
Re: [Samba] "getpeername failed" error when signed communications policy enabled


Jeremy Allison

Dec 14, 2011, 5:20:02 PM
On Wed, Dec 07, 2011 at 11:01:50AM +0000, Hilton, David wrote:
> Hi,
>
> I'm looking for help with an issue that we are seeing with the following
> configuration:
>
> We are using Samba (3.5.12-72.fc15) to share out CUPS printers from a Fedora
> 15 machine. However, a requirement of the system is that these printers are
> not directly visible from client systems (Windows 7 SP1 32-bit), so instead
> we are sharing them out from a Windows print server (Windows 2008 R2 SP1).
> So the clients connect to print queues on the Windows print server, which in
> turn forwards the print jobs on to CUPS.
>
> The issue we are seeing occurs when a policy change is made on the Windows
> 2008 R2 print server. If the "Microsoft network client: Digitally sign
> communications (always)" policy setting is enabled, we see the following
> behaviour:
>
> - Applications running on the print server can print normally.
> - Applications running on client machines fail to print.
>
> When a print job fails we see the following in the samba log for the client
> machine:
>
>
> [2011/12/07 10:43:23.381798, 2] auth/auth.c:304(check_ntlm_password)
> check_ntlm_password: authentication for user [XXX] -> [XXX] -> [XXX] succeeded
> [2011/12/07 10:43:39.760399, 0] lib/util_sock.c:474(read_fd_with_timeout)
> [2011/12/07 10:43:39.760476, 0] lib/util_sock.c:1441(get_peer_addr_internal)
> getpeername failed. Error was Transport endpoint is not connected
> read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>
>
>
> The smb.conf file that we are using is as follows:
>
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2011/12/05 17:22:13
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
> workgroup = LOW
> password server = LOWDC
> security = user
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> winbind use default domain = false
> winbind offline logon = false
> server signing = auto
> log level = 2
> log file = /var/log/samba.log.%m
> max log size = 50
> debug timestamp = yes
>
> #--authconfig--end-line--
> load printers = yes
> printing = cups
> printcap name = cups
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = yes
> writable = no
> printable = yes
> printer admin = root, @ntadmins, @smbprintadm
> use client driver = yes
>
>
>
>
>
> If the "Microsoft network client: Digitally sign communications (always)"
> setting is disabled it all works OK, but disabling this policy setting is
> not an allowed option at present.

That sounds like a signing error - do you see such in the
Samba logs ?

Jeremy.

Jeremy Allison

Dec 15, 2011, 1:10:02 PM
On Thu, Dec 15, 2011 at 09:10:11AM +0000, Hilton, David wrote:
> No, the only error that we see is the "getpeername failed" error in the Samba log for the client machine that is trying to print the job.

Then I doubt it's a signing issue (which makes it strange).

What does a debug level 10 say ?

Allen Chen

Dec 16, 2011, 2:30:02 PM
I have the same message in samba log file, even though I set up "log
level = 0".
My Samba 3.4.5 PDC is listening on both ports 139 and 445 under CentOS
5.6 32bits.
Here is the message:
[2011/10/26 16:02:05, 0] lib/util_sock.c:539(read_fd_with_timeout)
[2011/10/26 16:02:05, 0] lib/util_sock.c:1491(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected
read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2011/10/26 16:02:05, 0] lib/util_sock.c:1491(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected
[2011/10/26 16:02:05, 0] lib/util_sock.c:1491(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected


Allen

Jeremy Allison

Dec 19, 2011, 2:10:01 PM
On Fri, Dec 16, 2011 at 02:00:17PM -0500, Allen Chen wrote:

> I have the same message in samba log file, even though I set up "log
> level = 0".
> My Samba 3.4.5 PDC is listening on both ports 139 and 445 under
> CentOS 5.6 32bits.
> Here is the message:
> [2011/10/26 16:02:05, 0] lib/util_sock.c:539(read_fd_with_timeout)
> [2011/10/26 16:02:05, 0] lib/util_sock.c:1491(get_peer_addr_internal)
> getpeername failed. Error was Transport endpoint is not connected
> read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> [2011/10/26 16:02:05, 0] lib/util_sock.c:1491(get_peer_addr_internal)
> getpeername failed. Error was Transport endpoint is not connected
> [2011/10/26 16:02:05, 0] lib/util_sock.c:1491(get_peer_addr_internal)
> getpeername failed. Error was Transport endpoint is not connected

We're going to need debug level 10 log output to even begin
to look into this.

Jeremy.

Hilton, David

Dec 28, 2011, 3:50:01 PM
No, the only error that we see is the "getpeername failed" error in the Samba log for the client machine that is trying to print the job.

David.

Jeremy Allison

Jan 5, 2012, 8:00:02 PM
On Wed, Jan 04, 2012 at 10:02:45AM +0000, Hilton, David wrote:
> We've found a solution for this and it turns out to be a setting at the
> Windows end:
>
> If you add the value AllowGuestAuthWhenSigningRequired = 1 to the registry
> key
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
> and then reboot the machine it all seems to work. Apparently this is
> new behaviour in Windows 2008:
>
> http://social.msdn.microsoft.com/Forums/en/os_fileservices/thread/832d395b-6e6f-4658-8dbb-120138a4cd7c

Oh thanks for figuring that out - much appreciated ! Looks like it's actually
a Windows bug then.

Allen Chen

Apr 22, 2012, 6:00:01 PM
On 12/19/2011 02:05 PM, Jeremy Allison wrote:
> On Fri, Dec 16, 2011 at 02:00:17PM -0500, Allen Chen wrote:
>
>> I have the same message in samba log file, even though I set up "log
>> level = 0".
>> My Samba 3.4.5 PDC is listening on both ports 139 and 445 under
>> CentOS 5.6 32bits.
>> Here is the message:
>> [2011/10/26 16:02:05, 0] lib/util_sock.c:539(read_fd_with_timeout)
>> [2011/10/26 16:02:05, 0] lib/util_sock.c:1491(get_peer_addr_internal)
>> getpeername failed. Error was Transport endpoint is not connected
>> read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>> [2011/10/26 16:02:05, 0] lib/util_sock.c:1491(get_peer_addr_internal)
>> getpeername failed. Error was Transport endpoint is not connected
>> [2011/10/26 16:02:05, 0] lib/util_sock.c:1491(get_peer_addr_internal)
>> getpeername failed. Error was Transport endpoint is not connected
I have lots of the same messages in the samba log file (exactly the same as
above).
I use compiled samba 3.4.5 PDC on CentOS 5.6 32bit with 200 XP clients.
I googled and tried to fix it without success.
The good thing is that nobody complains.
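
Added example (not written by any poster in this thread and not Samba code): a small parser for the log excerpts quoted above, which pairs each message with its header and reports a successful authentication that is followed by a peer reset. It assumes one header line and one message line per record and that consecutive headers are closed innermost-first, which matches the ordering in the samples; `parse_records` and `resets_after_auth` are names made up for this example.

```python
import re
from collections import Counter

# Samba 3.x debug header; fractional seconds appear in the 3.5.12 excerpt
# from the thread and are absent in the 3.4.5 one.
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+)(?:\.\d+)?,\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")

def parse_records(text):
    """Pair each message with its header, treating open headers as a stack."""
    stack, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            stack.append(dict(m.groupdict(), msg=""))
        elif line and stack:
            rec = stack.pop()              # innermost open header owns this message
            rec["msg"] = line
            records.append(rec)
        elif line and records:
            records[-1]["msg"] += " " + line   # continuation of the last message
    return records

def resets_after_auth(records):
    """Return (auth_ts, reset_ts) pairs: a successful auth, then a peer reset."""
    pairs, last_auth = [], None
    for r in records:
        if r["func"] == "check_ntlm_password" and "succeeded" in r["msg"]:
            last_auth = r["ts"]
        elif (r["func"] == "read_fd_with_timeout"
              and "Connection reset" in r["msg"] and last_auth):
            pairs.append((last_auth, r["ts"]))
            last_auth = None
    return pairs

# Constructed sample: the first log excerpt from the thread, unwrapped to the
# one-header-line / one-message-line layout assumed above.
SAMPLE = """\
[2011/12/07 10:43:23.381798, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [XXX] -> [XXX] -> [XXX] succeeded
[2011/12/07 10:43:39.760399, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/12/07 10:43:39.760476, 0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(Counter(r["func"] for r in recs))
    print(resets_after_auth(recs))
```

A pair from `resets_after_auth` means the client authenticated and then dropped the connection itself, which is the pattern in the first excerpt; a log containing only `getpeername failed` records, as in the 3.4.5 excerpts, yields no pairs.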