--- /dev/null
+<html>
+<body bgcolor="#ffffff">
+
+<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
+hspace="10" align="left" />
+
+<h1 class="head0">Chapter 12. Troubleshooting Samba</h1>
+
+
+<p><a name="INDEX-1"/><a name="INDEX-2"/>Samba is extremely robust. Once you have
+everything set up the way you want, you'll probably
+forget that it is running. When trouble occurs, it's
+typically during installation or when you're trying
+to reconfigure the server. Fortunately, a wide variety of resources
+are available to diagnose these troubles. While we
+can't describe in detail the solution to every
+problem you might encounter, you should be able to get a good start
+at resolving the problem by following the advice given in this
+chapter.</p>
+
+<p>The first section of this chapter lists the tool bag, a collection of
+tools available for troubleshooting Samba; the second section is a
+detailed how-to; the last section lists extra resources to track down
+particularly stubborn problems.</p>
+
+
+
+<div class="sect1"><a name="samba2-CHP-12-SECT-1"/>
+
+<h2 class="head1">The Tool Box</h2>
+
+<p><a name="INDEX-3"/><a name="INDEX-4"/>Sometimes Unix
+seems to be made up of a grab bag of applications and tools. There
+are tools to troubleshoot tools. And of course, there are several
+ways to accomplish the same task. When trying to solve a problem
+related to Samba, a good plan of attack is to use the following:</p>
+
+<ul><li>
+<p>Samba logs</p>
+</li><li>
+<p>Samba test utilities</p>
+</li><li>
+<p>Unix utilities</p>
+</li><li>
+<p>Fault tree</p>
+</li><li>
+<p>Documentation and FAQs</p>
+</li><li>
+<p>Samba newsgroups</p>
+</li><li>
+<p>Searchable mailing list archives</p>
+</li></ul>
+<p>Let's go over each of these one-by-one in the
+following sections.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-1.1"/>
+
+<h3 class="head2">Samba Logs</h3>
+
+<p><a name="INDEX-5"/><a name="INDEX-6"/>Your first line of attack should always
+be to check the log files. The Samba log files can help diagnose the
+vast majority of the problems faced by beginning- to
+intermediate-level Samba administrators. Samba is quite flexible when
+it comes to logging. You can set up the server to log as little or as
+much information as you want. Using substitution variables in the
+Samba configuration file allows you to isolate individual logs for
+each system, share, or combination thereof.</p>
+
+<p>Logs are placed in <em class="filename">/usr/local/samba/var/smbd.log</em>
+and <em class="filename">/usr/local/samba/var/nmbd.log</em> by default.
+You can specify a log directory to use with the
+<em class="emphasis">-l</em> flag on the command line when starting the
+Samba daemons. For example:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>smbd -l /var/log/samba</b></tt>
+# <tt class="userinput"><b>nmbd -l /var/log/samba</b></tt></pre></blockquote>
+
+<p>Alternatively, you can override the location and name using the
+<tt class="literal">log</tt><a name="INDEX-7"/> <tt class="literal">file</tt> configuration
+option in <em class="filename">smb.conf</em>. This option accepts all the
+substitution variables, so you could easily have the server keep a
+separate log for each connecting client system by specifying the
+following:</p>
+
+<blockquote><pre class="code">[global]
+ log file = %m.log</pre></blockquote>
+
+<p>Another useful trick is to have the server keep a log for each
+service (share) that is offered, especially if you suspect a
+particular share is causing trouble. To do this, use the
+<tt class="literal">%S</tt> variable, like this:</p>
+
+<blockquote><pre class="code">[global]
+ log file = %S.log</pre></blockquote>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.1"/>
+
+<h3 class="head3">Log levels</h3>
+
+<p><a name="INDEX-8"/>The level of logging that Samba uses
+can be set in the <em class="filename">smb.conf</em> file using the global
+<tt class="literal">log</tt> <tt class="literal">level</tt> or
+<tt class="literal">debug</tt> <tt class="literal">level</tt> option; they are
+equivalent. The logging level is an integer that can range from 0 to
+10. At level 0, no logging is done. Higher values result in more
+voluminous logging. For example, let's assume that
+we will use a Windows client to browse a directory on a Samba server.
+For a small amount of log information, you can use
+<tt class="literal">log</tt> <tt class="literal">level</tt> <tt class="literal">=</tt>
+<tt class="literal">1</tt>, which instructs Samba to show only cursory
+information, in this case only the connection itself:</p>
+
+<blockquote><pre class="code">05/25/02 22:02:11 server (192.168.236.86) connect to service public as user pcguest
+(uid=503,gid=100) (pid 3377)</pre></blockquote>
+
+<p>Higher debug levels produce more detailed information. Usually, you
+won't need more than level 3, which is fully
+adequate for most Samba administrators. Levels above 3 are used by
+the developers and dump enormous amounts of cryptic information.</p>
+
+<p>Here is an example of output at levels 2 and 3 for the same
+operation. Don't worry if you don't
+understand the intricacies of an SMB connection; the point is simply
+to show you what types of information are shown at the different
+<a name="INDEX-9"/>logging levels:</p>
+
+<blockquote><pre class="code"> /* Level 2 */
+Got SIGHUP
+Processing section "[homes]"
+Processing section "[public]"
+Processing section "[temp]"
+Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
+Allowed connection from 192.168.236.86 (192.168.236.86) to IPC/
+
+
+/* Level 3 */
+05/25/02 22:15:09 Transaction 63 of length 67
+switch message SMBtconX (pid 3377)
+Allowed connection from 192.168.236.86 (192.168.236.86) to IPC$
+ACCEPTED: guest account and guest ok
+found free connection number 105
+Connect path is /tmp
+chdir to /tmp
+chdir to /
+05/25/02 22:15:09 server (192.168.236.86) connect to service IPC$ as user pcguest
+(uid=503,gid=100) (pid 3377)
+05/25/02 22:15:09 tconX service=ipc$ user=pcguest cnum=105
+05/25/02 22:15:09 Transaction 64 of length 99
+switch message SMBtrans (pid 3377)
+chdir to /tmp
+trans <\PIPE\LANMAN> data=0 params=19 setup=0
+Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
+Doing RNetShareEnum
+RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
+05/25/02 22:15:11 Transaction 65 of length 99
+switch message SMBtrans (pid 3377)
+chdir to /
+chdir to /tmp
+trans <\PIPE\LANMAN> data=0 params=19 setup=0
+Got API command 0 of form <WrLeh> <B13BWz> (tdscnt=0,tpscnt=19,mdrcnt=4096,mprcnt=8)
+Doing RNetShareEnum
+RNetShareEnum gave 4 entries of 4 (1 4096 126 4096)
+05/25/02 22:15:11 Transaction 66 of length 95
+switch message SMBtrans2 (pid 3377)
+chdir to /
+chdir to /pcdisk/public
+call_trans2findfirst: dirtype = 0, maxentries = 6, close_after_first=0, close_if_end
+= 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432
+unix_clean_name [./DESKTOP.INI]
+unix_clean_name [desktop.ini]
+unix_clean_name [./]
+creating new dirptr 1 for path ./, expect_close = 1
+05/25/02 22:15:11 Transaction 67 of length 53
+switch message SMBgetatr (pid 3377)
+chdir to /
+
+<i class="lineannotation">[... deleted ...]</i></pre></blockquote>
+
+<p>We cut off this listing after the first packet because it runs on for
+many pages. However, be aware that log levels above 3 will quickly
+consume disk space with megabytes of excruciating detail concerning
+Samba's internal operations. Log level 3 is
+extremely useful for following exactly what the server is doing, and
+most of the time it will be obvious where an error occurs by glancing
+through the log file.</p>
+
+<p>Using a high log level (3 or above) will
+<em class="emphasis">seriously</em> slow down the Samba server. Remember
+that every log message generated causes a write to disk (an
+inherently slow operation) and log levels greater than 2 produce
+massive amounts of data. Essentially, you should turn on logging
+level 3 only when you're actively tracking a problem
+in the Samba server. <a name="INDEX-10"/></p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.2"/>
+
+<h3 class="head3">Activating and deactivating logging</h3>
+
+<p><a name="INDEX-11"/><a name="INDEX-12"/>To turn logging on and off,
+set the appropriate level in the <tt class="literal">[global]</tt> section
+of <em class="filename">smb.conf</em>. Then, you can either restart Samba
+or force the current daemon to reprocess the configuration file by
+sending it a hangup (HUP) signal. You also can send the
+<em class="emphasis">smbd</em> process a SIGUSR1 signal to increase its
+log level by one while it's running, like this:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR1 1234</b></tt></pre></blockquote>
+
+<p>or a SIGUSR2 signal to decrease it by one:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>kill -SIGUSR2 1234</b></tt></pre></blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.1.3"/>
+
+<h3 class="head3">Logging by individual client systems or users</h3>
+
+<p>An effective way to diagnose problems without hampering other users
+is to assign different log levels for different systems in the
+<tt class="literal">[global]</tt> section of the
+<em class="filename">smb.conf</em> file. We can do this by building on the
+strategy we presented earlier:</p>
+
+<blockquote><pre class="code">[global]
+ log level = 0
+ log file = /usr/local/samba/var/log.%m
+ include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>
+
+<p>These options instruct Samba to use unique configuration and log
+files for each client that connects. Now all you have to do is create
+an <em class="filename">smb.conf</em> file for a specific client system
+with a <tt class="literal">log</tt> <tt class="literal">level</tt>
+<tt class="literal">=</tt> <tt class="literal">3</tt> entry in it (the others
+will pick up the default log level of 0) and use that log file to
+track down the problem.</p>
+
+<p>Similarly, if only particular users are experiencing a
+problem—and it travels from system to system with
+them—you can isolate logging to a specific user by adding the
+following to the <em class="filename">smb.conf</em> file:</p>
+
+<blockquote><pre class="code">[global]
+ log level = 0
+ log file = /usr/local/samba/var/log.%u
+ include = /usr/local/samba/lib/smb.conf.%u</pre></blockquote>
+
+<p>Then you can create a unique <em class="filename">smb.conf</em> file for
+each user you wish to monitor (e.g.,
+<em class="filename">/usr/local/samba/lib/smb.conf.tim</em>). Files
+containing the configuration option <tt class="literal">log</tt>
+<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">3</tt>
+and only those users will get more detailed logging.<a name="INDEX-13"/><a name="INDEX-14"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-1.2"/>
+
+<h3 class="head2">Samba Test Utilities</h3>
+
+<p><a name="INDEX-15"/><a name="INDEX-16"/>A rigorous set of tests that exercise
+the major parts of Samba are described in various files in the
+<em class="emphasis">/docs/textdocs</em> directory of the Samba
+distribution kit, starting with <em class="emphasis">DIAGNOSIS.txt</em>.
+The fault tree in this chapter is a more detailed version of the
+basic tests suggested by the Samba Team, but it covers only
+installation and reconfiguration diagnosis, such as
+<em class="emphasis">DIAGNOSIS.txt</em>. The other files in the
+<em class="emphasis">/docs</em> subdirectories address specific problems
+and instruct you how to troubleshoot items not included in this book.
+If the fault tree doesn't suffice, be sure to look
+at
+<em class="emphasis">DIAGNOSIS.txt</em><a name="INDEX-17"/>
+and its friends.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-1.3"/>
+
+<h3 class="head2">Unix Utilities</h3>
+
+<p>Sometimes it's useful to use a tool outside the
+Samba suite to examine what's happening inside the
+server. Three diagnostic tools can be of particular help in debugging
+Samba troubles: <em class="emphasis">trace</em>,
+<em class="emphasis">tcpdump</em>, and <em class="emphasis">Ethereal</em>.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.1"/>
+
+<h3 class="head3">Using trace</h3>
+
+<p>The <em class="emphasis">trace</em><a name="INDEX-18"/> command masquerades under several
+different names, depending on the operating system you are using. On
+Linux it will be
+<em class="emphasis">strace</em><a name="INDEX-19"/>; on Solaris you'll use
+<em class="emphasis">truss</em><a name="INDEX-20"/>; SGI will have
+<em class="emphasis">padc</em><a name="INDEX-21"/> and
+<em class="emphasis">par</em><a name="INDEX-22"/>; and HP-UX will have
+<em class="emphasis">trace</em> or
+<em class="emphasis">tusc</em><a name="INDEX-23"/>. All have essentially the same
+function, which is to display each operating system function call as
+it is executed. This allows you to follow the execution of a program,
+such as the Samba server, and often pinpoints the exact call that is
+causing the difficulty.</p>
+
+<p>One problem that <em class="emphasis">trace</em> can highlight is an
+incorrect version of a dynamically linked library. This can happen if
+you've downloaded prebuilt binaries of Samba.
+You'll typically see the offending call at the end
+of the <em class="emphasis">trace</em>, just before the program
+terminates.</p>
+
+<p>A sample <em class="emphasis">strace</em> output for the Linux operating
+system follows. This is a small section of a larger file created
+during the opening of a directory on the Samba server. Each line
+lists a system call and includes its parameters and the return value.
+If there was an error, the error value (e.g.,
+<tt class="literal">ENOENT</tt>) and its explanation are also shown. You
+can look up the parameter types and the errors that can occur in the
+appropriate <em class="emphasis">trace</em> manual page for the operating
+system you are using.</p>
+
+<blockquote><pre class="code">chdir("/pcdisk/public") = 0
+stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory)
+stat("mini", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
+stat("mini/desktop.ini", 0xbffff7ec) = -1 ENOENT (No such file or directory)
+open("mini", O_RDONLY) = 5
+fcntl(5, F_SETFD, FD_CLOEXEC) = 0
+fstat(5, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
+lseek(5, 0, SEEK_CUR) = 0
+SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 196
+lseek(5, 0, SEEK_CUR) = 1024
+SYS_141(0x5, 0xbfffdbbc, 0xedc, 0xbfffdbbc, 0x80ba708) = 0
+close(5) = 0
+stat("mini/desktop.ini", 0xbffff86c) = -1 ENOENT (No such file or directory)
+write(3, "\0\0\0#\377SMB\10\1\0\2\0\200\1\0"..., 39) = 39
+SYS_142(0xff, 0xbffffc3c, 0, 0, 0xbffffc08) = 1
+read(3, "\0\0\0?", 4) = 4
+read(3, "\377SMBu\0\0\0\0\0\0\0\0\0\0\0\0"..., 63) = 63
+time(NULL) = 896143871</pre></blockquote>
+
+<p>This example shows several <em class="emphasis">stat() calls</em> failing
+to find the files they were expecting. You don't
+have to be an expert to see that the file
+<em class="emphasis">desktop.ini</em> is missing from that directory. In
+fact, many difficult problems can be identified by looking for
+obvious, repeatable errors with <em class="emphasis">trace</em>. Often,
+you need not look further than the last message before a crash.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.2"/>
+
+<h3 class="head3">Using tcpdump</h3>
+
+<p>The <em class="emphasis">tcpdump</em><a name="INDEX-24"/> program, as extended by Andrew
+<a name="INDEX-25"/>Tridgell,
+allows you to monitor SMB <a name="INDEX-26"/>network
+traffic in real time. A variety of output formats are available, and
+you can filter the output to look at only a particular type of
+traffic. You can examine all conversations between client and server,
+including SMB and NMB broadcast messages. While its troubleshooting
+capabilities lie mainly at the OSI network layer, you can still use
+its output to get a general idea of what the server and client are
+attempting to do.</p>
+
+<p>A sample <em class="emphasis">tcpdump</em> log follows. In this instance,
+the client has requested a directory listing, and the server has
+responded appropriately, giving the directory names
+<tt class="literal">homes</tt>, <tt class="literal">public</tt>,
+<tt class="literal">IPC$</tt>, and <tt class="literal">temp</tt>
+(we've added a few explanations on the right):</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>tcpdump -v -s 255 -i eth0 port not telnet</b></tt>
+SMB PACKET: SMBtrans (REQUEST) <i class="lineannotation"> Request packet</i>
+SMB Command = 0x25 <i class="lineannotation">Request was ls or dir</i>
+
+[000] 01 00 00 10 <i class="lineannotation">....</i>
+
+
+>>> NBT Packet <i class="lineannotation">Outer frame of SMB packet</i>
+NBT Session Packet
+Flags=0x0
+Length=226
+[lines skipped]
+
+SMB PACKET: SMBtrans (REPLY) <i class="lineannotation">Beginning of a reply to request</i>
+SMB Command = 0x25 <i class="lineannotation">Command was an ls or dir</i>
+Error class = 0x0
+Error code = 0 <i class="lineannotation">No errors</i>
+Flags1 = 0x80
+Flags2 = 0x1
+Tree ID = 105
+Proc ID = 6075
+UID = 100
+MID = 30337
+Word Count = 10
+TotParamCnt=8
+TotDataCnt=163
+Res1=0
+ParamCnt=8
+ParamOff=55
+Res2=0
+DataCnt=163
+DataOff=63
+Res3=0
+Lsetup=0
+Param Data: (8 bytes)
+[000] 00 00 00 00 05 00 05 00 ........
