Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

I recently installed Leap 15 KDE, and followed the recommendations at https://forums.opensuse.org/content.php/199-Configure-Samba-for-Local-Lan-Workgroup.

Samba works correctly if firewalld is disabled. If firewalld is enabled and active, incoming samba connections work, but outgoing ones do not.

Leap 15’s firewall configuration is a bit different from what is described in the HOWTO. In YaST===>Security and Users===>Firewall (Configure a firewall), I set the network Device to External. I checked services samba and samba-client to be allowed. Service Netbios server seems to not exist.

The smb.conf file is

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
    netbios name = T61-oS15KDE
    workgroup = CANDH
    server string = ""
    name resolve order = bcast host lmhosts wins
    local master = yes
    preferred master = auto
    os level = 65
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
#    logon path = \\%L\profiles\.msprofile
#    logon home = \\%L\%U\.9xprofile
#    logon drive = P:
    usershare allow guests = No
    ldap admin dn = 
    wins server = 
    wins support = No
[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/
[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes
[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No
[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775


What do I need to set to get samba out through the firewall?

Thanks,
Howard

Do you mean that you’re using this machine as a samba server and that remote hosts cannot reach it?

Please show us explicitly how your firewall is configured.

sudo firewall-cmd --zone=public --list-all

Service Netbios server seems to not exist.

Do you mean that your machine is not discoverable as you’d assumed? You should know that NetBIOS network discovery relied on the use of the NT1 (SMB1) protocol. It has well-known security implications so now disabled by default. (However, it can still be enabled if desired.) None of this should stop samba connectivity from working though, assuming client and server can work with SMB2 and SMB3 protocols.

There are several Linux and Win10 machines on the home network. None are set as a samba server that I know of.

Another Linux machine can reach this one with the firewall on, but the reverse connection fails unless the firewall is off. With the firewall on, in Dolphin Network===>Samba Shares returns

Unable to find any workgroups in your local network. This might be caused by an enabled firewall.

howard@linux-unj6:~> sudo firewall-cmd --zone=public --list-all
[sudo] password for root: 
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources: 
  services: dhcpv6-client samba samba-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

howard@linux-unj6:~> 

This is when using wired ethernet and VPN.

I mentioned NetBIOS only because it was mentioned in the HOWTO.

Thanks for starting this as a new thread.

Regards,
Howard

Ok, that is as expected. It is the NetBIOS discovery that has been inhibited as I mentioned before, but that shouldn’t stop you reaching the shares using something like ‘smb://<netbios_name>’ , and of course you can always save the share(s) to ‘Places’ in Dolphin.

You can still use the CLI utility as a discovery tool though…

smbtree

This is when using wired ethernet and VPN.

Just noticed this comment. Can you explain a bit more about your network setup? Can you ping your other samba hosts successfully when the VPN is active?

I haven’t tested or encountered your problem,
But IMO there is a fair chance that if you configured your interface in the home, internal or trusted zones you shouldn’t have any problems.
The External (and public) zones are when you are facing a an unprotected network with threats, and I assume your samba is safely within your LAN protected by a firewall running elsewhere.

For more info on firewalld zones…

https://firewalld.org/documentation/man-pages/firewalld.zones.html

TSU

With the firewall running, I can reach other machines from Dolphin using “smb://IP address/”, but not ‘smb://<netbios_name>’.

That did nothing. I got

howard@T61-oS15KDE:~> smbtree                               
howard@T61-oS15KDE:~>

Thanks.

Incoming ADSL line to modem to router with wired and wireless connections. Connections are wired to Win10 only machine, wired to dual-boot Win10 and Linux Mint 18.2 KDE, several usually wireless laptops dual-boot Win10 and at the moment Mint, and this laptop dual-boot Win10 and openSUSE Leap 15 KDE, now wired because wi-fi is working on only with Win10 (there will be another thread on that). All normally run VPN.

With VPN active on all, I can successfully ping both the wired Win10 machine and the wired Mint 18.2 machine.

Cheers.

Successful ping was with IP address. Ping with netBIOS name gave

howard@T61-oS15KDE:~> ping HP-GB-LM182KDE
ping: HP-GB-LM182KDE: Name or service not known 

Howard

Yes, machines are within LAN. Switching the interface device on this to home zone in the firewall made no difference. Turning off the firewall is the only way for samba to go out.
Howard

Yes, that won’t make a difference if you’ve allowed the requisite services (as your previous output showed). I can’t replicate your issue even with the firewall active (zone public or otherwise). I have no problem resolving netbios names.

