nmbd using the wrong source address upon sending Node Status requests

Richard Sharpe rsharpe at richardsharpe.com
Thu Apr 24 19:09:32 GMT 2003


On Thu, 24 Apr 2003, Christopher R. Hertel wrote:

> On Thu, Apr 24, 2003 at 06:00:50PM +0200, Volker Lendecke wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Hi!
> > 
> > Being a LMB nmbd has to send out a node status request to the DMB to
> > find its real name to send as called name. This is done from the wrong
> > source ip address if we use 'bind interfaces only = yes' to a virtual
> > interface. This is needed if you want to run several LMBs on a machine
> > or in a cluster environment.
> > 
> > The node status request goes out with the main interface's IP address
> > as the socket used to send the UDP packet is bound to 0.0.0.0 and nmbd
> > will not receive this. I have not really followed why we ignore the
> > reply.
> > 
> > I can supply logs, sniffs & confs upon request.
> > 
> > I have a little proof of concept patch that revives the socket address
> > parameter for this purpose:
> > 
> > Index: source/nmbd/nmbd.c
> > ===================================================================
> > RCS file: /space/vl/cvstree/samba/source/nmbd/nmbd.c,v
> > retrieving revision 1.105.2.21
> > diff -u -r1.105.2.21 nmbd.c
> > - --- source/nmbd/nmbd.c	30 Mar 2003 23:04:17 -0000	1.105.2.21
> > +++ source/nmbd/nmbd.c	24 Apr 2003 15:20:55 -0000
> > @@ -532,7 +532,7 @@
> >     */
> >  
> >    if ( isdaemon )
> > - -    ClientNMB = open_socket_in(SOCK_DGRAM, port,0,0,True);
> > +    ClientNMB = open_socket_in(SOCK_DGRAM, port,0,interpret_addr(lp_socket_address()),True);
> >    else
> >      ClientNMB = 0;
> >    
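Review bot: in the replaced open_socket_in() call, the bind address is taken straight from interpret_addr(lp_socket_address()) with no check that the parameter is set or that it names an address nmbd is actually listening on under 'bind interfaces only = yes'. The hunk does not show what the call yields when 'socket address' is left unset, so that case should be handled explicitly, for example by falling back to the literal 0 the old line used. Since the message itself notes that 'socket address' is deprecated, deriving the address from the configured interfaces would avoid tying the fix to that parameter. A short comment above the call saying why ClientNMB must not be wildcard-bound would also help, and the new line is long enough to be worth wrapping.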
> > There was some discussion on irc that this might be not the right
> > solution as 'socket address' is now deprecated. But what is the right
> > one to this rather obvious bug? This *definitely* needs fixing. Why is
> > 'socket address' deprecated in the first place?
> 
> As Volker says, the problem is that we send the NBT Node Status query from 
> 0.0.0.0.  The outbound packet is then assigned the address of the 
> interface from which it is actually sent (which depends upon the routing).
> 
> So, by sending from 0.0.0.0, the source address may be one to which Samba
> is not bound.  As a result we are, essentially, spoofing the packet.  The
> reply will then arrive on an interface to which Samba is not bound and
> will, therefore, be ignored (we probably don't even put it into
> unexpected.tdb).
> 
> Volker's solution is to use the "socket address" parameter, and bind the 
> outbound socket to the interface specified by the "socket address".  Doing 
> this proves that he's got the right diagnosis.  I think, though, that the 
> better solution might be to choose the first address in the "interfaces" 
> list, if such is defined (if not, using 0.0.0.0 will be okay).
> 
> Using the first "interfaces" entry means that "socket address" can remain 
> deprecated, and it also means that the sysadmin doesn't have to think 
> about configuring the "socket address" parameter.

I think this is the right solution.

Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
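
The source-address selection discussed in the quoted messages above, as an added example that is not part of the thread or of Samba's code: it compares the address the kernel assigns to a wildcard-bound UDP socket with that of an explicitly bound one. `udp_source_for` is a hypothetical helper, and the loopback addresses are constructed stand-ins (127.0.0.2 plays the virtual interface, which assumes Linux's handling of 127.0.0.0/8 as local).

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define NBT_NS_PORT 137 /* NetBIOS name service, used as destination only */

/* Report the source address the kernel gives a UDP socket bound to bind_ip
 * ("0.0.0.0" = wildcard) when it targets dest_ip. connect() on a datagram
 * socket sends nothing; it only resolves the route, so getsockname() then
 * shows the address a send would carry. Returns 0 on success, -1 on error. */
int udp_source_for(const char *bind_ip, const char *dest_ip,
                   char *out, socklen_t outlen)
{
    struct sockaddr_in local, dest, chosen;
    socklen_t len = sizeof(chosen);
    int rc = -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET; /* sin_port stays 0: ephemeral, unprivileged */
    memset(&dest, 0, sizeof(dest));
    dest.sin_family = AF_INET;
    dest.sin_port = htons(NBT_NS_PORT);
    if (inet_pton(AF_INET, bind_ip, &local.sin_addr) == 1 &&
        inet_pton(AF_INET, dest_ip, &dest.sin_addr) == 1 &&
        bind(fd, (struct sockaddr *)&local, sizeof(local)) == 0 &&
        connect(fd, (struct sockaddr *)&dest, sizeof(dest)) == 0 &&
        getsockname(fd, (struct sockaddr *)&chosen, &len) == 0 &&
        inet_ntop(AF_INET, &chosen.sin_addr, out, outlen) != NULL)
        rc = 0;
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed sample: the wildcard socket gets whatever address the
     * route to the destination implies; the bound socket keeps its own. */
    char src[INET_ADDRSTRLEN];
    if (udp_source_for("0.0.0.0", "127.0.0.1", src, sizeof(src)) == 0)
        printf("wildcard bind -> source %s\n", src);
    if (udp_source_for("127.0.0.2", "127.0.0.1", src, sizeof(src)) == 0)
        printf("explicit bind -> source %s\n", src);
    return 0;
}
```

Comparing the reported source against the addresses a daemon listens on shows whether a reply to that packet would reach a bound socket.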