+
+Data Data: (135 bytes) <i class="lineannotation">Actual directory contents:</i>
+[000] 68 6F 6D 65 73 00 00 00 00 00 00 00 00 00 00 00 homes... ........
+[010] 64 00 00 00 70 75 62 6C 69 63 00 00 00 00 00 00 d...publ ic......
+[020] 00 00 00 00 75 00 00 00 74 65 6D 70 00 00 00 00 ....u... temp....
+[030] 00 00 00 00 00 00 00 00 76 00 00 00 49 50 43 24 ........ v...IPC$
+[040] 00 00 00 00 00 00 00 00 00 00 03 00 77 00 00 00 ........ ....w...
+[050] 64 6F 6E 68 61 6D 00 00 00 00 00 00 00 00 00 00 donham.. ........
+[060] 92 00 00 00 48 6F 6D 65 20 44 69 72 65 63 74 6F ....Home Directo
+[070] 72 69 65 73 00 00 00 49 50 43 20 53 65 72 76 69 ries...I PC Servi
+[080] 63 65 20 28 53 61 6D ce (Sam</pre></blockquote>
+
+<p>This is more of the same debugging session as we saw before with the
+<em class="emphasis">trace</em> command: the listing of a directory. The options
+we used were <em class="emphasis">-v</em> (verbose), <em class="emphasis">-i
+eth0</em> to tell <em class="emphasis">tcpdump</em> on which
+interface to listen (an Ethernet port), and <em class="emphasis">-s
+255</em> to tell it to save the first 255 bytes of each packet
+instead of the default: the first 68. The option
+<tt class="literal">port</tt> <tt class="literal">not</tt>
+<tt class="literal">telnet</tt> is used to avoid screens of telnet traffic,
+because we were logged in to the server remotely. The
+<em class="emphasis">tcpdump</em> program actually has quite a number of
+options to filter just the traffic you want to look at. If
+you've used <em class="emphasis">snoop</em> or
+<em class="emphasis">etherdump</em>, it will look vaguely familiar.</p>
+
+<p>You can download the modified <em class="emphasis">tcpdump</em> from the
+Samba FTP server, located at
+<a href="ftp://samba.anu.edu.au/pub/samba/tcpdump-smb">ftp://samba.anu.edu.au/pub/samba/tcpdump-smb</a>.
+Other versions might not include support for the SMB protocol; if you
+don't see output such as that shown in the example,
+you'll need to use the SMB-enabled version.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-1.3.3"/>
+
+<h3 class="head3">Using Ethereal</h3>
+
+<p><a name="INDEX-27"/>Ethereal (<a href="http://www.ethereal.com">http://www.ethereal.com</a>) is a GUI-based
+utility that performs the same basic function as
+<em class="emphasis">tcpdump</em>. You might prefer Ethereal because it is
+much easier to use. Once you have Ethereal running, just do the
+following:</p>
+
+<ol><li>
+<p>Select Start from the Capture menu.</p>
+</li><li>
+<p>Click the OK button in the dialog box that appears. This will bring
+up a dialog box showing how many packets Ethereal has seen. Perform
+the actions on the system(s) in your network to reproduce the problem
+you are analyzing.</p>
+</li><li>
+<p>Click the Stop button in the Ethereal dialog box to make it finish
+collecting data.</p>
+</li><li>
+<p>In the main Ethereal window, click any item in the upper window to
+view it in the lower window. In the lower window, click any of the
+boxes containing a plus sign (<tt class="literal">+</tt>) to expand the
+view.</p>
+</li></ol>
+<p>Ethereal does a good job of translating the content of the packets it
+encounters into human-readable format, and you should have little
+trouble seeing what happened on the network during the capture
+period. <a name="INDEX-28"/><a name="INDEX-29"/></p>
+
+
+</div>
+
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-12-SECT-2"/>
+
+<h2 class="head1">The Fault Tree</h2>
+
+<p><a name="INDEX-30"/><a name="INDEX-31"/><a name="INDEX-32"/><a name="INDEX-33"/>The fault
+tree presented in this section is for diagnosing and fixing problems
+that occur when you're installing and reconfiguring
+Samba. It's an expanded form of the trouble and
+diagnostic document <em class="filename">DIAGNOSIS.txt</em>, which is part
+of the Samba distribution.</p>
+
+<p>Before you set out to troubleshoot any part of the Samba suite, you
+should know the following information:</p>
+
+<ul><li>
+<p>Your client IP address (we use 192.168.236.10)</p>
+</li><li>
+<p>Your server IP address (we use 192.168.236.86)</p>
+</li><li>
+<p>The netmask for your network (typically 255.255.255.0)</p>
+</li><li>
+<p>Whether the systems are all on the same subnet (ours are)</p>
+</li></ul>
+<p>For clarity, we've renamed the server in the
+following examples to <tt class="literal">server.example.com</tt>, and the
+client system to <tt class="literal">client.example.com</tt>.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.1"/>
+
+<h3 class="head2">How to Use the Fault Tree</h3>
+
+<p>Start the tests here, without skipping forward; it
+won't take long (about 5 minutes) and might actually
+save you time backtracking. Whenever a test succeeds, you will be
+given a name of a section to which you can safely skip.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.2"/>
+
+<h3 class="head2">Troubleshooting Low-Level IP</h3>
+
+<p><a name="INDEX-34"/>The
+first series of tests is that of the low-level services that Samba
+needs to run. The tests in this section verify that:</p>
+
+<ul><li>
+<p>The IP software works</p>
+</li><li>
+<p>The Ethernet hardware works</p>
+</li><li>
+<p>Basic name service is in place</p>
+</li></ul>
+<p>Subsequent sections add TCP software, the Samba daemons
+<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>, host-based
+access control, authentication and per-user access control, file
+services, and browsing. The tests are described in considerable
+detail to make them understandable by both technically oriented end
+users and experienced systems and network administrators.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.1"/>
+
+<h3 class="head3">Testing the networking software with ping</h3>
+
+<p><a name="INDEX-35"/>The first command to enter
+on both the server and the client is
+<tt class="literal">ping</tt><a name="INDEX-36"/><a name="INDEX-37"/>
+<tt class="literal">127.0.0.1</tt>. This pings the loopback address and
+indicates whether any networking support is functioning. On Unix, you
+can use <tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> with the
+statistics option and interrupt it after a few lines. On Sun
+workstations, the command is typically
+<tt class="literal">/usr/etc/ping</tt> <tt class="literal">-s</tt>
+<tt class="literal">127.0.0.1</tt>; on Linux, just <tt class="literal">ping</tt>
+<tt class="literal">127.0.0.1</tt>. On Windows clients, run
+<tt class="literal">ping</tt> <tt class="literal">127.0.0.1</tt> in an MS-DOS
+(command prompt) window, and it will stop by itself after four lines.</p>
+
+<p>Here is an example on a Linux server:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ping 127.0.0.1 </b></tt>
+PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1):
+icmp-seq=0. time=1. ms 64 bytes from localhost (127.0.0.1):
+icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1):
+icmp-seq=2. time=1. ms ^C
+----127.0.0.1 PING Statistics----
+3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)
+min/avg/max = 0/0/1</pre></blockquote>
+
+<p>If you get "ping: no answer from . . .
+" or "100% packet
+loss," you have no IP networking installed on the
+system. The address <tt class="literal">127.0.0.1</tt> is the internal
+loopback address and doesn't depend on the computer
+being physically connected to a network. If this test fails, you have
+a serious local problem. TCP/IP either isn't
+installed or is seriously misconfigured. See your operating system
+documentation if it's a Unix server. If
+it's a Windows client, follow the instructions in
+<a href="ch03.html">Chapter 3</a> to install networking support.</p>
+
+<a name="samba2-CHP-12-NOTE-155"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>If <em class="emphasis">you're</em> the network manager,
+some good references are Craig Hunt's
+<em class="emphasis">TCP/IP Network Administration</em>, Chapter 11, and Craig Hunt and Robert Bruce
+Thompson's <em class="emphasis">Windows NT TCP/IP Network
+Administration</em>, both published by
+O'Reilly.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.2"/>
+
+<h3 class="head3">Testing local name services with ping</h3>
+
+<p><a name="INDEX-38"/>Next, try to ping
+<tt class="literal">localhost</tt> on the Samba server. The
+<tt class="literal">localhost</tt> hostname is the conventional hostname
+for the <tt class="literal">127.0.0.1</tt> loopback interface, and it
+should resolve to that address. After typing <tt class="literal">ping</tt>
+<tt class="literal">localhost</tt>, you should see output similar to the
+following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ping localhost </b></tt>
+PING localhost: 56 data bytes 64 bytes from localhost (127.0.0.1):
+icmp-seq=0. time=0. ms 64 bytes from localhost (127.0.0.1):
+icmp-seq=1. time=0. ms 64 bytes from localhost (127.0.0.1):
+icmp-seq=2. time=0. ms ^C</pre></blockquote>
+
+<p>If this succeeds, try the same test on the client. Otherwise:</p>
+
+<ul><li>
+<p>If you get "unknown host:
+localhost," there is a problem resolving the
+hostname <em class="filename">localhost</em> into a valid IP address.
+(This might be as simple as a missing entry in a local
+<em class="emphasis">hosts</em> file.) From here, skip down to
+<a href="ch03.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a> later in this chapter.</p>
+</li><li>
+<p>If you get "ping: no answer," or
+"100% packet loss," but pinging
+<tt class="literal">127.0.0.1</tt> worked, name services is resolving to an
+address, but it isn't the correct one. Check the
+file or database (typically <em class="filename">/etc/hosts</em> on a Unix
+system) that the name service is using to resolve addresses to ensure
+that the entry is correct.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.3"/>
+
+<h3 class="head3">Testing the networking hardware with ping</h3>
+
+<p><a name="INDEX-39"/>Next, ping the
+server's network IP address from itself. This should
+get you exactly the same results as pinging
+<tt class="literal">127.0.0.1</tt>:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ping 192.168.236.86 </b></tt>
+PING 192.168.236.86: 56 data bytes 64 bytes from 192.168.236.86 (192.168.236.86):
+icmp-seq=0. time=1. ms 64 bytes from 192.168.236.86 (192.168.236.86):
+icmp-seq=1. time=0. ms 64 bytes from 192.168.236.86 (192.168.236.86):
+icmp-seq=2. time=1. ms ^C
+----192.168.236.86 PING Statistics----
+3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)
+min/avg/max = 0/0/1</pre></blockquote>
+
+<p>If this works on the server, repeat it for the client. Otherwise:</p>
+
+<ul><li>
+<p>If <tt class="literal">ping</tt> <em class="replaceable">network_ip</em>
+fails on either the server or client, but <tt class="literal">ping</tt>
+<tt class="literal">127.0.0.1</tt> works on that system, you have a TCP/IP
+problem that is specific to the Ethernet network interface card on
+the computer. Check with the documentation for the network card or
+host operating system to determine how to configure it correctly.
+However, be aware that on some operating systems, the
+<em class="emphasis">ping</em> command appears to work even if the network
+is disconnected, so this test doesn't always
+diagnose all hardware problems.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.2.4"/>
+
+<h3 class="head3">Testing connections with ping</h3>
+
+<p><a name="INDEX-40"/>Now, ping the server by name (instead
+of its IP address)—once from the server and once from the
+client. This is the general test for working network hardware:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ping server </b></tt>
+PING server.example.com: 56 data bytes 64 bytes from server.example.com (192.168.236.86):
+icmp-seq=0. time=1. ms 64 bytes from server.example.com (192.168.236.86):
+icmp-seq=1. time=0. ms 64 bytes from server.example.com (192.168.236.86):
+icmp-seq=2. time=1. ms ^C
+----server.example.com PING Statistics----
+3 packets transmitted, 3 packets received, 0% packet loss round-trip (ms)
+min/avg/max = 0/0/1</pre></blockquote>
+
+<p>If successful, this test tells us five things:</p>
+
+<ul><li>
+<p>The hostname (e.g., <tt class="literal">server</tt>) is being found by your
+local name server.</p>
+</li><li>
+<p>The hostname has been expanded to the full name (e.g.,
+<tt class="literal">server.example.com</tt>).</p>
+</li><li>
+<p>Its address is being returned (<tt class="literal">192.168.236.86</tt>).</p>
+</li><li>
+<p>The client has sent the Samba server four 56-byte UDP/IP packets.</p>
+</li><li>
+<p>The Samba server has replied to all four packets.</p>
+</li></ul>
+<p>If this test isn't successful, one of several things
+can be wrong with the network:</p>
+
+<ul><li>
+<p>First, if you get <tt class="literal">ping</tt>: <tt class="literal">no</tt>
+<tt class="literal">answer</tt>, or <tt class="literal">100%</tt>
+<tt class="literal">packet</tt> <tt class="literal">loss</tt>,
+you're not connecting to the network, the other
+system isn't connecting, or one of the addresses is
+incorrect. Check the addresses that the <em class="emphasis">ping</em>
+command reports on each system, and ensure that they match the ones
+you set up initially.</p>
+
+<p>If not, there is at least one mismatched address between the two
+systems. Try entering the command <tt class="literal">arp</tt>
+<tt class="literal">-a</tt>, and see if there is an entry for the other
+system. (The <em class="emphasis">arp</em> command stands for the Address
+Resolution Protocol. The <tt class="literal">arp</tt> <tt class="literal">-a</tt>
+command lists all the addresses known on the local system.) Here are
+some things to try:</p>
+<ul><li>
+<p>If you receive a message like <tt class="literal">192.168.236.86</tt>
+<tt class="literal">at</tt> <tt class="literal">(incomplete)</tt>, the Ethernet
+address of 192.168.236.86 is unknown. This indicates a complete lack
+of connectivity, and you're likely having a problem
+at the very bottom of the TCP/IP protocol stack—the Ethernet
+interface layer. This is discussed in Chapters 5 and 6 of
+<em class="citetitle">TCP/IP Network Administration
+</em>(O'Reilly).</p>
+</li><li>
+<p>If you receive a response similar to server
+<tt class="literal">(192.168.236.86)</tt> <tt class="literal">at</tt>
+<tt class="literal">8:0:20:12:7c:94</tt>, the server has been reached at
+some time, or another system is answering on its behalf. However,
+this means that <em class="emphasis">ping</em> should have worked: you may
+have an intermittent networking or ARP problem.</p>
+</li><li>
+<p>If the IP address from ARP doesn't match the
+addresses you expected, investigate and correct the addresses
+manually.</p>
+</li>
+</ul>
+</li>
+
+<li>
+<p>If each system can ping itself but not another, something is wrong on
+the network between them.</p>
+</li><li>
+<p>If you get <tt class="literal">ping</tt>: <tt class="literal">network</tt>
+<tt class="literal">unreachable</tt> or <tt class="literal">ICMP</tt>
+<tt class="literal">Host</tt> <tt class="literal">Unreachable</tt>,
+you're not receiving an answer, and more than one
+network is probably involved.</p>
+
+<p>In principle, you shouldn't try to troubleshoot SMB
+clients and servers on different networks. Try to test a server and
+client that are on the same network:</p>
+
+<ol><li>
+<p>First, perform the tests for <tt class="literal">ping</tt>:
+<tt class="literal">no</tt> <tt class="literal">answer</tt> described earlier in
+this section. If this doesn't identify the problem,
+the remaining possibilities are the following: an address is wrong,
+your netmask is wrong, a network is down, or the packets have been
+stopped by a firewall.</p>
+</li>
+<li>
+<p>Check both the address and the netmasks on source and destination
+systems to see if something is obviously wrong. Assuming both systems
+really are on the same network, they both should have the same
+netmasks, and <em class="emphasis">ping</em> should report the correct
+addresses. If the addresses are wrong, you'll need
+to correct them. If they are correct, the programs might be confused
+by an incorrect netmask. See <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter.</p>
+</li>
+<li>
+<p>If the commands are still reporting that the network is unreachable
+and neither of the previous two conditions are in error, one network
+really might be unreachable from the other. This, too, is an issue
+for the network manager.</p>
+</li></ol>
+</li><li>
+<p>If you get <tt class="literal">ICMP</tt>
+<tt class="literal">Administratively</tt> <tt class="literal">Prohibited</tt>,
+you've struck a firewall of some sort or a
+misconfigured router. You will need to speak to your network security
+officer.</p>
+</li><li>
+<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt>
+<tt class="literal">redirect</tt> and <em class="emphasis">ping</em> reports
+packets getting through, this is generally harmless:
+you're simply being rerouted over the network.</p>
+</li><li>
+<p>If you get a host redirect and no <em class="emphasis">ping</em>
+responses, you are being redirected, but no one is responding. Treat
+this just like the <tt class="literal">Network</tt>
+<tt class="literal">unreachable</tt> response, and check your addresses and
+netmasks.</p>
+</li><li>
+<p>If you get <tt class="literal">ICMP</tt> <tt class="literal">Host</tt>
+<tt class="literal">Unreachable</tt> <tt class="literal">from</tt>
+<tt class="literal">gateway</tt> <tt class="literal">gateway</tt>
+<tt class="literal">name</tt>, ping packets are being routed to another
+network, but the other system isn't responding and
+the router is reporting the problem on its behalf. Again, treat this
+like a <tt class="literal">Network</tt> <tt class="literal">unreachable</tt>
+response, and start checking addresses and netmasks.</p>
+</li><li>
+<p>If you get <tt class="literal">ping</tt>: <tt class="literal">unknown</tt>
+<tt class="literal">host</tt> <tt class="literal">hostname</tt>, your
+system's name is not known. This tends to indicate a
+name service problem, which didn't affect
+<tt class="literal">localhost</tt>. Have a look at <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
+</li><li>
+<p>If you get a partial success—with some pings failing but others
+succeeding—you have either an intermittent problem between the
+systems or an overloaded network. Ping a bit longer, and see if more
+than about three percent of the packets fail. If so, check it with
+your network manager: a problem might just be starting. However, if
+only a few fail, or if you happen to know some massive network
+program is running, don't worry unduly. The ICMP
+(and UDP) protocols used by <em class="emphasis">ping</em> are allowed to
+drop occasional packets.</p>
+</li><li>
+<p>If you get a response such as <tt class="literal">smtsvr.antares.net</tt>
+<tt class="literal">is</tt> <tt class="literal">alive</tt> when you actually
+pinged <tt class="literal">client.example.com</tt>, either
+you're using someone else's address
+or the system has multiple names and addresses. If the address is
+wrong, the name service is clearly the culprit;
+you'll need to change the address in the name
+service database to refer to the correct system. This is discussed in
+<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this
+chapter.</p>
+
+<p>Servers are often <em class="emphasis">multihomed</em> —i.e.,
+connected to more than one network, with different names on each net.
