jesnow l33t
Joined: 26 Apr 2006 Posts: 856
Posted: Mon Oct 24, 2022 6:10 pm Post subject: samba in ssh tunnel: NT_STATUS_CONNECTION_RESET [solved!]
Samba debugging is the worst. And: One false move and you can lose the parts that *are* working and not know why.
Edit: My complaint about Samba stands, but samba wasn't at fault. Once I figured out one thing (below) it all worked flawlessly.
I'm working on getting samba going over an ssh tunnel. This is very deep in the weeds -- unless you have done this yourself, it's not worth reading any further. Our story so far: I've been using samba *successfully* to provide access to my home data through an ssh tunnel for years. It works great with macos and Windows, but I never tried the linux version; I assumed it would be easy. Bad assumption. Yes, I should use NFS for this; eventually I will, but not now.
Samba works in my local net, I use it every single day via fstab mount, for example (the server ssh and smb is merckx):
/etc/fstab on bartali (local net):
Code:
```
//merckx/jesnow /mnt/merckx-jesnow cifs credentials=/root/smb-merckx/.credential,vers=3.11,uid=jesnow,gid=users,_netdev 0 1
```
It also works through the ssh tunnel, I have dyndns set up, and an external domain name "vesarius.net" and ssh listening on a nonstandard port with forwarding turned on, and everything works on mac and windows (I'm pretty proud of that). So for example:
.ssh/config on Chair1 (macos):
Code:
```
Geol-E237-Chair1:~ jesnow$ cat .ssh/config
XAuthLocation /opt/X11/bin/xauth
host *
    controlmaster auto
    controlpath /tmp/ssh-%r@%h:%p
    ServerAliveInterval 60
    ServerAliveCountMax 10
    ConnectTimeout 300
Host merckx
    User jesnow
    HostName merckx.vesarius.net
    Port 2223
    ForwardX11 Yes
    ForwardX11Trusted Yes
    #LocalForward 127.0.0.2:139 merckx:139
    LocalForward 127.0.0.1:44445 merckx:445
    LocalForward 127.0.0.1:2049 merckx:2049
```
And so in Finder I can "connect to server", "smb://localhost:44445/" and it works. I'm doing it right now. So smb.conf, .ssh/config and so forth all work correctly. I even got it going in Windows 10, though that's much more difficult, requiring you to create a virtual NIC to connect to, then open the tunnel and connect it to that. And that all works.
I say this all because it narrows down the possibilities for the problems I'm having with the linux client.
So my work linux box (pogacar) is also behind a firewall with no access from outside. I ssh to it only if I start ssh on the remote client (pogacar) and open a reverse tunnel to port 22. But that works. I can also get NoMachine going (very slowly) on port 4000 over a different reverse tunnel. All of this works.
What fails is when I try to mount (to pogacar) the samba shares on merckx through the tunnel.
Code:
```
mount -t cifs //127.0.0.1/ /mnt/merckx-jesnow/ -o port=44445,credentials=/root/smb-merckx/.cred,vers=3.11,uid=jesnow,gid=jesnow
mount error: Server abruptly closed the connection.
This can happen if the server does not support the SMB version you are trying to use.
The default SMB version recently changed from SMB1 to SMB2.1 and above. Try mounting with vers=1.0.
mount error(112): Host is down
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
```
So I can see the mount attempt in dmesg on client pogacar:
Code:
```
[493328.986893] CIFS: Attempting to mount \\127.0.0.1\
```
And I'm pretty sure that both client and server are speaking SMB3 just fine. I'm using the same samba and cifs-tools versions on both. This command works on the local net (obviously without the port specified). So this error message is a complete red herring; SMB1 has been deprecated for a long time now. The protocol error is not the problem, and the host is not down. It knows it's talking to a samba server on a nonstandard port (because you get a very different error message if you change the -p argument).
Back on the server there is no sign of a connection, even when you turn the log level up.
On the server I can do:
Code:
```
jesnow@merckx ~ $ smbclient -L localhost
Password for [WORKGROUP\jesnow]:

        Sharename       Type      Comment
        ---------       ----      -------
        amoresrv        Disk
        min             Disk
        public          Disk
        windata         Disk
        ccache          Disk
        portage         Disk
        IPC$            IPC       IPC Service (Merckx)
        jesnow          Disk      Home Directories
SMB1 disabled -- no workgroup available
```
On a local client I can do:
Code:
```
bartali ~ # smbclient -L //merckx/ -W GEOSC
Password for [GEOSC\jesnow]:

        Sharename       Type      Comment
        ---------       ----      -------
        amoresrv        Disk
        min             Disk
        public          Disk
        windata         Disk
        ccache          Disk
        portage         Disk
        IPC$            IPC       IPC Service (Merckx)
        jesnow          Disk      Home Directories
SMB1 disabled -- no workgroup available
```
When you do that, you get this in smbd.log:
Code:
```
bartali (ipv4:192.168.1.116:43174) connect to service IPC$ initially as user jesnow (uid=1000, gid=100) (pid 9799)
```
But on the remote client:
Code:
```
pogacar ~ # !550
smbclient -L 127.0.0.1 -p 44445 -W GEOSC
protocol negotiation failed: NT_STATUS_CONNECTION_RESET
```
So it looks like it knows it's connected to a samba server, but the server shows no sign of having been connected to. If you try connecting on the wrong port it knows that:
Code:
```
pogacar ~ # smbclient -L 127.0.0.1 -p 44444 -W GEOSC
do_connect: Connection to 127.0.0.1 failed (Error NT_STATUS_CONNECTION_REFUSED)
```
The ssh config file on pogacar looks like this:
Code:
```
Host *
    ForwardX11 yes
    ForwardX11Trusted yes
Host merckx
    Hostname merckx.vesarius.net
    User jesnow
    RemoteForward 42223 localhost:22
    RemoteForward 43632 localhost:3632
    RemoteForward 44000 localhost:4000
    LocalForward 44445 merckx.vesarius.net:445
    LocalForward 44000 bartali:4000
    Port 2223
```
So the one thing I'm thinking is that where it specifies the forward tunnel, I should just have used the name of the ssh host merckx as I did on the Mac (above) and not the HostName of the ssh server I'm tunneling to/through. I have to go in to change it and reset the tunnel, so I'll do that.
Edit: This was indeed the problem. I changed the config file on the client machine to read:
Code:
```
LocalForward 44445 merckx:445
```
Now everything works flawlessly.
But so, smbd.log even at level 3 doesn't seem to log any initial connects. /var/log/messages is useless (thanks to constant brute force attacks, 100's per minute clogging it up). It's really very frustrating. Anybody with clues or knowing ways to glean information from Samba's cryptic and misleading messages, please help. Many thanks in advance.
Cheers,
Jon.
Epilog, Dec. 2023: After abandoning this whole configuration in favor of nfs over wireguard, I've had to return to it because of a wireguard issue. This post was the only record I had of how to make the (insanely difficult) connection of samba through an ssh tunnel. And it isn't quite right above.
The mount command was as follows (for the record):
Code:
```
vanaert jesnow # mount -t cifs //127.0.0.1/jesnow /mnt/test/ -o port=44445,credentials=/root/smb-merckx/.cred,vers=3.11,uid=jesnow,gid=jesnow
```
Good luck remembering such constructs even for a few months!
Cheers,
Jon.
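As an added example (not from the original post), a small POSIX shell check for the exact misconfiguration found above: a LocalForward whose destination host is the public HostName used to reach the ssh server. sshd resolves that destination on the server side, so a dyndns name there points the tunnel at the server's own external address instead of the service listening locally. The sample config is constructed from the post, and the helper name check_forwards is my own.

```shell
# Added example, not from the original post: flag LocalForward entries whose
# destination host is the public HostName used to reach the ssh server itself.
# sshd resolves the destination on the remote side, so a dyndns name there
# sends the tunnel to the server's own external address (through the firewall)
# rather than to the service on the server. A name that resolves locally on the
# server (the post's fix: "merckx:445") is what is wanted.

# Constructed sample reproducing the misconfiguration from the post.
SAMPLE_CONFIG=$(cat <<'EOF'
Host *
    ForwardX11 yes
Host merckx
    Hostname merckx.vesarius.net
    User jesnow
    RemoteForward 42223 localhost:22
    LocalForward 44445 merckx.vesarius.net:445
    LocalForward 44000 bartali:4000
    Port 2223
EOF
)

# check_forwards CONFIG_TEXT   (hypothetical helper, not an ssh tool)
# Prints "<alias> <listen> <destination>" for each suspicious LocalForward and
# returns 1 if any was found, 0 if the config looks fine.
check_forwards() {
    printf '%s\n' "$1" | awk '
    tolower($1) == "host"     { alias = $2; hostname = ""; next }
    tolower($1) == "hostname" { hostname = tolower($2); next }
    tolower($1) == "localforward" {
        dest = $3                      # $3 is host:hostport
        sub(/:[^:]*$/, "", dest)       # drop the :hostport suffix
        if (hostname != "" && tolower(dest) == hostname) {
            print alias, $2, $3
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Stand-alone run against the constructed sample; for a real config use
#   check_forwards "$(cat ~/.ssh/config)"
if ! check_forwards "$SAMPLE_CONFIG"; then
    echo "the LocalForward destinations above resolve to the server's own public" \
         "name on the server side; use a name that resolves locally there instead"
fi
```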