[Samba] RE: firewall (solution)

2002-11-05 Thread Richard Fox
I just wanted to post the ipchains rules that allowed nmblookup to work, as
well as findsmb. The security ramifications of opening the netbios ports are
something I will look into next. But these rules will allow not only seeing
shares from NT clients but also Samba acting as PDC.

-A input  -p tcp -s 192.168.0.0/24  -d 0/0 137:139 -j ACCEPT
-A input  -p udp -s 192.168.0.0/24  -d 0/0 137:139 -j ACCEPT
-A input  -p udp -s 192.168.0.0/24 137:139  -d 0/0 1024:   -j ACCEPT

resulting in (ipchains -L):

ACCEPT tcp  --  192.168.0.0/24   anywhere  any -> netbios-ns:netbios-ssn
ACCEPT udp  --  192.168.0.0/24   anywhere  any -> netbios-ns:netbios-ssn
ACCEPT udp  --  192.168.0.0/24   anywhere  netbios-ns:netbios-ssn -> 1024:65535


Rich



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba



[Samba] firewall continued

2002-11-04 Thread Richard Fox

I have been following the recent firewall thread with interest. I am trying
to get nmblookup and findsmb to work too. Samba shares are visible from the
Windows client and server, but nmblookup '*' only lists the local machine. I
determined from the 'firewall' thread that my firewall could be the
problem, and turned it off. Sure enough, all the machines in my domain
showed up when I ran nmblookup '*' or findsmb. So there is something going
on in my firewall chains.

Here is my ipchain setup.

Chain input (policy ACCEPT):
target prot opt source           destination   ports
ACCEPT all  --  anywhere         anywhere      n/a
ACCEPT tcp  -y  anywhere         anywhere      any -> smtp
ACCEPT tcp  -y  anywhere         anywhere      any -> http
ACCEPT tcp  -y  anywhere         anywhere      any -> ftp
ACCEPT tcp  -y  anywhere         anywhere      any -> ssh
ACCEPT tcp  --  192.168.0.0/24   anywhere      any -> netbios-ssn
ACCEPT udp  --  192.168.0.0/24   anywhere      any -> netbios-ns:netbios-ssn
ACCEPT udp  --  dns1.net         anywhere      domain -> any
ACCEPT udp  --  ns1.mydns.com    anywhere      domain -> any
ACCEPT udp  --  ns2.mydns.com    anywhere      domain -> any
REJECT tcp  -y  anywhere         anywhere      any -> any
REJECT udp  --  anywhere         anywhere      any -> any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

Please note that by default all output packets are accepted.

If I change input rule 7 (the first udp rule) to allow all udp packets,
ACCEPT udp  --  192.168.0.0/24   anywhere      any -> any

my findsmb lists all the machines in my domain. If I restrict this rule to
allow only packets to ports 137:139,
ACCEPT udp  --  192.168.0.0/24   anywhere      any -> netbios-ns:netbios-ssn

only the local machine is listed by findsmb (or nmblookup) even though
tcpdump shows udp packets coming in from all machines (to 137). So these
packets are being rejected. This is very puzzling to me because the rule
specifically allows 137:139. If I modify the rule again to allow packets
addressed to 1024: (1024 and above) only, findsmb will list all machines
EXCEPT the local machine, and very slowly. Here tcpdump shows heavy
traffic.

My question to a samba guru: exactly what ports do I need to accept udp
packets on for samba to be fully functional? It seems that a broadcast on
192.168.0.255 137 (netbios-ns) is responded to on ports other than
137:139, and that if 137:139 are the only ports whose packets are
accepted, findsmb will not work.

Thanks. By looking through the archives I can see this is a recurring
problem, but solutions are elusive. Maybe people get their network up and
simply do not post their solution, I don't know. But, please, Mr. guru,
help!





