Something happened to netbios aliases, include files and hosts allow

David Pullman dpullman at cme.nist.gov
Wed Sep 3 21:30:33 GMT 2003


For a few years we've had three netbios aliases on our samba server, 
with a global file and an include file for each alias.  Besides 
different shares, we also have a different hosts allow line in each 
include file.  One of the aliases allows access to a group of machines 
(sort of a "dmz"), specified by a netgroup name, that are not allowed 
access to the other aliases' shares.

Recently we started to get reports that these "dmz" machines could not 
get access to shares that they had in the past.  We checked the usual 
suspects, and then started digging.  It appears that although, when the 
"dmz" machine connects, the server uses the configuration and include 
for the correct netbios alias, it is still only using the non-alias 
netbios name's hosts allow.  This denies access to the "dmz" machine.

The snip below illustrates this.  We're running 228a and actually we've 
had this alias scheme running since something like 223a.

Did something change in the recent releases?  Is it something that I can 
correct with conf file changes? Any suggestions?

Thanks

David Pullman
Gaithersburg, MD

This is a snip of smbd log at debug = 10.  The allow line is from 
smb.conf.scifi (netbios name "scifi") even though the machine 
"cassandra" is connecting to netbios name "mxproj" which has its own 
include smb.conf.mxproj.  That file has a host allow with an additional 
netgroup @dmz.

[2003/09/03 16:58:03, 10] lib/access.c:(304)
  check_access: allow = @cme, @mel, 129.6.26., 129.6.27., 129.6.31., 129.6.36., 129.6.71.19, 129.6.71.15, 129.6.72.15, 129.6.73.15, 129.6.74.15, 129.6.76.15, 129.6.77.15, 129.6.32.20, 129.6.71.16, 129.6.72.16, 129.6.73.16, 129.6.74.16, 129.6.76.16, 129.6.77.16, 129.6.176.232, deny =
[2003/09/03 16:58:03, 3] lib/access.c:(283)
  only_ipaddrs_in_list: list [@cme, @mel, 129.6.26., 129.6.27., 129.6.31., 129.6.36., 129.6.71.19, 129.6.71.15, 129.6.72.15, 129.6.73.15, 129.6.74.15, 129.6.76.15, 129.6.77.15, 129.6.32.20, 129.6.71.16, 129.6.72.16, 129.6.73.16, 129.6.74.16, 129.6.76.16, 129.6.77.16, 129.6.176.232] has non-ip address @cme
[2003/09/03 16:58:03, 3] lib/access.c:(321)
  check_access: hostnames in host allow/deny list.
[2003/09/03 16:58:03, 5] lib/access.c:(95)
  looking for 129.6.78.196 of domain melnis in netgroup cme gave No
[2003/09/03 16:58:03, 5] lib/access.c:(95)
  looking for cassandra.dmz.cme.nist.gov of domain melnis in netgroup cme gave No
[2003/09/03 16:58:03, 5] lib/access.c:(95)
  looking for 129.6.78.196 of domain melnis in netgroup mel gave No
[2003/09/03 16:58:03, 5] lib/access.c:(95)
  looking for cassandra.dmz.cme.nist.gov of domain melnis in netgroup mel gave No
[2003/09/03 16:58:03, 0] lib/access.c:(333)
  Denied connection from cassandra.dmz.cme.nist.gov (129.6.78.196)
[2003/09/03 16:58:03, 1] smbd/process.c:(839)
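
An added example, not part of the original post and not Samba code: a small Python script that reads smbd debug output like the excerpt above and reports, for each denied connection, which hosts allow list was actually evaluated and whether an expected entry (here `@dmz`) was in it. The sample log is constructed from the excerpt with the allow list shortened and wrapped lines rejoined; the function name and result fields are illustrative.

```python
import re

# Constructed sample modelled on the smbd debug-10 excerpt in the post
# (allow list shortened, wrapped lines rejoined).
SAMPLE_LOG = """\
[2003/09/03 16:58:03, 10] lib/access.c:(304)
  check_access: allow = @cme, @mel, 129.6.26., 129.6.176.232, deny =
[2003/09/03 16:58:03, 5] lib/access.c:(95)
  looking for 129.6.78.196 of domain melnis in netgroup cme gave No
[2003/09/03 16:58:03, 5] lib/access.c:(95)
  looking for cassandra.dmz.cme.nist.gov of domain melnis in netgroup cme gave No
[2003/09/03 16:58:03, 5] lib/access.c:(95)
  looking for 129.6.78.196 of domain melnis in netgroup mel gave No
[2003/09/03 16:58:03, 0] lib/access.c:(333)
  Denied connection from cassandra.dmz.cme.nist.gov (129.6.78.196)
"""

ALLOW_RE = re.compile(r"check_access: allow = (.*), deny =")
NETGROUP_RE = re.compile(r"looking for (\S+) of domain \S+ in netgroup (\S+) gave (\w+)")
DENIED_RE = re.compile(r"Denied connection from (\S+) \(([\d.]+)\)")


def audit_denials(log_text, expected_entry):
    """One finding per denied connection: the allow list smbd evaluated, the
    netgroups it consulted, and whether expected_entry was in that list.
    Assumes the log lines of one connection are not interleaved with another's."""
    findings, allow, consulted = [], [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := ALLOW_RE.search(line):
            # A new access check starts: remember the list that is in effect.
            allow = [e.strip() for e in m.group(1).split(",") if e.strip()]
            consulted = []
        elif m := NETGROUP_RE.search(line):
            if m.group(2) not in consulted:
                consulted.append(m.group(2))
        elif m := DENIED_RE.search(line):
            findings.append({
                "host": m.group(1), "ip": m.group(2),
                "allow": allow, "netgroups_consulted": consulted,
                "expected_entry_present": expected_entry in allow,
            })
    return findings


if __name__ == "__main__":
    for f in audit_denials(SAMPLE_LOG, "@dmz"):
        print(f)
```

A finding with `expected_entry_present` set to False and no lookup against the expected netgroup shows that the denial came from an allow list other than the one the alias's include file defines.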




