Logs filling up with "smbd/service.c:make_connection" - "couldn't find service"
SuSE 9.1 Samba version 3.0.4-1.12
I've Googled this to death, and searched the forum
My /var/log/warn and /var/log/samba/log.smbd have been filling up with the following for the past year:
Dec 28 08:58:17 MY-DOMAIN smbd[8361]: [2005/12/28 08:58:17,0]
smbd/service.c:make_connection(771)
Dec 28 08:58:17 MY-DOMAIN smbd[8361]: COMPUTER_NAME (192.xx.xx.xx) couldn't find service offic
No one is reporting any problems, but it is a nuisance as it is filling /var/log/ with warn-2005xxx.gz files.
I do know that the last letter of the share gets dropped (offic = office), and as far as I can tell from Googling, this is not part of the problem.
Here is my smb.conf:
# Global parameters
[global]
workgroup = MY DOMAIN
netbios name = LINUXSERVER
server string = Primary Data Server ** SUSE 9.1 - SaMBa 3.x
passwd program = /usr/bin/passwd
unix password sync = Yes
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
add user script = /usr/sbin/useradd -c Machine -d /dev/null -s /bin/false %m$
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap suffix = dc=example,dc=com
ldap ssl = no
admin users = root, administrator
[downloads]
path = /data/downloads/
admin users = root, administrator, user1
read only = No
guest ok = Yes
[office]
path = /data/office/
read only = No
guest ok = yes
[scanned]
path = /data/scanned
read only = No
guest ok = Yes
[data]
path = /data
read only = No
guest ok = Yes
[data1]
path = /data1
read only = No
guest ok = Yes
I either want to stop these entries from logging, or fix the problem, if a problem exists
If anyone could help, that would be fantastic.
If any more info is needed, just let me know
Thanks in advance!
Last edited by DumbTerminal; 01-31-2006 at 08:52 AM.
Is this the correct place for Samba questions?
It seems the Samba questions have minimal views and no answers. The reason I ask is because I want to post in the correct area, and I can request this thread be moved.
Thanks for the help in advance
DumbTerminal:
The first thing to do is find out what's triggering these log messages. I'd do that the following way:
Shut down all workstations (smb clients).
Interactively monitor the samba server's log file with tail, as so:
Code:
tail -f /var/log/warn
and/or
Code:
tail -f /var/log/samba/log.smbd
While you're watching the logs, boot up the clients one by one, and see when those messages are produced. We're trying to isolate which client is causing these messages.
If you boot them all up and none of the warning messages are produced, then go to the clients and browse the office share one-by-one, to see when it starts spitting out those messages.
Find out which smb client is causing this. Then you can start troubleshooting properly.
As far as not having your logs grow, you could reduce the debug level from 1 (default) to 0.
To view what it's set to now, do:
Code:
smbcontrol smbd debuglevel
To change it to 0, do:
Code:
smbcontrol smbd debug 0
Note that this only affects the current smbd process, and will be reset when you reboot. If you want it to be permanent, then modify your rc.* startup script which invokes samba, and add the "-d 0" option.
I am guessing the problem is caused by a particular smb client, and not by your server. It's peculiar as to why it would truncate the sharename to 5 digits though. Are you running some shared app that uses the "office" share? If so, once you isolate the client causing the probs, check what version of that app they're running (update if possible), update their NIC drivers, etc.
Let me know what you find, as I'm curious about this.
I wish I could do hands on troubleshooting, but these are remote computers, and there are several of them.
However in the logs "COMPUTER_NAME (192.xx.xx.xx)" refers to the problem computer, and it seems to only be this computer having the problems.
The other shares are basically just data storage. The "office" share has OpenOffice installed on it. No one has had any complaints about OpenOffice not working. I don't believe they even use OO at that office.
This message is logging every few seconds, as the computers on this network are always on. I don't know if that computer itself is actually trying to connect to "office", or if that is just a Samba thing. As stated above, there have been no complaints of anything not "working", so it is hard to tell.
Does Samba try to make a connection to all of the shares in the smb.conf whether or not the user physically tries to access them?
I just find it odd that it is only one computer, and only one (probably unused) share.
I wish I had more information, as this is rather curious... If I figure anything more out, I'll post.
Thanks for your help, I appreciate it.
Last edited by DumbTerminal; 01-31-2006 at 08:52 AM.
It's log reading (staring blankly at) day again
Same thing is happening, but it looks like "couldn't find service" refers to almost all of the shares, and it is happening on almost all of the computers on the network.
I'm also getting a lot of "couldn't find service: netlogon"
I'm guessing that these messages aren't really indicative of a problem as I've had no complaints, but I would like to know if there is a problem, or if there is a way to stop these errors from logging. [Maybe there is a way to get more info in the logs?]
Thanks for any help, advice, and/or comments
*edit*
{sorry, just reread the debugging instructions above. Upped the log level to 8. Thanks}
I'll repost maybe Monday if I get better logging as to what the problem may be
EDIT:
More info:
The "couldn't find service netlogon" errors are only on computers from the branch office that is on a different subnet than the Samba server.
To clarify, there have been no complaints. Believe me, this customer is the type that calls screaming at me if she has her caps lock on and can't log in, so I would definitely have heard if there was a problem
Last edited by DumbTerminal; 01-27-2006 at 03:50 PM.
I seem to be getting the same log messages on other networks as well.
I wonder (not rhetorical) if this is a bug of some sort, or if anyone else has the same problem?
Question 2:
How do I tell Samba to only use port 139? I know that is a netbios port, and I looked in /etc/services, and saw no indication to what ports smbd is using
I have a similar issue - no real errors on the network, but several systems just started this behavior a few nights ago.
May 22 08:05:12 smb-server smbd[18777]: [2006/05/22 08:05:12, 0] smbd/service.c:make_connection(794)
May 22 08:05:12 smb-server smbd[18777]: gx260 (10.10.10.10) couldn't find service avl_proj.cmd
May 22 08:05:12 smb-server smbd[18777]: [2006/05/22 08:05:12, 0] smbd/service.c:make_connection(794)
May 22 08:05:12 smb-server smbd[18777]: gx260 (10.10.10.10) couldn't find service avl_proj.exe
May 22 08:05:12 smb-server smbd[18777]: [2006/05/22 08:05:12, 0] smbd/service.c:make_connection(794)
May 22 08:05:12 smb-server smbd[18777]: gx260 (10.10.10.10) couldn't find service avl_proj.com
May 22 08:05:12 smb-server smbd[18777]: [2006/05/22 08:05:12, 0] smbd/service.c:make_connection(794)
May 22 08:05:12 smb-server smbd[18777]: gx260 (10.10.10.10) couldn't find service avl_proj.pif
May 22 08:05:12 smb-server smbd[18777]: [2006/05/22 08:05:12, 0] smbd/service.c:make_connection(794)
May 22 08:05:12 smb-server smbd[18777]: gx260 (10.10.10.10) couldn't find service avl_proj.lnk
(IP's and machine names changed)
I tracked the errors in the log down to Windows Defender - the errors happen at the same time that Windows Defender does its scheduled daily scan (default is 2am), and changing this scan time changes the time the errors are logged. I also did tail -f and watched the errors pop in as I manually scanned with WD. There is a share on the samba server named avl_proj, and there is likely a mapped drive from the windows machine to the debian smb share.
I have been using WD for months without issue, and now several systems put this message in the logs.
It could well be a new version of WD causing the problem, and the newest version of WD was put out in Feb 06, so perhaps it is your issue as well?
I still have that problem. I pretty much have given up, as you and I are the only ones with this issue
Seriously though, it looks like our issues are a bit different
My "service" refers to a share, where yours look like they refer to programs
avl_proj.exe, avl_proj.com, avl_proj.cmd, etc...
Do you know what those files are?
I don't use Windows Defender, so that isn't my problem. It seems like it is part of yours, though, as that is too much of a coincidence.
Does Windows Defender scan the avl_proj share? Does it need to write to those shares?
Maybe as an experiment, give that share 777 permissions and tail the log again to see if the errors disappear (Not sure if that would tell anything or not, just reaching with my limited knowledge)
Or you can check to see if WD is indeed scanning that mapped drive, and set it up to not scan it
Quote:
Originally Posted by DumbTerminal
I still have that problem. I pretty much have given up, as you and I are the only ones with this issue
Seriously though, it looks like our issues are a bit different
My "service" refers to a share, where yours look like they refer to programs
avl_proj.exe, avl_proj.com, avl_proj.cmd, etc...
Do you know what those files are?
avl_proj is a share - not programs. I have no idea why the computer tries to SMB connect to the various extensions - it's like it's looking for executables named after the share.
Quote:
Originally Posted by DumbTerminal
I don't use Windows Defender, so that isn't my problem. It seems like it is part of yours, though, as that is too much of a coincidence.
Does Windows Defender scan the avl_proj share? Does it need to write to those shares?
Maybe as an experiment, give that share 777 permissions and tail the log again to see if the errors disappear (Not sure if that would tell anything or not, just reaching with my limited knowledge)
Or you can check to see if WD is indeed scanning that mapped drive, and set it up to not scan it
Good luck, and let us know what you find out
The share exists and is working without any problems, I suspected evil afoot, but nothing shows in Norton/F-Protect/Spy Sweeper/Spyware Search & Destroy/etc. Even F-secure's blacklight rootkit finder found nothing.
I have seen this problem happen on a brand new install that had never been on the internet, so I believe WD is doing something new and interesting. I may end up writing to MS support. Likely won't have any result at all.
I also have logs of dozens of shares being affected like this, not just avl_proj, but it's always shares that the computer knows about - even if there are no current mapped drives or network shares open - which is very strange.
Possibly a 'last used' file or the like is sending WD out to the share for something.
I wouldn't waste your time with MS support. They probably will stop listening once you mention Samba server.
Hopefully someone will be able to help us, or at least chime in that they are having the same or similar problems as us with more info
Any ideas?
With hundreds of users and a long development queue I would rather not get the standard "upgrade and see if it goes away" answer that is all prevailing at the moment.
We stopped using defender - as soon as we stopped defender running its scans, the messages stopped. Definitely Defender trying to scan network shares for multiple extensions of all sharenames. If we had samba shares on the network for one, two, and three, we would get messages on the sharing server to the effect of someone scanning for one.exe, one.com, one.bat, one.cmd, etc. same for two and three. Strange.
But Windows Defender isn't good enough to warrant using anyway, there are far better anti-spyware apps out there.
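Added example, not part of any post in this thread: a small Python triage script for the log lines quoted above. It tallies "couldn't find service" entries per client and separates truncated share names, names with no section in smb.conf, and the share-name-plus-extension pattern the thread traced to Windows Defender scans. The sample lines, the share set and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Message line that smbd writes after each make_connection header line.
MISS = re.compile(r"smbd\[\d+\]:\s+(?P<host>\S+) \((?P<ip>[^)]+)\) "
                  r"couldn't find service (?P<svc>\S+)\s*$")
# Extensions that appear (or are mentioned) in the thread's Defender entries.
EXEC_EXT = {"exe", "com", "cmd", "bat", "pif", "lnk"}

def classify(service, shares):
    """Label a missed service name relative to the shares smb.conf defines."""
    name = service.lower()
    base, _, ext = name.rpartition(".")
    if base in shares and ext in EXEC_EXT:
        return "share+extension"      # e.g. avl_proj.exe for share avl_proj
    if any(s.startswith(name) and s != name for s in shares):
        return "truncated share"      # e.g. offic for share office
    return "undefined"                # e.g. netlogon with no [netlogon] section

def summarize(lines, shares):
    """Count misses per (client, ip, label) so the noisy client stands out."""
    shares = {s.lower() for s in shares}
    counts = Counter()
    for line in lines:
        m = MISS.search(line)
        if m:
            counts[(m["host"], m["ip"], classify(m["svc"], shares))] += 1
    return counts

# Constructed sample lines in the log format quoted in the thread.
SHARES = {"office", "data", "avl_proj"}   # assumed share names
HDR = "May 22 08:05:12 smb-server smbd[18777]: "
SAMPLE = [
    HDR + "[2006/05/22 08:05:12, 0] smbd/service.c:make_connection(794)",
    HDR + "  PC-A (192.0.2.10) couldn't find service offic",
    HDR + "  PC-A (192.0.2.10) couldn't find service offic",
    HDR + "  PC-B (192.0.2.20) couldn't find service netlogon",
    HDR + "  gx260 (10.10.10.10) couldn't find service avl_proj.cmd",
    HDR + "  gx260 (10.10.10.10) couldn't find service avl_proj.exe",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE, SHARES).most_common():
        print(n, *key)
```

To use it on a real server, pass the lines of /var/log/samba/log.smbd and the section names from smb.conf to `summarize` instead of the constructed sample.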