[Samba] Lingering IPC$ connections

Alfredo Ramos ralf at is.rice.edu
Fri Apr 11 03:28:37 GMT 2003


John,

Thank you for the explanation. It sheds a light into something I was not
aware of. The reason we run samba is to stay away from M$ servers. I might
grab a spare PC and load Win2K Server though, just to experiment and sniff
the traffic. It should be interesting to see how the session setup goes
from an M$ point of view. As you stated, it should mirror what samba does.
Or viceversa.

Thanks again;

Al.

---------------------------------------------------------------------------------
                                           | Alfredo Ramos
This space available for rent.             | Educational Technology
Get your product moving. Advertise here!   | Rice University.
                                           | Email: ralf at is.rice.edu
---------------------------------------------------------------------------------

> Alfredo,
>
> The protocol stack is the secret.
>
> IP-|->TCP->|->SMB->NetBIOS->Named Pipes->MS ONC DCE RPC->RPC Services
>    |->UDP->|
>
> Operations are mulitplexed over the named pipes. It is NOT uncommon for
> each SMB operation to con-currently run 8 or more communication sessions
> over the same named pipe. This makes decoding Microsoft protocols so
> interesting.
>
> The client may open the IPC$ share as the null user (to obtain share
> information), or as an authenticated user, usually both happen, typically
> it keeps the null connection open - there is no good reason to close it.
>
> Secondly, Samba does NOT control clients, clients control Samba. That is
> the way it is with SMB protocols. It is only the client that drops
> sessions if it chooses to. Samba does not drop client connections.
>
> If you want to understand this better grab an XP Pro client and a Windows
> 2000 Server and using Ethereal monitor the traffic. Also, on your Windows
> XP Pro client you should from control panel / administrative options run
> the Machine Manager MMC and locate the panel that will allow you to see
> all open and current connections to your samba or Win2K server.
>
> You will see that what smbstatus reports is in fact what the client will
> report in the way of open connections. You are seeing only the named pipes
> that are open.
>
> smbstatus is not reporting multiple smbds that have the same pid, it is
> reporting the named pipe sessions that are open over a single smbd.
>
>
> - John T.
>



More information about the samba mailing list