
【Samba】"connection to IPC$ denied due to security descriptor" error

pursuit
Forum debut date: 2007/06/11
Posts: 1
Posted: 2007-06-11 11:22
Thank you for your help. This will be a long post, but I would appreciate your advice.

I am running Samba 3.0.24-4.fc5 (x86_64) as a PDC.
The log is flooded with "connection to IPC$ denied due to security descriptor".
Currently I see:
 ・authentication at login takes quite a long time
 ・a noticeable lag when accessing files on the server
 ・at shutdown, it takes a long time before the connection is dropped
but reading and writing files works almost without problems.
At the moment this is not a serious obstacle, but I suspected that if this error (IPC$ denied due) stopped appearing,
these three problems would be resolved, so I have been searching sites and trying things,
but I have not been able to solve it yet.
How can I resolve this problem?

I thought it was related to the machine trust accounts, so I tried deleting the accounts with pdbedit
and re-registering them several times.
I also tried stopping Samba, deleting wins.dat, wins.tdb, browse.dat and share_info.tdb,
and restarting Samba, but the situation is the same.

Is there a problem with smb.conf etc.? No printers are connected, so the related entries in smb.conf
are commented out and not configured. As a test I set
load printers = no
disable spoolss = yes
and watched for a while after restarting, but the same log lines are written out.
(I tried with the CUPS service both running and stopped.)

Server OS: Fedora Core 5 x86_64
Client OS: Windows XP SP2 (winPC1, winPC3)
Windows 2000 Pro (winPC2)
※ The printers (2 units) are LAN-attached with fixed IPs and are used only from Windows.
Ports UDP 137/138 and TCP 139/445 are all opened in iptables.

【Logs】
■ Every time a client accesses the server, the following is repeated many times in 'winPC1.log'
[2007/06/11 10:10:26, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.11)
[2007/06/11 10:10:26, 0] smbd/service.c:make_connection_snum(782)
make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 10:10:26, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.11)
[2007/06/11 10:10:26, 0] smbd/service.c:make_connection_snum(782)
make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 10:10:26, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.11)
[2007/06/11 10:10:26, 0] smbd/service.c:make_connection_snum(782)
make_connection: connection to IPC$ denied due to security descriptor.

■ The log 'winPC1.log' at client startup is
[2007/06/11 08:50:41, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 0] smbd/service.c:make_connection_snum(782)
make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 08:50:42, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/06/11 08:50:42, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/06/11 08:50:42, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [User1] -> [user1] -> [user1] succeeded
[2007/06/11 08:50:42, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 2] lib/module.c:do_smb_load_module(64)
Module '/usr/lib64/samba/vfs/recycle.so' loaded
[2007/06/11 08:50:42, 1] smbd/service.c:make_connection_snum(950)
winPC1 (192.168.1.11) connect to service user1 initially as user user1 (uid=500, gid=505) (pid 31006)
[2007/06/11 08:50:42, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 0] smbd/service.c:make_connection_snum(782)
make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 08:50:42, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 1] smbd/service.c:make_connection_snum(950)
winPC1 (192.168.1.11) connect to service public initially as user user1 (uid=500, gid=505) (pid 31006)
[2007/06/11 08:50:44, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.11)
[2007/06/11 08:50:44, 0] smbd/service.c:make_connection_snum(782)
make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 08:50:44, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.11)
[2007/06/11 08:50:44, 0] smbd/service.c:make_connection_snum(782)
make_connection: connection to IPC$ denied due to security descriptor.
(after this, the four lines at 08:50:44 are repeated)

■ A log '192.168.1.11.log' is also created for the above winPC1's IP address, and the startup log there is
[2007/06/11 08:50:41, 2] lib/access.c:check_access(323)
[2007/06/11 08:50:41, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.11)
Allowed connection from (192.168.1.11)
[2007/06/11 08:50:41, 2] smbd/reply.c:reply_special(496)
netbios connect: name1=my_server name2=winPC1
[2007/06/11 08:50:41, 2] smbd/reply.c:reply_special(503)
netbios connect: local=my_server remote=winPC1, name type = 0
[2007/06/11 08:50:41, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/06/11 08:50:41, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

■ The log 'winPC2.log' recorded after entering the password on winPC2 (Windows 2000)
Jun 11 09:14:10 my_server smbd[8496]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[8496]: getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[13782]: getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[13782]: getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/access.c:check_access(327)
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[13782]: getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: Denied connection from (0.0.0.0)
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[13782]: getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: Connection denied from 0.0.0.0
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:write_data(562)
Jun 11 09:14:10 my_server smbd[13782]: write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:send_smb(769)
Jun 11 09:14:10 my_server smbd[13782]: Error writing 5 bytes to client. -1. (Connection reset by peer)

【Configuration files】
smb.conf is
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[public]"
Processing section "[wwwdir]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
[global]
dos charset = CP932
display charset = UTF-8
workgroup = MY_NET
server string = Server
interfaces = eth1, lo, 192.168.1.0/24
passdb backend = tdbsam:/etc/samba/passdb.tdb
username map = /etc/samba/smbusers
log level = 2
log file = /var/log/samba/%m.log
max log size = 256
name resolve order = wins host bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
create mask = 0774
directory mask = 0774
guest ok = Yes
hosts allow = 192.168.1.0/255.255.255.0, 127.0.0.
hide special files = Yes
[homes]
comment = Home Directories
valid users = %S
read only = No
force create mode = 0770
force directory mode = 0770
browseable = No
[netlogon]
comment = Network Logon Service
path = /home/netlogon
browseable = No
[public]
comment = Public Stuff
path = /home/samba/public
read only = No
force create mode = 0774
force directory mode = 0774

【User information etc.】
#pdbedit -L
user1:500:mr-user1
user2:501:mr-user2
user3:510:mr-user3
winPC1$:1003:Machine
winPC2$:1004:Machine
winPC3$:1005:Machine
my_server$:1008:Machine

# pdbedit -L -v -u user1
Unix username: user1
NT username:
Account Flags: [U ]
User SID: S-1-5-21-123456789-1234567890-1234567890-1012
Primary Group SID: S-1-5-21-123456789-1234567890-1234567890-513
Full Name: mr-user1
Home Directory: \\MY_SERVER\user1
HomeDir Drive:
Logon Script:
Profile Path: \\MY_SERVER\user1\profile
Domain: MY_NET
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 日, 07 2月 2106 15:28:15 JST
Kickoff time: 日, 07 2月 2106 15:28:15 JST
Password last set: 水, 09 5月 2007 09:30:36 JST
Password can change: 水, 09 5月 2007 09:30:36 JST
Password must change:日, 07 2月 2106 15:28:15 JST
Last bad password :0
Bad password count :0
Logon hours :FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# pdbedit -L -v -u winPC1$
Unix username: winPC1$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-123456789-1234567890-1234567890-3006
Primary Group SID: S-1-5-21-123456789-1234567890-1234567890-513
Full Name: Machine
Home Directory:
HomeDir Drive:
Logon Script:
Profile Path:
Domain: MY_NET
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 日, 07 2月 2106 15:28:15 JST
Kickoff time: 日, 07 2月 2106 15:28:15 JST
Password last set: 金, 11 5月 2007 13:52:55 JST
Password can change: 金, 11 5月 2007 13:52:55 JST
Password must change:日, 07 2月 2106 15:28:15 JST
Last bad password :0
Bad password count :0
Logon hours :FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# pdbedit -L -v -u my_server$
Unix username: my_server$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-123456789-1234567890-1234567890-3016
Primary Group SID: S-1-5-21-123456789-1234567890-1234567890-513
Full Name: Machine
Home Directory:
HomeDir Drive:
Logon Script:
Profile Path:
Domain: MY_NET
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 日, 07 2月 2106 15:28:15 JST
Kickoff time: 日, 07 2月 2106 15:28:15 JST
Password last set: 金, 11 5月 2007 14:00:38 JST
Password can change: 金, 11 5月 2007 14:00:38 JST
Password must change:日, 07 2月 2106 15:28:15 JST
Last bad password :0
Bad password count :0
Logon hours :FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# cat wins.dat
VERSION 1 0
"MY_NET#00" 1180835260 255.255.255.255 e4R
"MY_NET#1b" 1180835260 192.168.1.1 64R
"MY_NET#1e" 1180835260 255.255.255.255 e4R
"my_server#00" 1180835260 192.168.1.1 66R
"my_server#03" 1180835260 192.168.1.1 66R
"my_server#20" 1180835260 192.168.1.1 66R
"winPC1#00" 1180869016 192.168.1.11 64R
"winPC1#03" 1180869017 192.168.1.11 64R
"winPC1#20" 1180869024 192.168.1.11 64R
"winPC2#00" 1180871087 192.168.1.3 64R
"winPC2#03" 1180871086 192.168.1.3 64R
"winPC2#20" 1180871086 192.168.1.3 64R
"winPC3#00" 0 192.168.1.4 64R
"winPC3#03" 0 192.168.1.4 64R
"winPC3#20" 0 192.168.1.4 64R
"user1#03" 1180869044 192.168.1.11 64R
"user2#03" 1180871086 192.168.1.3 64R
"winPC2$#03" 1180871086 192.168.1.3 64R
  ※ There are no entries for the other users and machine names corresponding to the bottom 3 lines; is that OK?

# cat browser.dat
"MY_NET" c0001000 "my_server" "MY_NET"
"my_server" 408d9a03 "Server" "MY_NET"
"winPC3" 40011003 "Third" "MY_NET"
"winPC2" 40011007 "" "MY_NET"
"winPC1" 40011207 "First" "MY_NET"

# cat hosts
127.0.0.1 localhost.loaldomain localhost
192.168.1.1 my_server aaa.bbb.com
192.168.1.11 winPC1
192.168.1.3 winPC2
192.168.1.4 winPC3
192.168.1.99 printer1
192.168.1.98 printer2

# cat resolv.conf
search aaa.bbb.com
domain MY_NET
nameserver 127.0.0.1
nameserver 192.168.1.1
nameserver ***.***.***.*** (external DNS)

【Logs】
The following is recorded in 'nmbd.log' at 15-minute intervals
[2007/06/11 09:45:31, 2] nmbd/nmbd_browsesync.c:announce_local_master_browser_to_domain_master_browser(108)
announce_local_master_browser_to_domain_master_browser:
We are both a domain and a local master browser for workgroup MY_NET. Do not announce to ourselves.
[2007/06/11 09:45:31, 2] nmbd/nmbd_browsesync.c:sync_with_dmb(152)
sync_with_dmb:
Initiating sync with domain master browser MY_SERVER<20> at IP 192.168.1.1 for workgroup MY_NET

【Other】
# nmblookup MY_NET#1d
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
querying MY_NET on 192.168.1.255
Got a positive name query response from 192.168.1.1 ( 192.168.1.1 )
192.168.1.1 MY_NET<1d>

# nmblookup -A 192.168.1.1
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Looking up status of 192.168.1.1
MY_SERVER <00> - H <ACTIVE>
MY_SERVER <03> - H <ACTIVE>
MY_SERVER <20> - H <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
MY_NET <1d> - H <ACTIVE>
MY_NET <1b> - H <ACTIVE>
MY_NET <1e> - <GROUP> H <ACTIVE>
MY_NET <00> - <GROUP> H <ACTIVE>
MAC Address = 00-00-00-00-00-00

# nmblookup -A 192.168.1.11
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Looking up status of 192.168.1.11
MY_NET <00> - <GROUP> M <ACTIVE>
MY_NET <1e> - <GROUP> M <ACTIVE>
winPC1 <00> - M <ACTIVE>
winPC1 <03> - M <ACTIVE>
winPC1 <20> - M <ACTIVE>
user1 <03> - M <ACTIVE>
MAC Address = **-**-**-**-**-**

# nmblookup -A 192.168.1.3
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Looking up status of 192.168.1.3
MY_NET <00> - <GROUP> M <ACTIVE>
MY_NET <1e> - <GROUP> M <ACTIVE>
winPC2 <00> - M <ACTIVE>
winPC2 <03> - M <ACTIVE>
winPC2 <20> - M <ACTIVE>
winPC2$ <03> - M <ACTIVE> <-- not present on winPC1, winPC3
user2 <03> - M <ACTIVE>
MAC Address = **-**-**-**-**-**

# nmblookup -A 192.168.1.4
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Looking up status of 192.168.1.4
MY_NET <00> - <GROUP> M <ACTIVE>
MY_NET <1e> - <GROUP> M <ACTIVE>
winPC3 <00> - M <ACTIVE>
winPC3 <03> - M <ACTIVE>
winPC3 <20> - M <ACTIVE>
user3 <03> - M <ACTIVE>
MAC Address = **-**-**-**-**-**

【Ports】
# netstat -a -t -u -p -n | grep smbd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 8496/smbd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 8496/smbd
tcp 0 0 192.168.1.1:445 192.168.1.4:1222 ESTABLISHED 13528/smbd
tcp 0 0 192.168.1.1:139 192.168.1.11:1306 ESTABLISHED 13973/smbd
tcp 0 0 192.168.1.1:139 192.168.1.3:1077 ESTABLISHED 13804/smbd
# netstat -a -t -u -p -n | grep nmbd
udp 0 0 192.168.1.1:137 0.0.0.0:* 8499/nmbd
udp 0 0 192.168.1.1:138 0.0.0.0:* 8499/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 8499/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 8499/nmbd

Relevant part of iptables
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#
# ACCEPT for Samba > UDP/137,138 nmbd TCP/139,445 smbd
iptables -A OUTPUT -s $LOCALNET -p udp -m multiport --sports 137,138 -j ACCEPT
iptables -A OUTPUT -s $LOCALNET -p tcp -m multiport --sports 139,445 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
#
iptables -N NET_BIOS
iptables -A NET_BIOS -j LOG --log-prefix '[IPTABLES NET_BIOS] : '
iptables -A NET_BIOS -j DROP
#
iptables -A INPUT -s ! $LOCALNET -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A INPUT -s ! $LOCALNET -p udp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p tcp -m multiport --sports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p udp -m multiport --sports 135,137,138,139,445 -j DROP
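When a Samba log is flooded the way the post describes, the first useful step is to turn the raw entries into counts: which client triggers the IPC$ security-descriptor denials, how often, and whether the denials sit next to otherwise successful tree connects. The script below is an added example, not code from the poster or from the Samba project. It parses the Samba 3 two-line log layout (a "[date, level] file:func(line)" header followed by the message), strips the syslog prefix seen in the winPC2.log excerpt so both layouts parse the same way, and attributes each denial to the client address from the preceding check_access entry, since the denial line itself names only the share. SAMPLE_LOG is a constructed sample modeled on the excerpts in the post, not the real files.

```python
import re
from collections import Counter

# Constructed sample modeled on the log excerpts in the post; not the real files.
SAMPLE_LOG = """\
[2007/06/11 08:50:41, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 08:50:42, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [User1] -> [user1] -> [user1] succeeded
[2007/06/11 08:50:42, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 1] smbd/service.c:make_connection_snum(950)
  winPC1 (192.168.1.11) connect to service user1 initially as user user1 (uid=500, gid=505) (pid 31006)
[2007/06/11 08:50:44, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:44, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[13782]:   getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/access.c:check_access(327)
Jun 11 09:14:10 my_server smbd[13782]:   Denied connection from (0.0.0.0)
"""

# Optional syslog prefix "Mon DD HH:MM:SS host smbd[pid]: " as in the winPC2.log excerpt.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ?")
# Samba 3 entry header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)".
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$")
ALLOWED = re.compile(r"Allowed connection from \(([\d.]+)\)")
DENIED_HOST = re.compile(r"Denied connection from \(([\d.]+)\)")
SD_DENIED = re.compile(r"connection to (\S+) denied due to security descriptor")
CONNECT = re.compile(r"^(\S+) \(([\d.]+)\) connect to service (\S+) initially as user (\S+)")


def parse_entries(text):
    """Split Samba 3-style log text into entries of {ts, level, origin, message}.

    A header line starts a new entry; any following non-header line is appended
    to that entry's message (the original indentation is not required).
    """
    entries = []
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw).strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": int(m.group(2)),
                            "origin": m.group(3), "message": ""})
        elif entries:
            entries[-1]["message"] = (entries[-1]["message"] + " " + line).strip()
    return entries


def summarize(text):
    """Count security-descriptor denials, successful tree connects and
    hosts-allow denials, keyed by the client address.

    The security-descriptor denial names only the share, so the client is taken
    from the most recent 'Allowed connection from (ip)' entry in the same log.
    """
    sd_denials = Counter()    # (client, share) -> count
    connects = Counter()      # (client, service, user) -> count
    host_denials = Counter()  # address -> count of check_access denials
    last_client = None
    for entry in parse_entries(text):
        msg = entry["message"]
        m = ALLOWED.search(msg)
        if m:
            last_client = m.group(1)
            continue
        m = DENIED_HOST.search(msg)
        if m:
            host_denials[m.group(1)] += 1
            continue
        m = SD_DENIED.search(msg)
        if m:
            sd_denials[(last_client or "unknown", m.group(1))] += 1
            continue
        m = CONNECT.match(msg)
        if m:
            connects[(m.group(2), m.group(3), m.group(4))] += 1
    return {"sd_denials": sd_denials, "connects": connects, "host_denials": host_denials}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (client, share), n in sorted(result["sd_denials"].items()):
        print(f"{client} -> {share}: {n} security-descriptor denial(s)")
    for (client, service, user), n in sorted(result["connects"].items()):
        print(f"{client} -> {service} as {user}: {n} connect(s)")
    for addr, n in sorted(result["host_denials"].items()):
        print(f"{addr}: {n} hosts-allow denial(s)")
```

Run it against a real per-client log by replacing SAMPLE_LOG with the file contents (the log file = /var/log/samba/%m.log setting in the post produces one file per client). On the constructed sample it reports two IPC$ denials for 192.168.1.11 next to one successful connect to the user1 share, plus one check_access denial for 0.0.0.0, which is the getpeername failure case from the winPC2.log excerpt rather than a hosts allow mismatch with a real address.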