+If you are getting a response from an unexpected name on a multihomed
+server, look at the address and see if it's on your
+network (see <a href="ch12.html#samba2-CHP-12-SECT-2.8.1">Section 12.2.8.1</a>, later in this chapter). If
+so, you should use that address, rather than one on a different
+network, for both performance and reliability reasons.</p>
+
+<p>Servers can also have multiple names for a single Ethernet address,
+especially if they are web servers. This is harmless, albeit
+startling. You probably will want to use the official (and permanent)
+name, rather than an alias that might change.</p>
+</li><li>
+<p>If everything works but the IP address reported is
+<tt class="literal">127.0.0.1</tt>, you have a name service error. This
+typically occurs when an operating-system installation program
+generates an <em class="filename">/etc/hosts</em> line similar to
+<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt>
+<em class="emphasis">hostname.domainname</em>. The localhost line should
+say <tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt> or
+<tt class="literal">127.0.0.1</tt> <tt class="literal">localhost</tt>
+<tt class="literal">loghost</tt>. Correct it, lest it cause failures to
+negotiate who is the master browse list holder and who is the master
+browser. It can also cause (ambiguous) errors in later tests.</p>
+</li></ul>
+<p>If this worked from the server, repeat it from the client. <a name="INDEX-41"/>
+<a name="INDEX-42"/><a name="INDEX-43"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.3"/>
+
+<h3 class="head2">Troubleshooting TCP</h3>
+
+<p><a name="INDEX-44"/><a name="INDEX-45"/>Now that
+you've tested IP, UDP, and a name service with
+<em class="emphasis">ping</em>, it's time to test TCP.
+Browsing and <em class="emphasis">ping</em> use ICMP and UDP; file and
+print services (shares) use TCP. Both depend on IP as a lower layer,
+and all four depend on name services. Testing TCP is most
+conveniently done using the FTP program.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.3.1"/>
+
+<h3 class="head3">Testing TCP with FTP</h3>
+
+<p>Try connecting via FTP, once from the server to itself, and once from
+the client to the server:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ftp server</b></tt>
+Connected to server.example.com.
+220 server.example.com FTP server (Version 6.2/OpenBSD/Linux-0.10) ready.
+ Name (server:davecb):
+331 Password required for davecb.
+Password:
+230 User davecb logged in.
+ ftp><tt class="userinput"><b> quit </b></tt>
+221 Goodbye.</pre></blockquote>
+
+<p>If this worked, skip to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>. Otherwise:</p>
+
+<ul><li>
+<p>If you received the message <tt class="literal">server</tt>:
+<tt class="literal">unknown</tt> <tt class="literal">host</tt>, name service has
+failed. Go back to the corresponding <em class="emphasis">ping</em> step,
+<a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>, and rerun those tests
+to see why name lookup failed.</p>
+</li><li>
+<p>If you received <tt class="literal">ftp</tt>: <tt class="literal">connect</tt>:
+<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the system
+isn't running an FTP daemon. This is mildly unusual
+on Unix servers. Optionally, you might try this test by connecting to
+the system using <em class="emphasis">telnet</em> instead of
+<em class="emphasis">ftp</em>; the messages are very similar, and
+<em class="emphasis">telnet</em> uses TCP as well.</p>
+</li><li>
+<p>If there was a long pause, and then <tt class="literal">ftp</tt>:
+<tt class="literal">connect</tt>: <tt class="literal">Connection</tt>
+<tt class="literal">timed</tt> <tt class="literal">out</tt>, the system
+isn't reachable. Return to <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>.</p>
+</li><li>
+<p>If you received <tt class="literal">530</tt> <tt class="literal">Logon</tt>
+<tt class="literal">Incorrect</tt>, you connected successfully, but
+you've just found a different problem. You likely
+provided an incorrect username or password. Try again, making sure
+you use your username from the Unix server and type your password
+correctly.</p>
+</li></ul>
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.4"/>
+
+<h3 class="head2">Troubleshooting Server Daemons</h3>
+
+<p><a name="INDEX-46"/>Once
+you've confirmed that TCP networking is working
+properly, the next step is to make sure the daemons are running on
+the server. This takes three separate tests because no single one of
+the following will decisively prove that they're
+working correctly.</p>
+
+<p>To be sure they're running, you need to find out
+whether the daemons:</p>
+
+<ol><li>
+<p>Have started</p>
+</li><li>
+<p>Are registered or bound to a TCP/IP port by the operating system</p>
+</li><li>
+<p>Are actually paying attention</p>
+</li></ol>
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.1"/>
+
+<h3 class="head3">Tracking daemon startup</h3>
+
+<p><a name="INDEX-47"/>First, check the Samba logs. If
+you've started the daemons, the message
+<tt class="literal">smbd</tt> <tt class="literal">version</tt>
+<tt class="literal">number</tt> <tt class="literal">started</tt> should appear.
+If it doesn't, you need to restart the Samba
+daemons.</p>
+
+<p>If the daemon reports that it has indeed started, look out for
+<tt class="literal">bind</tt> <tt class="literal">failed</tt>
+<tt class="literal">on</tt> <tt class="literal">port</tt> <tt class="literal">139</tt>
+<tt class="literal">socket_addr=0</tt> <tt class="literal">(Address</tt>
+<tt class="literal">already</tt> <tt class="literal">in</tt>
+<tt class="literal">use)</tt>. This means another daemon has been started
+on port 139 (<em class="emphasis">smbd</em> ). Also,
+<em class="emphasis">nmbd</em> will report a similar failure if it cannot
+bind to port 137. Either you've started them twice,
+or the <em class="emphasis">inetd</em> server has tried to provide a
+daemon for you. If it's the latter,
+we'll diagnose that in a moment.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.2"/>
+
+<h3 class="head3">Looking for daemon processes with ps</h3>
+
+<p><a name="INDEX-48"/>Another way to make sure the daemons are
+running is to check their processes on the system. Use the
+<em class="emphasis">ps</em><a name="INDEX-49"/> command on the server with the
+"long" option for your system type
+(commonly <tt class="literal">ps</tt> <tt class="literal">ax</tt> or
+<tt class="literal">ps</tt> <tt class="literal">-ef</tt>), and see whether
+<em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> are already
+running. This often looks like the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ps ax</b></tt>
+ PID TTY STAT TIME COMMAND
+ 1 ? S 0:03 init [2]
+ 2 ? SW 0:00 (kflushd)
+<i class="lineannotation">(...many lines of processes...) </i>
+ 234 ? S 0:14 nmbd -D3
+ 237 ? S 0:11 smbd -D3
+<i class="lineannotation">(...more lines, possibly including more smbd lines...)</i></pre></blockquote>
+
+<p>This example illustrates that <em class="emphasis">smbd</em> and
+<em class="emphasis">nmbd</em> have already started as standalone daemons
+(the <em class="emphasis">-D</em> option) at log level 3.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.3"/>
+
+<h3 class="head3">Looking for daemons bound to ports</h3>
+
+<p><a name="INDEX-50"/>Next, the daemons have to be registered
+with the operating system so that they can get access to TCP/IP
+ports. The <em class="emphasis">netstat</em> command will tell you if this
+has been done. Run the command <tt class="literal">netstat</tt>
+<tt class="literal">-a</tt> on the server, and look for lines mentioning
+<tt class="literal">netbios</tt>, <tt class="literal">137</tt>, or
+<tt class="literal">139</tt>:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>netstat -a </b></tt>
+Active Internet connections (including servers)
+Proto Recv-Q Send-Q Local Address Foreign Address (state)
+udp 0 0 *.137 *.*
+tcp 0 0 *.139 *.* LISTEN
+tcp 8370 8760 server.139 client.1439 ESTABLISHED</pre></blockquote>
+
+<p>Among similar lines, there should be at least one UDP line for
+<tt class="literal">*.netbios-</tt> or <tt class="literal">*.137</tt>. This
+indicates that the <em class="emphasis">nmbd</em> server is registered and
+(we hope) is waiting to answer requests. There should also be at
+least one TCP line mentioning <tt class="literal">*.netbios-</tt> or
+<tt class="literal">*.139</tt>, and it will probably be in the LISTEN
+state. This means that <em class="emphasis">smbd</em> is up and listening
+for connections.</p>
+
+<p>There might be other TCP lines indicating connections from
+<em class="emphasis">smbd</em> to clients, one for each client. These are
+usually in the ESTABLISHED state. If there are
+<em class="emphasis">smbd</em> lines in the ESTABLISHED state,
+<em class="emphasis">smbd</em> is definitely running. If there is only one
+line in the LISTEN state, we're not sure yet. If
+both of the lines are missing, a daemon has not succeeded in
+starting, so it's time to check the logs and then go
+back to <a href="ch02.html">Chapter 2</a>.</p>
+
+<p>If there is a line for each client, it might be coming either from a
+Samba daemon or from the master IP daemon,
+<em class="emphasis">inetd</em>. It's quite possible that
+your <em class="emphasis">inetd</em> startup file contains lines that
+start Samba daemons without your realizing it; for instance, the
+lines might have been placed there if you installed Samba as part of
+a Linux distribution. The daemons started by
+<em class="emphasis">inetd</em> prevent ours from running. This problem
+typically produces log messages such as <tt class="literal">bind</tt>
+<tt class="literal">failed</tt> <tt class="literal">on</tt>
+<tt class="literal">port</tt> <tt class="literal">139</tt>
+<tt class="literal">socket</tt> <tt class="literal">addr=0</tt>
+<tt class="literal">(Address</tt> <tt class="literal">already</tt>
+<tt class="literal">in</tt> <tt class="literal">use)</tt>.</p>
+
+<p>Check your <em class="filename">/etc/inetd.conf</em> ; unless
+you're intentionally starting the daemons from
+there, <tt class="literal">netbios-ns</tt> (UDP port 137) or
+<tt class="literal">netbios-ssn</tt> (tcp port 139) servers should be
+mentioned there. If your system is providing an SMB daemon via
+<em class="emphasis">inetd</em>, lines such as the following will appear
+in the <em class="filename">inetd.conf</em> file:</p>
+
+<blockquote><pre class="code">netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd
+netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd</pre></blockquote>
+
+<p>If your system uses <em class="emphasis">xinetd</em> instead of
+<em class="emphasis">inetd</em>, see <a href="ch02.html">Chapter 2</a> for
+details concerning its configuration.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.4"/>
+
+<h3 class="head3">Checking smbd with telnet</h3>
+
+<p><a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>Ironically, the easiest way to test that
+the <em class="emphasis">smbd</em> server is actually working is to send
+it a meaningless message and see if it is rejected. Try something
+such as the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>echo "hello" | telnet localhost 139 </b></tt>
+Trying
+Trying 192.168.236.86 ...
+Connected to localhost. Escape character is '^]'.
+Connection closed by foreign host.</pre></blockquote>
+
+<p>This sends an erroneous but harmless message to
+<em class="emphasis">smbd</em>. If you get a <tt class="literal">Connected</tt>
+message followed by a <tt class="literal">Connection</tt>
+<tt class="literal">closed</tt> message, the test was a success. You have
+an <em class="emphasis">smbd</em> daemon listening on the port and
+rejecting improper connection messages. On the other hand, if you get
+<tt class="literal">telnet</tt>: <tt class="literal">connect</tt>:
+<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, most likely
+no daemon is present. Check the logs and go back to <a href="ch02.html">Chapter 2</a>.</p>
+
+<p>Regrettably, there isn't an easy test for
+<em class="emphasis">nmbd</em>. If the <em class="emphasis">telnet</em> test
+and the <em class="emphasis">netstat</em> test both say that an
+<em class="emphasis">smbd</em> is running, there is a good chance that
+<em class="emphasis">netstat</em> will also be correct about
+<em class="emphasis">nmbd</em> running.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.4.5"/>
+
+<h3 class="head3">Testing daemons with testparm</h3>
+
+<p><a name="INDEX-54"/><a name="INDEX-55"/>Once you know
+there's a daemon, you should always run
+<em class="emphasis">testparm</em>, in hopes of getting something such as
+the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>testparm </b></tt>
+Load smb config files from /opt/samba/lib/smb.conf
+Processing section "[homes]"
+Processing section "[printers]" ...