- Original Message -
From: Ulrich Kohlhase [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, November 03, 2002 11:25 AM
Subject: [Samba] RE: firewall


 Justin,

  -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
  -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
  -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT

 Did you specify OUTPUT rules also? You may want to try the following
 lines taken from a working server config. keep_state is a special
 chain for stateful inspection and logging purposes:

 -A INPUT   -p tcp -s 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
 -A OUTPUT  -p tcp -d 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
 -A OUTPUT  -p tcp -d 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
 -A INPUT   -p tcp -s 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
 -A INPUT   -p udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
 -A OUTPUT  -p udp -d 192.168.1.0/24 --dport 137:139 -j ACCEPT

 -N keep_state
 -A keep_state -m state --state INVALID -j DROP
 -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
 # debug, info, notice, warning, err, crit, alert and emerg
 -A keep_state -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level notice --log-prefix Packets dropped: 
 -A keep_state -j DROP






[Samba] nmblookup trouble

2002-11-01 Thread Richard Fox



I have two samba servers, 2.2.6, on my domain. They are both visible in
Network Neighborhood. However, running nmblookup returns different results:

[root@centauri /]# nmblookup '*'
querying * on 192.168.0.255
192.168.0.231 *<00>
192.168.0.7 *<00>
192.168.0.5 *<00>
192.168.0.10 *<00>
192.168.0.14 *<00>
192.168.0.8 *<00>
192.168.0.6 *<00>
192.168.0.9 *<00>
192.168.0.16 *<00>
[root@thor /]# nmblookup '*'
querying * on 192.168.0.255
192.168.0.10 *<00>

Thor only gets a response from thor, but centauri 
gets a response from all nodes, including thor. Why?





[Samba] PDC connect problem

2002-10-31 Thread Richard Fox
This is my second attempt to get some help; maybe my first post was too
complex, so I will simplify it and if you need more information you will ask
me. I am quite stuck so I would really appreciate some help. I am trying to
connect an NT box, mercury, to a RedHat 7.3 PDC, thor. When I try to logon
to the domain from mercury I get an error msg on my NT box which says the
domain controller for this domain cannot be located.

My smb.conf global section is:

[global]
workgroup = MYGROUP
netbios name = THOR
server string = Samba PDC %v %h
max log size = 50
security = user
smb passwd file = /etc/samba/smbpasswd
encrypt passwords = Yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
logon home = \\%L\%u
logon drive = H:
logon script = netlogon.bat
logon path = \\%L\Profiles\%u
hosts allow = 192.168.1., 127.


Mercury and thor are on their own private network, all other machines here
are on 192.168.0. I cannot pinpoint the problem. When I try to log in from
mercury, the samba log files on thor do not even register the attempt. It
should be something simple, but I have been tweaking for 3 days with no
success.

Help!





Re: [Samba] PDC connect problem

2002-10-31 Thread Richard Fox
 If this is a multi-homed machine then you might try

 interfaces = xxx.xxx.xxx.xxx
 bind interfaces only = yes

I tried this and it had no effect on the problem, which is that the domain
controller for this domain cannot be located. In order to eliminate any
possible problem of multiple networks I deleted the other network device,
eth1, which was inactive anyway, from my PDC machine. Also all other hosts
on the 192.168.0. network have been removed from my /etc/hosts file. Now I
just have eth0 set to 192.168.1.10 and localhost, thor (RH 7.3 PDC), and
mercury 192.168.1.7 (NT) in my /etc/hosts.

I also tried
  wins support = yes

and this also had no effect.

I do believe, from what I have read, that I have a minimal smb.conf file for
a PDC.  Here it is again:

[global]
workgroup = MYGROUP
netbios name = THOR
os level = 64
domain master = yes
preferred master = yes
local master = yes
security = user
encrypt passwords = yes
domain logons = yes
logon path = \\%L\Profiles\%u
logon drive = H:
logon home = \\%L\%u
logon script = netlogon.bat
[homes]
comment = Home Directories
path = %H
writeable = Yes
valid users = %S
create mode = 0664
directory mode = 0775
[netlogon]
comment = Network Logon Services
path = /home/samba/netlogon
read only = yes
   # list of all possible users who I could imagine would try to connect
   # during testing. All have samba passwords = Unix passwords (or NT in
   # case of Administrator)
write list = Administrator, rfox, root
[Profiles]
path = /home/samba/profiles
browseable = No

I am very surprised that the log file shows no attempt to connect when I try
to join the domain MYGROUP from mercury. The log file does show that samba
initialized ok and is waiting for connections.

I don't know how to simplify things any further. My network is 2 machines
only, no additional interfaces. I did remove the DNS server IPs and gateway
IP from mercury's TCP/IP settings but this also made no difference so I put
them back.

