[Samba] Slow "run as ...", firewall issues.

David Mathog mathog at caltech.edu
Wed Sep 17 22:59:26 GMT 2008


After doing some system work, including upgrading the Samba server to
3.0.28a from 3.0.24, upgrading the kernel to 2.6.24, and changing the
firewall rules, on the XP workstations which belong to that domain the
right click "run as ..." option is slow to bring up a dialog.  The
phenotype is this:

right click some program (for instance, a shortcut to the
  "command prompt")
select "run as ..."
15 seconds elapse before the dialog appears

Once the dialog appears, a local machine account can login more or less
instantaneously, and a domain account can login in about 35-40 seconds.

Oddly, if instead of logging in, the dialog is closed, and then "run
as..." selected again, that dialog appears immediately.  This is also
true if a different application is selected.  Wait one minute though
(about, 30 seconds is not long enough, 45 seconds to 1 minute usually
is) and the next time it will be slow once more.

Working back through this it turned out that the firewall rule which had
previously allowed 137-138 access:

ACCEPT     tcp  --  xxx.xxx.xxx.xxx       yyy.yyy.yyy.yyy       tcp dpts:137:139 state NEW
ACCEPT     udp  --  xxx.xxx.xxx.xxx       yyy.yyy.yyy.yyy       udp dpts:137:139 state NEW
ACCEPT     tcp  --  xxx.xxx.xxx.xxx       yyy.yyy.yyy.yyy       tcp dpts:137:139
ACCEPT     udp  --  xxx.xxx.xxx.xxx       yyy.yyy.yyy.yyy       udp dpts:137:139

was no longer being applied.  Logins still worked using 445, the only
issue was the slow "run as...".

So I changed the rules to:

REJECT     tcp  --  xxx.xxx.xxx.xxx       yyy.yyy.yyy.yyy       tcp dpts:137:139 reject-with icmp-port-unreachable
REJECT     udp  --  xxx.xxx.xxx.xxx       yyy.yyy.yyy.yyy       udp dpts:137:139 reject-with icmp-port-unreachable

And "run as..." was fast again.

So, by trial and error, I have so far learned that for a Samba
machine's firewall to work right

445     must be open

and the following ports must be set to REJECT (or ALLOW, but not DROP)

137-139 (as above)
80      (or there is a long webDAV delay if there is no http server)

Are there any others I should know about???

Thanks,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
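The rule set the post arrives at (445 open, 137-139 and 80 answered with REJECT rather than DROP), written out as iptables commands. This is an added example, not the poster's own rules or anything from the Samba project: the source and destination addresses are constructed placeholders standing in for the xxx/yyy addresses above, and the script only echoes the commands unless IPTABLES is set to the real binary. The reason REJECT matters is that the XP client gets an immediate ICMP port-unreachable (or TCP reset) and falls back to 445 straight away, whereas with DROP it waits for its NetBIOS and WebDAV attempts to time out before continuing, which is the delay described in the post.

```shell
#!/bin/sh
# Added example: generate the Samba-side INPUT rules described in the post.
# SRC/DST are constructed placeholders for the xxx.xxx.xxx.xxx / yyy.yyy.yyy.yyy
# addresses in the original message.
SRC="${SRC:-192.0.2.10}"
DST="${DST:-192.0.2.20}"
# Dry run by default: print the commands instead of applying them.
# Set IPTABLES=iptables (as root) to actually load the rules.
IPTABLES="${IPTABLES:-echo iptables}"

# rule TARGET PROTO DPORTS [EXTRA...]
# Emits a single INPUT rule for the given target, protocol and port spec.
rule() {
    target=$1; proto=$2; ports=$3; shift 3
    $IPTABLES -A INPUT -p "$proto" -s "$SRC" -d "$DST" --dport "$ports" "$@" -j "$target"
}

# reject PROTO DPORTS
# REJECT with an explicit ICMP reply so the client fails fast instead of
# waiting for a timeout (DROP would make it wait).
reject() {
    rule REJECT "$1" "$2" --reject-with icmp-port-unreachable
}

# samba_firewall
# Full rule set from the post: 445 must be ACCEPTed; 137-139 (NetBIOS) and
# 80 (the WebDAV probe the client makes when there is no HTTP server) must be
# REJECTed, never DROPped.
samba_firewall() {
    rule   ACCEPT tcp 445     -m state --state NEW
    reject tcp 137:139
    reject udp 137:139
    reject tcp 80
}

# count_target TARGET
# Helper for checking the generated set: number of rules with the given target.
count_target() {
    samba_firewall | grep -c -- "-j $1"
}

samba_firewall
```

Run it as-is to review the commands; run `IPTABLES=iptables sh thisfile.sh` as root to apply them. If the rules are inserted into a chain that already ends in a DROP policy, they must be added before that final rule, or the REJECTs never match and the delay returns.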
