[Samba] how is Samba 3.x advertising itself to Windows clients across LAN, WAN?
brianm0000 at mail.ru
Fri Oct 22 22:41:18 GMT 2004
We recently installed Samba 3.x server on Linux system (RHEL 3.0, using stock RH samba packages).
We are observing following messages in logs:
and access is denied. I know why we get access denied: we have restricted "hosts allow =" setting.
My question is: why are we getting connection requests in the first place? I think something is advertising this system, but what? And how do we turn it off?
We have not put system into production, still in staging - we have not yet announced system existence.
Yet we get connection requests from a scattering of systems across the internal network. The pattern of connection requests looks random: many different hosts on many different subnets on the local site LAN and from other sites across the WAN. Most look to be from Windows; some are clients, some are servers.
It looks like a random sampling of systems, not from a single source or small set of hosts, so it does not suggest security scanning, nor some worm or virus.
Comparing to a Samba 2.x system (on Solaris, compiled from source) - that is located on same subnet, and is advertised system - we do \not\ see connection requests from these same systems. We are aware NIMDA would find open Samba fileshares to dump payload, but we do not see similar requests between Solaris/Samba 2.x and Linux/Samba 3.x systems.
Since we are not seeing this on Samba 2.x, we think it is some "feature" of 3.x which we do not yet understand.