SMB authentication issue

I created /var/log/samba and now SMB logging seems to be working. I'm not sure if this is a concern:

---
Mar 4 10:48:23 internal /usr/sbin/ocspd[39539]: starting
Mar 4 10:59:41 internal sudo[39603]: westin : TTY=ttys000 ; PWD=/private/var/log ; USER=root ; COMMAND=/usr/bin/su
Mar 4 11:00:15 internal servermgrd[80]: --Module servermgr_smb returned nil response
Mar 4 11:00:17 internal servermgrd[80]: servermgr_smb: -[SCSMBConfigurationParser writeFile] kSMBPreferencesSyncTool
Mar 4 11:00:18 internal com.apple.launchd[1] (org.samba.smbd[39411]): Stray process with PGID equal to this dead job: PID 39418 PPID 1 smbd
Mar 4 11:00:22 internal servermgrd[80]: servermgr_smb: -[SCSMBConfigurationParser writeFile] kSMBPreferencesSyncTool
---

I'll go test the authentication issue again, now that I can see the logs when users connect.

Greg

The 'process has forked' error messages persist, and users can still connect without passwords. Interestingly, they seem to connect as the correct user, so it's as if the previous connection isn't being terminated properly, or Windows is saving the login information. Perhaps the 'process has forked' messages are indicating that there's some problem with actually getting rid of processes?

If I shut down the SMB service, disconnect all clients, then restart the service and connect a client, this happens:

---
\[2008/03/19 17:05:51, 0\] /SourceCache/samba/samba-187/samba/source/smbd/server.c:main(890)
smbd version 3.0.25b-apple started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
The process has forked and you cannot use this CoreFoundation functionality safely. You MUST exec().
Break on _THE_PROCESS_HAS_FORKED_AND_YOU_CANNOT_USE_THIS_COREFOUNDATION_FUNCTIONALITY___Y OU_MUST_EXEC_() to debug.
---

I don't know if this is relevant, but I saw another post that said that I had to make my SMB server the PDC, and I get a number of messages like this in the SMB Name Service Log:

---
Samba name server SERVERNAME is now a local master browser for workgroup WORKGROUPNAME on subnet xxx.xxx.xxx.xx
---

Thanks for any help,

Greg

Message was edited by: Greg Westin to add a few more details about error messages

I just tried connecting using SMB from a 10.5 Mac, and this seems to work fine. At this point, I think that:

- I had some problems with my permissions setup that applied an ACL permitting all users in our group to read/write to basically everything, which caused it to seem like an unauthenticated user could somehow read/write everywhere
- Users by default seem to connect as a guest; however, if I try to mount a user's home folder (no matter which one) it prompts for authentication, which always seems to fail.
- At least some of the users who had working connections before still connect, without authentication, under their own usernames.

So one issue might be with my authentication setup; perhaps I need to change to use a different authentication method. This might solve the issue of users being unable to truly de-authenticate by disconnecting the network drive, and perhaps also the setup that doesn't automatically ask for authentication, but instead logs people in as guest by default.

Thanks for any help on this,

Greg

I've disabled guest access and changed some settings for the SMB service, and now I'm down to two issues:

- The issue I mentioned before of users basically being unable to de-authenticate. If I change the user's password on the server, the person has to log in again, but if I change the password back, the user once again cannot log out. Even logging out and restarting don't change this. How can I remove this saved authentication information?

- The second issue is that I have at least one computer that couldn't connect via domain name, but could connect via IP address. It said that it couldn't locate the resource, or something like that, when connecting by domain name. After connecting via IP, however, I could connect via domain name just fine. All of my client machines are on a different subnet from the server, and that computer could seemingly connect via other protocols (like on ports 8443 and 8008 for the iCal server) using the domain name.

This is exhausting. I wish I could just not support these Windows clients.

Greg

Honestly, I don't really understand the purpose of WINS. I had it off, but turned it on today after seeing someone suggest that on some discussion here. If none of my client machines are on the same subnet as the server, how do they 'announce their presence'? Looking at that file, I see a number of entries that correspond to the server's IP, and a number that list 255.255.255.255. This makes me think that WINS must not be appropriate for this situation.

The client workstations are all behind a firewall that doesn't allow any incoming connections (they don't have externally-accessible IP addresses).

Greg