[Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)

Mohammed El-Afifi mohammed_elafifi at yahoo.com
Wed Jul 2 23:26:31 GMT 2008 

Here's my analysis results describing my message:

  1   0.000000 192.168.1.101 -> 192.168.1.254 DNS Standard query AAAA vic-cai-l0047.localdomain
  2   0.029740 192.168.1.254 -> 192.168.1.101 DNS Standard query response, No such name
  3   0.029889 192.168.1.101 -> 192.168.1.254 DNS Standard query A vic-cai-l0047.localdomain
  4   0.056225 192.168.1.254 -> 192.168.1.101 DNS Standard query response, No such name
  5   0.056738 192.168.1.101 -> 192.168.1.255 NBNS Name query NB VIC-CAI-L0047<20>
  6   0.057018 Dell_b0:3b:f2 -> Broadcast    ARP Who has 192.168.1.101?  Tell 192.168.1.100
  7   0.057032 Giga-Byt_49:21:e7 -> Dell_b0:3b:f2 ARP 192.168.1.101 is at 00:16:e6:49:21:e7
  8   0.057139 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB 192.168.1.100
  9   0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable (Host administratively prohibited)
 10   0.326384 192.168.1.101 -> 192.168.1.255 NBNS Name query NB VIC-CAI-L0047<20>
 11   0.326732 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB 192.168.1.100
 12   0.326763 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable (Host administratively prohibited)
 13   0.596355 192.168.1.101 -> 192.168.1.255 NBNS Name query NB VIC-CAI-L0047<20>
 14   0.596734 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB 192.168.1.100
 15   0.596758 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable (Host administratively prohibited)

192.168.1.101 is my linux client, 192.168.1.100 is my windows machine(containing the shares I want to access from the fedora 9 box), and 192.168.1.254 is my local DNS server. Obviously there're no messages sent to the linux machine on destination port 139 or 145. All messages coming from the windows machine are originating from port 137 on the windows machine.
I tried to disable the NetworkManager service but this didn't solve the problem. I also got level 5 debugging from smbclient; it's as follows:
INFO: Current debug levels:
  all: True/5
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
  registry: False/0
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = MYGROUP
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = user
doing parameter passdb backend = tdbsam
doing parameter load printers = yes
doing parameter cups options = raw
pm_process() returned Yes
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::216:e6ff:fe49:21e7%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.1.101 bcast=192.168.1.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="LOCALHOST"
Client started (version 3.2.0rc1-15.fc9).
Opening cache file at /var/lib/samba/gencache.tdb
tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only.
sitename_fetch: No stored sitename for
no entry for vic-cai-l0047#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name vic-cai-l0047<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
resolve_wins: Attempting wins lookup for name vic-cai-l0047<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name vic-cai-l0047<0x20>
resolve_hosts: getaddrinfo failed for name vic-cai-l0047 [Name or service not known]
name_resolve_bcast: Attempting broadcast lookup for name vic-cai-l0047<0x20>
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 1
socket option SO_BROADCAST = 1
Could not test socket option TCP_NODELAY.
Could not test socket option TCP_KEEPCNT.
Could not test socket option TCP_KEEPIDLE.
Could not test socket option TCP_KEEPINTVL.
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 122880
socket option SO_RCVBUF = 122880
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
Sending a packet of len 50 to (192.168.1.255) on port 137
Sending a packet of len 50 to (192.168.1.255) on port 137
Sending a packet of len 50 to (192.168.1.255) on port 137
Connection to vic-cai-l0047 failed (Error NT_STATUS_BAD_NETWORK_NAME)

Note the last 3 red lines; it seems that smbclient doesn't see the response packets although tcpdump and wireshark show they're received in the kernel IP tables. The ICMP messages also aren't seen in the logging to be sent by my linux client. Think I'm going to investigate more and produce a similar logging information for smbclient on the redhat 9 box to see where they differ.


----- Original Message ----
From: Scott Lovenberg <scott.lovenberg at gmail.com>
To: Mohammed El-Afifi <mohammed_elafifi at yahoo.com>
Cc: samba at lists.samba.org
Sent: Wednesday, July 2, 2008 9:38:41 PM
Subject: Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)


Mohammed El-Afifi wrote:
> I'm using fedora 9, 64-bit edition, on a machine acting as a client. I've installed samba-client 3.2.0 from a binary package. I amn't running the server portion of samba(smbd, nmbd, or even winbindd).
> I'm trying to access shares on another windows machine, on the same network 192.168.1.0/24. Both machines, the client and the server, are using DHCP to acquire IP addresses.
> When I type the command
> smbclient -L <windows host name>
> I get an error about bad network name. I traced my smbclient session with tcpdump and wireshark, jut to find out some strange behaviour. 
>     1. smbclient tries DNS requests and receives unresolved host replies. This's totally sane since my DNS works for resolving external names only, not those inside my network.
>     2. smbclient then tries to resolve the netbios name. It broadcasts a message and it really receives response from the windows machine resolving the name successfully. However after smbclient receives the successful netbios response, it sends and ICMP message to the windows machine indicating "unreachable destination host(administratively prohibited)".
>     3. Steps 1 and 2 repeat for a few times(about 3 times), each time ending with the strange ICMP message.
> I can't see what's wrong with my network configuration. I can access the other windows machine by IP address pretty well. I can access all internet sites successfully. I've disabled the kernal firewall and selinux, but with no progress.
> I've redhat 9(installed on the same machine having fedora 9) with samba-client installed(a very old version of course, 2.2 maybe), and it can access the windows machine seamlessly. So I wonder if it's something related to my samba version, my fedora 9 OS, or may I be missing something critical in my smb.conf, taking into consideration that I haven't changed smb.conf from the stock one shipping with the samba-client binary package?
> Appreciating your help for any suggestions!
>
>
>      
>  
Perhaps a routing problem?  Does either machine have multiple network 
cards?  If you're not using wireless, make sure that the NetworkManager 
service is disabled; I've had nothing but problems with it in F9. 

Also, is the ICMP response in regards to Windows trying to make a 
connection on ports 139 and 445 at the same time?  For some silly reason 
Windows will open two connections at the same time.  I believe that the 
default samba (server) setting is to drop the port 445 requests and use 
the port 139 connections.

More information about the samba mailing list