC called ACLIENT both in workgroup TESTGROUP. +</para> + +<para> +The procedure is similar for other types of clients. +</para> + +<para> +It is also assumed you know the name of an available share in your +&smb.conf;. I will assume this share is called <replaceable>tmp</replaceable>. +You can add a <replaceable>tmp</replaceable> share like this by adding the +following to &smb.conf;: +</para> + +<para><programlisting> + +[tmp] + comment = temporary files + path = /tmp + read only = yes + +</programlisting> +</para> + +<note><para> +These tests assume version 3.0 or later of the samba suite. +Some commands shown did not exist in earlier versions. +</para></note> + +<para> +Please pay attention to the error messages you receive. If any error message +reports that your server is being unfriendly you should first check that your +IP name resolution is correctly set up. eg: Make sure your <filename>/etc/resolv.conf</filename> +file points to name servers that really do exist. +</para> + +<para> +Also, if you do not have DNS server access for name resolution please check +that the settings for your &smb.conf; file results in <command>dns proxy = no</command>. The +best way to check this is with <userinput>testparm smb.conf</userinput>. +</para> + +<para> +It is helpful to monitor the log files during testing by using the +<command>tail -F <replaceable>log_file_name</replaceable></command> in a separate +terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X). +Relevant log files can be found (for default installations) in +<filename>/usr/local/samba/var</filename>. Also, connection logs from +machines can be found here or possibly in <filename>/var/log/samba</filename> +depending on how or if you specified logging in your &smb.conf; file. +</para> + +<para> +If you make changes to your &smb.conf; file while going through these test, +don't forget to restart &smbd; and &nmbd;. +</para> + +</sect1> + +<sect1> +<title>The tests</title> +<procedure> +<title>Diagnosing your samba server</title> + +<step performance="required"> +<para> +In the directory in which you store your &smb.conf; file, run the command +<userinput>testparm smb.conf</userinput>. If it reports any errors then your &smb.conf; +configuration file is faulty. +</para> + +<note><para> +Your &smb.conf; file may be located in: <filename>/etc/samba</filename> +Or in: <filename>/usr/local/samba/lib</filename> +</para></note> +</step> + +<step performance="required"> +<para> +Run the command <userinput>ping BIGSERVER</userinput> from the PC and +<userinput>ping ACLIENT</userinput> from +the unix box. If you don't get a valid response then your TCP/IP +software is not correctly installed. +</para> + +<para> +Note that you will need to start a "dos prompt" window on the PC to +run ping. +</para> + +<para> +If you get a message saying "host not found" or similar then your DNS +software or <filename>/etc/hosts</filename> file is not correctly setup. +It is possible to +run samba without DNS entries for the server and client, but I assume +you do have correct entries for the remainder of these tests. +</para> + +<para> +Another reason why ping might fail is if your host is running firewall +software. You will need to relax the rules to let in the workstation +in question, perhaps by allowing access from another subnet (on Linux +this is done via the <application>ipfwadm</application> program.) +</para> + +<para> +Note: Modern Linux distributions install ipchains/iptables by default. +This is a common problem that is often overlooked. +</para> +</step> + +<step performance="required"> +<para> +Run the command <userinput>smbclient -L BIGSERVER</userinput> on the unix box. You +should get a list of available shares back. +</para> + +<para> +If you get a error message containing the string "Bad password" then +you probably have either an incorrect <command>hosts allow</command>, +<command>hosts deny</command> or <command>valid users</command> line in your +&smb.conf;, or your guest account is not +valid. Check what your guest account is using &testparm; and +temporarily remove any <command>hosts allow</command>, <command>hosts deny</command>, <command>valid users</command> or <command>invalid users</command> lines. +</para> + +<para> +If you get a "connection refused" response then the smbd server may +not be running. If you installed it in inetd.conf then you probably edited +that file incorrectly. If you installed it as a daemon then check that +it is running, and check that the netbios-ssn port is in a LISTEN +state using <userinput>netstat -a</userinput>. +</para> + +<note><para> +Some Unix / Linux systems use <command>xinetd</command> in place of +<command>inetd</command>. Check your system documentation for the location +of the control file/s for your particular system implementation of +this network super daemon. +</para></note> + +<para> +If you get a "session request failed" then the server refused the +connection. If it says "Your server software is being unfriendly" then +its probably because you have invalid command line parameters to &smbd;, +or a similar fatal problem with the initial startup of &smbd;. Also +check your config file (&smb.conf;) for syntax errors with &testparm; +and that the various directories where samba keeps its log and lock +files