weekly burst of smbd process_usershare_file errors: from where?

1

For the past few weeks, every Monday morning between about 6:30 and 7:45, in a burst lasting less than a second, my Ubuntu 14.04.5 LTS fileserver logs a spate of errors from smbd.

../source3/param/loadparm.c:3259(process_usershare_file)
process_usershare_file: stat of /var/lib/samba/usershares/q.exe failed. Permission denied
process_usershare_file: stat of /var/lib/samba/usershares/q.exe failed. No such file or directory

This repeats with q.exe changed to q.dll, q.lnk, q.cmd, q.bat, q.com, and q.pif.

The directory /var/lib/samba/usershares is empty.

The irregular timestamps suggest that these errors don't stem from a cron job on the server itself.

The suffixes suggest that they relate to Windows.

The steady once-a-week timing makes malice unlikely.

So what causes them? Is some other host attempting to run Windows Defender on a mount point? (One of the fileserver's /etc/samba/smb.conf entries is [q].) More directly:

  • Can I prevent these errors from occurring in the first place?
  • Can I safely ignore these errors (by filtering them with logcheck)?

Camille Goudeseune

Posted 2017-01-17T19:55:20.767

Reputation: 1 361

Can you monitor network traffic during the burst of traffic to identify whether a host on the network is the culprit? Perhaps there's a host with malware that's scanning all SMB shares on the network looking for particular files? – Dave Lucre – 2017-02-21T23:00:11.393

While thinking about how to do that next Monday, your note here sparked an idea, which worked. grep process_usershare_file /var/log/samba/* found such lines in only one host-specific file, /var/log/samba/log.stupidWin7Host. That host was mounting that [q] share, and running Microsoft Security Essentials at that time of week. Culprit found. So I've answered my own bounty. What's the etiquette now? – Camille Goudeseune – 2017-02-22T21:26:19.607

Glad you found the culprit. I think at this point you should submit an answer to your question with how you solved it, and then mark it as the correct answer. I'm keen to know what configuration on the Win7 host caused this behavior. – Dave Lucre – 2017-02-22T21:27:38.807

MSE, fair enough :) Glad to have helped! – Dave Lucre – 2017-02-22T21:30:50.533

Answers

0

grep process_usershare_file /var/log/samba/* found such lines in only one host-specific file, /var/log/samba/log.stupidWin7Host. That host was mounting that [q] share, and running Microsoft Security Essentials at that time of week.

Camille Goudeseune

Posted 2017-01-17T19:55:20.767

Reputation: 1 361
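
The grep in the answer above identifies the client. As an added example (not part of the original post), the same attribution can also report the time span of each burst and the file names being probed. It assumes per-client logs named log.<client> and the usual smbd two-line entry format; the function name and the sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report which per-client smbd
# log recorded process_usershare_file errors, when, and for which names.
# Assumes per-client logs named log.<client> ("log file = .../log.%m").

# usershare_culprits [LOGDIR]
# One output line per affected log:
#   <client> <count> <first-timestamp> <last-timestamp> <probed,names>
usershare_culprits() (
    dir=${1:-/var/log/samba}
    for f in "$dir"/log.*; do
        [ -f "$f" ] || continue
        awk -v client="${f##*/log.}" '
            # smbd header line: "[2017/01/16 06:41:12.100000,  0] file:line(func)"
            /^\[/ { ts = substr($1, 2) "T" $2; sub(/,$/, "", ts) }
            /process_usershare_file: stat of .* failed/ {
                n++
                if (first == "") first = ts
                last = ts
                name = $4; sub(/.*\//, "", name)   # basename of the probed path
                if (!(name in seen)) {
                    seen[name] = 1
                    names = names (names == "" ? "" : ",") name
                }
            }
            END { if (n) printf "%s %d %s %s %s\n", client, n, first, last, names }
        ' "$f"
    done
)

# Constructed sample logs (hostnames and timestamps are made up).
sample=$(mktemp -d)
hdr='../source3/param/loadparm.c:3259(process_usershare_file)'
msg='  process_usershare_file: stat of /var/lib/samba/usershares'
{
    printf '[2017/01/16 06:41:12.100000,  0] %s\n' "$hdr"
    printf '%s/q.exe failed. Permission denied\n' "$msg"
    printf '[2017/01/16 06:41:12.100400,  0] %s\n' "$hdr"
    printf '%s/q.exe failed. No such file or directory\n' "$msg"
    printf '[2017/01/16 06:41:12.350000,  0] %s\n' "$hdr"
    printf '%s/q.dll failed. Permission denied\n' "$msg"
} > "$sample/log.win7host"
printf '[2017/01/16 09:00:00.000000,  1] constructed unrelated entry\n' > "$sample/log.otherhost"

usershare_culprits "$sample"
```

A sub-second burst from a single client that walks a fixed list of executable suffixes matches the scheduled-scan pattern the answer describes; the same errors spread across many client logs would call for a closer look.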