[Samba] Apparent bug remains in v4.0.7 - Hosts allow parameter causing errors and very slow MS Office document access

Phil Quesinberry
Jul 4, 2013, 12:50:54 AM

From smb.conf:
hosts allow = 10.0.0. 127.

Same story using the following syntax instead:
hosts allow = 10.0.0.0/24 127.0.0.1/8

If I comment out the hosts allow line, the slow MS Office document access
and most of the errors in the log go away.

From log.samba:
[2013/07/04 00:15:52, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2013/07/04 00:15:52, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2013/07/04 00:16:03, 0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/07/04 00:16:03, 0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
[2013/07/04 00:16:03, 0] ../source4/lib/socket/access.c:356(socket_check_access)
  socket_check_access: Denied connection to 'smbd' from LOCAL/unixdom (LOCAL/unixdom)
...
(dozens to hundreds of these "Denied connection to smbd" messages per second)

From log.smbd:
[2013/07/04 00:17:11.857930, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Broken pipe
[2013/07/04 00:17:11.860705, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Broken pipe
[2013/07/04 00:17:37.207795, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer
[2013/07/04 00:17:37.210691, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer
[2013/07/04 00:17:37.213195, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer
[2013/07/04 00:17:37.219431, 1] ../source3/rpc_server/rpc_ncacn_np.c:622(make_external_rpc_pipe_p)
  tstream_npa_connect_recv to /usr/local/samba/var/run/ncalrpc/np for pipe wkssvc and user HERSCHLAUREN\vquesinberry failed: Connection reset by peer

I just compiled and am now running 4.0.7 stable, but the problem was also
present in 4.0.6. We'd like to be able to use the hosts allow parameter to
ensure that no one outside the LAN can access the server, but I can always
use iptables to do the job if necessary.

Testparm output:
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[hldata]"
Processing section "[C]"
Processing section "[D]"
Processing section "[MacData]"
Processing section "[QBooks]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions

[global]
workgroup = HERSCHLAUREN
realm = HERSCHLAUREN.COM
server string = HerschLinux
server role = active directory domain controller
passdb backend = samba_dsdb
max log size = 524288
deadtime = 15
add machine script = /usr/sbin/useradd -n -g machines -d /dev/null -s /sbin/nologin %u
preferred master = Yes
domain master = Yes
wins support = Yes
allow dns updates = nonsecure and secure
dns forwarder = 10.0.0.1
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
idmap config * : backend = tdb
invalid users = nobody, root
hosts allow = 10.0.0., 127.
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4, acl_xattr

[netlogon]
path = /usr/local/samba/var/locks/sysvol/herschlauren.com/scripts

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[homes]
path = /home
read only = No

[hldata]
comment = Data directory for entire Windows share (Samba)
path = /hldata
valid users = *CENSORED*
read only = No

[C]
comment = C: Drive
path = /hldata/C
valid users = *CENSORED*

[D]
comment = D: Drive
path = /hldata/D
valid users = *CENSORED*
read only = No

[MacData]
comment = MacData directory
path = /hldata/D/D Drive/MacData
valid users = *CENSORED*
read only = No

[QBooks]
comment = QuickBooks directory
path = /hldata/D/D Drive/qbooks
valid users = *CENSORED*

[printers]
comment = All Printers
path = /usr/local/samba/var/spool
printable = Yes
print ok = Yes
browseable = No

[print$]
comment = Point and Print Printer Drivers
path = /usr/local/samba/var/print


Regards,

Phil Quesinberry
Q Systems Engineering, Inc.
Embedded Hardware/Software Development and VoIP Business Telephone Hosting
Improve your business telephone services and save money
(410) 969-8002
http://www.qsystemsengineering.com
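
Added example (not part of the original post, and not Samba code): a Python triage of log.samba text that counts socket_check_access denials per peer and evaluates each peer against the two hosts allow forms quoted in the post. The matcher is a simplified model that covers only prefix, CIDR and exact-address entries, and the sample log, including the 192.0.2.44 peer, is constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the log.samba excerpt in the post (line-wrapped
# as mail clients deliver it); the 192.0.2.44 peer is invented for contrast.
_ENTRY = ("[2013/07/04 00:16:03, 0]\n"
          "../source4/lib/socket/access.c:356(socket_check_access)\n"
          "socket_check_access: Denied connection to 'smbd' from {0}\n({0})\n")
SAMPLE_LOG = _ENTRY.format("LOCAL/unixdom") * 3 + _ENTRY.format("192.0.2.44")

HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)[^\]]*\]")
DENIED = re.compile(r"Denied connection to '([^']+)' from (\S+)")

def parse_ip(peer):
    try:
        return ipaddress.ip_address(peer)
    except ValueError:
        return None  # e.g. the LOCAL/unixdom label: not an IP address

def allowed(peer, hosts_allow):
    """Simplified model: only 'a.b.c.' prefix, CIDR and exact-IP entries."""
    ip = parse_ip(peer)
    if ip is None:
        return False  # a non-IP peer cannot match an address-based entry
    for entry in re.split(r"[,\s]+", hosts_allow.strip()):
        if entry.endswith("."):
            hit = str(ip).startswith(entry)
        elif "/" in entry:
            hit = ip in ipaddress.ip_network(entry, strict=False)
        else:
            hit = entry == str(ip)
        if hit:
            return True
    return False

def triage(log_text):
    """Count denials per (timestamp, peer); split local labels from IP peers."""
    parts = HEADER.split(log_text)  # ['', ts1, body1, ts2, body2, ...]
    counts = Counter()
    for ts, body in zip(parts[1::2], parts[2::2]):
        m = DENIED.search(" ".join(body.split()))  # undo mail line wrapping
        if m:
            counts[(ts, m.group(2))] += 1
    local = {k: n for k, n in counts.items() if parse_ip(k[1]) is None}
    remote = {k: n for k, n in counts.items() if parse_ip(k[1]) is not None}
    return local, remote
```

In this model both hosts allow forms from the post accept LAN and loopback addresses, and neither can match the LOCAL/unixdom peer label that appears in the denial messages.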
