SMB do not listen on alias ip

Yes! I should reproduce this one, too… It is complex to reproduce in a development environment, though. Please be patient. I hope other people help us to confirm the second bug.

Well, the first problem (bind-on-alias-ip) seems trivial.

I’d prefer my fix only because the implementation is straightforward and I love removing code. However, it still does not prove to be as effective as yours.

Your fix is definitely better than mine: less invasive, no possibility of regression.

The second problem (connect-nsdc-from-vpn) must be investigated. Yes, I’d open a separate thread once it is reproducible.

However, the connection does not fail only on the VPN, but also locally.


There’s also a third problem: during the restore-config procedure, if the IP configuration is not applied automatically, smbd and nmbd wait indefinitely for that specific IP list to appear.

The wildcard approach would prevent the third problem.

I have checked this:

netstat -an |grep 389
tcp        0      0 192.168.1.241:48668     192.168.1.2:389         ESTABLISHED

192.168.1.2 is the bridged nsdc interface of the DC.
LDAP problem with the alias IP?

I’m not sure I understand your network configuration. Could you attach the output of

db networks show
config show sssd
config show nsdc
[root@samba log]# db networks show
192.168.18.0=network
    Description=
    Mask=255.255.255.0
192.168.180.0=network
    Description=vpn
    Mask=255.255.255.0
br0=bridge
    gateway=192.168.1.254
    ipaddr=192.168.1.241
    netmask=255.255.255.0
    role=green
br0:0=alias
    ipaddr=192.168.12.241
    netmask=255.255.255.0
    role=alias
br1=bridge
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    gateway=
    ipaddr=192.168.10.241
    netmask=255.255.255.0
    role=green
em1=ethernet
    FwInBandwidth=
    FwOutBandwidth=
    bridge=br0
    role=bridged
em2=ethernet
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    bridge=br1
    role=bridged
em3=ethernet
    bootproto=none
    role=
em4=ethernet
    role=
ppp0=xdsl-disabled
    AuthType=auto
    FwInBandwidth=
    FwOutBandwidth=
    Password=
    name=PPPoE
    provider=xDSL provider
    role=red
    user=


[root@samba log]# config show sssd
sssd=service
    AdDns=192.168.1.2
    LdapURI=
    Provider=ad
    Realm=XXXXX.IT
    Workgroup=XXXXX
    status=enabled

[root@samba log]# config show nsdc
nsdc=service
    IpAddress=192.168.1.2
    ProvisionType=newdomain
    bridge=br0
    status=enabled

It is a normal condition: it is a connection between your local br0 green (192.168.1.241) and the remote nsdc LDAP server.

Probably it is the sssd LDAP client opening that socket.

# ss -np 'dport = 389'
Netid State      Recv-Q Send-Q                                                          Local Address:Port                                                                         Peer Address:Port              
tcp   ESTAB      0      0                                                               192.168.5.252:45260                                                                       192.168.5.251:389                 users:(("sssd_be",pid=2526,fd=29))

OK, but in my case br0 and the nsdc LDAP server are the same machine:

192.168.1.241   physical network
192.168.1.2     bridged DC network
192.168.12.241  bridged ipsec network

same machine, same interface br0

Could you paste also (an excerpt of) /var/log/firewall.log?

Jun 12 10:05:24 samba kernel: Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=em1 PHYSOUT=vnet0 MAC=52:54:00:70:bf:d5:18:03:73:f1:9c:f5:08:00 SRC=192.168.18.24 DST=192.168.12.248 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=32300 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=57

This is the last entry, before adding network 18 to the safe networks.

192.168.12.248 is a VM on the same samba machine.

Are you running KVM, too? :fearful: How many services did you install?

rpm -qa | grep ^neth
nethserver-firewall-base-3.2.1-1.ns7.noarch
nethserver-firewall-base-ui-3.2.1-1.ns7.noarch
nethserver-base-3.0.22-1.ns7.noarch
nethserver-avahi-1.1.0-1.ns7.noarch
nethserver-duc-1.4.2-1.ns7.noarch
nethserver-mail-smarthost-0.1.1-1.ns7.noarch
nethserver-lang-en-1.1.10-1.ns7.noarch
nethserver-mysql-1.1.1-1.ns7.noarch
nethserver-httpd-3.1.4-1.ns7.noarch
nethserver-bandwidthd-1.0.2-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-memcached-1.1.0-1.ns7.noarch
nethserver-libvirt-1.1.0-1.ns7.noarch
nethserver-stephdl-1.0.0-2.ns7.sdl.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-dnsmasq-1.6.4-1.ns7.noarch
nethserver-net-snmp-1.1.0-1.ns7.noarch
nethserver-lib-2.2.3-1.ns7.noarch
nethserver-letsencrypt-1.1.4-1.ns7.noarch
nethserver-openssh-1.2.1-1.ns7.noarch
nethserver-sssd-1.2.1-1.ns7.noarch
nethserver-release-7-3.ns7.noarch
nethserver-cgp-2.1.2-1.ns7.noarch
nethserver-unbound-1.1.0-1.ns7.noarch
nethserver-ibays-3.1.1-1.ns7.noarch
nethserver-lang-it-1.1.10-1.ns7.noarch
nethserver-vsftpd-1.1.0-1.ns7.noarch
nethserver-httpd-admin-2.0.11-1.ns7.noarch
nethserver-cups-1.2.0-1.ns7.noarch
nethserver-hosts-1.2.1-1.ns7.noarch
nethserver-mail-common-1.6.3-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-dc-1.2.3-1.ns7.x86_64
nethserver-tomcat-1.1.0-1.ns7.noarch
nethserver-backup-data-1.3.1-1.ns7.noarch
nethserver-webvirtmgr-1.1.1-1.ns7.noarch
nethserver-crontabmanager-0.0.7-1.ns7.sdl.noarch
nethserver-samba-2.0.7-1.ns7.noarch
nethserver-backup-config-1.5.6-1.ns7.noarch
nethserver-postgresql-1.1.0-1.ns7.noarch
nethserver-antivirus-1.2.1-1.ns7.noarch
nethserver-phonehome-1.2.1-1.ns7.noarch
nethserver-samba-audit-1.1.2-1.ns7.noarch
nethserver-spamd-1.0.0-1.ns7.noarch
nethserver-collectd-3.0.5-1.ns7.noarch
nethserver-restore-data-1.2.3-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch

Hardware

Connection qemu:///system
Hostname samba.xxxxx.it
Hypervisor qemu
Memory 63,9 GB
Logical CPUs 40
Processor Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Architecture x86_64

Virtual Machine

erpnext      Running   4    8192MB
mail-xxxx    Running   2    2048MB
mysql        Running   8   16384MB
target       Running   4    8192MB
web          Running   2    4096MB

too many?


I tried to configure a similar system on a VPS with red+green interfaces:

  • host IP <green>.2
  • configured Active Directory DC IP <green>.7
  • configured IPsec tunnels

I can ping the host <green>.2 from the remote network. However the DC IP does not respond.

To fix this situation I did the following:

yum --installroot=/var/lib/machines/nsdc install iproute iputils bind-utils
systemd-run -M nsdc -t /bin/bash

From nsdc shell:

ip ro add default via <green>.2

I created the <green>.22 and <green>.1 aliases: smbd seems to bind on the first IP, <green>.1.

I applied the proposed workaround above: I can connect from smbclient on the remote network.


@sharpec, please see if defining a default route in your nsdc container fixes your connection problems with DC (and file server).


I have to admit I’m a little afraid to do this on DC :sweat:


OK, I’m doing it right now, but I have problems when I have to enter the static route. In fact, I cannot enter it:

ip ro add 192.168.18.0/24 via 192.168.12.253

(192.168.18.0/24 is the remote network; 192.168.12.253 is the IP of the firewall with the IPsec VPN)

ip ro add 192.168.18.0/24 via 192.168.12.253
RTNETLINK answers: Network is unreachable

ip a
 host0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 1a:d0:ba:25:2c:52 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.2/24 brd 192.168.1.255 scope global host0
       valid_lft forever preferred_lft forever
    inet 192.168.12.2/32 scope global host0:1
       valid_lft forever preferred_lft forever
    inet6 fe80::18d0:baff:fe25:2c52/64 scope link
       valid_lft forever preferred_lft forever

In essence it is the same logic I used for all the machines I want to publish in vpn ipsec, alias ip and static route!

Why should I set it as default?
Why does local traffic go directly by IP, while everything else is sent to the gateways?
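The "Network is unreachable" answer above follows from the pasted `ip a` output: the alias 192.168.12.2 is a /32, so the container has no connected route that covers the next hop 192.168.12.253. This added Python example (not code from the thread or from NethServer) applies the same on-link check the kernel does to a proposed `ip ro add ... via` next hop; the sample text is copied from the `ip a` output above.

```python
import ipaddress
import re

# Constructed sample: the IPv4 lines of host0 from the `ip a` output
# pasted in the thread (run inside the nsdc container).
IP_A_OUTPUT = """\
    inet 192.168.1.2/24 brd 192.168.1.255 scope global host0
    inet 192.168.12.2/32 scope global host0:1
"""

INET_RE = re.compile(r"^\s*inet\s+(\S+/\d+)\s", re.MULTILINE)


def connected_networks(ip_a_text):
    """Return the IPv4 networks the host has a connected (on-link) route for.

    A /32 address contributes only itself: the kernel installs no subnet
    route for it, so hosts in the "same" /24 are not directly reachable.
    """
    return [ipaddress.ip_interface(cidr).network
            for cidr in INET_RE.findall(ip_a_text)]


def nexthop_is_onlink(ip_a_text, via):
    """True if `ip route add ... via VIA` would be accepted, i.e. VIA lies
    inside a connected network (extra static routes to VIA are ignored)."""
    gw = ipaddress.ip_address(via)
    return any(gw in net for net in connected_networks(ip_a_text))


def explain_route(ip_a_text, dest, via):
    """Give the RTNETLINK verdict for `ip ro add DEST via VIA` and the reason."""
    if nexthop_is_onlink(ip_a_text, via):
        return f"ok: {via} is on-link, route to {dest} can be installed"
    return (f"Network is unreachable: no connected route covers {via} "
            f"(a /32 alias installs no subnet route)")


if __name__ == "__main__":
    # The failing command from the thread, and the same next hop once the
    # alias is read as a /24 (hypothetical variant, for comparison only).
    print(explain_route(IP_A_OUTPUT, "192.168.18.0/24", "192.168.12.253"))
    print(explain_route(IP_A_OUTPUT.replace("/32", "/24"),
                        "192.168.18.0/24", "192.168.12.253"))
```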

:astonished: I’m sorry, my bad: your configuration does not have a red interface! However it is really complex!

IIUC you have two green networks and need to communicate with other networks behind a VPN router…

At the moment, the nsdc network configuration sets the green network gateway as the default (and only) route. That gateway alone is responsible for all packet routing.

We are planning to set NethServer itself as gateway, if a red interface is present. This scenario is still not covered by our configuration and needs to be fixed.

Meanwhile I’d move forward with the original problem:

Sorry @davidep, do you think I’ve exaggerated with the services?

NethServer has a modular design and is often considered an all-in-one server. It’s perfectly fine to install all modules on a single system; however, if something is not working properly it’s more difficult to debug.

Some people prefer to split the roles across different machines, especially the firewall from everything else.


A post was split to a new topic: SMB access denied with VPNs