[Samba] Re: Slow "run as ...", firewall issues.

David Mathog mathog at caltech.edu
Tue Sep 23 16:51:53 GMT 2008


> So I changed the rules to:
> REJECT     tcp  --  xxx.xxx.xxx.xxx       yyy.yyy.yyy.yyy       tcp dpts:137:139 reject-with icmp-port-unreachable
> REJECT     udp  --  xxx.xxx.xxx.xxx       yyy.yyy.yyy.yyy       udp dpts:137:139 reject-with icmp-port-unreachable
> And "run as..." was fast again.

Except, after several hours, it was slow again!  I believe there was
some issue with the Samba server retaining NetBIOS names after the
REJECT is set, but then it eventually loses those due to the REJECT.
Once that happens "run as..." is once again slow, even though ports
137-139 are still REJECTing connections from the client machine.
This is a complex interaction, with what appears to be stored values
timing out - because restarting Samba may be needed to fix it (quickly)
even if the server has the firewall shut off. Rather than experimenting
with further firewall rules for the campus Winbind servers (I think) I
gave up and once again set ports 137-139 to ACCEPT for on-campus
machines.  Note that that alone did not immediately speed up "run
as...", but a subsequent restart of samba did, and it is still fast 14
hours later.

If one of the Samba developers could explain this messy interaction it
would be greatly appreciated.

Thank you,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
