croc – another file transfer method

I have lost count of the number of times I have had to send a large file to someone at work, usually in a hurry. I’ve used Dropbox, ownCloud, Firefox Send (no longer available) etc. Transferring large files became a bit easier when e-mail service providers increased the size limit for attachments, but that is still not a solution for very large files. The xkcd cartoon FILE TRANSFER sums up the situation nicely.

I recently discovered the command line utility croc, which the author claims is a way to ‘easily and securely transfer stuff from one computer to another.’ I thought I’d give it a try, if only to have another tool to fall back on in an emergency. It does rely on both ends having croc installed, but hopefully that should not be a show-stopper as croc is available for Linux, Windows, macOS and BSD. To quote the author:

croc differs from a utility like scp because it doesn’t require any two computers to have enabled port-forwarding. Instead, croc will uses a relay – a temporary server setup locally (if both computers are on lan) or publicly (default is at croc4.schollz.com). Any two computers can connect to the relay, and after securing their channel with PAKE [password authenticated key exchange], they can transfer encrypted metadata and data through the relay. The relay works by first having the computers communicate the PAKE protocol via websockets, and then exchanging encrypted metadata, and then stapling the TCP connections directly so that they can transfer directly.

So, to use croc you will be dependent on the public relay provided by the author unless you set up your own relay (instructions are provided in the author’s original 2018 blog post introducing croc – see link above – and in various third-party articles about croc, such as ‘Securely Transfer Files and Folders Between Computers Using Croc‘ and ‘Transfer Files And Folders Between Computers With Croc‘).

Anyway, I installed croc in Lubuntu and Gentoo Linux from the author’s GitHub repository and indeed it is easy to use and works fine. The binary releases for the various OSs and Linux distributions can be found on the Releases page of the GitHub repository or via the OS package manager.

Lubuntu 20.10:

user $ wget https://github.com/schollz/croc/releases/download/v9.1.6/croc_9.1.6_Linux-64bit.deb
user $ sudo dpkg -i croc_9.1.6_Linux-64bit.deb

Gentoo Linux:

root # emerge net-misc/croc

(Note that croc ebuilds are not currently marked as Stable in the Gentoo Linux Portage tree, so you’ll have to unmask them by keyword if you are using the Stable branch.)

Termux:

I even installed croc in Termux on my Samsung Galaxy Note 20 Ultra 5G, and it works in Android too:

$ pkg install croc

Other OSs and other Linux distributions:

See the instructions in the README file online.

Using croc

Using croc is as simple as entering a command on one computer, informing (via e-mail, telephone, SMS, Signal or other social media) the person using the other computer of the command to use, and entering that command on the other computer. For example:

Sender

user $ croc send Documents/flight-times.ods
Sending 'flight-times.ods' (16.6 kB)
Code is: 8878-salary-courage-roger
On the other computer run

croc 8878-salary-courage-roger

Receiver

user $ croc 8878-salary-courage-roger
Accept 'flight-times.ods' (16.6 kB)? (Y/n) 

If the receiving user then enters ‘Y’, the sending user sees something similar to this:

user $ croc send Documents/flight-times.ods
Sending 'flight-times.ods' (16.6 kB)
Code is: 8878-salary-courage-roger
On the other computer run

croc 8878-salary-courage-roger

Sending (->192.168.1.74:60740)
 100% |████████████████████| (17/17 kB, 10.918 MB/s)
user $ 

and the receiving user sees something similar to this:

user $ croc 8878-salary-courage-roger
Accept 'flight-times.ods' (16.6 kB)? (Y/n) Y

Receiving (<-[::1]:39442)
 100% |████████████████████| (17/17 kB, 3.989 MB/s)
user $ 

The observant reader will notice that the above example shows a file being transferred on the same computer. When transferred between different computers the IP addresses of each computer will be displayed instead. I have used croc to transfer files between different computers on my home network (I would normally just use my NAS for this, though), between remote computers on the Internet, and between my computers and my phone via mobile broadband, and croc works in all cases.

I have not mentioned all croc’s features. I’ll leave you to read up on croc in more detail in the links I’ve given above. It looks like it might be a useful tool to have installed.

