Can only connect to samba shares some of the time

Hi,

I’m having the issue where I currently cannot connect to my samba share on the local network. As far as I can tell the issue is coming from the Susefirewall as when I turn it off I can connect fine. When I first installed OpenSUSE I had the same issue but fixed it by allowing the Samba Client service in the external zone of the firewall. I have now logged in this morning and can no longer connect, whenever I try and connect directly to the samba share (smb://newfishnas/data), it gives me the error “Could not display “smb://newfishnas/data” Error: Failed to mount windows share: invalid argument. Please select another viewer and try again.”. If I try and navigate to Network > Windows Network (which is where I normally go to get to the share) I get the error “Unable to mount location. Failed to retrieve share list from server: No such file or directory”. Is anyone able to help me with this issue?

I’m not sure what Logs or configs I should post so if anyone would like to see any of them please ask.

Thanks

Hi
Is the gvfs-backend-samba package installed?

Could be authentication type on the share, try connecting from the command line with some verbose output;


smbclient -d2 //<server>/share -U <username>

Hi Malcomlewis,

Thanks for your reply. I have the gvfs-backend-samba package installed. Please see below for the results of the command you asked me to run:


fish@FishPC-Linux:192.168.1.78/24 ~ $ smbclient -d2 //newfishnas/data -U generic
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Can't find include file /etc/samba/dhcp.conf
added interface enp4s0 ip=2001:8003:84ed:7d00:5d07:2ebc:26f:5bac bcast= netmask=ffff:ffff:ffff:ffff::
added interface enp4s0 ip=2001:8003:84ed:7d00:ca60:ff:fec4:6eea bcast= netmask=ffff:ffff:ffff:ffff::
added interface enp4s0 ip=192.168.1.78 bcast=192.168.1.255 netmask=255.255.255.0
Enter generic's password: 
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
Connection to newfishnas failed (Error NT_STATUS_UNSUCCESSFUL)

EDIT:

if I disable my firewall in YaST and re-run the command I get the below result:


fish@FishPC-Linux:192.168.1.78/24 ~ $ smbclient -d2 //newfishnas/data -U generic
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Can't find include file /etc/samba/dhcp.conf
added interface enp4s0 ip=2001:8003:84ed:7d00:5d07:2ebc:26f:5bac bcast= netmask=ffff:ffff:ffff:ffff::
added interface enp4s0 ip=2001:8003:84ed:7d00:ca60:ff:fec4:6eea bcast= netmask=ffff:ffff:ffff:ffff::
added interface enp4s0 ip=192.168.1.78 bcast=192.168.1.255 netmask=255.255.255.0
Enter generic's password: 
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
Got a positive name query response from 192.168.1.2 ( 192.168.1.2 )
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
smb: \> 

Hi
So fire up YaST -> Security and Users -> Firewall -> Allowed Services and on the right select the dropdown ‘Service to Allow’, select Samba Client and hit the add button so it appears in the list, then hit next etc.

Hi Malcom,

I have already allowed the Samba Client service in the firewall. I had this issue when I first installed OpenSUSE and that’s how I fixed it the first time.

Hi
So are ports 137-139 and 445 open on the client when you have the firewall running?

I’ve had to go to work so I’m not at home atm. I’ll check when I get home.

Hi, I’m back now. Is running netstat -lntu the proper way to check this?


fish@FishPC-Linux:192.168.1.78/24 ~ $ netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:30000         0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:55606         0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:1120          0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:35521         0.0.0.0:*               LISTEN      
tcp        0      0 :::139                  :::*                    LISTEN      
tcp        0      0 ::1:631                 :::*                    LISTEN      
tcp        0      0 ::1:25                  :::*                    LISTEN      
tcp        0      0 :::445                  :::*                    LISTEN      
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           
udp        0      0 0.0.0.0:47354           0.0.0.0:*                           
udp        0      0 0.0.0.0:47819           0.0.0.0:*                           
udp        0      0 0.0.0.0:68              0.0.0.0:*                           
udp        0      0 192.168.1.78:123        0.0.0.0:*                           
udp        0      0 127.0.0.1:123           0.0.0.0:*                           
udp        0      0 0.0.0.0:123             0.0.0.0:*                           
udp        0      0 192.168.1.255:137       0.0.0.0:*                           
udp        0      0 192.168.1.78:137        0.0.0.0:*                           
udp        0      0 0.0.0.0:137             0.0.0.0:*                           
udp        0      0 192.168.1.255:138       0.0.0.0:*                           
udp        0      0 192.168.1.78:138        0.0.0.0:*                           
udp        0      0 0.0.0.0:138             0.0.0.0:*                           
udp        0      0 :::5353                 :::*                                
udp        0      0 :::5353                 :::*                                
udp        0      0 :::60350                :::*                                
udp        0      0 2001:8003:84ed:7d00:123 :::*                                
udp        0      0 2001:8003:84ed:7d00:123 :::*                                
udp        0      0 fe80::ca60:ff:fec4::123 :::*                                
udp        0      0 ::1:123                 :::*                                
udp        0      0 :::123                  :::*                                
udp        0      0 :::50058                :::*           

The below output is a little clearer:


fish@FishPC-Linux:192.168.1.78/24 ~ $ sudo netstat -lntup |grep smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1519/smbd           
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1519/smbd           
tcp        0      0 :::139                  :::*                    LISTEN      1519/smbd           
tcp        0      0 :::445                  :::*                    LISTEN      1519/smbd           
fish@FishPC-Linux:192.168.1.78/24 ~ $ sudo netstat -lntup |grep nmbd
udp        0      0 192.168.1.255:137       0.0.0.0:*                           1043/nmbd           
udp        0      0 192.168.1.78:137        0.0.0.0:*                           1043/nmbd           
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1043/nmbd           
udp        0      0 192.168.1.255:138       0.0.0.0:*                           1043/nmbd           
udp        0      0 192.168.1.78:138        0.0.0.0:*                           1043/nmbd           
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1043/nmbd          

On Sat 06 Aug 2016 01:16:02 AM CDT, Ateya wrote:

The below output is a little clearer:

Code:

fish@FishPC-Linux:192.168.1.78/24 ~ $ sudo netstat -lntup |grep smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1519/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1519/smbd
tcp        0      0 :::139                  :::*                    LISTEN      1519/smbd
tcp        0      0 :::445                  :::*                    LISTEN      1519/smbd
fish@FishPC-Linux:192.168.1.78/24 ~ $ sudo netstat -lntup |grep nmbd
udp        0      0 192.168.1.255:137       0.0.0.0:*                           1043/nmbd
udp        0      0 192.168.1.78:137        0.0.0.0:*                           1043/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1043/nmbd
udp        0      0 192.168.1.255:138       0.0.0.0:*                           1043/nmbd
udp        0      0 192.168.1.78:138        0.0.0.0:*                           1043/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1043/nmbd

Hi
You need to scan from a remote machine to see which ones are open, eg
nmap.


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.1|GNOME 3.16.2|4.1.27-27-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

Hi,

Sorry for the late response, here are the results:


generic@NewFishNAS ~ $ sudo nmap -sS -sU -O -p 137-139,445 192.168.1.78/24


Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-07 09:50 AWST
Nmap scan report for 192.168.1.78
Host is up (0.00024s latency).
PORT    STATE         SERVICE
137/tcp closed        netbios-ns
138/tcp closed        netbios-dgm
139/tcp open          netbios-ssn
445/tcp open          microsoft-ds
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed        netbios-ssn
445/udp closed        microsoft-ds
MAC Address: C8:60:00:C4:6E:EA (Asustek Computer)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

On Sun 07 Aug 2016 02:06:01 AM CDT, Ateya wrote:

malcolmlewis;2788029 Wrote:
> Hi
> You need to scan from a remote machine to see which ones are open, eg
> nmap.

Hi,

Sorry for the late response, here are the results:

Code:

generic@NewFishNAS ~ $ sudo nmap -sS -sU -O -p 137-139,445 192.168.1.78/24

Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-07 09:50 AWST
Nmap scan report for 192.168.1.78
Host is up (0.00024s latency).
PORT    STATE         SERVICE
137/tcp closed        netbios-ns
138/tcp closed        netbios-dgm
139/tcp open          netbios-ssn
445/tcp open          microsoft-ds
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed        netbios-ssn
445/udp closed        microsoft-ds
MAC Address: C8:60:00:C4:6E:EA (Asustek Computer)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

Hi
Manually add ports 137 tcp and 138 tcp on the client (YaST firewall ->
allowed service -> advanced button) and see how it goes.

Does seem strange though, maybe tied to the NAS you're using?



Hi,

Just tried adding the ports manually. No change. I doubt it’s the NAS causing the issue as connecting to it from other PCs works fine and I had no problem connecting to it on this computer up until recently.

If I assign my network card to the “internal zone” in the firewall config I can connect to the NAS as well, is there any harm in just leaving it on that setting? Would leaving it on that setting be the same as not having the firewall running as it applies no filtering to the internal zone?

On Mon 08 Aug 2016 12:56:02 AM CDT, Ateya wrote:

malcolmlewis;2788237 Wrote:
> Hi
> Manually add ports 137 tcp and 138 tcp on the client (YaST firewall ->
> allowed service -> advanced button) and see how it goes.
>
> Does seem strange though, maybe tied to the NAS you're using?

Hi,

Just tried adding the ports manually. No change. I doubt it’s the NAS
causing the issue as connecting to it from other PCs works fine and I had
no problem connecting to it on this computer up until recently.

If I assign my network card to the “internal zone” in the firewall
config I can connect to the NAS as well, is there any harm in just
leaving it on that setting? Would leaving it on that setting be the same
as not having the firewall running as it applies no filtering to the
internal zone?

Hi
Yes, it will skip, all strange, I have an apple airport acting as my
NAS, no firewall changes needed to connect…

Maybe remove samba client and see if that helps… else maybe there are
some additional rules.



I’m happy to just use this workaround from now on. But yeah it is very strange. Thank you for all of your help.

Exact same trouble here and it is NOT the NAS. All other computers can see the workgroup and all that's in the workgroup.

Not one single windows box in this place, all linux of one kind or another and one bsd all firewalled.

The only one having problems is opensuse.

Tumbleweed has to have the firewall turned off to see the workgroup. You can connect to the nas in tumbleweed with the nas ip.

It is a firewall problem, period. It shows the proper ports open when you configure the firewall but it will not let samba see any workgroups at all.

Are you sure you have all required ports open for client to be able to establish a connection with the server?

netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

Dixon-DT:/home/gregory # netstat -tulpn | egrep "samba|smbd|nmbd|winbind"
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1953/smbd            
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1953/smbd            
tcp        0      0 :::139                  :::*                    LISTEN      1953/smbd            
tcp        0      0 :::445                  :::*                    LISTEN      1953/smbd            
udp        0      0 192.168.2.255:137       0.0.0.0:*                           1421/nmbd            
udp        0      0 192.168.2.14:137        0.0.0.0:*                           1421/nmbd            
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1421/nmbd            
udp        0      0 192.168.2.255:138       0.0.0.0:*                           1421/nmbd            
udp        0      0 192.168.2.14:138        0.0.0.0:*                           1421/nmbd            
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1421/nmbd        

The above is with the firewall ports open and also 2 custom rules

192.168.2.0/24 tcp all all
192.168.2.0/24 udp all all

With the above 2 custom rules I can browse the workgroup.

Deleting the 2 custom rules and changing nothing else is below and I can NOT see any workgroups but can use the IP to connect.

Dixon-DT:/home/gregory # netstat -tulpn | egrep "samba|smbd|nmbd|winbind"
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1953/smbd            
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1953/smbd            
tcp        0      0 :::139                  :::*                    LISTEN      1953/smbd            
tcp        0      0 :::445                  :::*                    LISTEN      1953/smbd            
udp        0      0 192.168.2.255:137       0.0.0.0:*                           1421/nmbd            
udp        0      0 192.168.2.14:137        0.0.0.0:*                           1421/nmbd            
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1421/nmbd            
udp        0      0 192.168.2.255:138       0.0.0.0:*                           1421/nmbd            
udp        0      0 192.168.2.14:138        0.0.0.0:*                           1421/nmbd            
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1421/nmbd 

The 192.168.2.14 is static for a system running zoneminder which works very well.

All my IPs are static and outside (below) the DHCP range of the router.

Beats me but I see nothing different in the output of the netstat command when I delete the 2 custom rules but it works.

Check that you have the 'ip_conntrack_netbios_ns' module loaded. This allows replies from NetBIOS broadcasts through the firewall (on unprivileged ports) which would otherwise be blocked by iptables.

modprobe ip_conntrack_netbios_ns

That is what I think your issue is due to. :)

This may be of interest to you…

https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.firewall.html#sec.security.firewall.SuSE.yast

In particular…

FW_SERVICES_ACCEPT_RELATED_* (firewall) This is how the SuSEFirewall2 implementation considers packets RELATED by netfilter.
For example, to allow finer grained filtering of Samba broadcast packets, RELATED packets are not accepted unconditionally. Variables starting with FW_SERVICES_ACCEPT_RELATED_ allow restricting RELATED packets handling to certain networks, protocols and ports.
This means that adding connection tracking modules (conntrack modules) to FW_LOAD_MODULES does not automatically result in accepting the packets tagged by those modules. Additionally, you must set variables starting with FW_SERVICES_ACCEPT_RELATED_ to a suitable value.

I note this old bug report mentions

To browse smb shares from your linux system whilst iptables is running you’ll
have to load the “ip_conntrack_netbios_ns” module. This allows netbios
broadcasts sent from your system back through the firewall:

modprobe ip_conntrack_netbios_ns

To have this loaded each time iptables starts add this to
/etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_netbios_ns"
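
Why the ports look open in netstat while workgroup browsing still fails, as an added example that is not part of any post in this thread: a toy Python model of UDP connection tracking, using the thread's client and NAS addresses. The source port, the class and function names, and the simplified accept policy (standing in for a matching FW_SERVICES_ACCEPT_RELATED_* entry) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Conntrack:
    """Toy UDP connection tracker; netbios_helper models ip_conntrack_netbios_ns."""
    def __init__(self, local_net, netbios_helper):
        self.net = ipaddress.ip_network(local_net)
        self.helper = netbios_helper
        self.flows = set()         # reply tuples that exactly mirror a sent packet
        self.expectations = set()  # (ip, port) of senders of a port-137 broadcast

    def outbound(self, p):
        self.flows.add((p.dst, p.dport, p.src, p.sport))
        is_bcast = ipaddress.ip_address(p.dst) == self.net.broadcast_address
        if self.helper and is_bcast and p.dport == 137:
            self.expectations.add((p.src, p.sport))

    def classify(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return "ESTABLISHED"
        from_subnet = ipaddress.ip_address(p.src) in self.net
        if p.sport == 137 and from_subnet and (p.dst, p.dport) in self.expectations:
            return "RELATED"
        return "NEW"

def verdict(state, accept_related):
    """Assumed policy: ESTABLISHED passes, RELATED only if explicitly accepted."""
    if state == "ESTABLISHED" or (state == "RELATED" and accept_related):
        return "ACCEPT"
    return "DROP"

CLIENT, NAS, BCAST = "192.168.1.78", "192.168.1.2", "192.168.1.255"
SPORT = 40000  # constructed ephemeral source port

def browse(netbios_helper, accept_related):
    """Broadcast name query; the NAS answers from its own unicast address."""
    ct = Conntrack("192.168.1.0/24", netbios_helper)
    ct.outbound(Packet(CLIENT, SPORT, BCAST, 137))
    state = ct.classify(Packet(NAS, 137, CLIENT, SPORT))
    return state, verdict(state, accept_related)

def query_by_ip():
    """Unicast query straight to the NAS: the reply mirrors the request."""
    ct = Conntrack("192.168.1.0/24", False)
    ct.outbound(Packet(CLIENT, SPORT, NAS, 137))
    state = ct.classify(Packet(NAS, 137, CLIENT, SPORT))
    return state, verdict(state, False)

if __name__ == "__main__":
    print(browse(False, False), browse(True, False), browse(True, True), query_by_ip())
```

The broadcast reply is only accepted when the helper is loaded and RELATED packets are also allowed, while the unicast case passes either way, which matches the reports above of connecting by IP but not seeing the workgroup.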