Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited) - Samba

This is a discussion on Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited) - Samba ; Here's my analysis results describing my message: 1 0.000000 192.168.1.101 -> 192.168.1.254 DNS Standard query AAAA vic-cai-l0047.localdomain 2 0.029740 192.168.1.254 -> 192.168.1.101 DNS Standard query response, No such name 3 0.029889 192.168.1.101 -> 192.168.1.254 DNS Standard query A vic-cai-l0047.localdomain 4 ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)

  1. Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)

    Here's my analysis results describing my message:

    1 0.000000 192.168.1.101 -> 192.168.1.254 DNS Standard query AAAA vic-cai-l0047.localdomain
    2 0.029740 192.168.1.254 -> 192.168.1.101 DNS Standard query response, No such name
    3 0.029889 192.168.1.101 -> 192.168.1.254 DNS Standard query A vic-cai-l0047.localdomain
    4 0.056225 192.168.1.254 -> 192.168.1.101 DNS Standard query response, No such name
    5 0.056738 192.168.1.101 -> 192.168.1.255 NBNS Name query NB VIC-CAI-L0047<20>
    6 0.057018 Dell_b0:3b:f2 -> Broadcast ARP Who has 192.168.1.101? Tell 192.168.1.100
    7 0.057032 Giga-Byt_49:21:e7 -> Dell_b0:3b:f2 ARP 192.168.1.101 is at 00:16:e6:49:21:e7
    8 0.057139 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB 192.168.1.100
    9 0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable (Host administratively prohibited)
    10 0.326384 192.168.1.101 -> 192.168.1.255 NBNS Name query NB VIC-CAI-L0047<20>
    11 0.326732 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB 192.168.1.100
    12 0.326763 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable (Host administratively prohibited)
    13 0.596355 192.168.1.101 -> 192.168.1.255 NBNS Name query NB VIC-CAI-L0047<20>
    14 0.596734 192.168.1.100 -> 192.168.1.101 NBNS Name query response NB 192.168.1.100
    15 0.596758 192.168.1.101 -> 192.168.1.100 ICMP Destination unreachable (Host administratively prohibited)

    192.168.1.101 is my linux client, 192.168.1.100 is my windows machine(containing the shares I want to access from the fedora 9 box), and 192.168.1.254 is my local DNS server. Obviously there're no messages sent to the linux machine on destination port 139 or 145. All messages coming from the windows machine are originating from port 137 on the windows machine.
    I tried to disable the NetworkManager service but this didn't solve the problem. I also got level 5 debugging from smbclient; it's as follows:
    INFO: Current debug levels:
    all: True/5
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
    lp_load_ex: refreshing parameters
    Initialising global parameters
    params.cm_process() - Processing configuration file "/etc/samba/smb.conf"
    Processing section "[global]"
    doing parameter workgroup = MYGROUP
    doing parameter server string = Samba Server Version %v
    doing parameter log file = /var/log/samba/log.%m
    doing parameter max log size = 50
    doing parameter security = user
    doing parameter passdb backend = tdbsam
    doing parameter load printers = yes
    doing parameter cups options = raw
    pm_process() returned Yes
    Attempting to register new charset UCS-2LE
    Registered charset UCS-2LE
    Attempting to register new charset UTF-16LE
    Registered charset UTF-16LE
    Attempting to register new charset UCS-2BE
    Registered charset UCS-2BE
    Attempting to register new charset UTF-16BE
    Registered charset UTF-16BE
    Attempting to register new charset UTF8
    Registered charset UTF8
    Attempting to register new charset UTF-8
    Registered charset UTF-8
    Attempting to register new charset ASCII
    Registered charset ASCII
    Attempting to register new charset 646
    Registered charset 646
    Attempting to register new charset ISO-8859-1
    Registered charset ISO-8859-1
    Attempting to register new charset UCS2-HEX
    Registered charset UCS2-HEX
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    Substituting charset 'UTF-8' for LOCALE
    added interface eth0 ip=fe80::216:e6ff:fe49:21e7%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
    added interface eth0 ip=192.168.1.101 bcast=192.168.1.255 netmask=255.255.255.0
    Netbios name list:-
    my_netbios_names[0]="LOCALHOST"
    Client started (version 3.2.0rc1-15.fc9).
    Opening cache file at /var/lib/samba/gencache.tdb
    tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
    gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only.
    sitename_fetch: No stored sitename for
    no entry for vic-cai-l0047#20 found.
    resolve_lmhosts: Attempting lmhosts lookup for name vic-cai-l0047<0x20>
    getlmhostsent: lmhost entry: 127.0.0.1 localhost
    resolve_wins: Attempting wins lookup for name vic-cai-l0047<0x20>
    resolve_wins: WINS server resolution selected and no WINS servers listed.
    resolve_hosts: Attempting host lookup for name vic-cai-l0047<0x20>
    resolve_hosts: getaddrinfo failed for name vic-cai-l0047 [Name or service not known]
    name_resolve_bcast: Attempting broadcast lookup for name vic-cai-l0047<0x20>
    socket option SO_KEEPALIVE = 0
    socket option SO_REUSEADDR = 1
    socket option SO_BROADCAST = 1
    Could not test socket option TCP_NODELAY.
    Could not test socket option TCP_KEEPCNT.
    Could not test socket option TCP_KEEPIDLE.
    Could not test socket option TCP_KEEPINTVL.
    socket option IPTOS_LOWDELAY = 0
    socket option IPTOS_THROUGHPUT = 0
    socket option SO_SNDBUF = 122880
    socket option SO_RCVBUF = 122880
    socket option SO_SNDLOWAT = 1
    socket option SO_RCVLOWAT = 1
    socket option SO_SNDTIMEO = 0
    socket option SO_RCVTIMEO = 0
    Sending a packet of len 50 to (192.168.1.255) on port 137
    Sending a packet of len 50 to (192.168.1.255) on port 137
    Sending a packet of len 50 to (192.168.1.255) on port 137
    Connection to vic-cai-l0047 failed (Error NT_STATUS_BAD_NETWORK_NAME)