Using open-plc-utils in Linux with Powerline (HomePlug) adapters

According to the open-plc-utils documentation, open-plc-utils supports INT6000, INT6300, INT6400, AR6410, QCA7000, AR7400 and AR7420 and later Powerline products from Qualcomm Atheros. ‘INT’ stands for ‘Intellon’, which was acquired by Atheros in 2009. ‘AR’ stands for ‘Atheros’, which was acquired by Qualcomm in 2011. ‘QCA’ stands for ‘Qualcomm Atheros’.

The open-plc-utils command int6k supports legacy chipsets INT6000, INT6300 and INT6400.

The open-plc-utils command plctool supports QCA6410, QCA7000 and QCA7420 chipsets.

The open-plc-utils command amptool supports AR7400 and QCA7450 chipsets.

I have used open-plc-utils successfully with the following Powerline products:

  • NETGEAR XAVB1301-100UKS (uses AR6405 chipset).
  • NETGEAR XAVB5221-100UKS (uses QCA7420 chipset).
  • TP-Link TL-PA4010 (uses QCA7420 chipset).
  • TP-Link TL-PA4010P (uses QCA7420 chipset).
  • TP-Link TL-PA4020P (uses QCA7420 chipset).

For example, I used open-plc-utils to update the chipset firmware in my TP-Link Powerline adapters, as explained in my earlier post ‘Updating the Powerline adapters in my home network‘.

Below I summarise how I install open-plc-utils in Linux and how I use them to interrogate the Powerline adapters in my home network.

1. Download the open-plc-utils source code

user $ cd
user $ wget https://github.com/qca/open-plc-utils/archive/refs/heads/master.zip
user $ unzip master.zip # (This creates ~/open-plc-utils-master directory.)

2. Install plc-utils

user $ cd ~/open-plc-utils-master/
user $ cat README # Tells you how to install/uninstall plc-utils.
user $ sudo make
user $ sudo make install
user $ sudo make manuals

3. Bookmark the documentation index pages in your Web browser

user $ cd ~/open-plc-utils-master/docbook

Bookmark file:///home/<username>/open-plc-utils-master/docbook/index.html

Bookmark file:///home/<username>/open-plc-utils-master/docbook/toolkit.html

4. Use open-plc-utils commands to interrogate the adapters in the network

One example of the many possible commands:

user $ plcstat -t -i eno1 # eno1 is the Ethernet interface on this computer.
 P/L NET TEI ------ MAC ------ ------ BDA ------ TX  RX  CHIPSET FIRMWARE
 LOC STA 038 11:11:11:11:11:11 88:88:88:88:88:88 n/a n/a QCA7420 MAC-QCA7420-1.5.0.26-02-20200114-CS
 REM STA 003 33:33:33:33:33:33 55:55:55:55:55:55 277 268 QCA7420 MAC-QCA7420-1.5.0.26-02-20200114-CS
 REM CCO 004 22:22:22:22:22:22 FF:FF:FF:FF:FF:FF 009 009 QCA7420 MAC-QCA7420-1.5.0.26-02-20200114-CS

(For security reasons, in the output above I have edited the MAC addresses of the three adapters, and the BDA of the two STAs. The BDA of the CCO adapter, which is automatically selected, really is displayed as FF:FF:FF:FF:FF:FF though.)

  • LOC = ‘Local’, i.e. the Powerline adapter connected to this computer.
  • REM = ‘Remote’, i.e. the other Powerline adapters in the network.
  • CCO = ‘Central Coordinator’, i.e. the automatically selected Powerline adapter acting as the coordinator of the Powerline adapters in this network.
  • STA = ‘Station’, i.e. the Powerline adapters being coordinated by the CCO.
  • MAC = The MAC address of the adapter.
  • BDA = ‘Bridged Destination Address’ (see the Powerline specifications for the meaning).
  • TX/RX = the transmission/reception rate in Mbps of the adapter.
  • CHIPSET = Atheros Qualcomm chipset type.
  • FIRMWARE = Atheros Qualcomm chipset firmware version.

For other open-plc-utils commands, consult the documentation in a Web browser.

