Samba is inaccessible from VPN

Nas · January 14, 2016, 1:13pm

Hi to all I have faced with issue that Samba share is not accessible through OpenVPN.
Please share your thoughts.

filippo_carletti · January 14, 2016, 3:10pm

I vaguely remember an issue about a system with multiple green interfaces.
What’s in /etc/samba/smb.conf?

I have:

interfaces = 127.0.0.1 192.168.x.0/24 (green network)
hosts allow = 127.0.0.1 10.9.9.0/255.255.255.0 192.168.x.0/255.255.255.0

(10.9.9.0 is the vpn network)

Nas · January 14, 2016, 3:13pm

# Only bind to allowed NIC's
bind interfaces only = yes
interfaces = 127.0.0.1 10.1.1.0/24 10.1.114.0/24 
hosts allow = 127.0.0.1 10.1.1.0/255.255.255.0 10.1.114.0/255.255.255.0 10.10.1.0/255.255.255.0 192.168.78.0/255.255.255.0

[root@nethserver log]# netstat -plane | grep smbd
tcp        0      0 127.0.0.1:445               0.0.0.0:*                   LISTEN      0          219350     1753/smbd
tcp        0      0 10.1.1.11:445               0.0.0.0:*                   LISTEN      0          219348     1753/smbd
tcp        0      0 10.1.114.11:445             0.0.0.0:*                   LISTEN      0          219344     1753/smbd
tcp        0      0 127.0.0.1:139               0.0.0.0:*                   LISTEN      0          219351     1753/smbd
tcp        0      0 10.1.1.11:139               0.0.0.0:*                   LISTEN      0          219349     1753/smbd
tcp        0      0 10.1.114.11:139             0.0.0.0:*                   LISTEN      0          219347     1753/smbd
unix  3      [ ]         STREAM     CONNECTED     219331 1753/smbd

VPN network is 10.10.1.0/24 :

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.1.1  P-t-P:10.10.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1832 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1861 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:121855 (118.9 KiB)  TX bytes:578347 (564.7 KiB)

alefattorini · January 14, 2016, 3:20pm

Try to add 10.10.1.0/24 to the interfaces parameter and re-try

Nas · January 14, 2016, 3:23pm

Already tried, samba could not bind on this interface

Nas · January 14, 2016, 3:38pm

I suppose it is a bug in Samba that it could not bind on tun interface

craaaft · February 14, 2016, 5:32pm

I have to report the same issue. Also tried to add the tunnel network to the interfaces and restart Samba but it didn’t help.

Any news on this from the Dev Team?

giacomo · February 15, 2016, 7:52am

As far as I know, nobody else has this bug (still, I currently don’t have a valid environment to reproduce it).
@nrauso, did someone report the same bad behavior?

Nas · February 15, 2016, 7:54am

It was ME

Nas · February 15, 2016, 8:07am

@giacomo as for Samba it is a known issue with Tun interface, that samba can not bind to it, but on TAP it should bind. maybe some port forward or port tunnel from VPN can be a workaround. It should be tested.

Nas · February 15, 2016, 8:09am

Hi @stephdl maybe You have some thoughts regarding this ?

mark_nl · February 15, 2016, 2:29pm

Workaround could be IP forwarding, :

iptables -t nat -A POSTROUTING -s <your.vpn.network.0>/24 -o <ethX> -j MASQUERADE
service iptables save

in /etc/sysctl.conf add:

net.ipv4.ip_forward = 1

apply sysctl:

sysctl -p

(in the case of @Nas <your.vpn.network.0> = 10.10.1.0)

samba share shoud be found at

\\<static ip server>\<share>

Nas · February 15, 2016, 2:38pm

As we use Shorewall, it can be done through masq file But it could cause another issues with other services

mark_nl · February 15, 2016, 2:57pm

Still have to read in to Shorewall… (and Nethserver/Centos as a mather of fact);

Nas · February 15, 2016, 5:51pm

Hw about this ?

github.com

samba-team/samba/blob/master/lib/tdb/test/tap-interface.h

/* 
   Unix SMB/CIFS implementation.
   Simplistic implementation of tap interface.

   Copyright (C) Rusty Russell 2012
   
     ** NOTE! The following LGPL license applies to the talloc
     ** library. This does NOT imply that all of Samba is released
     ** under the LGPL
   
   This library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 3 of the License, or (at your option) any later version.

   This library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

This file has been truncated. show original

stephdl · February 15, 2016, 8:16pm

Sorry @Nas not enough time to play at the minute, I’m changing my main server (aubrac-medical.fr) and reconfiguring my build machine for el7.

Nas · February 15, 2016, 8:21pm

@stephdl it is not a matter of minutes, but we should make some research regarding this.

stephdl · February 15, 2016, 8:39pm

Out of topic, but aubrac-medical.fr is like a a good friend that I’m leaving after an adventure of six years about free software ( smeserver, stephdl, nethserver, archlinux repositories) and a lot of (old) scripts everywhere. Today I’m a bit sad

But the new server is a monster (comparatively from the old) -> https://www.soyoustart.com/fr/offres/e3-sat-3.xml

Nas · February 15, 2016, 8:43pm

Yep, Xeon + DDR3 = Rocket

craaaft · February 16, 2016, 9:12am

Could you show how this can be done through shorewall? I am just familiar with iptables and I would like to check this workaround.