bug fix?: 2.2.7a, nmbd/nmbd_packets.c, listen_for_packets()

Peter Hurley phurley at imaginexd.com
Mon Feb 17 03:02:51 GMT 2003


> >
> > When running a WINS server using the following configuration:
> > 	[global]
> > 	wins support = yes
> > 	interfaces = 192.168.1.0/24
> > 	bind interfaces only = true
> > the WINS server erroneously discards 127.0.0.1 requests from SMBD
> > children.  This happens whenever libsmb/resolve_wins() is called.  I ran into
> > this trying to understand why bringing up a Print dialog would take > 6 secs,
> > but I would guess that there are other places this would come up.
> 
> I don't see how this is erroneous.  If you specifically configure Samba
> not to listen on an interface, I might imagine that it might just happen
> to not listen on that interface.  The documentation is quite clear on
> this matter - you really should include localhost in your interface
> list.
>

I think there are several good reasons to include this fix:
1)  I think the documentation is ambiguous on this subject.

The smb.conf man page states:
****
   interfaces (G)
         This option allows you to override the default network
         interfaces list that Samba will use for browsing, name
         registration and other NBT traffic. By default Samba will
         query the kernel for the list of all active interfaces and
         use any interfaces except 127.0.0.1 that are broadcast capable.
		.
		.
   For example, the following line:

   interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
		.
		.
   Default: all active interfaces except 127.0.0.1 that are broadcast
       capable
*****
I think this documentation implies that 127.0.0.1 is an unnecessary
interface as far as Samba is concerned.
	a) The sample given does not include 127.0.0.0/8
	b) Twice it states that the default will NOT acquire 127.0.0.1.

There's little mention of "interfaces=" in the Samba HOWTO.
In section 4.6 of "Using Samba", the example smb.conf does not add the
loopback interface (only in 4.6.1.4 does it say,

"If you set bind interfaces only to yes, you should add the localhost
address (127.0.0.1) to the "interfaces" list. Otherwise, smbpasswd will
be unable to connect to the server using its default mode in order to
change a password." -- BTW, not actually true. smbpasswd works fine
without this.

I could only find two appropriate entries: section 6.1 of the
"Unofficial Samba How-To" and an e-mail from Martin Rusko on a Debian
Security mailing list.

2) "interfaces=" is an overloaded option.  Setting the loopback address
in "interfaces=" has both SMBD and NMBD listening to it.  But in the
default mode, SMBD will only listen to all broadcast addresses EXCEPT
loopback, whereas NMBD will listen to every address.

3) I've seen quite a few misconfigured "interfaces=".  I think this is
probably a very common oversight that goes largely undetected.  In my
case, I was running this misconfiguration on one server for two years,
and on another for 9 mos.  It was only because I decided to seriously
bulldog a seemingly unrelated problem (long time to bring up Print
dialog) that I uncovered the misconfiguration for myself.

4) I believe this to be the most serious.  The only indication that
something is wrong is that things run slow or sporadically slow.  But
slow-running stuff is hard to diagnose.  It could be network hardware,
server hardware, misconfigured network hardware, corrupted firewalls,
complex multi-subnet installations, etc.  The security-conscious (a lot
of people) are going to and do use "bind interfaces only = yes", without
realizing all the ramifications.

A lot of posts on the samba list are about complex problems that start:
it's running slow.  Remember the thread, "How Samba let us down"?  Quite
a furor:  interestingly, Chris de Vidal states in his e-mail of 23
October 2002, 10:46:29, "I did try WINS in testing;.... I would see
"WINS server appears to be down"...Have you seen better documents on
implementing Samba WINS..."

I think in this situation a small change could go a long way.

Thanks,

Peter Hurley
phurley at imaginexd.com


