On Mon, Jun 12, 2017 at 09:51:53AM +0200, Reindl Harald via samba wrote:
> On 12.06.2017 at 09:41, Mike Brown via samba wrote:
>> On Mon, Jun 12, 2017 at 09:28:20AM +0200, Reindl Harald via samba wrote:
>>> On 12.06.2017 at 09:03, Mike Brown via samba wrote:
>>>> On Mon, Jun 12, 2017 at 01:53:10PM +1200, Andrew Bartlett via samba wrote:
>>>>> On Sun, 2017-06-11 at 20:08 -0500, Mike Brown via samba wrote:
>>>>>> Yes, I know, XP-SP3 is very old. It works for what I need it for. I have
>>>>>> some programs that will never be updated for Win 7.
>>>>>>
>>>>>> Note that XP-SP3 and Fedora 14 work together just fine, so I'm guessing that
>>>>>> a newer version of Samba is what is keeping me from logging in from XP.
>>>>>> But, I do not know what to put in the smb.conf file to allow XP to mount
>>>>>> a share.
>>>>>
>>>>> Try configuring XP to use NTLMv2 (ideally), or set 'ntlm auth = yes' if
>>>>> you really can't set that for some reason (it is a security policy
>>>>> setting on the client, in local security policies).
>>>>
>>>> Damn firewall. By default, Samba isn't allowed to connect. Found it by
>>>> using wireshark to look at the packets and that gave me the clue
>>>
>>> no need for wireshark - normally one does simply "telnet host port" before
>>> even considering debugging deeper
>>
>> Not sure I would have gotten the same info back. Normally it is connection
>> refused when I do something like that. The wireshark message was more
>> concise. Either way, it was solved
>
> yeah and when you get connection refused on a TCP port the service is not
> reachable at all - it's not running or some firewall in front and hence the
> ICMP "port unreachable" response

With wireshark the response was "Destination unreachable (Host
administratively prohibited)." The "administratively prohibited" was the
big clue.

MB
-- 
e-mail: vidiot at vidiot.com | vidiot at vidiot.net      /~\ The ASCII
        6082066843 at email.uscc.net (140 char limit)   \ / Ribbon Campaign
Visit - URL: http://vidiot.com/                          X  Against
             http://vidiot.net/                         / \ HTML Email
"You're Sherlock Holmes, wear the damn hat!" - Watson to Sherlock
                    Sherlock - The Abominable Bride - 1/01/16

On 12.06.2017 at 10:00, Mike Brown via samba wrote:
> On Mon, Jun 12, 2017 at 09:51:53AM +0200, Reindl Harald via samba wrote:
>>>>> Damn firewall. By default, Samba isn't allowed to connect. Found it by
>>>>> using wireshark to look at the packets and that gave me the clue
>>>>
>>>> no need for wireshark - normally one does simply "telnet host port" before
>>>> even considering debugging deeper
>>>
>>> Not sure I would have gotten the same info back. Normally it is connection
>>> refused when I do something like that. The wireshark message was more
>>> concise. Either way, it was solved
>>
>> yeah and when you get connection refused on a TCP port the service is not
>> reachable at all - it's not running or some firewall in front and hence the
>> ICMP "port unreachable" response
>
> With wireshark the response was "Destination unreachable (Host
> administratively prohibited)." The "administratively prohibited" was the
> big clue.

the big clue is can you connect to the port or not

--reject-with type
Type can be
-icmp-net-unreachable
-icmp-host-unreachable
-icmp-port-unreachable
-icmp-proto-unreachable
-icmp-net-prohibited
-icmp-host-prohibited
-icmp-admin-prohibited

"-j REJECT --reject-with icmp-admin-prohibited" could be anything from
above and is just a rule detail where the default is
"icmp-port-unreachable"

On Mon, Jun 12, 2017 at 02:19:00PM +0200, Reindl Harald via samba wrote:
> On 12.06.2017 at 10:00, Mike Brown via samba wrote:
>> On Mon, Jun 12, 2017 at 09:51:53AM +0200, Reindl Harald via samba wrote:
>>>>>> Damn firewall. By default, Samba isn't allowed to connect. Found it by
>>>>>> using wireshark to look at the packets and that gave me the clue
>>>>>
>>>>> no need for wireshark - normally one does simply "telnet host port" before
>>>>> even considering debugging deeper
>>>>
>>>> Not sure I would have gotten the same info back. Normally it is connection
>>>> refused when I do something like that. The wireshark message was more
>>>> concise. Either way, it was solved
>>>
>>> yeah and when you get connection refused on a TCP port the service is not
>>> reachable at all - it's not running or some firewall in front and hence the
>>> ICMP "port unreachable" response
>>
>> With wireshark the response was "Destination unreachable (Host
>> administratively prohibited)." The "administratively prohibited" was the
>> big clue.
>
> the big clue is can you connect to the port or not
>
> --reject-with type
> Type can be
> -icmp-net-unreachable
> -icmp-host-unreachable
> -icmp-port-unreachable
> -icmp-proto-unreachable
> -icmp-net-prohibited
> -icmp-host-prohibited
> -icmp-admin-prohibited
>
> "-j REJECT --reject-with icmp-admin-prohibited" could be anything from
> above and is just a rule detail where the default is
> "icmp-port-unreachable"

I've managed to avoid working with iptables. But yes, being able to connect
or not is a big clue. I just didn't think of using telnet to do a quick test.
I've used it in the past for some things, but just didn't think of it this
time around.

MB
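
An added example, not part of the original thread: the "telnet host port" test as a small Python probe that tells a silent drop, a refusal, and an ICMP reject apart, and names which of the --reject-with types listed above could have produced the error. The errno mapping assumes a Linux client, and the address in the usage line is a constructed documentation address.

```python
import errno
import socket

# iptables --reject-with types from the thread, mapped to the errno that a
# Linux client's connect() reports for that ICMP code (assumption: Linux
# client; other operating systems may surface these differently).
REJECT_ERRNO = {
    "icmp-net-unreachable": errno.ENETUNREACH,
    "icmp-host-unreachable": errno.EHOSTUNREACH,
    "icmp-port-unreachable": errno.ECONNREFUSED,   # the REJECT default
    "icmp-proto-unreachable": errno.ENOPROTOOPT,
    "icmp-net-prohibited": errno.ENETUNREACH,
    "icmp-host-prohibited": errno.EHOSTUNREACH,    # Wireshark: "Host administratively prohibited"
    "icmp-admin-prohibited": errno.EHOSTUNREACH,
}

def reject_types_for(err):
    """Return the --reject-with types that surface as this errno."""
    return sorted(t for t, e in REJECT_ERRNO.items() if e == err)

def classify(err):
    """Diagnose a connect() result: 0 = connected, None = timed out, else errno."""
    if err == 0:
        return "open: service reachable"
    if err is None:
        return "timeout: packets silently dropped (DROP rule) or host down"
    if err == errno.ECONNREFUSED:
        return "refused: nothing listening (TCP RST) or REJECT with icmp-port-unreachable"
    types = reject_types_for(err)
    if types:
        return "rejected by ICMP: " + ", ".join(types)
    return "other error: " + errno.errorcode.get(err, str(err))

def probe(host, port, timeout=3.0):
    """One TCP connect attempt, classified (the 'telnet host port' test)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(0)
    except socket.timeout:          # must precede OSError, its parent class
        return classify(None)
    except OSError as exc:
        return classify(exc.errno)

if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address; 445 is the SMB port.
    print(probe("192.0.2.10", 445))
```

A "rejected by ICMP" result (telnet prints "No route to host" for it) points at a firewall REJECT rule rather than a stopped smbd, which is the distinction the Wireshark capture made visible in this thread.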