Debugging Samba: Deciphering Access Denied

Carter usually says the motto with a smile, as he did during a presentation at the LinuxWorld conference in San Francisco this month, but his claim is mostly serious. It sounds arrogant, but more often than not, Carter and the rest of the Samba team eventually discover that the "bugs" logged by users are hardware issues specific to their systems or bugs that actually exist in Windows, not Samba.

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

"In this scenario, the error message will say something like, 'Permission is needed to perform this action,'" Carter said. "You will never get an exact problem, because the user will just give you the error message they received and expect you to find out what the problem is. [As a system administrator], what you have to do is decipher what is popping up in front of the user and what is actually happening with Samba."

For any system administrator, the debugging process should always begin with a simple set of steps and a process of elimination, Carter said. First, ensure that you understand what the expected result should be. Then, if possible, test the same operation against a Windows server and check the physical networking hardware for issues.

If things check out, Carter prescribes a recipe for basic debugging needs. The basic debugging settings recommended by the Samba Team are log level 10, log file = /var/log/samba/log.%m, where Max Log Size is set to zero, debug time stamp is set to Yes, and the debug: pid set to Yes. Limiting log file size and log levels increase performance while debugging, Carter said.

Here's how Carter said users should deploy grep tools when Access Denied pops up on users' displays:

• Find the error and backtrack by using grep panic log.*
• Look for crashes with egrep '(WERR_|NT_STATUS)' log.* | grep -v OK
• Look for ACCESS_DENIED and so on by way of grep .api_rpcTNP.*unknown$. log.*
• Look for unknown MS-RPC calls with

Carter explained that many times in an access denied scenario, grep will return a message like this one in the log file:

"So grep wants to open the log file," he said, "and finds that access is denied. But why?" The answer is the SID, or security identifier. In Microsoft Windows, the SID is a unique alphanumeric character string that identifies each operating system and each user in a network of NT/2000/XP systems.

• Formerly known as Ethereal, Wireshark is a network sniffer and protocol analysis tool that provides excellent support for Server Message Block/Common Internet File System; Network Basic I/O System; distributed computing environment/remote procedure calls, Kerberos, Lightweight Directory Access Protocol and other associated protocols.
• There are also system trace tools, such as strace, ltrace and the contents of /proc.

Email Jack Loftus with your comments and suggestions.

Rate this Tip To rate tips, you must be a member of SearchEnterpriseLinux.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.