samba - Jul 2008 - smbclient sending ICMP unreachable destination host(administratively prohibited)

I'm using fedora 9, 64-bit edition, on a machine acting as a client.
I've installed samba-client 3.2.0 from a binary package. I amn't running
the server portion of samba(smbd, nmbd, or even winbindd).
I'm trying to access shares on another windows machine, on the same network
192.168.1.0/24. Both machines, the client and the server, are using DHCP to
acquire IP addresses.
When I type the command
smbclient -L <windows host name>
I get an error about bad network name. I traced my smbclient session with
tcpdump and wireshark, jut to find out some strange behaviour.?
	1. smbclient tries DNS requests and receives unresolved host replies.
This's totally sane since my DNS works for resolving external?names only,
not those inside my network.
	2. smbclient then tries to resolve the netbios name. It broadcasts a message
and it really receives response from the windows machine resolving the name
successfully. However after smbclient receives the successful netbios response,
it sends and ICMP message to the windows machine indicating "unreachable
destination host(administratively prohibited)".
	3. Steps 1 and 2 repeat for a few times(about 3 times), each time ending with
the strange ICMP message.
I can't see what's wrong with my network configuration. I can access the
other windows machine by IP address pretty well. I can access all internet sites
successfully. I've disabled the kernal firewall and selinux, but with no
progress.
I've redhat 9(installed on the same machine having fedora 9) with
samba-client installed(a very old version of course, 2.2 maybe), and it can
access the windows machine seamlessly. So I wonder if it's something related
to my samba version, my fedora 9 OS, or may I be missing something critical in
my smb.conf, taking into consideration that I haven't changed smb.conf from
the stock one shipping with the samba-client binary package?
Appreciating your help for any suggestions!

Mohammed El-Afifi wrote:
> I'm using fedora 9, 64-bit edition, on a machine acting as a client.
I've installed samba-client 3.2.0 from a binary package. I amn't running
the server portion of samba(smbd, nmbd, or even winbindd).
> I'm trying to access shares on another windows machine, on the same
network 192.168.1.0/24. Both machines, the client and the server, are using DHCP
to acquire IP addresses.
> When I type the command
> smbclient -L <windows host name>
> I get an error about bad network name. I traced my smbclient session with
tcpdump and wireshark, jut to find out some strange behaviour.
> 	1. smbclient tries DNS requests and receives unresolved host replies.
This's totally sane since my DNS works for resolving external names only,
not those inside my network.
> 	2. smbclient then tries to resolve the netbios name. It broadcasts a
message and it really receives response from the windows machine resolving the
name successfully. However after smbclient receives the successful netbios
response, it sends and ICMP message to the windows machine indicating
"unreachable destination host(administratively prohibited)".
> 	3. Steps 1 and 2 repeat for a few times(about 3 times), each time ending
with the strange ICMP message.
> I can't see what's wrong with my network configuration. I can
access the other windows machine by IP address pretty well. I can access all
internet sites successfully. I've disabled the kernal firewall and selinux,
but with no progress.
> I've redhat 9(installed on the same machine having fedora 9) with
samba-client installed(a very old version of course, 2.2 maybe), and it can
access the windows machine seamlessly. So I wonder if it's something related
to my samba version, my fedora 9 OS, or may I be missing something critical in
my smb.conf, taking into consideration that I haven't changed smb.conf from
the stock one shipping with the samba-client binary package?
> Appreciating your help for any suggestions!
>
>
>       
>   
Perhaps a routing problem?  Does either machine have multiple network 
cards?  If you're not using wireless, make sure that the NetworkManager 
service is disabled; I've had nothing but problems with it in F9. 

Also, is the ICMP response in regards to Windows trying to make a 
connection on ports 139 and 445 at the same time?  For some silly reason 
Windows will open two connections at the same time.  I believe that the 
default samba (server) setting is to drop the port 445 requests and use 
the port 139 connections.

Here's my analysis results describing my message:

  1   0.000000 192.168.1.101 -> 192.168.1.254 DNS Standard query AAAA
vic-cai-l0047.localdomain
  2   0.029740 192.168.1.254 -> 192.168.1.101 DNS Standard query response, No
such name
  3   0.029889 192.168.1.101 -> 192.168.1.254 DNS Standard query A
vic-cai-l0047.localdomain
  4   0.056225 192.168.1.254 -> 192.168.1.101 DNS Standard query response, No
such name
  5   0.056738 192.168.1.101 -> 192.168.1.255 NBNS Name query NB
VIC-CAI-L0047<20>
  6   0.057018 Dell_b0:3b:f2 -> Broadcast    ARP Who has 192.168.1.101?  Tell
192.168.1.100
  7   0.057032 Giga-Byt_49:21:e7 -> Dell_b0:3b:f2 ARP 192.168.1.101 is at
00:16:e6:49:21:e7
  8   0.057139 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB
192.168.1.100
  9   0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable
(Host administratively prohibited)
 10   0.326384 192.168.1.101 -> 192.168.1.255 NBNS Name query NB
VIC-CAI-L0047<20>
 11   0.326732 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB
192.168.1.100
 12   0.326763 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable
(Host administratively prohibited)
 13   0.596355 192.168.1.101 -> 192.168.1.255 NBNS Name query NB
VIC-CAI-L0047<20>
 14   0.596734 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB
192.168.1.100
 15   0.596758 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable
(Host administratively prohibited)

