Mathias Wohlfarth
2002-Jan-21 09:54 UTC
Reply: Re: Problems Accessing Samba through a Firewall
Connecting through subnetworks is working fine if you configure Samba as a WINS server and the client to use the Samba server as a WINS server. Names are resolved without the need for broadcast.

regards
MW

David Collier-Brown <davecb@canada.sun.com>@lists.samba.org on 21.01.2002 18:22:29
Please reply to: David.Collier-Brown@Sun.COM
Sent by: samba-admin@lists.samba.org
To: heubach@heubach-edv.de
Cc: samba@lists.samba.org
Subject: Re: Problems Accessing Samba through a Firewall

heubach@heubach-edv.de wrote:
> I've got some problems with Samba 2.2.0 sitting in the DMZ behind a firewall.
>
> I opened ports 137/138 UDP and 139 TCP to Samba. When I try to connect to the Samba machine from a Windows NT 4.0 Workstation I get the error message "Networkpath not found". If I open all ports to the Samba host it will work. After this I close all ports except 139 TCP and it still works. But it stops working after logging out and on again to the Windows NT host.

Ok, there's two parts to this situation: broadcast and unicast.

Network neighbourhood is done using udp and some broadcasts: to get it to work you need a server on the subnet with the client. If you are making the connection via NN, you have to have the machine accepting udp and directed broadcasts at the very least!

Browsing and accessing individual machines, however, is done with tcp, purely unicast.

If you are making the connection via windows explorer (not internet explorer) or the net use command, that's tcp, and you need only a name service and tcp. See http://www.oreilly.com/catalog/samba/chapter/book/ch09_02.html for the process of debugging it.

A good network snoop program like Ethereal will help you: tell it to just show the SMB packets and watch to see what ports they go to.

--dave
--
David Collier-Brown,           | Always do right. This will gratify
Performance & Engineering      | some people and astonish the rest.
Americas Customer Engineering, |                      -- Mark Twain
(905) 415-2849                 | davecb@canada.sun.com
MH - Entwicklung
2002-Jan-22 00:40 UTC
Reply: Re: Problems Accessing Samba through a Firewall
Well, I missed explaining some details about the network structure:

As mentioned, the Samba host sits in the DMZ behind a firewall. The LAN is organized as an NT domain with MS NT servers. Windows name resolution is done via DNS and LMHOSTS. DNS is working fine (on both servers and clients); also, LMHOSTS has no misleading entries.

If I enter a UNC path like \\myserver\myshare in Windows Explorer this should directly invoke a NetBIOS session on port 139, I suppose? There should be no other protocols involved.

If indeed browsing is the problem it should work by opening ports 137/138 UDP? Maybe there is a misconfiguration in the firewall. I will check this in the afternoon (as I mentioned, the firewall is not maintained by me).

In order to have full access to an SMB server (Samba or Windows) it should be sufficient to open port 139 TCP and 137/138 UDP towards the SMB server. Is this correct?

Regards
Manfred
Hello!

We had a misconfiguration on the firewall. Windows uses low UDP client ports, which were not allowed to pass the firewall.

Everything's fine now.

Thanks
Manfred
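The failure reported in the last message can be reproduced with a small default-deny rule model. This is an added example, not part of the thread: the thread does not name the firewall or the rule at fault, so the rule sets, the addresses and the names `Packet`, `Rule` and `dropped` are assumptions. It relies on the fact that NetBIOS name and datagram traffic is sent from source ports 137 and 138, so a policy that admits only source ports from 1024 upward drops it even though the destination ports are open.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    label: str
    proto: str
    src: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    proto: str
    src_net: str
    sports: tuple      # inclusive (low, high) source-port ranges
    dport: int

    def matches(self, p):
        return (p.proto == self.proto and p.dport == self.dport
                and ip_address(p.src) in ip_network(self.src_net)
                and any(lo <= p.sport <= hi for lo, hi in self.sports))

def dropped(packets, rules):
    """Default deny: return the labels of packets no allow rule matches."""
    return [p.label for p in packets if not any(r.matches(p) for r in rules)]

LAN = "192.168.10.0/24"     # constructed LAN subnet
HIGH = (1024, 65535)

# Constructed traffic from an NT client towards the Samba host in the DMZ.
# The NetBIOS name and datagram services send from ports 137 and 138 themselves.
TRAFFIC = [
    Packet("name query", "udp", "192.168.10.21", 137, 137),
    Packet("datagram", "udp", "192.168.10.21", 138, 138),
    Packet("session", "tcp", "192.168.10.21", 1045, 139),
    Packet("name query from outside the LAN", "udp", "203.0.113.9", 137, 137),
]

# Assumed faulty policy: correct destination ports, high source ports only.
HIGH_SPORT_ONLY = [Rule("udp", LAN, (HIGH,), 137), Rule("udp", LAN, (HIGH,), 138),
                   Rule("tcp", LAN, (HIGH,), 139)]
# Corrected policy: additionally accept source ports 137 and 138, still LAN only.
CORRECTED = [Rule("udp", LAN, ((137, 137), HIGH), 137),
             Rule("udp", LAN, ((138, 138), HIGH), 138),
             Rule("tcp", LAN, (HIGH,), 139)]

if __name__ == "__main__":
    print("high-source-port policy drops:", dropped(TRAFFIC, HIGH_SPORT_ONLY))
    print("corrected policy drops:", dropped(TRAFFIC, CORRECTED))
```

The corrected policy opens only the two specific low source ports rather than everything below 1024, and keeps the LAN source restriction, so the Samba host is no more exposed than the fix requires.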