Gentoo Archives: gentoo-admin

From: Miroslav Rovis <m.rovis@××××.hr>
To: gentoo-admin@l.g.o
Subject: [gentoo-admin] "Denied connection", network cannot be established, xinetd or pam.d/su related?
Date: Tue, 11 Jul 2006 22:43:14
Message-Id: 44B42921.1010305@inet.hr

Where you see '#myCMNT', that's my comment.
--------------------------------------------------
#myCMNT output of # ifconfig

eth0      Link encap:Ethernet HWaddr 00:08:A1:7F:1F:2C
          inet addr:192.168.2.110 Bcast:192.168.2.255 Mask:255.255.255.0
          inet6 addr: fe80::208:a1ff:fe7f:1f2c/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:11277 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6933 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6864442 (6.5 Mb) TX bytes:846312 (826.4 Kb)
          Interrupt:17 Base address:0xa000

eth1      Link encap:Ethernet HWaddr 00:0E:2E:32:23:3B
          inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
          inet6 addr: fe80::20e:2eff:fe32:233b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:509 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:57650 (56.2 Kb) TX bytes:2376 (2.3 Kb)
          Interrupt:18 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:4888 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4888 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:872425 (851.9 Kb) TX bytes:872425 (851.9 Kb)

--------------------------------------------------
#myCMNT output of # route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
gentoo-A8V      *               255.255.255.255 UH    0      0        0 eth1
exDeoWG-net     *               255.255.255.0   U     0      0        0 eth1
SE555-net       *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0

--------------------------------------------------
#myCMNT output of # route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
--------------------------------------------------
#myCMNT
# /etc/hosts: This file describes a number of hostname-to-address
# ...
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/hosts,v 1.8 2003/08/04 20:12:25 azarah Exp $
#

127.0.0.1 localhost gentoo-A8V
192.168.3.1 gentoo-A8V
192.168.3.2 WXP-9nda3j
10.10.10.1 pitr-int
10.10.10.2 dustpuppy-int
10.10.10.3 poseidon-int
134.68.220.30 toucan
# IPV6 versions of localhost and co
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

--------------------------------------------------
#myCMNT /etc/hosts.allow

portmap: 192.168.2.0/255.255.255.0
portmap: 255.255.255.255 0.0.0.0

portmap: 192.168.3.0/255.255.255.0
portmap: 255.255.255.255 0.0.0.0

swat: 127.0.0.1

--------------------------------------------------
#myCMNT /etc/hosts.deny

portmap: ALL
swat: ALL

--------------------------------------------------
#myCMNT
# /etc/host.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/2.3.6/host.conf,v 1.1 2006/02/21 23:35:21 vapier Exp $

# The file /etc/host.conf contains configuration ...

order hosts, bind

# Valid values are on and off. If set to on, the resolv+ library
# will return all valid addresses for a host that appears in the
# /etc/hosts file, instead of only the first. This is off by
# default, as it may cause a substantial performance loss at sites
# with large hosts files.
#
multi on

--------------------------------------------------
#myCMNT
# /etc/networks
# ...

loopback 127.0.0.0

SE555-net 192.168.2.0

exDeoWG-net 192.168.3.0

--------------------------------------------------
#myCMNT /etc/resolv.conf
# Generated by dhcpcd for interface eth0
nameserver 192.168.2.1

--------------------------------------------------
#myCMNT
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $

passwd: compat
shadow: compat
group: compat

# passwd: db files nis
# shadow: db files nis
# group: db files nis

hosts: files dns
networks: files dns

services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files

automount: files
aliases: files

--------------------------------------------------
#myCMNT Windows XP SP2
#myCMNT Start Menu > Settings > Network Connections > Local Area
connection, right click > Properties > Internet Properties > Properties,
fill in 192.168.3.2 255.255.255.0 ... click Advanced, click "WINS" tab,
fill in 192.168.3.1, OK all. As many times before.

C:\Documents and Settings\Myrons>ping wxp-9nda3j

Pinging wxp-9nda3j [192.168.3.2] with 32 bytes of data:

Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Reply from 192.168.3.2: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.3.2:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\Myrons>ping 192.168.3.2

Pinging 192.168.3.2 with 32 bytes of data:

Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Reply from 192.168.3.2: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.3.2:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C

C:\Documents and Settings\Myrons>time
The current time is: 9:22:50.46
Enter the new time:

C:\Documents and Settings\Myrons>ping 192.168.3.1

Pinging 192.168.3.1 with 32 bytes of data:

Request timed out.

Ping statistics for 192.168.3.1:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Documents and Settings\Myrons>

--------------------------------------------------
#myCMNT Linux
gentoo-A8V ~ # ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=64 time=0.035 ms

--- 192.168.3.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.034/0.036/0.039/0.002 ms

gentoo-A8V ~ # date
Tue Jul 11 21:22:51 CEST 2006
gentoo-A8V ~ # ping 192.168.3.2
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 192.168.3.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2008ms

gentoo-A8V ~ #

--------------------------------------------------
#myCMNT /var/log/messages (with my comments ;-) along)

#myCMNT the following actually happened, or at least started, right
after 9:22:50.46 post meridiem on Windows, see the Windows log above
Jul 11 21:23:27 gentoo-A8V Unknown InputIN=eth1 OUT= MAC=00:0e:2e:32:23:3b:00:04:61:99:74:af:08:00 SRC=192.168.3.2 DST=192.168.3.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=1365 PROTO=UDP SPT=137 DPT=137 LEN=76
#myCMNT Sure enough, that's my nVidia Ethernet's MAC on Windows box:
00:04:61:99:74:AF
#myCMNT Sure enough, that's Windows pinging Linux, see SRC and DST
Jul 11 21:23:29 gentoo-A8V Unknown InputIN=eth1 OUT= MAC=00:0e:2e:32:23:3b:00:04:61:99:74:af:08:00 SRC=192.168.3.2 DST=192.168.3.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=1366 PROTO=UDP SPT=137 DPT=137 LEN=76
...
#myCMNT the following actually happened, or at least started, right
after 21:22:51 on Linux, see Linux log above
#myCMNT But what's this? I log in as miro, open KDE konsole, then su to
root and I was pinging from Linux like that. I *didn't* su at this time.
I su'd earlier, maybe hours earlier...
Jul 11 21:23:33 gentoo-A8V su[14896]: Successful su for root by miro
Jul 11 21:23:33 gentoo-A8V su[14896]: + pts/8 miro:root
Jul 11 21:23:33 gentoo-A8V su(pam_unix)[14896]: session opened for user root by (uid=1000)
Jul 11 21:23:33 gentoo-A8V su(pam_unix)[14896]: session closed for user root
Jul 11 21:23:34 gentoo-A8V su[14901]: Successful su for root by miro
Jul 11 21:23:34 gentoo-A8V su[14901]: + pts/8 miro:root
Jul 11 21:23:34 gentoo-A8V su(pam_unix)[14901]: session opened for user root by (uid=1000)
Jul 11 21:22:01 gentoo-A8V su(pam_unix)[14901]: session closed for user root
Jul 11 21:23:03 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21985 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=5888
#myCMNT Sure enough, that's Linux pinging Windows, see SRC and DST
Jul 11 21:23:08 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21986 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6144
...
Jul 11 21:24:37 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58

--------------------------------------------------
#myCMNT This line (a few of these) above, when I pinged Windows from
Linux (pls. take a look), is possibly an indication, hopefully, because
I have no other clue within my difficult and time-consuming grasp...

ping: sendmsg: Operation not permitted

Heeellppp! ...

--------------------------------------------------
#myCMNT /etc/pam.d/samba
#%PAM-1.0
# * pam_smbpass.so authenticates against the smbpasswd file
# * changed Redhat's 'pam_stack' with 'include' for *BSD compatibility
# (Diego "Flameeyes" Petteno'): enable with pam>=0.78 only
auth required pam_smbpass.so nodelay
account include system-auth
session include system-auth
password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

--------------------------------------------------
#myCMNT
# /etc/conf.d/portmap: config file for /etc/init.d/portmap

# Listen on localhost only by default
#PORTMAP_OPTS="-l"

--------------------------------------------------
#myCMNT /etc/samba/smb.conf
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2006/07/11 13:51:39

[global]
    workgroup = EXDEOWG
    interfaces = eth1
    security = SHARE
    os level = 99
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    hosts allow = 192.168.3.2.

[data]
    comment = Data
    path = /export
    force user = miro
    force group = users
    read only = No
    guest ok = Yes

[WXP-9nda3j]
    path = //WXP-9nda3j/I
    force user = miro
    force group = users
    read only = No
    guest ok = Yes

[homes]
    valid users = %S
    read only = No
    browseable = No

--------------------------------------------------
#myCMNT /var/log/samba/log.nmbd
[2006/07/11 21:24:37, 0] libsmb/nmblib.c:send_udp(791)
  Packet send failed to 192.168.3.255(137) ERRNO=Operation not permitted
[2006/07/11 21:24:37, 0] nmbd/nmbd_packets.c:send_netbios_packet(163)
  send_netbios_packet: send_packet() to IP 192.168.3.255 port 137 failed
[2006/07/11 21:24:37, 0] nmbd/nmbd_namequery.c:query_name(237)
  query_name: Failed to send packet trying to query name EXDEOWG<1d>
...
#myCMNT here nmbd process went on every 5 minutes (and is still going)
#myCMNT sure I have to spare you that!
  Packet send failed to 192.168.3.255(138) ERRNO=Operation not permitted
[2006/07/11 22:09:37, 0] libsmb/nmblib.c:send_udp(791)
  Packet send failed to 192.168.3.255(137) ERRNO=Operation not permitted
[2006/07/11 22:09:37, 0] nmbd/nmbd_packets.c:send_netbios_packet(163)
  send_netbios_packet: send_packet() to IP 192.168.3.255 port 137 failed
[2006/07/11 22:09:37, 0] nmbd/nmbd_namequery.c:query_name(237)
  query_name: Failed to send packet trying to query name EXDEOWG<1d>
...

--------------------------------------------------
#myCMNT /var/log/samba/log.winbindd
[2006/07/11 12:08:58, 0] lib/util.c:smb_panic2(1562)
  BACKTRACE: 5 stack frames:
   #0 winbindd(smb_panic2+0x6e) [0x5555555ed51e]
   #1 winbindd(init_domain_list+0x12d) [0x55555559916d]
   #2 winbindd(main+0x41a) [0x555555592a1a]
   #3 /lib/tls/libc.so.6(__libc_start_main+0xe4) [0x2b283323f644]
   #4 winbindd [0x55555559132a]
[2006/07/11 13:47:35, 1] nsswitch/winbindd.c:main(978)
  winbindd version 3.0.22 started.
  Copyright The Samba Team 2000-2004
[2006/07/11 13:47:35, 0] nsswitch/winbindd_util.c:winbindd_param_init(781)
  winbindd: idmap uid range missing or invalid
[2006/07/11 13:47:35, 0] nsswitch/winbindd_util.c:winbindd_param_init(782)
  winbindd: cannot continue, exiting.
[2006/07/11 13:47:35, 1] nsswitch/winbindd.c:main(1011)
  Could not init idmap -- netlogon proxy only
[2006/07/11 13:47:35, 0] lib/util.c:smb_panic2(1554)
  PANIC: Could not fetch our SID - did we join?

[2006/07/11 13:47:35, 0] lib/util.c:smb_panic2(1562)
  BACKTRACE: 5 stack frames:
   #0 /usr/sbin/winbindd(smb_panic2+0x6e) [0x5555555ed51e]
   #1 /usr/sbin/winbindd(init_domain_list+0x12d) [0x55555559916d]
   #2 /usr/sbin/winbindd(main+0x41a) [0x555555592a1a]
   #3 /lib/tls/libc.so.6(__libc_start_main+0xe4) [0x2b63ed808644]
   #4 /usr/sbin/winbindd [0x55555559132a]

--------------------------------------------------
#myCMNT /var/log/samba/log.smbd
[2006/07/11 15:07:18, 0] lib/access.c:check_access(328)
  Denied connection from (192.168.3.1)
[2006/07/11 15:07:18, 1] smbd/process.c:process_smb(1187)
  Connection denied from 192.168.3.1
[2006/07/11 15:07:25, 0] lib/access.c:check_access(328)
  Denied connection from (192.168.3.1)
[2006/07/11 15:07:25, 1] smbd/process.c:process_smb(1187)
  Connection denied from 192.168.3.1
#myCMNT I have nothing more recent in that log, and that's a little
strange, because that must be related somehow to the output when pinging
Windows:

ping: sendmsg: Operation not permitted

--------------------------------------------------
#myCMNT /etc/pam.d/su Complete, this is the crunch, I guess.
#myCMNT I'd need another day just to study it. Don't have. Help!
#%PAM-1.0

auth sufficient pam_rootok.so

# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su
# auth required pam_wheel.so use_uid
#myCMNT The one line above, the one hash in begin, not knowing that
#myCMNT cost me 4 days rooting only in kde...
#myCMNT So... I couldn't bother learning what that wheel group is at all.

auth include system-auth

account include system-auth

password include system-auth

session include system-auth
session required pam_env.so
session optional pam_xauth.so


--------------------------------------------------
#myCMNT output of:
#myCMNT cat /etc/xinetd.conf | grep -v '^#'
#myCMNT and one (1) comment of mine

defaults
{
    log_type = SYSLOG daemon info
    log_on_failure = HOST
    log_on_success = PID HOST DURATION EXIT
#myCMNT I added my eth1 network: 192.168.3.0
    only_from = localhost 192.168.3.0
    cps = 50 10
    instances = 50
    per_source = 10
    v6only = no
    groups = yes
    umask = 002
}

includedir /etc/xinetd.d

--------------------------------------------------
#myCMNT output of:
#myCMNT cat /etc/xinetd.d/echo-dgram | grep -v '^#'

service echo
{
    disable = no
    id = echo-dgram
    type = INTERNAL
    wait = yes
    socket_type = dgram
}
--------------------------------------------------
#myCMNT output of:
#myCMNT cat /etc/xinetd.d/echo-stream | grep -v '^#'
service echo
{
    disable = no
    id = echo-stream
    type = INTERNAL
    wait = no
    socket_type = stream
}
--------------------------------------------------
#myCMNT output of:
#myCMNT cat /etc/xinetd.d/echo-udp | grep -v '^#'
service echo
{
    type = INTERNAL UNLISTED
    id = echo-dgram
    socket_type = dgram
    protocol = udp
    user = root
    wait = yes
    port = 7
    disable = no
}
--------------------------------------------------
#myCMNT output of:
#myCMNT cat /etc/xinetd.d/echo-tcp | grep -v '^#'
service echo
{
    type = INTERNAL
    id = echo-stream
    socket_type = stream
    protocol = tcp
    user = root
    wait = no
    disable = no
}

--------------------------------------------------
#myCMNT I couldn't figure whether any other files in /etc/xinetd.d
#myCMNT might be of concern here.
--------------------------------------------------

That's all folks.
Grateful if anyone takes time to consider and help relieve this situation.

Miroslav Rovis, new gentoo user (two weeks and not done yet...)
www.exDeo.com

P.S. LFS was easier, LFSers have "by the book" guide that rarely
fails... But LFS takes triple (or longer) the time to build... Gentoo
looks great, if only I solve this and a few other issues yet...
P.S.2 My gentoo is with modular X, synced and updated around July 6 I
guess, and it's an AMD64 box, if that is of any concern in this matter.

--
gentoo-admin@g.o mailing list
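
The kernel entries in the /var/log/messages excerpt above use the key=value layout that the netfilter LOG target writes, with "Unknown Input" and "Unknown Output" as the log prefix. As an added example (not part of the original message), this Python code parses those entries and tallies them by direction, protocol, endpoints and ICMP type or destination port; the function names are hypothetical, and the sample lines are copied from the message with the archive's line wrapping undone.

```python
import re
from collections import Counter

# Lines copied from the /var/log/messages excerpt in the message above, with
# the archive's line wrapping undone; the su line is kept as non-firewall noise.
SAMPLE_LOG = """\
Jul 11 21:23:27 gentoo-A8V Unknown InputIN=eth1 OUT= MAC=00:0e:2e:32:23:3b:00:04:61:99:74:af:08:00 SRC=192.168.3.2 DST=192.168.3.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=1365 PROTO=UDP SPT=137 DPT=137 LEN=76
Jul 11 21:23:29 gentoo-A8V Unknown InputIN=eth1 OUT= MAC=00:0e:2e:32:23:3b:00:04:61:99:74:af:08:00 SRC=192.168.3.2 DST=192.168.3.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=1366 PROTO=UDP SPT=137 DPT=137 LEN=76
Jul 11 21:23:33 gentoo-A8V su[14896]: Successful su for root by miro
Jul 11 21:23:03 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21985 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=5888
Jul 11 21:23:08 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21986 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6144
Jul 11 21:24:37 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
"""

# syslog timestamp, host, free-text log prefix, then the fixed IN=/OUT= start
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<prefix>.*?)"
    r"IN=(?P<inif>\S*)\sOUT=(?P<outif>\S*)\s(?P<rest>.*)$"
)
ICMP_TYPES = {"0": "echo-reply", "3": "dest-unreachable", "8": "echo-request"}


def parse_line(line):
    """Return a dict for a netfilter LOG line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip()
    for key, value in re.findall(r"(\w+)=(\S*)", rec.pop("rest")):
        rec.setdefault(key, value)  # LEN and ID repeat; keep the IP header's
    both = rec["inif"] and rec["outif"]
    rec["direction"] = "forward" if both else "in" if rec["inif"] else "out"
    return rec


def describe(rec):
    """Label the packet by ICMP type name or by destination port."""
    if rec.get("PROTO") == "ICMP":
        icmp_type = rec.get("TYPE", "?")
        return ICMP_TYPES.get(icmp_type, "icmp-type-" + icmp_type)
    return "dpt=" + rec.get("DPT", "?")


def summarize(text):
    """Count logged packets per (prefix, direction, proto, src, dst, what)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["prefix"], rec["direction"], rec.get("PROTO", "?"),
                    rec.get("SRC", "?"), rec.get("DST", "?"), describe(rec))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

On the sample this reports two inbound UDP/137 packets from 192.168.3.2, two outbound ICMP type 0 (echo reply) packets to 192.168.3.2, and one outbound UDP/137 broadcast.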