exist. +</para> + +<para> +There are a number of reasons for which smbd may refuse or decline +a session request. The most common of these involve one or more of +the following &smb.conf; file entries: +</para> + +<para><programlisting> + hosts deny = ALL + hosts allow = xxx.xxx.xxx.xxx/yy + bind interfaces only = Yes +</programlisting></para> + +<para> +In the above, no allowance has been made for any session requests that +will automatically translate to the loopback adaptor address 127.0.0.1. +To solve this problem change these lines to: +</para> + +<para><programlisting> + hosts deny = ALL + hosts allow = xxx.xxx.xxx.xxx/yy 127. +</programlisting></para> + +<para> +Do NOT use the <command>bind interfaces only</command> parameter where you +may wish to +use the samba password change facility, or where &smbclient; may need to +access a local service for name resolution or for local resource +connections. (Note: the <command>bind interfaces only</command> parameter deficiency +where it will not allow connections to the loopback address will be +fixed soon). +</para> + +<para> +Another common cause of these two errors is having something already running +on port 139, such as Samba (ie: smbd is running from <application>inetd</application> already) or +something like Digital's Pathworks. Check your <filename>inetd.conf</filename> file before trying +to start &smbd; as a daemon, it can avoid a lot of frustration! +</para> + +<para> +And yet another possible cause for failure of this test is when the subnet mask +and / or broadcast address settings are incorrect. Please check that the +network interface IP Address / Broadcast Address / Subnet Mask settings are +correct and that Samba has correctly noted these in the <filename>log.nmb</filename> file. +</para> + +</step> + +<step performance="required"> + +<para> +Run the command <userinput>nmblookup -B BIGSERVER __SAMBA__</userinput>. You should get the +IP address of your Samba server back. +</para> + +<para> +If you don't then nmbd is incorrectly installed. Check your <filename>inetd.conf</filename> +if you run it from there, or that the daemon is running and listening +to udp port 137. +</para> + +<para> +One common problem is that many inetd implementations can't take many +parameters on the command line. If this is the case then create a +one-line script that contains the right parameters and run that from +inetd. +</para> + +</step> + +<step performance="required"> + +<para>run the command <userinput>nmblookup -B ACLIENT '*'</userinput></para> + +<para> +You should get the PCs IP address back. If you don't then the client +software on the PC isn't installed correctly, or isn't started, or you +got the name of the PC wrong. +</para> + +<para> +If ACLIENT doesn't resolve via DNS then use the IP address of the +client in the above test. +</para> + +</step> + +<step performance="required"> + +<para> +Run the command <userinput>nmblookup -d 2 '*'</userinput> +</para> + +<para> +This time we are trying the same as the previous test but are trying +it via a broadcast to the default broadcast address. A number of +Netbios/TCPIP hosts on the network should respond, although Samba may +not catch all of the responses in the short time it listens. You +should see "got a positive name query response" messages from several +hosts. +</para> + +<para> +If this doesn't give a similar result to the previous test then +nmblookup isn't correctly getting your broadcast address through its +automatic mechanism. In this case you should experiment with the +<command>interfaces</command> option in &smb.conf; to manually configure your IP +address, broadcast and netmask. +</para> + +<para> +If your PC and server aren't on the same subnet then you will need to +use the <parameter>-B</parameter> option to set the broadcast address to that of the PCs +subnet. +</para> + +<para> +This test will probably fail if your subnet mask and broadcast address are +not correct. (Refer to TEST 3 notes above). +</para> + +</step> + +<step performance="required"> + +<para> +Run the command <userinput>smbclient //BIGSERVER/TMP</userinput>. You should +then be prompted for a password. You should use the password of the account +you are logged into the unix box with. If you want to test with +another account then add the <parameter>-U <replaceable>accountname</replaceable></parameter> option to the end of +the command line. eg: +<userinput>smbclient //bigserver/tmp -Ujohndoe</userinput> +</para> + +<note><para> +It is possible to specify the password along with the username +as follows: +<userinput>smbclient //bigserver/tmp -Ujohndoe%secret</userinput> +</para></note> + +<para> +Once you enter the password you should get the <prompt>smb></prompt> prompt. If you +don't then look at the error message. If it says "invalid network +name" then the service "tmp" is not correctly setup in your &smb.conf;. +</para> + +<para> +If it says "bad password" then the likely causes are: +</para> + +<orderedlist> +<listitem> + <para> + you have shadow passords (or some other password system) but didn't + compile in support for them in &smbd; + </para> +</listitem> + +<listitem> + <para> + your <command>valid users</command> configuration is incorrect + </para> +</listitem> + +<listitem> + <para> + you have a mixed case password and you haven't enabled