LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Firewall Samba driving me nuts (https://www.linuxquestions.org/questions/linux-security-4/firewall-samba-driving-me-nuts-623527/)

Legolas327 02-24-2008 02:04 PM

Firewall Samba driving me nuts
 
"Unable to find any workgroups in your local network. This might be caused by an enabled firewall."

I get this message when trying to access one linux machine to the other. I have samba set up between two machines using Fedora 8. I have the firewall checked for allow samba in my firewalls, and ports 137-139, 445 set up in allowed in Selinux settings. I even opened up port 137-139 for the two IP address in the router firewalls.

Note I have both machines set up the same: Fedora 8, same workgroup, and same shared file. Maybe I am confusing the system or something? I have read many posts and setup Howto's. I had both of these machines running Samba configuration just fine under Fedora 5. The main difference that I know of is that I did not have SElinux activated then.

Here is my smb.conf code.
Code:

[root@localhost sbin]# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Shared]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = HOGWARTS
        server string = Samba Server Version %v
        security = SHARE
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        acl compatibility = winnt
        server signing = auto
        preferred master = No
        domain master = No
        ldap ssl = no
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0664
        directory mask = 0775
        guest ok = Yes
        case sensitive = No
        strict locking = No
        msdfs proxy = no
[Shared]
        comment = Mythv Shared
        path = /home/mythtv/Shared
        read only = No
        create mask = 0664
        directory mask = 0775
        inherit permissions = Yes
        guest ok = Yes
        case sensitive = No
        strict locking = No
        fstype = ext3
        msdfs proxy = no

I get this as well:
Quote:

The file or folder smb://localhost/Shared does not exist.
in the logs I get this:
Quote:

[2008/02/24 13:44:13, 0] smbd/negprot.c:reply_nt1(317)
reply_nt1: smb signing is incompatible with share level security !
If you think you can solve this please help :)

harry edwards 02-24-2008 03:22 PM

Disabling your firewall will prove whether or not it is getting in the way.

billymayday 02-24-2008 05:10 PM

You don't allow ports in SELinux, so I don't understand your comment there.

if you're trying to attach to localhost, that's the machine your on not the other box.

Temporarily disable SeLinix with setenforce 0 (that's a zero) on both boxes and give it a go.

jschiwal 02-24-2008 05:50 PM

Make sure your computers hostnames aren't local host.
Share level security is obsolete. It would be better to use "Security = user".

Use the "smbpasswd" program to enter in each windows user/password so that the "/etc/samba/passwd" data is correct.

If you have a globally writable share be sure to set the "sticky" bit. You can create it with
chmod a=rwxt /path/to/directory

Check out the services on the other computer like:
smbclient -L <hostname>

Look for a samba-doc package. ( FC may include the docs with the samba package however )
The "Samba 3 by Example" book is very good. It takes you through step by step in creating a number of sample setups.

Legolas327 02-24-2008 08:50 PM

Thanks for the speedy response:

I did as recommended before posting but did again just to be sure:

Quote:

Use the "smbpasswd" program to enter in each windows user/password so that the "/etc/samba/passwd" data is correct.

If you have a globally writable share be sure to set the "sticky" bit. You can create it with
chmod a=rwxt /path/to/directory

Check out the services on the other computer like:
smbclient -L <hostname>

[
Code:

root@localhost ~]# smbclient -L localhost
Password:
Domain=[HOGWARTS] OS=[Unix] Server=[Samba 3.0.28-0.fc8]

        Sharename      Type      Comment
        ---------      ----      -------
        homes          Disk      Home Directories
        Shared          Disk      Mythv Shared
        IPC$            IPC      IPC Service (Samba Server Version 3.0.28-0.fc8)
Domain=[HOGWARTS] OS=[Unix] Server=[Samba 3.0.28-0.fc8]

        Server              Comment
        ---------            -------
        GRAYSNEW            Samba Server Version 3.0.28-0.fc8
        LOCALHOST            Samba Server Version 3.0.28-0.fc8

        Workgroup            Master
        ---------            -------
        HOGWARTS            GRAYSNEW

Quote:

Temporarily disable SeLinix with setenforce 0 (that's a zero) on both boxes and give it a go.
Disabled Selinux once before but did again to be sure.
Set security to user
Code:

security = user
Sorry I set the ports in:
Quote:

system-config-firewall.py 1.0.12

Legolas327 02-24-2008 09:19 PM

I did all of the recommendations and it did not change. I did restart smb and rebooted to be sure that it accepted the changes.

In both machines using Konqueror I see the one machine called Graysnew. When I try to access the shared file called "Shared" the password authentication screen pops up but it wont accept the pass words I just set by smbpasswd??.

I cant see my second machine's shared files (should be seen as localhost since that machine is not given a special name). Both machines ping just fine.

It is like it does not recognize the user and password. This is the smbusers file:
Code:

[root@localhost samba]# cat smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
[root@localhost samba]#

I had all of this working with no problem before I loaded both machines to Fedora 8. I did not expect this trouble /sigh.

billymayday 02-24-2008 09:41 PM

if you rebooted, SELinux is back on since setenforce is not persistent.