192.168.1.101 is my linux client, 192.168.1.100 is my windows machine(containing
the shares I want to access from the fedora 9 box), and 192.168.1.254 is my
local DNS server. Obviously there're no messages sent to the linux machine
on destination port 139 or 145. All messages coming from the windows machine are
originating from port 137 on the windows machine.
I tried to disable the NetworkManager service but this didn't solve the
problem. I also got level 5 debugging from smbclient; it's as follows:
INFO: Current debug levels:
  all: True/5
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
  registry: False/0
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = MYGROUP
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = user
doing parameter passdb backend = tdbsam
doing parameter load printers = yes
doing parameter cups options = raw
pm_process() returned Yes
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::216:e6ff:fe49:21e7%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.1.101 bcast=192.168.1.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="LOCALHOST"
Client started (version 3.2.0rc1-15.fc9).
Opening cache file at /var/lib/samba/gencache.tdb
tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb:
Permission denied
gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only.
sitename_fetch: No stored sitename for
no entry for vic-cai-l0047#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name vic-cai-l0047<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
resolve_wins: Attempting wins lookup for name vic-cai-l0047<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name vic-cai-l0047<0x20>
resolve_hosts: getaddrinfo failed for name vic-cai-l0047 [Name or service not
known]
name_resolve_bcast: Attempting broadcast lookup for name
vic-cai-l0047<0x20>
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 1
socket option SO_BROADCAST = 1
Could not test socket option TCP_NODELAY.
Could not test socket option TCP_KEEPCNT.
Could not test socket option TCP_KEEPIDLE.
Could not test socket option TCP_KEEPINTVL.
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 122880
socket option SO_RCVBUF = 122880
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
Sending a packet of len 50 to (192.168.1.255) on port 137
Sending a packet of len 50 to (192.168.1.255) on port 137
Sending a packet of len 50 to (192.168.1.255) on port 137
Connection to vic-cai-l0047 failed (Error NT_STATUS_BAD_NETWORK_NAME)

Note the last 3 red lines; it seems that smbclient doesn't see the response
packets although tcpdump and wireshark show they're received in the kernel
IP tables. The ICMP messages also aren't seen in the logging to be sent by
my linux client. Think I'm going to investigate more and produce a similar
logging information for smbclient on the redhat 9 box to see where they differ.


----- Original Message ----
From: Scott Lovenberg <scott.lovenberg@gmail.com>
To: Mohammed El-Afifi <mohammed_elafifi@yahoo.com>
Cc: samba@lists.samba.org
Sent: Wednesday, July 2, 2008 9:38:41 PM
Subject: Re: [Samba] smbclient sending ICMP unreachable destination
host(administratively prohibited)


Mohammed El-Afifi wrote:
> I'm using fedora 9, 64-bit edition, on a machine acting as a client.
I've installed samba-client 3.2.0 from a binary package. I amn't running
the server portion of samba(smbd, nmbd, or even winbindd).
> I'm trying to access shares on another windows machine, on the same
network 192.168.1.0/24. Both machines, the client and the server, are using DHCP
to acquire IP addresses.
> When I type the command
> smbclient -L <windows host name>
> I get an error about bad network name. I traced my smbclient session with
tcpdump and wireshark, jut to find out some strange behaviour.
>     1. smbclient tries DNS requests and receives unresolved host replies.
This's totally sane since my DNS works for resolving external names only,
not those inside my network.
>     2. smbclient then tries to resolve the netbios name. It broadcasts a
message and it really receives response from the windows machine resolving the
name successfully. However after smbclient receives the successful netbios
response, it sends and ICMP message to the windows machine indicating
"unreachable destination host(administratively prohibited)".
>     3. Steps 1 and 2 repeat for a few times(about 3 times), each time
ending with the strange ICMP message.
> I can't see what's wrong with my network configuration. I can
access the other windows machine by IP address pretty well. I can access all
internet sites successfully. I've disabled the kernal firewall and selinux,
but with no progress.
> I've redhat 9(installed on the same machine having fedora 9) with
samba-client installed(a very old version of course, 2.2 maybe), and it can
access the windows machine seamlessly. So I wonder if it's something related
to my samba version, my fedora 9 OS, or may I be missing something critical in
my smb.conf, taking into consideration that I haven't changed smb.conf from
the stock one shipping with the samba-client binary package?
> Appreciating your help for any suggestions!
>
>
>      
>  
Perhaps a routing problem?  Does either machine have multiple network 
cards?  If you're not using wireless, make sure that the NetworkManager 
service is disabled; I've had nothing but problems with it in F9. 

