Something happened to netbios aliases, include files and hosts allow
David Pullman
dpullman at cme.nist.gov
Wed Sep 3 21:30:33 GMT 2003
For a few years we've had three netbios aliases on our samba server,
with a global file and an include file for each alias. Besides
different shares, we also have a different hosts allow line in each
include file. One of the aliases allows access to a group of machines
(sort of a "dmz"), specified by a netgroup name, that are not allowed
access to the other aliases' shares.
Recently we started to get reports that these "dmz" machines could not
get access to shares that they had in the past. We checked the usual
suspects, and then started digging. It appears that although, when the
"dmz" machine connects, the server uses the configuration and include
for the correct netbios alias, it is still only using the non-alias
netbios name's hosts allow. This denies access to the "dmz" machine.
The snip below illustrates this. We're running 228a and actually we've
had this alias scheme running since something like 223a.
Did something change in the recent releases? Is it something that I can
correct with conf file changes? Any suggestions?
Thanks
David Pullman
Gaithersburg, MD
This is a snip of smbd log at debug = 10. The allow line is from
smb.conf.scifi (netbios name "scifi") even though the machine
"cassandra" is connecting to netbios name "mxproj" which has its own
include smb.conf.mxproj. That file has a host allow with an additional
netgroup @dmz.
[2003/09/03 16:58:03, 10] lib/access.c:(304)
check_access: allow = @cme, @mel, 129.6.26., 129.6.27., 129.6.31., 129.6.36., 129.6.71.19, 129.6.71.15, 129.6.72.15, 129.6.73.15, 129.6.74.15, 129.6.76.15, 129.6.77.15, 129.6.32.20, 129.6.71.16, 129.6.72.16, 129.6.73.16, 129.6.74.16, 129.6.76.16, 129.6.77.16, 129.6.176.232, deny =
[2003/09/03 16:58:03, 3] lib/access.c:(283)
only_ipaddrs_in_list: list [@cme, @mel, 129.6.26., 129.6.27., 129.6.31., 129.6.36., 129.6.71.19, 129.6.71.15, 129.6.72.15, 129.6.73.15, 129.6.74.15, 129.6.76.15, 129.6.77.15, 129.6.32.20, 129.6.71.16, 129.6.72.16, 129.6.73.16, 129.6.74.16, 129.6.76.16, 129.6.77.16, 129.6.176.232] has non-ip address @cme
[2003/09/03 16:58:03, 3] lib/access.c:(321)
check_access: hostnames in host allow/deny list.
[2003/09/03 16:58:03, 5] lib/access.c:(95)
looking for 129.6.78.196 of domain melnis in netgroup cme gave No
[2003/09/03 16:58:03, 5] lib/access.c:(95)
looking for cassandra.dmz.cme.nist.gov of domain melnis in netgroup cme gave No
[2003/09/03 16:58:03, 5] lib/access.c:(95)
looking for 129.6.78.196 of domain melnis in netgroup mel gave No
[2003/09/03 16:58:03, 5] lib/access.c:(95)
looking for cassandra.dmz.cme.nist.gov of domain melnis in netgroup mel gave No
[2003/09/03 16:58:03, 0] lib/access.c:(333)
Denied connection from cassandra.dmz.cme.nist.gov (129.6.78.196)
[2003/09/03 16:58:03, 1] smbd/process.c:(839)
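
An added example, not part of the original post and not Samba code: a Python script that reads a wrapped smbd debug log like the one above and reports each denied client together with the hosts allow list that check_access actually evaluated, when an expected entry such as @dmz is absent from it. The function names and the shortened sample log are constructed for illustration.

```python
import re

# Constructed sample shaped like the excerpt above, including the
# 80-column wrapping that splits an address ("12" / "9.6.77.15").
SAMPLE_LOG = """\
[2003/09/03 16:58:03, 10] lib/access.c:(304)
check_access: allow = @cme, @mel, 129.6.26., 129.6.71.19, 12
9.6.77.15, 129.6.176.232, deny =
[2003/09/03 16:58:03, 5] lib/access.c:(95)
looking for cassandra.dmz.cme.nist.gov of domain melnis in netgroup
cme gave N
o
[2003/09/03 16:58:03, 0] lib/access.c:(333)
Denied connection from cassandra.dmz.cme.nist.gov (129.6.78.196)
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d, +\d+\] ")
# Patterns run on whitespace-free text, so wrapping cannot break them.
ALLOW = re.compile(r"check_access:allow=(.*?),?deny=")
DENIED = re.compile(r"Deniedconnectionfrom([^()]+)\(([^()]+)\)")


def records(text):
    """Yield each record's message with all whitespace removed."""
    body = None
    for line in text.splitlines():
        if HEADER.match(line):
            if body is not None:
                yield "".join(body)
            body = []
        elif body is not None:
            body.extend(line.split())
    if body is not None:
        yield "".join(body)


def audit(text, expected):
    """Return (host, ip, allow_list) for every denial decided against a
    hosts allow list that lacks `expected`, e.g. "@dmz"."""
    findings, allow = [], None
    for msg in records(text):
        m = ALLOW.search(msg)
        if m:
            allow = [entry for entry in m.group(1).split(",") if entry]
        m = DENIED.search(msg)
        if m and allow is not None and expected not in allow:
            findings.append((m.group(1), m.group(2), allow))
    return findings


if __name__ == "__main__":
    for host, ip, allow in audit(SAMPLE_LOG, "@dmz"):
        print(f"{host} ({ip}) denied; @dmz absent from: {', '.join(allow)}")
```
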