# A couple of Samba problems

## enigma_0Z

Alright, I'm kinda a Linux networking n00b (not Windows networking, mind you) and I can't see my Linux box from a Windows XP or 98 computer. And I can't seem to connect to the XP box, even though I can connect to the 98 box and view, download, modify its files, etc.

Can someone help me?

----------

## fennec

 *Quote:*   

> I can't see my Linux box from a Windows XP or 98 computer

 

-> What does your smb.conf file look like?

 *Quote:*   

> I can't seem to connect to the XP box

 

-> From your Linux box?

----------

## enigma_0Z

I can connect to Win98 but not WinXP from linux.

Here's my smb.conf. I've got a commented line that I want to ask you about; I'll point it out in the code:

```
[global]
# Replace MYWORKGROUPNAME with your workgroup/domain
workgroup = House
# Of course this has no REAL purpose other than letting
# everyone know its not Windows!
# %v prints the version of Samba we are using.
server string = Samba Server %v
# We are going to use cups, so we are going to put it in here  :Wink:
printcap name = cups
printing = cups
load printers = yes
# We want a log file and we do not want it to get bigger than 50kb.
log file = /var/log/samba/log.%m
max log size = 50
# We are going to set some options for our interfaces...
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# This is a good idea, what we are doing is binding the
# samba server to our local network.
# For example, if eth0 is our local network device
interfaces = lo eth0
bind interfaces only = yes
# Now we are going to specify who we allow, we are after all
# very security conscious, since this configuration does
# not use passwords!
hosts allow = 127.0.0.1 XXX.0/255 ## THIS LINE ##
hosts deny = 0.0.0.0/0
# Other options for this are USER, DOMAIN, ADS, and SERVER
# The default is user
security = user
# No passwords, so we're going to use a guest account!
guest account = samba
guest ok = yes

# Now we setup our print drivers information!
[print$]
comment = Printer Drivers
path = /etc/samba/printer # this path holds the driver structure
guest ok = yes
browseable = yes
# Modify this to "username,root" if you don't want root to
# be the only printer admin)
write list = root

# Now we'll setup a printer to share, while the name is arbitrary
# it should be consistent throughout Samba and CUPS!
[Canon-i850]
comment = Canon i850 Network Printer
printable = yes
path = /var/spool/samba
public = yes
guest ok = yes
# Modify this to "username,root" if you don't want root to
# be the only printer admin)
printer admin = root

# Now we setup our printers share.  This should be
# browseable, printable, public.
[printers]
comment = All Printers
browseable = yes
printable = yes
writable = no
public = yes
guest ok = yes
path = /var/spool/samba
# Modify this to "username,root" if you don't want root to
# be the only printer admin)
printer admin = root

# We create a new share that we can read/write to from anywhere
# This is kind of like a public temp share, anyone can do what
# they want here.
[public]
comment = Public Files
browseable = yes
public = yes
create mode = 0766
guest ok = yes
path = /home/samba/public
```

That line, I'd rather not reveal IP addresses on my network, but that tells it to accept all IP addresses from XXX.0.* thru XXX.255.* right?

----------

## enigma_0Z

I also get an odd error when running cupsaddsmb... here it is:

```
root@tux-machine samba # cupsaddsmb -H tux-machine -U root -h tux-machine -v -a

Password for root required to access tux-machine via SAMBA: 

Running command: smbclient //tux-machine/print\$ -N -U'root%**********' -c 'mkdir W32X86;put /var/spool/cups/tmp/417de811df297 W32X86/local.ppd;put /usr/share/cups/drivers/cupsdrv5.dll W32X86/cupsdrv5.dll;put /usr/share/cups/drivers/cupsui5.dll W32X86/cupsui5.dll;put /usr/share/cups/drivers/cups5.hlp W32X86/cups5.hlp'

Domain=[TUX-MACHINE] OS=[Unix] Server=[Samba 3.0.7]

tree connect failed: NT_STATUS_BAD_NETWORK_NAME
```

Two notes:

1. After I do that, I get the thing asking for a password again, and...

2. I've masked out my password, it's not really asterisks

----------

## fennec

 *Quote:*   

> hosts allow = 127.0.0.1 XXX.0/255 ## THIS LINE ## 

 

Example:

```
hosts allow = 127.0.0.1 192.168.0.0/192.168.0.255 ## 
```

Is that what you mean by XXX? Like the full address?

Personally I'd use

```
hosts allow = 192.168.1. 127.
```

For the rest, make sure the same workgroup is set up on all computers... =P

 *Quote:*   

> interfaces = lo eth0 

 

There, make sure it's not something else you access your Linux box with from the Windows XP box (i.e. ad-hoc wifi, or direct cable to eth1, etc.)

Then on your Windows XP box under

Control Panel > Administrative Tools > Local Security Policy > ....

There is some stuff about NTLM settings...

I am not at home right now, but you need to keep in mind that if your Windows XP box is set up to restrict to NTLMv2 only, or whatever... it might be why it doesn't work. I had a problem with this before, as I hardened my Windows boxes before having a Linux box on the LAN  :Razz: 

----------

## enigma_0Z

The XXX is the first octet, I want to allow all hosts with that first octet instead of specifying IP addresses because we are on DHCP
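
Added example (not part of any post in this thread, and not Samba's own code): a simplified Python model of how `hosts allow` / `hosts deny` entries in the trailing-dot prefix and network/mask forms are matched, which also reports entries it cannot read. The `10.` first octet and the sample config are constructed, the allow-before-deny precedence is an assumption of the model, and hostnames, `EXCEPT` and netgroups are not handled.

```python
import configparser
import ipaddress
import re

# Constructed excerpt; 10.x stands in for the poster's redacted first octet.
SAMPLE_CONF = """
[global]
hosts allow = 127. 10.
hosts deny = 0.0.0.0/0
"""

def parse_entry(entry):
    """Turn one list token into an ip_network, or None if it is not a valid form."""
    try:
        if entry.endswith("."):  # prefix form such as "192.168.1."
            octets = entry[:-1].split(".")
            if len(octets) > 3:
                return None
            padded = octets + ["0"] * (4 - len(octets))
            return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")
        # Single address, CIDR, or network/netmask such as 10.0.0.0/255.0.0.0
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None

def load_lists(conf_text):
    """Read hosts allow / hosts deny from [global]; interpolation off because of %v, %m."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    glob = cp["global"]
    tokens = lambda value: [t for t in re.split(r"[,\s]+", value) if t]
    return tokens(glob.get("hosts allow", "")), tokens(glob.get("hosts deny", ""))

def unparseable(entries):
    return [e for e in entries if parse_entry(e) is None]

def matches(client, entries):
    ip = ipaddress.ip_address(client)
    nets = [n for n in map(parse_entry, entries) if n is not None]
    return any(ip in n for n in nets)

def allowed(client, allow, deny):
    """Assumed precedence: a match on the allow list wins, then the deny list."""
    if matches(client, allow):
        return True
    if matches(client, deny):
        return False
    return not allow or bool(deny)  # allow-only list: unlisted hosts are refused

if __name__ == "__main__":
    allow, deny = load_lists(SAMPLE_CONF)
    for client in ("10.20.30.40", "203.0.113.9"):
        print(client, "allowed" if allowed(client, allow, deny) else "denied")
    print("unparseable:", unparseable(["127.0.0.1", "10.0/255"]))
```

On a host with a public address, pairing a narrow allow list with `hosts deny = 0.0.0.0/0` is what keeps guest shares from answering every other client.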

----------

## enigma_0Z

Hmm, does Windows XP use Active Directory? The way I've got the network set up is, TCP/IP to the internet and network when needed. And then, I've got IPX/SPX and NetBEUI piggybacked into the network. Perhaps I need kerberos support? I looked into local IP policies on the computer in question, and all the authentication was using kerberos.

I'm recompiling samba with kerberos support included, is there anything that I need to add to my smb.conf to make it work?

----------

## enigma_0Z

OK, I've tried to add the IPX protocol as a module in the kernel, but when I try to modprobe it I get this error:

```
# modprobe ipx

FATAL: Error inserting ipx (/lib/modules/2.6.8-gentoo-r3/kernel/net/ipx/ipx.ko): Unknown symbol in module, or unknown parameter (see dmesg)
```

And in dmesg...

```
ipx: Unknown symbol make_EII_client

ipx: Unknown symbol destroy_EII_client
```

I've also tried to add kerberos support to samba by recompiling with this command:

```
USE="kerberos" emerge -pv samba
USE="kerberos" emerge -v samba
```

The pretend output indicated that it was going to have kerberos support, but when I try to mount anything, I get a message saying "No kerberos support compiled in."

I'm going to try to add kerberos to make.conf and try again.

UPDATE, still no go, "no kerberos support compiled in"

Anyone else have this bug?

----------

## petrjanda

1. Can you ping?

2. You do NOT need kerberos

3. just comment out the hosts allow/deny lines.

----------

## enigma_0Z

Yes, I can ping both PCs, but they don't seem to see me in the network browser

----------

## petrjanda

Do you have a firewall? What about your logs? I noticed it complains about a bad domain name in one of the errors you posted, try keeping the domain name same in every case, and simple (one word)

----------

## enigma_0Z

Well, McAfee firewall is set to allow NetBEUI traffic, and I tried disabling the Windows firewall, but that didn't help. I'm not actually using a domain name, I'm using a workgroup. I've got my computers set up with the domain housedomain and the name tux-machine

Another tidbit of info that may help, I can smbclient to myself, but only if security is set to user.

----------

## fennec

 *enigma_0Z wrote:*   

> Hmm, does Windows XP use Active Directory? The way I've got the network set up is, TCP/IP to the internet and network when needed. And then, I've got IPX/SPX and NetBEUI piggybacked into the network. Perhaps I need kerberos support? I looked into local IP policies on the computer in question, and all the authentication was using kerberos.
> 
> I'm recompiling samba with kerberos support included, is there anything that I need to add to my smb.conf to make it work?

 

Have you taken a look at those settings in Local Security Policies in your Windows XP? (Those have nothing to do with ADS, they are local policies...)

----------

## enigma_0Z

It's a windows XP Home system, I couldn't seem to find local security policies. Which Admin tool would it be under?

Perhaps it's having trouble resolving the computer name, should I add it to /etc/hosts?

----------

## fennec

 *Quote:*   

> Perhaps it's having trouble resolving the computer name, should I add it to /etc/hosts?

 

 -> can you ping the name ? 

 *Quote:*   

> It's a windows XP Home system, I couldn't seem to find local security policies. Which Admin tool would it be under? 

 

 -> try ... Start > run > gpedit.msc


----------

## enigma_0Z

OK, I can now ping the name (with the name in /etc/hosts), but there is no gpedit.msc file. I try to run it and it says "no such file or folder". I think it's because WinXP Home doesn't have group policies.

----------

## enigma_0Z

Well, I could ping it the other day, but now I'm timing out...

I think the problem is that the XP PC is expecting NetBEUI to come over IPX. Is there a way that I can force Samba to use IPX for that computer? any special smbclient option?

----------

## fennec

 *enigma_0Z wrote:*   

> OK, I can now ping the name (with the name in /etc/hosts), but there is no gpedit.msc file. I try to run it and it says "no such file or folder". I think it's because WinXP Home doesn't have group policies.

 

Ok, sorry, I did not know there is no console for that on XP Home... You might need to change it in the registry directly... try googling about this...

----------

## fennec

http://www.governmentsecurity.org/forum/index.php?showtopic=6526  ( Look for disable Lan Manager authentication topic )

----------

## enigma_0Z

Yeah, I wish there was... Is very helpful on my own XP Pro installation  :Smile: 

Do you really think that's the problem? It's my Mom's computer, and I don't want to screw anything up.

On a side note, I was able to ping the PC, but now it times out. And, the samba connection also times out.

----------

## enigma_0Z

Hmm, that's set to zero. That means that it will send LM and NTLM responses, right? Is there another option that I should set?

----------

## petrjanda

You need to open samba ports on the server/client if you haven't done that yet. My clients have Windows XP Professional, I didn't have to install any IPX support, hell you shouldn't even need IPX, perhaps NetBEUI is useless too.

----------

## enigma_0Z

I know how to open ports in McAfee, but is there something that I have to do to that darned Windows firewall??

Another piece of info too:

If I add the computers to /etc/hosts, I can ping them by name, but I can only smbclient into the 98 PC; if I try to do so with the XP machines, it times out. Another thing too, it seems that if I don't add the XP computers to /etc/hosts, I can't ping them by name, but I can do so with the 98 PC.

----------

## fennec

```
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"LMCOMPATIBILITYLEVEL"=DWORD:00000002

Level 0 - Send LM response and NTLM response; never use NTLMv2
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only
Level 3 - Send NTLMv2 response only
Level 4 - DC refuses LM responses
Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)
```

I would set it up to Level 1 - Use NTLMv2 session security if negotiated as it might try to use NTLMv2

Check those settings on samba's side too...

----------

## fennec

Can you load this ? secpol.msc

----------

## enigma_0Z

 *fennec wrote:*   

> ```
> [HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
> ...
> ```

 

Where would I check the setting in samba? I have no items in smb.conf relating to NTLM.

----------

## enigma_0Z

 *fennec wrote:*   

> Can you load this ? secpol.msc

 

Nope.

I only want to modify the registry as a last resort. Thanks for trying to help

----------

## fennec

http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/

----------

## fennec

 *enigma_0Z wrote:*   

>  *fennec wrote:*   Can you load this ? secpol.msc 
> 
> Nope.
> 
> I only want to modify the registry as a last resort. Thanks for trying to help

 

man win xp home s*cks

----------

## enigma_0Z

AARRRGGGHHH!! The registry edit didn't work!!!

Is there a way to disable NTLMv2 security in Samba instead of enabling it in windows?

----------

## fennec

 *enigma_0Z wrote:*   

> AARRRGGGHHH!! The registry edit didn't work!!!
> 
> Is there a way to disable NTLMv2 security in Samba instead of enabling it in windows?

 

Take a look at this > http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Or try Google  :Razz: 

----------

## enigma_0Z

It seems that according to this url: http://www.samba.org/samba/docs/man/smb.conf.5.html , my config is set up to use Lanman and plaintext auth, but not NTLMv2, which is how the PC in question is also (using option zero). I'm totally stumped.

I can sometimes ping the computer, other times I can't. On another odd note, the 98 PC can only sometimes access the XP PC, but the XP can always access the 98 PC.

----------

## fennec

I have seen this before, do you really need NetBEUI on your network?

----------

## enigma_0Z

Yes, that is what facilitates file & print sharing through windows in small networks, is it not? I've only got a small network, and no servers. The computers are hooked up through a hub and that hub is uplinked to an internet hookup

----------

## fennec

 *enigma_0Z wrote:*   

> Yes, that is what facilitates file & print sharing through windows in small networks, is it not? I've only got a small network, and no servers. The computers are hooked up through a hub and that hub is uplinked to an internet hookup

 

You DO NOT need NetBEUI... TCP/IP only is needed... you should remove it from each computer.. 

do you have a router, any dhcp server ?

----------

## fennec

And what is your use for IPX/SPX?

----------

## enigma_0Z

Well, I have no router, no DHCP server, so I can't route TCP/IP. That's why I have IPX/SPX and NetBEUI, IPX/SPX seems to broadcast instead of route, and NetBEUI is transmitted through that... Our IP addresses are assigned by the internet servers.

In any case, would removing NetBEUI and IPX/SPX solve my problem? The network works XP to XP

----------

## fennec

Ok well, what I suggest is that you remove both IPX/SPX and NetBEUI. Set up the IP addresses manually on each of your boxes; I think I don't have to point out that they all need to be on the same range.

Is your internet provided through a cable or dsl modem ?

Is your internet using dhcp ? 

Is your internet connected to one computer in particular which shares it to other computers ?

I'll wait for your answers and we will get a step further.

----------

## enigma_0Z

We're set up thru a cable modem

Yes, we are using dhcp thru/for the internet

No, all the computers are hooked up to a hub which connects to the aforementioned cable modem

it's a small home network, will making these changes to the network even fix samba not working? it seems to time out when connecting to Windows XP PC's, but not 98 ones.

----------

## fennec

so each of your computers are getting an IP address of the cable modem ?

----------

## enigma_0Z

Yes

----------

## fennec

So, each of your computers have public IP ?

----------

## enigma_0Z

yes Each of my computers gets their IP addresses from our ISP. We are not behind a router or NAT, so I don't see how we can manually assign IP addresses

----------

## fennec

Yes, that's what I figured out now. Well, it's going to be hard for you to set up this way unless you have an additional NIC in each box or you get yourself a cheap NAT box. If you only had Windows 98 boxes, it would have worked correctly with NetBEUI, but XP and Linux won't be getting along pretty good with this.

Also, the way you are set up, your computers are open to new exploits (which are used by worms) and also to anyone that would hack into your computers.

I strongly believe that you should isolate your lan from the internet...

----------

## fennec

you could also use the linux box as your gateway/firewall to the internet

----------

## enigma_0Z

Unfortunately, the wiring in our house wouldn't allow for my Linux box to be an internet gateway... besides, then my computer would have to be on anytime that anyone wants to get onto the internet, right?

Besides, we've got a pretty strong firewall/virus scanner on all the PCs. In fact, any viruses that we encounter are dealt with swiftly and usually don't spread  :Smile: 

Perhaps I'll just wait for the bugfix/feature in a later version of samba   :Rolling Eyes: 

----------

## UberLord

 *fennec wrote:*   

> And what is your use for IPX/SPX?

 

Red Alert LAN party with 1 case of beer per victim!!!!

Seriously, aside from talking to a Netware server in a large corp there should be no reason.....

----------

## fennec

 *enigma_0Z wrote:*   

> Unfortunately, the wiring in our house wouldn't allow for my Linux box to be an internet gateway... besides, then my computer would have to be on anytime that anyone wants to get onto the internet, right?
> 
> Besides, we've got a pretty strong firewall/virus scanner on all the PCs. In fact, any viruses that we encounter are dealt with swiftly and usually don't spread 
> 
> Perhaps I'll just wait for the bugfix/feature in a later version of samba  

 

But NETBEUI is dead crappy protocol... just get yourself a little nat router that you will hook up directly to the cable modem ( its available for 35$ )

----------

## enigma_0Z

Yeah, it's dead, yeah it's crappy but it works with what I've got...

Unfortunately, I don't have the money to go and buy a NAT... I'll just wait for an update/bugfix in Samba, they should add XP functionality, right?

----------

## fennec

 *enigma_0Z wrote:*   

> Yeah, it's dead, yeah it's crappy but it works with what I've got...
> 
> Unfortunately, I don't have the money to go and buy a NAT... I'll just wait for an update/bugfix in Samba, they should add XP functionality, right?

 

XP functionality?

This problem you have has nothing to do with this, I believe; it's more in the fact that you use a crappy protocol not designed for Windows XP

----------

## enigma_0Z

Well the point is that I can't fix it without making major changes to my network, and that's something that i can't do right now

----------

## fennec

well, good luck

----------