+Processing section "[tmp]"
+Loaded services file OK. ...</pre></blockquote>
+
+<p>The <em class="emphasis">testparm</em> program normally reports the
+processing of a series of sections and responds with
+<tt class="literal">Loaded</tt> <tt class="literal">services</tt>
+<tt class="literal">file</tt> <tt class="literal">OK</tt> if it succeeds. If not,
+it reports one or more of the following messages, which also appear
+in the logs as noted:</p>
+
+<dl>
+<dt><b>Allow/Deny connection from account (n) to service</b></dt>
+<dd>
+<p>A <em class="emphasis">testparm</em>-only message produced if you have
+<tt class="literal">valid</tt> <tt class="literal">user</tt> or
+<tt class="literal">invalid</tt> <tt class="literal">user</tt> options set in
+your <em class="emphasis">smb.conf</em>. You will want to make sure that
+you are on the valid user list, and that <tt class="literal">root</tt>,
+<tt class="literal">bin</tt>, etc., are on the invalid user list. If you
+don't, you will not be able to connect, or users who
+shouldn't <em class="emphasis">will</em> be able to.</p>
+</dd>
+
+
+
+<dt><b>Warning: You have some share names that are longer than eight chars</b></dt>
+<dd>
+<p>For anyone using Windows for Workgroups and older clients. They fail
+to connect to shares with long names, producing an overflow message
+that sounds confusingly like a memory overflow.</p>
+</dd>
+
+
+
+<dt><b>Warning: [name] service MUST be printable!</b></dt>
+<dd>
+<p>A printer share lacks a <tt class="literal">printable</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option.</p>
+</dd>
+
+
+
+<dt><b>No path in service name using [name]</b></dt>
+<dd>
+<p>A file share doesn't know which directory to provide
+to the user, or a print share doesn't know which
+directory to use for spooling. If no path is specified, the service
+will try to run with a path of <em class="emphasis">/tmp</em>, which might
+not be what you want.</p>
+</dd>
+
+
+
+<dt><b>Note: Servicename is flagged unavailable</b></dt>
+<dd>
+<p>Just a reminder that you have used the <tt class="literal">available</tt>
+<tt class="literal">=</tt> <tt class="literal">no</tt> option in a share.</p>
+</dd>
+
+
+
+<dt><b>Can't find include file [name] </b></dt>
+<dd>
+<p>A configuration file referred to by an <tt class="literal">include</tt>
+option did not exist. If you were including the file unconditionally,
+this is an error and probably a serious one: the share will not have
+the configuration you intended. If you were including it based on one
+of the <tt class="literal">%</tt> variables, such as <tt class="literal">%a</tt>
+(architecture), you will need to decide whether, for example, a
+missing Windows for Workgroups configuration file is a problem. It
+often isn't.</p>
+</dd>
+
+
+
+<dt><b>Can't copy service name, unable to copy to itself</b></dt>
+<dd>
+<p>You tried to copy an <em class="filename">smb.conf</em> section into
+itself.</p>
+</dd>
+
+
+
+<dt><b>Unable to copy service—source not found: [name]</b></dt>
+<dd>
+<p>Indicates a missing or misspelled section in a
+<tt class="literal">copy</tt> <tt class="literal">=</tt> option.</p>
+</dd>
+
+
+
+<dt><b>Ignoring unknown parameter name </b></dt>
+<dd>
+<p>Typically indicates an obsolete, misspelled, or unsupported option.</p>
+</dd>
+
+
+
+<dt><b>Global parameter name found in service section </b></dt>
+<dd>
+<p>Indicates that a global-only parameter has been used in an individual
+share. Samba ignores the parameter.</p>
+</dd>
+
+</dl>
+
+<p>After the <em class="emphasis">testparm</em> test, repeat it with
+(exactly) three parameters: the name of your
+<em class="filename">smb.conf</em> file, the name of your client, and its
+IP address:</p>
+
+<blockquote><pre class="code"># <tt class="userinput"><b>testparm /usr/local/samba/lib/smb.conf client 192.168.236.10</b></tt></pre></blockquote>
+
+<p>This will run one more test that checks the hostname and address
+against <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options and might
+produce the <tt class="literal">Allow</tt> <tt class="literal">connection</tt>
+<tt class="literal">from</tt> <tt class="literal">hostname</tt>
+<tt class="literal">to</tt> <tt class="literal">service</tt> and/or
+<tt class="literal">Deny</tt> <tt class="literal">connection</tt>
+<tt class="literal">from</tt> <tt class="literal">hostname</tt>
+<tt class="literal">to</tt> <tt class="literal">service</tt> messages for the
+client system. These messages indicate that you have
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and/or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options in your
+<em class="filename">smb.conf</em>, and they prohibit access from the
+client system. <a name="INDEX-56"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.5"/>
+
+<h3 class="head2">Troubleshooting SMB Connections</h3>
+
+<p><a name="INDEX-57"/><a name="INDEX-58"/>Now
+that you know the servers are up, you need to make sure
+they're running properly. We start by placing a
+simple <em class="filename">smb.conf</em> file in the
+<em class="filename">/usr/local/samba/lib</em> directory.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.1"/>
+
+<h3 class="head3">A minimal smb.conf file</h3>
+
+<p>In the following tests, we assume you have a
+<tt class="literal">[temp]</tt> share suitable for testing, plus at least
+one account. An <em class="filename">smb.conf</em> file that includes just
+these is as follows:</p>
+
+<blockquote><pre class="code">[global]
+ workgroup = <em class="replaceable">EXAMPLE</em>
+ security = user
+ browsable = yes
+ local master = yes
+[homes]
+ guest ok = no
+ browsable = no
+[temp]
+ path = /tmp
+ public = yes</pre></blockquote>
+<a name="samba2-CHP-12-NOTE-156"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
+<p>The <tt class="literal">public</tt> <tt class="literal">=</tt>
+<tt class="literal">yes</tt> option in the <tt class="literal">[temp]</tt> share
+is just for testing. You probably don't want people
+without accounts storing things on your Samba server, so you should
+comment it out when you're done.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.2"/>
+
+<h3 class="head3">Testing locally with smbclient</h3>
+
+<p><a name="INDEX-59"/><a name="INDEX-60"/>The first test is to ensure that the
+server can list its own services (shares). Run the command
+<tt class="literal">smbclient</tt> <em class="emphasis">-L</em>
+<tt class="literal">localhost</tt> <tt class="literal">-U%</tt> to connect to the
+server from itself, and specify the guest user. You should see the
+following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L localhost -U% </b></tt>
+Server time is Wed May 27 17:57:40 2002 Timezone is UTC-4.0
+Server=[localhost]
+User=[davecb]
+Workgroup=[EXAMPLE]
+Domain=[EXAMPLE]
+ Sharename Type Comment
+ --------- ----- ----------
+ temp Disk
+ IPC$ IPC IPC Service (Samba 1.9.18)
+ homes Disk Home directories
+This machine does not have a browse list</pre></blockquote>
+
+<p>If you received this output, move on to the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>. On the other hand, if you
+receive an error, check the following:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Get_hostbyname</tt>:
+<tt class="literal">unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">localhost</tt>, either you've spelled
+its name wrong or there actually is a problem (which should have been
+seen back in <a href="ch12.html#samba2-CHP-12-SECT-2.2.2">Section 12.2.2.2</a>). In the
+latter case, move on to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
+</li><li>
+<p>If you get <tt class="literal">Connect</tt> <tt class="literal">error</tt>:
+<tt class="literal">Connection</tt> <tt class="literal">refused</tt>, the server
+was found, but it wasn't running an
+<em class="emphasis">nmbd</em> daemon. Skip back to
+<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>,
+earlier in this chapter, and retest the daemons.</p>
+</li><li>
+<p>If you get the message <tt class="literal">Your</tt>
+<tt class="literal">server</tt> <tt class="literal">software</tt>
+<tt class="literal">is</tt> <tt class="literal">being</tt>
+<tt class="literal">unfriendly</tt>, the initial session request packet got
+a garbage response from the server. The server might have crashed or
+started improperly. The common causes of this can be discovered by
+scanning the logs for the following:</p>
+<ul><li>
+<p>Invalid command-line parameters to <em class="emphasis">smbd</em> ; see
+the <em class="emphasis">smbd</em> manual page.</p>
+</li><li>
+<p>A fatal problem with the <em class="filename">smb.conf</em> file that
+prevents the startup of <em class="emphasis">smbd</em>. Always check your
+changes with <em class="emphasis">testparm</em>, as was done in <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>, earlier in this chapter.</p>
+</li><li>
+<p>Missing directories where Samba is supposed to keep its log and lock
+files.</p>
+</li><li>
+<p>The presence of a server already on the port (139 for
+<em class="emphasis">smbd</em>, 137 for <em class="emphasis">nmbd</em> ),
+preventing the daemon from starting.</p>
+</li></ul>
+</li>
+<li>
+<p>If you're using <em class="emphasis">inetd</em> (or
+xinetd ) instead of standalone daemons, be sure to check your
+<em class="filename">/etc/inetd.conf</em> (or xinetd configuration files)
+and <em class="filename">/etc/services</em> entries against their manual
+pages for errors as well.</p>
+</li><li>
+<p>If you get a <tt class="literal">Password</tt>: prompt, your guest account
+is not set up properly. The <em class="emphasis">-U%</em> option tells
+<em class="emphasis">smbclient</em> to do a "null
+login," which requires that the guest account be
+present but does not require it to have any privileges.</p>
+</li><li>
+<p>If you get the message <tt class="literal">SMBtconX</tt>
+<tt class="literal">failed</tt>. <tt class="literal">ERRSRV--ERRaccess</tt>, you
+aren't permitted access to the server. This normally
+means you have a <tt class="literal">hosts</tt> <tt class="literal">allow</tt>
+option that doesn't include the server or a
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.
+Recheck with the command <tt class="literal">testparm</tt>
+<tt class="literal">smb.conf</tt> <em class="replaceable">your_hostname</em>
+<em class="replaceable">your_ip_address</em> (see
+<a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>),
+and correct any unintended prohibitions.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.3"/>
+
+<h3 class="head3">Testing connections with smbclient</h3>
+
+<p><a name="INDEX-61"/><a name="INDEX-62"/>Run the command
+<tt class="literal">smbclient</tt>
+<tt class="literal">\\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt>
+to connect to the server's <tt class="literal">[temp]</tt>
+share and to see if you can connect to a file service. You should get
+the following response:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient '\\server\temp' </b></tt>
+Server time is Tue May 5 09:49:32 2002 Timezone is UTC-4.0 Password:
+<b class="emphasis-bold">smb: \> quit</b></pre></blockquote>
+<p>You might receive the following errors:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Get_Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">name</tt>, <tt class="literal">Connect</tt>
+<tt class="literal">error</tt>: <tt class="literal">Connection</tt>
+<tt class="literal">refused</tt>, or <tt class="literal">Your</tt>
+<tt class="literal">server</tt> <tt class="literal">software</tt>
+<tt class="literal">is</tt> <tt class="literal">being</tt>
+<tt class="literal">unfriendly</tt>, see the previous section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, for
+the diagnoses.</p>
+</li><li>
+<p>If you get the message <tt class="literal">servertemp</tt>:
+<tt class="literal">Not</tt> <tt class="literal">enough</tt>
+<tt class="literal">`\</tt>'
+<tt class="literal">characters</tt> <tt class="literal">in</tt>
+<tt class="literal">service</tt>, you likely didn't quote
+the address, so Unix stripped off backslashes. You can also write the
+command:</p>
+
+<blockquote><pre class="code">smbclient \\\\<em class="replaceable">server</em>\\temp</pre></blockquote>
+
+<p>or:</p>
+<blockquote><pre class="code">smbclient //<em class="replaceable">server</em>/temp</pre></blockquote>
+</li>
+</ul>
+<p>Now, provide your Unix account password to the
+<tt class="literal">Password</tt>: prompt. If you then get an
+<tt class="literal">smb</tt>: <tt class="literal">\></tt> prompt, it worked.
+Enter <tt class="literal">quit</tt> and continue on to the next section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If
+you got <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>.
+<tt class="literal">ERRSRV--ERRinvnetname</tt>, the problem can be any of
+the following:</p>
+
+<ul><li>
+<p>A wrong share name: you might have spelled it wrong, it might be too
+long, it might be in mixed case, or it might not be available. Check
+that it's what you expect with
+<em class="emphasis">testparm</em> (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
+</li><li>
+<p>A <tt class="literal">security</tt> <tt class="literal">=</tt>
+<tt class="literal">share</tt> parameter in your Samba configuration file,
+in which case you might have to add <tt class="literal">-U</tt>
+<em class="replaceable">your_account</em> to the
+<em class="emphasis">smbclient</em> command.</p>
+</li><li>
+<p>An erroneous username.</p>
+</li><li>
+<p>An erroneous password.</p>
+</li><li>
+<p>An <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
+<tt class="literal">valid</tt> <tt class="literal">users</tt> option in your
+<em class="emphasis">smb.conf</em> file that doesn't
+allow your account to connect. Recheck using
+<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt>
+<em class="replaceable">your_hostname your_ip_address</em> (see the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
+</li><li>
+<p>A <tt class="literal">valid</tt> <tt class="literal">hosts</tt> option that
+doesn't include the server, or an
+<tt class="literal">invalid</tt> <tt class="literal">hosts</tt> option that does.
