samba - Dec 2005 - smbclient lookup fails when querying local machine

Debian Sarge, Samba 2.2.12 (legacy install), openLDAP 2.2.17, connecting to a
PDC running Samba 2.2.8a. The machine in question failed DIAGNOSIS.txt step 3.

I've got a really odd issue -- a Samba server that can "smbclient
-L" everyone but itself. Samba still serves shares and PDC authentication
works fine, but this failure is annoying, and as such, must be fixed. :)

--

issued from boothost.1230.good-sam.com with IP 172.21.23.1 [local machine
querying remote machine]:
<output1>
boothost:/opt/samba/var# smbclient -L boothost.0010.good-sam.com -Uaccount1
Password: 
added interface ip=172.21.23.1 bcast=172.21.23.255 nmask=255.255.255.0
Domain=[GSS] OS=[Unix] Server=[Samba 2.2.8a]

        Sharename      Type      Comment
        ---------      ----      -------
# SNIP: list of shares
</output1>

--

issued from boothost.1230.good-sam.com with IP 172.21.23.1 [local machine
querying itself]:
<output2>
boothost:/opt/samba/var# smbclient -L boothost.1230.good-sam.com -Uaccount1
added interface ip=172.21.23.1 bcast=172.21.23.255 nmask=255.255.255.0
Password:
session setup failed: Call timed out: server did not respond after 20000
milliseconds
</output2>

--

NMBLookup fails for all hosts. I can ping the PDC but "nmblookup
$any_host_including_PDC" fails.
<output3>
boothost:/opt/samba/var# nmblookup boothost.1230.good-sam.com
querying boothost.1230.good-sam.com on 172.21.23.255
name_query failed to find name boothost.1230.good-sam.com
</output3>

--

<smb.conf>
[global]
workgroup = GSS
netbios name = BOOTHOST-1230
server string = 1230 Boothost Server
password server = [anonymized for the Intarweb but the value is known good * RP]
encrypt passwords = Yes
security = domain
log file = /opt/samba/var/log/%m.log
log level = 0
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = No
os level = 75
preferred master = True
domain master = False
dns proxy = No
wins support = No
wins server = 172.16.102.41
name resolve order = wins bcast host
</smb.conf>

--

boothost.1230.good-sam.com is listed as master browser for this subnet in
log.nmbd, but another interesting note: every time I restart Samba, it goes
through this battle to get there:

Log level 0:
<log.nmbd>
[2005/12/05 15:23:18, 0] nmbd/nmbd.c:terminate(59)
  Got SIGTERM: going down...
[2005/12/05 15:23:21, 0] nmbd/nmbd.c:main(795)
  Netbios nameserver version 2.2.12 started.
  Copyright Andrew Tridgell and the Samba Team 1994-2002
[2005/12/05 15:23:21, 0] nmbd/nmbd_nameregister.c:register_name_response(109)
  register_name_response: server at IP 172.16.102.41 rejected our name
registration of BOOTHOST-1230<20> with error code 5.
[2005/12/05 15:23:21, 0] nmbd/nmbd_mynames.c:my_name_register_failed(40)
  my_name_register_failed: Failed to register my name BOOTHOST-1230<20> on
subnet UNICAST_SUBNET.
[2005/12/05 15:23:21, 0] nmbd/nmbd_namelistdb.c:standard_fail_register(290)
  standard_fail_register: Failed to register/refresh name
BOOTHOST-1230<20> on subnet UNICAST_SUBNET
[2005/12/05 15:23:21, 0] nmbd/nmbd_nameregister.c:register_name_response(109)
  register_name_response: server at IP 172.16.102.41 rejected our name
registration of BOOTHOST-1230<03> with error code 5.
[2005/12/05 15:23:21, 0] nmbd/nmbd_mynames.c:my_name_register_failed(40)
  my_name_register_failed: Failed to register my name BOOTHOST-1230<03> on
subnet UNICAST_SUBNET.
[2005/12/05 15:23:21, 0] nmbd/nmbd_namelistdb.c:standard_fail_register(290)
  standard_fail_register: Failed to register/refresh name
BOOTHOST-1230<03> on subnet UNICAST_SUBNET
[2005/12/05 15:23:21, 0] nmbd/nmbd_nameregister.c:register_name_response(109)
  register_name_response: server at IP 172.16.102.41 rejected our name
registration of BOOTHOST-1230<00> with error code 5.
[2005/12/05 15:23:21, 0] nmbd/nmbd_mynames.c:my_name_register_failed(40)
  my_name_register_failed: Failed to register my name BOOTHOST-1230<00> on
subnet UNICAST_SUBNET.
[2005/12/05 15:23:21, 0] nmbd/nmbd_namelistdb.c:standard_fail_register(290)
  standard_fail_register: Failed to register/refresh name
BOOTHOST-1230<00> on subnet UNICAST_SUBNET
[2005/12/05 15:23:55, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
  *****

  Samba name server BOOTHOST-1230 is now a local master browser for workgroup
GSS on subnet 172.21.23.1

  *****
</log.nmbd>

Does the PDC rejecting my name registration have anything to do with my
smbclient trouble? And for that matter, why is the PDC rejecting my name
registration? Does anyone have any ideas?

