From: Miroslav Rovis <m.rovis@inet.hr>
To: gentoo-admin@lists.gentoo.org
Subject: [gentoo-admin] "Denied connection", network cannot be established, xinetd or pam.d/su related?
Date: Wed, 12 Jul 2006 00:41:37 +0200
Message-ID: <44B42921.1010305@inet.hr>
Where you see '#myCMNT', that's my comment.
--------------------------------------------------
#myCMNT output of # ifconfig
eth0 Link encap:Ethernet HWaddr 00:08:A1:7F:1F:2C
inet addr:192.168.2.110 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::208:a1ff:fe7f:1f2c/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11277 errors:0 dropped:0 overruns:0 frame:0
TX packets:6933 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6864442 (6.5 Mb) TX bytes:846312 (826.4 Kb)
Interrupt:17 Base address:0xa000
eth1 Link encap:Ethernet HWaddr 00:0E:2E:32:23:3B
inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
inet6 addr: fe80::20e:2eff:fe32:233b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:509 errors:0 dropped:0 overruns:0 frame:0
TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:57650 (56.2 Kb) TX bytes:2376 (2.3 Kb)
Interrupt:18 Base address:0xc000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4888 errors:0 dropped:0 overruns:0 frame:0
TX packets:4888 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:872425 (851.9 Kb) TX bytes:872425 (851.9 Kb)
--------------------------------------------------
#myCMNT output of # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
gentoo-A8V * 255.255.255.255 UH 0 0 0 eth1
exDeoWG-net * 255.255.255.0 U 0 0 0 eth1
SE555-net * 255.255.255.0 U 0 0 0 eth0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
--------------------------------------------------
#myCMNT output of # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.3.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
--------------------------------------------------
#myCMNT
# /etc/hosts: This file describes a number of hostname-to-address
# ...
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/hosts,v 1.8 2003/08/04 20:12:25 azarah Exp $
#
127.0.0.1 localhost gentoo-A8V
192.168.3.1 gentoo-A8V
192.168.3.2 WXP-9nda3j
10.10.10.1 pitr-int
10.10.10.2 dustpuppy-int
10.10.10.3 poseidon-int
134.68.220.30 toucan
# IPV6 versions of localhost and co
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
--------------------------------------------------
#myCMNT /etc/hosts.allow
portmap: 192.168.2.0/255.255.255.0
portmap: 255.255.255.255 0.0.0.0
portmap: 192.168.3.0/255.255.255.0
portmap: 255.255.255.255 0.0.0.0
swat: 127.0.0.1
--------------------------------------------------
#myCMNT /etc/hosts.deny
portmap: ALL
swat: ALL
--------------------------------------------------
#myCMNT
# /etc/host.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/2.3.6/host.conf,v 1.1 2006/02/21 23:35:21 vapier Exp $
# The file /etc/host.conf contains configuration ...
order hosts, bind
# Valid values are on and off. If set to on, the resolv+ library
# will return all valid addresses for a host that appears in the
# /etc/hosts file, instead of only the first. This is off by
# default, as it may cause a substantial performance loss at sites
# with large hosts files.
#
multi on
--------------------------------------------------
#myCMNT
# /etc/networks
# ...
loopback 127.0.0.0
SE555-net 192.168.2.0
exDeoWG-net 192.168.3.0
--------------------------------------------------
#myCMNT /etc/resolv.conf
# Generated by dhcpcd for interface eth0
nameserver 192.168.2.1
--------------------------------------------------
#myCMNT
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $
passwd: compat
shadow: compat
group: compat
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
--------------------------------------------------
#myCMNT Windows XP SP2
#myCMNT Start Menu > Settings > Network Connections > Local Area
connection, right click > Properties > Internet Properties > Properties,
fill in 192.168.3.2 255.255.255.0 ... click Advanced, click "WINS" tab,
fill in 192.168.3.1, OK all. As many times before.
C:\Documents and Settings\Myrons>ping wxp-9nda3j
Pinging wxp-9nda3j [192.168.3.2] with 32 bytes of data:
Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.3.2:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\Myrons>ping 192.168.3.2
Pinging 192.168.3.2 with 32 bytes of data:
Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Reply from 192.168.3.2: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.3.2:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\Myrons>time
The current time is: 9:22:50.46
Enter the new time:
C:\Documents and Settings\Myrons>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.3.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Documents and Settings\Myrons>
--------------------------------------------------
#myCMNT Linux
gentoo-A8V ~ # ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=64 time=0.035 ms
--- 192.168.3.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.034/0.036/0.039/0.002 ms
gentoo-A8V ~ # date
Tue Jul 11 21:22:51 CEST 2006
gentoo-A8V ~ # ping 192.168.3.2
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 192.168.3.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2008ms
gentoo-A8V ~ #
--------------------------------------------------
#myCMNT /var/log/messages (with my comments ;-) along)
#myCMNT the following actually happened, or at least started, right
after 9:22:50.46 post meridiem on Windows, see the Windows log above
Jul 11 21:23:27 gentoo-A8V Unknown InputIN=eth1 OUT= MAC=00:0e:2e:32:23:3b:00:04:61:99:74:af:08:00 SRC=192.168.3.2 DST=192.168.3.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=1365 PROTO=UDP SPT=137 DPT=137 LEN=76
#myCMNT Sure enough, that's my nVidia Ethernet's MAC on Windows box:
00:04:61:99:74:AF
#myCMNT Sure enough, that's Windows pinging Linux, see SRC and DST
Jul 11 21:23:29 gentoo-A8V Unknown InputIN=eth1 OUT= MAC=00:0e:2e:32:23:3b:00:04:61:99:74:af:08:00 SRC=192.168.3.2 DST=192.168.3.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=1366 PROTO=UDP SPT=137 DPT=137 LEN=76
...
#myCMNT the following actually happened, or at least started, right
after 21:22:51 on Linux, see Linux log above
#myCMNT But what's this? I log in as miro, open KDE konsole, then su to
root and I was pinging from Linux like that. I *didn't* su at this time.
I su'd earlier, maybe hours earlier...
Jul 11 21:23:33 gentoo-A8V su[14896]: Successful su for root by miro
Jul 11 21:23:33 gentoo-A8V su[14896]: + pts/8 miro:root
Jul 11 21:23:33 gentoo-A8V su(pam_unix)[14896]: session opened for user root by (uid=1000)
Jul 11 21:23:33 gentoo-A8V su(pam_unix)[14896]: session closed for user root
Jul 11 21:23:34 gentoo-A8V su[14901]: Successful su for root by miro
Jul 11 21:23:34 gentoo-A8V su[14901]: + pts/8 miro:root
Jul 11 21:23:34 gentoo-A8V su(pam_unix)[14901]: session opened for user root by (uid=1000)
Jul 11 21:22:01 gentoo-A8V su(pam_unix)[14901]: session closed for user root
Jul 11 21:23:03 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21985 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=5888
#myCMNT Sure enough, that's Linux pinging Windows, see SRC and DST
Jul 11 21:23:08 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21986 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6144
...
Jul 11 21:24:37 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
--------------------------------------------------
#myCMNT This line (a few of these) above, when I pinged Windows from
Linux (pls. take a look), is possibly an indication, hopefully, because
I have no other clue within my difficult and time-consuming grasp...
ping: sendmsg: Operation not permitted
Heeellppp! ...
--------------------------------------------------
#myCMNT /etc/pam.d/samba
#%PAM-1.0
# * pam_smbpass.so authenticates against the smbpasswd file
# * changed Redhat's 'pam_stack' with 'include' for *BSD compatibility
# (Diego "Flameeyes" Petteno'): enable with pam>=0.78 only
auth required pam_smbpass.so nodelay
account include system-auth
session include system-auth
password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
--------------------------------------------------
#myCMNT
# /etc/conf.d/portmap: config file for /etc/init.d/portmap
# Listen on localhost only by default
#PORTMAP_OPTS="-l"
--------------------------------------------------
#myCMNT /etc/samba/smb.conf
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2006/07/11 13:51:39
[global]
workgroup = EXDEOWG
interfaces = eth1
security = SHARE
os level = 99
preferred master = Yes
domain master = Yes
wins support = Yes
hosts allow = 192.168.3.2.
[data]
comment = Data
path = /export
force user = miro
force group = users
read only = No
guest ok = Yes
[WXP-9nda3j]
path = //WXP-9nda3j/I
force user = miro
force group = users
read only = No
guest ok = Yes
[homes]
valid users = %S
read only = No
browseable = No
--------------------------------------------------
#myCMNT /var/log/samba/log.nmbd
[2006/07/11 21:24:37, 0] libsmb/nmblib.c:send_udp(791)
Packet send failed to 192.168.3.255(137) ERRNO=Operation not permitted
[2006/07/11 21:24:37, 0] nmbd/nmbd_packets.c:send_netbios_packet(163)
send_netbios_packet: send_packet() to IP 192.168.3.255 port 137 failed
[2006/07/11 21:24:37, 0] nmbd/nmbd_namequery.c:query_name(237)
query_name: Failed to send packet trying to query name EXDEOWG<1d>
...
#myCMNT here nmbd process went on every 5 minutes (and is still going)
#myCMNT sure I have to spare you that!
Packet send failed to 192.168.3.255(138) ERRNO=Operation not permitted
[2006/07/11 22:09:37, 0] libsmb/nmblib.c:send_udp(791)
Packet send failed to 192.168.3.255(137) ERRNO=Operation not permitted
[2006/07/11 22:09:37, 0] nmbd/nmbd_packets.c:send_netbios_packet(163)
send_netbios_packet: send_packet() to IP 192.168.3.255 port 137 failed
[2006/07/11 22:09:37, 0] nmbd/nmbd_namequery.c:query_name(237)
query_name: Failed to send packet trying to query name EXDEOWG<1d>
...
--------------------------------------------------
#myCMNT /var/log/samba/log.winbindd
[2006/07/11 12:08:58, 0] lib/util.c:smb_panic2(1562)
BACKTRACE: 5 stack frames:
#0 winbindd(smb_panic2+0x6e) [0x5555555ed51e]
#1 winbindd(init_domain_list+0x12d) [0x55555559916d]
#2 winbindd(main+0x41a) [0x555555592a1a]
#3 /lib/tls/libc.so.6(__libc_start_main+0xe4) [0x2b283323f644]
#4 winbindd [0x55555559132a]
[2006/07/11 13:47:35, 1] nsswitch/winbindd.c:main(978)
winbindd version 3.0.22 started.
Copyright The Samba Team 2000-2004
[2006/07/11 13:47:35, 0] nsswitch/winbindd_util.c:winbindd_param_init(781)
winbindd: idmap uid range missing or invalid
[2006/07/11 13:47:35, 0] nsswitch/winbindd_util.c:winbindd_param_init(782)
winbindd: cannot continue, exiting.
[2006/07/11 13:47:35, 1] nsswitch/winbindd.c:main(1011)
Could not init idmap -- netlogon proxy only
[2006/07/11 13:47:35, 0] lib/util.c:smb_panic2(1554)
PANIC: Could not fetch our SID - did we join?
[2006/07/11 13:47:35, 0] lib/util.c:smb_panic2(1562)
BACKTRACE: 5 stack frames:
#0 /usr/sbin/winbindd(smb_panic2+0x6e) [0x5555555ed51e]
#1 /usr/sbin/winbindd(init_domain_list+0x12d) [0x55555559916d]
#2 /usr/sbin/winbindd(main+0x41a) [0x555555592a1a]
#3 /lib/tls/libc.so.6(__libc_start_main+0xe4) [0x2b63ed808644]
#4 /usr/sbin/winbindd [0x55555559132a]
--------------------------------------------------
#myCMNT /var/log/samba/log.smbd
[2006/07/11 15:07:18, 0] lib/access.c:check_access(328)
Denied connection from (192.168.3.1)
[2006/07/11 15:07:18, 1] smbd/process.c:process_smb(1187)
Connection denied from 192.168.3.1
[2006/07/11 15:07:25, 0] lib/access.c:check_access(328)
Denied connection from (192.168.3.1)
[2006/07/11 15:07:25, 1] smbd/process.c:process_smb(1187)
Connection denied from 192.168.3.1
#myCMNT I have nothing more recent in that log, and that's a little
strange, because that must be related somehow to the output when pinging
Windows:
ping: sendmsg: Operation not permitted
--------------------------------------------------
#myCMNT /etc/pam.d/su Complete, this is the crunch, I guess.
#myCMNT I'd need another day just to study it. Don't have. Help!
#%PAM-1.0
auth sufficient pam_rootok.so
# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow
# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient pam_wheel.so use_uid trust
# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass
# Comment this to allow any user, even those not in the 'wheel'
# group to su
# auth required pam_wheel.so use_uid
#myCMNT The one line above, the one hash in begin, not knowing that
#myCMNT cost me 4 days rooting only in kde...
#myCMNT So... I couldn't bother learning what that wheel group is at all.
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_env.so
session optional pam_xauth.so
--------------------------------------------------
#myCMNT output of:
#myCMNT cat /etc/xinetd.conf | grep -v '^#'
#myCMNT and one (1) comment of mine
defaults
{
log_type = SYSLOG daemon info
log_on_failure = HOST
log_on_success = PID HOST DURATION EXIT
#myCMNT I added my eth1 network: 192.168.3.0
only_from = localhost 192.168.3.0
cps = 50 10
instances = 50
per_source = 10
v6only = no
groups = yes
umask = 002
}
includedir /etc/xinetd.d
--------------------------------------------------
#myCMNT output of:
#myCMNT cat /etc/xinetd.d/echo-dgram | grep -v '^#'
service echo
{
disable = no
id = echo-dgram
type = INTERNAL
wait = yes
socket_type = dgram
}
--------------------------------------------------
#myCMNT output of:
#myCMNT cat /etc/xinetd.d/echo-stream | grep -v '^#'
service echo
{
disable = no
id = echo-stream
type = INTERNAL
wait = no
socket_type = stream
}
--------------------------------------------------
#myCMNT output of:
#myCMNT cat /etc/xinetd.d/echo-udp | grep -v '^#'
service echo
{
type = INTERNAL UNLISTED
id = echo-dgram
socket_type = dgram
protocol = udp
user = root
wait = yes
port = 7
disable = no
}
--------------------------------------------------
#myCMNT output of:
#myCMNT cat /etc/xinetd.d/echo-tcp | grep -v '^#'
service echo
{
type = INTERNAL
id = echo-stream
socket_type = stream
protocol = tcp
user = root
wait = no
disable = no
}
--------------------------------------------------
#myCMNT I couldn't figure whether any other files in /etc/xinetd.d
#myCMNT might be of concern here.
--------------------------------------------------
That's all folks.
Grateful if anyone takes time to consider and help relieve this situation.
Miroslav Rovis, new gentoo user (two weeks and not done yet...)
www.exDeo.com
P.S. LFS was easier, LFSers have "by the book" guide that rarely
fails... But LFS takes triple (or longer) the time to build... Gentoo
looks great, if only I solve this and a few other issues yet...
P.S.2 My gentoo is with modular X, synced and updated around July 6 I
guess, and it's an AMD64 box, if that is of any concern in this matter.
--
gentoo-admin@gentoo.org mailing list
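Added example (not part of the original post, and not the poster's code): a small parser for the netfilter LOG lines quoted from /var/log/messages above. The "Unknown Input"/"Unknown Output" entries have the field layout the kernel LOG target emits (IN=, OUT=, SRC=, DST=, PROTO=, SPT=/DPT= or TYPE=/CODE=), so grouping them by chain, endpoints and protocol is a quick way to see which traffic on eth1 a firewall rule is logging, and it decodes ICMP type numbers so that TYPE=0 reads as the echo-reply it is. The sample input is constructed from the post's own log lines, re-joined onto single lines, plus one unrelated su line to show that non-netfilter entries are skipped; the chain name is inferred from which of IN=/OUT= is filled in, which is a convention of the LOG target rather than something the post states.

```python
import re
from collections import Counter

# Constructed sample input: the netfilter LOG lines quoted in the post,
# each re-joined onto one line, plus an unrelated su line as a negative case.
SAMPLE_MESSAGES = [
    "Jul 11 21:23:27 gentoo-A8V Unknown InputIN=eth1 OUT= "
    "MAC=00:0e:2e:32:23:3b:00:04:61:99:74:af:08:00 SRC=192.168.3.2 DST=192.168.3.1 "
    "LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=1365 PROTO=UDP SPT=137 DPT=137 LEN=76",
    "Jul 11 21:23:29 gentoo-A8V Unknown InputIN=eth1 OUT= "
    "MAC=00:0e:2e:32:23:3b:00:04:61:99:74:af:08:00 SRC=192.168.3.2 DST=192.168.3.1 "
    "LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=1366 PROTO=UDP SPT=137 DPT=137 LEN=76",
    "Jul 11 21:23:03 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21985 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=5888",
    "Jul 11 21:23:08 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21986 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6144",
    "Jul 11 21:24:37 gentoo-A8V Unknown OutputIN= OUT=eth1 SRC=192.168.3.1 DST=192.168.3.255 "
    "LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Jul 11 21:23:33 gentoo-A8V su[14896]: Successful su for root by miro",
]

# syslog timestamp, hostname, free-form LOG prefix, then the IN= field that
# starts the kernel's key=value block.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prefix>.*?)IN=(?P<rest>.*)$"
)

# Common ICMP type numbers (RFC 792); TYPE=0 is an echo *reply*.
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_nf_log(line):
    """Parse one netfilter LOG line into a dict, or return None for other syslog lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix").strip()}
    flags = []
    for tok in ("IN=" + m.group("rest")).split():
        if "=" not in tok:
            flags.append(tok)          # bare flags such as DF carry no value
            continue
        key, _, val = tok.partition("=")
        while key in fields:           # LEN= and ID= appear twice: IP header, then L4 header
            key += "_"
        fields[key] = val
    fields["flags"] = flags
    # Chain inference from the LOG target's convention: INPUT fills IN=, OUTPUT fills OUT=,
    # FORWARD fills both (assumption; the post's prefixes do not name the chain).
    if fields["IN"] and fields["OUT"]:
        fields["chain"] = "FORWARD"
    elif fields["OUT"]:
        fields["chain"] = "OUTPUT"
    else:
        fields["chain"] = "INPUT"
    return fields


def describe(entry):
    """One-line flow description: chain, endpoints, protocol and ports or ICMP type."""
    proto = entry.get("PROTO", "?")
    if proto == "ICMP":
        icmp_type = int(entry["TYPE"])
        detail = ICMP_TYPES.get(icmp_type, "type-%d" % icmp_type)
    elif proto in ("UDP", "TCP"):
        detail = "%s->%s" % (entry["SPT"], entry["DPT"])
    else:
        detail = proto
    return "%s %s -> %s %s %s" % (entry["chain"], entry["SRC"], entry["DST"], proto, detail)


def summarize(lines):
    """Count logged flows per (chain, src, dst, proto, detail); non-netfilter lines are skipped."""
    counts = Counter()
    for line in lines:
        entry = parse_nf_log(line)
        if entry is not None:
            counts[describe(entry)] += 1
    return counts


if __name__ == "__main__":
    for flow, n in sorted(summarize(SAMPLE_MESSAGES).items()):
        print("%3d  %s" % (n, flow))
```

Run against the real file with `summarize(open("/var/log/messages"))`. On the sample, the only OUTPUT-chain entries toward 192.168.3.2 are echo replies (TYPE=0) answering the Windows box's pings, and the NetBIOS broadcast to 192.168.3.255 is logged on the way out as well. A LOG rule only records what it sees; whether the same packets are also dropped depends on the rules after it, and `sendmsg: Operation not permitted` (EPERM) is exactly the error a local socket receives when a netfilter rule in the OUTPUT chain drops its packet, so `iptables -L OUTPUT -v -n` is the next thing to read alongside this summary.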