the <command>password + level</command> option at a high enough level + </para> +</listitem> + +<listitem> + <para> + the <command>path =</command> line in &smb.conf; is incorrect. Check it with &testparm; + </para> +</listitem> + +<listitem> + <para> + you enabled password encryption but didn't create the SMB encrypted + password file + </para> +</listitem> +</orderedlist> + +<para> +Once connected you should be able to use the commands +<command>dir</command> <command>get</command> <command>put</command> etc. +Type <command>help <replaceable>command</replaceable></command> for instructions. You should +especially check that the amount of free disk space shown is correct +when you type <command>dir</command>. +</para> + +</step> + +<step performance="required"> + +<para> +On the PC, type the command <userinput>net view \\BIGSERVER</userinput>. You will +need to do this from within a "dos prompt" window. You should get back a +list of available shares on the server. +</para> + +<para> +If you get a "network name not found" or similar error then netbios +name resolution is not working. This is usually caused by a problem in +nmbd. To overcome it you could do one of the following (you only need +to choose one of them): +</para> + +<orderedlist> +<listitem><para> + fixup the &nmbd; installation +</para></listitem> + +<listitem><para> + add the IP address of BIGSERVER to the <command>wins server</command> box in the + advanced tcp/ip setup on the PC. +</para></listitem> + +<listitem><para> + enable windows name resolution via DNS in the advanced section of + the tcp/ip setup +</para></listitem> + +<listitem><para> + add BIGSERVER to your lmhosts file on the PC. +</para></listitem> +</orderedlist> + +<para> +If you get a "invalid network name" or "bad password error" then the +same fixes apply as they did for the <userinput>smbclient -L</userinput> test above. In +particular, make sure your <command>hosts allow</command> line is correct (see the man +pages) +</para> + +<para> +Also, do not overlook that fact that when the workstation requests the +connection to the samba server it will attempt to connect using the +name with which you logged onto your Windows machine. You need to make +sure that an account exists on your Samba server with that exact same +name and password. +</para> + +<para> +If you get "specified computer is not receiving requests" or similar +it probably means that the host is not contactable via tcp services. +Check to see if the host is running tcp wrappers, and if so add an entry in +the <filename>hosts.allow</filename> file for your client (or subnet, etc.) +</para> + +</step> + +<step performance="required"> + +<para> +Run the command <userinput>net use x: \\BIGSERVER\TMP</userinput>. You should +be prompted for a password then you should get a "command completed +successfully" message. If not then your PC software is incorrectly +installed or your smb.conf is incorrect. make sure your <command>hosts allow</command> +and other config lines in &smb.conf; are correct. +</para> + +<para> +It's also possible that the server can't work out what user name to +connect you as. To see if this is the problem add the line <command>user = +<replaceable>username</replaceable></command> to the <command>[tmp]</command> section of +&smb.conf; where <replaceable>username</replaceable> is the +username corresponding to the password you typed. If you find this +fixes things you may need the username mapping option. +</para> + +<para> +It might also be the case that your client only sends encrypted passwords +and you have <command>encrypt passwords = no</command> in &smb.conf; +Turn it back on to fix. +</para> + +</step> + +<step performance="required"> + +<para> +Run the command <userinput>nmblookup -M <replaceable>testgroup</replaceable></userinput> where +<replaceable>testgroup</replaceable> is the name of the workgroup that your Samba server and +Windows PCs belong to. You should get back the IP address of the +master browser for that workgroup. +</para> + +<para> +If you don't then the election process has failed. Wait a minute to +see if it is just being slow then try again. If it still fails after +that then look at the browsing options you have set in &smb.conf;. Make +sure you have <command>preferred master = yes</command> to ensure that +an election is held at startup. +</para> + +</step> + +<step performance="required"> + +<para> +>From file manager try to browse the server. Your samba server should +appear in the browse list of your local workgroup (or the one you +specified in smb.conf). You should be able to double click on the name +of the server and get a list of shares. If you get a "invalid +password" error when you do then you are probably running WinNT and it +is refusing to browse a server that has no encrypted password +capability and is in user level security mode. In this case either set +<command>security = server</command> AND +<command>password server = Windows_NT_Machine</command> in your +&smb.conf; file, or make sure <command>encrypted passwords</command> is +set to "yes". +</para> + +</step> +</procedure> +</sect1> + +<sect1> +<title>Still having troubles?</title> + +<para>Read the chapter on +<link linkend="problems">Analysing and Solving Problems</link>. +</para> + +</sect1> + +</chapter> |