[Pkg-samba-maint] Bug#459972: winbind: want to limit libnss_wins checks to WINS (no broadcasting)

Matt Swift debian-bugs at mattswift.net
Thu Jan 10 17:54:59 UTC 2008


I tested a little more carefully, and the results are below.

Summary of test environment:

Debian host Corax running Samba (version, dependencies, etc. in
initial report).  smb.conf globals included below. Key settings are

	wins support = Yes
	dns proxy = No
	wins proxy = Yes

Corax is on a LAN (that's interface eth2 in smb.conf below).  DNS
server and Internet gateway on an embedded-Linux dedicated firewall
also on the LAN.  Corax is running a routed openvpn server (that's
interface tun0) but no hosts connected.  One other machine on the LAN
during testing: WinXP Pro box called Plankton, whose WINS server is
Corax.

winbindd installed but NOT running.

I conducted four tests (1-4) in each of four conditions (A-D).
During the tests, I monitored network traffic with Wireshark on both
Corax and Plankton (they're connected by a switch, not a hub).

Between conditions, I restarted nmbd and confirmed all instances were
stopped before restarting.

Each test was done with hostname 'luckyN' or 'luckyNN' where N is a
digit.  These are valid NetBIOS names, and because I increased the
number with each test (never re-using a hostname) caches shouldn't
affect results.  I represent the changing test hostname with just
"<unknown>" below.  The default domain name on all machines is
swift.private.

condition A
  /etc/samba/smb.conf -> name resolve order = wins
  /etc/nsswitch.conf -> hosts: files dns wins

condition B
  /etc/samba/smb.conf -> name resolve order = wins bcast
  /etc/nsswitch.conf -> hosts: files dns wins

Conditions C and D are the same as A and B but without "wins" in the NSS
layer.

condition C
  /etc/samba/smb.conf -> name resolve order = wins
  /etc/nsswitch.conf -> hosts: files dns

condition D
  /etc/samba/smb.conf -> name resolve order = wins bcast
  /etc/nsswitch.conf -> hosts: files dns

Test 1 gave one of two results (one for conditions A/B, another for
C/D).  Tests 2-4 gave the same results in all four conditions.  There
were other surprises as well.  See my comments on each test. My
expectations are probably incorrect in places, but still there seems
to be a problem with Samba.

test 1 (conditions A B)

  corax% ping <unknown>

  DNS query for <unknown>.swift.private fails
  assume that a WINS lookup fails
  NBNS broadcast from Corax for <unknown> (3 packets)

  comment: Samba SHOULDN'T broadcast when "name resolve order" doesn't
  contain "bcast" (condition B).

test 1 (C D)

  corax% ping <unknown>

  DNS query for <unknown>.swift.private fails

  comment: as expected


test 2 (A B C D)

  corax% nmblookup -U localhost -R <unknown>

  fails, i.e., no network traffic, no broadcast

  comment: Samba SHOULD broadcast when "name resolve order" contains
  "bcast" (conditions B and D).  Comment below on test 4 may apply as
  well.


test 3 (A B C D)

  plankton% ping <unknown>

  DNS query for <unknown>.swift.private fails
  NBNS query to Corax for <unknown> fails
  NBNS broadcast from Plankton for <unknown> (3 packets)

  comment: Samba SHOULD broadcast when "name resolve order" contains
  "bcast" (conditions B and D) -- but maybe Samba is smart enough to
  refrain from broadcasting after a failed query from a WinXP client
  that we know is going to fall back on doing a broadcast itself?

  
test 4 (A B C D)

  plankton% nblookup <unknown>

  NBNS query to Corax for <unknown> fails
  
  comment: same as for test 3, but regarding the question is Samba
  smart enough, etc., in this case, the assumption that Plankton will
  fall back on a broadcast is wrong because the WINS query was made
  with a diagnostic tool (nblookup) not the normal WinXP name
  resolution procedure.


smb.conf excerpt (value of "name resolve order" was varied):

[global]
	workgroup = TRANSFINITES
	netbios aliases = BRAIN
	server string = 
	interfaces = 127.0.0.1, eth2, tun0
	bind interfaces only = Yes
	obey pam restrictions = Yes
	passdb backend = tdbsam
	guest account = sambaguest
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
	log level = 3 passdb:5 auth:10 winbind:5
	log file = /var/log/samba/log.%m
	max log size = 1000
	name resolve order = wins
	printcap name = cups
	lm announce = No
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins proxy = Yes
	wins support = Yes
	ldap ssl = no
	panic action = /usr/share/samba/panic-action %d
	invalid users = root
	printer admin = @lp
	printing = cups
	print command = 
	lpq command = %p
	lprm command = 
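
The tests in this message depend on telling a unicast NBNS query to the WINS server apart from an NBNS broadcast in a capture. The following Python is an added example, not part of the original message and not Samba code: it decodes the UDP payload of an NBNS name query request and classifies it by the broadcast (B) bit in the header flags defined in RFC 1002. The function names, the 192.0.2.x addresses and the sample packets are constructed for illustration, and names are assumed to carry no NetBIOS scope ID.

```python
import struct

B_FLAG = 0x0010   # NM_FLAGS "B" bit: the query was sent as a broadcast
RD_FLAG = 0x0100  # recursion desired, set on ordinary name queries

def encode_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars, append suffix, split into nibbles."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    half = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + half + b"\x00"

def build_query(txid, name, broadcast):
    """Construct a name query request payload (sample input only, never sent)."""
    flags = RD_FLAG | (B_FLAG if broadcast else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 0x0020, 0x0001)

def parse_query(payload):
    """Return (name, suffix, is_broadcast); raise ValueError if not a name query."""
    if len(payload) < 12 + 34 + 4:
        raise ValueError("too short for an NBNS question")
    _txid, flags, qdcount, *_ = struct.unpack(">HHHHHH", payload[:12])
    # R bit clear (request), opcode 0 (query), exactly one question
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount != 1:
        raise ValueError("not a name query request")
    if payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unexpected name encoding (scope ID or pointer)")
    enc = payload[13:45]
    if any(not 0x41 <= b <= 0x50 for b in enc):
        raise ValueError("invalid half-ASCII byte")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], bool(flags & B_FLAG)

def classify(payload, dst_ip, wins_ip):
    """Label a query as 'broadcast', 'wins' (unicast to WINS server) or 'unicast-other'."""
    name, _suffix, bcast = parse_query(payload)
    if bcast:
        return name, "broadcast"
    return name, "wins" if dst_ip == wins_ip else "unicast-other"

if __name__ == "__main__":
    WINS = "192.0.2.10"  # constructed address standing in for the WINS server
    samples = [(build_query(1, "lucky1", False), WINS),
               (build_query(2, "lucky1", True), "192.0.2.255")]
    for pkt, dst in samples:
        print(classify(pkt, dst, WINS))
```

The payloads can come from any capture export that yields the UDP port 137 data and destination address per packet.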




