[PC-BSD Testing] Testing Digest, Vol 33, Issue 20

Ian Robinson fitchkendall at gmail.com
Mon Oct 19 11:52:17 PDT 2009


Dru Lavigne said:

> When sharing with Samba, the current firewall rules are blocking smb as I
> had to disable the firewall in order to use smb:/
> However, I still could not see the shares, so there are additional Samba
> settings required.

==================================================

I had the same problems with NFS & Samba several versions ago and reported
this on Ticket #6 ( http://trac.pcbsd.org/ticket/6 ).  I determined that pf
was creating a blocking problem and that the default Samba configuration
file needed some adjustments.

1.  PF Solution:

I posted the pf solution at
http://forums.pcbsd.org/viewtopic.php?f=1&t=12998&hilit=+NFS , where I said:

"I had wrestled for a long time trying to connect client computers to my
pcbsd server using NFS and Samba. The problem was that the client computers
could not penetrate the server's pf firewall. I had to disable the firewall
until I figured it out.

Finally, I learned how to preserve the protection of a firewall while letting
network traffic pass in and out. I discussed this near the end of the topic
labeled "Quick and not so dirty way to use NFS and Samba" to which I referred
you at http://forums.pcbsd.org/viewtopic.php?f=24&t=10362

pf.conf needed only two critical lines identifying the name of the network
interface card, the tcp/ip address and netmask of the network. One line lets
information "pass in" through the firewall. The other line lets information
"pass out".

Here is the relevant excerpt about modifications to pf.conf on the server
side:
Part 2. ========= Modify /etc/pf.conf (SERVER) ===========
# at the top of the file, define a macro variable to identify the local
# network
#
lan = "192.168.1.0/24"
#

At the end of the file, add lines to pass all traffic to/from local network.
Notice the local network is identified here as the macro variable $lan.
Here, xl0 is the network interface card (NIC)

#
pass in on xl0 from $lan to any keep state
pass out on xl0 from any to $lan keep state
#
I'm guessing that you are having the same problem. So, edit the
original pf.conf to put in those three lines of code"

2.  Samba Solution:

I published the Samba adjustments at
http://forums.pcbsd.org/viewtopic.php?f=24&t=10362&hilit=+NFS where I said:

"Part 5. =================== Modify /usr/local/etc/smb.conf (Server) ======================

[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
   workgroup = MYGROUP  <------------------------------------ (change to your Windows workgroup)

# server string is the equivalent of the NT Description field
   server string = Samba Server   <---------------------------(change to meet your naming needs)

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
   security = user   <------------------------------------ (change to security = share )

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 192.168.1.  127.    <-----------(change to match the 1st three parts of your network tcp address, keep 127. )

                 * * *

[homes]

   comment = Home Directories
   browseable = no
   writable = yes

              * * *

[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
printable = yes
#
# >>> Custom Additions to Locate Files and Permit Access <<<==============================
#
[FK_SERVER]                   <------------------- Section Label, here w/ my server's name
    comment = general user documents and files
    path = /server_files         <------------------ Path to location of the files you want to share
    public = yes
    read only = no
    writeable = yes
    browseable = yes
    guest ok = yes
    available = yes
    guest account = nobody
    force group = nogroup
    force user = nobody
    create mask = 0777
    directory mask = 0777
    nt acl support = No
#
#  End Samba Changes"


Dru probably nailed down all these things a few moments after her post since
it was years ago she helped me focus in on some nuances of NFS and the need
to pass through the firewall while keeping state, but I thought I'd try to
pinpoint the problem and the inelegant but effective work-around that I
concocted.

Ian Robinson
Salem, OH
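As an added example that is not part of Ian's post or of PC-BSD's own tooling: a small Python audit that parses an smb.conf shaped like the excerpt above and flags the settings an administrator would want to revisit before leaving this workaround in place: the deprecated share-level security mode, a hosts allow line still commented out with ';' (Samba treats ';' and '#' alike as comment leaders, so the line restricts nothing), and shares that are both guest-accessible and writeable. The sample config is constructed from the excerpt; the parameter names are real smb.conf names.

```python
import re

# Constructed sample, condensed from the smb.conf excerpt in the post above.
# The ';' in front of 'hosts allow' makes it a comment, so it restricts nothing.
SAMPLE_SMB_CONF = """\
[global]
   security = share
;   hosts allow = 192.168.1.  127.

[homes]
   writable = yes

[FK_SERVER]
    path = /server_files
    read only = no
    writeable = yes
    guest ok = yes
"""

def parse_smb_conf(text):
    """Return ({section: {param: value}}, [commented-out lines]); keys lower-cased."""
    sections, commented, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line[:1] in (";", "#"):          # both are comment leaders in smb.conf
            commented.append(line.lstrip(";# "))
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:  # blank lines and stray text
            continue
        key, _, val = line.partition("=")
        sections[current][" ".join(key.lower().split())] = val.strip()
    return sections, commented

def smb_bool(val):
    return val.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    sections, commented = parse_smb_conf(text)
    findings = []
    g = sections.get("global", {})
    if g.get("security", "").lower() == "share":
        findings.append("global: 'security = share' (deprecated share-level auth)")
    if "hosts allow" not in g and any(c.startswith("hosts allow") for c in commented):
        findings.append("global: 'hosts allow' is commented out, no client restriction")
    for name, params in sections.items():
        if name == "global":
            continue
        # 'public' is a synonym for 'guest ok'; 'writ(e)able' or 'read only = no' grant writes
        guest = smb_bool(params.get("guest ok", params.get("public", "no")))
        writeable = (smb_bool(params.get("writeable", params.get("writable", "no")))
                     or params.get("read only", "yes").lower() == "no")
        if guest and writeable:
            findings.append(f"[{name}]: guest-accessible and writeable")
    return findings
```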





On Mon, Oct 19, 2009 at 1:51 PM, <testing-request at lists.pcbsd.org> wrote:

> Today's Topics:
>
>   1. Share tab of a folder in dolphin (Dru Lavigne)
>   2. Alpha 10152009 failed setup video (George Vlasov)
>   3. Re: Share tab of a folder in dolphin (Fabrizio Parrella)
>   4.  How to make inetd in 8-alpha play? (Walt Pawley)
>   5. Re: How to make inetd in 8-alpha play? (Kris Moore)
>   6. Re: How to make inetd in 8-alpha play? (Walt Pawley)
>   7. Re: How to make inetd in 8-alpha play? (Fabrizio Parrella)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 18 Oct 2009 20:41:26 +0000
> From: Dru Lavigne <drulavigne at sympatico.ca>
> Subject: [PC-BSD Testing] Share tab of a folder in dolphin
> To: <testing at lists.pcbsd.org>
> Message-ID: <BLU149-W23ED7FE9BC7C5A826CB166ACC20 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> Sharing currently doesn't work for either NFS or Samba.
>
> NFS won't work until:
>
> /usr/local/kde4/lib/kde4/libexec/fileshareset is set suid root
>
> Additionally, that file is designed for Linux, meaning it has to be
> modified as so:
>
> $smb_exports::conf_file = '/usr/local/etc/smb.conf';
>
> my $authorisation_group:   either the default "fileshare" group should be
> created by the operating system or this line should be changed to the BSD
> equivalent used by NFS
>
> system('/usr/sbin/exportfs', '-r');  this is not the command used in BSD and
> /etc/rc.d/nfsd should do all the proper mounting stuff, meaning that this
> whole section should be replaced with the BSD nfsd startup script.
>
> I think the above should get sharing through NFS to work, but I may have
> missed something else
>
> ---
>
> When sharing with Samba, the current firewall rules are blocking smb as I
> had to disable the firewall in order to use smb:/  However, I still could
> not see the shares, so there are additional Samba settings required.
> However, the More Samba Options in the Share tab does not ask for the root
> password, meaning the settings are useless as they are greyed out. Also,
> system settings (administrator mode) has disappeared from Kickoff ->
> Applications. And Samba settings in Kickoff are still screwy  as some stuff
> is still greyed out (I think Josh was working on this?)
>
> ---
>
> If you right-click a folder in dolphin -> Properties -> Sharing -> Allowed
> Users -> Choose Group, all of the system groups show in the drop down menu
> for the new file share group which is a security risk for novice users. Is
> it possible to not show this list and only show groups the user has made (or
> the fileshare group above)? Ideally, there would be a New button in this
> screen so the user could create a group.
>
> Cheers,
>
> Dru
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 18 Oct 2009 22:27:48 -0400
> From: George Vlasov <george.vlasov at gmail.com>
> Subject: [PC-BSD Testing] Alpha 10152009 failed setup video
> To: testing at lists.pcbsd.org
> Message-ID: <4ADBCEA4.9040706 at gmail.com>
> Content-Type: text/plain; charset=KOI8-U; format=flowed
>
> Hi,
>
> Installed Alpha 10152009 on machine with integrated VIA Apollo KM266, S3
> ProSavage8, 32 Mb shared memory. Setup properly recognizes chipset but
> after Apply
> or Skip, the only way out is to power off/on.
>
> Menu option "Run X in VESA mode" shows line "xvesa set" but still guide to
> "Detecting video card and monitor capabilities" with exactly same result.
>
> Thanks,
>
> George
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 18 Oct 2009 23:00:26 -0400
> From: "Fabrizio Parrella" <fabrizio at bibivu.com>
> Subject: Re: [PC-BSD Testing] Share tab of a folder in dolphin
> To: "PC-BSD Testing list" <testing at lists.pcbsd.org>
> Message-ID: <7BDB8F8D19184413939AF23857DCC3D5 at Fabrizio>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>        reply-type=original
>
>
> Not sure if this is PC-BSD or KDE thing, but here I suggest to show select
> box where the user can type the group or part of it and then click a
> "search" to fill the found groups.  I believe the way that XP does is very
> intuitive for users/groups.
>
> Fabry
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 19 Oct 2009 01:58:22 -0700
> From: Walt Pawley <walt at wump.org>
> Subject: [PC-BSD Testing]  How to make inetd in 8-alpha play?
> To: <testing at lists.pcbsd.org>
> Message-ID: <p0624082bc701d649f985@[10.0.0.10]>
> Content-Type: text/plain; charset="us-ascii"
>
> I've been trying for a few days to get inetd to actually work.
> I'm most likely missing something that's obvious, but I've sort
> of run out of ideas as to what to Google, apropos, etc. to find
> the missing link.
>
> I've un-commented the services I want in /etc/inetd.conf and
> bumbled into un-commenting the ALL : ALL : allow line in
> /etc/hosts.allow (first time I've run into this for some
> reason) and enabled inetd at boot (it does run - just won't let
> me connect to anything). By adding the -d option to inetd, I
> get errors for each service that ipsec initialization failed,
> though subsequent diagnostic output seemed to indicate that
> inetd didn't care and was enabling the service.
>
> About the only thing I've seen about the latter is that it
> occurs when ipsec isn't compiled into the kernel.
>
> What am I missing?
> --
>
> Walter M. Pawley <walt at wump.org>
> Wump Research & Company
> 676 River Bend Road, Roseburg, OR 97471
>         541-672-8975
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 19 Oct 2009 11:37:22 -0400 (EDT)
> From: Kris Moore <kris at pcbsd.org>
> Subject: Re: [PC-BSD Testing] How to make inetd in 8-alpha play?
> To: PC-BSD Testing list <testing at lists.pcbsd.org>
> Message-ID: <alpine.BSF.2.00.0910191136300.40459 at hubble.localhost>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>
> Do you have inetd_enable in rc.conf?
>
> http://www.freebsd.org/doc/en/books/handbook/network-inetd.html
>
> --
> Kris Moore
> PC-BSD Software
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 19 Oct 2009 10:44:29 -0700
> From: Walt Pawley <walt at wump.org>
> Subject: Re: [PC-BSD Testing] How to make inetd in 8-alpha play?
> To: PC-BSD Testing list <testing at lists.pcbsd.org>
> Cc: Kris Moore <kris at pcbsd.org>
> Message-ID: <p0624082dc70253905741@[10.0.0.10]>
> Content-Type: text/plain; charset="us-ascii"
>
> At 11:37 AM -0400 10/19/09, Kris Moore wrote:
> >Do you have inetd_enable in rc.conf?
> >
> >http://www.freebsd.org/doc/en/books/handbook/network-inetd.html
> >
>
> I'd actually edited /etc/defaults/rc.conf like ...
>
> $ grep -i inetd /etc/defaults/rc.conf
> # wump 19/18/09 01:23   turned on inetd
> #inetd_enable="NO"              # Run the network daemon dispatcher (YES/NO).
> inetd_enable="YES"              # Run the network daemon dispatcher (YES/NO).
> inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
> inetd_flags="-wW -C 60"         # Optional flags to inetd
>
> which seemed to start inetd just fine, though it didn't work.
> Manually executing inetd with the -d option got me this ...
>
> /usr/sbin/inetd -d -wW -C 60
> ADD : ftp proto=tcp accept=1 max=0 user=root
> group=(null)class=daemon builtin=0x0 server=/usr/libexec/ftpd
> policy=""
> inetd: ftp/tcp: ipsec initialization failed; in entrust
> inetd: ftp/tcp: ipsec initialization failed; out entrust
> inetd: enabling ftp, fd 4
> inetd: registered /usr/libexec/ftpd on 4
> ...
>
> On the off chance that actually having the inetd_enable="YES" in the
> file /etc/rc.conf, I swapped the commenting on the two enable lines
> I now have in /etc/defaults/rc.conf so it says "NO" and edited
> /etc/rc.conf to contain the "YES", like ...
>
> grep -i inetd /etc/rc.conf
> inetd_enable="YES"             # Run the network daemon dispatcher (YES/NO).
>
> and rebooted. Still doesn't play nice. Sigh ...
> --
>
> Walter M. Pawley <walt at wump.org>
> Wump Research & Company
> 676 River Bend Road, Roseburg, OR 97471
>         541-672-8975
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 19 Oct 2009 13:51:31 -0400
> From: Fabrizio Parrella <fabrizio at bibivu.com>
> Subject: Re: [PC-BSD Testing] How to make inetd in 8-alpha play?
> To: PC-BSD Testing list <testing at lists.pcbsd.org>
> Cc: Kris Moore <kris at pcbsd.org>
> Message-ID: <4ADCA723.6030805 at bibivu.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> sorry if I may ask a few questions that you already answered:
>    - does it work on 7.x?
>        - if so, check the logs on 8 (they should be stored wherever the
> syslogd are.. messages I believe)
>    - if you manually start it, does it run?
>        - if so, if you execute "/etc/rc.d/inetd start" does it start?
>
> Fabry
>
> ------------------------------
>