Hi Howard. I stand corrected. After thinking this through further, I realised my router’s DNS server function was helping with the name resolution. When I killed DNS on my openSUSE host (by removing /etc/resolv.conf), I then rely only on NetBIOS name resolution, I could no longer ping by name.

I can confirm the same behaviour as you get reflected by attempted lookups…

# systemctl start firewalld
# nmblookup LINUX-N8NK
name_query failed to find name LINUX-N8NK
# systemctl stop firewalld
# nmblookup LINUX-N8NK
192.168.1.12 LINUX-N8NK<00>
#

I’ll need to dig into this further.

The following Archwiki reference helps…

“Browsing” network fails with “Failed to retrieve share list from server” And you are using a firewall (iptables) because you do not trust your local (school, university, hotel) network. This may be due to the following: When the smbclient is browsing the local network it sends out a broadcast request on udp port 137. The servers on the network then reply to your client but as the source address of this reply is different from the destination address iptables saw when sending the request for the listing out, iptables will not recognize the reply as being “ESTABLISHED” or “RELATED”, and hence the packet is dropped. A possible solution is to add:
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

https://wiki.archlinux.org/index.php/samba#.22Browsing.22_network_fails_with_.22Failed_to_retrieve_share_list_from_server.22

If I do this on the fly (with firewall active)…

iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

then suddenly,

~> nmblookup linux-n8nk
192.168.1.12 linux-n8nk<00>

and similarly ‘smb://linux-n8nk’ works with Dolphin.

Next, to incorporate this in firewalld.

The issue described in this thread was also the subject of this Red Hat bug report. Comment #c26](https://bugzilla.redhat.com/show_bug.cgi?id=1297235#c26) onwards discusses the idea of opening source port 137, but discouraged in favour of connection tracking helpers (as the suggested iptables rule does)…

To allow the source port for samba is a work around that opens a big hole in the firewall.

Because of a kernel change it is needed since kernel 4.7 to use the netfilter conntrack helpers in a different way than before. This also applies to the netbios-ns helper that is used for samba. The support for the now required handling of conntrack helpers has been introduced with firewalld version 0.4.4, but there has been an issue with SELinux as firewalld needs to be able to search for kernel modules and to analyse them.

Ok, I’ve found some useful info in ‘man firewall-cmd’

 Automatic Helpers Options
       --get-automatic-helpers
           Print the automatic helpers setting.

       --set-automatic-helpers=value
           For the secure use of iptables and connection tracking helpers it is recommended to turn AutomaticHelpers off. But this might have side effects on other
           services using the netfilter helpers as the sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will be changed. With the system setting, the
           default value set in the kernel or with sysctl will be used. Possible values are: yes, no and system. The default value is system.

           This is a runtime and permanent change and will also reload the firewall to be able to make the helpers usable.

Initially, I got

# cat /proc/sys/net/netfilter/nf_conntrack_helper       
0

After invoking

# firewall-cmd --set-automatic-helpers=yes
success

the following is reported

# cat /proc/sys/net/netfilter/nf_conntrack_helper
1

Now, it should be possible for NetBIOS name resolution to work. :slight_smile:

BTW, this can also be changed using the graphical ‘firewalld-config’ utility: Options > Configure Automatic Helper Assignment > Yes

Are you sure you followed all steps required when modifying firewalld?
And, for such a drastic change as changing zones, I’d even suspect that a reboot would be recommended if not required.
I’d also recommend trying the other 2 zones I suggested as well although I’d be surprised that the “home” zone wasn’t sufficient.

TSU

Outstanding. I had just found the Archwiki reference you mention above, but you went much further.

I made the change with the ‘firewalld-config’ utility, and Dolphin now navigates around the network correctly. I put the device back in the external zone since this laptop roams and connects to networks other than my home one. No reboot needed.

Thanks for all the research and guidance on this. Very helpful. Problem solved.

Best regards,
Howard

Glad to have been of help with this. :slight_smile:

Good job guys ^^

It works ^^

I really need to read documentation about firewalld…