+Also test this with <em class="emphasis">testparm</em>.</p>
+</li><li>
+<p>A problem in authentication, such as if shadow passwords or the
+Password Authentication Module (PAM) is used on the server, but Samba
+is not compiled to use it. This is rare, but it occasionally happens
+when a SunOS 4 Samba binary (with no shadow passwords) is run without
+recompilation on a Solaris system (with shadow passwords).</p>
+</li><li>
+<p>The <tt class="literal">encrypted</tt> <tt class="literal">passwords</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option is in the
+configuration file, but no password for your account is in the
+<em class="emphasis">smbpasswd</em> file.</p>
+</li><li>
+<p>You have a null password entry, either in Unix
+<em class="filename">/etc/passwd</em> or in the
+<em class="emphasis">smbpasswd</em> file.</p>
+</li><li>
+<p>You are connecting to <tt class="literal">[temp]</tt>, and you do not have
+the <tt class="literal">guest</tt> <tt class="literal">ok</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> option in the
+<tt class="literal">[temp]</tt> section of the
+<em class="emphasis">smb.conf</em> file.</p>
+</li><li>
+<p>You are connecting to <tt class="literal">[temp]</tt> before connecting to
+your home directory, and your guest account isn't
+set up correctly. If you can connect to your home directory and then
+connect to <tt class="literal">[temp]</tt>, that's the
+problem. See <a href="ch02.html">Chapter 2</a> for more information on
+creating a basic Samba configuration file.</p>
+
+<p>A bad guest account will also prevent you from printing or browsing
+until after you've logged in to your home directory.</p>
+</li></ul>
+<p>There is one more reason for this failure that has nothing at all to
+do with passwords: the <tt class="literal">path</tt> parameter in your
+<em class="filename">smb.conf</em> file might point somewhere that
+doesn't exist. This will not be diagnosed by
+<em class="emphasis">testparm</em>, and most SMB clients
+can't distinguish it from other types of bad user
+accounts. You will have to check it manually.</p>
+
+<p>Once you have connected to <tt class="literal">[temp]</tt> successfully,
+repeat the test, this time logging in to your home directory (e.g.,
+map network drive
+<em class="replaceable">server</em><tt class="literal">\davecb</tt>). If you
+have to change anything to get that to work, retest
+<tt class="literal">[temp]</tt> again afterward.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.4"/>
+
+<h3 class="head3">Testing connections with net use</h3>
+
+<p><a name="INDEX-63"/><a name="INDEX-64"/>Run the command
+<tt class="literal">net</tt> <tt class="literal">use</tt> <tt class="literal">*</tt>
+<tt class="literal">\</tt><em class="replaceable">server</em><tt class="literal">\temp</tt>
+on the Windows client to see if it can connect to the server. You
+should be prompted for a password, then receive the response
+<tt class="literal">The</tt> <tt class="literal">command</tt>
+<tt class="literal">was</tt> <tt class="literal">completed</tt>
+<tt class="literal">successfully</tt>.</p>
+
+<p>If that worked, continue with the steps in the next section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.5">Section 12.2.5.5</a>. Otherwise:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt>
+<tt class="literal">shared</tt> <tt class="literal">directory</tt>
+<tt class="literal">cannot</tt> <tt class="literal">be</tt>
+<tt class="literal">found</tt>, or <tt class="literal">Cannot</tt>
+<tt class="literal">locate</tt> <tt class="literal">specified</tt>
+<tt class="literal">share</tt> <tt class="literal">name</tt>, the directory name
+is either misspelled or not in the <em class="emphasis">smb.conf</em>
+file. This message can also warn of a name that is in mixed case,
+including spaces, or that is longer than eight characters.</p>
+</li><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">computer</tt>
+<tt class="literal">name</tt> <tt class="literal">specified</tt>
+<tt class="literal">in</tt> <tt class="literal">the</tt>
+<tt class="literal">network</tt> <tt class="literal">path</tt>
+<tt class="literal">cannot</tt> <tt class="literal">be</tt>
+<tt class="literal">located</tt> or <tt class="literal">Cannot</tt>
+<tt class="literal">locate</tt> <tt class="literal">specified</tt>
+<tt class="literal">computer</tt>, the directory name has been misspelled,
+the name service has failed, there is a networking problem, or the
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option includes your
+host.</p>
+<ul><li>
+<p>If it is not a spelling mistake, you need to double back at least to
+<a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a> to
+investigate why it doesn't connect.</p>
+</li><li>
+<p>If <em class="emphasis">smbclient</em> does work, there is a name service
+problem with the client name service, and you need to go forward to
+<a href="ch12.html#samba2-CHP-12-SECT-2.6.2">Section 12.2.6.2</a> and see if
+you can look up both the client and server with
+<em class="emphasis">nmblookup</em>.</p>
+</li>
+</ul>
+</li>
+
+<li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt>
+<tt class="literal">is</tt> <tt class="literal">invalid</tt>
+<tt class="literal">for</tt> <tt class="literal">\server\username</tt>, your
+locally cached copy on the client doesn't match the
+one on the server. You will be prompted for a replacement.</p>
+
+<a name="samba2-CHP-12-NOTE-157"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Each Windows 95/98/Me client keeps a local
+<em class="emphasis">password</em> file, but it's really
+just a cached copy of the password it sends to Samba and NT/2000/XP
+servers to authenticate you. That's what is being
+prompted for here. You can still log on to a Windows system without a
+password (but not to NT/2000/XP).</p>
+</blockquote>
+
+<p>If you provide your password and it still fails, your password is not
+being matched on the server, you have a <tt class="literal">valid</tt>
+<tt class="literal">users</tt> or <tt class="literal">invalid</tt>
+<tt class="literal">users</tt> list denying you permission, NetBEUI is
+interfering, or the encrypted password problem described in the next
+paragraph exists.</p>
+</li><li>
+<p>If your client is Windows NT 4.0, NT 3.5 with Patch 3, Windows 95
+with Patch 3, Windows 98, any of these with Internet Explorer 4.0, or
+any subsequent version of Windows, the system will default to
+Microsoft encryption for passwords. In general, if you have installed
+a major Microsoft product on any of the older Windows versions, you
+might have applied an update and turned on encrypted passwords. If
+the client is defaulting to encrypted passwords, you will need to
+specify <tt class="literal">encrypt</tt> <tt class="literal">passwords</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in your Samba
+configuration file if you are using a version of Samba prior to Samba
+3.0.</p>
+
+<a name="samba2-CHP-12-NOTE-158"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Because of Internet Explorer's willingness to honor
+URLs such as <em class="filename">file://somehost/somefile</em> by making
+SMB connections, clients up to and including Windows 95 Patch Level 2
+would happily send your password, in plain text, to SMB servers
+anywhere on the Internet. This was considered a bad idea, and
+Microsoft switched to using only encrypted passwords in the SMB
+protocol. All subsequent releases of Microsoft's
+products have included this correction.</p>
+</blockquote>
+</li>
+
+<li>
+<p>If you have a mixed-case password on Unix, the client is probably
+sending it in all one case. If changing your password to all one case
+works, this was the problem. Regrettably, all but the oldest clients
+support uppercase passwords, so Samba will try once with the password
+in uppercase and once in lowercase. If you wish to use mixed-case
+passwords, see the <tt class="literal">password</tt>
+<tt class="literal">level</tt> option in <a href="ch09.html">Chapter 9</a> for a
+workaround.</p>
+</li><li>
+<p>You might have a <tt class="literal">valid</tt> <tt class="literal">users</tt>
+problem, as tested with <em class="emphasis">smbclient</em> (see the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.3">Section 12.2.5.3</a>).</p>
+</li><li>
+<p>You might have the NetBEUI protocol bound to the Microsoft client.
+This often produces long timeouts and erratic failures and is known
+to have caused failures to accept passwords in the past. Unless you
+absolutely need the NetBEUI protocol, remove it.</p>
+</li></ul>
+<a name="samba2-CHP-12-NOTE-159"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The term "bind" is used here to
+mean connecting one piece of software to another. When configured
+correctly, the Microsoft SMB client is "bound
+to" TCP/IP in the bindings section of the TCP/IP
+properties panel under the Windows 95/98/Me Network icon in the
+Control Panel. TCP/IP in turn is bound to an Ethernet card. This is
+not the same sense of the word as binding an SMB daemon to a TCP/IP
+port.</p>
+</blockquote>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.5.5"/>
+
+<h3 class="head3">Testing connections with Windows Explorer</h3>
+
+<p><a name="INDEX-65"/><a name="INDEX-66"/>Start Windows Explorer
+(not Internet Explorer), select Map Network Drive from the Tools
+menu, and specify the UNC for one of your shares on the Samba server
+to see if you can make Explorer connect to it. If so,
+you've succeeded and can skip to the next section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.6">Section 12.2.6</a>.</p>
+
+<p>Windows Explorer is a rather poor diagnostic tool: it tells you that
+something's wrong, but rarely what it is. If you get
+a failure, you'll need to track it down with the
+Windows <em class="emphasis">net use</em> command, which has far superior
+error reporting:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">password</tt>
+<tt class="literal">for</tt> <tt class="literal">this</tt>
+<tt class="literal">connection</tt> <tt class="literal">that</tt>
+<tt class="literal">is</tt> <tt class="literal">in</tt> <tt class="literal">your</tt>
+<tt class="literal">password</tt> <tt class="literal">file</tt>
+<tt class="literal">is</tt> <tt class="literal">no</tt> <tt class="literal">longer</tt>
+<tt class="literal">correct</tt>, you might have any of the following:</p>
+<ul><li>
+<p>Your locally cached copy on the client doesn't match
+the one on the server.</p>
+</li><li>
+<p>You didn't provide a username and password when
+logging on to the client. Some versions of Explorer will continue to
+send a null username and password, even if you provide a password.</p>
+</li><li>
+<p>You have misspelled the password.</p>
+</li><li>
+<p>You have an <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
+<tt class="literal">valid</tt> <tt class="literal">users</tt> list denying
+permission.</p>
+</li><li>
+<p>Your client is defaulting to encrypted passwords, but Samba is
+configured with the <tt class="literal">encrypt</tt>
+<tt class="literal">passwords</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> configuration file parameter.</p>
+</li><li>
+<p>You have a mixed-case password, which the client is supplying in all
+one case.</p>
+</li>
+</ul>
+</li>
+<li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">network</tt>
+<tt class="literal">name</tt> <tt class="literal">is</tt>
+<tt class="literal">either</tt> <tt class="literal">incorrect</tt>,
+<tt class="literal">or</tt> <tt class="literal">a</tt> <tt class="literal">network</tt>
+<tt class="literal">to</tt> <tt class="literal">which</tt> <tt class="literal">you</tt>
+<tt class="literal">do</tt> <tt class="literal">not</tt> <tt class="literal">have</tt>
+<tt class="literal">full</tt> <tt class="literal">access</tt>, or
+<tt class="literal">Cannot</tt> <tt class="literal">locate</tt>
+<tt class="literal">specified</tt> <tt class="literal">computer</tt>, you might
+have any of the following:</p>
+<ul><li>
+<p>Misspelled name</p>
+</li><li>
+<p>Malfunctioning service</p>
+</li><li>
+<p>Failed share</p>
+</li><li>
+<p>Networking problem</p>
+</li><li>
+<p>Bad <tt class="literal">path</tt> parameter in
+<em class="filename">smb.conf</em></p>
+</li><li>
+<p><tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that excludes
+you</p>
+</li>
+</ul>
+</li>
+<li>
+<p>If you get <tt class="literal">You</tt> <tt class="literal">must</tt>
+<tt class="literal">supply</tt> <tt class="literal">a</tt>
+<tt class="literal">password</tt> <tt class="literal">to</tt>
+<tt class="literal">make</tt> <tt class="literal">this</tt>
+<tt class="literal">connection</tt>, the password on the client is out of
+synchronization with the server, or this is the first time
+you've tried from this client system and the client
+hasn't cached it locally yet.</p>
+</li><li>
+<p>If you get <tt class="literal">Cannot</tt> <tt class="literal">locate</tt>
+<tt class="literal">specified</tt> <tt class="literal">share</tt>
+<tt class="literal">name</tt>, you have a wrong share name or a syntax
+error in specifying it, a share name longer than eight characters, or
+one containing spaces or in mixed case.</p>
+</li></ul>
+<p>Once you can reliably connect to the share, try again, this time
+using your home directory. If you have to change something to get
+home directories working, retest with the first share, and vice
+versa, as we showed in the earlier section, "Testing
+connections with net use." As always, if Explorer
+fails, drop back to that section and debug the connection there.
+<a name="INDEX-67"/><a name="INDEX-68"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.6"/>
+
+<h3 class="head2">Troubleshooting Browsing</h3>
+
+<p><a name="INDEX-69"/><a name="INDEX-70"/>Finally, we
+come to browsing. We've left this for last, not
+because it is the most difficult, but because it's
+both optional and partially dependent on a protocol that
+doesn't guarantee delivery of a packet. Browsing is
+hard to diagnose if you don't already know that all
+the other services are running.</p>
+
+<p>Browsing is purely optional: it's just a way to find
+the servers on your network and the shares that they provide. Unix
+has nothing of the sort and happily does without. Browsing also
+assumes all your systems are on a local area network (LAN) where
+broadcasts are allowable.</p>
+
+<p>First, the browsing mechanism identifies a system using the
+unreliable UDP protocol; it then makes a normal (reliable) TCP/IP
+connection to list the shares the system provides.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.1"/>
+
+<h3 class="head3">Testing browsing with smbclient</h3>
+
+<p><a name="INDEX-71"/><a name="INDEX-72"/>We'll start with
+testing the reliable connection first. From the server, try listing
+its own shares using <em class="emphasis">smbclient</em> with a
+<tt class="literal">-L</tt> option and your server's name.
+You should get something resembling the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L server</b></tt>
+Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Server
+time is Tue Apr 28 09:57:28 2002 Timezone is UTC-4.0
+Password:
+Domain=[EXAMPLE] OS=[Unix] Server=[Samba 2.2.5]
+
+ Sharename Type Comment
+ --------- ---- -------
+ cdrom Disk CD-ROM
+ cl Printer Color Printer 1
+ davecb Disk Home Directories
+
+ Server Comment
+ --------- -------
+ SERVER Samba 2.2.5
+
+ Workgroup Master
+ --------- -------
+ EXAMPLE SERVER</pre></blockquote>
+
+<ul><li>
+<p>If you didn't get a Sharename list, the server is
+not allowing you to browse any shares. This should not be the case if
+you've tested any of the shares with Windows
+Explorer or the <em class="emphasis">net use</em> command. If you
+haven't done the <tt class="literal">smbclient</tt>
+<tt class="literal">-L</tt> <tt class="literal">localhost</tt>
+<tt class="literal">-U%</tt> test yet (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), do it now. An erroneous
+guest account can prevent the shares from being seen. Also, check the
+<em class="filename">smb.conf</em> file to make sure you do not have the
+option <tt class="literal">browsable</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt> anywhere in it: we suggest using a minimal
+<em class="filename">smb.conf</em> file (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.1">Section 12.2.5.1</a>). You need to have
+<tt class="literal">browsable</tt> enabled (which is the default) to see
+the share.</p>
+</li><li>
+<p>If you didn't get a browse list, the server is not
+providing information about the systems on the network. At least one
+system on the net must support browse lists. Make sure you have
+<tt class="literal">local</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> in the
+<em class="filename">smb.conf</em> file if you want Samba to be the local
+master browser.</p>
+</li><li>
+<p>If you got a browse list but didn't get
+<em class="emphasis">/tmp</em>, you probably have a
+<em class="filename">smb.conf</em> problem. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>.</p>
+</li><li>
+<p>If you didn't get a workgroup list with your
+workgroup name in it, it is possible that your workgroup is set
+incorrectly in the <em class="filename">smb.conf</em> file.</p>
+</li><li>
+<p>If you didn't get a workgroup list at all, ensure
+that <tt class="literal">workgroup</tt> <tt class="literal">=</tt>
+<tt class="literal">EXAMPLE</tt> is present in the
+<em class="filename">smb.conf</em> file.</p>
+</li><li>
+<p>If you get nothing, try once more with the options
+<tt class="literal">-I</tt> <em class="emphasis">ip_address</em>
+<tt class="literal">-n</tt> <em class="emphasis">netbios_name</em>
+<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>
+<tt class="literal">-d3</tt> with the NetBIOS and workgroup name in
+uppercase. (The <tt class="literal">-d3</tt> option sets the log /debugging
+level to 3.) Then check the Samba logs for clues.</p>
+</li></ul>
+<p>If you're still getting nothing, you
+shouldn't have gotten this far; double back to at
+least <a href="ch12.html#samba2-CHP-12-SECT-2.3.1">Section 12.2.3.1</a>, or perhaps
+<a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. On the other hand:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">SMBtconX</tt> <tt class="literal">failed</tt>.
+<tt class="literal">ERRSRV--ERRaccess</tt>, you aren't
+permitted access to the server. This normally means you have a
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option that
+doesn't include the server or a
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option that does.</p>
+</li><li>
+<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>, you
+presumably have one of the following:</p>
+<ul><li>
+<p>An incorrect <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line</p>
+</li><li>
+<p>An incorrect <tt class="literal">invalid</tt> <tt class="literal">users</tt> or
+<tt class="literal">valid</tt> <tt class="literal">users</tt> line</p>
+</li><li>
+<p>A lowercase password and OS/2 or Windows for Workgroups clients</p>
+</li><li>
+<p>A missing or invalid guest account</p>
+</li></ul>
+<p>Check what your guest account is (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>), change or comment out any
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt>,
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt>,
+<tt class="literal">valid</tt> <tt class="literal">users</tt>, or
+<tt class="literal">invalid</tt> <tt class="literal">users</tt> lines, and verify
+your <em class="filename">smb.conf</em> file with
+<tt class="literal">testparm</tt> <tt class="literal">smb.conf</tt>
+<em class="replaceable">your_hostname your_ip_address</em> (see the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.4.5">Section 12.2.4.5</a>).</p>
+</li><li>
+<p>If you get <tt class="literal">Connection</tt> <tt class="literal">refused</tt>,
+the <em class="emphasis">smbd</em> server is not running or has crashed.
+Check that it's up, running, and listening to the
+network with <em class="emphasis">netstat</em>. See the earlier section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.4">Section 12.2.4</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">Get_Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">name</tt>, you've made a spelling
+error, there is a mismatch between the Unix and NetBIOS hostname, or
+there is a name service problem. Start name service debugging as
+discussed in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.4">Section 12.2.5.4</a>. If this works, suspect a
+name mismatch, and go to the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">Session</tt> <tt class="literal">request</tt>
+<tt class="literal">failed</tt>, the server refused the connection. This
+usually indicates an internal error, such as insufficient memory to
+fork a process.</p>
+</li><li>
+<p>If you get <tt class="literal">Your</tt> <tt class="literal">server</tt>
+<tt class="literal">software</tt> <tt class="literal">is</tt>
+<tt class="literal">being</tt> <tt class="literal">unfriendly</tt>, the initial
+session request packet received a garbage response from the server.
