linux-admin.vger.kernel.org archive mirror
* samba: unreachable - admin prohibited
@ 2005-07-29 18:10 Dermot Paikkos
  2005-07-29 18:28 ` Jens Knoell
       [not found] ` <4848.192.168.99.70.1122661523.squirrel@192.168.99.70>
  0 siblings, 2 replies; 7+ messages in thread
From: Dermot Paikkos @ 2005-07-29 18:10 UTC (permalink / raw)
  To: linux-admin

Hi 

SYS: redhat fedora 4, samba 3.0.14a-2

This is the first time I have had trouble configuring samba but I am 
completely stuck.

I have a basic smb.conf (see below) and testparm says it's fine. The
path to the one share exists and the permissions are 0777. However no
clients can reach it. Unix smbclient cannot access it:

[root]# smbclient -L polaris
Error connecting to 194.200.237.132 (No route to host)
Connection to polaris failed

Windows clients say permission denied and the network path was not
found. NT4 server-manager sees the server but can't reach it. net rpc
join fails with "Unable to find a suitable server"

tcpdump reports: 
"unreachable - admin prohibited" when I listen on the interface for 
incoming traffic from a client.

I can ping the server from other hosts (by hostname if the host has 
the server in its hosts file or by IP otherwise) but I am pretty sure 
this is a network/access problem.

The one area I am not sure about is the firewall. I left this enabled 
during the install of redhat. The iptables are listed at the end of 
this mail. portscan shows 139 running with netbios-ssn so I am not 
sure if this means traffic is allowed through or not.

Does anyone have any ideas?
Thanx.
Dp.



============== iptables ================
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

=============== End iptables ============

=======smb.conf ==========
[global]
workgroup = mygroup
server string =  132
netbios name = polaris
#hosts allow = 196.218.237.128/255.255.255.128
printcap name = /etc/printcap
#load printers = yes
cups options = raw
guest account = samba
log file = /var/log/samba/%m.log
max log size = 50
security = domain
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
default case = lower
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = yes
[share]
   comment = scanning drive
   path = /data/share
   public = yes
   writable = yes
   create mask = 0777
   browseable = yes
=============== end of smb.conf ==========


* Re: samba: unreachable - admin prohibited
  2005-07-29 18:10 samba: unreachable - admin prohibited Dermot Paikkos
@ 2005-07-29 18:28 ` Jens Knoell
       [not found] ` <4848.192.168.99.70.1122661523.squirrel@192.168.99.70>
  1 sibling, 0 replies; 7+ messages in thread
From: Jens Knoell @ 2005-07-29 18:28 UTC (permalink / raw)
  To: dermot; +Cc: linux-admin

Hi Dermot

On Fri, July 29, 2005 12:10 pm, Dermot Paikkos wrote:
[...snipped...]
> tcpdump reports:
> "unreachable - admin prohibited" when I listen on the interface for
> incoming traffic from a client.

It's a firewall issue, not a Samba issue. This message basically means
that there is an IPTables rule which prevents access to that port.

J



* Re: samba: unreachable - admin prohibited
       [not found] ` <4848.192.168.99.70.1122661523.squirrel@192.168.99.70>
@ 2005-07-29 18:33   ` Dermot Paikkos
  2005-07-29 18:55     ` Jens Knoell
       [not found]     ` <42EA9A54.3516.CAC929@localhost>
  0 siblings, 2 replies; 7+ messages in thread
From: Dermot Paikkos @ 2005-07-29 18:33 UTC (permalink / raw)
  To: linux-admin

On 29 Jul 2005 at 11:25, Scott Taylor wrote:

> 
> Dermot Paikkos said:
> > Hi
> >
> > The one area I am not sure about is the firewall. I left this
> > enabled during the install of redhat. The iptables are listed at the
> > end of this mail. portscan shows 139 running with netbios-ssn so I
> > am not sure if this means traffic is allowed through or not.
> >
> > Does anyone have any ideas?
> 
> I don't see any SMB or NMB allowed in your IPTABLES rulez.
> 
I guess the next question is how do I add a rule for smb and nmb or 
can I just turn it off to confirm that this is the source of the 
problem?

> > ============== iptables ================
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain RH-Firewall-1-INPUT (2 references)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> > ACCEPT     icmp --  anywhere             anywhere            icmp any
> > ACCEPT     ipv6-crypt--  anywhere             anywhere
> > ACCEPT     ipv6-auth--  anywhere             anywhere
> > ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
> > ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> > ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> > ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
> > ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
> > REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> >
> 
> --
> Scott
> 


~~
Dermot Paikkos * dermot@sciencephoto.com
Network Administrator @ Science Photo Library
Phone: 0207 432 1100 * Fax: 0207 286 8668



* Re: samba: unreachable - admin prohibited
  2005-07-29 18:33   ` Dermot Paikkos
@ 2005-07-29 18:55     ` Jens Knoell
  2005-07-29 19:27       ` Dermot Paikkos
       [not found]     ` <42EA9A54.3516.CAC929@localhost>
  1 sibling, 1 reply; 7+ messages in thread
From: Jens Knoell @ 2005-07-29 18:55 UTC (permalink / raw)
  To: dermot; +Cc: linux-admin

On Fri, July 29, 2005 12:33 pm, Dermot Paikkos wrote:
> On 29 Jul 2005 at 11:25, Scott Taylor wrote:
>
>>
>> Dermot Paikkos said:
>> > Hi
>> >
>> > The one area I am not sure about is the firewall. I left this
>> > enabled during the install of redhat. The iptables are listed at the
>> > end of this mail. portscan shows 139 running with netbios-ssn so I
>> > am not sure if this means traffic is allowed through or not.
>> >
>> > Does anyone have any ideas?
>>
>> I don't see any SMB or NMB allowed in your IPTABLES rulez.
>>
> I guess the next question is how do I add a rule for smb and nmb or
> can I just turn it off to confirm that this is the source of the
> problem?

Firewall rules are set in the "setup" program in your distro, if I recall
correctly. To check if the firewall is indeed the culprit, try this:
/usr/sbin/iptables -F

That will wipe the firewall temporarily, not including the NAT and mangle
tables (in case your box works as a gateway). To clean the NAT and mangle
tables too, use these:
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t mangle -F


J



* Re: samba: unreachable - admin prohibited
  2005-07-29 18:55     ` Jens Knoell
@ 2005-07-29 19:27       ` Dermot Paikkos
  0 siblings, 0 replies; 7+ messages in thread
From: Dermot Paikkos @ 2005-07-29 19:27 UTC (permalink / raw)
  To: linux-admin

On 29 Jul 2005 at 12:55, Jens Knoell wrote:

> On Fri, July 29, 2005 12:33 pm, Dermot Paikkos wrote:

> > I guess the next question is how do I add a rule for smb and nmb or
> > can I just turn it off to confirm that this is the source of the
> > problem?
> 
> Firewall rules are set in the "setup" program in your distro, if I
> recall correctly. To check if the firewall is indeed the culprit, try
> this: /usr/sbin/iptables -F
> 
> That will wipe the firewall temporarily, not including the NAT and
> mangle tables (in case your box works as a gateway). To clean the NAT
> and mangle tables too, use these: /usr/sbin/iptables -t nat -F
> /usr/sbin/iptables -t mangle -F


Well something has changed as I seem to be getting through;

[root@proxima ~]# smbclient -L polaris
Password:
session setup failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

This looks like the samba server isn't communicating with the PDC.
So then:

>net rpc join mydomain -U administrator%password
Joined domain SPL.
>[root@proxima ~]# smbclient -L polaris
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

A better error. The windows client can finally see it.

Thanx Jens & Scott. I guess I'll have to rtfm to configure the 
iptables or turn them off.
Dp.


* Re: samba: unreachable - admin prohibited
@ 2005-07-29 20:04 Scott Taylor
  0 siblings, 0 replies; 7+ messages in thread
From: Scott Taylor @ 2005-07-29 20:04 UTC (permalink / raw)
  To: linux-admin



Dermot Paikkos said:
> On 29 Jul 2005 at 11:25, Scott Taylor wrote:
>
>>
>> I don't see any SMB or NMB allowed in your IPTABLES rulez.
>>
> I guess the next question is how do I add a rule for smb and nmb or can
> I just turn it off to confirm that this is the source of the problem?

If you don't need a firewall then you should disable it.  FD4 default
rules block everything unless you specifically allow it.  To modify the
firewall you could use system-config-security (I think it is)...let me
turn on my FD4 box...da-dee-dum-dee-dum...booting...la-de-dah...takes so
long to boot this OS...go get a coffee...

Ah, here it is, "system-config-securitylevel".  It works in both X and
terminal session (command line).  You can customize it to allow the
different ports, I forget offhand what nmb and smb are on.  Or disable it
altogether.  Make sure to read the help and stuff on the screen. :)

In X it's in a really stupid place, under "Desktop" menu -> System
Settings -> Security Level.

I don't know whose silly idea it was to put system settings (like firewall
settings) under a menu called Desktop.  It's a wonder anyone can navigate
this POS OS that installs way too much gunk even when you install basic
mode. =P

Enjoy.

--
Scott
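
Added example, not part of any message in this thread: a dry-run script that finds the final REJECT (the rule behind "unreachable - admin prohibited") in the chain posted above and prints ACCEPT rules for the NetBIOS/SMB ports (udp 137, 138; tcp 139, 445) positioned ahead of it, limited to one subnet. The subnet is a placeholder and the numbered listing is a constructed, abbreviated sample.

```shell
#!/bin/sh
# Added example: print (do not run) rules admitting SMB/NMB from one subnet.

CHAIN="RH-Firewall-1-INPUT"   # chain name from the listing in this thread
LAN="192.0.2.0/24"            # placeholder subnet (assumption); use your own

# Constructed sample of `iptables -L RH-Firewall-1-INPUT -n --line-numbers`,
# abbreviated from the listing posted in the thread.
sample_listing() {
cat <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
}

# Rule number of the first REJECT in a numbered listing read from stdin.
first_reject() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "REJECT" { print $1; exit }'
}

# Emit insert commands that place the ACCEPT rules just before that REJECT.
# Each insert at position N pushes the REJECT down one slot, so N is
# incremented to keep the new rules in order and still ahead of it.
smb_rules() {
    n=$1
    [ -n "$n" ] || { echo "no REJECT rule found" >&2; return 1; }
    for spec in udp:137 udp:138 tcp:139 tcp:445; do
        proto=${spec%%:*}
        port=${spec##*:}
        echo "iptables -I $CHAIN $n -s $LAN -p $proto -m $proto --dport $port -m state --state NEW -j ACCEPT"
        n=$((n + 1))
    done
}

# On a live host: iptables -L "$CHAIN" -n --line-numbers | first_reject
smb_rules "$(sample_listing | first_reject)"
```

Rules inserted this way exist only in the running kernel; on Red Hat style systems `service iptables save` writes them to /etc/sysconfig/iptables so they survive a reboot.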


* Re: samba: unreachable - admin prohibited
       [not found]     ` <42EA9A54.3516.CAC929@localhost>
@ 2005-07-29 20:14       ` Scott Taylor
  0 siblings, 0 replies; 7+ messages in thread
From: Scott Taylor @ 2005-07-29 20:14 UTC (permalink / raw)
  To: linux-admin


Dermot Paikkos said:
> Yes, found it. Not in the place you'd expect it.
>
> Disabled now. I guess I don't have to print out the iptable man pages
> :-).

Good thing you didn't try that, there is no man page, only "info" (the new
man?) pages. :(

> Thanx scott.

You are welcome.  Happy weekend. :)

--
Scott
