samba - Feb 2019 - Make nmbd bind to interfaces only

Hi,
I would like to have nmbd only bind to the interfaces specified in the 
interfaces line of smb.conf, in the same way that smbd does. When 
researching this I did come across a mailing list thread saying there 
was no use case, but I think I have one.

For many years ClearOS has been providing NT4 style domains and 
unix-style shares. M$ upset the applecart last year with their 1803 
update when joining NT4 domains got broken (it has since been fixed 
since September '18, but I would assume the writing is on the wall for 
NT4 domains).

To get round the issue I loaded samba into docker using the 
https://github.com/Fmstrat/samba-domain container. I wanted to continue 
to use the ClearOS samba configuration (v4.7.1 and soon to follow Centos 
to 4.8.3) for its file-sharing as a domain member. One of the problems I 
had was that if the native ClearOS instance of samba was started, the 
docker instance would refuse to start because of a port clash. To get 
round this for smbd was easy. All I had to do was bind to interfaces 
only, but nmbd would not obey. For nmbd I had to set:

nmbd bind explicit broadcast = yes
socket address = 192.168.20.1

This is sort of OK if I have one LAN interface, but ClearOS is, among 
other things, a router/firewall and as such can have multiple LAN and/or 
VLAN interfaces. Socket address can only have one IP address so I can't 
get all LAN interfaces to bind to it. Is there a way round this or does 
it make a reasonable use case for a modification request.

Thanks,

Nick

Am 11.02.19 um 18:47 schrieb Nick Howitt via samba:
> Hi,
> I would like to have nmbd only bind to the interfaces specified in the 
> interfaces line of smb.conf, in the same way that smbd does. When 
> researching this I did come across a mailing list thread saying there 
> was no use case, but I think I have one.
>
> For many years ClearOS has been providing NT4 style domains and 
> unix-style shares. M$ upset the applecart last year with their 1803 
> update when joining NT4 domains got broken (it has since been fixed 
> since September '18, but I would assume the writing is on the wall for 
> NT4 domains).
>
> To get round the issue I loaded samba into docker using the 
> https://github.com/Fmstrat/samba-domain container. I wanted to 
> continue to use the ClearOS samba configuration (v4.7.1 and soon to 
> follow Centos to 4.8.3) for its file-sharing as a domain member. One 
> of the problems I had was that if the native ClearOS instance of samba 
> was started, the docker instance would refuse to start because of a 
> port clash.
You should start your container with a real ethernet adapter! Search for:

docker tap

or

docker tuntap
> To get round this for smbd was easy. All I had to do was bind to 
> interfaces only, but nmbd would not obey. For nmbd I had to set:
>
> nmbd bind explicit broadcast = yes
> socket address = 192.168.20.1
>
> This is sort of OK if I have one LAN interface, but ClearOS is, among 
> other things, a router/firewall and as such can have multiple LAN 
> and/or VLAN interfaces. Socket address can only have one IP address so 
> I can't get all LAN interfaces to bind to it. Is there a way round 
> this or does it make a reasonable use case for a modification request.
>
> Thanks,
>
> Nick
>
>
-- 
Harry Jede

On Mon, 11 Feb 2019 17:47:21 +0000
Nick Howitt via samba <samba at lists.samba.org> wrote:
> Hi,
> I would like to have nmbd only bind to the interfaces specified in
> the interfaces line of smb.conf, in the same way that smbd does. When 
> researching this I did come across a mailing list thread saying there 
> was no use case, but I think I have one.
> 
> For many years ClearOS has been providing NT4 style domains and 
> unix-style shares. M$ upset the applecart last year with their 1803 
> update when joining NT4 domains got broken (it has since been fixed 
> since September '18, but I would assume the writing is on the wall
> for NT4 domains).
> 
> To get round the issue I loaded samba into docker using the 
> https://github.com/Fmstrat/samba-domain container. I wanted to
> continue to use the ClearOS samba configuration (v4.7.1 and soon to
> follow Centos to 4.8.3) for its file-sharing as a domain member. One
> of the problems I had was that if the native ClearOS instance of
> samba was started, the docker instance would refuse to start because
> of a port clash. To get round this for smbd was easy. All I had to do
> was bind to interfaces only, but nmbd would not obey. For nmbd I had
> to set:
> 
> nmbd bind explicit broadcast = yes
> socket address = 192.168.20.1
> 
> This is sort of OK if I have one LAN interface, but ClearOS is, among 
> other things, a router/firewall and as such can have multiple LAN
> and/or VLAN interfaces. Socket address can only have one IP address
> so I can't get all LAN interfaces to bind to it. Is there a way round
> this or does it make a reasonable use case for a modification request.
> 
> Thanks,
> 
> Nick
> 
> 
You really need to upgrade from your NT4-style domain, they are, as you
are aware, very fragile and easily broken. Samba's and Microsoft's
emphasise is very much on AD and as such, the NT4-style code easily
gets broken by accident.

Rowland

On 11/02/2019 18:47, Rowland Penny via samba wrote:
> On Mon, 11 Feb 2019 17:47:21 +0000
> Nick Howitt via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>> I would like to have nmbd only bind to the interfaces specified in
>> the interfaces line of smb.conf, in the same way that smbd does. When
>> researching this I did come across a mailing list thread saying there
>> was no use case, but I think I have one.
>>
>> For many years ClearOS has been providing NT4 style domains and
>> unix-style shares. M$ upset the applecart last year with their 1803
>> update when joining NT4 domains got broken (it has since been fixed
>> since September '18, but I would assume the writing is on the wall
>> for NT4 domains).
>>
>> To get round the issue I loaded samba into docker using the
>> https://github.com/Fmstrat/samba-domain container. I wanted to
>> continue to use the ClearOS samba configuration (v4.7.1 and soon to
>> follow Centos to 4.8.3) for its file-sharing as a domain member. One
>> of the problems I had was that if the native ClearOS instance of
>> samba was started, the docker instance would refuse to start because
>> of a port clash. To get round this for smbd was easy. All I had to do
>> was bind to interfaces only, but nmbd would not obey. For nmbd I had
>> to set:
>>
>> nmbd bind explicit broadcast = yes
>> socket address = 192.168.20.1
>>
>> This is sort of OK if I have one LAN interface, but ClearOS is, among
>> other things, a router/firewall and as such can have multiple LAN
>> and/or VLAN interfaces. Socket address can only have one IP address
>> so I can't get all LAN interfaces to bind to it. Is there a way
round
>> this or does it make a reasonable use case for a modification request.
>>
>> Thanks,
>>
>> Nick
>>
>>
> You really need to upgrade from your NT4-style domain, they are, as you
> are aware, very fragile and easily broken. Samba's and Microsoft's
> emphasise is very much on AD and as such, the NT4-style code easily
> gets broken by accident.
Totally agree. M$ want to kill SMB1 and NT4 domains have not been used 
by them for ages. This is why I've been going down the AD route and, to 
keep it all in a single box, putting the AD DC into docker and still 
using unix shares.
>
> Rowland
>   
>

On 11/02/2019 18:32, Harry Jede via samba wrote:
> Am 11.02.19 um 18:47 schrieb Nick Howitt via samba:
>> Hi,
>> I would like to have nmbd only bind to the interfaces specified in 
>> the interfaces line of smb.conf, in the same way that smbd does. When 
>> researching this I did come across a mailing list thread saying there 
>> was no use case, but I think I have one.
>>
>> For many years ClearOS has been providing NT4 style domains and 
>> unix-style shares. M$ upset the applecart last year with their 1803 
>> update when joining NT4 domains got broken (it has since been fixed 
>> since September '18, but I would assume the writing is on the wall 
>> for NT4 domains).
>>
>> To get round the issue I loaded samba into docker using the 
>> https://github.com/Fmstrat/samba-domain container. I wanted to 
>> continue to use the ClearOS samba configuration (v4.7.1 and soon to 
>> follow Centos to 4.8.3) for its file-sharing as a domain member. One 
>> of the problems I had was that if the native ClearOS instance of 
>> samba was started, the docker instance would refuse to start because 
>> of a port clash.
>
> You should start your container with a real ethernet adapter! Search for:
>
> docker tap
>
> or
>
> docker tuntap
>
Thanks. Not so easy to research but I am trying. I'll also ask at the 
docker forums.

I am concerned as to how this will help as nmbd is binding to 0.0.0.0. 
If I introduce a new interface, won't nmbd effectively also bind to
that?
>> To get round this for smbd was easy. All I had to do was bind to 
>> interfaces only, but nmbd would not obey. For nmbd I had to set:
>>
>> nmbd bind explicit broadcast = yes
>> socket address = 192.168.20.1
>>
>> This is sort of OK if I have one LAN interface, but ClearOS is, among 
>> other things, a router/firewall and as such can have multiple LAN 
>> and/or VLAN interfaces. Socket address can only have one IP address 
>> so I can't get all LAN interfaces to bind to it. Is there a way
round
>> this or does it make a reasonable use case for a modification request.
>>
>> Thanks,
>>
>> Nick
>>
>>
>