LinuxQuestions.org
Old 02-24-2008, 01:04 PM   #1
Legolas327
Member
 
Registered: Apr 2006
Location: Atlanta, GA
Distribution: Ubuntu 9.10
Posts: 69

Rep: Reputation: 15
Firewall Samba driving me nuts


"Unable to find any workgroups in your local network. This might be caused by an enabled firewall."

I get this message when trying to access one Linux machine from the other. I have samba set up between two machines using Fedora 8. I have the firewall checked for allow samba in my firewalls, and ports 137-139, 445 set up in allowed in SELinux settings. I even opened up port 137-139 for the two IP addresses in the router firewalls.

Note I have both machines set up the same: Fedora 8, same workgroup, and same shared file. Maybe I am confusing the system or something? I have read many posts and setup HOWTOs. I had both of these machines running Samba configuration just fine under Fedora 5. The main difference that I know of is that I did not have SELinux activated then.

Here is my smb.conf code.
Code:
 [root@localhost sbin]# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Shared]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = HOGWARTS
        server string = Samba Server Version %v
        security = SHARE
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        acl compatibility = winnt
        server signing = auto
        preferred master = No
        domain master = No
        ldap ssl = no
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0664
        directory mask = 0775
        guest ok = Yes
        case sensitive = No
        strict locking = No
        msdfs proxy = no
[Shared]
        comment = Mythv Shared
        path = /home/mythtv/Shared
        read only = No
        create mask = 0664
        directory mask = 0775
        inherit permissions = Yes
        guest ok = Yes
        case sensitive = No
        strict locking = No
        fstype = ext3
        msdfs proxy = no
I get this as well:
Quote:
The file or folder smb://localhost/Shared does not exist.
in the logs I get this:
Quote:
[2008/02/24 13:44:13, 0] smbd/negprot.c:reply_nt1(317)
reply_nt1: smb signing is incompatible with share level security !
If you think you can solve this please help
 
Old 02-24-2008, 02:22 PM   #2
harry edwards
Member
 
Registered: Nov 2007
Location: Lincolnshire, UK
Distribution: CentOS, Fedora, and Suse
Posts: 365

Rep: Reputation: 48
Disabling your firewall will prove whether or not it is getting in the way.
 
Old 02-24-2008, 04:10 PM   #3
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
You don't allow ports in SELinux, so I don't understand your comment there.

If you're trying to attach to localhost, that's the machine you're on, not the other box.

Temporarily disable SELinux with setenforce 0 (that's a zero) on both boxes and give it a go.
 
Old 02-24-2008, 04:50 PM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
Make sure your computers' hostnames aren't localhost.
Share level security is obsolete. It would be better to use "Security = user".

Use the "smbpasswd" program to enter in each windows user/password so that the "/etc/samba/passwd" data is correct.

If you have a globally writable share be sure to set the "sticky" bit. You can create it with
chmod a=rwxt /path/to/directory

Check out the services on the other computer like:
smbclient -L <hostname>

Look for a samba-doc package. ( FC may include the docs with the samba package however )
The "Samba 3 by Example" book is very good. It takes you through step by step in creating a number of sample setups.
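
The share-level security advice above and the "smb signing is incompatible with share level security" log line from the first post can be checked mechanically. This is an added example, not part of any post in the thread: `lint_smb_dump` and `sample_dump` are hypothetical helper names, and the sample input is the relevant subset of the dump in the first post.

```shell
#!/bin/sh
# Added example: lint a testparm service dump (read from stdin) for the
# settings this thread ran into. Prints one finding per line.
lint_smb_dump() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*\[.*\][ \t]*$/ {                 # section header, e.g. [Shared]
      name = trim($0); name = substr(name, 2, length(name) - 2)
      sec = tolower(name); order[++n] = name; next
    }
    sec != "" && index($0, "=") {            # "key = value" inside a section
      eq = index($0, "=")
      conf[sec, tolower(trim(substr($0, 1, eq - 1)))] = tolower(trim(substr($0, eq + 1)))
    }
    END {
      sign = conf["global", "server signing"]
      if (conf["global", "security"] == "share") {
        print "[global] security = share: share-level security, switch to security = user"
        if (sign != "" && sign != "no")      # matches the reply_nt1 log line
          print "[global] server signing = " sign ": incompatible with share-level security"
      }
      for (i = 1; i <= n; i++) {
        s = tolower(order[i])
        if (s != "global" && conf[s, "guest ok"] == "yes" && conf[s, "read only"] == "no")
          print "[" order[i] "] guest ok = yes with read only = no: writable without a password"
      }
    }'
}

# Sample input: the relevant lines of the dump in the first post.
sample_dump() {
  cat <<'EOF'
[global]
        workgroup = HOGWARTS
        security = SHARE
        server signing = auto
[homes]
        valid users = %S
        read only = No
        guest ok = Yes
[Shared]
        path = /home/mythtv/Shared
        read only = No
        guest ok = Yes
EOF
}

sample_dump | lint_smb_dump
```

On a live system the same function can be fed with `testparm -s 2>/dev/null | lint_smb_dump`.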
 
Old 02-24-2008, 07:50 PM   #5
Legolas327
Member
 
Registered: Apr 2006
Location: Atlanta, GA
Distribution: Ubuntu 9.10
Posts: 69

Original Poster
Rep: Reputation: 15
Thanks for the speedy response:

I did as recommended before posting but did again just to be sure:

Quote:
Use the "smbpasswd" program to enter in each windows user/password so that the "/etc/samba/passwd" data is correct.

If you have a globally writable share be sure to set the "sticky" bit. You can create it with
chmod a=rwxt /path/to/directory

Check out the services on the other computer like:
smbclient -L <hostname>

Code:
[root@localhost ~]# smbclient -L localhost
Password:
Domain=[HOGWARTS] OS=[Unix] Server=[Samba 3.0.28-0.fc8]

        Sharename       Type      Comment
        ---------       ----      -------
        homes           Disk      Home Directories
        Shared          Disk      Mythv Shared
        IPC$            IPC       IPC Service (Samba Server Version 3.0.28-0.fc8)
Domain=[HOGWARTS] OS=[Unix] Server=[Samba 3.0.28-0.fc8]

        Server               Comment
        ---------            -------
        GRAYSNEW             Samba Server Version 3.0.28-0.fc8
        LOCALHOST            Samba Server Version 3.0.28-0.fc8

        Workgroup            Master
        ---------            -------
        HOGWARTS             GRAYSNEW
Quote:
Temporarily disable SELinux with setenforce 0 (that's a zero) on both boxes and give it a go.
Disabled SELinux once before but did again to be sure.
Set security to user
Code:
security = user
Sorry I set the ports in:
Quote:
system-config-firewall.py 1.0.12
 
Old 02-24-2008, 08:19 PM   #6
Legolas327
Member
 
Registered: Apr 2006
Location: Atlanta, GA
Distribution: Ubuntu 9.10
Posts: 69

Original Poster
Rep: Reputation: 15
I did all of the recommendations and it did not change. I did restart smb and rebooted to be sure that it accepted the changes.

In both machines using Konqueror I see the one machine called Graysnew. When I try to access the shared file called "Shared" the password authentication screen pops up but it won't accept the passwords I just set by smbpasswd??.

I can't see my second machine's shared files (should be seen as localhost since that machine is not given a special name). Both machines ping just fine.

It is like it does not recognize the user and password. This is the smbusers file:
Code:
[root@localhost samba]# cat smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
[root@localhost samba]#
I had all of this working with no problem before I loaded both machines to Fedora 8. I did not expect this trouble /sigh.
 
Old 02-24-2008, 08:41 PM   #7
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
If you rebooted, SELinux is back on since setenforce is not persistent.

If you can, disable your firewalls (not practical if connected to net), disable SELinux, and try it. At least you can rule out those elements and concentrate on the config.

Edit

Question - where do Windows users come in? Aren't you looking at two Fedora boxes???

Last edited by billymayday; 02-24-2008 at 08:42 PM.
 
Old 02-25-2008, 06:00 AM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
No, the name "localhost" is not fine. You need to change it. If you try to ping localhost you will be pinging yourself instead of that computer.

When you ran "smbclient -L localhost" you were looking at the shares on the local machine and not the remote host.
 
Old 02-25-2008, 07:40 PM   #9
Legolas327
Member
 
Registered: Apr 2006
Location: Atlanta, GA
Distribution: Ubuntu 9.10
Posts: 69

Original Poster
Rep: Reputation: 15
Quote:
Question - where do Windows users come in? Aren't you looking at two Fedora boxes???
Yes I am looking at two Fedora 8 boxes. No Windows users just the two machines on the same router.

Quote:
if you rebooted, SELinux is back on since setenforce is not persistent.
I was aware of this and "setenforce 0" again when they rebooted.
Quote:
No, the name "localhost" is not fine. You need to change it.
It is a pain to do? I believe I would have to change some other things at the same time???

I was able to do this before? Same two machines, and all. Just FC5?
 
Old 02-28-2008, 08:42 PM   #10
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
Quote:
Originally Posted by Legolas327
Yes I am looking at two Fedora 8 boxes. No Windows users just the two machines on the same router.


I was aware of this and "setenforce 0" again when they rebooted.
It is a pain to do? I believe I would have to change some other things at the same time???

I was able to do this before? Same two machines, and all. Just FC5?
It is easy to change the hostname in the networking dialog or by editing /etc/HOSTNAME on some distros.
If you have one computer named "localhost", when another computer tries to reach it, it will reach itself.

The only reason the "localhost" is the default, is that if there was another default, two computers with the same default hostname would cause more problems. You absolutely need to change the hostname. This could actually be what your problem is. Another computer won't be able to find your computer by hostname.

Another thing you want to do is to use "smbclient -L <hostname>" from another computer. If you don't have another Linux machine, then look at "net view \\<netbios-name>" or "net view \\IP_ADDRESS".

Also check that ports 137-139 are open. If a host is XP, it may not have NETBIOS over IP installed and rely on IP alone. If this is the case, it doesn't use broadcasts for browsing. You may need port 445 open in that case. Enabling WINS support in the Samba server (only one WINS server is allowed per subnet) might help and is required if you want browsing to cross a subnet. The main advantage of using WINS is to reduce network traffic in a Windows network due to browsing related broadcasts which are sent to every host in a subnet.
 
Old 02-28-2008, 08:51 PM   #11
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
In Fedora you'll find the hostname in /etc/sysconfig/network or similar. Have a look in there - will check when I have access to a Fedora box
 
Old 02-28-2008, 10:46 PM   #12
Legolas327
Member
 
Registered: Apr 2006
Location: Atlanta, GA
Distribution: Ubuntu 9.10
Posts: 69

Original Poster
Rep: Reputation: 15
Quote:
In Fedora you'll find the hostname in /etc/sysconfig/network or similar. Have a look in there - will check when I have access to a Fedora box
Yes Thanks, this is correct and I can now see both files from both computers. I can see the folders as samba shares but when I try to open the folder I still get the message "The file or folder smb://foo1/foo2 does not exist." I just replaced the actual network name with foo1 and the folder name with foo2. I will check into it tomorrow but I am getting closer.

If you think you may know why I get the message "The file or folder smb://foo1/foo2 does not exist." please let me know.

Thanks again
 
Old 02-28-2008, 10:56 PM   #13
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Is anything coming up in the logs?

How does foo2 tie in with the Shared or other share definition in smb.conf?
 
Old 02-28-2008, 11:16 PM   #14
Legolas327
Member
 
Registered: Apr 2006
Location: Atlanta, GA
Distribution: Ubuntu 9.10
Posts: 69

Original Poster
Rep: Reputation: 15
here is the last log:

Code:
[root@grayold samba]# cat log.graysnew
[2008/02/24 13:05:17, 0] smbd/negprot.c:reply_nt1(317)
  reply_nt1: smb signing is incompatible with share level security !
[2008/02/24 14:11:32, 0] smbd/negprot.c:reply_nt1(317)
  reply_nt1: smb signing is incompatible with share level security !
[2008/02/28 23:33:35, 0] smbd/service.c:make_connection_snum(1003)
  '/home/mythtv/Shared' does not exist or permission denied when connecting to [MythtvShared] Error was Permission denied
Quote:
How does foo2 tie in with the Shared or other share definition in smb.conf?
here is the testparm smb.conf from the target computer:

Code:
[root@GraysNew ~]# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[GrayShared]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = HOGWARTS
        server string = Samba Server Version %v
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        acl compatibility = winnt
        server signing = auto
        preferred master = No
        domain master = No
        ldap ssl = no
        cups options = raw

[homes]
        comment = Home Directories
        read only = No
        case sensitive = No

[GrayShared]
        comment = GrayNew Shared
        path = /home/gray/Shared/
        write list = gray, mythtv
        read only = No
        guest ok = Yes
        case sensitive = No
        strict locking = No
        msdfs proxy = no

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No
foo2 is the /home/gray/Shared folder with all permissions open. I have SELinux disabled by using setenforce 0. One interesting note is that when I perform that command on one computer I get a message saying SELinux Disabled but I don't get that message from this computer? I will go to the other computer and post the testparm so you can see the configuration.

Last edited by Legolas327; 02-28-2008 at 11:21 PM. Reason: edited to get information from other computer
 
Old 02-28-2008, 11:26 PM   #15
Legolas327
Member
 
Registered: Apr 2006
Location: Atlanta, GA
Distribution: Ubuntu 9.10
Posts: 69

Original Poster
Rep: Reputation: 15
I have set the folder and all files open to everyone. Note the users gray and mythtv have full writes.

Code:
drwxrwxrwx 3 gray mythtv 4096 2008-02-24 17:17 Shared/
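
The "does not exist or permission denied" log line and the earlier sticky-bit advice both depend on the modes of every directory along the share path, not only the last one shown in the listing above. This is an added example, not part of any post in the thread: `walk_share_path` is a hypothetical helper name, and it assumes the connecting account (for a guest share, the guest account) falls in the "other" permission class.

```shell
#!/bin/sh
# Added example: walk each directory component of an absolute share path and
# flag (a) components that "other" users cannot traverse and (b) world-writable
# directories without the sticky bit. Prints "FLAG mode path" per component.
walk_share_path() {
  target=$1; cur=""; rc=0
  old_ifs=$IFS; IFS=/
  set -f; set -- $target; set +f; IFS=$old_ifs   # split the path on "/"
  for part in "$@"; do
    [ -n "$part" ] || continue
    cur="$cur/$part"
    if [ ! -d "$cur" ]; then                     # absent, or parent not searchable by us
      printf '%-11s %s %s\n' "MISSING" "----------" "$cur"; return 2
    fi
    mode=$(ls -ldL "$cur" | cut -c1-10)          # e.g. drwxrwxrwx
    other_w=$(printf '%s' "$mode" | cut -c9)
    other_x=$(printf '%s' "$mode" | cut -c10)    # x, t (sticky+x), T (sticky only) or -
    case "$other_x" in
      x|t) flag="ok" ;;
      *)   flag="NO-SEARCH"; rc=1 ;;             # "other" cannot enter this directory
    esac
    if [ "$flag" = ok ] && [ "$other_w" = w ] && [ "$other_x" = x ]; then
      flag="NO-STICKY"; rc=1                     # any user may delete other users' files
    fi
    printf '%-11s %s %s\n' "$flag" "$mode" "$cur"
  done
  return $rc
}

# Usage: sh walk_share_path.sh /home/mythtv/Shared
if [ $# -gt 0 ]; then walk_share_path "$1"; fi
```

A `NO-SEARCH` line on a parent such as the home directory produces the same "Permission denied" on connect even when the share directory itself is mode 777.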
 
  

