[Samba] "connection to IPC$ denied due to security descriptor" error
Posted: 2007-06-11 11:22
Thank you for your help as always. This will be a long post, but I would appreciate your assistance.

I am running Samba 3.0.24-4.fc5 (x86_64) as a PDC. The log fills up with "connection to IPC$ denied due to security descriptor".

The current symptoms are:
- authentication at logon takes quite a long time
- there is a noticeable lag when accessing files on the server
- at shutdown it takes a long time before the connection is dropped
but reading and writing files works almost without problems.

It is not a major obstacle at the moment, but I suspect that if this error (IPC$ denied due) stopped appearing, these three problems would be solved, so I have been searching sites and trying things, but I have not been able to resolve it yet. How can I solve this problem?

I thought it was related to the machine trust accounts, so I tried deleting the accounts with pdbedit and re-registering them several times. I also stopped Samba, deleted wins.dat, wins.tdb, browse.dat and share_info.tdb, and restarted Samba, but the situation is the same.

Is there a problem with smb.conf or something else? No printer is connected, so the related items in smb.conf are commented out and not configured. As a test I set load printers = no and disable spoolss = yes, restarted and watched for a while, but the same log messages are written. (I tried with the CUPS service both running and stopped.)

Server OS: Fedora Core 5 x86_64
Client OS: Windows XP SP2 (winPC1, winPC3), Windows 2000 Pro (winPC2)
* The printers (2 units) are LAN-attached with fixed IPs and are used only from Windows.
Ports UDP 137/138 and TCP 139/445 are all opened in iptables.

[log]
■ Every time a client accesses the server, the following is repeated many times in 'winPC1.log':

[2007/06/11 10:10:26, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 10:10:26, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 10:10:26, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 10:10:26, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 10:10:26, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 10:10:26, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.

■ The log in 'winPC1.log' at client startup is:

[2007/06/11 08:50:41, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 08:50:42, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/06/11 08:50:42, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/06/11 08:50:42, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [User1] -> [user1] -> [user1] succeeded
[2007/06/11 08:50:42, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 2] lib/module.c:do_smb_load_module(64)
  Module '/usr/lib64/samba/vfs/recycle.so' loaded
[2007/06/11 08:50:42, 1] smbd/service.c:make_connection_snum(950)
  winPC1 (192.168.1.11) connect to service user1 initially as user user1 (uid=500, gid=505) (pid 31006)
[2007/06/11 08:50:42, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 08:50:42, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 1] smbd/service.c:make_connection_snum(950)
  winPC1 (192.168.1.11) connect to service public initially as user user1 (uid=500, gid=505) (pid 31006)
[2007/06/11 08:50:44, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:44, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 08:50:44, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:44, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
(the four lines at 08:50:44 repeat from here on)

■ A log '192.168.1.11.log' is also created under winPC1's IP address above; the log at startup is:

[2007/06/11 08:50:41, 2] lib/access.c:check_access(323)
[2007/06/11 08:50:41, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:41, 2] smbd/reply.c:reply_special(496)
  netbios connect: name1=my_server name2=winPC1
[2007/06/11 08:50:41, 2] smbd/reply.c:reply_special(503)
  netbios connect: local=my_server remote=winPC1, name type = 0
[2007/06/11 08:50:41, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/06/11 08:50:41, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

■ Log 'winPC2.log' recorded after entering the password on winPC2 (Windows 2000):

Jun 11 09:14:10 my_server smbd[8496]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[8496]: getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[13782]: getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[13782]: getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/access.c:check_access(327)
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[13782]: getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: Denied connection from (0.0.0.0)
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:get_peer_addr(1229)
Jun 11 09:14:10 my_server smbd[13782]: getpeername failed. Error was Transport endpoint is not connected
Jun 11 09:14:10 my_server smbd[13782]: Connection denied from 0.0.0.0
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:write_data(562)
Jun 11 09:14:10 my_server smbd[13782]: write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
Jun 11 09:14:10 my_server smbd[13782]: [2007/06/11 09:14:10, 0] lib/util_sock.c:send_smb(769)
Jun 11 09:14:10 my_server smbd[13782]: Error writing 5 bytes to client. -1. (Connection reset by peer)

[Configuration files]
smb.conf (testparm output):

# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[public]"
Processing section "[wwwdir]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
	dos charset = CP932
	display charset = UTF-8
	workgroup = MY_NET
	server string = Server
	interfaces = eth1, lo, 192.168.1.0/24
	passdb backend = tdbsam:/etc/samba/passdb.tdb
	username map = /etc/samba/smbusers
	log level = 2
	log file = /var/log/samba/%m.log
	max log size = 256
	name resolve order = wins host bcast
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	domain logons = Yes
	os level = 65
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins support = Yes
	idmap uid = 15000-20000
	idmap gid = 15000-20000
	create mask = 0774
	directory mask = 0774
	guest ok = Yes
	hosts allow = 192.168.1.0/255.255.255.0, 127.0.0.
	hide special files = Yes

[homes]
	comment = Home Directories
	valid users = %S
	read only = No
	force create mode = 0770
	force directory mode = 0770
	browseable = No

[netlogon]
	comment = Network Logon Service
	path = /home/netlogon
	browseable = No

[public]
	comment = Public Stuff
	path = /home/samba/public
	read only = No
	force create mode = 0774
	force directory mode = 0774

[User information, etc.]

# pdbedit -L
user1:500:mr-user1
user2:501:mr-user2
user3:510:mr-user3
winPC1$:1003:Machine
winPC2$:1004:Machine
winPC3$:1005:Machine
my_server$:1008:Machine

# pdbedit -L -v -u user1
Unix username: user1
NT username:
Account Flags: [U ]
User SID: S-1-5-21-123456789-1234567890-1234567890-1012
Primary Group SID: S-1-5-21-123456789-1234567890-1234567890-513
Full Name: mr-user1
Home Directory: \\MY_SERVER\user1
HomeDir Drive:
Logon Script:
Profile Path: \\MY_SERVER\user1\profile
Domain: MY_NET
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 日, 07 2月 2106 15:28:15 JST
Kickoff time: 日, 07 2月 2106 15:28:15 JST
Password last set: 水, 09 5月 2007 09:30:36 JST
Password can change: 水, 09 5月 2007 09:30:36 JST
Password must change: 日, 07 2月 2106 15:28:15 JST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# pdbedit -L -v -u winPC1$
Unix username: winPC1$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-123456789-1234567890-1234567890-3006
Primary Group SID: S-1-5-21-123456789-1234567890-1234567890-513
Full Name: Machine
Home Directory:
HomeDir Drive:
Logon Script:
Profile Path:
Domain: MY_NET
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 日, 07 2月 2106 15:28:15 JST
Kickoff time: 日, 07 2月 2106 15:28:15 JST
Password last set: 金, 11 5月 2007 13:52:55 JST
Password can change: 金, 11 5月 2007 13:52:55 JST
Password must change: 日, 07 2月 2106 15:28:15 JST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# pdbedit -L -v -u my_server$
Unix username: my_server$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-123456789-1234567890-1234567890-3016
Primary Group SID: S-1-5-21-123456789-1234567890-1234567890-513
Full Name: Machine
Home Directory:
HomeDir Drive:
Logon Script:
Profile Path:
Domain: MY_NET
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 日, 07 2月 2106 15:28:15 JST
Kickoff time: 日, 07 2月 2106 15:28:15 JST
Password last set: 金, 11 5月 2007 14:00:38 JST
Password can change: 金, 11 5月 2007 14:00:38 JST
Password must change: 日, 07 2月 2106 15:28:15 JST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# cat wins.dat
VERSION 1 0
"MY_NET#00" 1180835260 255.255.255.255 e4R
"MY_NET#1b" 1180835260 192.168.1.1 64R
"MY_NET#1e" 1180835260 255.255.255.255 e4R
"my_server#00" 1180835260 192.168.1.1 66R
"my_server#03" 1180835260 192.168.1.1 66R
"my_server#20" 1180835260 192.168.1.1 66R
"winPC1#00" 1180869016 192.168.1.11 64R
"winPC1#03" 1180869017 192.168.1.11 64R
"winPC1#20" 1180869024 192.168.1.11 64R
"winPC2#00" 1180871087 192.168.1.3 64R
"winPC2#03" 1180871086 192.168.1.3 64R
"winPC2#20" 1180871086 192.168.1.3 64R
"winPC3#00" 0 192.168.1.4 64R
"winPC3#03" 0 192.168.1.4 64R
"winPC3#20" 0 192.168.1.4 64R
"user1#03" 1180869044 192.168.1.11 64R
"user2#03" 1180871086 192.168.1.3 64R
"winPC2$#03" 1180871086 192.168.1.3 64R
* The other users and machine names corresponding to the last three lines are missing; is that OK?

# cat browser.dat
"MY_NET" c0001000 "my_server" "MY_NET"
"my_server" 408d9a03 "Server" "MY_NET"
"winPC3" 40011003 "Third" "MY_NET"
"winPC2" 40011007 "" "MY_NET"
"winPC1" 40011207 "First" "MY_NET"

# cat hosts
127.0.0.1 localhost.loaldomain localhost
192.168.1.1 my_server aaa.bbb.com
192.168.1.11 winPC1
192.168.1.3 winPC2
192.168.1.4 winPC3
192.168.1.99 printer1
192.168.1.98 printer2

# cat resolv.conf
search aaa.bbb.com
domain MY_NET
nameserver 127.0.0.1
nameserver 192.168.1.1
nameserver ***.***.***.*** (external DNS)

[Log]
The following is recorded in 'nmbd.log' every 15 minutes:

[2007/06/11 09:45:31, 2] nmbd/nmbd_browsesync.c:announce_local_master_browser_to_domain_master_browser(108)
  announce_local_master_browser_to_domain_master_browser: We are both a domain and a local master browser for workgroup MY_NET. Do not announce to ourselves.
[2007/06/11 09:45:31, 2] nmbd/nmbd_browsesync.c:sync_with_dmb(152)
  sync_with_dmb: Initiating sync with domain master browser MY_SERVER<20> at IP 192.168.1.1 for workgroup MY_NET

[Other]

# nmblookup MY_NET#1d
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
querying MY_NET on 192.168.1.255
Got a positive name query response from 192.168.1.1 ( 192.168.1.1 )
192.168.1.1 MY_NET<1d>

# nmblookup -A 192.168.1.1
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Looking up status of 192.168.1.1
	MY_SERVER <00> - H <ACTIVE>
	MY_SERVER <03> - H <ACTIVE>
	MY_SERVER <20> - H <ACTIVE>
	..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
	MY_NET <1d> - H <ACTIVE>
	MY_NET <1b> - H <ACTIVE>
	MY_NET <1e> - <GROUP> H <ACTIVE>
	MY_NET <00> - <GROUP> H <ACTIVE>
	MAC Address = 00-00-00-00-00-00

# nmblookup -A 192.168.1.11
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Looking up status of 192.168.1.11
	MY_NET <00> - <GROUP> M <ACTIVE>
	MY_NET <1e> - <GROUP> M <ACTIVE>
	winPC1 <00> - M <ACTIVE>
	winPC1 <03> - M <ACTIVE>
	winPC1 <20> - M <ACTIVE>
	user1 <03> - M <ACTIVE>
	MAC Address = **-**-**-**-**-**

# nmblookup -A 192.168.1.3
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Looking up status of 192.168.1.3
	MY_NET <00> - <GROUP> M <ACTIVE>
	MY_NET <1e> - <GROUP> M <ACTIVE>
	winPC2 <00> - M <ACTIVE>
	winPC2 <03> - M <ACTIVE>
	winPC2 <20> - M <ACTIVE>
	winPC2$ <03> - M <ACTIVE>   <-- not present for winPC1 or winPC3
	user2 <03> - M <ACTIVE>
	MAC Address = **-**-**-**-**-**

# nmblookup -A 192.168.1.4
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Looking up status of 192.168.1.4
	MY_NET <00> - <GROUP> M <ACTIVE>
	MY_NET <1e> - <GROUP> M <ACTIVE>
	winPC3 <00> - M <ACTIVE>
	winPC3 <03> - M <ACTIVE>
	winPC3 <20> - M <ACTIVE>
	user3 <03> - M <ACTIVE>
	MAC Address = **-**-**-**-**-**

[Ports]

# netstat -a -t -u -p -n | grep smbd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 8496/smbd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 8496/smbd
tcp 0 0 192.168.1.1:445 192.168.1.4:1222 ESTABLISHED 13528/smbd
tcp 0 0 192.168.1.1:139 192.168.1.11:1306 ESTABLISHED 13973/smbd
tcp 0 0 192.168.1.1:139 192.168.1.3:1077 ESTABLISHED 13804/smbd

# netstat -a -t -u -p -n | grep nmbd
udp 0 0 192.168.1.1:137 0.0.0.0:* 8499/nmbd
udp 0 0 192.168.1.1:138 0.0.0.0:* 8499/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 8499/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 8499/nmbd

Relevant part of iptables:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#
# ACCEPT for Samba > UDP/137,138 nmbd TCP/139,445 smbd
iptables -A OUTPUT -s $LOCALNET -p udp -m multiport --sports 137,138 -j ACCEPT
iptables -A OUTPUT -s $LOCALNET -p tcp -m multiport --sports 139,445 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
#
iptables -N NET_BIOS
iptables -A NET_BIOS -j LOG --log-prefix '[IPTABLES NET_BIOS] : '
iptables -A NET_BIOS -j DROP
#
iptables -A INPUT -s ! $LOCALNET -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A INPUT -s ! $LOCALNET -p udp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p tcp -m multiport --sports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p udp -m multiport --sports 135,137,138,139,445 -j DROP
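IPC$ is the share that carries the named-pipe RPC traffic (NETLOGON, SRVSVC and the like) a domain member uses at logon, so a tree-connect denial there fits the slow logon and lag described in the post. As an added triage aid (not code from the post or from the Samba project), the following script parses Samba 3.x smbd log entries in the format shown above, attributes each "denied due to security descriptor" event to the client IP from the preceding check_access line, and lists clients whose IPC$ denials reach a threshold. The sample log is constructed from the post's winPC1.log excerpt; the 192.168.1.3 lines at the end are added to show per-client grouping.

```python
import re
from collections import Counter

# Constructed sample, modelled on the winPC1.log excerpt in the post above;
# the 192.168.1.3 entries at the end are added to show per-client grouping.
SAMPLE_LOG = """\
[2007/06/11 08:50:41, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 08:50:42, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [User1] -> [user1] -> [user1] succeeded
[2007/06/11 08:50:42, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 1] smbd/service.c:make_connection_snum(950)
  winPC1 (192.168.1.11) connect to service user1 initially as user user1 (uid=500, gid=505) (pid 31006)
[2007/06/11 08:50:42, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.11)
[2007/06/11 08:50:42, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
[2007/06/11 08:50:44, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.1.3)
[2007/06/11 08:50:44, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to IPC$ denied due to security descriptor.
"""

# Samba 3.x writes each event as a header line "[date time, level] file:func(line)"
# followed by an indented message line.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
ALLOWED_RE = re.compile(r"Allowed connection from \(([\d.]+)\)")
DENIED_RE = re.compile(r"connection to (\S+) denied due to security descriptor")
CONNECT_RE = re.compile(r"^\S+ \(([\d.]+)\) connect to service (\S+) initially as user (\S+)")


def parse_events(text):
    """Pair each header line with its message line; returns (ts, level, location, message) tuples."""
    events = []
    header = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = (m.group(1), int(m.group(2)), m.group(3))
            continue
        if header is None:
            continue  # message line without a header (e.g. syslog-wrapped): skip as noise
        events.append(header + (line,))
    return events


def summarize(events):
    """Count share denials and successful tree connects; a denial is attributed
    to the client IP from the most recent check_access line before it."""
    denied_by_share = Counter()
    denied_by_client = Counter()  # keyed by (client_ip, share)
    connected = Counter()         # keyed by (client_ip, share, user)
    last_client = None
    for _ts, _level, _where, msg in events:
        m = ALLOWED_RE.search(msg)
        if m:
            last_client = m.group(1)
            continue
        m = DENIED_RE.search(msg)
        if m:
            denied_by_share[m.group(1)] += 1
            denied_by_client[(last_client, m.group(1))] += 1
            continue
        m = CONNECT_RE.match(msg)
        if m:
            connected[(m.group(1), m.group(2), m.group(3))] += 1
    return {
        "denied_by_share": denied_by_share,
        "denied_by_client": denied_by_client,
        "connected": connected,
    }


def noisy_clients(summary, share="IPC$", threshold=2):
    """Client IPs whose denial count for `share` reaches `threshold`, sorted."""
    return sorted(
        ip for (ip, s), n in summary["denied_by_client"].items()
        if s == share and n >= threshold
    )


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_LOG))
    for share, n in s["denied_by_share"].items():
        print(f"{share}: {n} denials")
    for (ip, share), n in sorted(s["denied_by_client"].items()):
        print(f"  {ip} -> {share}: {n}")
    print("clients at or above threshold:", noisy_clients(s))
```

Pointed at the per-client files produced by the post's `log file = /var/log/samba/%m.log` setting at `log level = 2`, this gives a per-client count of IPC$ denials next to the tree connects that did succeed, which is the quickest way to tell a single misbehaving client from a server-side share ACL problem. The syslog-wrapped lines shown for winPC2.log will not match the header pattern until the `Jun 11 ... smbd[pid]: ` prefix is stripped.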