Login Failure

Rashkae git at meaford.com
Mon Mar 26 03:54:13 GMT 2001

There was one mistake in the explanation. Samba does not reject the client
if the hosts allow / hosts deny are specified by IP address. However,
because it uses the tcp wraper, it nonetheless performs a reverse lookup.
The lookup is sent to the DHCP in the due course, and the DNS server
spends time trying to lookup it up.. Unfortunately, by the time DNS gives
up and reports a failure, SMB clients time out. The DNS server caches the
request. So that client will be able to re-connect for as long as the
cached request lives.  By listing the client IP address in the /etc/hosts
file, even without a host name, you prevent the lookup from being sent to
the DNS server, so no timeout.  For some reason, despite all the problems
this has caused, no one seems to have mentioned this prominantly in the
base documentation... tsk tsk.  oplock, strict locking and dos filesystem
should also be better documented. (Note, I don't hold the Samba team
responsible for that. This kind of common troubleshooting should be in the
smb.conf file provided by distributions, well commented with exambles.)

On Mon, 26 Mar 2001, Grant wrote:

> Nice explanation... However, howcome "sometimes" it allows it through and
> other times it doesn't. Sometimes on the 2nd, 3rd, or 4th attempt it
> allows the domain login to samba, on other attempts it will say the
> password is incorrect.
> On Mon, 26 Mar 2001, Tim Potter wrote:
> > Seth Thornberry writes:
> > 
> > > ]Well not knowing anything about the setup, the standard answer is
> > > ]workstations having DHCP addresses without forward and reverse
> > > ]DNS entries and using 'hosts allow' and 'hosts deny' in the
> > > ]smb.conf file.
> > > 
> > > How is that an answer? Or is that just a description of the problem? Does
> > > samba not support that kind of set up? Why does samba have to have the DNS
> > > names of the computers accessing it? Shouldn't samba be using netbios names?
> > > Is this documented somewhere that I'm missing?
> > 
> > OK - when host machines connect to Samba and the 'hosts allow'
> > and 'hosts deny' options are present, Samba needs to determine
> > the DNS name to work out whether to allow the connection.  If the
> > host does not have a reverse IP then it is automatically rejected
> > as Samba cannot determine whether to allow or deny the
> > connection.  This is because the code is based on the tcp wrapper
> > code and netbios names are too easy to spoof.
> > 
> > Er, I don't think it is actually documented anywhere.  )-:
> > 
> > 
> > Tim.
> > 
> > 
> > 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list