9 Replies Latest reply: Nov 9, 2006 12:20 PM by Arno Hahma
Arno Hahma Level 1 (10 points)
When I connect a share from a server with Mac OS X clients, i.e. with Finder and Cmd-K or mount_smbfs, these things make the connection to port 139, which is deprecated (the NetBIOS port). All modern Samba implementations use port 445 instead. Even if I instruct mount_smbfs not to use NetBIOS with mount_smbfs -I server.ip.address //server.ip.address/share, it STILL uses NetBIOS ports to make the connection! This seems like a serious bug to me.

Now, as our network policy forbids using netbios and firewalls block this protocol, Apples simply do not work in this environment.

Question: how to force the Samba-related clients to use port 445 and forget about 137/139 once and for all? I have not found any hints anywhere on how to do this.

The only client that respects /etc/smb.conf is smbclient, and surprise, surprise, that one works flawlessly and does use port 445 when told so. But all the other Samba clients don't read smb.conf at all and don't have any configuration options anywhere - or do they?

Arno

G5 Dual 2.0 GHz, Mac OS X (10.4.8)
  • Rick Van Vliet Level 5 (6,385 points)
    This is only a comment, not the answer to your question, however:

    SMB.conf file is used to configure the server end of samba, not necessarily the client.

    Our question to you might be: what kind of server are you connecting to via SMB?
    Linux? UNIX? OSX-server? Windows?
    (if Windows, what version of server software, please)

    (something to try: do your cmd+K connect to...
    and when you enter the servername/IPaddress, end it with ":445")
    like:
    SMB://[Server_IP]/[Share]:445

    Is that what you are trying?
  • Arno Hahma Level 1 (10 points)
    SMB.conf file is used to configure the server end of
    samba, not necessarily the client.


    I am aware of this; however, smb.conf was the only Samba-related configuration file I found. As smbclient turned out to actually use it, I hoped it would influence the other Samba clients as well - it does not.


    Our question to you might be: what kind of server are
    you connecting to via SMB?
    Linux? UNIX? OSX-server? Windows?


    All of them, makes no difference really. All work flawlessly, if I connect from Windows or from Linux, but none works, if I connect from Mac OS X.

    (if Windows, what version of server software,
    please)


    Windows 2003 Server.

    and when you enter the servername/IPaddress, end it
    with ":445)


    I'll try this. So far, I put the :445 at the end of the server name - it had no influence: SMB://[Server_IP]:445/[Share]. Also, putting it to the end has no effect. It still tries to port 139.

    like:
    SMB://[Server_IP]/[Share]:445

    Is that what you are trying?


    Yes, this exactly - and the same in Finder. The above just does not work, mount_smbfs stubbornly tries to connect to the port 139 and so does Finder.

    Arno
  • BDAqua Level 10 (119,390 points)
    There might be some clues here...
    http://www.mactech.com/articles/mactech/Vol.21/21.02/Security/index.html

    Near the bottom, search for "Manual firewall configuration", then "Kernel Twaeking", (yes, it's misspelled).
  • BDAqua Level 10 (119,390 points)
    Hey, I just found a possible option...

    In Sharing>Firewall>New... , click on Port Name drop down, and there's an SMB (without NetBios) option!
  • Arno Hahma Level 1 (10 points)
    Hey, I just found a possible option...

    In Sharing>Firewall>New... , click on Port Name drop
    down, and there's an SMB (without NetBios) option!


    This only affects incoming connections, so no avail. I will try this with Mac OS X as the client, that one allows tweaking the rules more accurately. I'll let you know...

    Arno
  • Arno Hahma Level 1 (10 points)
    There might be some clues here...
    http://www.mactech.com/articles/mactech/Vol.21/21.02/Security/index.html


    This is actually a nice link for all sorts of other stuff, but did not help much in this case.


    Near the bottom, search for "Manual firewall
    configuration", then "Kernel Twaeking", (yes, it's
    misspelled).


    Now, I have tried this as well with Mac OS X Server as the client allowing much more flexibility to the firewall rules without the need to resort to manual tweaking. Result: mount_smbfs hangs and gets a timeout after a while. This is obvious, as I have now closed the port 139 to both ways - so, no answer -> timeout.

    Bottom line: mount_smbfs does not work on the kernel level, so tweaking the kernel does not help much here. There should simply be some way to instruct mount_smbfs to use the port 445 and then everything would work.

    Arno
  • Arno Hahma Level 1 (10 points)
    Bottom line: mount_smbfs does not work on the kernel
    level, so tweaking the kernel does not help much
    here. There should simply be some way to instruct
    mount_smbfs to use the port 445 and then everything
    would work.


    Wait, wait! I just discovered running this command loads a kernel extension - so it is indeed kernel-related. Firewall settings do not work, so maybe there is some kernel variable to set the samba port? Not in the documentation, though...


    Arno
  • BDAqua Level 10 (119,390 points)
    I've been searching for that setting... no luck yet. :-(
  • Arno Hahma Level 1 (10 points)
    kernel-related. Firewall settings do not work, so
    maybe there is some kernel variable to set the samba
    port? Not in the documentation, though...


    This looks very bad, from the Darwin 8.8 kernel source tree:


    /*
     * Common definintions and structures for SMB/CIFS protocol
     */

    #ifndef NETSMB_SMB_H
    #define NETSMB_SMB_H

    #ifndef PRIVSYM
    #define PRIVSYM _private_extern_
    #endif

    #define SMBTCPPORT 139

    /*
     * SMB dialects that we have to deal with.
     */

    which indicates the port 139 has been hard coded. D*mn it...

    Arno
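
Added example, not part of the original thread or of the Darwin source: a Python sketch of what distinguishes the two transports discussed above on the wire, following RFC 1001/1002. A client on port 139 must first send a NetBIOS session request, while port 445 carries SMB directly behind a 4-byte length header. The calling name `MACCLIENT`, the helper function names and both sample packets are constructed for illustration.

```python
import struct

SESSION_REQUEST = 0x81   # RFC 1002 session packet type, only seen on port 139
SESSION_MESSAGE = 0x00   # type byte that precedes every framed SMB message

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 16 name bytes become 32 letters A..P."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(0x41 + nibble for b in raw for nibble in (b >> 4, b & 0x0F))

def build_session_request(called: str, calling: str) -> bytes:
    """The packet a client must send on port 139 before any SMB traffic."""
    def wire(name: str, suffix: int) -> bytes:
        return b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    payload = wire(called, 0x20) + wire(calling, 0x00)
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(payload)) + payload

def frame_smb(message: bytes) -> bytes:
    """Direct-hosted framing (port 445): zero byte, then a 24-bit length."""
    if len(message) >= 1 << 24:
        raise ValueError("too long for direct-hosted SMB framing")
    return struct.pack(">I", len(message)) + message

def classify_first_packet(data: bytes) -> str:
    """Label the first client packet of a captured TCP stream."""
    if len(data) >= 4 and data[0] == SESSION_REQUEST:
        return "netbios-session-request"
    if len(data) >= 8 and data[0] == SESSION_MESSAGE and data[4:8] == b"\xffSMB":
        return "direct-smb"
    return "unknown"

def uses_netbios(dst_port: int, first_packet: bytes) -> bool:
    """True when a flow would violate a 'no NetBIOS' network policy."""
    return (dst_port == 139
            or classify_first_packet(first_packet) == "netbios-session-request")

# Constructed samples: a session request to the generic name *SMBSERVER, and
# a 32-byte SMB1 header (command 0x72, negotiate) framed for direct hosting.
SAMPLE_139 = build_session_request("*SMBSERVER", "MACCLIENT")
SAMPLE_445 = frame_smb(b"\xffSMB\x72" + bytes(27))

if __name__ == "__main__":
    for port, pkt in ((139, SAMPLE_139), (445, SAMPLE_445)):
        verdict = "violation" if uses_netbios(port, pkt) else "ok"
        print(port, classify_first_packet(pkt), verdict)
```

Run over the first client packet of each flow in a capture, `uses_netbios` flags clients that still open NetBIOS sessions even when the destination port has been remapped.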