12 Replies Latest reply: Dec 27, 2008 6:16 PM by Network 23
HandyMac Level 2 (420 points)
Suddenly, a process called "smbclient" is trying to establish a network connection, according to Little Snitch. About every five minutes a series of LS windows pops up, informing me that, e.g.

"Finder via smbclient
wants to connect to
c-67-164-151-171.hsd1.nm.comcast.net on TCP port 139 (netbios-ssn).
Established by: /usr/bin/smbclient"

LS shows alerts like this regarding four currently running apps (Finder, QuickTime, TextEdit, CheckOff). When I look in Activity Monitor, it shows 1 to 4 "smbclient" processes running when these messages show up. Anyone know what "smbclient" is, and why it would be doing this?

MacBook Pro 17" 2.16GHz, Mac OS X (10.5.5), 2GB RAM, 160GB HD, SuperDrive
  • nerowolfe Level 6 (13,065 points)
    smbclient (samba) is a computer (usually windows) network protocol, associated with netbios.
    Any Window Boxes on your network?
    Are you running filesharing?

    Message was edited by: nerowolfe
  • Kappy Level 10 (266,058 points)
    See this page for the manual pages for smbclient.
  • HandyMac Level 2 (420 points)
    Thanks for the info, though at my level of knowledge it doesn't tell me much. My MBP isn't networked with anything but the Internet; no Windows anywhere near (I've got a Ubuntu installation in a VirtualBox VM, but I haven't started it up in months); no filesharing.

    Sounds kinda suspicious that this would start happening now. No alerts in the past 20 minutes or so, though. If I didn't have Little Snitch, I wouldn't even know it was happening. I also get occasional flurries of "automountd" wanting to connect to "Backups/backupdb" at various Internet addresses.
  • Kappy Level 10 (266,058 points)
    smbclient is a Unix process that communicates with the Samba server. You don't need to be running Windows as most Linux distros also use a Samba server/client to communicate on Windows networks. What you are seeing may be caused by your VirtualBox VM.
  • HandyMac Level 2 (420 points)
    Thanks for the info, though I'm afraid it's rather beyond my level of expertise.

    "What you are seeing may be caused by your VirtualBox VM." Seems doubtful if the VM isn't running; in fact, last time I tried it wouldn't even start up.

    Anyway, after the flurry of such alerts yesterday evening (four series of four as described, as I recall), there've been no more. I can't help but wonder if this was some kind of "exploit" from somewhere on the 'Net, trying to get my Mac to "communicate with the [whose?] Samba server" and send it/them some information.
  • nerowolfe Level 6 (13,065 points)
    HandyMac wrote:
    Thanks for the info, though I'm afraid it's rather beyond my level of expertise.

    It's possible that it was a probe from the internet. If you are connected directly to the internet or do not have a router with NAT or a good firewall, these probes, usually for the infamous winders port 139 (netbios) may get through to your computer but they are harmless. If they are getting through, however, it does show that you may have open port(s).
    All my ports are set to stealth.
    Check your computer firewall settings and also log into your router and check the settings there as well.

    Message was edited by: nerowolfe
  • Kappy Level 10 (266,058 points)
    Although it may not be running now it may have initiated the process during installation or when you first installed your Windows client. Like with Parallels and VM Fusion the networking extensions are run at boot up whether the VM is active or not.

    It's easy enough to verify by asking VirtualBox tech support. It may even be in the documentation if you're willing to read through most of it.
  • gmg7 Level 1 (0 points)
    If I got a Leopard Why would I need a Family Pack?? What is the difference to a Single Pack? I do though want accounts on the computer not just one account username!
  • Kappy Level 10 (266,058 points)
    You are threadjacking. Please post your question as a separate topic in the appropriate forum.
  • Andrew No Thanks Level 1 (5 points)
    I'm having a similar issue. Little Snitch pops up to tell me that:
    "Finder via smbclient wants to connect to on TCP port 139 (netbios-ssn)"
    The connection is established by: "/usr/bin/smbclient" with the Process ID of 426
    The PArent Application is: "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder" with a Process ID of 218

    Can anyone provide any enlightenment as to what is going on. Why does Mac OS Finder need to make this connection? I have no applications running.
    Should I tell Little Snitch to deny these 'smbclient' connections forever? Or will that break some part of my Mac OS. I am running Time Machine over my wireless network using a Time Capsule. But I don't remember these messages popping up while I was setting up Time Machine, so I can't beleive this is the cause.

    Any help would be wildly appreciated!

  • techiejohn Level 1 (5 points)
    I ran into this same problem. I was on a hotel network and I would get a Little Snitch alert asking me to allow smbclient to connect to some IP. Looking at the process it was being launched by Finder. When I killed and had Finder relaunch, it would do it again.

    So, I ran trusty dtrace and found that Finder basically runs what is equivalent to nmblookup -M -- -. This queries the local network for master browsers. One of the IPs listed was the IP that smbclient was trying to connect to. So if you run that nmblookup from the Terminal you should see the IP that Little Snitch is warning you about.

    There's nothing to worry about. It appears to be normal SMB service discovery stuff.

    Hope this helps!

  • Network 23 Level 6 (11,900 points)
    Do you have File Sharing turned on, and when you go into the Sharing preference and click the Options for File Sharing, is "Share files and folders using SMB" on? That would activate a lot of SMB code.

    Because I can't find any SMB processes running in my Activity monitor, but I switched off SMB sharing a long time ago and never turn it on.