SMB does not listen on alias IP

'Morning!
I have added one IP alias on the green interface: 192.168.1.241 + 192.168.12.241

From netstat -an I see Samba listening on all IPs except 192.168.12.241

Then, as usual, I made the change by hand and added to smb.conf

interfaces = 127.0.0.1 192.168.1.0/24 192.168.10.0/24 192.168.12.0/24

now the folder is visible from network 12, but obviously, authentication on the folder failed

the only message in the secure log is
Jun 14 09:28:47 samba smbd[392132]: pam_unix(samba:session): session closed for user nobody

What am I forgetting?


@davidep, did you mention this problem to me in the past?

Great catch @sharpec!

I noticed the same problem some days ago (as Filippo recalls)…

Yes, we could list alias IPs under interfaces

Otherwise we could not use interfaces at all, and make smbd and nmbd bind on all available IPs. Access is controlled by the firewall configuration, too…


Edit: This is the workaround. I don’t know if/how it works on gateways:

$ cat /etc/e-smith/templates-custom/etc/samba/smb.conf/11interfaces

#
# 11interfaces -- custom
#
# Revert to samba default to bind IP aliases
#
[global]
interfaces = 
bind interfaces only = no

Then run

signal-event nethserver-samba-update

@sharpec, could you test it?
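To verify what the workaround (or, alternatively, listing the alias addresses under interfaces) actually changed, the following shell script is an added example; it is not code from this thread or from NethServer. It compares the IPv4 addresses configured on the host with the addresses that have a TCP/445 listener and prints any address that no listener covers. It assumes the output formats of "ip -4 -o addr" and "ss -ltn"; the sample data embedded in it is constructed, modelled on the interfaces in this thread. Keep in mind that with "bind interfaces only = no" and an empty interfaces list smbd listens on 0.0.0.0, so after the workaround the firewall is the only thing deciding which networks can reach port 445.

```shell
#!/bin/sh
# Added example, not from the thread or from NethServer: report local IPv4
# addresses that have no TCP/445 (SMB) listener.
#
# The checks take text on stdin so they can run on captured output; on a
# live host feed them "ip -4 -o addr" and "ss -ltn" (assumed formats).

# One local IPv4 address per line, from "ip -4 -o addr" output.
local_ipv4_addrs() {
    # fields: index ifname inet a.b.c.d/len ...
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# Local addresses from "ss -ltn" output that have a listener on port $1.
listeners_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) { sub(":" port "$", "", $4); print $4 }
        }'
}

# Print every address in file $1 that does not appear in listener file $2.
# A wildcard listener (0.0.0.0 or *) covers all addresses: no output.
uncovered_addrs() {
    if grep -qxF -e '0.0.0.0' -e '*' "$2"; then
        return 0
    fi
    grep -vxF -f "$2" "$1" || true
}

# Run all three steps on two blobs of text: $1 = ip output, $2 = ss output.
check_smb_binding() {
    addrs=$(mktemp); listen=$(mktemp)
    printf '%s\n' "$1" | local_ipv4_addrs > "$addrs"
    printf '%s\n' "$2" | listeners_on_port 445 > "$listen"
    uncovered_addrs "$addrs" "$listen"
    rm -f "$addrs" "$listen"
}

# Constructed sample, modelled on the thread: br0 carries a primary address
# and the br0:0 alias, br1 is a second green bridge.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: br0   inet 192.168.1.241/24 brd 192.168.1.255 scope global br0
2: br0   inet 192.168.12.241/24 brd 192.168.12.255 scope global secondary br0:0
3: br1   inet 192.168.10.241/24 brd 192.168.10.255 scope global br1'

# Constructed "ss -ltn" sample: smbd bound to the primary addresses only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:445      0.0.0.0:*
LISTEN 0      50     192.168.1.241:445  0.0.0.0:*
LISTEN 0      50     192.168.10.241:445 0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Prints 192.168.12.241: the alias address has no SMB listener.
check_smb_binding "$SAMPLE_ADDRS" "$SAMPLE_SS"
```

On a live host replace the two samples with "$(ip -4 -o addr)" and "$(ss -ltn)"; an empty result after the workaround means the wildcard listener is in place, and the remaining question is whether Shorewall lets the client networks reach it.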

ok @davidep, now Samba listens on 0.0.0.0:445 /137 /138 /139

but login from the remote network, on IP 192.168.12.241, continues to fail

The connection is from the IPsec VPN network 192.168.18.0 to network 192.168.12.0

I have already added network 18 to the allowed networks; in fact the share list is shown.

Is it a problem that I have the domain on the nsdc network, and that this interface does not seem to be visible on the VPN?

edit: I have tried to log in from the local network (not VPN) on alias IP 12… it continues to fail
on physical IP 1, login works, the password is correct :slight_smile:

Did this setting fix the problem on IPsec, too?

Yes, it has solved it in the sense that the folders are visible.

But I only have access to those folders with read permissions for everyone.
If I have to go into a secure folder, when I try to log in, it does not allow me to log in.

Should I close this post and open another?

Yes! I should reproduce this one, too… It is complex to reproduce in a development environment, though. Please be patient. I hope other people help us to confirm the second bug.

Well, the first problem (bind-on-alias-ip) seems trivial.

I’d prefer my fix only because the implementation is straightforward and I love removing code. However, it still does not prove it is as effective as yours.

Your fix is definitely better than mine: less invasive, no possibility of regression.

The second problem (connect-nsdc-from-vpn) must be investigated. Yes, I’d open a separate thread once it is reproducible.

However, the connection fails not only on the VPN, but also locally.


There’s also a third problem: during the restore-config procedure, if the IP configuration is not applied automatically, smbd and nmbd wait indefinitely for that specific IP list to appear.

The wildcard approach would prevent the third problem.

I have checked this

netstat -an |grep 389
tcp        0      0 192.168.1.241:48668     192.168.1.2:389         ESTABLISHED

192.168.1.2 is the bridged nsdc interface of the DC
LDAP problem with the alias IP?

I’m not sure I understand your network configuration. Could you attach the output of

db networks show
config show sssd
config show nsdc
[root@samba log]# db networks show
192.168.18.0=network
    Description=
    Mask=255.255.255.0
192.168.180.0=network
    Description=vpn
    Mask=255.255.255.0
br0=bridge
    gateway=192.168.1.254
    ipaddr=192.168.1.241
    netmask=255.255.255.0
    role=green
br0:0=alias
    ipaddr=192.168.12.241
    netmask=255.255.255.0
    role=alias
br1=bridge
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    gateway=
    ipaddr=192.168.10.241
    netmask=255.255.255.0
    role=green
em1=ethernet
    FwInBandwidth=
    FwOutBandwidth=
    bridge=br0
    role=bridged
em2=ethernet
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    bridge=br1
    role=bridged
em3=ethernet
    bootproto=none
    role=
em4=ethernet
    role=
ppp0=xdsl-disabled
    AuthType=auto
    FwInBandwidth=
    FwOutBandwidth=
    Password=
    name=PPPoE
    provider=xDSL provider
    role=red
    user=


[root@samba log]# config show sssd
sssd=service
    AdDns=192.168.1.2
    LdapURI=
    Provider=ad
    Realm=XXXXX.IT
    Workgroup=XXXXX
    status=enabled

[root@samba log]# config show nsdc
nsdc=service
    IpAddress=192.168.1.2
    ProvisionType=newdomain
    bridge=br0
    status=enabled

It is a normal condition: it is a connection between your local br0 green (192.168.1.241) and the remote nsdc LDAP server.

Probably it is the sssd LDAP client opening that socket.

# ss -np 'dport = 389'
Netid State Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   ESTAB 0      0      192.168.5.252:45260  192.168.5.251:389  users:(("sssd_be",pid=2526,fd=29))

ok, but in my case, br0 and the nsdc LDAP server are on the same machine

192.168.1.241   physical network
192.168.1.2     bridged DC network
192.168.12.241  bridged ipsec network

same machine, same interface br0

Could you paste also (an excerpt of) /var/log/firewall.log?

Jun 12 10:05:24 samba kernel: Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=em1 PHYSOUT=vnet0 MAC=52:54:00:70:bf:d5:18:03:73:f1:9c:f5:08:00 SRC=192.168.18.24 DST=192.168.12.248 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=32300 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=57

last entry,
before adding network 18 to the safe networks

12.248 is a VM on the same Samba machine
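To tell whether it is the firewall rather than Samba that stops the VPN clients, the following shell script is an added example and not part of this thread or of NethServer. It parses Shorewall log lines of the kind quoted above into chain, action, source, destination, protocol and destination port, and lists dropped or rejected flows towards a given subnet prefix with a per-flow count, so a DROP of TCP/445 from the 192.168.18.0 network into the alias subnet shows up at once. The log lines embedded below are constructed for the example: the first is modelled on the entry above, the others are illustrative, and their chain names, addresses and MACs are assumptions rather than captured data.

```shell
#!/bin/sh
# Added example, not from the thread or from NethServer: summarise
# Shorewall log entries from /var/log/firewall.log.

# One event per Shorewall log line: chain action src dst proto dport.
# Fields a line does not carry (ICMP has no DPT=) print as "-".
shorewall_events() {
    awk '
        /Shorewall:/ {
            # Locate the tag, which looks like Shorewall:net2loc:DROP:IN=br0
            for (i = 1; i <= NF; i++) if ($i ~ /^Shorewall:/) break
            split($i, t, ":")
            chain = t[2]; action = t[3]
            src = dst = proto = dpt = "-"
            for (j = i; j <= NF; j++) {
                if ($j ~ /^SRC=/)   src   = substr($j, 5)
                if ($j ~ /^DST=/)   dst   = substr($j, 5)
                if ($j ~ /^PROTO=/) proto = substr($j, 7)
                if ($j ~ /^DPT=/)   dpt   = substr($j, 5)
            }
            print chain, action, src, dst, proto, dpt
        }'
}

# Dropped or rejected flows whose destination starts with the dotted
# prefix $1 (for example 192.168.12.), one line per distinct flow:
# count src dst proto dport
dropped_flows_into() {
    shorewall_events | awk -v p="$1" '
        ($2 == "DROP" || $2 == "REJECT") && index($4, p) == 1 {
            n[$3 " " $4 " " $5 " " $6]++
        }
        END { for (k in n) print n[k], k }' | LC_ALL=C sort -k2
}

# Constructed sample log. The first line is modelled on the entry quoted
# in the thread; the others are illustrative (addresses, MACs and chain
# names are assumptions, not captured data).
SAMPLE_LOG='Jun 12 10:05:24 samba kernel: Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=em1 PHYSOUT=vnet0 MAC=52:54:00:70:bf:d5:18:03:73:f1:9c:f5:08:00 SRC=192.168.18.24 DST=192.168.12.248 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=32300 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=57
Jun 12 10:05:25 samba kernel: Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=em1 PHYSOUT=vnet0 MAC=52:54:00:70:bf:d5:18:03:73:f1:9c:f5:08:00 SRC=192.168.18.24 DST=192.168.12.248 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=32301 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=58
Jun 12 10:05:30 samba kernel: Shorewall:net2fw:DROP:IN=br0 OUT= MAC=52:54:00:70:bf:d5:18:03:73:f1:9c:f5:08:00 SRC=192.168.18.24 DST=192.168.12.241 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 12 10:05:31 samba kernel: Shorewall:net2fw:ACCEPT:IN=br0 OUT= MAC=52:54:00:70:bf:d5:18:03:73:f1:9c:f5:08:00 SRC=192.168.18.24 DST=192.168.1.241 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51235 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0'

# Prints the two dropped flows into 192.168.12.0/24, with counts.
printf '%s\n' "$SAMPLE_LOG" | dropped_flows_into 192.168.12.
```

On a live system run "dropped_flows_into 192.168.12. < /var/log/firewall.log"; an entry for the alias address on DPT=445 means the client never reached smbd, which points at the zone or network definition rather than at Samba or at authentication.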

Are you running KVM, too? :fearful: How many services did you install?

rpm -qa | grep ^neth
nethserver-firewall-base-3.2.1-1.ns7.noarch
nethserver-firewall-base-ui-3.2.1-1.ns7.noarch
nethserver-base-3.0.22-1.ns7.noarch
nethserver-avahi-1.1.0-1.ns7.noarch
nethserver-duc-1.4.2-1.ns7.noarch
nethserver-mail-smarthost-0.1.1-1.ns7.noarch
nethserver-lang-en-1.1.10-1.ns7.noarch
nethserver-mysql-1.1.1-1.ns7.noarch
nethserver-httpd-3.1.4-1.ns7.noarch
nethserver-bandwidthd-1.0.2-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-memcached-1.1.0-1.ns7.noarch
nethserver-libvirt-1.1.0-1.ns7.noarch
nethserver-stephdl-1.0.0-2.ns7.sdl.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-dnsmasq-1.6.4-1.ns7.noarch
nethserver-net-snmp-1.1.0-1.ns7.noarch
nethserver-lib-2.2.3-1.ns7.noarch
nethserver-letsencrypt-1.1.4-1.ns7.noarch
nethserver-openssh-1.2.1-1.ns7.noarch
nethserver-sssd-1.2.1-1.ns7.noarch
nethserver-release-7-3.ns7.noarch
nethserver-cgp-2.1.2-1.ns7.noarch
nethserver-unbound-1.1.0-1.ns7.noarch
nethserver-ibays-3.1.1-1.ns7.noarch
nethserver-lang-it-1.1.10-1.ns7.noarch
nethserver-vsftpd-1.1.0-1.ns7.noarch
nethserver-httpd-admin-2.0.11-1.ns7.noarch
nethserver-cups-1.2.0-1.ns7.noarch
nethserver-hosts-1.2.1-1.ns7.noarch
nethserver-mail-common-1.6.3-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-dc-1.2.3-1.ns7.x86_64
nethserver-tomcat-1.1.0-1.ns7.noarch
nethserver-backup-data-1.3.1-1.ns7.noarch
nethserver-webvirtmgr-1.1.1-1.ns7.noarch
nethserver-crontabmanager-0.0.7-1.ns7.sdl.noarch
nethserver-samba-2.0.7-1.ns7.noarch
nethserver-backup-config-1.5.6-1.ns7.noarch
nethserver-postgresql-1.1.0-1.ns7.noarch
nethserver-antivirus-1.2.1-1.ns7.noarch
nethserver-phonehome-1.2.1-1.ns7.noarch
nethserver-samba-audit-1.1.2-1.ns7.noarch
nethserver-spamd-1.0.0-1.ns7.noarch
nethserver-collectd-3.0.5-1.ns7.noarch
nethserver-restore-data-1.2.3-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch

Hardware

Connection qemu:///system
Hostname samba.xxxxx.it
Hypervisor qemu
Memory 63,9 GB
Logical CPUs 40
Processor Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Architecture x86_64

Virtual Machine

Name        State    vCPUs  Memory
erpnext     Running  4      8192MB
mail-xxxx   Running  2      2048MB
mysql       Running  8      16384MB
target      Running  4      8192MB
web         Running  2      4096MB

too many?


I tried to configure a similar system on a VPS with red+green interfaces,

  • host IP <green>.2
  • configured Active Directory DC IP <green>.7
  • configured IPsec tunnels

I can ping the host <green>.2 from the remote network. However the DC IP does not respond.

To fix this situation I did the following:

yum --installroot=/var/lib/machines/nsdc install iproute iputils bind-utils
systemd-run -M nsdc -t /bin/bash

From nsdc shell:

ip ro add default via <green>.2

Created <green>.22 and <green>.1 aliases: smbd seems to bind on the first IP, <green>.1.

Applied the proposed workaround above: I can connect from smbclient on the remote network.


@sharpec, please see if defining a default route in your nsdc container fixes your connection problems with DC (and file server).


I have to admit I’m a little afraid to do this on DC :sweat:
