
Controlling NMBD


BillyCrook

Programmer
Jul 24, 2006
7
US
I run a Samba server on Fedora Core 5. This machine has two NICs, one WAN, one LAN. I want smbd (ports 139 and 445) to be available to hosts on both networks. I want nmbd broadcasts and announcements to only occur on eth1 (LAN). I am trying to minimize traffic on eth0. My server keeps sending UDP accoutrements to a certain host on eth0, which I have never heard of before. I know one answer is to use iptables to drop any traffic going onto eth0 from port udp/138. This would in effect contain the problem. I want to do it the 'right' way though. A quick sniff with Wireshark reveals that the two UDP datagrams nmbd is sending every 12 minutes are a Domain/Workgroup Announcement and a Local Master Announcement. They are being sent to 172.16.95.255, which is the broadcast address on eth0's network. I know that if the server cannot advertise itself, nothing will be able to access it by host name. This is acceptable since the only hosts on the WAN that should be accessing it do so directly by IP address.

How can I stop NMBD from advertising to a specific network without stopping SMBD from servicing that same network?
 
What is the value of remote announce in your smb.conf file ?

Hope This Helps, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884 or FAQ181-2886
 
My 'remote announce' was set to '192.168.0.255' originally (192.168.0.0/24 is the subnet of eth1). At some point in trying to isolate this, I commented out the 'remote announce' line.

Since you mentioned it, I looked it up in O’Reilly's 'Using Samba', which said:
p.350 said:
[global] remote announce = remote list
allowable values: list of remote addresses
default: NULL

Adds work-groups to the list on which the Samba server will announce itself. Specified as IP address/work-group (for instance, 192.168.220.215/SIMPLE) with multiple groups separated by spaces. Allows directed broadcasts. The server will appear on those work-group's browse lists. Does not require WINS.

From this I assume 'remote announce' is commented out by default, and since most people want everything to have their samba server in its browse list, I also gather that the default behaviour of being unspecified is to remote announce to all networks. Thanks for your help. I'm reverting this line back to 'remote announce = 192.168.0.255', and I bet that will do the trick.
 
Hrm, it's not working yet. I saved the change, ran testparm, then ran 'service smb reload'. The reload went OK, but I'm still seeing the broadcasts in tcpdump. I can schedule a restart of smb for tonight, but is there a way to force this change to take effect without restarting Samba completely? I fear that my office door may not be strong enough to hold back the angry users if their sessions drop.
 
I went ahead and restarted the whole smbd. No luck, it still was sending junk to that host. I tried to block it in iptables, and it got MAD. /var/log/messages is getting entries from smbd about operation not permitted when it tries to transmit to 172.16.95.255!
 
How about
interfaces = x.x.x.x/24
Where x.x.x.x is the range of your eth1 device


"If you always do what you've always done, you will always be where you've always been."
 
rzs0502 said:
How about
interfaces = x.x.x.x/24
Where x.x.x.x is the range of your eth1 device

Unfortunately, that would keep smbd from responding to direct access on eth0. 'interfaces' is currently set to '127.0.0.1/8 192.168.0.2/24 172.16.87.105/20'. That last one is what puts Samba on eth0. SMBd must be on eth0 so that certain good hosts on that network can connect to the server. NMBd doesn't need to be on eth0 at all though, because all of those good hosts know the IP of the server. The network behind eth1 is mostly mapped by IP too, but I want name resolution on eth1 so the users can have it easier.
 
I think you are trying to fight the nature of the beast. Use iptables to stop the broadcasts once and for all. You'll get a lot of complaints in the log but you won't broadcast anymore.

Instead of blocking by port, block by destination IP (172.16.87.255) and/or destination port if desired.
 
You're probably right. I'm actually blocking the broadcasts with iptables for the short term. I just had an idea though. Could I have two separate configuration files? One, say, for smbd and another for nmbd? Or even better, what about using an include file referenced by a variable containing the name of the daemon (smbd or nmbd)? This way, I suppose, I could have nmbd's config reference only the eth1 subnet in its 'interfaces' clause, and smbd would reference all subnets.
 
Use the -s <configuration file> option of nmbd in your samba's startup script.

Hope This Helps, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884 or FAQ181-2886
 
I edited /etc/sysconfig/samba to include the -s option for both smbd and nmbd. I set their conf files to /etc/samba/smb.conf and /etc/samba/nmb.conf accordingly. Then I renamed smb.conf to both.conf. I made two new files, smb.conf and nmb.conf, and added the following:

---to smb.conf:

[global]
include = /etc/samba/both.conf
interfaces = a.a.a.a/s b.b.b.b/s c.c.c.c/s

---and to nmb.conf:

[global]
include = /etc/samba/both.conf
interfaces = a.a.a.a/s b.b.b.b/s

This kept nmb from knowing about the c.c.c.c/s subnet that it shouldn't be broadcasting/responding on. And it referenced both.conf for both smb and nmb to know the rest of the configuration correctly from one file that I could easily change in the future.

It appeared to be working, but then testparm and the logfiles of smb and nmb were all saying 'Global parameter interfaces found in Service Section!'

Knowing a bit of C++ myself, I guessed that any line reading include = x jumped into and out from that file linearly, as in C++, and I changed smb.conf and nmb.conf from

[global]
include = /etc/samba/both.conf
interfaces = a.a.a.a/s b.b.b.b/s c.c.c.c/s

to

[global]
interfaces = a.a.a.a/s b.b.b.b/s c.c.c.c/s
include = /etc/samba/both.conf

This fixed the problem. I have (I think) effectively silenced nmbd on eth0 so that nothing can just stumble upon the server from eth0 (except by IP address). nmbd still works from eth1. smbd works from both, and clients from both networks can access their files fine!

Thanks for the help guys, it looks like this one is solved, and I hope this can help the next guy!
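
The include-ordering effect described in the last post, as an added example that is not part of the original thread: a simplified model of a linear include (not Samba's own parser) that flags a global-only parameter landing in a share section, and checks whether nmbd's 'interfaces' still covers the eth0 broadcast address 172.16.95.255. The file contents, the [homes] share, the short file names and the GLOBAL_ONLY subset are constructed assumptions; only IP/mask interface entries are handled.

```python
import ipaddress

# Constructed files modelled on the thread; the [homes] share is an assumption.
BOTH = "/etc/samba/both.conf"
FILES = {
    BOTH: "[global]\nworkgroup = EXAMPLE\n[homes]\nbrowseable = no\n",
    "nmb_bad.conf": f"[global]\ninclude = {BOTH}\n"
                    "interfaces = 127.0.0.1/8 192.168.0.2/24\n",
    "nmb_good.conf": "[global]\ninterfaces = 127.0.0.1/8 192.168.0.2/24\n"
                     f"include = {BOTH}\n",
    "smb.conf": "[global]\n"
                "interfaces = 127.0.0.1/8 192.168.0.2/24 172.16.87.105/20\n"
                f"include = {BOTH}\n",
}
GLOBAL_ONLY = {"interfaces", "workgroup", "remote announce"}  # illustrative subset


def expand(files, name, state=None):
    """Return (section, key, value) tuples, splicing each include in place."""
    state = {"section": None} if state is None else state
    out = []
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            state["section"] = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "include":
            out += expand(files, value, state)  # section state carries back out
        else:
            out.append((state["section"], key, value))
    return out


def misplaced_globals(files, name):
    """Global-only parameters that ended up inside a share section."""
    return [(s, k) for s, k, _ in expand(files, name)
            if k in GLOBAL_ONLY and s != "global"]


def covers(files, name, address):
    """True if a [global] 'interfaces' entry (IP/mask form only) contains address."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_interface(entry).network
               for s, k, v in expand(files, name)
               if s == "global" and k == "interfaces" for entry in v.split())
```

With the include placed first, `interfaces` is read in the context of the last section of both.conf, so the restriction never reaches [global]; with `interfaces` first, nmbd's view excludes the 172.16.80.0/20 network while smbd's still includes it.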
 