I need to have the following services from my server:
imap - mostly by lan, but occasionally external
file and print server
samba access - read and write to some directories
The problems I'm seeing are inconsistent, making it difficult to know how to find the source. Samba access is essential to me. I use a server-based korganizer, and without samba it's inaccessible. Sometimes it is working, sometimes it isn't. Last night, in desperation, I turned off selinux and the firewall so that I could finish a job, intending to get it sorted this morning. (There is a router firewall, so while security was diminished it was not totally absent.) This morning my laptop cannot make any samba connections at all.
In an attempt to find out what's happening I have searched log files, and the only relevant entries are as follows:
messages
#borg2=server - no other connection at this point
Feb 7 10:01:07 borg2 smbd[7393]: [2008/02/07 10:01:07, 0] lib/util_sock.c:read_data(534)
Feb 7 10:01:07 borg2 smbd[7393]: read_data: read failure for 4 bytes to client 192.168.0.91. Error = No route to host
Feb 7 10:03:09 borg2 smbd[7394]: [2008/02/07 10:03:09, 0] lib/util_sock.c:read_data(534)
Feb 7 10:03:09 borg2 smbd[7394]: read_data: read failure for 4 bytes to client 192.168.0.91. Error = No route to host
# laptop started - should automount borg2
Feb 7 10:09:48 borg2 automount[2590]: create_udp_client: hostname lookup failed: No such process
Feb 7 10:09:48 borg2 automount[2590]: create_tcp_client: hostname lookup failed: No such process
Feb 7 10:09:48 borg2 automount[2590]: lookup_mount: exports lookup failed for .directory
# last entry refers to nfs export?
# hostname lookup should be by way of /etc/hosts, which holds list of all lan members
secure shows nothing helpful
Way back I remember that msec used to change security settings overnight. Could this be happening?
I feel I am thrashing helplessly. I need help to find a sensible strategy for sorting this, then setting correct security measures.
TIA
Anne
On Thursday 07 February 2008 10:29, Anne Wilson wrote:
I need to have the following services from my server:
imap - mostly by lan, but occasionally external
file and print server
samba access - read and write to some directories
<snip>
I feel I am thrashing helplessly. I need help to find a sensible strategy for sorting this, then setting correct security measures.
Logwatch for yesterday shows the following:
--------------------- Automount Begin ------------------------
**Unmatched Entries**
create_udp_client: hostname lookup failed: No such process: 17 Time(s)
lookup_mount: exports lookup failed for .directory: 17 Time(s)
create_tcp_client: hostname lookup failed: No such process: 17 Time(s)
---------------------- Automount End -------------------------
--------------------- Mountd Begin ------------------------
Exit after catching signal: Signal 15: 1 Time(s)
---------------------- Mountd End -------------------------
--------------------- samba Begin ------------------------
WARNING!!!!!! Errors when creating subnets: No subnets to listen to. Shutting down. : 1 Time(s)
**Unmatched Entries**
libsmb/nmblib.c:send_udp(791) Packet send failed to 192.168.0.255(138) ERRNO=Invalid argument : 1 Time(s)
libsmb/smb_signing.c:srv_check_incoming_message(737) srv_check_incoming_message: BAD SIG: seq 2 wanted SMB signature of : 6 Time(s)
libsmb/smb_signing.c:srv_check_incoming_message(741) srv_check_incoming_message: BAD SIG: seq 2 got SMB signature of : 6 Time(s)
---------------------- samba End -------------------------
I asked the samba mailing list recently about reports similar to the last section, but have had no reply.
Anne
Anne Wilson wrote:
--------------------- samba Begin ------------------------
WARNING!!!!!! Errors when creating subnets: No subnets to listen to. Shutting down. : 1 Time(s)
Hmmm... let's see your smb.conf.
On Thursday 07 February 2008 13:53, Milton Calnek wrote:
Anne Wilson wrote:
--------------------- samba Begin ------------------------
WARNING!!!!!! Errors when creating subnets: No subnets to listen to. Shutting down. : 1 Time(s)
Hmmm... let's see your smb.conf.
[global]
workgroup = LYDGATE.LAN
server string = Samba Server Version %v
interfaces = lo, eth0, 192.168.0.0/24
map to guest = Bad User
passdb backend = tdbsam   # See comment below
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
acl compatibility = winnt
server signing = auto
os level = 66
preferred master = No   # needs changing to yes
domain master = No
ldap ssl = no
guest ok = Yes
hosts allow = 127., 192.168.0.
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[DATA1]
path = /Data1/
read only = No

[DATA2]
path = /Data2
read only = No

[DATA3]
path = /Data3/
valid users = anne, gillian, david
read only = No

[DOWNLOADS]
path = /home/anne/Downloads
read only = No

[LYDGATE DESIGN]
path = /Data1/LydgateDesign/
read only = No

[ANNE]
path = /home/anne/
read only = No
guest ok = No
case sensitive = No
strict locking = No
msdfs proxy = yes
I normally keep a minimal smb.conf, hand-edited. My LAN is a simple home one, no domain. This looks as though it was created through a gui - I believe I did examine it in kcontrol, so that's probably the reason. I don't recognise the passdb-backend line. I use smb-passwd and have never had a line like that before. Is it correct?
Anne
Anne Wilson wrote:
On Thursday 07 February 2008 13:53, Milton Calnek wrote:
Anne Wilson wrote:
--------------------- samba Begin ------------------------
WARNING!!!!!! Errors when creating subnets: No subnets to listen to. Shutting down. : 1 Time(s)
Hmmm... let's see your smb.conf.
[global]
workgroup = LYDGATE.LAN
server string = Samba Server Version %v
interfaces = lo, eth0, 192.168.0.0/24
map to guest = Bad User
passdb backend = tdbsam   # See comment below
username map = /etc/samba/smbusers
I normally keep a minimal smb.conf, hand-edited. My LAN is a simple home one, no domain. This looks as though it was created through a gui - I believe I did examine it in kcontrol, so that's probably the reason. I don't recognise the passdb-backend line. I use smb-passwd and have never had a line like that before. Is it correct?
I think the passdb is fine. It means that the samba server keeps its own password file.
I didn't see anything obvious.
Does testparm tell you anything?
What happens when you try to use smbclient?
smbclient //localhost/ANNE -U anne
On Thursday 07 February 2008 14:34, Milton Calnek wrote:
Anne Wilson wrote:
On Thursday 07 February 2008 13:53, Milton Calnek wrote:
Anne Wilson wrote:
--------------------- samba Begin ------------------------
WARNING!!!!!! Errors when creating subnets: No subnets to listen to. Shutting down. : 1 Time(s)
Hmmm... let's see your smb.conf.
[global]
workgroup = LYDGATE.LAN
server string = Samba Server Version %v
interfaces = lo, eth0, 192.168.0.0/24
map to guest = Bad User
passdb backend = tdbsam   # See comment below
username map = /etc/samba/smbusers
I normally keep a minimal smb.conf, hand-edited. My LAN is a simple home one, no domain. This looks as though it was created through a gui - I believe I did examine it in kcontrol, so that's probably the reason. I don't recognise the passdb-backend line. I use smb-passwd and have never had a line like that before. Is it correct?
I think the passdb is fine. It means that the samba server keeps its own password file.
I didn't see anything obvious.
Does testparm tell you anything?
Nothing at all. The above was taken from a testparm output.
What happens when you try to use smbclient?
smbclient //localhost/ANNE -U anne
Password:
Domain=[BORG2] OS=[Unix] Server=[Samba 3.0.25b-1.el5_1.4]
smb: >
Part way through the morning I rebooted the server and samba has performed since then. I suspect SELinux problems. I had tried to implement it yesterday, then switched it out while troubleshooting. I forgot that SELinux is one thing that really needs a reboot. I'm going to try to get the firewall working satisfactorily first, before tackling SELinux again.
Anne
On 2/7/08, Anne Wilson cannewilson@googlemail.com wrote:
On Thursday 07 February 2008 13:53, Milton Calnek wrote:
Anne Wilson wrote:
--------------------- samba Begin ------------------------
WARNING!!!!!! Errors when creating subnets: No subnets to listen to. Shutting down. : 1 Time(s)
Hmmm... let's see your smb.conf.
[global]
workgroup = LYDGATE.LAN
server string = Samba Server Version %v
interfaces = lo, eth0, 192.168.0.0/24
Hi there,
Should the IP address supplied be the actual address for eth0 rather than the network address?
ie 192.168.0.1/24 rather than 192.168.0.0/24
mike
Michael Simpson wrote:
Hi there,
Should the IP address supplied be the actual address for eth0 rather than the network address?
ie 192.168.0.1/24 rather than 192.168.0.0/24
I dunno... what does 192.168.0.1/24 mean? what does 192.168.0.0/24 mean?
The way I see it, they both mean 192.168.0.0 - 192.168.0.255.
On 2/7/08, Milton Calnek milton@calnek.com wrote:
Michael Simpson wrote:
Hi there,
Should the IP address supplied be the actual address for eth0 rather than the network address?
ie 192.168.0.1/24 rather than 192.168.0.0/24
I dunno... what does 192.168.0.1/24 mean? what does 192.168.0.0/24 mean?
The way I see it, they both mean 192.168.0.0 - 192.168.0.255.
from rfc 919
If the use of "all ones" in a field of an IP address means "broadcast", using "all zeros" could be viewed as meaning "unspecified". There is probably no reason for such addresses to appear anywhere but as the source address of an ICMP Information Request datagram. However, as a notational convention, we refer to networks (as opposed to hosts) by using addresses with zero fields. For example, 36.0.0.0 means "network number 36" while 36.255.255.255 means "all hosts on network number 36".
iirc smb.conf is expecting the actual ip address of the interface in the "interfaces=" field rather than the "network address"
The /24 is just the CIDR way of expressing the netmask therefore 192.168.0.0/24 to me means 192.168.0.0-255 because the "network" address is being used whereas 192.168.0.1/24 means the more specific "host" address 192.168.0.1.255.255.255.0
I could be wrong (often am) but it might be worth trying it out to see if it gets rid of the error pertaining to subnet creation.
mike
On Thursday 07 February 2008 15:13, Michael Simpson wrote:
I could be wrong (often am) but it might be worth trying it out to see if it gets rid of the error pertaining to subnet creation.
I took the notation as I set it from a book when I first started using samba - 2001/2? 'Using Samba', I believe. It has worked without a problem up to now. I don't think that smb.conf as such is the problem.
Anne
On 2/7/08, Anne Wilson cannewilson@googlemail.com wrote:
On Thursday 07 February 2008 15:13, Michael Simpson wrote:
I could be wrong (often am) but it might be worth trying it out to see if it gets rid of the error pertaining to subnet creation.
I took the notation as I set it from a book when I first started using samba - 2001/2? 'Using Samba', I believe. It has worked without a problem up to now. I don't think that smb.conf as such is the problem.
Anne
I agree. Life is just one big learning experience. After sitting various Cisco certs I get a bit hung up about IP addressing. Didn't use 0 subnets for years, for instance; guess I need to loosen up :-)
mike
On Thursday 07 February 2008 16:10:24 Michael Simpson wrote:
On 2/7/08, Anne Wilson cannewilson@googlemail.com wrote:
On Thursday 07 February 2008 15:13, Michael Simpson wrote:
I could be wrong (often am) but it might be worth trying it out to see if it gets rid of the error pertaining to subnet creation.
I took the notation as I set it from a book when I first started using samba - 2001/2? 'Using Samba', I believe. It has worked without a problem up to now. I don't think that smb.conf as such is the problem.
Anne
I agree. Life is just one big learning experience. After sitting various Cisco certs I get a bit hung up about IP addressing. Didn't use 0 subnets for years, for instance; guess I need to loosen up
<sigh> so after taking an hour out to eat, I come back to the laptop only to find that samba is once more unavailable. Back out to the office, and
service smb status
smbd (pid 2871 2859) is running...
nmbd dead but pid file exists
I've never known samba to be flaky before - it always either worked, or didn't.
Anne
Milton Calnek wrote:
Michael Simpson wrote:
Hi there,
Should the IP address supplied be the actual address for eth0 rather than the network address?
ie 192.168.0.1/24 rather than 192.168.0.0/24
I dunno... what does 192.168.0.1/24 mean?
this one is not always accepted.
what does 192.168.0.0/24 mean?
this is the correct one.
The way I see it, they both mean 192.168.0.0 - 192.168.0.255.
yes, but the first version is not accepted by all software. because no IP will satisfy bin(ip) & 0xffffff00 = bin(192.168.0.1)
anyway, I have a samba setup with interfaces = 192.168.10.0/24 and it works. so this is not the source of the problem.
Another, more reasonable interpretation:
what does 192.168.0.1/24 mean? (or, equivalently, 192.168.0.1/255.255.255.0) ...
what does 192.168.0.0/24 mean?
It means, "My Address is 192.168.0.1," and "I belong to the subnet with addresses that range from 192.168.0.0 through 192.168.0.255"
The rules:
1. The dotted-quad is a specific address (save for special interpretations of the first and last addresses in the range). It must be unique on the network (i.e., nobody else using it).
2. The mask 255.255.255.0 (or, in CIDR, /24) specifies what *other* addresses (the subnet range) this NIC can communicate with (including itself)
See if this made-up example makes sense:
My NIC's address: 75.213.18.72
My "neighborhood" of other addresses on this subnet: 75.213.18.0 through 75.213.19.255
There are 512 addresses in the range; 512 is equivalent to a 9-bit binary value.
To compute CIDR: 32 - (9) = 23
So, my NIC's address and mask are: 75.213.18.72/23 or, if you prefer, 75.213.18.72/255.255.254.0
Here's a completely different way to look at how to understand IP addresses from one computer on a network (I'm not teaching routing, here :-) For a 512 address range, it takes 9 bits to encode those 512 addresses. Now, look at the 32-bit address: The least-significant 9 bits identify addresses WITHIN the subnet; the rest of the bits are identical for everything WITHIN this subnet, and something else for NICs OUTSIDE the network.
I think of the MASK as identifying, in a concise way, the line between the bits to the left, and bits on the right. If a packet comes to me and the bits to the left of that line don't match mine, I ignore the packet. If that *does* match, then I see if the message has my unique bit pattern; if not, then I ignore it. If it passes both tests...It's For Me!)
Oh, and your second question:
what does 192.168.0.0/24 mean?
It means: The entire subnet from 192.168.0.0 through 192.168.0.255.
Remember, the lowest subnet range address (all bits = 0), is the address of the entire network, and the highest subnet range address (all bits = 1), is the broadcast address (to which all active addresses in the subnet range listen)
Try working it out yourself, to see if you "get" these IP addressing rules.
--Carol Anne
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of mouss
Sent: Thursday, February 07, 2008 1:21 PM
To: CentOS mailing list
Subject: Re: [CentOS] Security help desperately needed - more info
Milton Calnek wrote:
Michael Simpson wrote:
Hi there,
Should the IP address supplied be the actual address for eth0 rather than the network address?
ie 192.168.0.1/24 rather than 192.168.0.0/24
I dunno... what does 192.168.0.1/24 mean?
this one is not always accepted.
what does 192.168.0.0/24 mean?
this is the correct one.
The way I see it, they both mean 192.168.0.0 - 192.168.0.255.
yes, but the first version is not accepted by all software. because no IP will satisfy bin(ip) & 0xffffff00 = bin(192.168.0.1)
anyway, I have a samba setup with interfaces = 192.168.10.0/24 and it works. so this is not the source of the problem.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
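The subnet arithmetic in the two messages above (Carol Anne's mask-line picture and 75.213.18.72/23 example, and mouss's point that 192.168.0.1/24 has host bits set, so strict parsers reject it as a network) carried through in Python. This is an added example, not code from the list; the only address values it uses are the ones quoted in the thread, and `ipaddress` is the Python standard library, not Samba's parser.

```python
"""Worked subnet arithmetic: dotted-quad addresses, CIDR prefixes, masks,
network and broadcast addresses.  Added example, not code from the thread."""
import ipaddress


def to_int(dotted):
    """Pack a dotted-quad string such as '192.168.0.91' into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """/24 -> 0xffffff00: the top `prefix` bits set, the host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network(addr, prefix):
    """Lowest address of the range: every host bit cleared."""
    return to_dotted(to_int(addr) & mask_from_prefix(prefix))


def broadcast(addr, prefix):
    """Highest address of the range: every host bit set."""
    host_bits = ~mask_from_prefix(prefix) & 0xFFFFFFFF
    return to_dotted(to_int(addr) | host_bits)


def same_subnet(mine, other, prefix):
    """The first test in the thread: the bits left of the mask line must match."""
    mask = mask_from_prefix(prefix)
    return (to_int(mine) & mask) == (to_int(other) & mask)


def is_network_address(addr, prefix):
    """True when no host bit is set, i.e. the text names a network, not a host."""
    host_bits = ~mask_from_prefix(prefix) & 0xFFFFFFFF
    return (to_int(addr) & host_bits) == 0


def prefix_for_range_size(size):
    """512 addresses need 9 host bits, so the prefix is 32 - 9 = 23."""
    host_bits = size.bit_length() - 1
    if size <= 0 or (1 << host_bits) != size:
        raise ValueError("a subnet holds a power-of-two number of addresses")
    return 32 - host_bits


def strict_network(cidr):
    """Canonical network text, or None when host bits are set (the case
    mouss describes: strict parsers reject 192.168.0.1/24)."""
    try:
        return str(ipaddress.ip_network(cidr, strict=True))
    except ValueError:
        return None


if __name__ == "__main__":
    # The made-up example from the thread: 75.213.18.72 in a 512-address range.
    addr, prefix = "75.213.18.72", prefix_for_range_size(512)
    print("%s/%d  mask %s" % (addr, prefix, to_dotted(mask_from_prefix(prefix))))
    print("network   ", network(addr, prefix))
    print("broadcast ", broadcast(addr, prefix))
    # The two spellings discussed for the smb.conf interfaces line.
    for text in ("192.168.0.0/24", "192.168.0.1/24"):
        print(text, "->", strict_network(text) or "rejected: host bits set")
    # Does the laptop (192.168.0.91 in the logs) share the server's subnet?
    print("same subnet:", same_subnet("192.168.0.1", "192.168.0.91", 24))
```

Both spellings describe the same range, as Milton says; the difference is only whether the text also names a host. A filter or daemon that insists on a network has to see the host bits cleared, which is why `strict_network` returns None for 192.168.0.1/24.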
Michael Simpson wrote:
On 2/7/08, Anne Wilson cannewilson@googlemail.com wrote:
On Thursday 07 February 2008 13:53, Milton Calnek wrote:
Anne Wilson wrote:
--------------------- samba Begin ------------------------
WARNING!!!!!! Errors when creating subnets: No subnets to listen to. Shutting down. : 1 Time(s)
Hmmm... let's see your smb.conf.
[global]
workgroup = LYDGATE.LAN
server string = Samba Server Version %v
interfaces = lo, eth0, 192.168.0.0/24
Hi there,
Should the IP address supplied be the actual address for eth0 rather than the network address?
ie 192.168.0.1/24 rather than 192.168.0.0/24
If in doubt, RTFM:
interfaces (G)
This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable. <More in the man page>
Per the man page the interfaces directive seems to only control which interfaces smb will listen for and respond to name requests.
If you wanted smb to bind to only those interfaces you will need to combine it with:
bind interfaces only (G)
This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in slightly different ways.
For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the interfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list. IP source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for nmbd.
For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will serve to packets coming in those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.
If bind interfaces only is set then unless the network address 127.0.0.1 is added to the interfaces parameter list smbpasswd(8) and swat(8) may not work as expected due to the reasons covered below.
To change a user's SMB password, the smbpasswd by default connects to the localhost - 127.0.0.1 address as an SMB client to issue the password change request. If bind interfaces only is set then unless the network address 127.0.0.1 is added to the interfaces parameter list then smbpasswd will fail to connect in its default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its smbpasswd(8) -r remote machine parameter, with remote machine set to the IP name of the primary interface of the local host.
The swat status page tries to connect with smbd and nmbd at the address 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 will cause smbd and nmbd to always show "not running" even if they really are. This can prevent swat from starting/stopping/restarting smbd and nmbd.
Default: bind interfaces only = no
I would look at the DNS setup to make sure all host names are resolvable, maybe the /etc/hosts file isn't setup properly. Make sure smb ports are open inbound and outbound in iptables and the latest selinux profile is installed.
-Ross
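A small audit of the interface-related settings Ross quotes from the man page, run over the `[global]` section Anne posted and over a constructed variant that sets `bind interfaces only = yes` without the loopback address (the smbpasswd/swat pitfall the man page describes). This is an added example, not Samba's code or `testparm`; the parser is a minimal one written for this illustration, and the two config strings are constructed here, with `SMB_CONF_BOUND` assumed rather than taken from the thread.

```python
"""Audit the interface-related settings of an smb.conf.  Added example,
not Samba's own code; the sample configs below are constructed."""
import ipaddress
import re

# Constructed from the [global] section posted in the thread
# ("bind interfaces only" is absent, so Samba's default of no applies).
SMB_CONF_POSTED = """
[global]
    workgroup = LYDGATE.LAN
    interfaces = lo, eth0, 192.168.0.0/24
    hosts allow = 127., 192.168.0.
    map to guest = Bad User
[homes]
    read only = No
    browseable = No
"""

# Constructed (assumed) variant: bound to the listed interfaces, but the
# loopback address was left out, which is the pitfall the man page describes.
SMB_CONF_BOUND = """
[global]
    interfaces = eth0, 192.168.0.1/24
    bind interfaces only = yes
"""


def parse_smb_conf(text):
    """Minimal parser: [section] headers and 'key = value' lines.
    Keys are lower-cased with their internal whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def classify_interface(entry):
    """Tell an interface name from a host address or a network in CIDR form."""
    if "/" in entry:
        try:
            ipaddress.ip_network(entry, strict=True)
            return "network"
        except ValueError:
            return "host-with-mask"   # e.g. 192.168.0.1/24: host bits set
    try:
        ipaddress.ip_address(entry)
        return "host"
    except ValueError:
        return "name"


def audit_interfaces(sections):
    """Return (per-entry kinds, list of findings) for the [global] section."""
    g = sections.get("global", {})
    entries = [e for e in re.split(r"[,\s]+", g.get("interfaces", "")) if e]
    kinds = {e: classify_interface(e) for e in entries}
    findings = []
    bound = g.get("bind interfaces only", "no").lower() in ("yes", "true", "1")
    if not entries:
        findings.append("interfaces unset: every broadcast-capable interface "
                        "except 127.0.0.1 is used")
    if bound:
        if not any(e == "lo" or e.startswith("127.") for e in entries):
            findings.append("bind interfaces only = yes without lo/127.0.0.1: "
                            "smbpasswd and swat cannot reach smbd locally")
    else:
        findings.append("bind interfaces only = no: smbd serves every interface; "
                        "the interfaces list only shapes nmbd name service")
    if "hosts allow" not in g:
        findings.append("no hosts allow: source restriction rests on the "
                        "packet filter alone")
    return kinds, findings


if __name__ == "__main__":
    for label, text in (("posted", SMB_CONF_POSTED), ("bound", SMB_CONF_BOUND)):
        kinds, findings = audit_interfaces(parse_smb_conf(text))
        print(label, kinds)
        for finding in findings:
            print("  -", finding)
```

Run against the posted section it reports only that `bind interfaces only` is at its default, so the `interfaces` line is not restricting smbd; the `hosts allow` line and the iptables rules are what limit which sources reach the shares.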
On Thursday 07 February 2008 15:14, Ross S. W. Walker wrote:
I would look at the DNS setup to make sure all host names are resolvable, maybe the /etc/hosts file isn't setup properly. Make sure smb ports are open inbound and outbound in iptables and the latest selinux profile is installed.
/etc/hosts is fine. All possible connections on the lan are correctly defined. dns resolution is via my isp, and again the IP addresses are correctly set. That leaves the security settings, where I believe the problem is. So, let's start with iptables. I've never worked directly with iptables before. I used shorewall when I set up the older server, a long time ago. /usr/share/doc/iptables... doesn't help. Does that mean that the man pages are the only help? Googling, I suppose. Any particular documents recommended?
SELinux can wait until this is sorted.
Anne
Anne Wilson wrote:
/etc/hosts is fine. All possible connections on the lan are correctly defined. dns resolution is via my isp, and again the IP addresses are correctly set. That leaves the security settings, where I believe the problem is. So, let's start with iptables. I've never worked directly with iptables before. I used shorewall when I set up the older server, a long time ago. /usr/share/doc/iptables... doesn't help. Does that mean that the man pages are the only help? Googling, I suppose. Any particular documents recommended?
do an # iptables-save > somefile
edit somefile and put the following 4 lines "somewhere" (before the lines that reject everything)
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
adjust the IP sources (the -s 192.168.0.0/24) as you need. I am assuming that you have a rule like this: -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
then # iptables-restore < somefile
if you're happy with that, then # iptables-save > /etc/sysconfig/iptables so that this survives a reboot.
On Thursday 07 February 2008 21:30, mouss wrote:
do an # iptables-save > somefile
edit somefile and put the following 4 lines "somewhere" (before the lines that reject everything)
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
adjust the IP sources (the -s 192.168.0.0/24) as you need. I am assuming that you have a rule like this: -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
then # iptables-restore < somefile
if you're happy with that, then # iptables-save > /etc/sysconfig/iptables so that this survives a reboot.
Thanks for the reply, mouss. First, a few questions if you don't mind - it's important to me to understand what's going on :-)
If I use system-config-securitylevels with samba enabled I get the following two lines
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
while you advocate
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138
Since these two ports are labelled NETBIOS ports, I assume they are the ones used for samba. Does the system-config-securitylevels setting mean that they are accepted providing they match the state already defined above? And does yours tie it down to a more secure version, udp only?
I specifically have opened port 143, as I was unable to read my mail without it. IIUC your version will tell iptables to accept anything from the LAN. Is that right? If so, I guess that specific port-opening can be removed.
When I need an imap connection from outside the lan, the router port-forwards it. Is that then seen as a lan connection?
Thanks for your patience.
Anne
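A first-match simulation of the two rule sets compared in the last two messages (the `system-config-securitylevel` lines with no source restriction, and mouss's lines with `-s 192.168.0.0/24`), so the difference Anne asks about can be checked packet by packet. This is an added example, not iptables itself or code from the list; the rule text is copied from the messages above, the `RELATED,ESTABLISHED` line is the one mouss assumed to exist, the trailing `REJECT` line is assumed to stand for "the lines that reject everything", and 203.0.113.5 is a constructed outside address from the documentation range.

```python
"""First-match simulation of the RH-Firewall-1-INPUT rules discussed in
the thread.  Added example, not from the list or from iptables; the
rule text comes from the messages above, the trailing REJECT is assumed."""
import ipaddress

# Samba's NetBIOS/SMB ports as named in mouss's rules.
SAMBA_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Rule mouss assumed to be present already.
HEAD = ["-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"]
# What system-config-securitylevel writes for Samba (Anne's message).
SECURITYLEVEL_RULES = [
    "-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT",
]
# mouss's four lines, restricted to the LAN with -s.
MOUSS_RULES = [
    "-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT",
]
# Assumed final catch-all ("the lines that reject everything").
TAIL = ["-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"]


def parse_rule(line):
    """Pick out the matches this simulator models from one iptables-save line."""
    rule = {"chain": None, "proto": None, "src": None, "dport": None,
            "states": None, "target": None}
    tokens = line.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-A":
            rule["chain"] = arg
        elif tok == "-p":
            rule["proto"] = arg.lower()
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif tok == "--dport":
            rule["dport"] = int(arg)
        elif tok == "--state":
            rule["states"] = set(arg.upper().split(","))
        elif tok == "-j":
            rule["target"] = arg
        elif tok in ("-m", "--reject-with", "-i", "-o", "-d"):
            pass                      # takes an argument this model ignores
        else:
            i += 1                    # a bare or unknown flag: skip it alone
            continue
        i += 2                        # flag plus its argument
    return rule


def build_chain(rules):
    """The assumed established-traffic rule, the rules under test, the catch-all."""
    return [parse_rule(r) for r in HEAD + rules + TAIL]


def matches(rule, proto, dport, src, state):
    """True when every match the rule specifies holds for the packet."""
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    if rule["src"] is not None and ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["states"] is not None and state not in rule["states"]:
        return False
    return True


def verdict(chain, proto, dport, src, state="NEW"):
    """Target of the first rule matching the packet, or 'NO MATCH'."""
    for rule in chain:
        if matches(rule, proto, dport, src, state):
            return rule["target"]
    return "NO MATCH"


def samba_ports_open_to_any(chain):
    """Samba ports whose ACCEPT rule carries no -s source restriction."""
    return [(r["proto"], r["dport"]) for r in chain
            if r["target"] == "ACCEPT" and r["src"] is None
            and (r["proto"], r["dport"]) in SAMBA_PORTS]


if __name__ == "__main__":
    lan, outside = "192.168.0.91", "203.0.113.5"   # laptop from the logs; constructed
    for name, rules in (("securitylevel", SECURITYLEVEL_RULES), ("mouss", MOUSS_RULES)):
        chain = build_chain(rules)
        print(name, "open to any source:", samba_ports_open_to_any(chain))
        for proto, port in sorted(SAMBA_PORTS) + [("tcp", 143)]:
            print("  %s/%d  lan=%s  outside=%s" % (
                proto, port, verdict(chain, proto, port, lan),
                verdict(chain, proto, port, outside)))
```

The simulation shows what the two forms do rather than what they are labelled: the securitylevel lines accept 137/138 from any source, while mouss's lines accept the four Samba ports only from 192.168.0.0/24 and nothing else, so under them a new IMAP connection on tcp/143 from the LAN still falls through to the catch-all and a separate rule for it stays necessary.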