After doing some system work, including upgrading the Samba server to
3.0.28a from 3.0.24, upgrading the kernel to 2.6.24, and changing the
firewall rulesk, the XP workstations which belong to that domain, the
right click "run as ..." option is slow to bring up a dialog. The
phenotype is this:
right click some program (for instance, a shortcut to the
"command prompt")
select "run as ..."
15 seconds elapse before the dialog appears
Once the dialog appears, a local machine account can login more or less
instantaneously, and a domain account can login in about 35-40 seconds.
Oddly, if instead of logging in, the dialog is closed, and then "run
as..." selected again, that dialog appears immediately. This is also
true if a different application is selected. Wait one minute though
(about, 30 seconds is not long enough, 45 seconds to 1 minute usually
is) and the next time it will be slow once more.
Working back through this it turned out that the firewall rule which had
previously allowed 137-138 access:
ACCEPT tcp -- xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy tcp
dpts:137:139 state NEW
ACCEPT udp -- xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy udp
dpts:137:139 state NEW
ACCEPT tcp -- xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy tcp
dpts:137:139
ACCEPT udp -- xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy udp
dpts:137:139
was no longer being applied. Logins still worked using 445, the only
issue was the slow "run as...".
So I changed the rules to:
REJECT tcp -- xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy tcp
dpts:137:139 reject-with icmp-port-unreachable
REJECT udp -- xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy udp
dpts:137:139 reject-with icmp-port-unreachable
And "run as..." was fast again.
So, by trial and error, I have so far learned that for a Samba
machine's firewall to work right
445 must be open
and the following ports must be set to REJECT (or ALLOW, but not DROP)
137-139 (as above)
80 (or there is a long webDAV delay if there is no http server)
Are there any others I should know about???
Thanks,
David Mathog
mathog@caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech