Samba vs. Firewall and/or SELinux
Hi all.

I created a smb-share on my el6 for all windows-pcs in my home-network (I'm the only Linux-User in my family) for sharing all the stuff we have, like music and videos and documents. The share will be shown on the other pcs (Windows XP), but they can't open it. The error-message is "Share not found" in our preferred language of course!

SELINUX-CONFIG

sh-4.1# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

/data(/.*)?    system_u:object_r:samba_share_t:s0

FIREWALL-CONFIG (Port 901 is for SWAT)

sh-4.1# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Dec 20 17:28:14 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 901 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
COMMIT
# Completed on Thu Dec 20 17:28:14 2012

SAMBA

"Alice im Wunderland" is the testfile I uploaded with disabled Firewall and disabled SELinux

sh-4.1# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = NETZWERK
        server string = Samba Server Version %v
        security = SHARE
        log file = /var/log/samba/log.%m
        max log size = 50
        cups options = raw

[public]
        comment = hier kannn reinkopiert werden
        path = /data/public
        read only = No
        create mask = 0777
        guest only = Yes
        guest ok = Yes

sh-4.1# cat /etc/samba/smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

sh-4.1# ls -lisah /data/public
total 144M
1703938  12K drwxrwxrwx. 4 nobody users   12K Dec 27 13:39 .
1703937 4.0K drwxr-xr-x. 3 root   root   4.0K Dec 22 19:43 ..
1706985 144M -rwxrw-rw-  1 nobody nobody 144M Dec 27 13:39 Disney_ Alice im Wunderland (1951).mp4
Re: Samba vs. Firewall and/or SELinux
On Thu, Dec 27, 2012 at 8:09 AM, Ibrahim Yurtseven wrote:
> Hi all.
>
> I created a smb-share on my el6 for all windows-pcs in my home-network
> (I'm the only Linux-User in my family) for sharing all the stuff we
> have, like music and videos and documents. The share will be shown on
> the other pcs (Windows XP), but they can't open it. The error-message
> is "Share not found" in our preferred language of course!

What do your family members see with \\ipaddress\, where "ipaddress" is the IP address of the Samba server? And are you using the built-in Samba, or a hand-compiled one?

> SELINUX-CONFIG
> sh-4.1# cat /etc/selinux/targeted/contexts/files/file_contexts.local
> # This file is auto-generated by libsemanage
> # Do not edit directly.
>
> /data(/.*)?    system_u:object_r:samba_share_t:s0

Not relevant with SELinux disabled.

> FIREWALL-CONFIG (Port 901 is for SWAT)
> sh-4.1# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.7 on Thu Dec 20 17:28:14 2012
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 901 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
> COMMIT
> # Completed on Thu Dec 20 17:28:14 2012

Not relevant with firewall turned off temporarily. And strongly, strongly, strongly consider using the "system-config-firewall" tool to manage these, rather than doing them manually.

> SAMBA
> "Alice im Wunderland" is the testfile I uploaded with disabled
> Firewall and disabled SELinux
> sh-4.1# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[public]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
>
> [global]
>         workgroup = NETZWERK
>         server string = Samba Server Version %v
>         security = SHARE
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         cups options = raw
>
> [public]
>         comment = hier kannn reinkopiert werden
>         path = /data/public
>         read only = No
>         create mask = 0777
>         guest only = Yes
>         guest ok = Yes
>
> sh-4.1# cat /etc/samba/smbusers
> # Unix_name = SMB_name1 SMB_name2 ...
> root = administrator admin
> nobody = guest pcguest smbguest
>
> sh-4.1# ls -lisah /data/public
> total 144M
> 1703938  12K drwxrwxrwx. 4 nobody users   12K Dec 27 13:39 .
> 1703937 4.0K drwxr-xr-x. 3 root   root   4.0K Dec 22 19:43 ..
> 1706985 144M -rwxrw-rw-  1 nobody nobody 144M Dec 27 13:39 Disney_ Alice im Wunderland (1951).mp4
Re: Samba vs. Firewall and/or SELinux
Nico Kadel-Garcia wrote:
> What do your family members see with \\ipaddress\, where "ipaddress"
> is the IP address of the Samba server? And are you using the built-in
> Samba, or a hand-compiled one?

I'm using the samba rpms from the official repo, installed with yum.

On "\\ip" they can see my share named "public", but they can't open it with activated SELinux and activated firewall. They have writable access to this share with deactivated firewall and disabled SELinux. So it must be a problem with the firewall and/or SELinux. I think SELinux isn't correctly configured.

> Not relevant with SELinux disabled.
> Not relevant with firewall turned off temporarily.

I want to offer this share with activated firewall and enabled SELinux.

> consider using the "system-config-firewall" tool to
> manage these, rather than doing them manually.

I opened the ports in the frontend, but it won't help!

--
Ibrahim "Arastirmacilar" Yurtseven
2.6.32-279.19.1.el6.i686
Re: Crash in tg3 driver on SL6.3 when interface goes down
On 26/12/12 19:21, Vladimir Mosgalin wrote:

Hello everybody.

For a few months I've been experiencing this problem - it was a bit hard to track because it usually happens only during shutdown, when network interfaces go down, so I just didn't notice it.

A kernel panic happens when one of the interfaces, provided by tg3 driver goes down. "ifdown eth2" is enough to cause it. It doesn't matter if this interface was actively used or even if the link was up - I can unplug the cable, boot up (interface is configured to use dhcp, it will attempt to go up and fail), then execute "ifdown eth2" and system will crash.

It's a bit hard to get the full message of the crash as this happens on the machine which I use for remote logging itself.. The best thing I can get right away are screenshots, however, some of information might be missing on them.

It goes like this on shutdown (or "ifdown eth2", or "service network restart" etc):
1) interfaces are being brought down, at some point eth2 is being brought down
2) nothing happens for about 10 seconds, system appears to be hung
3) lots of lines with call traces appear and scroll through the screen. These are last lines which I captured in screenshot: http://img202.imageshack.us/img202/5459/20121225205828.png
4) about 10 second pause again
5) kernel panic happens, more lines scroll. Again, here are some of the last ones: http://img5.imageshack.us/img5/397/20121225205838.png
6) system hangs completely

This happens on latest kernel-2.6.32-279.19.1.el6.x86_64. It also happened on 2.6.32-279.11.1.el6.x86_64 and 2.6.32-279.14.1.el6.x86_64. It didn't happen in SL6.2 with (official, not from elrepo) kmod-tg3-3.122 package installed which was present in 6.2-fastbugs repository.

I found some information about tg3 crashes like this http://elrepo.org/bugs/view.php?id=315 or this http://bugs.centos.org/view.php?id=5428 but in either case 3.122 version of tg3 driver solved the problem. However, I'm already using 3.122 and still experience crash.

The controller in question is Broadcom NetXtreme BCM5701, PCI-X version which is inserted into PCI-X slot of Supermicro X7SBE. There haven't been any hardware changes lately and it is working stable. I'm pretty sure that this bug has appeared somewhere along the 6.2->6.3 upgrade or in one of the 6.3 kernels. It's a bit hard to track because it appears simply as "hang during reboot or shutdown", which rarely happens for this system, but I'm sure that few months ago it rebooted and powered off just fine.

This is interface used for internet connection. VLANs are not used. There exists sixxs-based IPv6 interface in system, configured to work over this interface. This problem doesn't happen with other (intel e1000e) network interfaces.

$ cat /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
HWADDR=00:02:A5:E7:0A:10
PEERDNS=no
NOZEROCONF=yes

$ ifconfig eth2
eth2      Link encap:Ethernet  HWaddr 00:02:A5:E7:0A:10
          inet addr:
          inet6 addr: fe80::202:a5ff:fee7:a10/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:130906804 errors:0 dropped:0 overruns:0 frame:0
          TX packets:178575110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:83971053482 (78.2 GiB)  TX bytes:205754543966 (191.6 GiB)
          Interrupt:52

$ dmesg|grep '\(eth2\|tg3\)'
tg3.c:v3.122 (December 7, 2011)
tg3 :03:02.0: PCI INT A -> GSI 52 (level, low) -> IRQ 52
tg3 :03:02.0: eth2: Tigon3 [partno(253212-001) rev 0105] (PCIX:133MHz:64-bit) MAC address 00:02:a5:e7:0a:10
tg3 :03:02.0: eth2: attached PHY is 5701 (10/100/1000Base-T Ethernet) (WireSpeed[1], EEE[0])
tg3 :03:02.0: eth2: RXcsums[0] LinkChgREG[0] MIirq[0] ASF[0] TSOcap[0]
tg3 :03:02.0: eth2: dma_rwctrl[76db000f] dma_mask[64-bit]
ADDRCONF(NETDEV_UP): eth2: link is not ready
tg3 :03:02.0: eth2: Link is up at 100 Mbps, full duplex
tg3 :03:02.0: eth2: Flow control is on for TX and on for RX
ADDRCONF(NETDEV_CHANGE): eth2: link becomes ready

Does anyone know some solution or workaround? I'm fine with installing other version of this driver from kmod (if I knew where to get better version), but not very comfortable with using kernel-3.5/3.6/3.7 etc from elrepo.

Elrepo has an updated kmod package for the tg3 driver you could try. With elrepo installed; yum install kmod-tg3 and reboot. If it doesn't fix the issue, try giving the elrepo folks a ping to see if there is a more recent version you could try that might fix the issue.

Hope that helps.
Re: Samba vs. Firewall and/or SELinux
Earl A Ramirez wrote:
> What is the output of ls -dZ /data/public

sh-4.1$ ls -dZ /data/public
drwxrwxrwx. nobody nobody system_u:object_r:samba_share_t:s0 /data/public

--
Ibrahim "Arastirmacilar" Yurtseven
2.6.32-279.19.1.el6.i686
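An added offline check, not from this thread or from any of its posters, covering the two things the thread turns on: whether the saved iptables ruleset accepts the four ports Samba listens on and whether the share path carries the samba_share_t type. It parses the iptables-save and ls -dZ output quoted in the thread, embedded here as constructed sample strings; the port list and the parsing are my own, not Samba's or the poster's.

```python
import re

# Ports a Samba server must accept: NetBIOS name (137/udp), datagram (138/udp),
# session (139/tcp) and direct-hosted SMB (445/tcp). 901/tcp is SWAT only.
SAMBA_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Constructed sample: the /etc/sysconfig/iptables ruleset shown in the thread.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 901 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
COMMIT
"""

# Constructed sample: the 'ls -dZ /data/public' line shown in the thread.
LS_Z = "drwxrwxrwx. nobody nobody system_u:object_r:samba_share_t:s0 /data/public"

# One INPUT rule in iptables-save syntax that accepts a single destination port.
RULE_RE = re.compile(r"^-A INPUT .*-p (tcp|udp) .*--dport (\d+) .*-j ACCEPT$")

def accepted_ports(iptables_save: str) -> set:
    """Return the (proto, port) pairs the INPUT chain explicitly accepts."""
    found = set()
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def missing_samba_ports(iptables_save: str) -> set:
    """Samba ports that have no ACCEPT rule in the INPUT chain."""
    return SAMBA_PORTS - accepted_ports(iptables_save)

def share_type(ls_z_line: str) -> str:
    """Extract the SELinux type (third field of user:role:type:level) from an 'ls -dZ' line."""
    for field in ls_z_line.split():
        if field.count(":") >= 3:
            return field.split(":")[2]
    raise ValueError("no SELinux context in: " + ls_z_line)

def check_share(iptables_save: str, ls_z_line: str) -> list:
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    for proto, port in sorted(missing_samba_ports(iptables_save)):
        findings.append(f"firewall: no ACCEPT rule for {proto}/{port}")
    if share_type(ls_z_line) != "samba_share_t":
        findings.append("selinux: share path is not labelled samba_share_t")
    return findings

if __name__ == "__main__":
    for finding in check_share(IPTABLES_SAVE, LS_Z) or ["both checks pass"]:
        print(finding)
```

For the thread's own dumps both checks pass, which is consistent with the posters' conclusion that the ruleset and the file label as shown are not what blocks the share.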
Re: SL 6.3 doesn't no network present until user logs in on GUI
On Fri, Dec 14, 2012 at 10:33 PM, Nico Kadel-Garcia wrote:
> On Thu, Dec 13, 2012 at 2:58 PM, Konstantin Olchanski wrote:
>> On Wed, Dec 12, 2012 at 09:19:05PM -0500, Nico Kadel-Garcia wrote:
>>>
>>> Since it's packaged as the default from the upstream vendor
>>> distribution, and since the "system-config-network" tool from the
>>> upstream vendor provides no ability to access or manipulate this
>>> feature or numerous others, ...
>>
>> Complaint rejected.
>>
>> RTFM the "Deployment Guide", section "Networking".
>>
>> It tells you to use "nm-connection-editor". It even explains all this
>> business of "system" and "user" network connections.
>>
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/part-Networking.html
>
> You've apparently read the document. I'll withdraw the complaint that
> there is no way to turn it off. But having to install and activate
> NetworkManager, and run the X applications to turn off this misfeature
> is. well, it's not our favorite upstream vendor's proudest
> moment. It's particularly problematical on limited environment
> features such as KVM servers where you *should not* be running
> graphical logins because they suck resources away from more critical
> applications.
>
>> P.S. system-config-network is gone, but of late, it was simpler
>> to "vi /etc/sysconfig/network-scripts/ifcfg-ethX", and "Look Ma! Vi those
>> files directly still works, even with the NetworkManager!"
>
> Unfortunately, ifcfg-eth* is not a reliable convention. KVM bridges,
> for example, may be named almost any arbitrary suffix. Pair bonded
> devices and wireless devices and PPP connections add other
> possibilities: it adds up to confusion.

NM in F-17/F-18 understands ifcfg files defining bonds, bridges, vlans.

I've installed an X-less F-18 and uninstalled NM without a hitch so it's still uninstallable (but I didn't try to do so with GNOME or another DE installed), so it *SHOULD* still be uninstallable in EL-7.

Since you're so enamored with NM, I look forward to your reaction to firewalld when you move to EL-7. :)
Re: SL 6.3 doesn't no network present until user logs in on GUI
On Thu, Dec 27, 2012 at 10:05 AM, Tom H wrote:
> NM in F-17/F-18 understands ifcfg files defining bonds, bridges, vlans.
>
> I've installed an X-less F-18 and uninstalled NM without a hitch so
> it's still uninstallable (but I didn't try to do so with GNOME or
> another DE installed), so it *SHOULD* still be uninstallable in EL-7.
> Since you're so enamored with NM, I look forward to your reaction to
> firewalld when you move to EL-7. :)

Since F-18 is only in beta, not released yet, I'll reserve judgment until it's actually published. So far, from F-17, I'm afraid the switch to SL 7 is going to be pretty painful. The switch to "systemd" instead of "initscripts", and the switch from "/bin" and "/sbin" to "/usr/bin" and "/usr/sbin" for numerous core utilities are going to create a serious burden for people doing cross-platform work. Revising the network component layout is going to be even more delightful. The need for more sophisticated tools and discard of some of the complex old hackery is understandable, it's just going to be hard.
BIND: How to reply rev lookup with hostname and not FQDN
Hello geniuses!

I'm running SL carbon here and BIND. There is one piece of software I need to install, that is failing as follows:

When I configure its TCP/IP settings, the hostname I give to it is ucm9pub (I can't even add the domain name, it rejects the dots). From a packet capture I see the response from the DNS server as hostname.domain.ext, and that is why I believe the install fails the reverse lookup.

How can I reduce the response from BIND to spit out only the hostname? Like, just ucm9pub instead of ucm9pub.domain.ext?

Thanks!

José Pablo Méndez
Re: BIND: How to reply rev lookup with hostname and not FQDN
Sorry, forgot to add the error I get:

"Host Name returned by DNS Server for IP address does not agree with the locally defined hostname. There is a configuration mismatch."

José Pablo Méndez

On Thu, Dec 27, 2012 at 7:42 PM, José Pablo Méndez Soto wrote:
> Hello geniuses!
>
> I'm running SL carbon here and BIND. There is one piece of software I need
> to install, that is failing as follows:
>
> When I configure its TCP/IP settings, the hostname I give to it is ucm9pub
> (I can't even add the domain name, it rejects the dots). From a packet
> capture I see the response from the DNS server as hostname.domain.ext, and
> that is why I believe the install fails the reverse lookup.
>
> How can I reduce the response from BIND to spit out only the hostname?
> Like, just ucm9pub instead of ucm9pub.domain.ext?
>
> Thanks!
>
> José Pablo Méndez
Re: BIND: How to reply rev lookup with hostname and not FQDN
On Thu, Dec 27, 2012 at 8:42 PM, José Pablo Méndez Soto wrote:
> Hello geniuses!
>
> I'm running SL carbon here and BIND. There is one piece of software I need
> to install, that is failing as follows:
>
> When I configure its TCP/IP settings, the hostname I give to it is ucm9pub
> (I can't even add the domain name, it rejects the dots). From a packet
> capture I see the response from the DNS server as hostname.domain.ext, and
> that is why I believe the install fails the reverse lookup.
>
> How can I reduce the response from BIND to spit out only the hostname? Like,
> just ucm9pub instead of ucm9pub.domain.ext?
>
> Thanks!

In order for reverse DNS to spit out only the hostname, you'd basically have to break it and set up a DNS domain that is just the short name. It's feasible to take the output of "host IPADDRESS" and parse it to strip off the domain, if it matches.

Why do you want to do this?
Re: BIND: How to reply rev lookup with hostname and not FQDN
On Thu, Dec 27, 2012 at 8:45 PM, José Pablo Méndez Soto wrote:
> Sorry, forgot to add the error I get:
>
> "Host Name returned by DNS Server for IP address does not agree with the
> locally defined hostname. There is a configuration mismatch."

Your local hostname should be a fully qualified hostname. If it's not, lots of software can have interesting issues.
Re: BIND: How to reply rev lookup with hostname and not FQDN
Not following. You suggest to program BIND to strip off the domain if the query comes from certain IP?

I am trying to install the server but getting the error I posted on my 2nd email. I am getting from the situation described, that the hostname is not matching the FQDN.

José Pablo Méndez

On Thu, Dec 27, 2012 at 8:22 PM, Nico Kadel-Garcia wrote:
> On Thu, Dec 27, 2012 at 8:45 PM, José Pablo Méndez Soto wrote:
> > Sorry, forgot to add the error I get:
> >
> > "Host Name returned by DNS Server for IP address does not agree with the
> > locally defined hostname. There is a configuration mismatch."
>
> Your local hostname should be a fully qualified hostname. If it's not,
> lots of software can have interesting issues.
Re: BIND: How to reply rev lookup with hostname and not FQDN
Ah silly me... I was configuring the reverse zone file to return the FQDN. So, to achieve what I wrote this email thread for initially, it's a matter of changing the PTR line for this specific server/record, from

10 IN PTR ucm9pub.arda.inet.

to

10 IN PTR ucm9pub.

However, I got this fixed by doing a full restart of named instead of small reloads. Turns out, the reply from BIND was appending the in.arpa-net to the FQDN, and here is where the other software was complaining. To avoid appending that suffix, there must be a dot at the end of

10 IN PTR ucm9pub.arda.inet.

However, for some reason it was there before, and the reloads were not applying it. I got it to work by using the above line and service named restart.

Thanks,

José Pablo Méndez

On Thu, Dec 27, 2012 at 9:26 PM, José Pablo Méndez Soto wrote:
> Not following. You suggest to program BIND to strip off the domain if the
> query comes from certain IP?
>
> I am trying to install the server but getting the error I posted on my 2nd
> email. I am getting from the situation described, that the hostname is not
> matching the FQDN.
>
> José Pablo Méndez
>
> On Thu, Dec 27, 2012 at 8:22 PM, Nico Kadel-Garcia wrote:
>
>> On Thu, Dec 27, 2012 at 8:45 PM, José Pablo Méndez Soto wrote:
>> > Sorry, forgot to add the error I get:
>> >
>> > "Host Name returned by DNS Server for IP address does not agree with the
>> > locally defined hostname. There is a configuration mismatch."
>>
>> Your local hostname should be a fully qualified hostname. If it's not,
>> lots of software can have interesting issues.
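The behaviour the poster ran into is BIND's zone-file name rule: a name without a trailing dot is relative and gets the zone origin appended, so a PTR target written as ucm9pub.arda.inet inside a reverse zone comes back as ucm9pub.arda.inet.<origin>. The added example below (mine, not BIND's code or the poster's) applies that rule to PTR lines and lints a zone for relative targets; the reverse-zone origin 0.0.10.in-addr.arpa., the ns1/hostmaster names and the SOA values are constructed placeholders, while ucm9pub.arda.inet comes from the thread.

```python
# Constructed reverse-zone origin; only ucm9pub.arda.inet is taken from the thread.
ORIGIN = "0.0.10.in-addr.arpa."
EXPECTED = "ucm9pub.arda.inet."          # the FQDN the installer compares against

BROKEN = "10 IN PTR ucm9pub.arda.inet"   # no trailing dot: relative to ORIGIN
FIXED = "10 IN PTR ucm9pub.arda.inet."   # trailing dot: absolute, returned as-is

# Constructed zone fragment mixing one relative and one absolute PTR target.
ZONE = """\
$TTL 86400
@   IN SOA ns1.arda.inet. hostmaster.arda.inet. ( 2012122701 3600 900 604800 86400 )
    IN NS  ns1.arda.inet.
10  IN PTR ucm9pub.arda.inet     ; missing trailing dot
11  IN PTR ns1.arda.inet.
"""

def absolutize(name: str, origin: str) -> str:
    """BIND's rule: '@' is the origin, a trailing dot means absolute, else append origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"

def parse_ptr(line: str, origin: str) -> tuple:
    """Parse 'OWNER [TTL] [CLASS] PTR TARGET' into (absolute owner, absolute target)."""
    fields = line.split(";")[0].split()    # drop a trailing comment
    if "PTR" not in fields or fields.index("PTR") + 1 >= len(fields):
        raise ValueError("not a complete PTR record: " + line)
    owner, target = fields[0], fields[fields.index("PTR") + 1]
    return absolutize(owner, origin), absolutize(target, origin)

def ptr_matches(line: str, origin: str, expected: str) -> bool:
    """True if the name BIND would answer with equals the FQDN the client expects."""
    return parse_ptr(line, origin)[1] == expected

def relative_ptr_targets(zone_text: str) -> list:
    """Lint: (line number, target) for PTR targets BIND will silently qualify with the origin."""
    bad = []
    for n, line in enumerate(zone_text.splitlines(), 1):
        fields = line.split(";")[0].split()
        if "PTR" in fields and fields.index("PTR") + 1 < len(fields):
            target = fields[fields.index("PTR") + 1]
            if not target.endswith("."):
                bad.append((n, target))
    return bad

if __name__ == "__main__":
    print("broken answer:", parse_ptr(BROKEN, ORIGIN)[1])
    print("fixed answer: ", parse_ptr(FIXED, ORIGIN)[1])
    print("relative targets:", relative_ptr_targets(ZONE))
```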
Figured out my flash-plugin problem
Hi All,

Figured out my flash-plugin problem:

If you are using flash-plugin higher than 11.1.102.63 and you are getting reversed colors and artifacts in Firefox, open a flash video, right click in the video while it is playing, go to "settings", "Display" (tab), unclick "Enable hardware acceleration".

Hope this helps someone else,
-T