Archive for March, 2005

SNTP.NLM

Tuesday, March 29th, 2005

I had set up NTP on ducati early on (11 February) in the project, and generally I was happy with the result. My objectives were to sync with reliable servers on the Internet and to allow local clients (including my NetWare 4.2 server running SNTP.NLM and Windows XP) to retrieve time from the Linux server.

The problem I face now is that the NetWare server is complaining that it cannot connect to the NTP server on ducati:

I suspect a firewall problem again. Consulting the /etc/services file, I note that NTP appears to use port 123. A quick change using the system-config-securitylevel command and suddenly everything starts working again:

More on DNS Query Refusal

Saturday, March 26th, 2005

A recap of the DNS query refusal problem on suzuki. Here is an example of a failing command, as run from ducati:

Screen clipping taken: 26/03/2005, 17:04

Eureka! I disabled the firewall on suzuki (system-config-securitylevel) and suddenly queries started working. Further investigations show that suzuki and ducati behave differently. After changing firewall settings on suzuki, I got it to work just fine. I needed to specify the domain:tcp port to get it to answer queries. The really confusing part: now ducati doesn’t work unless I explicitly list domain:udp!!! Why is one box using tcp and the other udp for queries? I am using the dig command:

dig @suzuki.hapgoods.com ural.hapgoods.com

To be safe, I have added both protocols (domain:tcp and domain:udp) to both ducati and suzuki.

UPDATE (09/09/2005): it seems that udp is used for queries and tcp is used for zone transfers. That seems logical, as a zone transfer needs to be completed reliably, sequentially and completely. See http://www.aboutdebian.com/dns.htm for a hint at this application of the two protocols.
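To make the udp/tcp split concrete, here is a small added example (written for this post, not code from it or from dig): it builds the same A query that the dig command above sends, shows the only wire-level difference between the two transports (TCP prefixes each message with a 2-byte length), and goes one step beyond the post by handling the other case in which a resolver switches to TCP: a UDP reply with the TC (truncated) bit set. The sample replies are constructed, not captured traffic; ural.hapgoods.com is the name from the post.

```python
"""How a DNS client uses UDP and TCP: queries go over udp/53; tcp/53 is used
for zone transfers and whenever a UDP reply comes back truncated (TC=1)."""
import socket
import struct

def build_query(name, qid=0x1234, qtype=1):
    """Minimal DNS query: 12-byte header (RD=1, one question) + QNAME + QTYPE + QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def tcp_frame(msg):
    """DNS over TCP prefixes each message with its big-endian 2-byte length; UDP sends it bare."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Decode the header; TC=1 means the answer did not fit in the UDP reply."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an}

def needs_tcp_retry(udp_reply):
    """A resolver must repeat the query over TCP when TC is set (RFC 1035, section 4.2.1)."""
    return parse_header(udp_reply)["truncated"]

def resolve(name, server, timeout=3.0):
    """Live lookup: UDP first, then tcp/53 only if the UDP answer was truncated.
    So a server's firewall has to pass both domain:udp and domain:tcp."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if not needs_tcp_retry(reply):
        return parse_header(reply)
    with socket.create_connection((server, 53), timeout) as s:
        s.sendall(tcp_frame(q))
        length = struct.unpack("!H", s.recv(2))[0]
        reply = b""
        while len(reply) < length:          # TCP may deliver the message in pieces
            reply += s.recv(length - len(reply))
    return parse_header(reply)

# Constructed sample replies (not captured traffic): same id as the query,
# flags QR=1 RD=1 RA=1 with one answer; the second one also has TC=1.
SAMPLE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 1, 0, 0)
```

resolve("ural.hapgoods.com", "192.168.1.5") performs the live lookup; with the firewall blocking one of the two ports it raises a socket error only on the transport that is blocked, which is why the two boxes in the post could fail differently.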

Samba

Saturday, March 26th, 2005

Earlier, I had set up Samba using SWAT and, despite some early problems that were perhaps related to Windows, I finally got it working. Now I am motivated to add a share to support Microsoft FrontPage, which is the tool I will be using to set up my website. I do have Apache running on the server (http://www.hapgoods.com returns the Apache default page). Some relevant commands and such:

http://www.hapgoods.com:901      starts the SWAT utility
/etc/samba/smb.conf              Samba configuration file
smbclient -L localhost -U%       see the current public shares
testparm -v -s                   see the value of all parameters
pdbedit -l                       list all Samba users
smbstatus                        check the status of SMB shares

I changed some parameters in an attempt to get the Windows clients (running WinXP Home with SP2) to detect config changes on the server more quickly:

preferred master = Yes    (was "Auto")
os level = 65             (was 20)
domain master = Yes       (was "Auto")

These changes were recommended by Linux Home Networking (http://www.linuxhomenetworking.com/linux-hn/samba.htm).

Changed Web share to not be read-only.

Changed Global section to only allow connections from local network (192.168.1.0).

Changed the permissions of /var/www/html (the Web share target) to 777; this is a BAD solution to the permissions issues with Apache that I will need to resolve.

01/05/2005 more samba

Today I am going to try to improve on the Samba configuration. Particularly for Matt, this is the primary reason for having bought a server.

First, I got tired of the out-of-date documentation on www.linuxhomenetworking.com. There are also some frustrating typos (there is no such global parameter as domain, despite table 10-2). So I went to the source: www.samba.org. I found some excellent documentation.

First, I want to make sure that all users can access the Samba shares. I was having problems using account pah1 to access Samba, despite the fact that pah1 was a valid Linux user and had a share (using the homes section). The key: I forgot to use the smbpasswd command to create the Samba user.

smbpasswd -a pah1

The samba.org website also gives lots of examples of using smbclient under Linux to do testing.

21/08/2005 swat

I had originally built a basic swat configuration that allowed maintenance from only one PC on my network. That worked well until this past weekend when I tried to figure out some other problems with samba. I had forgotten that I had limited swat access to only one PC. So today I began the quest for a smarter swat security configuration. Basically, I want to be able to administer samba remotely from ANY machine on my network. But I do not want anyone outside my network to be able to access it at all. Here is an appropriate configuration:

Screen clipping taken: 22/08/2005, 16:14

Don’t forget to reload the config files:

[root@ducati xinetd.d]# service xinetd restart

Also, I had to adjust the firewall settings with system-config-securitylevel to allow the swat service (TCP port 901) through.
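Since the clipping with the SWAT configuration is not reproduced above, here is an added example (mine, not the post's or xinetd's own code) of the access rule both the SWAT section and the earlier Samba change (allow connections only from 192.168.1.0) are after: an assumed /etc/xinetd.d/swat stanza whose only_from admits any machine on the local network and nothing else, plus a simplified model of that match so the decision can be checked for a given client address. The stanza values (port 901 is from the post; the /usr/sbin/swat path and the 192.168.1.0/24 netmask are assumptions) and the trailing-dot prefix form are assumptions made here.

```python
"""Local-network-only access as xinetd's only_from (or Samba's hosts allow)
expresses it. Simplified model written for this post; not xinetd's own code."""
import ipaddress

# Assumed /etc/xinetd.d/swat stanza: the server itself and any host on
# 192.168.1.0/24 may reach SWAT on tcp/901; everything else is refused.
SWAT_XINETD_CONF = """\
service swat
{
    port        = 901
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/swat
    only_from   = 127.0.0.1 192.168.1.0/24
    log_on_failure += USERID
    disable     = no
}
"""

def parse_allow_list(spec):
    """Turn an allow-list value into ip_network objects. Accepts CIDR
    ("192.168.1.0/24"), a single address, and the Samba-style trailing-dot
    prefix ("192.168.1."), which is expanded to the matching /8, /16 or /24."""
    nets = []
    for tok in spec.split():
        if tok.endswith("."):
            octets = tok.rstrip(".").split(".")
            tok = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets

def only_from_value(conf):
    """Pull the only_from value out of an xinetd stanza ("" if absent)."""
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "only_from":
            return value.strip()
    return ""

def is_allowed(client_ip, spec):
    """True if client_ip falls inside any entry of spec; an empty spec denies everyone."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_allow_list(spec))
```

After editing the real file, `service xinetd restart` (as above) is still needed, and the firewall must pass tcp/901 before only_from ever gets to decide.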

DNS Queries Refused

Wednesday, March 2nd, 2005

I ran tcpdump on suzuki to try to diagnose the problem noted on 17/02/2005. I think I have a smoking gun here, but I'm still not sure if the problem is with the firewall on suzuki (of which I know very little) or a security setting in named.

07:24:41.233917 IP 192.168.1.20.32957 > 192.168.1.5.domain:  61972+ A? ducati.hapgoods.com. (37)

07:24:41.234063 IP 192.168.1.5 > 192.168.1.20: icmp 73: host 192.168.1.5 unreachable - admin prohibited

Similar output results regardless of where I originate the query (except suzuki itself, where everything works nicely). Because the /etc/named.conf files on suzuki and ducati are similar, I am starting to suspect that the problem is actually with a firewall setting on suzuki.

Is it a problem with SELinux? Here is something that would make you think so: http://www.cavebear.com/cbblog-archives/2005_01.html

On the other hand, I need to check if iptables is running.