Bugzilla – Full Text Bug Listing

| Summary: | Yast2 Samba Server module does not open enough in SuSEfirewall to allow traffic | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 11.4 | Reporter: | Johan Persson <johanp> |
| Component: | YaST2 | Assignee: | Lukas Ocilka <locilka> |
| Status: | RESOLVED FIXED | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | dmueller, forgotten_xs3PtXj4XH, jsuchome, lnussel, locilka, martin.schlander, mge, samba-maintainers |
| Version: | Milestone 5 of 6 | | |
| Target Milestone: | Milestone 6 of 6 | | |
| Hardware: | All | | |
| OS: | Other | | |
| Whiteboard: | maint:planned:update | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Attachments:

- Fedora 11 iptables with samba client and server enabled
- Output of iptables-save on openSUSE 11.1 with samba server/client and netbios server interfaces allowed

Description
Johan Persson
2009-09-24 19:15:16 UTC
FW_CONFIGURATIONS_EXT="samba-server samba-client"

Configurations 'samba-server' and 'samba-client' are maintained by Samba team.

The question here is which method does the yast module use if the checkbox to open ports is ticked? Does it set FW_CONFIGURATIONS_*?

```
"FIREWALL": CWMFirewallInterfaces::CreateOpenFirewallWidget($[
    "services": [ "service:samba-server" ],
    "display_details": true
]),
```
YaST currently doesn't support any other method than FW_CONFIGURATIONS_* for opening firewall port(s).
BTW: samba-server should contain all ports required by server, using samba-client should not be needed. It comes from the understanding of what *-server vs *-client means.

Shouldn't there be something like FW_ALLOW_FW_BROADCAST_UDP="137 138"?

@Johan: pls verify if there is something like the one mentioned above. thanks!

I'll do some more testing on a clean setup. I'm not an expert on everything samba needs to be working so the setting I'm using might be too much. I'll do some testing with various settings and report back to this thread.

/etc/sysconfig/SuSEfirewall2.d/services/samba-server does not list any ports for UDP and BROADCAST.

Created attachment 321719
Fedora 11 iptables with samba client and server enabled

Created attachment 321720
Output of iptables-save on openSUSE 11.1 with samba server/client and netbios server interfaces allowed

Hi,
following a discussion on the -project mailing list, I decided to take a look at what Fedora and RHEL do in this field, since they have had a working implementation of samba and iptables for a long time, without the troubles we face on SUSE even after allowing samba client and server interfaces in SUSEfirewall using YaST.
You find attached the iptables generated on Fedora when the two options "samba client" and "samba server" are selected in their firewall tool (btw, it warns it uses an additional helper called nf_conntrack_netbios_ns).
You also find attached what iptables-save returns on openSUSE 11.1 after allowing samba client, server and netbios server in YaST SuSEfirewall interface.
I hope this helps to finally find a solution :-)

reassigning..

Has this been fixed for 11.3? The YaST2 Samba module should allow Netbios Server and Samba Client in the Firewall module.

This appears to still be an issue in openSuSE 11.3 RC2. Selecting "Open Port In Firewall" permits other hosts to connect if they know the IP address of the SuSE Linux machine, but the machine is not visible in the workgroup as NetBIOS traffic is not permitted. Additionally, attempting to display other hosts on the network through Dolphin gives the error message "Unable to find any workgroups in your local network". Ticking the box in the Samba module really should enable "Samba Client" and "Netbios Server" in the Firewall module. I have updated the distribution to reflect the current situation, but the issue is present in openSuSE 11.2 as well.

Ludwig, have you checked that RHEL info from comment 9?

see comment#7

Ludwig, I hope you've managed to make some progress. I have tested against 11.3 Final and the issue persists.

Are there any updates on this issue? I just tried 11.3 and, as is pointed out, this issue remains. I fully understand if this is not a high priority since the people (like me) that want this can do the manual tweaking necessary. However I believe that unless this is properly fixed the option "Open ports in firewall" should be disabled since it is highly misleading. Unfortunately I'm not sure I have the expertise in network configuration not to open up too much. I think the following minimum needs to be achieved:

* SMB Server detectable by clients on the network by browsing
* Full traffic (of course..) through the FW
* Discovery of other servers on the network through Dolphin

Basically a fully working SMB server. (There might be security implications by this but any person who enables SMB server would have to know that and be aware of the limitations/consequences)

I tend to agree, Johan. Other clients on the network should at least be discoverable by default.
In any case, I have tested against 11.4 M4 now, and the Samba server module still does not open enough ports for proper Windows network browsing. Dolphin complains that it cannot find any other workgroups or machines, just as before.

(In reply to comment #4)
> "FIREWALL": CWMFirewallInterfaces::CreateOpenFirewallWidget($[
>     "services": [ "service:samba-server" ],
>     "display_details": true
> ]),

So after talking in circles for years this turns out to be the culprit! The broadcast definition is in the netbios-server service file! So yast needs to specify both samba-server and netbios-server here to allow access to the server itself and name resolution. D'oh!

Ludwig, I don't suppose you could check in the necessary change? This bug is still present in 11.4 M5.

Fix submitted to openSUSE:Factory in version 2.20.1

Thank you so much Lukas. Hope to see the change in M6 or beta.

It looks like "Samba Client" also has to be added to the list of permitted services before the user can view other automatically-discovered clients on the network through Dolphin as well.

OK, I'll add "Samba Client" as well.

Much obliged Lukas. Thank you.

Submitted new sources to openSUSE:Factory in version 2.20.2

Works nicely. Yay!

Thanks for testing :)
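
The root cause found in this thread (the widget requested only samba-server while the broadcast definition lives in netbios-server) can be checked mechanically. The script below is an added example, not part of the bug report or of YaST/SuSEfirewall2: it computes which ports a list of firewall services opens and flags a list that leaves NetBIOS broadcasts closed. It assumes service files hold shell-style `TCP=`, `UDP=` and `BROADCAST=` lines with numeric ports; the two sample files are constructed to mirror what the thread describes, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not YaST or SuSEfirewall2 code. Function names are hypothetical.
# Assumes service files hold shell-style TCP="", UDP="", BROADCAST="" lines
# with numeric ports; the sample files below are constructed for illustration.

# Create a temp directory with two constructed service definitions.
make_sample_services() {
    dir=$(mktemp -d)
    printf 'TCP="139 445"\nUDP=""\nBROADCAST=""\n' > "$dir/samba-server"
    printf 'TCP=""\nUDP="137 138"\nBROADCAST="137 138"\n' > "$dir/netbios-server"
    echo "$dir"
}

# Union of one variable (TCP, UDP or BROADCAST) over a list of services.
# $1 = service directory, $2 = variable name, $3 = space separated services
ports_opened() {
    out=""
    for svc in $3; do
        f="$1/$svc"
        [ -r "$f" ] || { echo "missing service file: $svc" >&2; continue; }
        # Parse the assignment instead of sourcing the file, so nothing in it runs.
        val=$(sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$f")
        out="$out $val"
    done
    # One port per line, sorted and unique, joined back with single spaces.
    printf '%s\n' $out | sort -un | tr '\n' ' ' | sed 's/ *$//'
}

# Succeeds only if NetBIOS name (137) and datagram (138) broadcasts are allowed.
netbios_browsing_allowed() {
    bc=" $(ports_opened "$1" BROADCAST "$2") "
    case "$bc" in *" 137 "*) ;; *) return 1 ;; esac
    case "$bc" in *" 138 "*) ;; *) return 1 ;; esac
}

# Compare the service list requested before and after the fix in this thread.
report() {
    for cfg in "samba-server" "samba-server netbios-server"; do
        if netbios_browsing_allowed "$1" "$cfg"; then s="allowed"; else s="BLOCKED"; fi
        echo "[$cfg] tcp=$(ports_opened "$1" TCP "$cfg") browsing=$s"
    done
}

d=$(make_sample_services); report "$d"; rm -rf "$d"
```

On a real system, point `ports_opened` at the service directory and pass the value of `FW_CONFIGURATIONS_EXT`; files that name ports symbolically would need mapping to numbers first.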