Bug 462307

Summary: /etc/sysconfig/SuSEfirewall2.d/services/samba-server wrong
Product: [openSUSE] openSUSE 11.1 Reporter: Forgotten User taWGjDL4xO <forgotten_taWGjDL4xO>
Component: YaST2 Assignee: The 'Opening Windows to a Wider World' guys <samba-maintainers>
Status: RESOLVED INVALID QA Contact: Jiri Srain <jsrain>
Severity: Major    
Priority: P5 - None CC: forgotten_taWGjDL4xO
Version: Final   
Target Milestone: ---   
Hardware: i586   
OS: openSUSE 11.1   
Whiteboard:
Found By: Community User Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Forgotten User taWGjDL4xO 2008-12-24 05:21:23 UTC
I have so much trouble getting the terminology right that I will be a bit pedantic in this report or I'll get it wrong.

If Samba is to operate in openSUSE 11.1 when SuSEfirewall2 is running, then five entries in the file /etc/sysconfig/SuSEfirewall2 are enabled as follows:

The first is FW_DEV_EXT is set to include the network interface/s
There is a Yast2 tool for this at Security and Users --> Firewall --> Interfaces and it works

The second is FW_SERVICES_EXT_TCP is set to include 139 and 445 (or their respective synonyms netbios-ssn and microsoft-ds)
There is a tool for this at Security and Users --> Firewall --> Allowed Services --> Add Service --> Samba Server and it does not work.
The third is: This tool in past releases (like 11.0) concurrently sets the third parameter FW_SERVICES_EXT_UDP to include 137 and 138 (or their respective synonyms netbios-ns and netbios-dgm). The tool (Allowed Services --> Add Service --> Samba Server) does not work for this either.

NB this is similar to bug 443132 but it is different in that in bug 443132 the problem was that the tool was not present. In my report the tool is present but it does not work.

The fourth is FW_ALLOW_FW_BROADCAST_EXT which must be set to "yes" or for better security to 137 and 138 (or their respective synonyms netbios-ns and netbios-dgm).
There is a tool for this at Security and Users --> Firewall --> Allowed Services --> Add Service --> Samba Server and it does not work. Once again this is similar to bug 443132 except there was no tool there. Here there is a tool but it doesn't work.
There is a second (alternative) tool for this at Firewall --> Broadcast --> External Zone --> here enter netbios-ns and netbios-dgm (or 137 and 138) and click Next. This does work.

The fifth is FW_SERVICES_ACCEPT_RELATED_EXT which is set for a world wide trusted network like 0/0 or with better security to the local LAN e.g. 10.1.1.0/24,udp,137

These then are the tools that do and don't work. There is another tool mentioned in bug 443132 (Network Services --> Samba Server --> Startup --> Firewall). That's covered by the bug report presumably but I can confirm that it still doesn't work.

The really big issue is that the tool "Security and Users --> Firewall --> Allowed Services --> Add Service --> Samba Server" is a make it or break it tool for Samba users. The three settings that it controls can be fixed/set for Samba in a separate/alternate tool: Yast's etc/sysconfig --> Network --> Firewall tool. But that's so difficult for new users as to be of limited use to the point where users mostly just turn the firewall off or abandon Samba.
Comment 1 Forgotten User taWGjDL4xO 2008-12-30 04:44:04 UTC
Leave broadcasts and the connection tracker engine out of consideration for this bug -- they aren't the issue here. I've found the issue and lay it out for you below:

I have checked the text file /etc/sysconfig/SuSEfirewall2 more closely between 10.2, 11.0 and 11.3 to see what is different when the Samba Server tool (located at Yast --> Security and Users --> Allowed Services -->add Samba Server) is used.

In 10.3 and 11.0 the tool causes port designations to be added to the lines FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_TCP and FW_ALLOW_FW_BROADCAST_EXT.
In 11.1 a new approach is used. The tool no longer causes port assignment similar to 10.x, 11.1. Instead it causes the term "samba-server" to be added to the line FW_CONFIGURATIONS_EXT (similar to the way apache and ssh are treated). Putting that phrase in that line doesn't cause any firewall effect yet for Samba and that's where the fix-it focus should be.
Comment 2 Forgotten User taWGjDL4xO 2008-12-30 06:50:14 UTC
OK guys here's how to fix it:
The file samba-server located at /etc/sysconfig/SuSEfirewall.d/services/samba-server as installed via the downloadable DVD contains erroneous settings.

Contents as supplied are:
## Name: Samba Server
## Description: Opens ports for Samba Server.

# space separated list of allowed TCP ports
TCP="netbios-ssn microsoft-ds"

# space separated list of allowed UDP ports
UDP=""

# space separated list of allowed RPC services
RPC=""

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST=""

The correct contents are:
## Name: Samba Server
## Description: Opens ports for Samba Server.

# space separated list of allowed TCP ports
TCP="netbios-ssn microsoft-ds"

# space separated list of allowed UDP ports
UDP="netbios-ns netbios-dgm"

# space separated list of allowed RPC services
RPC=""

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST="netbios-ns netbios-dgm"

So to fix the bug edit the file /etc/sysconfig/SuSEfirewall.d/services/samba-server and add the two port designations: netbios-ns netbios-dgm
into the two lines UDP="" and BROADCAST="" as illustrated

Then the firewall tool for Samba located at Yast --> Security and Users --> Firewall --> Allowed Services --> Add --> Samba Server will work
Comment 3 Forgotten User taWGjDL4xO 2008-12-30 11:02:37 UTC
Correction: in the post immediately above I put a typo in the path.
The correct paths are /etc/sysconfig/SuSEfirewall2.d/services and /etc/sysconfig/SuSEfirewall2.d/services/samba-server

It's too hard to edit and get stuff right here (because I'm careless) so the full fix is described better here:

http://www.swerdna.net.au/lanprimer/fix.html
Comment 4 Lars Müller 2009-01-09 18:27:51 UTC
The settings for the netbios are already correct and stored in /etc/sysconfig/SuSEfirewall2.d/services/netbios-server

I've checked this on an 11.1 installation. Please reopen if /etc/sysconfig/SuSEfirewall2.d/services/netbios-server and /etc/sysconfig/SuSEfirewall2.d/services/samba-server are missing on your 11.1 system.
Comment 5 Forgotten User taWGjDL4xO 2009-01-09 22:04:26 UTC
The new Service and its config file are there and working fine. I had missed its arrival on the scene entirely, my bad.

Thanks
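
The resolution above turns on which service names are enabled, since samba-server carries only the TCP ports and the NetBIOS UDP and broadcast ports live in netbios-server. The following is an added example, not part of the original report or of SuSEfirewall2: a shell check that merges the TCP, UDP and BROADCAST entries of a list of service definition files. The function names are hypothetical, the samba-server sample repeats the file quoted in Comment 2, and the netbios-server sample content is an assumption constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): list which ports a set of
# SuSEfirewall2 service names would open. Files are parsed, never sourced.

# svc_field FILE KEY -> value of KEY="..." from a service definition file
svc_field() {
    sed -n "s/^$2=\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | head -n 1
}

# effective_ports DIR "svc1 svc2 ..." -> merged TCP/UDP/BROADCAST lines
effective_ports() {
    dir=$1; services=$2
    for svc in $services; do
        # a name that is enabled but has no definition file opens nothing
        [ -r "$dir/$svc" ] || echo "MISSING=$svc"
    done
    for key in TCP UDP BROADCAST; do
        merged=""
        for svc in $services; do
            [ -r "$dir/$svc" ] || continue
            merged="$merged $(svc_field "$dir/$svc" "$key")"
        done
        # split on whitespace, de-duplicate, join back on one line
        set -- $(printf '%s\n' $merged | LC_ALL=C sort -u)
        echo "$key=$*"
    done
}

# write_samples DIR: constructed stand-ins for the two service files.
# samba-server matches the report; netbios-server's content is assumed.
write_samples() {
    printf '%s\n' '## Name: Samba Server' 'TCP="netbios-ssn microsoft-ds"' \
        'UDP=""' 'RPC=""' 'IP=""' 'BROADCAST=""' > "$1/samba-server"
    printf '%s\n' '## Name: Netbios Server' 'TCP=""' \
        'UDP="netbios-ns netbios-dgm"' 'RPC=""' 'IP=""' \
        'BROADCAST="netbios-ns netbios-dgm"' > "$1/netbios-server"
}

demo=$(mktemp -d)
write_samples "$demo"
effective_ports "$demo" "samba-server"                  # TCP only
effective_ports "$demo" "samba-server netbios-server"   # adds UDP + broadcast
rm -rf "$demo"
```

On a real system the directory would be /etc/sysconfig/SuSEfirewall2.d/services and the service list would be the value of FW_CONFIGURATIONS_EXT in /etc/sysconfig/SuSEfirewall2.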