Mohammed El-Afifi
2008-Jul-02 13:22 UTC
[Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)
I'm using fedora 9, 64-bit edition, on a machine acting as a client. I've installed samba-client 3.2.0 from a binary package. I amn't running the server portion of samba(smbd, nmbd, or even winbindd). I'm trying to access shares on another windows machine, on the same network 192.168.1.0/24. Both machines, the client and the server, are using DHCP to acquire IP addresses. When I type the command smbclient -L <windows host name> I get an error about bad network name. I traced my smbclient session with tcpdump and wireshark, jut to find out some strange behaviour.? 1. smbclient tries DNS requests and receives unresolved host replies. This's totally sane since my DNS works for resolving external?names only, not those inside my network. 2. smbclient then tries to resolve the netbios name. It broadcasts a message and it really receives response from the windows machine resolving the name successfully. However after smbclient receives the successful netbios response, it sends and ICMP message to the windows machine indicating "unreachable destination host(administratively prohibited)". 3. Steps 1 and 2 repeat for a few times(about 3 times), each time ending with the strange ICMP message. I can't see what's wrong with my network configuration. I can access the other windows machine by IP address pretty well. I can access all internet sites successfully. I've disabled the kernal firewall and selinux, but with no progress. I've redhat 9(installed on the same machine having fedora 9) with samba-client installed(a very old version of course, 2.2 maybe), and it can access the windows machine seamlessly. So I wonder if it's something related to my samba version, my fedora 9 OS, or may I be missing something critical in my smb.conf, taking into consideration that I haven't changed smb.conf from the stock one shipping with the samba-client binary package? Appreciating your help for any suggestions!
Scott Lovenberg
2008-Jul-02 18:39 UTC
[Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)
Mohammed El-Afifi wrote:> I'm using fedora 9, 64-bit edition, on a machine acting as a client. I've installed samba-client 3.2.0 from a binary package. I amn't running the server portion of samba(smbd, nmbd, or even winbindd). > I'm trying to access shares on another windows machine, on the same network 192.168.1.0/24. Both machines, the client and the server, are using DHCP to acquire IP addresses. > When I type the command > smbclient -L <windows host name> > I get an error about bad network name. I traced my smbclient session with tcpdump and wireshark, jut to find out some strange behaviour. > 1. smbclient tries DNS requests and receives unresolved host replies. This's totally sane since my DNS works for resolving external names only, not those inside my network. > 2. smbclient then tries to resolve the netbios name. It broadcasts a message and it really receives response from the windows machine resolving the name successfully. However after smbclient receives the successful netbios response, it sends and ICMP message to the windows machine indicating "unreachable destination host(administratively prohibited)". > 3. Steps 1 and 2 repeat for a few times(about 3 times), each time ending with the strange ICMP message. > I can't see what's wrong with my network configuration. I can access the other windows machine by IP address pretty well. I can access all internet sites successfully. I've disabled the kernal firewall and selinux, but with no progress. > I've redhat 9(installed on the same machine having fedora 9) with samba-client installed(a very old version of course, 2.2 maybe), and it can access the windows machine seamlessly. So I wonder if it's something related to my samba version, my fedora 9 OS, or may I be missing something critical in my smb.conf, taking into consideration that I haven't changed smb.conf from the stock one shipping with the samba-client binary package? > Appreciating your help for any suggestions! > > > >Perhaps a routing problem? Does either machine have multiple network cards? If you're not using wireless, make sure that the NetworkManager service is disabled; I've had nothing but problems with it in F9. Also, is the ICMP response in regards to Windows trying to make a connection on ports 139 and 445 at the same time? For some silly reason Windows will open two connections at the same time. I believe that the default samba (server) setting is to drop the port 445 requests and use the port 139 connections.