Thanks!
Ryan

> I've got a really odd issue -- a Samba server that can "smbclient
-L"
> everyone but itself.
> session setup failed: Call timed out: server did not respond after
> 20000 milliseconds
This looks a lot like a firewall issue - are you sure your machine can
connect to itself on that interface on the SMB port?  It is possible to
get this behaviour by blocking the wrong thing at least with the Linux
firewall, so that would be the first place I'd check.
> my_name_register_failed: Failed to register my name BOOTHOST-1230<20>
> on subnet UNICAST_SUBNET. [2005/12/05 15:23:21, 0]
> nmbd/nmbd_namelistdb.c:standard_fail_register(290)
> standard_fail_register: Failed to register/refresh name
Out of curiosity, does it still do this if the name is <= 8 chars?

Cheers,
Adam.

>> I've got a really odd issue -- a Samba server that can
"smbclient -L"
>> everyone but itself.
>> session setup failed: Call timed out: server did not respond after
>> 20000 milliseconds
> This looks a lot like a firewall issue - are you sure your machine can
> connect to itself on that interface on the SMB port?  It is possible to
> get this behaviour by blocking the wrong thing at least with the Linux
> firewall, so that would be the first place I'd check.
Port 139 is specifically set to "accept" for both TCP and UDP in my
iptables config, and nmap yields the following with the firewall running:

PORT     STATE SERVICE
139/tcp  open  netbios-ssn

Is there another port I need to open? 139 is the only one of which I'm
aware.
>> my_name_register_failed: Failed to register my name
BOOTHOST-1230<20>
>> on subnet UNICAST_SUBNET. [2005/12/05 15:23:21, 0]
>> nmbd/nmbd_namelistdb.c:standard_fail_register(290)
>> standard_fail_register: Failed to register/refresh name
> Out of curiosity, does it still do this if the name is <= 8 chars?
No, it does not; it's able to register a new NetBIOS name ok. Changing the
NetBIOS name to BH1230 still yields a smbclient timeout though:

boothost:/opt/samba/var# smbclient -L BH1230 -Uvalidusr
added interface ip=172.21.23.1 bcast=172.21.23.255 nmask=255.255.255.0
Got a positive name query response from 172.16.102.41 ( 172.21.23.1 )
Password:
session setup failed: Call timed out: server did not respond after 20000
milliseconds

Something else I found over the weekend: my original NetBIOS name has the wrong
IP address listed in the PDC's wins.dat:

"BOOTHOST-1230#00" 1134682795 172.16.104.136 44R
"BOOTHOST-1230#03" 1134682795 172.16.104.136 44R
"BOOTHOST-1230#20" 1134682795 172.16.104.136 44R

wins.dat should list the IP address for this host as 172.21.23.1.

I've changed the NetBIOS name of the machine at the incorrect address and
rejoined the domain, and then rejoined the domain with the machine at the
appropriate IP address; unfortunately, wins.dat on the PDC still lists the wrong
IP address for all three "BOOTHOST-1230" entries. Is there any way I
can force these incorrect entries out of wins.dat WITHOUT restarting samba on
the PDC?

Thanks!

Ryan

> wins.dat should list the IP address for this host as 172.21.23.1.
In this case using -L 172.21... instead of -L BH1230 should work.
There was a post earlier with the subject "Changed IP address" that
recommended editing wins.dat to fix the IP problem.

Cheers,
Adam.

No such luck:

in smb.conf:
name resolve order = host bcast

Results:
boothost:~# smbclient -L 172.21.23.1 -Uvalidusr
added interface ip=172.21.23.1 bcast=172.21.23.255 nmask=255.255.255.0
Password:
session setup failed: Call timed out: server did not respond after 20000
milliseconds

Can bad WINS entries affect results even if WINS isn't in the "name
resolve order"?

--
>>> Adam Nielsen <adam.nielsen@uq.edu.au> 12/12/2005 4:33:00 PM
>>>
> wins.dat should list the IP address for this host as 172.21.23.1.
In this case using -L 172.21... instead of -L BH1230 should work.
There was a post earlier with the subject "Changed IP address" that
recommended editing wins.dat to fix the IP problem.

Cheers,
Adam.

Hi Ryan,
> boothost:~# smbclient -L 172.21.23.1 -Uvalidusr
> added interface ip=172.21.23.1 bcast=172.21.23.255 nmask=255.255.255.0
> Password:
> session setup failed: Call timed out: server did not respond after
> 20000 milliseconds
> 
> Can bad WINS entries affect results even if WINS isn't in the
"name
> resolve order"?
When you use -L <ip> it bypasses WINS, hosts, lmhosts, etc. altogether
and connects directly to that IP address.  So that would explain why -L
BH1230 doesn't work, because WINS might be mapping back to an IP, but
you still get the timeout when connecting to that IP anyway.

