Brian M
2004-Oct-22 22:41 UTC
[Samba] how is Samba 3.x advertising itself to Windows clients across LAN, WAN ?
We recently installed Samba 3.x server on Linux system (RHEL 3.0, using stock RH samba packages).

We are observing following messages in logs: lib/access.c:check_access(328) and access is denied. I know why we get access denied: we have restricted "hosts allow =" setting. My question is: why are we getting connection requests in first place? I think something is advertising this system, but what? And how do we turn off?

Background: We have not put system into production, still in staging - we have not yet announced system existence. Yet we get connection requests from scattering of systems across internal network.

Pattern of connection requests looks random: many different hosts on many different subnets on local site LAN and from other sites across WAN. Most look to be from Windows - some are clients, some are servers. It looks like random sampling of systems, not from a single source or small set of hosts, so it does not suggest security scanning, nor some worm or virus.

Comparing to a Samba 2.x system (on Solaris, compiled from source) - that is located on same subnet, and is advertised system - we do \not\ see connection requests from these same systems.

We are aware NIMDA would find open Samba fileshares to dump payload, but we do not see similar requests between Solaris/Samba 2.x and Linux/Samba 3.x systems.

Since we are not seeing on Samba 2.x, we think is some "feature" of 3.x which we do not yet understand.

Any advice?

Thank you...
Gerald (Jerry) Carter
2004-Oct-26 13:06 UTC
[Samba] how is Samba 3.x advertising itself to Windows clients across LAN, WAN ?
Brian M wrote:
| We recently installed Samba 3.x server on Linux
| system (RHEL 3.0, using stock RH samba packages).
|
| We are observing following messages in logs:
| lib/access.c:check_access(328)
| and access is denied. I know why we get access
| denied: we have restricted "hosts allow =" setting.
| My question is: why are we getting connection requests
| in first place? I think something is advertising this
| system, but what? And how do we turn off?

This is probably due to browse list synchronization. Try setting the os level = 0 and local master = no (assuming this is a standalone file/print server).

cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
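An added example, not part of the original thread or of Samba itself: a small audit that reads the [global] section of an smb.conf and reports whether the two settings named in the reply above are still at values that leave the server taking part in browse elections. The sample configurations and the function names are constructed for illustration; the fallback values are the defaults documented in smb.conf(5).

```python
import re

# Defaults documented in smb.conf(5); they apply when a parameter is absent.
DEFAULTS = {"oslevel": "20", "localmaster": "yes"}
# Values suggested in the reply above for a standalone file/print server.
WANTED = {"oslevel": "0", "localmaster": "no"}
TRUE, FALSE = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}

# Constructed sample configs (assumption: a staging box with only hosts allow set).
STAGING = "[global]\n   workgroup = STAGING\n   hosts allow = 10.0.5.\n"
HARDENED = STAGING + "   OS Level = 0\n   local master = No\n"

def global_params(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.replace("\\\n", "").splitlines():  # join continuation lines
        line = raw.strip()
        if not line or line[0] in "#;":                 # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # parameter names are case-insensitive and ignore whitespace
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def browse_findings(text):
    """List (parameter, effective value, suggested value, origin) mismatches."""
    params, findings = global_params(text), []
    for key, wanted in WANTED.items():
        actual = params.get(key, DEFAULTS[key]).lower()
        if key == "localmaster":                        # normalize boolean spellings
            actual = "yes" if actual in TRUE else "no" if actual in FALSE else actual
        if actual != wanted:
            origin = "set" if key in params else "default"
            findings.append((key, actual, wanted, origin))
    return findings

if __name__ == "__main__":
    for name, conf in (("staging", STAGING), ("hardened", HARDENED)):
        print(name, browse_findings(conf) or "browse election settings disabled")
```

On a live host, running the same check against the output of `testparm -s` rather than the raw file also picks up settings pulled in through include files.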