sharpec
(EnzoC)
June 14, 2017, 7:30am
1
'Morning!
I have added 1 IP alias on the green interface: 192.168.1.241 + 192.168.12.241
From netstat -an I see Samba listening on all IPs except 192.168.12.241
Then, as usual, I made the change by hand and added to smb.conf:
interfaces = 127.0.0.1 192.168.1.0/24 192.168.10.0/24 192.168.12.0/24
Now the folder is visible from network 12, but obviously authentication on the folder fails.
The only message in the secure log is:
Jun 14 09:28:47 samba smbd[392132]: pam_unix(samba:session): session closed for user nobody
What am I forgetting?
1 Like
@davidep, did you mention this problem to me in the past?
davidep
(Davide Principi)
June 14, 2017, 1:54pm
3
Great catch @sharpec!
I noticed the same problem some days ago (as Filippo recalls)…
Yes, we could list alias IPs under interfaces
…
Otherwise we could not use interfaces at all, and make smbd and nmbd bind on all available IPs. Access is controlled by firewall configuration, too…
Edit: This is the workaround. I don’t know if/how it works on gateways:
$ cat /etc/e-smith/templates-custom/etc/samba/smb.conf/11interfaces
#
# 11interfaces -- custom
#
# Revert to samba default to bind IP aliases
#
[global]
interfaces =
bind interfaces only = no
Then run
signal-event nethserver-samba-update
@sharpec, could you test it?
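As an added example (not code from the thread or from NethServer), here is a small POSIX shell check that compares the addresses a host owns with the sockets smbd actually listens on. It turns the symptom from the first post (an alias that Samba silently does not bind) into a concrete address, and it also shows why the workaround above passes: an empty interfaces list makes smbd bind a wildcard socket. The address list and the listener tables are constructed stand-ins for command output; the interface names and addresses are assumptions modelled on the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from NethServer: compare the addresses
# a host owns with the sockets smbd actually listens on, so a missing alias
# bind shows up as a concrete address instead of a failed login.
# All inputs below are constructed strings standing in for command output.

# Constructed stand-in for: ip -4 -o addr | awk '{print $2, $4}'
LOCAL_ADDRS='lo 127.0.0.1/8
br0 192.168.1.241/24
br0 192.168.12.241/24
br1 192.168.10.241/24'

# Constructed stand-in for: ss -Htln | awk '{print $4}'
# with an explicit "interfaces = ..." line: the alias 192.168.12.241 is not bound
LISTEN_BEFORE='127.0.0.1:445
192.168.1.241:445
192.168.10.241:445
127.0.0.1:139
192.168.1.241:139
192.168.10.241:139'

# Constructed stand-in for the same listing after the workaround
# (empty "interfaces =", "bind interfaces only = no"): one wildcard socket
LISTEN_AFTER='0.0.0.0:445
0.0.0.0:139'

# smb_port_gaps PORT ADDRS LISTENERS
# Prints every local address with no listener on PORT, one per line.
# Prints nothing when a wildcard socket covers all addresses.
smb_port_gaps() {
  port=$1; addrs=$2; listeners=$3
  # ss prints the IPv4 wildcard as 0.0.0.0 or *, and a [::] socket also accepts
  # IPv4 connections unless net.ipv6.bindv6only=1, so treat all three as "bound"
  if printf '%s\n' "$listeners" | grep -qE "^(0\.0\.0\.0|\*|\[::\]):$port\$"; then
    return 0
  fi
  printf '%s\n' "$addrs" | while read -r _dev cidr; do
    [ -n "$cidr" ] || continue
    ip=${cidr%/*}
    printf '%s\n' "$listeners" | grep -qxF "$ip:$port" || printf '%s\n' "$ip"
  done
}

# Live use on a host (not executed here):
#   smb_port_gaps 445 "$(ip -4 -o addr | awk '{print $2, $4}')" \
#                     "$(ss -Htln | awk '{print $4}')"
```

A non-empty result for port 445 is exactly the situation in the first post. The workaround clears it by binding 0.0.0.0, which also exposes SMB on every interface the host has, including red ones, so after applying it the only thing keeping SMB off untrusted networks is the firewall policy davidep mentions; re-run the check together with a look at those rules.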
sharpec
(EnzoC)
June 15, 2017, 7:03am
4
OK @davidep, now Samba listens on 0.0.0.0:445 /137 /138 /139
but login from the remote network, on IP 192.168.12.241, continues to fail.
The connection is from the IPsec VPN network 192.168.18.0 to network 192.168.12.0.
I have already added network 18 to the allowed networks; in fact the share list is shown.
Is the fact that I have the domain on the nsdc network, and that this interface does not seem to be visible over the VPN, a problem?
Edit: I have tried to log in from the local network (not VPN) on alias IP 12 … it continues to fail.
On physical IP 1, login works; the password is correct.
davidep
(Davide Principi)
June 15, 2017, 7:17am
5
Did this setting fix the problem on IPsec, too?
sharpec
(EnzoC)
June 15, 2017, 7:23am
6
Yes, it has solved it in the sense that the folders are visible.
But I only have access to those folders that have read permissions for everyone.
If I have to go into a secure folder, when I try to log in, it does not allow me to log in.
Should I close this post and open another?
davidep
(Davide Principi)
June 15, 2017, 7:35am
7
Yes! I should reproduce this one, too… It is complex to reproduce in a development environment, though. Please be patient. I hope other people help us confirm the second bug.
Well, the first problem (bind-on-alias-ip) seems trivial.
I’d prefer my fix only because the implementation is straightforward and I love removing code. However, it is still not proven to be as effective as yours.
Your fix is definitely better than mine: less invasive, no possibility of regression.
The second problem (connect-nsdc-from-vpn) must be investigated. Yes, I’d open a separate thread once it is reproducible.
sharpec
(EnzoC)
June 15, 2017, 7:57am
8
However, the connection does not fail only over the VPN, but also from the local network.
1 Like
davidep
(Davide Principi)
June 15, 2017, 8:00am
9
There’s also a third problem: during the restore-config procedure, if the IP configuration is not applied automatically, smbd and nmbd wait indefinitely for that specific IP list to appear.
The wildcard approach would prevent the third problem.
sharpec
(EnzoC)
June 15, 2017, 8:14am
10
I have checked this:
netstat -an |grep 389
tcp 0 0 192.168.1.241:48668 192.168.1.2:389 ESTABLISHED
192.168.1.2 is a bridged nsdc interface of the DC.
An LDAP problem with the alias IP?
davidep
(Davide Principi)
June 15, 2017, 8:32am
11
I’m not sure I understand your network configuration. Could you attach the output of
db networks show
config show sssd
config show nsdc
sharpec
(EnzoC)
June 15, 2017, 8:35am
12
[root@samba log]# db networks show
192.168.18.0=network
Description=
Mask=255.255.255.0
192.168.180.0=network
Description=vpn
Mask=255.255.255.0
br0=bridge
gateway=192.168.1.254
ipaddr=192.168.1.241
netmask=255.255.255.0
role=green
br0:0=alias
ipaddr=192.168.12.241
netmask=255.255.255.0
role=alias
br1=bridge
FwInBandwidth=
FwOutBandwidth=
bootproto=none
gateway=
ipaddr=192.168.10.241
netmask=255.255.255.0
role=green
em1=ethernet
FwInBandwidth=
FwOutBandwidth=
bridge=br0
role=bridged
em2=ethernet
FwInBandwidth=
FwOutBandwidth=
bootproto=none
bridge=br1
role=bridged
em3=ethernet
bootproto=none
role=
em4=ethernet
role=
ppp0=xdsl-disabled
AuthType=auto
FwInBandwidth=
FwOutBandwidth=
Password=
name=PPPoE
provider=xDSL provider
role=red
user=
[root@samba log]# config show sssd
sssd=service
AdDns=192.168.1.2
LdapURI=
Provider=ad
Realm=XXXXX.IT
Workgroup=XXXXX
status=enabled
[root@samba log]# config show nsdc
nsdc=service
IpAddress=192.168.1.2
ProvisionType=newdomain
bridge=br0
status=enabled
1 Like
davidep
(Davide Principi)
June 15, 2017, 8:41am
13
sharpec:
netstat -an |grep 389
It is a normal condition: it is a connection between your local br0 green (192.168.1.241) and the remote nsdc LDAP server.
Probably it is the sssd LDAP client opening that socket:
# ss -np 'dport = 389'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.5.252:45260 192.168.5.251:389 users:(("sssd_be",pid=2526,fd=29))
sharpec
(EnzoC)
June 15, 2017, 8:46am
14
OK, but in my case, br0 and the nsdc LDAP server are the same machine:
192.168.1.241 physical network
192.168.1.2 bridged DC network
192.168.12.241 bridged IPsec network
Same machine, same interface br0.
davidep
(Davide Principi)
June 15, 2017, 8:49am
15
Could you paste also (an excerpt of) /var/log/firewall.log?
sharpec
(EnzoC)
June 15, 2017, 8:56am
16
Jun 12 10:05:24 samba kernel: Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=em1 PHYSOUT=vnet0 MAC=52:54:00:70:bf:d5:18:03:73:f1:9c:f5:08:00 SRC=192.168.18.24 DST=192.168.12.248 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=32300 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=57
This is the last entry before adding network 18 to the safe networks.
12.248 is a VM on the same Samba machine.
davidep
(Davide Principi)
June 15, 2017, 9:04am
17
Are you running KVM, too? How many services did you install?
rpm -qa | grep ^neth
sharpec
(EnzoC)
June 15, 2017, 9:13am
18
nethserver-firewall-base-3.2.1-1.ns7.noarch
nethserver-firewall-base-ui-3.2.1-1.ns7.noarch
nethserver-base-3.0.22-1.ns7.noarch
nethserver-avahi-1.1.0-1.ns7.noarch
nethserver-duc-1.4.2-1.ns7.noarch
nethserver-mail-smarthost-0.1.1-1.ns7.noarch
nethserver-lang-en-1.1.10-1.ns7.noarch
nethserver-mysql-1.1.1-1.ns7.noarch
nethserver-httpd-3.1.4-1.ns7.noarch
nethserver-bandwidthd-1.0.2-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-memcached-1.1.0-1.ns7.noarch
nethserver-libvirt-1.1.0-1.ns7.noarch
nethserver-stephdl-1.0.0-2.ns7.sdl.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-dnsmasq-1.6.4-1.ns7.noarch
nethserver-net-snmp-1.1.0-1.ns7.noarch
nethserver-lib-2.2.3-1.ns7.noarch
nethserver-letsencrypt-1.1.4-1.ns7.noarch
nethserver-openssh-1.2.1-1.ns7.noarch
nethserver-sssd-1.2.1-1.ns7.noarch
nethserver-release-7-3.ns7.noarch
nethserver-cgp-2.1.2-1.ns7.noarch
nethserver-unbound-1.1.0-1.ns7.noarch
nethserver-ibays-3.1.1-1.ns7.noarch
nethserver-lang-it-1.1.10-1.ns7.noarch
nethserver-vsftpd-1.1.0-1.ns7.noarch
nethserver-httpd-admin-2.0.11-1.ns7.noarch
nethserver-cups-1.2.0-1.ns7.noarch
nethserver-hosts-1.2.1-1.ns7.noarch
nethserver-mail-common-1.6.3-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-dc-1.2.3-1.ns7.x86_64
nethserver-tomcat-1.1.0-1.ns7.noarch
nethserver-backup-data-1.3.1-1.ns7.noarch
nethserver-webvirtmgr-1.1.1-1.ns7.noarch
nethserver-crontabmanager-0.0.7-1.ns7.sdl.noarch
nethserver-samba-2.0.7-1.ns7.noarch
nethserver-backup-config-1.5.6-1.ns7.noarch
nethserver-postgresql-1.1.0-1.ns7.noarch
nethserver-antivirus-1.2.1-1.ns7.noarch
nethserver-phonehome-1.2.1-1.ns7.noarch
nethserver-samba-audit-1.1.2-1.ns7.noarch
nethserver-spamd-1.0.0-1.ns7.noarch
nethserver-collectd-3.0.5-1.ns7.noarch
nethserver-restore-data-1.2.3-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch
Hardware
Connection: qemu:///system
Hostname: samba.xxxxx.it
Hypervisor: qemu
Memory: 63,9 GB
Logical CPUs: 40
Processor: Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Architecture: x86_64
Virtual Machine   State     vCPUs   Memory
erpnext           Running   4       8192MB
mail-xxxx         Running   2       2048MB
mysql             Running   8       16384MB
target            Running   4       8192MB
web               Running   2       4096MB
Too many?
1 Like
davidep
(Davide Principi)
June 20, 2017, 2:58pm
19
I tried to configure a similar system on a VPS with red+green interfaces:
host IP <green>.2
configured Active Directory DC IP <green>.7
configured IPsec tunnels
I can ping the host <green>.2 from the remote network. However the DC IP does not respond.
To fix this situation I did the following:
yum --installroot=/var/lib/machines/nsdc install iproute iputils bind-utils
systemd-run -M nsdc -t /bin/bash
From the nsdc shell:
ip ro add default via <green>.2
Created <green>.22 and <green>.1 aliases: smbd seems to bind on the first IP, <green>.1.
Applied the proposed workaround above: I can connect from smbclient on the remote network.
@sharpec, please see if defining a default route in your nsdc container fixes your connection problems with the DC (and file server).
1 Like
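As an added example (not code from the thread or from NethServer), the following POSIX shell script performs a longest-prefix route lookup over an ip route show listing, the same decision the kernel makes for each packet. It illustrates why the DC container in the post above answered hosts on its own subnet but not the remote IPsec network until a default route via the host was added, and it generalizes beyond that one case to any routing table. The two routing tables, the host0 interface name, and all addresses are constructed assumptions; the host green IP is taken to be 192.168.1.241 and the DC 192.168.1.2 as in sharpec's setup.

```shell
#!/bin/sh
# Added example, not from the thread or from NethServer: a longest-prefix
# route lookup over an `ip route show` listing, showing which next hop the
# DC container uses for a given destination. All tables and addresses are
# constructed; "host0" is an assumed container interface name.

# Constructed: table inside the nsdc container before the fix
# (only the kernel's on-link route for the green subnet exists)
ROUTES_BEFORE='192.168.1.0/24 dev host0 proto kernel scope link src 192.168.1.2'

# Constructed: same table after `ip ro add default via 192.168.1.241`
# (192.168.1.241 is the assumed host green IP)
ROUTES_AFTER='192.168.1.0/24 dev host0 proto kernel scope link src 192.168.1.2
default via 192.168.1.241 dev host0'

# ip4_to_int A.B.C.D -> unsigned 32-bit value as a decimal integer
ip4_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# next_hop "<rest of route line>" -> "via GW" for gatewayed routes,
# "onlink DEV" for directly connected ones
next_hop() {
  set -- $1
  dev=''
  while [ $# -gt 0 ]; do
    case $1 in
      via) echo "via $2"; return 0 ;;
      dev) dev=$2 ;;
    esac
    shift
  done
  echo "onlink ${dev:-?}"
}

# route_lookup DST ROUTES -> "via GW", "onlink DEV" or "unreachable",
# choosing the most specific matching prefix as the kernel would
route_lookup() {
  dst=$(ip4_to_int "$1")
  best_len=-1
  best=unreachable
  while read -r prefix rest; do
    [ -n "$prefix" ] || continue
    case $prefix in
      default) net=0.0.0.0; len=0 ;;
      */*)     net=${prefix%/*}; len=${prefix#*/} ;;
      *)       net=$prefix; len=32 ;;
    esac
    # netmask for a /len prefix, kept to 32 bits
    mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
    netint=$(ip4_to_int "$net")
    if [ $(( dst & mask )) -eq $(( netint & mask )) ] && [ "$len" -gt "$best_len" ]; then
      best_len=$len
      best=$(next_hop "$rest")
    fi
  done <<EOF
$2
EOF
  printf '%s\n' "$best"
}

# Live use from the nsdc shell opened with systemd-run (not executed here):
#   route_lookup 192.168.18.24 "$(ip route show)"
```

A result of "unreachable" for a VPN client address is the condition davidep hit: the DC had no route back to it, so replies were never sent. "via 192.168.1.241" only means the container hands the packet to the host; the host must still forward it into the IPsec tunnel and its firewall must allow the traffic. Adding a default route also makes the DC reachable from, and able to reach, every network the host routes to, so the host's firewall zones are what limit exposure of the DC afterwards.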
sharpec
(EnzoC)
June 20, 2017, 3:29pm
20
I have to admit I’m a little afraid to do this on the DC
1 Like