samba: unreachable - admin prohibited
on 29.07.2005 20:10:45 by Dermot Paikkos
Hi
SYS: redhat fedora 4, samba 3.0.14a-2
This is the first time I have had trouble configuring samba but I am
completely stuck.
I have a basic smb.conf (see below) and testparm says it's fine. The
path to the one share exists and the permissions are 0777. However no
clients can reach it. Unix smbclient can not access it:
[root]# smbclient -L polaris
Error connecting to 194.200.237.132 (No route to host)
Connection to polaris failed
Windows clients say permission denied and the network path was not
found. NT4 server-manager sees the server but can't reach it. net rpc
join fails with "Unable to find a suitable server"
tcpdump reports:
"unreachable - admin prohibited" when I listen on the interface for
incoming traffic from a client.
I can ping the server from other hosts (by hostname if the host has
the server in its hosts file or by IP otherwise) but I am pretty sure
this is a network/access problem.
The one area I am not sure about is the firewall. I left this enabled
during the install of redhat. The iptables are listed at the end of
this mail. portscan shows 139 running with netbios-ssn so I am not
sure if this means traffic is allowed through or not.
Does anyone have any ideas?
Thanx.
Dp.
============== iptables ================
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
=============== End iptables ============
=======smb.conf ==========
[global]
workgroup = mygroup
server string = 132
netbios name = polaris
#hosts allow = 196.218.237.128/255.255.255.128
printcap name = /etc/printcap
#load printers = yes
cups options = raw
guest account = samba
log file = /var/log/samba/%m.log
max log size = 50
security = domain
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
default case = lower
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = yes
[share]
comment = scanning drive
path = /data/share
public = yes
writable = yes
create mask = 0777
browseable = yes
=============== end of smb.conf ==========
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: samba: unreachable - admin prohibited
on 29.07.2005 20:28:23 by Jens Knoell
Hi Dermot
On Fri, July 29, 2005 12:10 pm, Dermot Paikkos wrote:
[...snipped...]
> tcpdump reports:
> "unreachable - admin prohibited" when I listen on the interface for
> incoming traffic from a client.
It's a firewall issue, not a Samba issue. This message basically means
that there is an IPTables rule which prevents access to that port.
J
Re: samba: unreachable - admin prohibited
on 29.07.2005 20:33:04 by Dermot Paikkos
On 29 Jul 2005 at 11:25, Scott Taylor wrote:
>
> Dermot Paikkos said:
> > Hi
> >
> > The one area I am not sure about is the firewall. I left this
> > enabled during the install of redhat. The iptables are listed at the
> > end of this mail. portscan shows 139 running with netbios-ssn so I
> > am not sure if this means traffic is allowed through or not.
> >
> > Does anyone have any ideas?
>
> I don't see any SMB or NMB allowed in your IPTABLES rulez.
>
I guess the next question is how do I add a rule for smb and nmb or
can I just turn it off to confirm that this is the source of the
problem?
> > ============== iptables ================
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> > RH-Firewall-1-INPUT all -- anywhere anywhere
> >
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> > RH-Firewall-1-INPUT all -- anywhere anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain RH-Firewall-1-INPUT (2 references)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere
> > ACCEPT icmp -- anywhere anywhere icmp any
> > ACCEPT ipv6-crypt-- anywhere anywhere
> > ACCEPT ipv6-auth-- anywhere anywhere
> > ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
> > ACCEPT udp -- anywhere anywhere udp dpt:ipp
> > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> > ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> > ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
> > ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
> > ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
> > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> >
>
> --
> Scott
>
~~
Dermot Paikkos * dermot@sciencephoto.com
Network Administrator @ Science Photo Library
Phone: 0207 432 1100 * Fax: 0207 286 8668
Re: samba: unreachable - admin prohibited
on 29.07.2005 20:55:07 by Jens Knoell
On Fri, July 29, 2005 12:33 pm, Dermot Paikkos wrote:
> On 29 Jul 2005 at 11:25, Scott Taylor wrote:
>
>>
>> Dermot Paikkos said:
>> > Hi
>> >
>> > The one area I am not sure about is the firewall. I left this
>> > enabled during the install of redhat. The iptables are listed at the
>> > end of this mail. portscan shows 139 running with netbios-ssn so I
>> > am not sure if this means traffic is allowed through or not.
>> >
>> > Does anyone have any ideas?
>>
>> I don't see any SMB or NMB allowed in your IPTABLES rulez.
>>
> I guess the next question is how do I add a rule for smb and nmb or
> can I just turn it off to confirm that this is the source of the
> problem?
Firewall rules are set in the "setup" program in your distro, if I recall
correctly. To check if the firewall is indeed the culprit, try this:
/usr/sbin/iptables -F
That will wipe the firewall temporarily, not including the NAT and mangle
tables (in case your box works as a gateway). To clean the NAT and mangle
tables too, use these:
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t mangle -F
J
Re: samba: unreachable - admin prohibited
on 29.07.2005 21:27:21 by Dermot Paikkos
On 29 Jul 2005 at 12:55, Jens Knoell wrote:
> On Fri, July 29, 2005 12:33 pm, Dermot Paikkos wrote:
> > I guess the next question is how do I add a rule for smb and nmb or
> > can I just turn it off to confirm that this is the source of the
> > problem?
>
> Firewall rules are set in the "setup" program in your distro, if I
> recall correctly. To check if the firewall is indeed the culprit, try
> this: /usr/sbin/iptables -F
>
> That will wipe the firewall temporarily, not including the NAT and
> mangle tables (in case your box works as a gateway). To clean the NAT
> and mangle tables too, use these: /usr/sbin/iptables -t nat -F
> /usr/sbin/iptables -t mangle -F
Well something has changed as I seem to be getting through;
[root@proxima ~]# smbclient -L polaris
Password:
session setup failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
This looks like the samba server isn't communicating with the PDC.
so then;
>net rpc join mydomain -U administrator%password
Joined domain SPL.
>[root@proxima ~]# smbclient -L polaris
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
A better error. The windows client can finally see it.
Thanx Jens & Scott. I guess I'll have to rtfm to configure the
iptables or turn them off.
Dp.
Re: samba: unreachable - admin prohibited
on 29.07.2005 22:04:31 by Scott Taylor
Dermot Paikkos said:
> On 29 Jul 2005 at 11:25, Scott Taylor wrote:
>
>>
>> I don't see any SMB or NMB allowed in your IPTABLES rulez.
>>
> I guess the next question is how do I add a rule for smb and nmb or can
> I just turn it off to confirm that this is the source of the problem?
If you don't need a firewall then you should disable it. FD4 default
rules block everything unless you specifically allow it. To modify the
firewall you could use system-config-security (I think it is)...let me
turn on my FD4 box...da-dee-dum-dee-dum...booting...la-de-dah...takes so
long to boot this OS...go get a coffee...
Ah, here it is, "system-config-securitylevel". It works in both X and
terminal session (command line). You can customize it to allow the
different ports, I forget off hand what nmb and smb are on. Or disable it
altogether. Make sure to read the help and stuff on the screen. :)
In X it's in a really stupid place, under "Desktop" menu -> System
Settings -> Security Level.
I don't know whose silly idea it was to put system settings (like firewall
settings) under a menu called Desktop. It's a wonder anyone can navigate
this POS OS that installs way too much gunk even when you install basic
mode. =P
Enjoy.
--
Scott
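
Added example, not part of any poster's message: the thread asks how to add rules for smb and nmb but only shows flushing or disabling the firewall. Samba's nmbd uses udp/137 and udp/138 and smbd uses tcp/139 and tcp/445, and a new ACCEPT only takes effect if it sits above the final REJECT in RH-Firewall-1-INPUT, so this script derives the insert position from a numbered listing and prints the commands. The listing is constructed from the rule set posted above, and 192.0.2.0/24 is a placeholder client subnet, not a value from the thread.

```shell
#!/bin/sh
# Added example: print (do not run) the iptables commands that open
# Samba's ports ahead of the catch-all REJECT in RH-Firewall-1-INPUT.
CHAIN="RH-Firewall-1-INPUT"

# Constructed sample: the thread's rule set as
# `iptables -L RH-Firewall-1-INPUT --line-numbers` would number it.
sample_listing() {
cat <<'EOF'
Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source    destination
1    ACCEPT  all  --  anywhere  anywhere
2    ACCEPT  icmp --  anywhere  anywhere     icmp any
3    ACCEPT  ipv6-crypt--  anywhere  anywhere
4    ACCEPT  ipv6-auth--  anywhere  anywhere
5    ACCEPT  udp  --  anywhere  224.0.0.251  udp dpt:5353
6    ACCEPT  udp  --  anywhere  anywhere     udp dpt:ipp
7    ACCEPT  all  --  anywhere  anywhere     state RELATED,ESTABLISHED
8    ACCEPT  tcp  --  anywhere  anywhere     state NEW tcp dpt:ssh
9    ACCEPT  tcp  --  anywhere  anywhere     state NEW tcp dpt:http
10   ACCEPT  tcp  --  anywhere  anywhere     state NEW tcp dpt:ftp
11   ACCEPT  tcp  --  anywhere  anywhere     state NEW tcp dpt:smtp
12   REJECT  all  --  anywhere  anywhere     reject-with icmp-host-prohibited
EOF
}

# Rule number of the first catch-all REJECT/DROP; empty if there is none.
reject_pos() {
    awk '($2 == "REJECT" || $2 == "DROP") && $3 == "all" { print $1; exit }'
}

# Usage: <numbered listing> | samba_rules <source-cidr>
# Emits one insert per port, each placed just above the REJECT.
samba_rules() {
    src=$1
    pos=$(reject_pos)
    [ -n "$pos" ] || { echo "no catch-all REJECT/DROP found" >&2; return 1; }
    for spec in udp:137 udp:138 tcp:139 tcp:445; do
        proto=${spec%%:*}; port=${spec##*:}
        state=""; [ "$proto" = tcp ] && state=" -m state --state NEW"
        echo "iptables -I $CHAIN $pos -s $src -p $proto -m $proto --dport $port$state -j ACCEPT"
        pos=$((pos + 1))   # each insert pushes the REJECT down by one
    done
}

# 192.0.2.0/24 is a placeholder client subnet (assumption).
sample_listing | samba_rules 192.0.2.0/24
```

Rules inserted this way last until the firewall is reloaded or the host reboots; on this distribution they would also have to be saved through the firewall tool the thread mentions to persist.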
Re: samba: unreachable - admin prohibited
on 29.07.2005 22:14:21 by Scott Taylor
Dermot Paikkos said:
> Yes, found it. Not in the place you'd expect it.
>
> Disabled now. I guess I don't have to print out the iptable man pages
> :-).
Good thing you didn't try that, there is no man page, only "info" (the new
man?) pages. :(
> Thanx scott.
You are welcome. Happy weekend. :)
--
Scott