Also, is the ICMP response in regards to Windows trying to make a 
connection on ports 139 and 445 at the same time?  For some silly reason 
Windows will open two connections at the same time.  I believe that the 
default samba (server) setting is to drop the port 445 requests and use 
the port 139 connections.

Hallo, Mohammed,

Du (mohammed_elafifi) meintest am 02.07.08:
> 9   0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination
> unreachable (Host administratively prohibited)
Why is "ICMP Destination unreachable" - sounds like a silly firewall  
rule.

Viele Gruesse!
Helmut

Sorry?I didn't mean to reply to your private mail directly.Actually my
windows box is running windows xp sp2. Besides, I don't understand why, in
any case, I would need nmbd. My linux box is acting as a client, so actually my
windows box is responding (as a server) to my linux broadcast request.


----- Original Message ----
From: Helmut Hullen <Hullen@t-online.de>
To: samba@lists.samba.org
Sent: Thursday, July 3, 2008 9:41:00 AM
Subject: Re: [Samba] smbclient sending ICMP unreachable destination
host(administratively prohibited)

Hallo, Mohammed,

Du (mohammed_elafifi) meintest am 02.07.08:
> 9? 0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination
> unreachable (Host administratively prohibited)
Why is "ICMP Destination unreachable" - sounds like a silly firewall? 
rule.

Viele Gruesse!
Helmut
-- 
To unsubscribe from this list go to the following URL and read the
instructions:? https://lists.samba.org/mailman/listinfo/samba

Thanks a lot, Helmut. It was really iptables blocking access to the linux
machine and spawning the ICMP unreachable host messages.
Actually what happened is that I've just known today that the front-end(GUI)
for the firewall in fedora 9 has a bug of not really disabling the firewall when
it's disabled from within the GUI.
smbclient acted completely well and could access the windows machine seamlessly
when I disabled the iptables service from the command line. I'll handle the
issue of these IP filters later.


----- Original Message ----
From: Helmut Hullen <Hullen@t-online.de>
To: samba@lists.samba.org
Sent: Thursday, July 3, 2008 11:55:00 AM
Subject: Re: [Samba] smbclient sending ICMP unreachable destination
host(administratively prohibited)

Hallo, Mohammed,

Du meintest am 03.07.08 zum Thema Re: [Samba] smbclient sending ICMP unreachable
destination host(administratively prohibited):

>>> 9  0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination
>>> unreachable (Host administratively prohibited)
>> Why is "ICMP Destination unreachable" - sounds like a silly
firewall
>> rule.
> Actually
> my windows box is running windows xp sp2. Besides, I don't understand
> why, in any case, I would need nmbd. My linux box is acting as a
> client, so actually my windows box is responding (as a server) to my
> linux broadcast request.
"firewall" is neither a single device nor is it a single program - it
is
a bundle of measures.
On Linux machines "ICMP" may be blocked by "iptables". On
windows
machines it may be blocked by "personal firewalls" or by virus
scanners.

And there may be other "things".

Viele Gruesse!
Helmut
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Thanks a lot, Helmut. It was really iptables blocking access to the linux
machine and spawning the ICMP unreachable host messages.
Actually what happened is that I've just known today that the front-end(GUI)
for the firewall in fedora 9 has a bug of not really disabling the firewall when
it's disabled from within the GUI.
smbclient acted completely well and could access the windows machine seamlessly
when I disabled the iptables service from the command line. I'll handle the
issue of these IP filters later.


----- Original Message ----
From: Helmut Hullen <Hullen@t-online.de>
To: samba@lists.samba.org
Sent: Thursday, July 3, 2008 11:55:00 AM
Subject: Re: [Samba] smbclient sending ICMP unreachable destination
host(administratively prohibited)

Hallo, Mohammed,

Du meintest am 03.07.08 zum Thema Re: [Samba] smbclient sending ICMP unreachable
destination host(administratively prohibited):

>>> 9  0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination
>>> unreachable (Host administratively prohibited)
>> Why is "ICMP Destination unreachable" - sounds like a silly
firewall
>> rule.
> Actually
> my windows box is running windows xp sp2. Besides, I don't understand
> why, in any case, I would need nmbd. My linux box is acting as a
> client, so actually my windows box is responding (as a server) to my
> linux broadcast request.
"firewall" is neither a single device nor is it a single program - it
is
a bundle of measures.
On Linux machines "ICMP" may be blocked by "iptables". On
windows
machines it may be blocked by "personal firewalls" or by virus
scanners.

And there may be other "things".

Viele Gruesse!
Helmut
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba