Jeff Morris
2019-Apr-20 19:12 UTC
[Samba] Specifying an IPv6 wildcard in the interfaces directive?
My network uses reserved IPv4 addresses (192.168.2.0/24) behind a NAT firewall, but public IPv6 addresses behind a filtering firewall.

My ISP (Comcast) assigns both IPv4 and IPv6 addresses dynamically.

As a result, the IPv4 address of my internal Samba server is statically assigned, but its IPv6 address is dynamically assigned.

The server has multiple IPv4 addresses assigned to it, all on interface enp3s0. One of these I'd like to use for Samba, but the other is used as a proxy address for another device on my network, so I do NOT want Samba to bind to it, as it would conflict with SMB services on the proxied device.

How would I go about configuring Samba so it will bind to ALL IPv6 addresses on the server, but only ONE IPv4 address?

I currently have the following lines in smb.conf:

    bind interfaces only = yes
    interfaces = lo 192.168.2.3 ::/0

I was hoping that by specifying ::/0 (all IPv6 addresses) it would do what I want, but this doesn't seem to work; netstat shows that Samba is only binding to IPv6 on the loopback interface:

    # netstat -plnt | grep mbd
    tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      18876/smbd
    tcp        0      0 192.168.2.3:139         0.0.0.0:*               LISTEN      18876/smbd
    tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      18876/smbd
    tcp        0      0 192.168.2.3:445         0.0.0.0:*               LISTEN      18876/smbd
    tcp6       0      0 ::1:139                 :::*                    LISTEN      18876/smbd
    tcp6       0      0 ::1:445                 :::*                    LISTEN      18876/smbd

If I remove the "interfaces" directive from the config, then samba binds to whatever IPv6 address is assigned to the interface, but also binds to both IPv4 addresses.

I've tried several other variations of "interfaces" that also don't do what I need:

(1) Binds to all IPv6 and all IPv4 addresses on enp3s0:

    interfaces = lo enp3s0 192.168.2.3

(2) Likewise, binds to all IPv6 and all IPv4 addresses on enp3s0:

    interfaces = lo enp3s0

(3) Doesn't bind to any IPv6 address on enp3s0:

    interfaces = lo 192.168.2.3

Is there a way to get Samba to do this?

Thanks!
Nico Kadel-Garcia
2019-Apr-20 20:08 UTC
[Samba] Specifying an IPv6 wildcard in the interfaces directive?
On Sat, Apr 20, 2019 at 3:32 PM Jeff Morris via samba <samba at lists.samba.org> wrote:
>
> My network uses reserved IPv4 addresses (192.168.2.0/24) behind a NAT
> firewall, but public IPv6 addresses behind a filtering firewall.
>
> My ISP (Comcast) assigns both IPv4 and IPv6 addresses dynamically.
>
> As a result, the IPv4 address of my internal Samba server is statically
> assigned, but its IPv6 address is dynamically assigned.

Why can't your internal DHCP server assign reserved IP addresses, suitable to a non-routable address space?

> The server has multiple IPv4 addresses assigned to it, all on interface
> enp3s0. One of these I'd like to use for Samba, but the other is used as
> a proxy address for another device on my network, so I do NOT want Samba
> to bind to it, as it would conflict with SMB services on the proxied
> device.

So.... how are you segregating the IPv4 addresses on the same NIC? Are you using tagged VLAN's, or is it just not working? Is there any reason you can't put the proxy on a different port, rather than on a different IP address?

I'm going to strongly suggest you stop playing the IPv6 and IPv4 and exposed public IP and NAT and DHCP and static address and an umbrella with two olives stick on the handle sticking out of it cocktail approach to network configurations. The result is a chimera. Pick your local standards:

* IPv4 or IPv6? One or the other, stop using both internally
* Always use static IP addresses for all IP addresses on servers, with DHCP reservations if appropriate. It's usually possible, even with a DHCP server in play, to set the DHCP range to be a subnet of the allocated IP range and set static addresses in the rest of the space.

Why are you trying to expose the IPv6 address to the Internet at all? If you have stable IPv4 and stable port forwarding with the NAT, why don't you just use that?
Reindl Harald
2019-Apr-20 20:21 UTC
[Samba] Specifying an IPv6 wildcard in the interfaces directive?
On 20.04.19 at 22:08, Nico Kadel-Garcia via samba wrote:
> * IPv4 or IPv6? One or the other, stop using both internally

that stops working from the moment on you have dns records in a dual-stack and offer also public services unlinke you you don't want to go down the dns-views rabbit hole
Jeff Morris
2019-Apr-20 23:04 UTC
[Samba] Specifying an IPv6 wildcard in the interfaces directive?
On 4/20/2019 1:08 PM, Nico Kadel-Garcia wrote:
> On Sat, Apr 20, 2019 at 3:32 PM Jeff Morris via samba
> <samba at lists.samba.org> wrote:
>> My network uses reserved IPv4 addresses (192.168.2.0/24) behind a NAT
>> firewall, but public IPv6 addresses behind a filtering firewall.
>>
>> My ISP (Comcast) assigns both IPv4 and IPv6 addresses dynamically.
>>
>> As a result, the IPv4 address of my internal Samba server is statically
>> assigned, but its IPv6 address is dynamically assigned.
> Why can't your internal DHCP server assign reserved IP addresses,
> suitable to a non-routable address space?

Well, of course it *can*, and indeed that's what I'm doing for IPv4. However, best practices recommend not using NAT for IPv6. One of the main driving factors toward the global migration to IPv6 is so we can have a "flat" Internet again, with enough address space to allow all devices to be individually addressable, like we did years ago with IPv4 (yes, I'm old enough to remember) :-), and get away from NAT, port-forwarding, and all the other horrible kludges that have been implemented over the years to try to compensate for the exhaustion of the IPv4 address space.

>> The server has multiple IPv4 addresses assigned to it, all on interface
>> enp3s0. One of these I'd like to use for Samba, but the other is used as
>> a proxy address for another device on my network, so I do NOT want Samba
>> to bind to it, as it would conflict with SMB services on the proxied
>> device.
> So.... how are you segregating the IPv4 addresses on the same NIC? Are
> you using tagged VLAN's, or is it just not working? Is there any
> reason you can't put the proxy on a different port, rather than on a
> different IP address?

Sorry, I should have been more explicit.
Both addresses are on the same subnet, and thus are simply assigned to the same physical interface; I'm not using VLANs or virtual interfaces (or at least I wasn't when I wrote my initial message; I've since figured out a way to do this by using a virtual interface for each IP address. I'll explain more below.) Both of the addresses work fine and can communicate with other hosts on the network. I just need Samba to ignore one of them.

I can't put the proxy on a different port because I am proxying SMB (TCP port 445) for a non-rooted Android device. Since the device isn't rooted, it can't run an SMB server on port 445 (only on non-privileged ports), and since Windows cannot utilize SMB servers on any other port than 445, I've ended up having to set up a proxy for it on my Linux server. It's an ugly kludge and I don't like it, but sigh, that's what I get for living in a world where manufacturers have decided that people should not have administrative access to the hardware that they themselves own. :-(

So basically, I have two addresses in the same subnet assigned to the Ethernet interface on my Linux server (192.168.2.3, 192.168.2.4). I want incoming TCP connections to port 445 on the first address to go to the samba daemon running on the server, and I want incoming TCP connections to port 445 on the second address to be NATed and routed by the Linux server to the Android device. I also want incoming TCP connections to port 445 for *any* IPv6 address on the server to go to the samba daemon running on the server.

> I'm going to strongly suggest you stop playing the IPv6 and IPv4 and
> exposed public IP and NAT and DHCP and static address and an umbrella
> with two olives stick on the handle sticking out of it cocktail
> approach to network configurations. The result is a chimera. Pick your
> local standards:
>
> * IPv4 or IPv6? One or the other, stop using both internally

Well, you're welcome to your opinion. I do disagree, however.
I'm simply running dual-stack, which is a perfectly valid network configuration, no olives or umbrellas involved. (Although there have been a fair share of cocktails.) :-D

The necessity of running NAT for IPv4 and DHCP for IPv6 isn't my choice, it's the result of the combination of my ISP's choices and the global depletion of IPv4 addresses. If you can convince Comcast to provide static routing of IPv6, it would make my life a lot easier, so good luck with that! ;-)

I don't feel that running private IPv6 addresses and NATting IPv6 is a very good solution since it's a step backwards. In a perfect world, everyone would get themselves migrated to IPv6, and I could drop all the kludgy IPv4 NATting and so forth and not have to support a legacy protocol (IPv4) at all, but realistically I don't expect to see that happen in my lifetime. :-( (And indeed I have old gear on my network that won't support IPv6 anyway, like my Amiga.) ;-)

> * Always use static IP addresses for all IP addresses on servers, with
> DHCP reservations if appropriate. It's usually possible, even with a
> DHCP server in play, to set the DHCP range to be a subnet of the
> allocated IP range and set static addresses in the rest of the space.

Of course, and I agree completely, and that's exactly what I'm doing with IPv4. Again, I don't have any choice with regards to IPv6. That's how Comcast assigns them, so if I want to use static IPv6 addresses, I would have to NAT it, which I don't want to do, as I explained above. (In fairness, I don't think my IPv6 /64 has ever changed, but technically it is dynamic, so if it ever does change I don't want to have to go around and reconfigure everything on my network.)

> Why are you trying to expose the IPv6 address to the Internet at all?

Because that's considered best practice for IPv6 implementations.
(And they're not really "exposed", they are behind a firewall and not accessible from outside, just not NATted.)

> If you have stable IPv4 and stable port forwarding with the NAT, why
> don't you just use that?

Because it's a legacy protocol.

Alternate answer: because I'm a hacker and like doing interesting things with technology and learning from the experience. Again, this is my *home* network. If this were a business's network that I was administering for an employer or a client, I would make very different decisions based on their business needs.

I appreciate your feedback, but at the end of the day, I wasn't trying to solicit network architecture advice, I was just asking a straightforward question: Can Samba be configured to bind to a specific IPv4 address, while at the same time binding to all IPv6 addresses? Many daemons support this via separate configuration directives for IPv4 vs. IPv6 bindings, for example. Other than this one problem with needing to use this Linux server as both an SMB server and a proxy to another SMB server, everything on my network is working fine and well under control. :-)

I've figured out a way to do what I need though: rather than assigning both IP addresses to the same interface, I've set up an interface alias (not a VLAN, just a simple interface alias, a la "eth0:0" style), and put the second IP address on that. This way, I can simply have Samba bind to the Ethernet interface, so it gets the one IPv4 address and whatever IPv6 address is assigned, while the second IPv4 address gets forwarded to the Android device.

So my smb.conf now simply contains "interfaces = lo enp3s0", and everything works as I wanted, since the second IP address which I'm using as a proxy is now on enp3s0:0 instead. It's working well.

Thanks again for the feedback!
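
A check for the binding goal discussed in this thread, added here as an example and not part of any poster's message: it reads `netstat -plnt` output and reports smbd listeners on IPv4 addresses other than the intended one, and whether smbd listens on any non-loopback IPv6 address. The function names are hypothetical, the first sample is the listener table from the original post, and the second sample (using the documentation address 2001:db8::3) is constructed.

```shell
#!/bin/sh
# Audit smbd TCP listeners from `netstat -plnt` output read on stdin.
# $1 = the one IPv4 address smbd may listen on (127.0.0.1 is always allowed).
# Prints one finding per line, or "OK" when the bindings match the intent.
audit_smbd_binds() {
    awk -v want4="$1" '
    $6 == "LISTEN" && $7 ~ /\/smbd$/ {
        n = split($4, p, ":")              # the port is the last colon field
        addr = substr($4, 1, length($4) - length(p[n]) - 1)
        if ($1 == "tcp6") {
            if (addr == "::") wild6 = 1    # wildcard covers every IPv6 address
            else if (addr != "::1") other6 = 1
        } else if (addr == "0.0.0.0") {
            bad["UNEXPECTED-IPV4 0.0.0.0 (wildcard)"] = 1
        } else if (addr != want4 && addr != "127.0.0.1") {
            bad["UNEXPECTED-IPV4 " addr] = 1
        }
    }
    END {
        for (b in bad) { print b; found = 1 }
        if (!wild6 && !other6) { print "NO-NONLOOPBACK-IPV6"; found = 1 }
        if (!found) print "OK"
    }'
}

# Listener table quoted in the original post (interfaces = lo 192.168.2.3 ::/0).
sample_from_post() { cat <<'EOF'
tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 18876/smbd
tcp 0 0 192.168.2.3:139 0.0.0.0:* LISTEN 18876/smbd
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 18876/smbd
tcp 0 0 192.168.2.3:445 0.0.0.0:* LISTEN 18876/smbd
tcp6 0 0 ::1:139 :::* LISTEN 18876/smbd
tcp6 0 0 ::1:445 :::* LISTEN 18876/smbd
EOF
}

# Constructed sample of the intended end state (address and PID are made up).
sample_constructed() { cat <<'EOF'
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 2101/smbd
tcp 0 0 192.168.2.3:445 0.0.0.0:* LISTEN 2101/smbd
tcp6 0 0 ::1:445 :::* LISTEN 2101/smbd
tcp6 0 0 2001:db8::3:445 :::* LISTEN 2101/smbd
EOF
}

sample_from_post | audit_smbd_binds 192.168.2.3   # reports the missing IPv6 bind
```

On a live host, the input would come from `netstat -plnt | audit_smbd_binds 192.168.2.3`, run as root so the PID/program column is populated.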