Mohammed El-Afifi
2008-Jul-02 23:26 UTC
[Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)
Here's my analysis results describing my message: 1 0.000000 192.168.1.101 -> 192.168.1.254 DNS Standard query AAAA vic-cai-l0047.localdomain 2 0.029740 192.168.1.254 -> 192.168.1.101 DNS Standard query response, No such name 3 0.029889 192.168.1.101 -> 192.168.1.254 DNS Standard query A vic-cai-l0047.localdomain 4 0.056225 192.168.1.254 -> 192.168.1.101 DNS Standard query response, No such name 5 0.056738 192.168.1.101 -> 192.168.1.255 NBNS Name query NB VIC-CAI-L0047<20> 6 0.057018 Dell_b0:3b:f2 -> Broadcast ARP Who has 192.168.1.101? Tell 192.168.1.100 7 0.057032 Giga-Byt_49:21:e7 -> Dell_b0:3b:f2 ARP 192.168.1.101 is at 00:16:e6:49:21:e7 8 0.057139 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB 192.168.1.100 9 0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable (Host administratively prohibited) 10 0.326384 192.168.1.101 -> 192.168.1.255 NBNS Name query NB VIC-CAI-L0047<20> 11 0.326732 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB 192.168.1.100 12 0.326763 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable (Host administratively prohibited) 13 0.596355 192.168.1.101 -> 192.168.1.255 NBNS Name query NB VIC-CAI-L0047<20> 14 0.596734 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB 192.168.1.100 15 0.596758 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable (Host administratively prohibited) 192.168.1.101 is my linux client, 192.168.1.100 is my windows machine(containing the shares I want to access from the fedora 9 box), and 192.168.1.254 is my local DNS server. Obviously there're no messages sent to the linux machine on destination port 139 or 145. All messages coming from the windows machine are originating from port 137 on the windows machine. I tried to disable the NetworkManager service but this didn't solve the problem. I also got level 5 debugging from smbclient; it's as follows: INFO: Current debug levels: all: True/5 tdb: False/0 printdrivers: False/0 lanman: False/0 smb: False/0 rpc_parse: False/0 rpc_srv: False/0 rpc_cli: False/0 passdb: False/0 sam: False/0 auth: False/0 winbind: False/0 vfs: False/0 idmap: False/0 quota: False/0 acls: False/0 locking: False/0 msdfs: False/0 dmapi: False/0 registry: False/0 lp_load_ex: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" Processing section "[global]" doing parameter workgroup = MYGROUP doing parameter server string = Samba Server Version %v doing parameter log file = /var/log/samba/log.%m doing parameter max log size = 50 doing parameter security = user doing parameter passdb backend = tdbsam doing parameter load printers = yes doing parameter cups options = raw pm_process() returned Yes Attempting to register new charset UCS-2LE Registered charset UCS-2LE Attempting to register new charset UTF-16LE Registered charset UTF-16LE Attempting to register new charset UCS-2BE Registered charset UCS-2BE Attempting to register new charset UTF-16BE Registered charset UTF-16BE Attempting to register new charset UTF8 Registered charset UTF8 Attempting to register new charset UTF-8 Registered charset UTF-8 Attempting to register new charset ASCII Registered charset ASCII Attempting to register new charset 646 Registered charset 646 Attempting to register new charset ISO-8859-1 Registered charset ISO-8859-1 Attempting to register new charset UCS2-HEX Registered charset UCS2-HEX Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE added interface eth0 ip=fe80::216:e6ff:fe49:21e7%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff:: added interface eth0 ip=192.168.1.101 bcast=192.168.1.255 netmask=255.255.255.0 Netbios name list:- my_netbios_names[0]="LOCALHOST" Client started (version 3.2.0rc1-15.fc9). Opening cache file at /var/lib/samba/gencache.tdb tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only. sitename_fetch: No stored sitename for no entry for vic-cai-l0047#20 found. resolve_lmhosts: Attempting lmhosts lookup for name vic-cai-l0047<0x20> getlmhostsent: lmhost entry: 127.0.0.1 localhost resolve_wins: Attempting wins lookup for name vic-cai-l0047<0x20> resolve_wins: WINS server