[Bug 225635] New: Firewall Blocks Samba Client
https://bugzilla.novell.com/show_bug.cgi?id=225635

           Summary: Firewall Blocks Samba Client
           Product: SUSE Linux 10.1
           Version: Final
          Platform: 32bit
        OS/Version: SuSE Linux 10.1
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: stanaland@gmail.com
         QAContact: qa@suse.de

Below are some wishlists and/or complaints after spending all day trying to get samba to work:

1. When configuring the Firewall's allowed services, it is easy enough to allow the Samba Server as it is in the drop down ("Service to Allow"). However, there is no "Samba Client", so it is difficult to allow all of the tcp and udp ports necessary to allow samba browsing from Suse 10.1.

2. It is possible to fix this by changing the interface from External Zone to Internal Zone. I have a Computer Science degree and I barely understand how zones work or what they are supposed to be... it would be nice if this was made clearer in the Suse Firewall module.

3. Turns out that by adding "wins support = true" to the smb.conf [global], you do not even have to open firewall ports. Why isn't this option a default or at least available in Yast?

4. Why does one have to be an expert at Samba to use it on Linux? Aside from the firewall and "wins support" issues, my default samba configuration had profiles, groups, and users. How come there is no explanation of the difference? Further, once these are deleted there doesn't appear to be an easy way to bring them back.

IMHO, the yast setup should have only a few high level options in the Samba Yast tool. For example, check boxes to turn on/off the following:

1. Enable Samba Client (including opening firewall)
2. Enable Samba Server (including opening firewall)
3. Allow Users to Share Files
4. Allow Users to Access Their Home Directories

And perhaps a few basic settings for each of the above options. Other than that, experts can always edit their smb.conf.

Please do some work on this. I have been using Linux since 1999, and getting Samba to work is just as bad.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=225635

mhorvath@novell.com changed:

           What    |Removed                                    |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com  |locilka@novell.com

------- Comment #1 from mhorvath@novell.com 2006-12-03 19:03 MST -------
Thank you for your suggestions. Please don't write more than one problem/enhancement into one bug report. Thank you.
https://bugzilla.novell.com/show_bug.cgi?id=225635

------- Comment #2 from stanaland@gmail.com 2006-12-03 19:43 MST -------
After some testing, it seems that maybe #3 may not be true. It was something I read on Google, but I am not 100% sure that the "wins support" option helped after all.

I apologize for putting multiple items on the report, but I would like to clarify that my main point is that regardless of the details, "Network Neighborhood" *browsing* and *sharing* needs to be improved in Yast.
https://bugzilla.novell.com/show_bug.cgi?id=225635

locilka@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Comment #3 from locilka@novell.com 2006-12-04 00:46 MST -------
Yes, this is known behavior. SuSEfirewall2 uses iptables (a state-matching firewall). Browsing is done by sending a broadcast packet to a multicast network, clients return a reply which should be considered related to the already opened connection. But iptables evaluates that reply as a new connection and denies it.

There is a possibility how to solve it but it might be a security hole:
http://forums.fedoraforum.org/archive/index.php/t-91024.html

--- cut ---
To browse smb shares from your linux system whilst iptables is running you'll have to load the "ip_conntrack_netbios_ns" module. This allows netbios broadcasts sent from your system back through the firewall:

    modprobe ip_conntrack_netbios_ns

To have this loaded each time iptables starts add this to /etc/sysconfig/iptables-config:

    IPTABLES_MODULES="ip_conntrack_netbios_ns"
--- cut ---

*** This bug has been marked as a duplicate of bug 223465 ***
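A simplified model of the state matching described in comment #3, added here as an illustration (it is not code from the bug report, SuSEfirewall2 or the kernel). It shows why a unicast reply to a NetBIOS name-service broadcast is classified NEW, and what a helper-style expectation changes; the addresses, ports, class names and the 3-second window are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

NETBIOS_NS = 137      # UDP port of the NetBIOS name service
HELPER_WINDOW = 3.0   # seconds an expectation stays valid (assumed for this model)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float          # time in seconds

class Conntrack:
    """Toy UDP state matcher for the browsing client's firewall."""
    def __init__(self, local_net, helper=False):
        self.net = ipaddress.ip_network(local_net)
        self.helper = helper
        self.flows = set()    # exact reply tuples that count as ESTABLISHED
        self.expect = []      # (dst, dport, expires) entries created by the helper

    def outbound(self, p):
        # Plain tracking: a reply must come from the address we sent to.
        self.flows.add((p.dst, p.dport, p.src, p.sport))
        is_bcast = ipaddress.ip_address(p.dst) == self.net.broadcast_address
        if self.helper and p.dport == NETBIOS_NS and is_bcast:
            self.expect.append((p.src, p.sport, p.t + HELPER_WINDOW))

    def inbound(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return "ESTABLISHED"
        for dst, dport, expires in self.expect:
            if ((p.dst, p.dport) == (dst, dport) and p.sport == NETBIOS_NS
                    and ipaddress.ip_address(p.src) in self.net and p.t <= expires):
                return "RELATED"
        return "NEW"

def browse(helper):
    """Send one name query broadcast, then classify constructed sample replies."""
    ct = Conntrack("192.168.1.0/24", helper)
    ct.outbound(Packet("192.168.1.10", 40000, "192.168.1.255", NETBIOS_NS, 0.0))
    replies = {
        "server reply":   Packet("192.168.1.20", 137, "192.168.1.10", 40000, 0.2),
        "other LAN host": Packet("192.168.1.66", 137, "192.168.1.10", 40000, 1.0),
        "after window":   Packet("192.168.1.20", 137, "192.168.1.10", 40000, 5.0),
        "off-subnet":     Packet("10.0.0.5", 137, "192.168.1.10", 40000, 0.3),
    }
    # Assumed external-zone policy: accept only ESTABLISHED/RELATED traffic.
    return {name: "ACCEPT" if ct.inbound(p) != "NEW" else "DROP"
            for name, p in replies.items()}
```

With the helper enabled, "other LAN host" is accepted as well as the real server: during the window any host on the local subnet can reach the client's source port from UDP 137, which is the exposure to weigh before loading the module on an untrusted network.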
https://bugzilla.novell.com/show_bug.cgi?id=225635#c4
Lukas Ocilka