+The server might have crashed or started improperly. Go back to <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>, where the
+problem is first analyzed.</p>
+</li><li>
+<p>If you suspect the server is not running, go back to
+<a href="ch12.html#samba2-CHP-12-SECT-2.4.2">Section 12.2.4.2</a> to see why the server
+daemon isn't responding.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.2"/>
+
+<h3 class="head3">Testing the server with nmblookup</h3>
+
+<p><a name="INDEX-73"/><a name="INDEX-74"/>This will test the
+"advertising" system used for
+Windows name services and browsing. Advertising works by broadcasting
+one's presence or willingness to provide services.
+It is the part of browsing that uses an unreliable protocol (UDP) and
+works only on broadcast networks such as Ethernets. The
+<em class="emphasis">nmblookup</em> program broadcasts name queries for
+the hostname you provide and returns its IP address and the name of
+the system, much as <em class="emphasis">nslookup</em> does with DNS.
+Here, the <em class="emphasis">-d</em> (debug or log-level) and
+<em class="emphasis">-B</em> (broadcast address) options direct queries to
+specific systems.</p>
+
+<p>First, we check the server from itself. Run
+<em class="emphasis">nmblookup</em> with a <em class="emphasis">-B</em> option
+of your server's name (to tell it to send the query
+to the Samba server) and a parameter of <tt class="literal">_ _SAMBA_
+_</tt> as the symbolic name to look up. You should get:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -B server _ _SAMBA_ _</b></tt>
+Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0
+Sending queries to 192.168.236.86 192.168.236.86 _ _SAMBA_ _</pre></blockquote>
+
+<p>You should get the IP address of the server, followed by the name
+<tt class="literal">_ _SAMBA_ _</tt> , which means that the server has
+successfully advertised that it has a service called <tt class="literal">_
+_SAMBA_ _</tt> , and therefore at least part of NetBIOS name
+service works.</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Name_query</tt> <tt class="literal">failed</tt>
+<tt class="literal">to</tt> <tt class="literal">find</tt> <tt class="literal">name</tt>
+<tt class="literal">_ _SAMBA_ _</tt>, you might have specified the server
+name to the <em class="emphasis">-B</em> option, or
+<em class="emphasis">nmbd</em> is not running. The <em class="emphasis">-B</em>
+option actually takes a broadcast address: we're
+using a computer name to get a unicast address and to ask the server
+if it has claimed <tt class="literal">_ _SAMBA_ _</tt>. Try again with
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">ip_address</em>, and if that fails too,
+<em class="emphasis">nmbd</em> isn't claiming the name.
+Go back briefly to the earlier section, "Testing
+daemons with testparm," to see if
+<em class="emphasis">nmbd</em> is running. If so, it might not be claiming
+names; this means that Samba is not providing the browsing
+service—a configuration problem. If that is the case, make sure
+that <em class="filename">smb.conf</em> doesn't contain
+the option <tt class="literal">browsing</tt> <tt class="literal">=</tt>
+<tt class="literal">no</tt>.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.3"/>
+
+<h3 class="head3">Testing the client with nmblookup</h3>
+
+<p><a name="INDEX-75"/><a name="INDEX-76"/>Next, check the IP address of the
+client from the server with <em class="emphasis">nmblookup</em> using the
+<tt class="literal">-B</tt> option for the client's name
+and a parameter of '<tt class="literal">*</tt>' meaning
+"anything," as shown here:</p>
+
+<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -B client '*</b>'
+Sending queries to 192.168.236.10 192.168.236.10 *
+Got a positive name query response from 192.168.236.10 (192.168.236.10)</pre></blockquote>
+
+<p>You might get the following error:</p>
+
+<ul><li>
+<p>If you receive <tt class="literal">Name-query</tt>
+<tt class="literal">failed</tt> <tt class="literal">to</tt>
+<tt class="literal">find</tt> <tt class="literal">name</tt> <tt class="literal">*</tt>,
+you have made a spelling mistake, or the client software on the PC
+isn't installed, started, or bound to TCP/IP. Double
+back to <a href="ch03.html">Chapter 3</a> and ensure that you have a
+client installed that is listening to the network.</p>
+</li></ul>
+<p>Repeat the command with the following options if you had any failures:</p>
+
+<ul><li>
+<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">client_IP_address</em> succeeds but
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">client_name</em> fails, there is a name service
+problem with the client's name; go to <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>, later in this chapter.</p>
+</li><li>
+<p>If <tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<tt class="literal">127.0.0.1</tt> '<tt class="literal">*</tt>' succeeds, but
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<em class="replaceable">client_IP_address</em> fails, there is a
+hardware problem, and <em class="emphasis">ping</em> should have failed.
+See your network manager.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.4"/>
+
+<h3 class="head3">Testing the network with nmblookup</h3>
+
+<p><a name="INDEX-77"/><a name="INDEX-78"/>Run the command
+<em class="emphasis">nmblookup</em> again with a <em class="emphasis">-d2</em>
+option (for a debug level of 2) and a parameter of
+'<tt class="literal">*</tt>'. This time we are testing the ability of
+programs (such as <em class="emphasis">nmbd</em> ) to use broadcast.
+It's essentially a connectivity test, done via a
+broadcast to the default broadcast address.</p>
+
+<p>A number of NetBIOS over TCP/IP hosts on the network should respond
+with <tt class="literal">got</tt> <tt class="literal">a</tt>
+<tt class="literal">positive</tt> <tt class="literal">name</tt>
+<tt class="literal">query</tt> <tt class="literal">response</tt> messages. Samba
+might not catch all the responses in the short time it listens, so
+you won't always see all the SMB clients on the
+network. However, you should see most of them:</p>
+
+<blockquote><pre class="code">$ <b class="emphasis-bold">nmblookup -d 2 '*</b>'
+Added interface ip=192.168.236.86 bcast=192.168.236.255 nmask=255.255.255.0 Sending
+queries to 192.168.236.255
+Got a positive name query response from 192.168.236.191 (192.168.236.191)
+Got a positive name query response from 192.168.236.228 (192.168.236.228)
+Got a positive name query response from 192.168.236.75 (192.168.236.75)
+Got a positive name query response from 192.168.236.79 (192.168.236.79)
+Got a positive name query response from 192.168.236.206 (192.168.236.206)
+Got a positive name query response from 192.168.236.207 (192.168.236.207)
+Got a positive name query response from 192.168.236.217 (192.168.236.217)
+Got a positive name query response from 192.168.236.72 (192.168.236.72) 192.168.236.86 *</pre></blockquote>
+
+<p>However:</p>
+
+<ul><li>
+<p>If this doesn't give at least the client address you
+previously tested, the default broadcast address is wrong. Try
+<tt class="literal">nmblookup</tt> <tt class="literal">-B</tt>
+<tt class="literal">255.255.255.255</tt> <tt class="literal">-d</tt>
+<tt class="literal">2</tt> '<tt class="literal">*</tt>', which is a last-ditch
+variant (using a broadcast address of all 1s). If this draws
+responses, the broadcast address you've been using
+before is wrong. Troubleshooting these is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this
+chapter.</p>
+</li><li>
+<p>If the address 255.255.255.255 fails too, check your notes to see if
+your PC and server are on different subnets, as discovered in the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.2.4">Section 12.2.2.4</a>. You
+should try to diagnose this step with a server and client on the same
+subnet, but if you can't, you can try specifying the
+remote subnet's broadcast address with
+<em class="emphasis">-B</em>. Finding that address is discussed in <a href="ch12.html#samba2-CHP-12-SECT-2.8.2">Section 12.2.8.2</a>, later in this
+chapter. The <em class="emphasis">-B</em> option will work if your router
+supports directed broadcasts; if it doesn't, you
+might be forced to test with a client on the same network.</p>
+</li></ul>
+<p>As usual, you can check the Samba log files for additional clues.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.5"/>
+
+<h3 class="head3">Testing client browsing with net view</h3>
+
+<p><a name="INDEX-79"/><a name="INDEX-80"/>On the client, run the
+command <em class="replaceable">net view \\server</em> in an MS-DOS
+(command prompt) window to see if you can connect to the client and
+ask what shares it provides. You should get back a list of available
+shares on the server.</p>
+
+<p>If this works, continue with the later section <a href="ch12.html#samba2-CHP-12-SECT-3.1">Section 12.3.1</a>. Otherwise:</p>
+
+<ul><li>
+<p>If you get <tt class="literal">Network</tt> <tt class="literal">name</tt>
+<tt class="literal">not</tt> <tt class="literal">found</tt> for the name you just
+tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.3">Section 12.2.6.3</a>, there is a problem with the
+client software itself. Double-check this by running
+<em class="emphasis">nmblookup</em> on the client; if it works and
+<em class="emphasis">net view</em> doesn't, the client is
+at fault.</p>
+</li><li>
+<p>If <em class="emphasis">nmblookup</em> fails, there is a NetBIOS name
+service problem, as discussed in the later section, <a href="ch12.html#samba2-CHP-12-SECT-2.9">Section 12.2.9</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">You</tt> <tt class="literal">do</tt>
+<tt class="literal">not</tt> <tt class="literal">have</tt> <tt class="literal">the</tt>
+<tt class="literal">necessary</tt> <tt class="literal">access</tt>
+<tt class="literal">rights</tt>, or <tt class="literal">This</tt>
+<tt class="literal">server</tt> <tt class="literal">is</tt>
+<tt class="literal">not</tt> <tt class="literal">configured</tt>
+<tt class="literal">to</tt> <tt class="literal">list</tt>
+<tt class="literal">shared</tt> <tt class="literal">resources</tt>, either your
+guest account is misconfigured (see the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.5.2">Section 12.2.5.2</a>) or you have a
+<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
+<tt class="literal">hosts</tt> <tt class="literal">deny</tt> line that prohibits
+connections from your system. These problems should have been
+detected by the <em class="emphasis">smbclient</em> tests starting in the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.1">Section 12.2.6.1</a>.</p>
+</li><li>
+<p>If you get <tt class="literal">The</tt> <tt class="literal">specified</tt>
+<tt class="literal">computer</tt> <tt class="literal">is</tt>
+<tt class="literal">not</tt> <tt class="literal">receiving</tt>
+<tt class="literal">requests</tt>, you have misspelled the name, the system
+is unreachable by broadcast (tested in the earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.6.4">Section 12.2.6.4</a>), or it's
+not running <em class="emphasis">nmbd</em>.</p>
+</li><li>
+<p>If you get <tt class="literal">Bad</tt> <tt class="literal">password</tt>
+<tt class="literal">error</tt>, you're probably
+encountering the Microsoft-encrypted password problem, as discussed
+earlier in this chapter and in <a href="ch09.html">Chapter 9</a>, with its
+corrections.</p>
+</li></ul>
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.6.6"/>
+
+<h3 class="head3">Browsing the server from the client</h3>
+
+<p><a name="INDEX-81"/><a name="INDEX-82"/>From the Windows Network
+Neighborhood (or My Network Places in newer releases), try to browse
+the server. Your Samba server should appear in the browse list of
+your local workgroup. You should be able to double-click the name of
+the server to get a list of shares.</p>
+
+<ul><li>
+<p>If you get an <tt class="literal">Invalid</tt> <tt class="literal">password</tt>
+error, it's most likely the encryption problem
+again.</p>
+</li><li>
+<p>If you receive an <tt class="literal">Unable</tt> <tt class="literal">to</tt>
+<tt class="literal">browse</tt> <tt class="literal">the</tt>
+<tt class="literal">network</tt> error, one of the following has occurred:</p>
+<ul><li>
+<p>You have looked too soon, before the broadcasts and updates have
+completed. Wait 30 seconds and try again.</p>
+</li><li>
+<p>There is a network problem you've not yet diagnosed.</p>
+</li><li>
+<p>There is no browse master. Add the configuration option
+<tt class="literal">local</tt> <tt class="literal">master</tt>
+<tt class="literal">=</tt> <tt class="literal">yes</tt> to your
+<em class="emphasis">smb.conf</em> file.</p>
+</li><li>
+<p>No shares are made browsable in the <em class="emphasis">smb.conf</em>
+file.</p>
+</li></ul>
+</li>
+<li>
+<p>If you receive the message <tt class="literal">\\server</tt>
+<tt class="literal">is</tt> <tt class="literal">not</tt>
+<tt class="literal">accessible</tt> then:</p>
+<ul><li>
+<p>You have the encrypted password problem.</p>
+</li><li>
+<p>The system really isn't accessible.</p>
+</li><li>
+<p>The system doesn't support browsing.</p>
+</li></ul>
+</li>
+</ul>
+
+<p>If you've made it this far and the problem is not
+yet solved, either the problem is one we've not yet
+seen, or it is a problem related to a topic we have already covered,
+and further analysis is required. Name resolution is often related to
+difficulties with Samba, so we cover it in more detail in the next
+sections. If you know your problem is not related to name resolution,
+skip to the <a href="ch12.html#samba2-CHP-12-SECT-3">Section 12.3</a> at the end of the chapter. <a name="INDEX-83"/><a name="INDEX-84"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.7"/>
+
+<h3 class="head2">Troubleshooting Name Services</h3>
+
+<p><a name="INDEX-85"/><a name="INDEX-86"/>This
+section looks at simple troubleshooting of all the name services
+you'll encounter, but only for the common problems
+that affect Samba.</p>
+
+<p>There are several good references for troubleshooting particular name
+services: Paul <a name="INDEX-87"/>Albitz and Cricket <a name="INDEX-88"/>Liu's <em class="emphasis">DNS and
+Bind</em> (O'Reilly) covers the DNS, Hal
+<a name="INDEX-89"/>Stern's <em class="emphasis">NFS and
+NIS</em> (O'Reilly) covers NIS
+("Yellow pages"), while Windows
+Internet Name Service (WINS), <em class="filename">hosts/LMHOSTS</em>
+files, and NIS+ are best covered by their respective
+vendors' manuals.</p>
+
+<p>The problems addressed in this section are as follows:</p>
+
+<ul><li>
+<p>Name services are identified.</p>
+</li><li>
+<p>A hostname can't be looked up.</p>
+</li><li>
+<p>The long (FQDN) form of a hostname works but the short form
+doesn't.</p>
+</li><li>
+<p>The short form of the name works, but the long form
+doesn't.</p>
+</li><li>
+<p>A long delay occurs before the expected result.</p>
+</li></ul>
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.1"/>
+
+<h3 class="head3">Identifying what's in use</h3>
+
+<p><a name="INDEX-90"/>First, see if both the
+server and the client are using DNS, WINS, NIS, or
+<em class="filename">hosts</em> files to look up IP addresses when you
+give them a name. Each kind of system has a different preference:</p>
+
+<ul><li>
+<p>Windows 95/98/Me tries WINS and the <em class="filename">LMHOSTS</em> file
+first, then broadcast, and finally DNS and <em class="filename">HOSTS</em>
+files.</p>
+</li><li>
+<p>Windows NT/2000/XP tries WINS, then broadcast, then the
+<em class="filename">LMHOSTS</em> file, and finally
+<em class="filename">HOSTS</em> and DNS.</p>
+</li><li>
+<p>Windows programs using the WINSOCK standard use the HOSTS file, DNS,
+WINS, and then broadcast. Don't assume that if a
+different program's name service works, the SMB
+client program's name service will!</p>
+</li><li>
+<p>Samba daemons use <em class="filename">lmhosts</em>, WINS, the Unix
+system's name resolution, and then broadcast.</p>
+</li><li>
+<p>Unix systems can be configured to use any combination of DNS,
+<em class="filename">HOSTS</em> files, NIS or NIS+, and winbind, generally
+in any order.</p>
+</li></ul>
+<p>We recommend that the client systems be configured to use WINS and
+DNS, the Samba daemons to use WINS and DNS, and the Unix server to
+use DNS, <em class="filename">hosts</em> files, and perhaps NIS+.
+You'll have to look at your notes and the actual
+systems to see which is in use.</p>
+
+<p>On the clients, the name services are all set in the TCP/IP
+Properties panel of the Networking Control Panel, as discussed in
+<a href="ch03.html">Chapter 3</a>. You might need to check there to see
+what you've actually turned on. On the server, see
+if a <em class="filename">/etc/resolv.conf</em> file exists. If it does,
+you're using DNS. You might be using the others as
+well, though. You'll need to check for NIS and
+combinations of services.</p>
+
+<p>Check for a <em class="filename">/etc/nsswitch.conf</em> file on Solaris
+and other System V Unix operating systems. If you have one, look for
+a line that begins with <tt class="literal">host</tt>: followed by one or
+more of <tt class="literal">files</tt>, <tt class="literal">bind</tt>,
+<tt class="literal">nis</tt>, or <tt class="literal">nis+</tt>. These are the
+name services to use, in order, with optional extra material in
+square brackets. The <tt class="literal">files</tt> keyword is for
+using <em class="emphasis">HOSTS</em> files, while <tt class="literal">bind</tt>
+(the Berkeley Internet Name Daemon) refers to using DNS.</p>
+
+<p>If the client and server differ, the first thing to do is to get them
+in sync. Clients can use DNS, WINS, <em class="emphasis">HOSTS</em>, and
+<em class="emphasis">LMHOSTS</em> files, but not NIS or NIS+. Servers can
+use <em class="emphasis">HOSTS</em> and <em class="filename">LMHOSTS</em>
+files, DNS, NIS or NIS+, and winbind, but not WINS—even if your
+Samba server provides WINS services. If you can't
+get all the systems to use the same services, you'll
+have to check the server and the client carefully for the same data.</p>
+
+<p>You can also make use of the <em class="emphasis">-R</em> (resolve order)
+option for <em class="emphasis">smbclient</em>. If you want to
+troubleshoot WINS, for example, you'd say:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>smbclient -L </b></tt><em class="replaceable">server</em> <tt class="userinput"><b>-R wins</b></tt></pre></blockquote>
+
+<p>The possible settings are <tt class="literal">hosts</tt> (which means
+whatever the Unix system is using, not just<em class="filename">
+/etc/hosts</em> files), <tt class="literal">lmhosts</tt>,
+<tt class="literal">wins</tt>, and <tt class="literal">bcast</tt> (broadcast).</p>
+
+<p>In the following sections, we use the term <em class="emphasis">long
+name</em> for a fully qualified domain name (FQDN), such as
+<tt class="literal">server.example.com</tt> , and the term <em class="emphasis">short
+name</em> for the host part of an FQDN, such as
+<tt class="literal">server</tt>.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.2"/>
+
+<h3 class="head3">Cannot look up hostnames</h3>
+
+<p><a name="INDEX-91"/>Try the
+following:</p>
+
+<dl>
+<dt><b>DNS</b></dt>
+<dd>
+<p>Run <tt class="literal">nslookup</tt> <em class="replaceable">name</em>. If
+this fails, look for a <em class="filename">resolv.conf</em> error, a
+downed DNS server, or a short/long name problem (see the next
+section). Try the following:</p>
+
+
+<ul><li>
+<p>Your <em class="filename">/etc/resolv.conf</em> file should contain one or
+more <tt class="literal">nameserver</tt> lines, each with an IP address.
+These are the addresses of your DNS servers.</p>
+</li><li>
+<p>Ping each server address you find. If this fails for one, suspect the
+system. If it fails for each, suspect your network.</p>
+</li><li>
+<p>Retry the lookup using the full domain name (e.g.,
+<tt class="literal">server.example.com</tt>) if you tried the short name
+first, or the short name if you tried the long name first. If results
+differ, skip to the next section.</p>
+</li></ul>
+</dd>
+
+
+
+<dt><b>Broadcast/ WINS</b></dt>
+<dd>
+<p>Broadcast/ WINS does only short names such as
+<tt class="literal">server</tt>, and not long ones, such as
+<tt class="literal">server.example.com</tt>. Run
+<tt class="literal">nmblookup</tt> <tt class="literal">-S</tt>
+<em class="replaceable">server</em>. This reports everything broadcast
+has registered for the name. In our example, it looks like this:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>nmblookup -S server</b></tt>
+Looking up status of 192.168.236.86
+received 10 names
+ SERVER <00> - M <ACTIVE>
+ SERVER <03> - M <ACTIVE>
+ SERVER <1f> - M <ACTIVE>
+ SERVER <20> - M <ACTIVE>
+ ..__MSBROWSE__. <01> - <GROUP> M <ACTIVE>
+ MYGROUP <00> - <GROUP> M <ACTIVE>
+ MYGROUP <1b> - M <ACTIVE>
+ MYGROUP <1c> - <GROUP> M <ACTIVE>
+ MYGROUP <1d> - M <ACTIVE>
+ MYGROUP <1e> - <GROUP> M <ACTIVE></pre></blockquote>
+
+<p>The required entry is <tt class="literal">SERVER</tt>
+<tt class="literal"><00></tt>, which identifies
+<em class="replaceable">server</em> as being this
+system's NetBIOS name. You should also see your
+workgroup mentioned one or more times. If these lines are missing,
+Broadcast/WINS cannot look up names and will need attention.</p>
+
+<a name="samba2-CHP-12-NOTE-160"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>The numbers in angle brackets in the previous output identify NetBIOS
+names as being workgroups, workstations, and file users of the
+messenger service, master browsers, domain master browsers, domain
+controllers, and a plethora of others. We primarily use
+<tt class="literal"><00></tt> to identify system and workgroup names
+and <tt class="literal"><20></tt> to identify systems as servers. The
+complete list is available at <a href="http://support.microsoft.com/support/kb/articles/q163/4/09.asp">http://support.microsoft.com/support/kb/articles/q163/4/09.asp</a>.</p>
+</blockquote>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>Try <tt class="literal">ypmatch</tt> <tt class="literal">name</tt>
+<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the
+NIS server's name by running
+<em class="emphasis">ypwhich</em>, and ping the system to see if
+it's accessible.</p>
+</dd>
+
+
+
+<dt><b>NIS+</b></dt>
+<dd>
+<p>If you're running NIS+, try
+<tt class="literal">nismatch</tt> <tt class="literal">name</tt>
+<tt class="literal">hosts</tt>. If this fails, NIS is down. Find out the
+NIS+ server's name by running
+<em class="emphasis">niswhich</em>, and ping that system to see if
+it's accessible.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS files</b></dt>
+<dd>
+<p>Inspect the <em class="filename">HOSTS</em> file on the client
+(<em class="filename">C:\Windows\ Hosts</em> on Windows 95/98/Me, and
+<em class="filename">C:\WINNT \system32\drivers\etc\hosts</em> on Windows
+NT/2000/XP). Each line should have an IP number and one or more
+names, the primary name first, then any optional aliases. An example
+follows:</p>
+
+
+<blockquote><pre class="code">127.0.0.1 localhost
+192.168.236.1 dns.svc.example.com
+192.168.236.10 client.example.com client
+192.168.236.11 backup.example.com loghost
+192.168.236.86 server.example.com server
+192.168.236.254 router.svc.example.com</pre></blockquote>
+
+<p>On Unix, <tt class="literal">localhost</tt> should always be 127.0.0.1,
+although it might be just an alias for a hostname on the PC. On the
+client, check that there are no <tt class="literal">#XXX</tt> directives at
+the ends of the lines; these are LAN Manager/NetBIOS directives and
+should appear only in <em class="emphasis">LMHOSTS</em> files.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS files</b></dt>
+<dd>
+<p>This file is a local source for LAN Manager (NetBIOS) names. It has a
+format similar to <em class="filename">hosts</em> files, but it does not
+support long-form domain names (e.g.,
+<tt class="literal">server.example.com</tt>) and can have a number of
+optional <tt class="literal">#XXX</tt> directives following the NetBIOS
+names. There is usually an <em class="emphasis">lmhosts.sam</em> (for
+sample) file located in <em class="filename">C:\Windows</em> on Windows
+95/98/Me, and in <em class="filename">C:\WINNT\system32\drivers\etc</em>
+on Windows NT/2000/XP, but it's not used unless it
+is renamed to <em class="emphasis">Lmhosts</em> in the same directory.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.3"/>
+
+<h3 class="head3">Long and short hostnames</h3>
+
+<p><a name="INDEX-92"/>Where the long (FQDN) form of a hostname
+works but the short name doesn't (for example,
+<tt class="literal">client.example.com</tt> works but
+<tt class="literal">client</tt> doesn't), consider the
+following:</p>
+
+<dl>
+<dt><b>DNS </b></dt>
+<dd>
+<p>This usually indicates that there is no default domain in which to
+look up the short names. Look for a <tt class="literal">default</tt> line
+in <em class="filename">/etc/resolv.conf</em> on the Samba server with
+your domain in it, or look for a <tt class="literal">search</tt> line with
+one or more domains in it. One or the other might need to be present
+to make short names usable; which one depends on the vendor and
+version of the DNS resolver. Try adding <tt class="literal">domain</tt>
+<em class="replaceable">your_domain</em> to
+<em class="filename">resolv.conf</em>, and ask your network or DNS
+administrator what should be in the file.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/WINS </b></dt>
+<dd>
+<p>Broadcast/WINS doesn't support long names; it
+won't suffer from this problem.</p>
+</dd>
+
+
+
+<dt><b>NIS </b></dt>
+<dd>
+<p>Try the command <tt class="literal">ypmatch</tt>
+<em class="replaceable">hostname</em> <tt class="literal">hosts</tt>. If you
+don't get a match, your tables
+don't include short names. Speak to your network
+manager; short names might be missing by accident or might be
+unsupported as a matter of policy. Some sites don't
+ever use (ambiguous) short names.</p>
+</dd>
+
+
+
+<dt><b>NIS+</b></dt>
+<dd>
+<p>Try <tt class="literal">nismatch</tt> <em class="replaceable">hostname</em>
+<tt class="literal">hosts</tt>, and treat failure exactly as with NIS.</p>
+</dd>
+
+
+
+<dt><b>hosts </b></dt>
+<dd>
+<p>If the short name is not in <em class="filename">/etc/hosts</em>, consider
+adding it as an alias. Avoid, if you can, short names as primary
+names (the first one on a line). Have them as aliases if your system
+permits.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS </b></dt>
+<dd>
+<p>LAN Manager doesn't support long names, so it
+won't suffer from this problem.</p>
+</dd>
+
+</dl>
+
+<p>On the other hand, if the short form of the name works and the long
+form doesn't, consider the following:</p>
+
+<dl>
+<dt><b>DNS </b></dt>
+<dd>
+<p>This is bizarre; see your network or DNS administrator, as this is
+probably a DNS setup error.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/WINS </b></dt>
+<dd>
+<p>This is normal; Broadcast/WINS can't use the long
+form. Optionally, consider DNS. (Be aware that Microsoft has stated
+that it will eventually switch entirely to DNS, even though DNS does
+not provide name types such as <00>.)</p>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>If you can use <em class="emphasis">ypmatch</em> to look up the short form
+but not the long, consider adding the long form to the table as at
+least an alias.</p>
+</dd>
+
+
+
+<dt><b>NIS+ </b></dt>
+<dd>
+<p>Same as NIS, except you use <em class="emphasis">nismatch</em> instead of
+<em class="emphasis">ypmatch</em> to look up names.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS</b></dt>
+<dd>
+<p>Add the long name as at least an alias, and preferably as the primary
+form. Also consider using DNS if it's practical.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS </b></dt>
+<dd>
+<p>This is normal. LAN Manager can't use the long form;
+consider switching to DNS or <em class="filename">hosts</em>.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.4"/>
+
+<h3 class="head3">Unusual delays</h3>
+
+<p><a name="INDEX-93"/>When there is a long delay before the
+expected result:</p>
+
+<dl>
+<dt><b>DNS </b></dt>
+<dd>
+<p>Test the same name with the <em class="emphasis">nslookup</em> command on
+the system that is slow (client or server). If
+<em class="emphasis">nslookup</em> is also slow, you have a DNS problem.
+If it's slower on a client, you might have too many
+protocols bound to the Ethernet card. Eliminate NetBEUI, which is
+infamously slow, and, optionally, Novell—assuming you
+don't need them. This is especially important on
+Windows 95, which is particularly sensitive to excess protocols.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/ WINS</b></dt>
+<dd>
+<p>Test the client using <em class="emphasis">nmblookup</em>; if
+it's faster, you probably have the protocols problem
+as mentioned in the previous item.</p>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>Try <em class="emphasis">ypmatch</em>; if it's slow,
+report the problem to your network manager.</p>
+</dd>
+
+
+
+<dt><b>NIS+ </b></dt>
+<dd>
+<p>Try <em class="emphasis">nismatch</em>, similarly.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS</b></dt>
+<dd>
+<p>The <em class="emphasis">hosts</em> files, if of reasonable size, are
+always fast. You probably have the protocols problem mentioned
+previously under DNS.</p>
+</dd>
+
+
+
+<dt><b>lmhosts and LMHOSTS</b></dt>
+<dd>
+<p>This is not a name lookup problem; <em class="emphasis">LMHOSTS</em> files
+are as fast as <em class="emphasis">hosts</em> and
+<em class="filename">HOSTS</em> files.</p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.7.5"/>
+
+<h3 class="head3">Localhost issues</h3>
+
+<p><a name="INDEX-94"/>When a localhost isn't
+127.0.0.1, try the following:</p>
+
+<dl>
+<dt><b>DNS</b></dt>
+<dd>
+<p>There is probably no record for <tt class="literal">localhost</tt>.
+<tt class="literal">A</tt> <tt class="literal">127.0.0.1</tt>. Arrange to add
+one, as well as a reverse entry,
+<tt class="literal">1.0.0.127.IN-ADDR.ARPA</tt> <tt class="literal">PTR</tt>
+<tt class="literal">127.0.0.1</tt>.</p>
+</dd>
+
+
+
+<dt><b>Broadcast/WINS</b></dt>
+<dd>
+<p>Not applicable.</p>
+</dd>
+
+
+
+<dt><b>NIS</b></dt>
+<dd>
+<p>If <tt class="literal">localhost</tt> isn't in the table,
+add it.</p>
+</dd>
+
+
+
+<dt><b>NIS+ </b></dt>
+<dd>
+<p>If <tt class="literal">localhost</tt> isn't in the table,
+add it.</p>
+</dd>
+
+
+
+<dt><b>hosts and HOSTS</b></dt>
+<dd>
+<p>Add a line that says <tt class="literal">127.0.0.1</tt>
+<tt class="literal">localhost</tt>.</p>
+</dd>
+
+
+
+<dt><b>LMHOSTS</b></dt>
+<dd>
+<p>Not applicable. <a name="INDEX-95"/><a name="INDEX-96"/></p>
+</dd>
+
+</dl>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.8"/>
+
+<h3 class="head2">Troubleshooting Network Addresses</h3>
+
+<p><a name="INDEX-97"/><a name="INDEX-98"/>A
+number of common problems are caused by incorrect routing of Internet
+addresses or by the incorrect assignment of addresses. This section
+helps you determine what your addresses are.</p>
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.1"/>
+
+<h3 class="head3">Netmasks</h3>
+
+<p>Using the <a name="INDEX-99"/>netmask, it is possible to
+determine which addresses can be reached directly (i.e., which are on
+the local network) and which addresses require forwarding packets
+through a router. If the netmask is wrong, the systems will make one
+of two mistakes. One is to route local packets via a router, which is
+an expensive waste of time—it might work reasonably fast, it
+might run slowly, or it might fail utterly. The second mistake is to
+fail to send packets from a remote system to the router, which will
+prevent them from being forwarded to the remote system.</p>
+
+<p>The netmask is a number like an IP address, with one-bits for the
+network part of an address and zero-bits for the host portion. It is
+used as a bitmask to mask off parts of the address inside the TCP/IP
+code. If the mask is 255.255.0.0, the first 2 bytes are the network
+part and the last 2 are the host part. More common is 255.255.255.0,
+in which the first 3 bytes are the network part and the last one is
+the host part.</p>
+
+<p>For example, let's say your IP address is
+192.168.0.10 and the Samba server is 192.168.236.86. If your netmask
+happens to be 255.255.255.0, the network part of the address is the
+first 3 bytes, and the host part is the last byte. In this case, the
+network parts are different, and the systems are on different
+networks:</p>
+
+<a name="ch12-37-fm2xml"/><table border="1">
+
+
+
+<tr>
+<th>
+<p>Network part</p>
+</th>
+<th>
+<p>Host part</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>192 168 000</p>
+</td>
+<td>
+<p>10</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>192 168 235</p>
+</td>
+<td>
+<p>86</p>
+</td>
+</tr>
+
+</table>
+
+<p>If your netmask happens to be 255.255.0.0, the network part is just
+the first 2 bytes. In this case, the network parts match, and so the
+two systems are on the same network:</p>
+
+<a name="ch12-38-fm2xml"/><table border="1">
+
+
+
+<tr>
+<th>
+<p>Network part</p>
+</th>
+<th>
+<p>Host part</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>192 168</p>
+</td>
+<td>
+<p>000 10</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>192 168</p>
+</td>
+<td>
+<p>236 86</p>
+</td>
+</tr>
+
+</table>
+
+<p>Make sure the netmask in use on each system matches the structure of
+your network. On every subnet, the netmask should be identical on
+each system.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.2"/>
+
+<h3 class="head3">Broadcast addresses</h3>
+
+<p>The <a name="INDEX-100"/>broadcast address is a normal address,
+with the hosts part all one-bits. It means "all
+hosts on your network." You can compute it easily
+from your netmask and address: take the address and put one-bits in
+it for all the bits that are zero at the end of the netmask (the host
+part). The following table illustrates this:</p>
+
+<a name="ch12-39-fm2xml"/><table border="1">
+
+
+
+
+<tr>
+<th>
+</th>
+<th>
+<p>Network part</p>
+</th>
+<th>
+<p>Host part</p>
+</th>
+</tr>
+
+
+<tr>
+<td>
+<p>IP address</p>
+</td>
+<td>
+<p>192 168 236</p>
+</td>
+<td>
+<p>86</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Netmask</p>
+</td>
+<td>
+<p>255 255 255</p>
+</td>
+<td>
+<p>000</p>
+</td>
+</tr>
+<tr>
+<td>
+<p>Broadcast</p>
+</td>
+<td>
+<p>192 168 236</p>
+</td>
+<td>
+<p>255</p>
+</td>
+</tr>
+
+</table>
+
+<p>In this example, the broadcast address on the 192.168.236 network is
+192.168.236.255. There is also an old
+"universal" broadcast address,
+255.255.255.255. Routers are prohibited from forwarding these, but
+most systems on your local network will respond to broadcasts to this
+address.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.3"/>
+
+<h3 class="head3">Network address ranges</h3>
+
+<p>A <a name="INDEX-101"/>number of address ranges have been
+reserved for testing and for nonconnected networks; we use these for
+the examples in this book. If you don't have an
+address yet, feel free to use one of these to start. They include one
+class A network, 10.*.*.*, a range of class B network addresses,
+172.16.*.* through 172.31.*.*, and 254 class C networks, 192.168.1.*
+through 192.168.254.*. The domain <tt class="literal">example.com</tt> is
+also reserved for unconnected networks, explanatory examples, and
+books.</p>
+
+<p>If you're actually connecting to the Internet,
+you'll need to get an appropriate IP address and a
+domain name, probably through the same company that provides your
+connection.</p>
+
+
+</div>
+
+
+
+<div class="sect3"><a name="samba2-CHP-12-SECT-2.8.4"/>
+
+<h3 class="head3">Finding your network address</h3>
+
+<p><a name="INDEX-102"/>If you
+haven't recorded your IP address, you can learn it
+through the <em class="emphasis">ifconfig</em><a name="INDEX-103"/> command on Unix or the
+<em class="emphasis">ipconfig</em> <a name="INDEX-104"/>command on Windows. (Check your manual
+pages for any options required by your brand of Unix. For example,
+<tt class="literal">ifconfig</tt> <tt class="literal">-a</tt> works on Solaris.)
+You should see output similar to the following:</p>
+
+<blockquote><pre class="code">$ <tt class="userinput"><b>ifconfig -a</b></tt>
+le0: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING >
+ inet 192.168.236.11 netmask ffffff00 broadcast 192.168.236.255
+lo0: flags=49<&lt>UP,LOOPBACK,RUNNING<&gt>
+ inet 127.0.0.1 netmask ff000000</pre></blockquote>
+
+<p>One of the interfaces will be loopback (in our examples,
+<tt class="literal">lo0</tt>), and the other will be the regular IP
+interface. The flags should show that the interface is running, and
+Ethernet interfaces will also say they support broadcasts (PPP
+interfaces don't). The other places to look for IP
+addresses are <em class="filename">/etc/hosts</em> files, Windows
+<em class="emphasis">HOSTS</em> files, Windows
+<em class="emphasis">LMHOSTS</em> files, NIS, NIS+, and DNS. <a name="INDEX-105"/><a name="INDEX-106"/></p>
+
+
+</div>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-2.9"/>
+
+<h3 class="head2">Troubleshooting NetBIOS Names</h3>
+
+<p><a name="INDEX-107"/><a name="INDEX-108"/>Historically, SMB protocols have
+depended on the NetBIOS name system, also called the LAN Manager name
+system. This was a simple scheme where each system had a unique
+20-character name and broadcast it on the LAN for everyone to know.
+With TCP/IP, we tend to use names such as
+<tt class="literal">client.example.com</tt>, stored in
+<em class="filename">/etc/hosts</em> files through DNS or WINS.</p>
+
+<p>The usual mapping of domain names such as
+<tt class="literal">server.example.com</tt> to NetBIOS names simply uses
+the <tt class="literal">server</tt> part as the NetBIOS name and converts
+it to uppercase. Alas, this doesn't always work,
+especially if you have a system with a 21-character name; not
+everyone uses the same NetBIOS and DNS names. For example,
+<tt class="literal">corpvm1</tt> along with <tt class="literal">vm1.corp.com</tt>
+is not unusual.</p>
+
+<p>A system with a different NetBIOS name and domain name is confusing
+when you're troubleshooting; we recommend that you
+try to avoid this wherever possible. NetBIOS names are discoverable
+with <em class="emphasis">smbclient</em> :</p>
+
+<ul><li>
+<p>If you can list shares on your Samba server with
+<tt class="literal">smbclient</tt> <tt class="literal">-L</tt>
+<tt class="literal">short_name</tt>, the short name is the NetBIOS name.</p>
+</li><li>
+<p>If you get <tt class="literal">Get_Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">name</tt>, there is probably a mismatch. Check in the
+<em class="filename">smb.conf</em> file to see if the NetBIOS name is
+explicitly set.</p>
+</li><li>
+<p>Try to list shares again, specifying <tt class="literal">-I</tt> and the IP
+address of the Samba server (e.g., <tt class="literal">smbclient</tt>
+<tt class="literal">-L</tt> <tt class="literal">server</tt> <tt class="literal">-I</tt>
+<tt class="literal">192.168.236.86</tt>). This overrides the name lookup
+and forces the packets to go to the IP address. If this works, there
+was a mismatch.</p>
+</li><li>
+<p>Try with <tt class="literal">-I</tt> and the full domain name of the server
+(e.g., <tt class="literal">smbclient</tt> <tt class="literal">-L</tt>
+<tt class="literal">server</tt> <tt class="literal">-I</tt>
+<tt class="literal">server.example.com</tt>). This tests the lookup of the
+domain name, using whatever scheme the Samba server uses (e.g., DNS).
+If it fails, you have a name service problem. You should reread the
+earlier section, <a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>,
+after you finish troubleshooting the NetBIOS names.</p>
+</li><li>
+<p>Try with the <tt class="literal">-n</tt> (NetBIOS name) option, giving it
+the name you expect to work (e.g., <tt class="literal">smbclient</tt>
+<tt class="literal">-n</tt> <tt class="literal">server</tt> <tt class="literal">-L</tt>
+<tt class="literal">server-12</tt>), but without overriding the IP address
+through <tt class="literal">-I</tt>. If this works, the name you specified
+with <tt class="literal">-n</tt> is the actual NetBIOS name of the server.
+If you receive <tt class="literal">Get-Hostbyname</tt>:
+<tt class="literal">Unknown</tt> <tt class="literal">host</tt>
+<tt class="literal">SERVER</tt>, it's not the right server
+yet.</p>
+</li><li>
+<p>If nothing is working so far, repeat the tests specifying
+<tt class="literal">-U</tt> <em class="emphasis">username</em> and
+<tt class="literal">-W</tt> <em class="emphasis">workgroup</em>, with the
+username and workgroup in uppercase, to make sure
+you're not being derailed by a user or workgroup
+mismatch.</p>
+</li><li>
+<p>If still nothing works and you had evidence of a name service
+problem, troubleshoot the name service (see the earlier section,
+<a href="ch12.html#samba2-CHP-12-SECT-2.7">Section 12.2.7</a>) and then return to
+the NetBIOS name service. <a name="INDEX-109"/><a name="INDEX-110"/></p>
+</li></ul>
+
+</div>
+
+
+</div>
+
+
+
+<div class="sect1"><a name="samba2-CHP-12-SECT-3"/>
+
+<h2 class="head1">Extra Resources</h2>
+
+<p>At some point during your work with Samba, you'll
+want to turn to online or printed resources for news, updates, and
+aid.</p>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.1"/>
+
+<h3 class="head2">Documentation and FAQs</h3>
+
+<p>It's OK to read the <a name="INDEX-111"/><a name="INDEX-112"/>documentation. Really. Nobody can see you,
+and we won't tell. In fact, Samba ships with a large
+set of documentation files, and it is well worth the effort to at
+least browse through them, either in the distribution directory on
+your computer under <em class="filename">/docs</em> or online at the Samba
+web site: <a href="http://www.samba.org">http://www.samba.org</a>. The most current
+FAQ list, bug information, and distribution locations are located at
+the web site, with links to all the Samba manual pages and HOWTOs.</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.2"/>
+
+<h3 class="head2">Samba Newsgroups</h3>
+
+<p><a name="INDEX-113"/>Usenet
+newsgroups have always been a great place to get advice on just about
+any topic. In the past few years, though, this vast pool of knowledge
+has developed something that has made it into an invaluable resource:
+a memory. Archival and search sites such as the one at
+<a name="INDEX-114"/>Google (<a href="http://groups.google.com/advanced_group_search">http://groups.google.com/advanced_group_search</a>)
+have made sifting through years of valuable solutions as simple as a
+few mouse clicks.</p>
+
+<p>The primary newsgroup for Samba is
+<em class="emphasis">comp.protocols.smb</em><a name="INDEX-115"/>. This should always be your first
+stop when there's a problem. More often than not,
+spending 5 minutes researching an error here will save hours of
+frustration while trying to debug something yourself.</p>
+
+<p>When searching a newsgroup, try to be as specific as possible, but
+not too wordy. Searching on actual error messages is best. If you
+don't find an answer immediately in the newsgroup,
+resist the temptation to post a request for help until
+you've done a bit more work on the problem. You
+might find that the answer is in a FAQ or one of the many
+documentation files that ship with Samba, or a solution might become
+evident when you run one of Samba's diagnostic
+tools. If nothing works, post a request in
+<em class="emphasis">comp.protocols.smb</em>, and be as specific as
+possible about what you have tried and what you are seeing. Include
+any error messages that appear. It might be days before you receive
+help, so be patient and keep trying things while you wait.</p>
+
+<a name="samba2-CHP-12-NOTE-161"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
+<p>Once you post a request for help, keep poking at the problem
+yourself. Most of us have had the experience of posting a Usenet
+article containing hundreds of lines of intricate detail, only to
+solve the problem an hour later after the article has blazed its way
+across several continents. The rule of thumb goes something like
+this: the more folks who have read your request, the simpler the
+solution. Usually this means that once everyone in the Unix community
+has seen your article, the solution will be something simple such as,
+"Plug the power cord into the wall
+socket."</p>
+</blockquote>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.3"/>
+
+<h3 class="head2">Samba Mailing Lists</h3>
+
+<p>The following are <a name="INDEX-116"/>mailing lists for support with Samba. See
+the Samba home page, <a href="http://www.samba.org/">http://www.samba.org/</a>, for
+information on subscribing and unsubscribing to these mailing lists:</p>
+
+<dl>
+<dt><b>samba@samba.org</b></dt>
+<dd>
+<p>This is the primary mailing list for general questions and discussion
+regarding Samba.</p>
+</dd>
+
+
+
+<dt><b>samba-announce@samba.org</b></dt>
+<dd>
+<p>This list is for receiving news regarding Samba, such as
+announcements of new releases.</p>
+</dd>
+
+
+
+<dt><b>samba-cvs@samba.org</b></dt>
+<dd>
+<p>By subscribing to this list, you can automatically receive a message
+every time one of the Samba developers updates the Samba source code
+in the CVS repository. You might want to do this if you are waiting
+for a specific bug fix or feature to be applied. To avoid congesting
+your email inbox, we suggest using the digest feature, which
+consolidates messages into a smaller number of emails.</p>
+</dd>
+
+
+
+<dt><b>samba-docs@samba.org</b></dt>
+<dd>
+<p>This list is for discussing Samba documentation.</p>
+</dd>
+
+
+
+<dt><b>samba-vms@samba.org</b></dt>
+<dd>
+<p>This mailing list is for people who are running Samba on the VMS
+operating system.</p>
+</dd>
+
+
+
+<dt><b>samba-binaries@samba.org</b></dt>
+<dd>
+<p>This is a list for developers to use when discussing precompiled
+Samba distributions.</p>
+</dd>
+
+
+
+<dt><b>samba-technical@samba.org</b></dt>
+<dd>
+<p>This mailing list is for developer discussion of the Samba code.</p>
+</dd>
+
+</dl>
+
+<p>Searchable versions of the Samba mailing list archives can be found
+at <a href="http://marc.theaimsgroup.com">http://marc.theaimsgroup.com</a>.</p>
+
+<p>When posting messages to the Samba mailing lists, keep in mind that
+you are sending your message to a large audience. The notes in the
+previous section regarding Usenet postings also apply here. A
+well-formulated question or comment is more likely to be answered,
+and a poorly conceived message is <em class="emphasis">very</em> likely to
+be ignored!</p>
+
+
+</div>
+
+
+<div class="sect2"><a name="samba2-CHP-12-SECT-3.4"/>
+
+<h3 class="head2">Further Reading</h3>
+
+<ol><li>
+<p>Hunt, Craig. <em class="emphasis">TCP/IP Network Administration</em>,
+Third Edition. Sebastopol, CA: O'Reilly
+& Associates, 1997.</p>
+</li>
+<li>
+<p>Hunt, Craig, and Robert Bruce Thompson. <em class="emphasis">Windows NT TCP/IP
+Network Administration</em>. Sebastopol, CA:
+O'Reilly & Associates, 1998.</p>
+</li>
+<li>
+<p>Albitz, Paul, and Cricket Liu. <em class="emphasis">DNS and Bind</em>,
+Fourth Edition. Sebastopol, CA: O'Reilly
+& Associates, 1998.</p>
+</li>
+<li>
+<p>Stern, Hal. <em class="emphasis">Managing NFS and NIS</em>, Second
+Edition. Sebastopol, CA: O'Reilly & Associates,
+1991.<a name="INDEX-117"/></p>
+</li></ol>
+
+</div>
+
+
+</div>
+
+<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>
projects / samba / blobdiff