Keep these ideas coming, I am completely stumped.
Thanks,
Rich




Re: [Samba] PDC connect problem: II

2002-10-31 Thread Richard Fox


 This is all you should need for a bare minimum PDC to work.

 snip


I tried this; it didn't work. I then found out about DIAGNOSTICS.txt in the
samba distribution and started going through it step by step. I failed Step
5, which reads:


TEST 5:
---

run the command nmblookup -B ACLIENT '*'

You should get the PCs IP address back. If you don't then the client
software on the PC isn't installed correctly, or isn't started, or you
got the name of the PC wrong.

If ACLIENT doesn't resolve via DNS then use the IP address of the
client in the above test.
*

When I run nmblookup -B mercury '*' I get:
[root@thor etc]# nmblookup -B MERCURY '*'
querying * on 192.168.1.7
name_query failed to find name *

The address to mercury is resolved fine, but the lookup failed. This means
that the TCP/IP setup on the mercury NT box is wrong, no? Any ideas what
this could be?





[Samba] PDC operation: controller cannot be located error

2002-10-30 Thread Richard Fox
Hi all,

I am running Samba 2.2.5 on a RedHat 7.3 system. I am attempting to
establish this server (thor) as the PDC on my private network of (currently)
2 machines. The first machine I want to connect is an NT client, mercury. I
followed instructions from various web resources, the PDC howto, etc and
have this as my smb.conf file:

[global]
workgroup = THORDOMAIN
netbios name = THOR
server string = Samba PDC %v %h
encrypt passwords = yes
domain logons = yes
logon script = netlogon.bat
share modes = no
os level = 64
local master = yes
domain master = yes
preferred master = yes
domain admin group = admins
security = user
smb passwd file = /etc/samba/smbpasswd
hosts allow = 192.168.1., 127.
max log size = 50
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*
logon home = \\%L\%u
logon drive = H:
logon path = \\%L\Profiles\%u
 #   add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
[homes]
comment = Home Directories
path = %H
writeable = Yes
valid users = %S
create mode = 0664
directory mode = 0775
[netlogon]
comment = Network Logon Services
path = /home/samba/netlogon
read only = yes
guest ok = no
write list = adm
[Profiles]
path = /home/samba/profiles
browseable = No

The netlogon and profiles dirs were created, permissions set. Netlogon.bat
is in /usr/bin. I created an account for my NT box:

# useradd -g machines -d /dev/null -s /bin/false mercury$
# passwd -l mercury$
# smbpasswd -a -m mercury

When I try to logon to the domain from mercury I get an error msg on my NT
box which says the domain controller for this domain cannot be located.

My log.smbd file says:

[2002/10/30 10:20:28, 2] smbd/server.c:open_sockets(215)
  waiting for a connection
[2002/10/30 10:46:23, 3] smbd/oplock.c:init_oplocks(1211)
  open_oplock_ipc: opening loopback UDP socket.
[2002/10/30 10:46:23, 3] lib/util_sock.c:open_socket_in(813)
  bind succeeded on port 0
[2002/10/30 10:46:23, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(298)
  Linux kernel oplocks enabled
[2002/10/30 10:46:23, 3] smbd/oplock.c:init_oplocks(1241)
  open_oplock ipc: pid = 3008, global_oplock_port = 32773
[2002/10/30 10:46:23, 3] lib/access.c:check_access(318)
  check_access: no hostnames in host allow/deny list.
[2002/10/30 10:46:23, 0] lib/access.c:check_access(331)
  Denied connection from  (65.241.90.144)
[2002/10/30 10:46:23, 1] smbd/process.c:process_smb(869)
  Connection denied from 65.241.90.144
[2002/10/30 10:46:23, 3] smbd/sec_ctx.c:set_sec_ctx(313)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2002/10/30 10:46:23, 2] smbd/server.c:exit_server(461)
  Closing connections
[2002/10/30 10:46:23, 3] smbd/connection.c:yield_connection(48)
  Yielding connection to
[2002/10/30 10:46:23, 3] smbd/connection.c:yield_connection(61)
  yield_connection: tdb_delete for name  failed with error Record does not
exist.
[2002/10/30 10:46:23, 3] smbd/server.c:exit_server(495)
  Server exit (connection denied)

One part I do not understand is that it says
Denied connection from  (65.241.90.144)

If this is an IP address, I have no idea who this connection attempt is
from, I am on a private network with no mapping from our router. So this
must be mercury trying to connect. Perhaps to someone with a deeper
knowledge of samba this log file might point to a severe configuration error
I may have, why mercury can't locate the PDC. Yes, the systems can ping
each other. Is my config file set up correctly? Your help is greatly
appreciated.

Rich