resolution selected and no WINS servers listed. resolve_hosts: Attempting host lookup for name vic-cai-l0047<0x20> resolve_hosts: getaddrinfo failed for name vic-cai-l0047 [Name or service not known] name_resolve_bcast: Attempting broadcast lookup for name vic-cai-l0047<0x20> socket option SO_KEEPALIVE = 0 socket option SO_REUSEADDR = 1 socket option SO_BROADCAST = 1 Could not test socket option TCP_NODELAY. Could not test socket option TCP_KEEPCNT. Could not test socket option TCP_KEEPIDLE. Could not test socket option TCP_KEEPINTVL. socket option IPTOS_LOWDELAY = 0 socket option IPTOS_THROUGHPUT = 0 socket option SO_SNDBUF = 122880 socket option SO_RCVBUF = 122880 socket option SO_SNDLOWAT = 1 socket option SO_RCVLOWAT = 1 socket option SO_SNDTIMEO = 0 socket option SO_RCVTIMEO = 0 Sending a packet of len 50 to (192.168.1.255) on port 137 Sending a packet of len 50 to (192.168.1.255) on port 137 Sending a packet of len 50 to (192.168.1.255) on port 137 Connection to vic-cai-l0047 failed (Error NT_STATUS_BAD_NETWORK_NAME) Note the last 3 red lines; it seems that smbclient doesn't see the response packets although tcpdump and wireshark show they're received in the kernel IP tables. The ICMP messages also aren't seen in the logging to be sent by my linux client. Think I'm going to investigate more and produce a similar logging information for smbclient on the redhat 9 box to see where they differ. ----- Original Message ---- From: Scott Lovenberg <scott.lovenberg@gmail.com> To: Mohammed El-Afifi <mohammed_elafifi@yahoo.com> Cc: samba@lists.samba.org Sent: Wednesday, July 2, 2008 9:38:41 PM Subject: Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited) Mohammed El-Afifi wrote:> I'm using fedora 9, 64-bit edition, on a machine acting as a client. I've installed samba-client 3.2.0 from a binary package. I amn't running the server portion of samba(smbd, nmbd, or even winbindd). > I'm trying to access shares on another windows machine, on the same network 192.168.1.0/24. Both machines, the client and the server, are using DHCP to acquire IP addresses. > When I type the command > smbclient -L <windows host name> > I get an error about bad network name. I traced my smbclient session with tcpdump and wireshark, jut to find out some strange behaviour. > 1. smbclient tries DNS requests and receives unresolved host replies. This's totally sane since my DNS works for resolving external names only, not those inside my network. > 2. smbclient then tries to resolve the netbios name. It broadcasts a message and it really receives response from the windows machine resolving the name successfully. However after smbclient receives the successful netbios response, it sends and ICMP message to the windows machine indicating "unreachable destination host(administratively prohibited)". > 3. Steps 1 and 2 repeat for a few times(about 3 times), each time ending with the strange ICMP message. > I can't see what's wrong with my network configuration. I can access the other windows machine by IP address pretty well. I can access all internet sites successfully. I've disabled the kernal firewall and selinux, but with no progress. > I've redhat 9(installed on the same machine having fedora 9) with samba-client installed(a very old version of course, 2.2 maybe), and it can access the windows machine seamlessly. So I wonder if it's something related to my samba version, my fedora 9 OS, or may I be missing something critical in my smb.conf, taking into consideration that I haven't changed smb.conf from the stock one shipping with the samba-client binary package? > Appreciating your help for any suggestions! > > > >Perhaps a routing problem? Does either machine have multiple network cards? If you're not using wireless, make sure that the NetworkManager service is disabled; I've had nothing but problems with it in F9. Also, is the ICMP response in regards to Windows trying to make a connection on ports 139 and 445 at the same time? For some silly reason Windows will open two connections at the same time. I believe that the default samba (server) setting is to drop the port 445 requests and use the port 139 connections.
