Saturday, November 10, 2007

Fighting with Samba

I've fought with Samba before and won. However, I forgot how I did it and had to learn it all over again, so I wasted time because I had not documented the fix. Here are my notes; perhaps they will help you.

My Samba setup was on an Ubuntu 7.10 machine. I don't think that any of my problems relate to that particular release. When I started, I suspected problems in the usual area, iptables. However, I found that I had a number of other problems.

I recently randomly added some packages to my Ubuntu setup. This turned out to be a stupid mistake. I should have downloaded and understood each of them separately. In a couple of cases, the packages conflicted with each other. For example, I got both guarddog and ferm. Both of these programs manipulate iptables. I knew that I had installed an iptables manipulator, but not two!

I decided that I liked ferm better, so I removed guarddog. Next, the problem was figuring out what the rules should be. From reading the Samba manual pages, I could tell that I needed to open up NetBIOS (137 and 139) and SMB (445). However, I did not set up the rules right. I started by accepting destination ports 137, 139 and 445 and assumed that would be sufficient. However, I forgot that UDP is stateless, so the firewall could not recognize the two-way conversations. After correcting that, my ferm.conf file looks like:

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packets
        interface lo ACCEPT;

        # respond to ping
        proto icmp ACCEPT;

        # respond to smb/over netbios
        proto udp dport 139 ACCEPT;
        proto udp sport 139 ACCEPT;

        # respond to smb
        proto udp dport 445 ACCEPT;
        proto udp sport 445 ACCEPT;

        # respond to smb
        proto tcp dport 445 ACCEPT;

        # respond to nmbd
        proto udp dport 137 ACCEPT;
        proto udp sport 137 ACCEPT;

        # allow IPsec proto udp dport 500 ACCEPT;

        # allow SSH connections
        proto tcp dport ssh ACCEPT;
    }
}

I suspect that I can tighten these rules. However, at the moment, I will just stick with what works.
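Here is one way to see where the rules above could be tightened. This is an example added to these notes, not the author's rules or any ferm/Samba tooling; it parses only the simple "proto X dport/sport N ACCEPT;" rule shape used in the ferm.conf above (a constructed copy of it is embedded) and compares the accepted destination ports against the four ports the Samba daemons actually listen on. The ports and service names are the standard ones from nmbd(8) and smbd(8); everything else is an assumption of this script.

```python
"""Compare the ACCEPT rules of a ferm INPUT chain with the ports Samba uses.
Added example for these notes; not ferm's or Samba's own code."""
import re

# Constructed copy of the ferm.conf rules from the post above.
FERM_CONF = """\
table filter {
    chain INPUT {
        policy DROP;
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        interface lo ACCEPT;
        proto icmp ACCEPT;
        proto udp dport 139 ACCEPT;
        proto udp sport 139 ACCEPT;
        proto udp dport 445 ACCEPT;
        proto udp sport 445 ACCEPT;
        proto tcp dport 445 ACCEPT;
        proto udp dport 137 ACCEPT;
        proto udp sport 137 ACCEPT;
        # allow IPsec proto udp dport 500 ACCEPT;
        proto tcp dport ssh ACCEPT;
    }
}
"""

# Ports the Samba daemons listen on (nmbd(8), smbd(8)).
SAMBA_PORTS = {
    ("udp", 137): "nmbd NetBIOS name service",
    ("udp", 138): "nmbd NetBIOS datagram service (browse lists)",
    ("tcp", 139): "smbd NetBIOS session service",
    ("tcp", 445): "smbd SMB directly over TCP",
}

# Small service-name table so the script runs without /etc/services.
SERVICE_NAMES = {"ssh": 22, "netbios-ns": 137, "netbios-dgm": 138,
                 "netbios-ssn": 139, "microsoft-ds": 445}

RULE_RE = re.compile(r"proto\s+(tcp|udp)\s+(dport|sport)\s+(\S+)\s+ACCEPT;")


def to_port(token):
    """Resolve a ferm port token: numeric, or a name from SERVICE_NAMES."""
    if token in SERVICE_NAMES:
        return SERVICE_NAMES[token]
    if token.isdigit():
        return int(token)
    raise ValueError("unknown service name %r" % token)


def accepted_ports(conf):
    """Return (dport set, sport set) of (proto, port) pairs that are ACCEPTed.
    Text after '#' is dropped first, so commented-out rules do not count."""
    dports, sports = set(), set()
    for raw in conf.splitlines():
        m = RULE_RE.search(raw.split("#", 1)[0])
        if not m:
            continue
        proto, direction, token = m.groups()
        (dports if direction == "dport" else sports).add((proto, to_port(token)))
    return dports, sports


def audit(conf):
    """Summarise gaps and over-broad rules relative to SAMBA_PORTS."""
    dports, sports = accepted_ports(conf)
    return {
        # Samba ports with no dport ACCEPT rule at all.
        "missing": sorted(set(SAMBA_PORTS) - dports),
        # dport ACCEPTs that are not Samba ports (ssh is expected here).
        "unrelated": sorted(dports - set(SAMBA_PORTS)),
        # A rule that matches on source port alone admits any packet whose
        # sender chose that source port, whatever its destination port.
        "sport_only": sorted(sports),
    }


if __name__ == "__main__":
    for key, value in audit(FERM_CONF).items():
        print(key, value)
```

Run against the rules above, this reports udp/138 and tcp/139 as having no dport rule, udp/139 and udp/445 as opened although SMB does not use them, and the three sport rules as matching on source port alone. The narrower way to admit replies to NetBIOS broadcast name queries is the kernel's conntrack helper for that purpose (nf_conntrack_netbios_ns) together with the ESTABLISHED/RELATED rule already in the chain.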

I was also having problems with smbd: it was exiting when it found that port 445 was already taken. This was a mystery to me. I used netstat but could not find the process using it. So, I took a tour in /proc to find it. I did find an entry for it (in /proc/net/tcp, with the port shown as 1BD in hex); however, I could not determine which process held it. Finally, I found it by going to /var/log and searching for 445. I found that a program, nepenthes, had the port. This was another package that I had picked up at the same time. nepenthes acts as a honeypot, trying to catch worms. Of course, it should not be run on a "production" system, so I have removed it from my init.d.
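The missing step in the /proc tour above is the link from the socket's inode to a process. This is an example added to these notes, not part of the original post or of netstat: it parses the /proc/net/tcp row format (a constructed two-row sample with made-up inode numbers is embedded) and then resolves inodes to PIDs by reading the /proc/<pid>/fd symlinks, which is what netstat -p and lsof do. Reading other users' fd directories needs root, which is also why an unprivileged netstat -p shows "-" in the PID column.

```python
"""Find which process holds a listening TCP port by reading /proc directly.
Added example for these notes; not the original post's code nor netstat's."""
import os

LISTEN = "0A"  # TCP_LISTEN, as it appears in the 'st' column of /proc/net/tcp

# Constructed sample of /proc/net/tcp: a listener on 0.0.0.0:445 (01BD hex)
# and one on 127.0.0.1:631 (0277 hex). Inode numbers are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
"""


def parse_proc_net_tcp(text):
    """Return one dict (ip, port, state, inode) per socket row; header skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue  # header line or truncated row
        ip_hex, port_hex = fields[1].split(":")
        if len(ip_hex) == 8:
            # IPv4 is one little-endian 32-bit hex word on x86, so 0100007F is
            # 127.0.0.1: read the byte pairs back to front.
            ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        else:
            ip = "[ipv6]"  # /proc/net/tcp6 rows; port and inode still apply
        rows.append({"ip": ip, "port": int(port_hex, 16),
                     "state": fields[3], "inode": int(fields[9])})
    return rows


def listening_inodes(text, port):
    """Socket inodes of listeners on the given port (445 for smbd, say)."""
    return [r["inode"] for r in parse_proc_net_tcp(text)
            if r["port"] == port and r["state"] == LISTEN]


def pids_for_inodes(inodes, proc="/proc"):
    """Map socket inodes to [(pid, command name)] via /proc/<pid>/fd links."""
    wanted = {"socket:[%d]" % i: i for i in inodes}
    owners = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # permission denied, or the process already exited
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                try:
                    with open(os.path.join(proc, pid, "comm")) as f:
                        comm = f.read().strip()
                except OSError:
                    comm = "?"
                owners.setdefault(wanted[target], []).append((int(pid), comm))
    return owners


if __name__ == "__main__":
    # Live check on this machine: who is listening on the SMB ports?
    for port in (139, 445):
        inodes = []
        for path in ("/proc/net/tcp", "/proc/net/tcp6"):
            try:
                with open(path) as f:
                    inodes += listening_inodes(f.read(), port)
            except OSError:
                pass
        print(port, pids_for_inodes(inodes) or "no listener, or not visible")
```

Run as root it names the process holding 445 directly, instead of a search through /var/log; run unprivileged it will only see sockets belonging to the current user.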

Finally, my machine could be seen by the Windows machines! However, I found that I could not log in. Ugggh! The Samba manual was not clear on how authentication worked. With Wireshark, I noted that the name to be validated included the originator's NetBIOS name. This led me to search for more on authentication. Instead of using /etc/passwd, everything I could find required either the /etc/samba/smbpasswd file or domain passwords. Since I did not want to bother with creating a domain, I moved on to using smbpasswd. I learned that smbpasswd needs to be called twice:

  • smbpasswd -a user [to create the account]
  • smbpasswd user [to set the password]

My smb.conf ended up looking like:

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = BRINERNET

# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
name resolve order = lmhosts host wins bcast

#### Networking ####

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
encrypt passwords = true

obey pam restrictions = yes

; guest account = nobody
invalid users = root

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=4096 SO_SNDBUF=4096

#======================= Share Definitions ===================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
[homes]
comment = Home Directories
browseable = yes

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = yes
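A quick way to review an smb.conf like the one above for the settings that decide who can reach the server and as whom. This is an example added to these notes, not Samba's own tooling: it loads a constructed copy of the configuration with Python's configparser (smb.conf is ini-style, with "#" and ";" comment lines) and checks a handful of parameters against the defaults documented in smb.conf(5). The severity labels and messages are this script's own.

```python
"""Flag exposure-related settings in an smb.conf.
Added example for these notes; not part of Samba or of the original post."""
import configparser

# Constructed copy of the [global] and [homes] settings from the post above.
SMB_CONF = """\
[global]
workgroup = BRINERNET
server string = %h server (Samba, Ubuntu)
dns proxy = no
name resolve order = lmhosts host wins bcast
encrypt passwords = true
obey pam restrictions = yes
; guest account = nobody
invalid users = root
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=4096 SO_SNDBUF=4096

[homes]
comment = Home Directories
browseable = yes
writable = yes
"""


def load_smb_conf(text):
    # interpolation=None: %h, %U and friends are Samba's substitutions, not
    # configparser's. strict=False tolerates repeated keys, which Samba accepts.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def is_true(value):
    """Samba boolean: yes/true/1 are true (case-insensitive)."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def audit(cp):
    """Return a list of (severity, parameter, message) findings."""
    g = cp["global"]
    findings = []
    if not is_true(g.get("bind interfaces only")):
        findings.append(("warn", "bind interfaces only",
                         "not set: smbd/nmbd bind every interface, so the host "
                         "firewall is the only thing limiting exposure"))
    if "hosts allow" not in g:
        findings.append(("warn", "hosts allow",
                         "not set: any host that reaches the ports may try to authenticate"))
    if "root" not in g.get("invalid users", "").split():
        findings.append(("warn", "invalid users", "root is not excluded from logging in"))
    if not is_true(g.get("encrypt passwords", "yes")):  # default yes in Samba 3
        findings.append(("warn", "encrypt passwords", "plaintext SMB passwords enabled"))
    if g.get("security", "user").strip().lower() == "share":
        findings.append(("warn", "security", "share-level security; prefer user"))
    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append(("warn", "map to guest", "failed logins are mapped to guest"))
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        if is_true(s.get("guest ok")) or is_true(s.get("public")):
            findings.append(("warn", "[%s] guest ok" % share, "unauthenticated access"))
        if share == "homes" and is_true(s.get("browseable", "yes")):
            findings.append(("info", "[homes] browseable",
                             "a share literally named 'homes' appears in browse lists; "
                             "browseable = no there still shows each user's own home"))
    return findings


if __name__ == "__main__":
    for severity, param, msg in audit(load_smb_conf(SMB_CONF)):
        print("%-4s %-24s %s" % (severity, param, msg))
```

On the configuration above this reports that nothing restricts which interfaces or source addresses can reach the daemons (the firewall rules earlier in these notes are doing all of that work) and notes the [homes] browse-list quirk; adding "bind interfaces only = yes" with an "interfaces" line and a "hosts allow" list clears the two warnings.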

The moral of this story is: do not add too many packages at once, and make sure you think about how they will interact with each other. Also, it is a good idea to document complex changes that you don't perform too often.
