Can NOT connect to samba server!

I have an opensuse server on my home lan. It will NOT allow me to connect to the samba shares. On the other hand, I have a Raspberry Pi server on the same lan, with an almost identical setup, and it DOES allow connections. And I can NOT find out why. I’ve spent several days worth of hours trying to fix this.

Let me plunge right in, with what I’ve checked already.
Permissions on the share and inherited directories and files: check, a-ok (i.e. user and group, 770)
testparm smb.conf: a-ok (actual results follow)

# testparm smb.conf
Load smb config files from smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[shared-herb]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    workgroup = SLAN
    netbios name = HERB
    server string = ""
    interfaces = 127.0.0/8, eth0, 172.16.0.0/24, enp2s0, 172.16.0.0/24
    bind interfaces only = Yes
    map to guest = Bad User
    obey pam restrictions = Yes
    name resolve order = bcast, host, lmhosts, wins
    show add printer wizard = No
    os level = 99
    domain master = No
    idmap config * : backend = tdb

[shared-herb]
    comment = all home
    path = /home/share
    force user = mark
    read only = No
    create mask = 0775
    directory mask = 0775
    inherit acls = Yes


For comparison, here is the smb.conf for the r-pi server, which is working:

#=================== Global Settings =======================

[global]

## Browsing/Identification ###

workgroup = SLAN
netbios name = rpi

local master = yes
preferred master = yes
os level = 65
server string = ""
wins support = no
domain logons = No
domain master = No
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
# wins server = 
name resolve order = bcast host lmhosts wins


show add printer wizard = No

#### Networking ####

   interfaces = 127.0.0.0/8 eth0 172.16.0.0/24
   bind interfaces only = yes

#### Debugging/Accounting ####

  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d

####### Authentication #######

   security = user
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   map to guest = bad user

########## Printing ##########

   load printers = yes
   printing = cups
   printcap name = cups
   printcap cache time = 750
   cups options = raw
   use client driver = yes


#======================= Share Definitions =======================

[shared]
   comment = big common space
   inherit acls = Yes
   path = /home/shared   
   browseable = yes
   read only = no
   force user = mark
   create mask = 0775
   directory mask = 0775


[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   read only = yes
   create mask = 0700


The latter is slightly edited to remove names and commented lines.

Here is the result of smbtree -L:


SLAN
    \\RPI
        \\RPI\Dude               Brother HL-2270DW series
        \\RPI\PDF                PDF
        \\RPI\IPC$               IPC Service ("")
        \\RPI\shared             big common space
    \\HERB            
        \\HERB\IPC$               IPC Service ("")
        \\HERB\shared-herb        all home

Herb is the server that won’t allow connections.

All the machines on my lan can see the servers with their names - win7 AND ubuntu boxes. But when I try to ping the names? Nogo.

 ping -c3 HERB
ping: unknown host HERB

Ditto the R-Pi server.

But, if I use their url, no prob:

 ping -c3 172.16.0.114
PING 172.16.0.114 (172.16.0.114) 56(84) bytes of data.
64 bytes from 172.16.0.114: icmp_seq=1 ttl=64 time=0.688 ms
64 bytes from 172.16.0.114: icmp_seq=2 ttl=64 time=0.641 ms
64 bytes from 172.16.0.114: icmp_seq=3 ttl=64 time=0.589 ms

--- 172.16.0.114 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.589/0.639/0.688/0.045 ms
mark@main:~$ ping -c3 172.16.0.104
PING 172.16.0.104 (172.16.0.104) 56(84) bytes of data.
64 bytes from 172.16.0.104: icmp_seq=1 ttl=64 time=1.16 ms
64 bytes from 172.16.0.104: icmp_seq=2 ttl=64 time=1.11 ms
64 bytes from 172.16.0.104: icmp_seq=3 ttl=64 time=1.10 ms


Let me see, where else did I go? How about nmap from the client side. Using Zenmap:
172.16.0.104 (the openSuse server that won’t allow Samba connection)


Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-10 19:15 EDT
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 19:15
Scanning 172.16.0.104 [1 port]
Completed ARP Ping Scan at 19:15, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:15
Completed Parallel DNS resolution of 1 host. at 19:15, 0.11s elapsed
Initiating SYN Stealth Scan at 19:15
Scanning 172.16.0.104 [1000 ports]
Discovered open port 445/tcp on 172.16.0.104
Discovered open port 139/tcp on 172.16.0.104
Discovered open port 22/tcp on 172.16.0.104
Completed SYN Stealth Scan at 19:16, 13.02s elapsed (1000 total ports)
Initiating Service scan at 19:16
Scanning 3 services on 172.16.0.104
Completed Service scan at 19:16, 11.02s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 172.16.0.104
Retrying OS detection (try #2) against 172.16.0.104
NSE: Script scanning 172.16.0.104.
Initiating NSE at 19:16
Completed NSE at 19:17, 40.06s elapsed
Nmap scan report for 172.16.0.104
Host is up (0.0011s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 6.2 (protocol 2.0)
| ssh-hostkey: 1024 59:a9:2d:bb:77:2e:96:75:67:a1:55:97:49:32:49:92 (DSA)
|_2048 06:06:5f:9c:be:bc:76:51:f1:4d:d4:e6:59:25:aa:91 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: HERB)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: HERB)
MAC Address: 00:13:20:C8:20:C3 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 - 3.9 (93%), Linux 3.0 - 3.9 (93%), Linux 2.6.32 - 3.6 (92%), Linux 2.6.32 (90%), Linux 2.6.22 - 2.6.36 (90%), Linux 2.6.39 (90%), Crestron XPanel control system (89%), Netgear DG834G WAP or Western Digital WD TV media player (89%), Linux 2.6.32 - 2.6.35 (88%), Linux 2.6.32 - 3.2 (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.114 days (since Tue Mar 10 16:33:30 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=250 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
| nbstat:
|   NetBIOS name: HERB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     HERB<00>      Flags: <unique><active>
|     HERB<03>      Flags: <unique><active>
|     HERB<20>      Flags: <unique><active>
|     \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|       SLAN<00>        Flags: <group><active>
|       SLAN<1d>        Flags: <unique><active>
|_     SLAN<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Unix (Samba 4.1.17-3.30.1-3375-SUSE-oS13.1-i386)
|   NetBIOS computer name: HERB
|   Workgroup: SLAN
|_  System time: 2015-03-10T19:07:54-04:00
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   1.11 ms 172.16.0.104

NSE: Script Post-scanning.
Initiating NSE at 19:17
Completed NSE at 19:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.54 seconds
           Raw packets sent: 3098 (141.528KB) | Rcvd: 59 (4.748KB)

vs 172.16.0.114 (the raspbian server that does allow smb connex)


Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-10 19:22 EDT
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 19:22
Scanning 172.16.0.114 [1 port]
Completed ARP Ping Scan at 19:22, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:22
Completed Parallel DNS resolution of 1 host. at 19:22, 0.12s elapsed
Initiating SYN Stealth Scan at 19:22
Scanning 172.16.0.114 [1000 ports]
Discovered open port 445/tcp on 172.16.0.114
Discovered open port 22/tcp on 172.16.0.114
Discovered open port 139/tcp on 172.16.0.114
Discovered open port 631/tcp on 172.16.0.114
Completed SYN Stealth Scan at 19:23, 14.22s elapsed (1000 total ports)
Initiating Service scan at 19:23
Scanning 4 services on 172.16.0.114
Completed Service scan at 19:23, 11.03s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 172.16.0.114
Retrying OS detection (try #2) against 172.16.0.114
NSE: Script scanning 172.16.0.114.
Initiating NSE at 19:23
Completed NSE at 19:23, 40.02s elapsed
Nmap scan report for 172.16.0.114
Host is up (0.00073s latency).
Not shown: 995 filtered ports
PORT    STATE  SERVICE     VERSION
22/tcp  open   ssh         OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
| ssh-hostkey: 1024 38:ec:2f:77:74:6e:17:25:27:a1:97:30:56:33:43:2e (DSA)
| 2048 ae:b3:b6:51:b7:e1:f1:cb:b3:41:79:3a:e7:4d:11:c9 (RSA)
|_256 2d:41:ea:81:a4:be:93:d6:09:16:25:6e:9d:47:6e:7e (ECDSA)
80/tcp  closed http
139/tcp open   netbios-ssn Samba smbd 3.X (workgroup: SLAN)
445/tcp open   netbios-ssn Samba smbd 3.X (workgroup: SLAN)
631/tcp open   ipp         CUPS 1.5
| http-methods: GET HEAD OPTIONS POST PUT
| Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Home - CUPS 1.5.3
MAC Address: B8:27:EB:4D:3A:AF (Raspberry Pi Foundation)
Aggressive OS guesses: Android 4.1.1 (94%), HP P2000 G3 NAS device (93%), Linux 3.0 - 3.9 (93%), Linux 2.6.31 - 2.6.35 (91%), Linux 2.6.32 - 2.6.39 (91%), Linux 2.6.32 - 3.9 (89%), Linux 2.6.26 - 2.6.35 (89%), Crestron XPanel control system (88%), Linux 2.6.15 - 2.6.30 (88%), Linux 2.6.22 (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 127.357 days (since Mon Nov  3 09:49:13 2014)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| nbstat:
|   NetBIOS name: PI-SERVER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     RPI<00>        Flags: <unique><active>
|     RPI<03>        Flags: <unique><active>
|     RPI<20>        Flags: <unique><active>
|     SLAN<1e>        Flags: <group><active>
|_    SLAN<00>        Flags: <group><active>
| smb-os-discovery:
|   OS: Unix (Samba 3.6.6)
|   Computer name: RPI
|   NetBIOS computer name:
|   Domain name:
|   FQDN: RPI
|_  System time: 2015-03-10T19:23:18-04:00
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.73 ms 172.16.0.114

NSE: Script Post-scanning.
Initiating NSE at 19:23
Completed NSE at 19:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.43 seconds
           Raw packets sent: 3085 (140.764KB) | Rcvd: 68 (5.084KB)


About the only difference I can see that MIGHT be significant is the Smbv2 compatibility. The WORKING server is

|_smbv2-enabled: Server doesn't support SMBv2 protocol

And I can’t find, via google, how to enable or disable a SMB protocol version on the server. From what I’ve read, this should not be an issue.

What else. How about distros and version details - ok.
The non-working openSuse server (cat /proc/version):

Linux version 3.11.10-25-desktop (geeko@buildhost) (gcc version 4.8.1 20130909 [gcc-4_8-branch revision 202388] (SUSE Linux) ) #1 SMP PREEMPT Wed Dec 17 17:57:03 UTC 2014 (8210f77)

and 

$  cat /etc/*-release
NAME=openSUSE
VERSION="13.1 (Bottle)"
VERSION_ID="13.1"
PRETTY_NAME="openSUSE 13.1 (Bottle) (i586)"
ID=opensuse
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:opensuse:13.1"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://opensuse.org/"
ID_LIKE="suse"
openSUSE 13.1 (i586)
VERSION = 13.1
CODENAME = Bottle


The working raspberry pi Raspbian server:

Linux version 3.12.28+ (dc4@dc4-XPS13-9333) (gcc version 4.8.3 20140303 (prerelease) (crosstool-NG linaro-1.13.1+bzr2650 - Linaro GCC 2014.03) ) #709 PREEMPT Mon Sep 8 15:28:00 BST 2014

~$ cat /etc/*-release
PRETTY_NAME="Raspbian GNU/Linux 7 (wheezy)"
NAME="Raspbian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=raspbian
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"


I can connect to the drive via sshfs, and I can connect to the machine via ssh.

So I’m reduced to sitting here and saying things like “Holy Cow, Batman! Why won’t it work?” Your analysis is welcome, hopefully somebody can see something I don’t!

On 3/10/2015 10:36 PM, spokesinger wrote:
>
> I have an opensuse server on my home lan. It will NOT allow me to
> connect to the samba shares. On the other hand, I have a Raspberry Pi
> server on the same lan, with an almost identical setup, and it DOES
> allow connections. And I can NOT find out why. I’ve spent several days
> worth of hours trying to fix this.
>
> Let me plunge right in, with what I’ve checked already.
> Permissions on the share and inherited directories and files: check,
> a-ok (i.e. user and group, 770)
> testparm smb.conf: a-ok (actual results follow)
>
<snip>
> I can connect to the drive via sshfs, and I can connect to the machine
> via ssh.
>
> So I’m reduced to sitting here and saying things like “Holy Cow, Batman!
> Why won’t it work?” Your analysis is welcome, hopefully somebody can see
> something I don’t!
>

Have you checked that Samba Server, Netbios Server and Samba Client are all allowed services through SuSEfirewall2?
YaST > Security and Users > Firewall > Allowed services.
Are both smb.service and nmb.service running?


systemctl status nmb.service
systemctl status smb.service

I noticed that both your machines have elevated OS levels in their respective smb.conf, which do you plan on having as
the master browser?

Have you created Samba users on openSUSE with smbpasswd?


smbpasswd -a <username>

<username> must be a valid Linux user on openSUSE.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Yes - note the nmap scan for open ports

Discovered open port 445/tcp on 172.16.0.104
Discovered open port 139/tcp on 172.16.0.104
Discovered open port 22/tcp on 172.16.0.104

> Are both smb.service and nmb.service running?

Yeup, checked that.

> systemctl status nmb.service
> systemctl status smb.service

systemctl status nmb.service
nmb.service - Samba NMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled)
   Active: active (running) since Tue 2015-03-10 21:36:45 EDT; 18h ago
 Main PID: 3209 (nmbd)
   Status: "nmbd: ready to serve connections..."
   CGroup: /system.slice/nmb.service
           └─3209 /usr/sbin/nmbd -D

Mar 10 21:36:45 herb systemd[1]: Starting Samba NMB Daemon...
Mar 10 21:36:45 herb nmbd[3209]: [2015/03/10 21:36:45.630531,  0] ../lib/ut...y)
Mar 10 21:36:45 herb nmbd[3209]: STATUS=daemon 'nmbd' finished starting up ...ns
Mar 10 21:36:45 herb systemd[1]: Started Samba NMB Daemon.
Mar 10 21:37:08 herb nmbd[3209]: [2015/03/10 21:37:08.939746,  0] ../source...2)
Mar 10 21:37:08 herb nmbd[3209]: *****
Mar 10 21:37:08 herb nmbd[3209]: Mar 10 21:37:08 herb nmbd[3209]: Samba name server HERB is now a loc...04
Mar 10 21:37:08 herb nmbd[3209]: Mar 10 21:37:08 herb nmbd[3209]: *****
Hint: Some lines were ellipsized, use -l to show in full.

status smb.service
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled)
   Active: active (running) since Tue 2015-03-10 21:36:48 EDT; 18h ago
  Process: 3345 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile (code=exited, status=0/SUCCESS)
 Main PID: 3401 (smbd)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/smb.service
           ├─3401 /usr/sbin/smbd -D
           └─3474 /usr/sbin/smbd -D

Mar 10 23:40:34 herb smbd[4038]: pam_env(samba:setcred): Unable to open env...ed
Mar 10 23:40:34 herb smbd[4038]: PAM audit_log_acct_message() failed: Opera...ed
Mar 10 23:40:34 herb smbd[4038]: pam_unix(samba:session): session closed fo...dy
Mar 10 23:40:34 herb smbd[4038]: [2015/03/10 23:40:34.255872,  0] ../source...r)
Mar 10 23:40:34 herb smbd[4038]: smb_pam_error_handler: PAM: session close ...or
Mar 10 23:40:34 herb smbd[4039]: pam_env(samba:setcred): Unable to open env...ed
Mar 10 23:40:34 herb smbd[4039]: PAM audit_log_acct_message() failed: Opera...ed
Mar 10 23:40:34 herb smbd[4039]: pam_unix(samba:session): session closed fo...dy
Mar 10 23:40:34 herb smbd[4039]: [2015/03/10 23:40:34.271290,  0] ../source...r)
Mar 10 23:40:34 herb smbd[4039]: smb_pam_error_handler: PAM: session close ...or
Hint: Some lines were ellipsized, use -l to show in full.


> I noticed that both your machines have elevated OS levels in their respective smb.conf, which do you plan on having as
> the master browser?

I had set that so when Herb is running it takes the master browser win - but I think I will lower the OS level on Herb and just let Pi do that all the time - Herb is not on 24/7.

> Have you created Samba users on openSUSE with smbpasswd?

You know, I am positive I did this - but I am going to run a verification check. And, I just did: (pdbedit -L -v) as root. Username exists.

I’m going to change the master browser level for Herb to something lower than the Pi. And I notice the smbstatus you suggested returned some errors

Mar 10 23:40:34 herb smbd[4038]: pam_env(samba:setcred): Unable to open env file: /etc/environment: Permission denied
Mar 10 23:40:34 herb smbd[4038]: PAM audit_log_acct_message() failed: Operation not permitted
Mar 10 23:40:34 herb smbd[4038]: pam_unix(samba:session): session closed for user nobody
Mar 10 23:40:34 herb smbd[4038]: [2015/03/10 23:40:34.255872,  0] ../source3/auth/pampass.c:89(smb_pam_error_handler)
Mar 10 23:40:34 herb smbd[4038]: smb_pam_error_handler: PAM: session close failed : System error
Mar 10 23:40:34 herb smbd[4039]: pam_env(samba:setcred): Unable to open env file: /etc/environment: Permission denied
Mar 10 23:40:34 herb smbd[4039]: PAM audit_log_acct_message() failed: Operation not permitted
Mar 10 23:40:34 herb smbd[4039]: pam_unix(samba:session): session closed for user nobody
Mar 10 23:40:34 herb smbd[4039]: [2015/03/10 23:40:34.271290,  0] ../source3/auth/pampass.c:89(smb_pam_error_handler)
Mar 10 23:40:34 herb smbd[4039]: smb_pam_error_handler: PAM: session close failed : System error


Now, I don’t understand those messages explicitly. And googling the first error isn’t much help.

I am wondering if it isn’t something network related (which is why I’m going to try the lowered OS priority), and not Samba specifically at all. I’m still chasing shadows.

I am also going to explicitly open ports 137-138, as I notice they are not reported as open. I don’t think they are required, but they are pretty standard - and I just let Yast do the firewall rules for Samba profile - and Yast reports all required ports open and ready.

One point to add - in my notes I notice one of the first checks I ran was to turn off the firewall and see if anything worked - it made no difference then. I’m still going to explicitly open 137-138, jic.

Nope. No good. I still can’t ping the machine name. Trying to “get there” using Nemo - which does list Herb in the network dialogue:
:Failed to retrieve share list from server: Connection refused

And, drilling down under network into the Windows network - the share is listed - and it asks for a pw, all good and proper - but it rejects correct pw entries.

No joy yet.

I’ve been using sshfs with my desktop (xubuntu) as a workaround - but I’m getting desperate to get my laptop (win7) back to work.

On 3/11/2015 5:16 PM, spokesinger wrote:
>
> Nope. No good. I still can’t ping the machine name. Trying to “get
> there” using Nemo - which does list Herb in the network dialogue:
>
> :Failed to retrieve share list from server: Connection
> refused
>
> And, drilling down under network into the Windows network - the share is
> listed - and it asks for a pw, all good and proper - but it rejects
> correct pw entries.
>
> No joy yet.
>
> I’ve been using sshfs with my desktop (xubuntu) as a workaround - but
> I’m getting desperate to get my laptop (win7) back to work.
>
>
spokesinger;

Have you tested with AppArmor disabled?
YaST > Security and Users > AppArmor Configuration
The default AppArmor profile for Samba can cause permission problems.

Can you ping via IP number?


ping -c3 172.16.0.104

Ping will not use Netbios name resolution unless you add “wins” to the hosts: line of /etc/nsswitch.conf. For example:


hosts:  	files mdns_minimal [NOTFOUND=return] wins dns


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Ok, here is the latest - and there IS news.

Amongst everything else, I figured there were just too many variables. So:

I shut down the r-pi server.
I disabled Apparmor on the opensuse server (herb).
I turned off the firewall on herb.

And it finally worked.

Whilst I think the firewall is the primary problem, I do not think it was ALL the problem. I made a number of small changes to smb.conf to hopefully make things work. And, I had previously turned off the firewall to test the setup. Somewhere in between then and now, I’ve done enough changes to make it work.

Now I have to figure out how to fix the firewall. I think I’m going to delete the Samba profiles provided by the opensuse firewall2, and just tell the firewall to open the correct ports for the correct protocols (I’ll have to look it up, but I think it is 137-139 tcp and udp; and 441 tcp). And retry with the firewall in place. I COULD just explicitly add the proper ports - but that would leave an iptables file that would be hard to read. Iptables is hard enough as it is, don’t want to make it worse!

Thanks for tossing your feedback at this problem. Appreciated!

Oh! AND, thanks for the tip about name recognition! I’m putting that in my journal for future reference.

On 3/13/2015 7:06 PM, spokesinger wrote:
>
> Ok, here is the latest - and there IS news.
>
> Amongst everything else, I figured there were just too many variables.
> So:
>
> I shut down the r-pi server.
> I disabled Apparmor on the opensuse server (herb).
> I turned off the firewall on herb.
>
> And it finally worked.
>
> Whilst I think the firewall is the primary problem, I do not think it
> was ALL the problem. I made a number of small changes to smb.conf to
> hopefully make things work. And, I had previously turned off the
> firewall to test the setup. Somewhere in between then and now, I’ve done
> enough changes to make it work.
>
> Now I have to figure out how to fix the firewall. I think I’m going to
> delete the Samba profiles provided by the opensuse firewall2, and just
> tell the firewall to open the correct ports for the correct protocols
> (I’ll have to look it up, but I think it is 137-139 tcp and udp; and 441
> tcp). And retry with the firewall in place. I COULD just explicitly add
> the proper ports - but that would leave an iptables file that would be
> hard to read. Iptables is hard enough as it is, don’t want to make it
> worse!
>
> Thanks for tossing your feedback at this problem. Appreciated!
>
>
Just allowing Samba Server, Netbios Server and Samba Client is sufficient and equivalent to opening the following
ports used by nmbd and smbd:
Port 135 TCP used by smbd,
Port 137 UDP used by nmbd,
Port 138 UDP used by nmbd,
Port 139 TCP used by smbd, and
Port 445 TCP used by smbd
Keep in mind that SuSEfirewall2 is regenerated on each boot so that if you try to set iptables directly they will not be
preserved between boots without a little extra work.

I suspect AppArmor was the real culprit.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Yup - got that. Actually, at this point, I’m not sure but I should just light a candle and say a prayer whilst waving some incense about - and I might get results.

After I turned off Apparmor, and the firewall, etc, and got things working, I turned the firewall back on thru yast, WITHOUT doing any of the edits I mentioned. (Which I would do thru OpenSuse firewall, as I’ve never had good luck trying to edit iptables directly.) And everything still worked.

So last night I shut everything down. Rebooted the samba server this morn, and two desktops - ubuntu and Win7. At first I can’t connect - but for some reason nmb crashed - I restart it - and all sharing is available as before.

By the way - venzkep - you probably already know this - but I did not until this morning. I had noticed previously that OpenSuse firewall was setting iptables using service names, rather than port numbers. Since that doesn’t translate automatically in my head, I looked up where the service names were stored - and this could be useful to other searchers: the file **/etc/services** contains the full service-name/port number cross reference table. And if I understand correctly, iptables goes to that file for that info.

Anyway, it is weird that it would not work with Apparmor off and the firewall on - and then it DOES work with Apparmor off and the firewall on. But it is working atm - which I would think supports your thinking that the culprit at the moment was Apparmor.

It is not 100% - as using cli “mount” from ubuntu will result in errors, whilst Nemo will make the connection. The Win7 box can get to the files, and that was the immediate objective. I think the mount error may be related to the (fairly recent??) change in samba default security from ntlm to ntlmssp - but I haven’t had any luck fixing that yet - and that is a different issue.

Thanks again, venskep, for sticking with this one!

I can’t edit the original title to mark it “Solved”, so I’ll add that to the tags

On 3/15/2015 2:06 PM, spokesinger wrote:
>
<snip>

>
> Thanks again, venskep, for sticking with this one!
>
>
spokesinger;

Glad to hear you have your Samba shares working now. Enjoy sharing your files.

Since you know that sharing works with AppArmor disabled there are three options for you.

  1. Leave AppArmor disabled

  2. Set AppArmor to complain rather than enforce for usr.sbin.[s,n]mbd.
    Yast > Security and Users > AppArmor Configuration > Settings > Configure

  3. Edit the AppArmor profiles for [s,n]mbd.
    Yast > Security and Users > AppArmor Configuration > Manage Existing Profiles
    AppArmor should show denied access in /var/log/messages and/or /var/log/apparmor/. If you choose this option you will
    need to read up on AppArmor profiles and how to allow files and directories.

I note that /etc/services should exist on all Unix/Linux systems. It was there on Solaris.


P.V.
“We’re all in this together, I’m pulling for you” Red Green
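
A way to approach option 3 above, as an added example that is not part of the original thread: the script reads AppArmor audit records for smbd and nmbd and prints the profile rules that would permit the logged access. The sample records are constructed in the kernel audit format, with /etc/environment and audit_write chosen to mirror the PAM errors quoted earlier (that AppArmor caused those errors is an assumption), and `sample_log` and `candidate_rules` are names made up for this example.

```sh
#!/bin/sh
# Added example (not from the thread): turn AppArmor audit records for
# smbd/nmbd into candidate profile rules, so the profile can be tuned
# instead of leaving AppArmor disabled.

# Constructed sample records in the kernel audit format. They are NOT from
# the poster's server; PIDs, timestamps and the file new.txt are made up.
sample_log() {
cat <<'EOF'
Mar 10 23:40:34 herb kernel: type=1400 audit(1426045234.255:41): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/environment" pid=4038 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 10 23:40:34 herb kernel: type=1400 audit(1426045234.256:42): apparmor="DENIED" operation="capable" profile="/usr/sbin/smbd" pid=4038 comm="smbd" capability=29 capname="audit_write"
Mar 10 23:40:34 herb kernel: type=1400 audit(1426045234.271:43): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/environment" pid=4039 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 10 23:41:02 herb kernel: type=1400 audit(1426045262.100:44): apparmor="DENIED" operation="mknod" profile="/usr/sbin/smbd" name="/home/share/new.txt" pid=4040 comm="smbd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Mar 10 23:41:02 herb kernel: type=1400 audit(1426045262.101:45): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/home/share/new.txt" pid=4040 comm="smbd" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
Mar 10 23:41:05 herb kernel: type=1400 audit(1426045265.000:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nmbd" name="/var/log/samba/log.nmbd" pid=3209 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Mar 10 23:41:09 herb kernel: type=1400 audit(1426045269.000:47): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Reads log lines (files given as arguments, or stdin) and prints
# "profile<TAB>rule" lines. DENIED comes from enforce mode, ALLOWED from
# complain mode; both describe access the profile does not yet grant.
candidate_rules() {
awk '
function field(key,    s) {                # value of key="value" in rec
    if (!match(rec, " " key "=\"[^\"]*\"")) return ""
    s = substr(rec, RSTART, RLENGTH)
    sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
    return s
}
function canon(p,    i, c, out) {          # order permissions as r w a k l m
    for (i = 1; i <= 6; i++) { c = substr("rwaklm", i, 1); if (index(p, c)) out = out c }
    return out
}
{
    rec = " " $0
    verdict = field("apparmor")
    if (verdict != "DENIED" && verdict != "ALLOWED") next
    profile = field("profile")
    if (profile !~ /\/(smbd|nmbd)$/) next  # only the two Samba daemons
    if (field("operation") == "capable") { caps[profile SUBSEP field("capname")] = 1; next }
    name = field("name"); mask = field("denied_mask")
    if (name == "" || mask == "") next
    gsub(/[cd]/, "w", mask)                # audit c (create) and d (delete) need w in a profile
    key = profile SUBSEP name
    for (i = 1; i <= length(mask); i++) {  # union of the masks seen for this path
        p = substr(mask, i, 1)
        if (index(perms[key], p) == 0) perms[key] = perms[key] p
    }
}
END {
    for (k in caps) { split(k, a, SUBSEP); print a[1] "\tcapability " a[2] "," }
    for (k in perms) {
        split(k, a, SUBSEP); p = canon(perms[k])
        if (p != "") print a[1] "\t" a[2] " " p ","
        # exec rules need a transition mode, which cannot be guessed from the log
        if (index(perms[k], "x")) print a[1] "\t# " a[2] ": exec denied, choose ix/px/cx by hand"
    }
}
' "$@" | LC_ALL=C sort
}

# Demo on the constructed records. On a real host pass the log file instead,
# e.g. candidate_rules /var/log/messages (the path named in the thread).
sample_log | candidate_rules
```

Review each proposed line before adding it to the profile (Yast > Security and Users > AppArmor Configuration > Manage Existing Profiles); for files under the share, a single glob rule such as `/home/share/** rw,` is usually preferable to one line per file.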