I have an Azure File Share that's open to the internet and I'm trying to map it in Arch. I am using netcap to test the connection:
nc -zvw3 <IP_Address> 445
This returns:
<IP_Address> 445 (microsoft-ds): Connection timed out
I have tried setting a rule in iptables
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
smb and nmb services seem fine:
systemctl status smb
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; preset: disab>
Active: active (running) since Sun 2022-11-20 14:34:45 EET; 1h 6min ago
systemctl status nmb
● nmb.service - Samba NMB Daemon
Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled; preset: disab>
Active: active (running) since Sun 2022-11-20 14:34:45 EET; 1h 7min ago
I'm not good with networking but I took a tcpdump and tried to read it in Wireshark. I found these two events sent from here to the file share address but I don't know how to interpret them:
5 1.042219 192.168.0.105 <IP_Address> TCP 74 58566 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2205119901 TSecr=0 WS=128
6 2.067547 192.168.0.105 <IP_Address> TCP 74 [TCP Retransmission] [TCP Port numbers reused] 58566 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=2205120926 TSecr=0 WS=128
Anyone know where else I could look for clues? I want to understand if this is a local problem (with the samba configuration) or the port is blocked somewhere else.
Last edited by Dalian (2022-11-20 20:14:30)
Offline
sudo iptables -L
You didn't post the entire output, did you?
You don't need to specifically allow anything unless you've other restricting rules.
nc -zvw3 <IP_Address> 445
According to https://learn.microsoft.com/en-us/azure … abs=smb311 the host is probably not just some IP?
Are you az-logged in? => https://aur.archlinux.org/packages/azure-cli
Is the <IP_Address> more like 123.45.67.89 or more like 1234::567:89 or like myazlogin.azure.mickeysoft.com?
systemctl status smb
https://wiki.archlinux.org/title/Samba#Client
That's for the server (unless smbnetfs)
using netcap
Fyi: "netcat"
Online
You didn't post the entire output, did you?
You don't need to specifically allow anything unless you've other restricting rules.
I didn't, because this was the only rule set in iptables so nothing else was there
According to https://learn.microsoft.com/en-us/azure … abs=smb311 the host is probably not just some IP?
Are you az-logged in? => https://aur.archlinux.org/packages/azure-cli
Is the <IP_Address> more like 123.45.67.89 or more like 1234::567:89 or like myazlogin.azure.mickeysoft.com?
The script by Microsoft has the Storage Account and FileShare name as variables - I have tried that too (and yes, I am logged in in az), but I have also tried it directly with the IP. The format is xx.xxx.xx.xxx
https://wiki.archlinux.org/title/Samba#Client
That's for the server (unless smbnetfs)
Is there anything I need to configure for the SMB Client? I took a generic smb.conf from the internet and just added the following lines:
client smb encrypt = default
client max protocol = SMB3_11
Offline
this was the only rule set in iptables so nothing else was there
I assume you put it there?
Unless you're using more complex netfilter rules (firewalld?) just remove that rule.
The script by Microsoft has the Storage Account and FileShare name as variables
…
fileHost=$(echo $smbPath | tr -d "/")
echo $fileHost
nc -zvw3 $fileHost 445
will print the host you're attempting.
Is there anything I need to configure for the SMB Client?
No. Also you need to first establish an uninhibited connection on 445.
nc isn't trying anything smb related, it just knocks on the port.
You can also try "nmap -p 445 $fileHost"
Online
Exposing an SMB share to the internet is a terrible idea with regard to security.
Offline
https://learn.microsoft.com/en-us/azure … ure-portal
Optionally internet-accessible file shares with iNtErNeT-SaFe SMB 3.0+.
The only alternative is NFS, which isn't WAN-grade either… it's a microsoft service after all.
Online
No. Also you need to first establish an uninhibited connection on 445.
nc isn't trying anything smb related, it just knocks on the port.
I understand this, trying to mount it gives me a different error which I assumed is because I can't even get a response from the port, so I am trying to fix this.
You can also try "nmap -p 445 $fileHost"
Nmap scan report for $fileHost
Host is up (0.056s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.73 seconds
Edit: I found this script that checks for connectivity issues on Azure Files: https://github.com/Azure-Samples/azure- … tics/Linux and got this:
Error: Port 445 is not reachable from this client and the error is Connection Timeout
So I decided to check and it turns out my ISP only allows LAN Connectivity to this port - I'll have to request access from them.
Last edited by Dalian (2022-11-20 20:13:46)
Offline
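Added example, not part of the thread: a small TCP probe that separates the three outcomes discussed above (handshake completes, RST comes back, or the SYN is silently dropped as in the capture and the nmap "filtered" result). The names classify, probe and HINTS are chosen for this example.

```python
import errno
import socket
import sys

# Hints per verdict; "filtered" is the state nmap reported in the thread.
HINTS = {
    "open": "TCP handshake completed; any remaining mount error is SMB-level",
    "closed": "RST received: host reachable, nothing listening on the port",
    "filtered": "no reply to the SYN: dropped on the path (egress rules, "
                "router, ISP or remote firewall), not an smb.conf problem",
    "unreachable": "no route, or an ICMP unreachable came back",
    "unresolved": "the host name did not resolve",
    "error": "unexpected socket error",
}


def classify(err):
    """Map the outcome of a TCP connect (None or an OSError) to a verdict."""
    if err is None:
        return "open"
    if isinstance(err, socket.gaierror):
        return "unresolved"
    if isinstance(err, ConnectionRefusedError):
        return "closed"
    if isinstance(err, (socket.timeout, TimeoutError)) or err.errno == errno.ETIMEDOUT:
        return "filtered"
    if err.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"


def probe(host, port=445, timeout=3.0):
    """Attempt one TCP connect and return the verdict string."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as err:
        return classify(err)


if __name__ == "__main__":
    # Usage: python probe445.py <host>   (defaults to localhost)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict = probe(target)
    print(f"{target}:445 -> {verdict}: {HINTS[verdict]}")
```

Running it from a second network (for example a phone hotspot) and comparing verdicts shows whether the drop follows the client machine or the uplink.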