Try running "netstat -lnp | grep smbd" to get a list of all ports that
Samba has open, and make sure they're all opened on the firewall
(including the 'lo' interface.)  I have a feeling there are two or
three different ports that need to be opened.

Cheers,
Adam.

Adam: 

boothost:~# netstat -lnp|grep smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN    
2968/smbd

Port 139 is open in the iptables config for both TCP and UDP.

Thanks,
Ryan
>>> Adam Nielsen <adam.nielsen@uq.edu.au> 12/14/2005 4:58:05 PM
>>>
Hi Ryan,
> boothost:~# smbclient -L 172.21.23.1 -Uvalidusr
> added interface ip=172.21.23.1 bcast=172.21.23.255 nmask=255.255.255.0
> Password:
> session setup failed: Call timed out: server did not respond after
> 20000 milliseconds
> 
> Can bad WINS entries affect results even if WINS isn't in the
"name
> resolve order"?
When you use -L <ip> it bypasses WINS, hosts, lmhosts, etc. altogether
and connects directly to that IP address.  So that would explain why -L
BH1230 doesn't work, because WINS might be mapping back to an IP, but
you still get the timeout when connecting to that IP anyway.

Try running "netstat -lnp | grep smbd" to get a list of all ports that
Samba has open, and make sure they're all opened on the firewall
(including the 'lo' interface.)  I have a feeling there are two or
three different ports that need to be opened.

Cheers,
Adam.

> Port 139 is open in the iptables config for both TCP and UDP.
Hmm, I have an additional port open:

tcp        0      0 192.168.0.1:139         0.0.0.0:*               LISTEN     
2694/smbd
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN     
2694/smbd
tcp        0      0 192.168.0.1:445         0.0.0.0:*               LISTEN     
2694/smbd
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN     
2694/smbd

But I don't know whether that's CIFS or something.  Are you able to
"telnet localhost 139"?  I suspect that doing that would also timeout,
whereas I can connect immediately.  If telnet also times out, it's
almost certainly a firewall issue.  Also check your "hosts allow" line
in smb.conf.

Cheers,
Adam.

OK, I've opened port 445 in the iptables config. Further testing shows no
changed after doing this.

I can telnet to 139:
<snip>
boothost:~# telnet localhost 139
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
</snip>

Trying to smbclient to NETBios name, public IP, and loopback all produce the
same error:
<snip>
session setup failed: Call timed out: server did not respond after 20000
milliseconds
</snip>

I have neither a "hosts allow" nor a "hosts deny" line in my
smb.conf.

Thanks a bunch for all your help, Adam.

Ryan

>>> Adam Nielsen <adam.nielsen@uq.edu.au> 12/18/2005 5:02:30 PM
>>>
Hmm, I have an additional port open:

tcp        0      0 192.168.0.1:139         0.0.0.0:*               LISTEN     
2694/smbd
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN     
2694/smbd
tcp        0      0 192.168.0.1:445         0.0.0.0:*               LISTEN     
2694/smbd
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN     
2694/smbd

But I don't know whether that's CIFS or something.  Are you able to
"telnet localhost 139"?  I suspect that doing that would also timeout,
whereas I can connect immediately.  If telnet also times out, it's
almost certainly a firewall issue.  Also check your "hosts allow" line
in smb.conf.

Cheers,
Adam.

> I can telnet to 139:
Hmm, that's bizarre.  It seems like smbd is ignoring the connection on
purpose.  I'm afraid I'm out of ideas.  You could try adding "hosts
allow = 127." line to smb.conf just in case (along with your other
subnets so they can still access the server) however I don't think it
would make much difference.

I would suggest getting hold of a packet sniffer like Ethereal just to
see what's going on, but I suspect all you'd see is the initial request
being sent on port 139 and then nothing further.

Sorry I couldn't be more helpful!

Cheers,
Adam.

Adam:

Your suggestions have been great, and have helped me solve a few other problems
on different servers.

Thanks again!

Ryan
>>> Adam Nielsen <adam.nielsen@uq.edu.au> 12/19/2005 5:49:04 PM
>>>
> I can telnet to 139:
Hmm, that's bizarre.  It seems like smbd is ignoring the connection on
purpose.  I'm afraid I'm out of ideas.  You could try adding "hosts
allow = 127." line to smb.conf just in case (along with your other
subnets so they can still access the server) however I don't think it
would make much difference.

I would suggest getting hold of a packet sniffer like Ethereal just to
see what's going on, but I suspect all you'd see is the initial request
being sent on port 139 and then nothing further.

Sorry I couldn't be more helpful!

Cheers,
Adam.

-------------- next part --------------
-------------------------------------------------

This email transmission and any documents, files or previous

email messages attached to it may contain information that is

confidential or legally privileged. If you are not the intended

recipient, you are hereby notified that any disclosure, copying,

printing, distributing or use of this transmission is strictly

prohibited. If you have received this transmission in error,

please immediately notify the sender by telephone or return

email and delete the original transmission and its attachments

without reading or saving in any manner.



The Evangelical Lutheran Good Samaritan Society.

---------------------------------------------------------