    Note the last 3 red lines; it seems that smbclient doesn't see the response packets although tcpdump and wireshark show they're received in the kernel IP tables. The ICMP messages also aren't seen in the logging to be sent by my linux client. Think I'm going to investigate more and produce a similar logging information for smbclient on the redhat 9 box to see where they differ.


    ----- Original Message ----
    From: Scott Lovenberg
    To: Mohammed El-Afifi
    Cc: samba@lists.samba.org
    Sent: Wednesday, July 2, 2008 9:38:41 PM
    Subject: Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)


    Mohammed El-Afifi wrote:
    > I'm using fedora 9, 64-bit edition, on a machine acting as a client. I've installed samba-client 3.2.0 from a binary package. I amn't running the server portion of samba(smbd, nmbd, or even winbindd).
    > I'm trying to access shares on another windows machine, on the same network 192.168.1.0/24. Both machines, the client and the server, are using DHCP to acquire IP addresses.
    > When I type the command
    > smbclient -L
    > I get an error about bad network name. I traced my smbclient session with tcpdump and wireshark, jut to find out some strange behaviour.
    > 1. smbclient tries DNS requests and receives unresolved host replies. This's totally sane since my DNS works for resolving external names only, not those inside my network.
    > 2. smbclient then tries to resolve the netbios name. It broadcasts a message and it really receives response from the windows machine resolving the name successfully. However after smbclient receives the successful netbios response, it sends and ICMP message to the windows machine indicating "unreachable destination host(administratively prohibited)".
    > 3. Steps 1 and 2 repeat for a few times(about 3 times), each time ending with the strange ICMP message.
    > I can't see what's wrong with my network configuration. I can access the other windows machine by IP address pretty well. I can access all internet sites successfully. I've disabled the kernal firewall and selinux, but with no progress.
    > I've redhat 9(installed on the same machine having fedora 9) with samba-client installed(a very old version of course, 2.2 maybe), and it can access the windows machine seamlessly. So I wonder if it's something related to my samba version, my fedora 9 OS, or may I be missing something critical in my smb.conf, taking into consideration that I haven't changed smb.conf from the stock one shipping with the samba-client binary package?
    > Appreciating your help for any suggestions!
    >
    >
    >
    >

    Perhaps a routing problem? Does either machine have multiple network
    cards? If you're not using wireless, make sure that the NetworkManager
    service is disabled; I've had nothing but problems with it in F9.

    Also, is the ICMP response in regards to Windows trying to make a
    connection on ports 139 and 445 at the same time? For some silly reason
    Windows will open two connections at the same time. I believe that the
    default samba (server) setting is to drop the port 445 requests and use
    the port 139 connections.




    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)

    On Wed, Jul 02, 2008 at 04:26:31PM -0700, Mohammed El-Afifi wrote:
    > 192.168.1.101 is my linux client, 192.168.1.100 is my
    > windows machine(containing the shares I want to access
    > from the fedora 9 box), and 192.168.1.254 is my local DNS
    > server. Obviously there're no messages sent to the linux
    > machine on destination port 139 or 145. All messages
    > coming from the windows machine are originating from port
    > 137 on the windows machine.


    If your Windows box is a very old one (i.e. Win95 or so),
    you need to start nmbd on the Linux box.

    Volker

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.5 (GNU/Linux)

    iD8DBQFIbGlaUzqjrWwMRl0RAlAyAJ9fmwHtyzfhZePsAHth67 x4ey2OzwCdHQQ8
    0uDl0dUr3dyv6AYOPbkie/g=
    =b+yP
    -----END PGP SIGNATURE-----


  3. Re: [Samba] smbclient sending ICMP unreachable destination host(administratively prohibited)

    Hallo, Mohammed,

    Du (mohammed_elafifi) meintest am 02.07.08:

    > 9 0.057171 192.168.1.101 -> 192.168.1.100 ICMP Destination
    > unreachable (Host administratively prohibited)


    Why is "ICMP Destination unreachable" - sounds like a silly firewall
    rule.

    Viele Gruesse!
    Helmut
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

+ Reply to Thread