Helmut Hullen
2008-Jul-03 07:29 UTC
[Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)
Hallo, Mohammed, Du (mohammed_elafifi) meintest am 02.07.08:> 9 0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination > unreachable (Host administratively prohibited)Why is "ICMP Destination unreachable" - sounds like a silly firewall rule. Viele Gruesse! Helmut
Mohammed El-Afifi
2008-Jul-03 08:04 UTC
[Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)
Sorry?I didn't mean to reply to your private mail directly.Actually my windows box is running windows xp sp2. Besides, I don't understand why, in any case, I would need nmbd. My linux box is acting as a client, so actually my windows box is responding (as a server) to my linux broadcast request. ----- Original Message ---- From: Helmut Hullen <Hullen@t-online.de> To: samba@lists.samba.org Sent: Thursday, July 3, 2008 9:41:00 AM Subject: Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited) Hallo, Mohammed, Du (mohammed_elafifi) meintest am 02.07.08:> 9? 0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination > unreachable (Host administratively prohibited)Why is "ICMP Destination unreachable" - sounds like a silly firewall? rule. Viele Gruesse! Helmut -- To unsubscribe from this list go to the following URL and read the instructions:? https://lists.samba.org/mailman/listinfo/samba
Mohammed El-Afifi
2008-Jul-03 17:50 UTC
[Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)
Thanks a lot, Helmut. It was really iptables blocking access to the linux machine and spawning the ICMP unreachable host messages. Actually what happened is that I've just known today that the front-end(GUI) for the firewall in fedora 9 has a bug of not really disabling the firewall when it's disabled from within the GUI. smbclient acted completely well and could access the windows machine seamlessly when I disabled the iptables service from the command line. I'll handle the issue of these IP filters later. ----- Original Message ---- From: Helmut Hullen <Hullen@t-online.de> To: samba@lists.samba.org Sent: Thursday, July 3, 2008 11:55:00 AM Subject: Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited) Hallo, Mohammed, Du meintest am 03.07.08 zum Thema Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited):>>> 9 0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination >>> unreachable (Host administratively prohibited)>> Why is "ICMP Destination unreachable" - sounds like a silly firewall >> rule.> Actually > my windows box is running windows xp sp2. Besides, I don't understand > why, in any case, I would need nmbd. My linux box is acting as a > client, so actually my windows box is responding (as a server) to my > linux broadcast request."firewall" is neither a single device nor is it a single program - it is a bundle of measures. On Linux machines "ICMP" may be blocked by "iptables". On windows machines it may be blocked by "personal firewalls" or by virus scanners. And there may be other "things". Viele Gruesse! Helmut -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Mohammed El-Afifi
2008-Jul-03 17:50 UTC
[Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)
Thanks a lot, Helmut. It was really iptables blocking access to the linux machine and spawning the ICMP unreachable host messages. Actually what happened is that I've just known today that the front-end(GUI) for the firewall in fedora 9 has a bug of not really disabling the firewall when it's disabled from within the GUI. smbclient acted completely well and could access the windows machine seamlessly when I disabled the iptables service from the command line. I'll handle the issue of these IP filters later. ----- Original Message ---- From: Helmut Hullen <Hullen@t-online.de> To: samba@lists.samba.org Sent: Thursday, July 3, 2008 11:55:00 AM Subject: Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited) Hallo, Mohammed, Du meintest am 03.07.08 zum Thema Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited):>>> 9 0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination >>> unreachable (Host administratively prohibited)>> Why is "ICMP Destination unreachable" - sounds like a silly firewall >> rule.> Actually > my windows box is running windows xp sp2. Besides, I don't understand > why, in any case, I would need nmbd. My linux box is acting as a > client, so actually my windows box is responding (as a server) to my > linux broadcast request."firewall" is neither a single device nor is it a single program - it is a bundle of measures. On Linux machines "ICMP" may be blocked by "iptables". On windows machines it may be blocked by "personal firewalls" or by virus scanners. And there may be other "things". Viele Gruesse! Helmut -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Apparently Analagous Threads
- Does this tell me anything? Traffic report
- why is my "nmbd" confused about network interfaces?
- Re: Samba errors with smb QUERY_PATH_INFO, Error: STATUS_OBJECT_NAME_NOT_FOUND
- PuTTY: Forwarded connection refused by server: Administratively prohibited [open failed]
- Fwd: Win 7 Pro