Samba share issue after upgrade from 6.1.9 to 6.2.4


pyro.699

I have spent 2 days googling and searching around the forums and am ready to ask for some help regarding this issue. I recently upgraded my server from 6.1.9 to 6.2.4 and after that, the samba shares have not worked at all - I have read a few other articles from members here in the release thread with a similar problem but any solution proposed there didn't seem to work.

 

Starting here I followed through and was linked to this article which also linked to a feature request which I believe was implemented in 6.2.4.

 

All of which provided great information for potential debugging avenues. I connect to my host through a combination of Windows and Linux computers. For the sake of simplicity I have only configured the SMB shares and, when using a Linux guest, will mount the share through a cifs share. While trying to get this working I have tried to set up an NFS share - but was unable to get that working correctly either.

 

smbclient -L 127.0.0.1 -N -d 10

INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
Processing section "[global]"
doing parameter include = /etc/samba/smb-names.conf
doing parameter netbios name = Charmander
doing parameter server string = Media server
doing parameter hide dot files = no
doing parameter security = USER
doing parameter workgroup = WORKGROUP
doing parameter local master = yes
doing parameter map to guest = Bad User
doing parameter passdb backend = smbpasswd
doing parameter encrypt passwords = Yes
doing parameter null passwords = Yes
WARNING: The "null passwords" option is deprecated
doing parameter map archive = No
doing parameter map hidden = No
doing parameter map system = No
doing parameter map readonly = Yes
doing parameter create mask = 0777
doing parameter directory mask = 0777
doing parameter log level = 0
doing parameter syslog = 0
WARNING: The "syslog" option is deprecated
doing parameter syslog only = Yes
WARNING: The "syslog only" option is deprecated
doing parameter show add printer wizard = No
doing parameter disable spoolss = Yes
doing parameter load printers = No
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter invalid users = root
doing parameter unix extensions = No
doing parameter wide links = Yes
doing parameter use sendfile = Yes
doing parameter aio read size = 4096
doing parameter aio write size = 4096
doing parameter acl allow execute always = Yes
doing parameter include = /boot/config/smb-extra.conf
Processing section "[global]"
doing parameter interfaces = lo eth0 eth1
doing parameter preferred master = yes
doing parameter domain master = yes
doing parameter os level = 255
doing parameter include = /etc/samba/smb-shares.conf
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
add_interface: not adding duplicate interface 127.0.0.1
added interface eth0 ip=192.168.2.40 bcast=192.168.2.255 netmask=255.255.255.0
added interface eth1 ip=192.168.2.41 bcast=192.168.2.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="CHARMANDER"
Client started (version 4.4.5).
Connecting to 127.0.0.1 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061296
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED

 

/usr/bin/nmblookup -M -- - 2>/dev/null | /usr/bin/grep -Pom1 '^\S+'

192.168.2.41

 

Samba extra configuration:

[global]
interfaces = lo eth0 eth1
preferred master = yes
domain master = yes
os level = 255

 

Workgroup Settings

Workgroup: WORKGROUP
Local Master: Yes

 

df -h /mnt/disk*

Filesystem      Size  Used Avail Use% Mounted on
/dev/md1        1.9T  1.4T  442G  77% /mnt/disk1
/dev/md2        1.9T  1.4T  473G  75% /mnt/disk2
/dev/md3        932G  413G  519G  45% /mnt/disk3
/dev/md4        932G   15G  917G   2% /mnt/disk4
/dev/md5        1.9T  951G  912G  52% /mnt/disk5
/dev/md6        932G   33M  932G   1% /mnt/disk6

 

ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.40  netmask 255.255.255.0  broadcast 0.0.0.0
        ether 00:04:4b:15:99:ae  txqueuelen 1000  (Ethernet)
        RX packets 7056107  bytes 2903118903 (2.7 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5441547  bytes 3713613254 (3.4 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.41  netmask 255.255.255.0  broadcast 0.0.0.0
        ether 00:04:4b:15:99:ac  txqueuelen 1000  (Ethernet)
        RX packets 126303  bytes 39111094 (37.2 MiB)
        RX errors 0  dropped 57373  overruns 0  frame 0
        TX packets 98  bytes 7782 (7.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ham0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1200
        inet 25.*.*.*  netmask 255.0.0.0  broadcast 25.255.255.255
        ether *:*:*:*:*:*  txqueuelen 1000  (Ethernet)
        RX packets 33980  bytes 4311879 (4.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24201  bytes 4310850 (4.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.255.255.255
        loop  txqueuelen 1  (Local Loopback)
        RX packets 31791  bytes 4319233 (4.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31791  bytes 4319233 (4.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

ip route

default via 192.168.2.1 dev eth0 
25.0.0.0/8 dev ham0  proto kernel  scope link  src 25.*.*.* 
127.0.0.0/8 dev lo  scope link 
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.40 
192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.41 

 

Things I have tried:

  • Using a bridge and a bonded bridge instead of having eth0 and eth1 separate.
  • Different permutations of entries listed in the "Samba extra configuration" including an empty file and having "allow hosts = 0.0.0.0/24"
  • Connecting to it from various ips, including the one located at ham0
  • Rebooting the host in the hopes of it "magically" fixing itself
  • Yelling at it

 

Any help would be greatly appreciated. I do not currently have physical access to the hardware, but am able to ssh into it from my current location.

 

Happy Holidays

-Cody

Link to comment

Did you find this thread?

 

    http://lime-technology.com/forum/index.php?topic=54910.0

 

Did you install the 'Local Master' plugin?  You can find it in the first post in this thread

 

    http://lime-technology.com/forum/index.php?topic=36543

 

Have you tried rebooting the clients?  Have you checked to see what your clients 'think' is the Local Master?  (You will have to google for this one.)  Are all the clients affected or only certain ones?

 

Be sure that you understand that Windows ignores capitalization of many names and Linux/Unix honors it.  (And I have no idea how Samba resolves this issue!)  For that reason, it is recommended that the Workgroup name be in all caps on all computers!

 

By the way, you have my sympathy!  Troubleshooting Samba issues locally is a headache (as Samba solutions are often like witchcraft) but doing it remotely is not something that I would want to tackle. 

Link to comment

Thank you for the replies.

 

As I mentioned in the original post, the issues can be reproduced on the host trying to use the smbclient. They are not specific to a windows client trying to access it.

 

Local Master is something that has been included as part of 6.2.4 as a direct configurable option.

 

To address other concerns in your posts.

* Yes I have rebooted both clients and hosts.

* All clients are affected, not just the host or one particular client

* Capitalization doesn't play a role when using direct IP addresses

* The entire network is wired and none of it is wireless

 

I am open to all other solutions and suggestions

Link to comment

Unfortunately, static IP addresses do NOT address the capitalization problem!  And each computer must have an IP address before it even broadcasts that it is looking for a Samba network.  Each computer will join only the workgroup to which it is assigned with the proper workgroup name.

 

Assigning IP addresses without having collisions can be a problem with a combination of assigning static IP addresses and using addresses assigned by DHCP, which is 'turned on' by default in every router that I have seen in the past twenty years.  If your network administrator is assigning IP addresses to computers, what is being done to assure that no device is ever connected to that network that uses DHCP to get an address?  By default, every OS that I have ever heard of uses DHCP to get its address.  It could be a case of your unRAID server and another computer/device having the same IP address, but that does not seem to be the case because you seem to be accessing the server from the outside world.  Each computer will join only the workgroup to which it is assigned by the workgroup name.

 

If you are coming in from the outside world, you should be coming in through a VPN and not an open port on the router.  unRAID is not secured to run on the open Internet!!!! 

 

I would still suggest that you do this:

 

Have you checked to see what your clients 'think' is the Local Master?  (You will have to google for this one.)

 

This could provide an insight into what is going on. 

 

 

Link to comment

I am the network administrator for this particular network.

 

I am ensuring that there are no static ip conflicts. I name each of my computers on the network after Pokemon (cause I am a cool 90's kid) and am sure that the host name is unique.

 

I have seen the security flaws that are present in the standard unraid setup and done some work on my router to protect against that. The only IPs that are open to the outside world are 80 and 443 - and emhttp is not being served to port 80 but rather port 8081, and I am using nginx to serve on those ports and have specified more specific rules to prevent outside issues.

 

I am connecting to my unraid server through a VPN called hamachi (via logmein) - so port 22 is closed on my router.

 

I will have to google how to check what my clients think that the local master is - however even from the host - trying to connect to 127.0.0.1 is providing a disconnected error - something about that feels very wrong.

Link to comment

Follow on:  Did you read the first two posts in the release notes for version 6.2? 

 

    http://lime-technology.com/forum/index.php?topic=51874.0

 

In the second post, there is a whole section on Network changes and issues.  But read the entirety of these first two posts in any case as there might be a clue to some small 'gotcha' that you missed. 

 

It might also help if you were to post what MB and CPU you are using.  (I am suspecting that you are using a server class MB with remote management features...) 

Link to comment

I have read all of the networking changes, and unless I am missing something - it should be set up correctly. There is no special remote hardware that is set up - I have simply set up a VPN service called hamachi that I can use to simply ssh into the machine.

 

I was unable to attach the file directly to my post as it is greater than 320kb. I have uploaded it to an external server.

Diagnostics: -Removed-

 

Motherboard:

dmidecode -t 2

# dmidecode 3.0
Getting SMBIOS data from sysfs.
SMBIOS 2.4 present.

Handle 0x0002, DMI type 2, 8 bytes
Base Board Information
Manufacturer:  XFX  
Product Name: XFX nForce 780i 3-Way SLI
Version: 1
Serial Number: 1

 

CPU:

dmidecode -t 4

# dmidecode 3.0
Getting SMBIOS data from sysfs.
SMBIOS 2.4 present.

Handle 0x0004, DMI type 4, 35 bytes
Processor Information
Socket Designation: Socket 775
Type: Central Processor
Family: Other
Manufacturer: Intel
ID: FB 06 00 00 FF FB EB BF
Signature: Type 0, Family 6, Model 15, Stepping 11
Flags:
	FPU (Floating-point unit on-chip)
	VME (Virtual mode extension)
	DE (Debugging extension)
	PSE (Page size extension)
	TSC (Time stamp counter)
	MSR (Model specific registers)
	PAE (Physical address extension)
	MCE (Machine check exception)
	CX8 (CMPXCHG8 instruction supported)
	APIC (On-chip APIC hardware supported)
	SEP (Fast system call)
	MTRR (Memory type range registers)
	PGE (Page global enable)
	MCA (Machine check architecture)
	CMOV (Conditional move instruction supported)
	PAT (Page attribute table)
	PSE-36 (36-bit page size extension)
	CLFSH (CLFLUSH instruction supported)
	DS (Debug store)
	ACPI (ACPI supported)
	MMX (MMX technology supported)
	FXSR (FXSAVE and FXSTOR instructions supported)
	SSE (Streaming SIMD extensions)
	SSE2 (Streaming SIMD extensions 2)
	SS (Self-snoop)
	HTT (Multi-threading)
	TM (Thermal monitor supported)
	PBE (Pending break enabled)
Version: Intel(R) Core(TM)2 Quad CPU
Voltage: 1.7 V
External Clock: 267 MHz
Max Speed: 200 MHz
Current Speed: 2403 MHz
Status: Populated, Enabled
Upgrade: ZIF Socket
L1 Cache Handle: 0x000A
L2 Cache Handle: 0x000B
L3 Cache Handle: Not Provided
Serial Number:  
Asset Tag:  
Part Number: 

 

(Not really proud of the specs - Believe me I am looking to upgrade - lol)

 

Thanks again for your help

-Cody

Link to comment

I took a look at your logs and found they are full of entries like these:

 

Dec 26 01:40:01 Charmander rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="1326" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Dec 26 01:40:02 Charmander login[1912]: invalid password for 'root'  on '/dev/pts/2' from '202.71.9.205'
Dec 26 01:40:02 Charmander login[1912]: REPEATED login failures on '/dev/pts/2' from '202.71.9.205'
Dec 26 01:40:03 Charmander login[1946]: invalid password for 'root'  on '/dev/pts/0' from '92.62.242.130.fibermax.bg'
Dec 26 01:40:03 Charmander login[1982]: invalid password for 'UNKNOWN'  on '/dev/pts/12' from '220-133-241-171.HINET-IP.hinet.net'
Dec 26 01:40:04 Charmander login[1977]: invalid password for 'UNKNOWN'  on '/dev/pts/10' from '171.231.149.16'
Dec 26 01:40:04 Charmander login[1947]: invalid password for 'UNKNOWN'  on '/dev/pts/11' from 'bband-dyn244.178-41-156.t-com.sk'
Dec 26 01:40:04 Charmander login[1967]: invalid password for 'root'  on '/dev/pts/1' from '27-105-153-76-adsl-TXG.dynamic.so-net.net.tw'
Dec 26 01:40:05 Charmander in.telnetd[2062]: connect from 202.71.9.205 (202.71.9.205)
Dec 26 01:40:06 Charmander sshd[1993]: Failed password for root from 218.65.30.134 port 14907 ssh2
Dec 26 01:40:06 Charmander login[1946]: invalid password for 'UNKNOWN'  on '/dev/pts/0' from '92.62.242.130.fibermax.bg'
Dec 26 01:40:06 Charmander login[1946]: REPEATED login failures on '/dev/pts/0' from '92.62.242.130.fibermax.bg'
Dec 26 01:40:06 Charmander login[1982]: invalid password for 'UNKNOWN'  on '/dev/pts/12' from '220-133-241-171.HINET-IP.hinet.net'
Dec 26 01:40:07 Charmander sshd[1993]: Failed password for root from 218.65.30.134 port 14907 ssh2
Dec 26 01:40:07 Charmander login[2067]: invalid password for 'root'  on '/dev/pts/13' from '202.71.9.205'
Dec 26 01:40:08 Charmander login[1947]: invalid password for 'UNKNOWN'  on '/dev/pts/11' from 'bband-dyn244.178-41-156.t-com.sk'
Dec 26 01:40:08 Charmander login[1947]: REPEATED login failures on '/dev/pts/11' from 'bband-dyn244.178-41-156.t-com.sk'
Dec 26 01:40:08 Charmander in.telnetd[2076]: connect from 171.231.149.16 (171.231.149.16)
Dec 26 01:40:08 Charmander sshd[1993]: Failed password for root from 218.65.30.134 port 14907 ssh2
Dec 26 01:40:08 Charmander login[1967]: invalid password for 'root'  on '/dev/pts/1' from '27-105-153-76-adsl-TXG.dynamic.so-net.net.tw'

 

My guess would be that you are being hacked!

Link to comment
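A way to triage entries like the ones quoted in the post above, as an added example that is not part of the original thread: it groups failed logins by service and by whether the source is inside or outside the networks you trust. The sample lines are constructed (documentation address ranges), and the function names and the `INTERNAL_NETS` list, including the 25.0.0.0/8 Hamachi range, are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Networks treated as "inside" (assumption): RFC 1918 ranges, loopback and the
# Hamachi overlay that the thread shows on ham0 (25.x.x.x, netmask 255.0.0.0).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "25.0.0.0/8")]

# One pattern per log format seen in the thread; each captures the source.
PATTERNS = [
    ("sshd", re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
        r"from (?P<src>\S+) port \d+")),
    ("telnet", re.compile(
        r"in\.telnetd\[\d+\]: connect from \S+ \((?P<src>[^)]+)\)")),
    # "REPEATED login failures" lines are skipped on purpose so that one
    # failed attempt is not counted twice.
    ("login", re.compile(
        r"login\[\d+\]: invalid password for '[^']*'\s+"
        r"on '/dev/pts/\d+' from '(?P<src>[^']+)'")),
]

# Constructed sample in the same format as the syslog excerpt.
SAMPLE = """\
Dec 26 01:40:02 nas login[1912]: invalid password for 'root'  on '/dev/pts/2' from '203.0.113.7'
Dec 26 01:40:02 nas login[1912]: REPEATED login failures on '/dev/pts/2' from '203.0.113.7'
Dec 26 01:40:03 nas login[1946]: invalid password for 'UNKNOWN'  on '/dev/pts/0' from 'host7.isp.example'
Dec 26 01:40:05 nas in.telnetd[2062]: connect from 203.0.113.7 (203.0.113.7)
Dec 26 01:40:06 nas sshd[1993]: Failed password for root from 198.51.100.23 port 14907 ssh2
Dec 26 01:40:07 nas sshd[1993]: Failed password for root from 198.51.100.23 port 14907 ssh2
Dec 26 01:40:08 nas sshd[1993]: Failed password for root from 198.51.100.23 port 14907 ssh2
Dec 26 01:40:08 nas sshd[2101]: Failed password for invalid user admin from 25.10.20.30 port 50222 ssh2
Dec 26 01:40:09 nas sshd[2102]: Failed password for media from 192.168.2.50 port 40100 ssh2
""".splitlines()


def scope(src):
    """Classify a source as 'internal', 'external' or 'name' (unresolved)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "name"  # reverse-DNS name; deliberately not resolved (offline)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def parse(lines):
    """Return (service, source, scope) for every line that matches a pattern."""
    events = []
    for line in lines:
        for service, rx in PATTERNS:
            m = rx.search(line)
            if m:
                src = m.group("src")
                events.append((service, src, scope(src)))
                break
    return events


def summarize(events):
    """Count events per service and scope."""
    per_service = defaultdict(Counter)
    for service, _, sc in events:
        per_service[service][sc] += 1
    return {svc: dict(c) for svc, c in per_service.items()}


def exposed_services(events):
    """Services that logged at least one attempt from an external IP address."""
    return sorted({svc for svc, _, sc in events if sc == "external"})


def top_sources(events, n=3):
    """Most active sources across all services."""
    return Counter(src for _, src, _ in events).most_common(n)


if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(summarize(ev))
    print("reached from outside:", exposed_services(ev))
    print("top sources:", top_sources(ev))
```

Any service listed by `exposed_services` received traffic from an address outside the trusted networks, which means some path from the internet to that port exists regardless of what the router's port-forward table says.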

bots are ubiquitous and relentless.
Link to comment

They are trying, that's obvious. On the other hand I'm not sure how this could relate to samba disconnecting me. I will deal with the security issues asap, but failed attempts like this shouldn't be preventing access from localhost.

Link to comment

Plus the number of attempts and with your hardware, you could be experiencing the equivalent of a DOS attack.  Furthermore, no one has the time to wade through more than 6MB of syslogs for you!!!

 

I appreciate you pointing out the security issue.

 

I have gone ahead and patched that all up, restarted the server, reran a bunch of the commands above to try and connect to the samba share from both the host itself and clients - all with the same outcome. I went ahead and reran the diagnostics file and am uploading it here.

 

Thanks again for looking.

charmander-diagnostics-20161230-1159.zip

Link to comment

Go into that Diagnostics File to the system folder and look at the ifconfig.txt file.  Look at the eth0 receive packets bytes received.  All of this traffic occurred in a period of three minutes.  Do you have an explanation for that?  Are the data disks receiving this information?  (Are they staying spun up even if you try to spin them down?)

 

I also found this in the syslog:

 

Dec 30 11:55:45 Charmander avahi-daemon[10444]: Joining mDNS multicast group on interface ham0.IPv4 with address 25.6.239.12.
Dec 30 11:55:45 Charmander avahi-daemon[10444]: New relevant interface ham0.IPv4 for mDNS.
Dec 30 11:55:45 Charmander avahi-daemon[10444]: Registering new address record for 25.6.239.12 on ham0.IPv4.

 

A search indicates that this address is assigned to the United Kingdom - UK Ministry of Defence

 

There are a whole lot more lines in your go file than are found in the normal go file.  Is this something that you placed there?

 

Is this server still directly on the Internet?  While I am no security expert, there is general consensus (confirmed by LimeTech) that unRAID servers should not be directly exposed to the Internet.  If you have to connect to a server from the WAN, the preferred method is to use a VPN.

 

Link to comment

I have placed a bunch of information in my go file. Copying over new ssh configs, starting up hamachi (the vpn tunneling system), copying over the timezone information, setting up pip so I can have python modules available for cron scripts. I also touch /etc/nologin to prevent anyone other than root logging in. The sshd_config file has password authentication now turned off. I also have a lot of new lines with comments explaining each section to myself.

 

The 25.0.0.0/24 space is reserved for the ham0 interface. That is the IP address that is assigned to this particular.

root@Charmander:/var/log# hamachi
  version    : 2.0.1.13
  pid        : 10717
  status     : logged in
  client id  : 196-***-***
  address    : 25.6.239.12
  nickname   : Charmander
  lmi account: ********@gmail.com

 

The only ports that are exposed to the open internet are 80 and 443 - all others are closed. emhttp does not connect to port 80 - but rather port 8081. I have used nginx running in a docker container to expose a site that is designed to be on the open internet. Everything else that is related to unraid is inaccessible outside the Hamachi VPN and internal network. If you would like to see my nginx configs that are part of the docker container, I can share those as well.

 

Samba runs on ports 137-139 /  445 - connecting to it through the host 127.0.0.1 should not pose any problems.

 

To address your concern about the large volume of traffic in 3 minutes - I am going to assume that is my docker container for deluge seeding some of my recent downloads.

 

I can start to disable some of these services if you think they are causing a problem with my ability to connect via smbclient, I am just having a difficult time picturing exactly what would  be interfering.

 

Thanks again Frank!

Link to comment

Let's try some things:

 

First, from the command prompt, type:      ping 8.8.8.8

 

Second, from a Windows computer, open a Command Prompt window.  Then type:

 

      ping 192.168.2.40

and

      ping 192.168.2.41

 

If you don't get the proper response, post back  with the error message (if any).

 

If these tests are successful, then let's move on to try this.  Open up Windows Explorer and in the address bar enter first:   

 

      \\192.168.2.40  (Press<Enter>)

and  then try:

 

    \\192.168.2.41

 

What did you get?  Report back any error messages.

     

Link to comment

I do not currently have access to any Windows computers. Only OS X and Linux. I am still on vacation and only have access to these computers remotely. I will be home on Tuesday if debugging from Windows is that important.

 

Luxray is a Linux box that is used as a media computer to play the files. (Yes, I name all my computers after Pokemon xD)

ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=21.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=19.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=27.0 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 19.129/22.451/27.085/3.380 ms

 

ping 192.168.2.40

PING 192.168.2.40 (192.168.2.40) 56(84) bytes of data.
64 bytes from 192.168.2.40: icmp_seq=1 ttl=64 time=0.118 ms
64 bytes from 192.168.2.40: icmp_seq=2 ttl=64 time=0.149 ms
^C
--- 192.168.2.40 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.118/0.133/0.149/0.019 ms

 

ping 192.168.2.41

PING 192.168.2.41 (192.168.2.41) 56(84) bytes of data.
64 bytes from 192.168.2.41: icmp_seq=1 ttl=64 time=0.574 ms
64 bytes from 192.168.2.41: icmp_seq=2 ttl=64 time=0.266 ms
^C
--- 192.168.2.41 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.266/0.420/0.574/0.154 ms

 

ifconfig - run on a computer other than the unraid server.

docker0   Link encap:Ethernet  HWaddr 02:42:bc:53:7b:20
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth1      Link encap:Ethernet  HWaddr d4:3d:7e:9a:3d:e8
          inet addr:192.168.2.50  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fd00:bc4d:fbdc:5c42:851c:c177:4879:86ac/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:c61:26d9:6a55:7956/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:acfd:f5c3:8bc2:a43b/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:55e6:da67:cd4b:2612/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:acfd:f5c3:8bc2:a43b/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:851c:c177:4879:86ac/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:38a3:db8b:a2b:bcc3/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:55e6:da67:cd4b:2612/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:38a3:db8b:a2b:bcc3/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:70be:e856:e9c9:5825/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:c61:26d9:6a55:7956/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:d63d:7eff:fe9a:3de8/64 Scope:Global
          inet6 addr: fe80::d63d:7eff:fe9a:3de8/64 Scope:Link
          inet6 addr: fd00:bc4d:fbdc:5c42:41d4:882d:24ff:d0a3/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413::3/128 Scope:Global
          inet6 addr: 2607:fea8:be60:413:70be:e856:e9c9:5825/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:41d4:882d:24ff:d0a3/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:d63d:7eff:fe9a:3de8/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28480648 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6349823 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:36488804599 (36.4 GB)  TX bytes:2221799475 (2.2 GB)
          Interrupt:20 Memory:f7f00000-f7f20000

ham0      Link encap:Ethernet  HWaddr 7a:79:19:49:b1:0e
          inet addr:25.73.177.14  Bcast:25.255.255.255  Mask:255.0.0.0
          inet6 addr: 2620:9b::1949:b10e/96 Scope:Global
          inet6 addr: fe80::7879:19ff:fe49:b10e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1404  Metric:1
          RX packets:441195 errors:0 dropped:0 overruns:0 frame:0
          TX packets:355253 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:209186271 (209.1 MB)  TX bytes:139962909 (139.9 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2173383 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2173383 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:322483380 (322.4 MB)  TX bytes:322483380 (322.4 MB)

 

You have both telnet and ssh opened for the outside world. I would start closing that first.

I am not sure where you are getting telnet and ssh opened to the outside world. My router explicitly blocks all ports but 443 and 80 (or rather the only ports being forwarded are).

 

 

Finally, I was able to have a workaround to get access to the files.

 

I changed my /etc/fstab mounting lines from:

//192.168.2.40/Backup    /mnt/charmander    cifs    username=media,iocharset=utf8,file_mode=0644,dir_mode=0644,noperm,nofail    0    0

to

[email protected]:/mnt/user/Backup              /mnt/charmander         fuse.sshfs              _netdev,user,idmap=user,transform_symlinks,identityfile=/root/.ssh/id_rsa,allow_other,default_permissions,uid=1000,gid=1000,umask=0   0     0

 

Yes, I understand the second option is a huge security issue, but it is only temporary until I can actually get Samba working. The fact that I can get sshfs to actually mount and be successful should remove concerns about a connectivity issue on the network.

Link to comment

You have both telnet and ssh opened for the outside world. I would start closing that first.

I am not sure where you are getting telnet and ssh opened to the outside world. My router explicitly blocks all ports but 443 and 80 (or rather the only ports being forwarded are).

 

Your syslog shows

 

Dec 26 01:40:03 Charmander login[1946]: invalid password for 'root'  on '/dev/pts/0' from '92.62.242.130.fibermax.bg'
Dec 26 01:40:03 Charmander login[1982]: invalid password for 'UNKNOWN'  on '/dev/pts/12' from '220-133-241-171.HINET-IP.hinet.net'
Dec 26 01:40:04 Charmander login[1977]: invalid password for 'UNKNOWN'  on '/dev/pts/10' from '171.231.149.16'
Dec 26 01:40:04 Charmander login[1947]: invalid password for 'UNKNOWN'  on '/dev/pts/11' from 'bband-dyn244.178-41-156.t-com.sk'
Dec 26 01:40:04 Charmander login[1967]: invalid password for 'root'  on '/dev/pts/1' from '27-105-153-76-adsl-TXG.dynamic.so-net.net.tw'

 

These are login attempts from outside. Don't think this is you, unless you are able to travel between Slovakia and Taiwan in 0 seconds ;D

 

Link to comment
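
Added example (not part of the original thread): the burst of failures in the syslog excerpt above can be detected mechanically. This Python code parses `login[...]: invalid password` lines in that format and reports when several distinct non-LAN sources fail a login on a pseudo-terminal within a short window; the sample lines, the LOCAL address list, the 60-second window and the three-source threshold are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the syslog excerpt above (not real data).
SAMPLE = """\
Dec 26 01:40:03 nas login[1946]: invalid password for 'root'  on '/dev/pts/0' from 'host-a.example.net'
Dec 26 01:40:03 nas login[1982]: invalid password for 'UNKNOWN'  on '/dev/pts/12' from '203.0.113.7'
Dec 26 01:40:04 nas login[1977]: invalid password for 'UNKNOWN'  on '/dev/pts/10' from 'host-b.example.org'
Dec 26 09:15:10 nas login[2101]: invalid password for 'root'  on '/dev/pts/0' from '192.168.2.50'
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ login\[\d+\]: invalid password for "
                  r"'(?P<user>[^']*)'\s+on '(?P<tty>[^']*)' from '(?P<src>[^']*)'")
# Address ranges treated as local (assumption: an RFC 1918 LAN like the thread's).
LOCAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                 "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]

def is_external(src):
    """Literal IPs are checked against LOCAL; resolved hostnames count as external."""
    try:
        ip = ip_address(src)
    except ValueError:
        return True
    return not any(ip in net for net in LOCAL)

def parse(text, year=2000):
    """Yield (time, user, tty, src); syslog omits the year, so one is assumed."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["tty"], m["src"]

def external_bursts(text, window=timedelta(seconds=60), min_sources=3):
    """One finding per burst of >= min_sources distinct external sources in `window`."""
    events = sorted(e for e in parse(text)
                    if is_external(e[3]) and e[2].startswith("/dev/pts/"))
    findings, i = [], 0
    while i < len(events):
        j = i
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        sources = sorted({e[3] for e in events[i:j]})
        hit = len(sources) >= min_sources
        if hit:
            findings.append({"start": events[i][0], "attempts": j - i, "sources": sources})
        i = j if hit else i + 1  # report each burst once
    return findings
```

A non-empty result on a real syslog means a login service is receiving connections from outside the listed local ranges.
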

You have both telnet and ssh opened for the outside world. I would start closing that first.

I am not sure where you are getting telnet and ssh opened to the outside world. My router explicitly blocks all ports but 443 and 80 (or rather the only ports being forwarded are).

 

Your syslog shows

 

Dec 26 01:40:03 Charmander login[1946]: invalid password for 'root'  on '/dev/pts/0' from '92.62.242.130.fibermax.bg'
Dec 26 01:40:03 Charmander login[1982]: invalid password for 'UNKNOWN'  on '/dev/pts/12' from '220-133-241-171.HINET-IP.hinet.net'
Dec 26 01:40:04 Charmander login[1977]: invalid password for 'UNKNOWN'  on '/dev/pts/10' from '171.231.149.16'
Dec 26 01:40:04 Charmander login[1947]: invalid password for 'UNKNOWN'  on '/dev/pts/11' from 'bband-dyn244.178-41-156.t-com.sk'
Dec 26 01:40:04 Charmander login[1967]: invalid password for 'root'  on '/dev/pts/1' from '27-105-153-76-adsl-TXG.dynamic.so-net.net.tw'

 

These are login attempts from outside. Don't think this is you, unless you are able to travel between Slovakia and Taiwan in 0 seconds ;D

 

Ya never know ;) But yes, those logs were from the 26th - I have since patched that up and removed the "openness" to the world wide web. Now it is just port 80 and 443 that are open. You are looking at an older diagnostics report :) There should be a new one attached to one of the posts that is much smaller.

 

Thanks for looking though!

Link to comment

Let's try some things:

 

First, from the command prompt, type:      ping 8.8.8.8

 

Second, from a Windows computer, open a Command Prompt window.  Then type:

 

      ping 192.168.2.40

and

      ping 192.168.2.41

 

If you don't get the proper response, post back  with the error message (if any).

 

If these tests are successful, then let's move on to try this.  Open up Windows Explorer and in the address bar enter first:   

 

      \\192.168.2.40  (Press<Enter>)

and  then try:

 

    \\192.168.2.41

 

What did you get?  Report back any error messages.

     

I do not currently have access to any Windows computers. Only OS X and Linux. I am still on vacation and only have access to these computers remotely. I will be home on Tuesday if debugging from Windows is that important.

 

Luxray is a Linux box that is used as a media computer to play the files. (Yes, I name all my computers after Pokémon xD)

ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=21.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=19.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=27.0 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 19.129/22.451/27.085/3.380 ms

 

ping 192.168.2.40

PING 192.168.2.40 (192.168.2.40) 56(84) bytes of data.
64 bytes from 192.168.2.40: icmp_seq=1 ttl=64 time=0.118 ms
64 bytes from 192.168.2.40: icmp_seq=2 ttl=64 time=0.149 ms
^C
--- 192.168.2.40 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.118/0.133/0.149/0.019 ms

 

ping 192.168.2.41

PING 192.168.2.41 (192.168.2.41) 56(84) bytes of data.
64 bytes from 192.168.2.41: icmp_seq=1 ttl=64 time=0.574 ms
64 bytes from 192.168.2.41: icmp_seq=2 ttl=64 time=0.266 ms
^C
--- 192.168.2.41 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.266/0.420/0.574/0.154 ms

 

ifconfig

docker0   Link encap:Ethernet  HWaddr 02:42:bc:53:7b:20
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth1      Link encap:Ethernet  HWaddr d4:3d:7e:9a:3d:e8
          inet addr:192.168.2.50  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fd00:bc4d:fbdc:5c42:851c:c177:4879:86ac/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:c61:26d9:6a55:7956/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:acfd:f5c3:8bc2:a43b/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:55e6:da67:cd4b:2612/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:acfd:f5c3:8bc2:a43b/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:851c:c177:4879:86ac/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:38a3:db8b:a2b:bcc3/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:55e6:da67:cd4b:2612/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:38a3:db8b:a2b:bcc3/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:70be:e856:e9c9:5825/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:c61:26d9:6a55:7956/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:d63d:7eff:fe9a:3de8/64 Scope:Global
          inet6 addr: fe80::d63d:7eff:fe9a:3de8/64 Scope:Link
          inet6 addr: fd00:bc4d:fbdc:5c42:41d4:882d:24ff:d0a3/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413::3/128 Scope:Global
          inet6 addr: 2607:fea8:be60:413:70be:e856:e9c9:5825/64 Scope:Global
          inet6 addr: 2607:fea8:be60:413:41d4:882d:24ff:d0a3/64 Scope:Global
          inet6 addr: fd00:bc4d:fbdc:5c42:d63d:7eff:fe9a:3de8/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28480648 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6349823 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:36488804599 (36.4 GB)  TX bytes:2221799475 (2.2 GB)
          Interrupt:20 Memory:f7f00000-f7f20000

ham0      Link encap:Ethernet  HWaddr 7a:79:19:49:b1:0e
          inet addr:25.73.177.14  Bcast:25.255.255.255  Mask:255.0.0.0
          inet6 addr: 2620:9b::1949:b10e/96 Scope:Global
          inet6 addr: fe80::7879:19ff:fe49:b10e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1404  Metric:1
          RX packets:441195 errors:0 dropped:0 overruns:0 frame:0
          TX packets:355253 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:209186271 (209.1 MB)  TX bytes:139962909 (139.9 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2173383 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2173383 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:322483380 (322.4 MB)  TX bytes:322483380 (322.4 MB)

 

You have both telnet and ssh opened for the outside world. I would start closing that first.

I am not sure where you are getting telnet and ssh opened to the outside world. My router explicitly blocks all ports but 443 and 80 (or rather the only ports being forwarded are).

 

 

Finally, I was able to have a workaround to get access to the files.

 

I changed my /etc/fstab mounting lines from:

//192.168.2.40/Backup    /mnt/charmander    cifs    username=media,iocharset=utf8,file_mode=0644,dir_mode=0644,noperm,nofail    0    0

to

[email protected]:/mnt/user/Backup              /mnt/charmander         fuse.sshfs              _netdev,user,idmap=user,transform_symlinks,identityfile=/root/.ssh/id_rsa,allow_other,default_permissions,uid=1000,gid=1000,umask=0   0     0

 

Yes, I understand the second option is a huge security issue, but it is only temporary until I can actually get Samba working. The fact that I can get sshfs to actually mount and be successful should remove concerns about a connectivity issue on the network.

 

Is that ifconfig from your unraid server? If it is, how come you have IPv6?

Link to comment
