Configuring Samba for local lan workgroup

Reading https://forums.opensuse.org/content.php/199-Configure-Samba-for-Local-Lan-Workgroup
there is a section “Configure the Firewall for Samba”

There it reads “Set your network services: Go To Yast ==> Security & users ==> Firewall ==> Allowed Services ==> set these allowed services: Netbios server, Samba client, Samba server.”

On a recent clean install of Opensuse leap 15.1 in “firewall configuration”, the only services are “samba” and “samba-client”. I guess “samba” == “Samba Server” but what is the equivalent of “Netbios server”?

I ask because I am trying to use smbtree to browse my current network accessible samba shares (Linux and Windows). I have enabled both “samba” and “samba-client” on the zone “internal” to which my eth0 is allocated. If I have the firewall enabled and use “smbtree -b -d 3” I get:

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section “[global]”
directory_create_or_exist_strict: invalid ownership on directory /var/lib/samba/lock/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.
Unable to initialize messaging context
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section “[global]”
added interface eth0 ip=192.168.111.88 bcast=192.168.111.255 netmask=255.255.255.0
name_resolve_bcast: Attempting broadcast lookup for name MSBROWSE<0x1>

i.e. NO shares showing.

If I disable the firewall I get (too verbose with the -d 3) but showing all my shares.

smbtree -b -d
Unable to initialize messaging context
WORKGROUP
\TIGRU tigru
\TIGRU\IPC$ IPC Service (tigru)
\TIGRU\home Home
\TIGRU\surveillance
\TIGRU\homes System default share
\TIGRU\gilliansfolder A place to keep non-photo-non-music junk
\TIGRU\raysfolder junk drop from all computers
\TIGRU\Network Recycle Bin 1 [RAID5 Disk Volume: Drive 1 2 3]
\TIGRU\Public System default share
\TIGRU\Usb System default share
\TIGRU\Web System default share
\TIGRU\Recordings System default share
\TIGRU\Download System default share
\TIGRU\Multimedia System default share
\SUKI Rays portable Windows
\LINUXTWO Samba 4.2.4-3.54.2-3638-SUSE-oS13.1-i386
\LINUXTWO\Officejet_Pro_8600 Officejet_Pro_8600
\LINUXTWO\Officejet_Pro_8600_fax Officejet_Pro_8600_fax
\LINUXTWO\IPC$ IPC Service (Samba 4.2.4-3.54.2-3638-SUSE-oS13.1-i386)
\LINUXTWO\rayshomel2 linuxtwo home for ray
\LINUXTWO\print$ Printer Drivers
\LINUXTWO\users All users
\LINUXTWO\profiles Network Profiles Service
\DECOBERTLOCAL Netbios-Arada 0.9.10
\CATS Samba 4.9.5-git.149.9593f64a5c3lp151.1.3-SUSE-oS
\CATS\IPC$ IPC Service (Samba 4.9.5-git.149.9593f64a5c3lp151.1.3-SUSE-oS15.0-x86_64)
\CATS\catsdl Downloads on cats
\CATS\print$ Printer Drivers
\CATS\groups All groups
\CATS\users All users
\CATS\profiles Network Profiles Service
\ANN-HP

So, the firewall is interfering with smbtree activities on the network. If I turn on dropped packet logging I get a packet dropped every time I run smbtree (6 times shown below) with firewall enabled viz:

Jul 14 12:04:16 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=44195 DF PROTO=UDP SPT=137 DPT=38345 LEN=70
Jul 14 12:10:14 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=2470 DF PROTO=UDP SPT=137 DPT=48070 LEN=70
Jul 14 12:13:11 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=3793 DF PROTO=UDP SPT=137 DPT=35594 LEN=70
Jul 14 12:20:41 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=42352 DF PROTO=UDP SPT=137 DPT=58558 LEN=70
Jul 14 12:33:22 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=52327 DF PROTO=UDP SPT=137 DPT=59941 LEN=70
Jul 14 12:54:15 cats kernel: FINAL_REJECT: IN=eth0 OUT= MAC=f4:6d:04:9c:b7:aa:00:40:f4:d1:5b:9d:08:00 SRC=192.168.111.254 DST=192.168.111.88 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=40772 DF PROTO=UDP SPT=137 DPT=44976 LEN=70

The destination ports vary a lot, the source is always 137 which is one of the smb ports. The destination is the computer “cats” (192.168.111.88) and the source is the master browser (and router). Cats is rejecting UDP messages from the master browser.
How can I stop it dropping them? Is this related to “Netbios server” service that I cannot find to enable in the firewall? Obviously I could just turn off the firewall, but I would prefer not.

Thank you in advance for any help you can give.

I think I might have found a culprit for this. Looking at the logs I see:

cats kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

Perhaps this means that the conntrack_netbios_ns helper has not been used. That is, the Opensuse developers have decided to turn off automatic helper assignment but have not included a firewall rule using CT target to load it.

It exists in the system i.e. lsmod|grep netbios gives:

nf_conntrack_netbios_ns 16384 2
nf_conntrack_broadcast 16384 1 nf_conntrack_netbios_ns
nf_conntrack 155648 11 nf_conntrack_ipv6,nf_conntrack_ipv4,nf_conntrack_broadcast,nf_conntrack_sane,nf_conntrack_netlink,nf_conntrack_netbios_ns,xt_CT,nf_nat_ipv6,xt_conntrack,nf_nat_ipv4,nf_nat

I don’t think I have the necessary knowledge to patch that into the firewall rules. I looked at https://home.regit.org/netfilter-en/secure-use-of-helpers/ but it is beyond my capability to translate that into what I do in an Opensuse GUI.
Anybody any suggestions?

Which firewall? 15.1 has transitioned to firewalld. If you arrived via upgrades, it may be possible you are still trying to use susefirewall.

Hi Gogalthorp, I am pretty sure I am using firewalld. I only installed 15.1 from the distribution media a few days ago. I am trying to get it at least as good functionally as 42.3 was.

Here is the output of “systemctl status firewalld”:

● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2019-07-14 16:07:11 CEST; 1h 30min ago
Docs: man:firewalld(1)
Main PID: 28819 (firewalld)
Tasks: 2 (limit: 4915)
CGroup: /system.slice/firewalld.service
└─28819 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

I configured it using YAST under the heading of “firewall”. However, it tells me nothing about which firewall is in use. Nor does it tell me just what rules are invoked when I enable “samba client”.
Therefore I installed firewall-config. There it shows exactly the same services as the YAST plugin but more options. There I can see helpers. It also tells me that the automatic helpers are off. I think I might try turning them on and seeing what happens.
Thanks for your attention.

Suspicions confirmed, when I used firewall-config to turn on the automatic helpers, the browse now works with the firewall on.

Unfortunately, the YAST firewall module for firewalld has no such option. I guess that there is a file somewhere with the necessary configuration.

It looks like the YAST firewall module has been “simplified” i.e. no longer much use.

I may just make the helpers automatic permanently rather than try to get Opensuse 15.1 changed to work out of the box for samba browsing.
I suspect that someone will have to make changes to the service “samba client” to add in CT rules. With the YAST module you cannot see what rules are added for this service although there are command line tools plus diff I suppose.

I am not skilled enough in iptables to do that myself.
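
Added example, not part of the original posts: a shell sketch that picks the dropped NetBIOS name-service replies out of FINAL_REJECT log lines and prints a firewalld direct rule that attaches the netbios-ns conntrack helper only to outgoing UDP/137 queries, as a narrower alternative to enabling automatic helpers globally. The sample log lines are constructed from the ones quoted above, the function names are hypothetical, and the rule assumes firewalld is using its iptables backend.

```shell
#!/bin/sh
# Constructed sample modelled on the FINAL_REJECT lines in the thread
# (shortened; the third line is an unrelated reject added for contrast).
SAMPLE='Jul 14 12:04:16 cats kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.111.254 DST=192.168.111.88 LEN=90 PROTO=UDP SPT=137 DPT=38345 LEN=70
Jul 14 12:10:14 cats kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.111.254 DST=192.168.111.88 LEN=90 PROTO=UDP SPT=137 DPT=48070 LEN=70
Jul 14 12:11:02 cats kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.168.111.20 DST=192.168.111.88 LEN=60 PROTO=TCP SPT=51515 DPT=23 LEN=40'

# Read kernel log lines on stdin and count rejected packets that look like
# NetBIOS name-service replies: UDP, source port 137, unprivileged
# destination port. Prints one "SRC COUNT" line per sender.
nbns_reply_rejects() {
    awk '/FINAL_REJECT/ {
        src = ""; proto = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "SPT")   spt = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        if (proto == "UDP" && spt + 0 == 137 && dpt + 0 >= 1024) n[src]++
    }
    END { for (s in n) print s, n[s] }' | sort
}

# Print (do not run) the firewalld direct rule that attaches the netbios-ns
# helper to outgoing name queries only. With the helper attached, replies to
# the broadcast query are tracked as RELATED and pass the normal
# RELATED,ESTABLISHED accept rule. Assumes the iptables backend; run it as
# root and follow with "firewall-cmd --reload".
helper_rule() {
    printf '%s\n' "firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 0 -p udp --dport 137 -j CT --helper netbios-ns"
}

printf '%s\n' "$SAMPLE" | nbns_reply_rejects
helper_rule
```

On a live system, feed the first function from the kernel log instead of the sample, for example `journalctl -k | nbns_reply_rejects`.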