Strange behavior when using 'hosts allow' parameter


Strange behavior when using 'hosts allow' parameter

Phil Quesinberry
I wanted to bring attention to some odd behavior which I don't believe is
intentional.

With Samba running, I can go to a Windows machine on the network
(10.0.0.0/24) and see all of the Samba shares by pulling up an Explorer
window and going to \\Server1. Everything appears to work as expected.
However, if I populate the 'hosts allow' parameter within smb.conf as
follows:
hosts allow = 10.0.0. 127.

I can no longer see the shares by going to \\Server1. I can, however, go to
\\Server1\sharename and pull that up just fine; I just can't see the root
path which contains all of the shares.  While this seems like a handy way to
keep users from browsing to see what shares are available, I don't think
that was the intent.

Configuration info is included below, I'll be happy to provide any
additional information required upon request.

Testparm output:
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (2048) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[hldata]"
Processing section "[C]"
Processing section "[D]"
Processing section "[MacData]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
        workgroup = HERSCHLAUREN
        realm = HERSCHLAUREN.COM
        server string = HerschLinux
        interfaces = 10.0.0.15/24, 127.0.0.1/8
        server role = active directory domain controller
        passdb backend = samba_dsdb
        deadtime = 15
        add machine script = /usr/sbin/useradd -n -g machines -d /dev/null -s /sbin/nologin %u
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        allow dns updates = nonsecure and secure
        dns forwarder = 10.0.0.1
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        idmap config * : backend = tdb
        invalid users = nobody, root
        hosts allow = 10.0.0., 127.
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4, acl_xattr

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/herschlauren.com/scripts

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[hldata]
        comment = Data directory for entire Windows share (Samba)
        path = /hldata
        valid users = administrator, lhall, pquesinb, tcordes, vquesinberry, phil
        read only = No

[C]
        comment = C: Drive
        path = /hldata/C
        valid users = administrator, lhall, pquesinb, tcordes, vquesinberry, phil
        read only = No

[D]
        comment = D: Drive
        path = /hldata/D
        valid users = administrator, lhall, pquesinb, tcordes, vquesinberry, phil
        read only = No

[MacData]
        comment = MacData directory
        path = /hldata/D/D Drive/MacData
        valid users = administrator, lhall, pquesinb, tcordes, vquesinberry, phil
        read only = No

[printers]
        comment = All Printers
        path = /usr/local/samba/var/spool
        printable = Yes
        print ok = Yes
        browseable = No

[print$]
        comment = Point and Print Printer Drivers
        path = /usr/local/samba/var/print

Version is 4.1.0pre1-GIT-0fa404c

Phil Quesinberry
Q Systems Engineering, Inc.
Embedded Systems Hardware/Software Development and VoIP Business Telephone
Hosting
Improve your business telephone services and save money
(410) 969-8002
http://www.qsystemsengineering.com <http://www.qsystemsengineering.com/>


Re: Strange behavior when using 'hosts allow' parameter

Phil Quesinberry
Some additional info on this.  When copying files from another host on the network which is allowed by the hosts allow entry, I get 'denied by access rules' entries filling the log at over 1000 lines per second.  Log level is currently set to 3.  I'm guessing I need to file a bug report:

[2013/04/19 00:24:49,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/04/19 00:24:49,  3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'denied by access rules'
[2013/04/19 00:24:49,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[denied by access rules]
[2013/04/19 00:24:49,  3] ../source4/lib/socket/access.c:298(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (10.0.0.)

Re: Strange behavior when using 'hosts allow' parameter

Ricky Nance-2
Do you see the same behavior if you add localhost and your hostname to
hosts allow? Also, with s3fs it'd be interesting to know if the hosts allow
parameter is even recognized by smbd, though I am not seeing how to check
that right at the moment.

example for your config: hosts allow = 10.0.0. 127. localhost myhostname

Ricky


On Fri, Apr 19, 2013 at 10:58 AM, Phil Quesinberry <[hidden email]> wrote:

> Some additional info on this.  When copying files from another host on the
> network which is allowed by the hosts allow entry, I get 'denied by access
> rules' entries filling the log at over 1000 lines per second.  Log level is
> currently set to 3.  I'm guessing I need to file a bug report:
>
> [2013/04/19 00:24:49,  0] ../source4/lib/socket/access.c:356(socket_check_access)
>   socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
> [2013/04/19 00:24:49,  3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
>   Terminating connection - 'denied by access rules'
> [2013/04/19 00:24:49,  3] ../source4/smbd/process_single.c:114(single_terminate)
>   single_terminate: reason[denied by access rules]
> [2013/04/19 00:24:49,  3] ../source4/lib/socket/access.c:298(only_ipaddrs_in_list)
>   only_ipaddrs_in_list: list has non-ip address (10.0.0.)

Re: Strange behavior when using 'hosts allow' parameter

Phil Quesinberry
Hi Ricky,

Yes, if I add localhost and the hostname to 'hosts allow', it complains about those in the log as well.  Changing from 10.0.0. to 10.0.0.0/24 appears to eliminate the only_ipaddrs_in_list errors related to that entry and another machine on that subnet can still connect.  I've pasted in a few of the localhost related log entries at the end of this message.

Interesting theory on smbd.

When you first log in you can see the root share but you can't seem to get to it after that unless you navigate up one level from one of the shares in Windows Explorer.  It's kind of bizarre, I'll have to see if I can characterize that behavior a little better through experimentation.

- Phil


[2013/04/20 10:44:29,  3] ../source4/lib/socket/access.c:298(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (localhost)
[2013/04/20 10:44:29,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/04/20 10:44:29,  3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'denied by access rules'
[2013/04/20 10:44:29,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[denied by access rules]
[2013/04/20 10:44:29,  3] ../source4/lib/socket/access.c:298(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (localhost)
[2013/04/20 10:44:29,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/04/20 10:44:29,  3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'denied by access rules'
[2013/04/20 10:44:29,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[denied by access rules]
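
Added example, not part of the original thread and not Samba code: a Python triage script for the log format pasted above. It counts `socket_check_access` denials per peer and lists the `hosts allow` entries that `only_ipaddrs_in_list` flagged, suggesting a CIDR form for trailing-dot prefixes as in the 10.0.0. to 10.0.0.0/24 change reported above. The function names, regexes and sample log are constructed for illustration; the prefix-to-CIDR mapping assumes each listed octet fixes 8 bits of the network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the two-line format of the log excerpts in this thread.
SAMPLE_LOG = """\
[2013/04/19 00:24:49,  3] ../source4/lib/socket/access.c:298(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (10.0.0.)
[2013/04/19 00:24:49,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/04/20 10:44:29,  3] ../source4/lib/socket/access.c:298(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (localhost)
[2013/04/20 10:44:29,  0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+\S+\((?P<func>\w+)\)$")
NON_IP = re.compile(r"list has non-ip address \((?P<entry>[^)]*)\)")
DENIED = re.compile(r"Denied connection to '(?P<svc>[^']+)' from (?P<peer>\S+)")

def prefix_to_cidr(entry):
    """Map a trailing-dot prefix such as '10.0.0.' to CIDR; None for any other form."""
    if not re.fullmatch(r"(\d{1,3}\.){1,3}", entry, re.ASCII):
        return None
    octets = [int(o) for o in entry[:-1].split(".")]
    if any(o > 255 for o in octets):
        return None
    padded = [str(o) for o in octets] + ["0"] * (4 - len(octets))
    return str(ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}"))

def summarize(log_text):
    """Return (denial count per (service, peer), flagged entry -> CIDR suggestion or None)."""
    denials, flagged, func = Counter(), {}, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            func = m.group("func")  # the message for this header is on the next line
            continue
        if func == "only_ipaddrs_in_list" and (m := NON_IP.search(line)):
            flagged[m.group("entry")] = prefix_to_cidr(m.group("entry"))
        elif func == "socket_check_access" and (m := DENIED.search(line)):
            denials[(m.group("svc"), m.group("peer"))] += 1
        func = None
    return denials, flagged

if __name__ == "__main__":
    denials, flagged = summarize(SAMPLE_LOG)
    print(dict(denials), flagged)
```

Entries that map to `None`, such as `localhost`, are names rather than address prefixes and have no CIDR equivalent to suggest.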