If you can, diable your firewalls (not practical if connected to net), disable SELinux, and try it. At least you can rul out those elements and concentrate on the config

Edit

Question - where do Windows users come in? Aren't you looking at two Fedora boxes???

jschiwal 02-25-2008 07:00 AM

No, the name "localhost" is not fine. You need to change it. If you try to ping localhost you will be pinging yourself instead of that computer.

When you ran "smbclient -L localhost" you were looking at the shares on the local machine and not the remote host.

Legolas327 02-25-2008 08:40 PM

Quote:

Question - where do Windows users come in? Aren't you looking at two Fedora boxes???
Yes I am looking at two Fedora 8 boxes. No Windows users just the two machines on the same router.

Quote:

if you rebooted, SELinux is back on since setenforce is not persistent.
I was aware of this and "setenforce 0" again when they rebooted.
Quote:

No, the name "localhost" is not fine. You need to change it.
It is a pain to do? I believe I would have to change some other things at the same time???

I able to do this before? Same two machines, and all. Just FC5?

jschiwal 02-28-2008 09:42 PM

Quote:

Originally Posted by Legolas327 (Post 3069670)
Yes I am looking at two Fedora 8 boxes. No Windows users just the two machines on the same router.


I was aware of this and "setenforce 0" again when they rebooted.
It is a pain to do? I believe I would have to change some other things at the same time???

I able to do this before? Same two machines, and all. Just FC5?

It is easy to change the hostname in the networking dialog or editing /etc/HOSTNAME on some distro's.
If you have one computer named "localhost", when another computer tries to reach it, it will reach itself.

The only reason the "localhost" is the default, is that if there was another default, two computers with the same default hostname would cause more problems. You absolutely need to change the hostname. This could actually be what your problem is. Another computer won't be able to find your computer by hostname.

Another thing you want to do is to use "smbclient -L <hostname>" from another computer. If you don't have another Linux machine, then look at "net view \\<netbios-name>" or "net view \\IP_ADDRESS".

Also check that ports 137-139 are open. If a host is XP, it may not have NETBIOS over IP installed and rely on IP alone. If this is the case, it doesn't use broadcasts for browsing. You may need port 445 open in that case. Enabling WINS support in the Samba server ( only one WINS server is allowed per subnet) might help and is required if you want browsing to cross a subnet. The main advantage of using WINS is to reduce network traffic in a windows network do to browsing related broadcasts which are sent to every host in a subnet.

billymayday 02-28-2008 09:51 PM

In Fedora you'll find the hostname in /etc/sysconfig/network or similar. Have a look in there - will check when I have access to a Fedora box

Legolas327 02-28-2008 11:46 PM

Quote:

In Fedora you'll find the hostname in /etc/sysconfig/network or similar. Have a look in there - will check when I have access to a Fedora box
Yes Thanks, this is correct and I can now see both files from both computers. I can see the folders as samba shares but when I try to open the folder I still get the message "The file or folder smb://foo1/foo2 does not exist." I just replaced the actual network name with foo1 and the folder name with the f002. I will check into it tomorrow but I am getting closer.

If you think you may know why I get the message "The file or folder smb://foo1/foo2 does not exist." please let me know.

Thanks again :)

billymayday 02-28-2008 11:56 PM

Is anything coming up in the logs?

How does foo2 tie in with the Shared or other share definition in smb.conf?

Legolas327 02-29-2008 12:16 AM

here is the last log:

Code:

[root@grayold samba]# cat log.graysnew
[2008/02/24 13:05:17, 0] smbd/negprot.c:reply_nt1(317)
  reply_nt1: smb signing is incompatible with share level security !
[2008/02/24 14:11:32, 0] smbd/negprot.c:reply_nt1(317)
  reply_nt1: smb signing is incompatible with share level security !
[2008/02/28 23:33:35, 0] smbd/service.c:make_connection_snum(1003)
  '/home/mythtv/Shared' does not exist or permission denied when connecting to [MythtvShared] Error was Permission denied

Quote:

How does foo2 tie in with the Shared or other share definition in smb.conf?
here is the testparm smb.conf from the target computer:

Code:

[root@GraysNew ~]# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[GrayShared]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = HOGWARTS
        server string = Samba Server Version %v
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        acl compatibility = winnt
        server signing = auto
        preferred master = No
        domain master = No
        ldap ssl = no
        cups options = raw

[homes]
        comment = Home Directories
        read only = No
        case sensitive = No

[GrayShared]
        comment = GrayNew Shared
        path = /home/gray/Shared/
        write list = gray, mythtv
        read only = No
        guest ok = Yes
        case sensitive = No
        strict locking = No
        msdfs proxy = no

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

foo2 is the /home/gray/Shared folder with all permissions open. I have selinux disabled by using setenforce 0. One interesting note is that when i perform that command on one computer i get a message saying SElinix Disabled but I don't get that message from this computer? I will go to the other computer and post the testparm so you can see the configuration.

Legolas327 02-29-2008 12:26 AM

I have set the folder and all files open to everyone. Note the users gray and mythtv have full writes.

Code:

drwxrwxrwx 3 gray mythtv 4096 2008-02-24 17:17 Shared/


All times are GMT -5. The time now is 04:13 AM.