Dear all,

I set up Samba to run via inetd (and through tcpd) so I could easily control host access (default deny-all policy). This sounds worse than it actually is: all you have to do is run `sambaconfig' and hit `i'. Everything will be taken care of except the deny-all policy. This is trivial: just put `ALL : ALL' in `/etc/hosts.deny' and you're done.

This setup works fine except for the fact that `nmbd' has a tendency to start looping, which creates tons of messages in `/var/log/nmb', `/var/log/daemon.log*' and `/var/log/syslog*'. Typical entries look like

    Aug 23 16:03:08 bilbo nmbd[5346]: connect from 172.16.x.y
    Aug 23 16:03:08 bilbo inetd[5328]: /usr/sbin/tcpd: exit status 0x1

for daemon.log and syslog. This repeats for a bit with only the `nmbd' process ID changing until `inetd' gets sick of it and says

    Aug 23 16:03:08 bilbo inetd[5328]: netbios-ns/udp server failing (looping), service terminated

The entries in `/var/log/nmb' say

    [2000/08/23 16:03:08, 1] nmbd/nmbd.c: main(757)
      Netbios nameserver version 2.0.7 started.
      Copyright Andrew Tridgell 1994-1998
    [2000/08/23 16:03:08, 0] lib/pidfile.c:pidfile_create(86)
      ERROR: nmbd is already running. File /var/samba/nmbd.pid exists and process id 5346 is running.

This happens for a variety of IP addresses and some of these have at some points in time successfully established connections via `smbd'. Apparently, `nmbd' stays around for a bit after `inetd' starts it, but I don't quite understand why the looping occurs.

Anyways, I found that `smb.conf' supports `hosts deny' and `hosts allow' keywords with the same syntax as used for `/etc/hosts.deny' and `/etc/hosts.allow'. So I figured I'd better run as daemons instead of from `inetd' and added something like this to the `[global]' section of my `smb.conf'

    # deny-all policy
    hosts deny = ALL EXCEPT localhost
    # private class B network
    hosts allow = 172.16.

and ran `sambaconfig' again. So far, so good. I haven't seen any looping in the last few hours. Uh, after starting it with the `-a' flag (already filed a bug report about this).

All in all, it looks like running Samba from `inetd' is not such a good idea.

--
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
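
An added example, not part of the original post: a small Python scan of daemon.log-style text that reports each point where inetd gave up on a looping service, together with the failed spawns and tcpd-logged connections leading up to it. The sample log is constructed in the format quoted above (addresses and PIDs are made up), and the function name `find_inetd_loops` is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample in the daemon.log format quoted in the post
# (addresses and process IDs are made up for this example).
SAMPLE_LOG = """\
Aug 23 16:03:08 bilbo nmbd[5346]: connect from 172.16.0.10
Aug 23 16:03:08 bilbo inetd[5328]: /usr/sbin/tcpd: exit status 0x1
Aug 23 16:03:08 bilbo nmbd[5347]: connect from 172.16.0.10
Aug 23 16:03:08 bilbo inetd[5328]: /usr/sbin/tcpd: exit status 0x1
Aug 23 16:03:08 bilbo nmbd[5348]: connect from 172.16.0.11
Aug 23 16:03:08 bilbo inetd[5328]: /usr/sbin/tcpd: exit status 0x1
Aug 23 16:03:08 bilbo inetd[5328]: netbios-ns/udp server failing (looping), service terminated
Aug 23 16:10:42 bilbo smbd[5402]: connect from 172.16.0.10
"""

# timestamp, host (ignored), program[pid], message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([\w.-]+)\[\d+\]: (.*)$")
CONNECT = re.compile(r"^connect from (\S+)$")
FAILED = re.compile(r"^(\S+): exit status (0x[0-9a-f]+)$")
LOOPING = re.compile(r"^(\S+) server failing \(looping\), service terminated$")

def find_inetd_loops(text):
    """Return one report per 'server failing (looping)' line: the service,
    the time inetd terminated it, and what was logged since the last event."""
    reports, connects, failed = [], Counter(), 0
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog-style line
        stamp, prog, msg = m.groups()
        if prog != "inetd":
            c = CONNECT.match(msg)  # tcpd logs under the wrapped daemon's name
            if c:
                connects[(prog, c.group(1))] += 1
        elif (f := FAILED.match(msg)) and int(f.group(2), 16) != 0:
            failed += 1  # child started by inetd exited non-zero
        elif (loop := LOOPING.match(msg)):
            reports.append({"service": loop.group(1), "terminated_at": stamp,
                            "failed_spawns": failed, "connects": dict(connects)})
            connects, failed = Counter(), 0  # start a fresh window
    return reports

if __name__ == "__main__":
    for report in find_inetd_loops(SAMPLE_LOG):
        print(report)
```

Once inetd logs the termination, the service stays off until inetd is told to re-read its configuration, so a hit from this scan also means name service on that port is currently down.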