5. Optional: Create a Bash script to interrogate Powerline adapters in your network

user $ cd
user $ nano ~/homeplug.sh
user $ chmod +x ~/homeplug.sh

homeplug.sh

#!/bin/bash
#
# This script is to interrogate a network to find the details of the Powerline
# HomePlug wall adapters in the network. It uses open-plc-utils tools:
# https://github.com/qca/open-plc-utils
# See https://github.com/qca/open-plc-utils/blob/master/README for
# instructions on how to install (and uninstall) the tools.
# Therefore this script is limited to the chipsets that open-plc-utils supports:
# https://github.com/qca/open-plc-utils/blob/master/plc/chipset.h
#
# The command int6k supports legacy chipsets INT6000, INT6300 and INT6400.
# The command plctool supports QCA6410, QCA7000 and QCA7420 devices.
# The command amptool supports chipsets AR7400 and QCA7450.
# NETGEAR XAVB1301-100UKS uses AR6405. NETGEAR XAVB5221-100UKS uses QCA7420.
# TP-Link TL-PA4010, TL-PA4010P and TL-PA4020P use QCA7420.
#
echo "================================================================================"
# Specify the interface on this PC connected to a HomePlug device:
export PLC=$( ifconfig | head -1 | cut -d ":" -f1 )
echo
echo -n "The Ethernet interface on this PC is: "
echo $PLC
echo
echo "================================================================================"
echo
#
# Step 1. Send VS_SW_VER to local device to determine its MAC address and device type.
#
MACINT6K=$( int6k -qr | awk -F ' ' '{print $2}' )
MACPLCTOOL=$( plctool -qr | awk -F ' ' '{print $2}' )
if [[ $MACINT6K != $MACPLCTOOL ]]
then
  echo "Unable to determine MAC address of local HomePlug wall adapter."
  exit
else
  MAC=$MACINT6K
fi
echo "Details for the HomePlug wall adapter connected to this computer:"
echo
if [ $( int6k -qI $MAC | wc -l ) -lt 2 ]
then
  plctool -m $MAC
  plctool -qI $MAC
  echo
  CHIPSET=$( plctool -qr $MAC | awk -F ' ' '{print $3}' )
  echo -n "Chipset: "
  echo $CHIPSET
  CHIPSETTYPE=2
else
  int6k -m $MAC
  int6k -qI $MAC
  echo
  CHIPSET=$( int6k -qr $MAC | awk -F ' ' '{print $3}' )
  echo -n "Chipset: "
  echo $CHIPSET
  CHIPSETTYPE=1
fi
echo
echo "================================================================================"
#
# Step 2. Send VS_NW_INFO (int6k -m or plctool -m, depending on device type)
# to local MAC address to find MAC addresses of the other devices.
#
if [[ $CHIPSETTYPE == 2 ]]
then
  plctool -qm $MAC | grep MAC | cut -d " " -f3 > maclist.txt
elif [[ $CHIPSETTYPE == 1 ]]
then
  int6k -qm $MAC | grep MAC | cut -d " " -f3 > maclist.txt
else
  echo "Unable to determine chipset of the local HomePlug wall adapter."
  exit
fi
#
# Step 3. Send VS_SW_VER (int6k -r or plctool -r, depending on device type) to
# each device to find the device type of each.
#
echo -n "" > chipsetlist.txt
while read -r MAC
do
  if [ $( int6k -qI $MAC | wc -l ) -lt 2 ]
  then
    CHIPSET=$( plctool -qr $MAC | awk -F ' ' '{print $3}' )
    echo $CHIPSET >> chipsetlist.txt
  else
    CHIPSET=$( int6k -qr $MAC | awk -F ' ' '{print $3}' )
    echo $CHIPSET >> chipsetlist.txt
  fi
done < maclist.txt
#
# Step 4. Send VS_NW_INFO (int6k -m or plctool -m, depending on device type) to
# each device to determine full PHY Rate.
#
echo
echo "Details for the other HomePlug wall adapters in the network"
echo "(adapters in Power Saving Mode are not shown):"
while read -r MAC && read -r CHIPSET <&3
do
  echo
  if [ $( int6k -qI $MAC | wc -l ) -lt 2 ]
  then
    plctool -m $MAC
    plctool -qI $MAC
  else
    int6k -m $MAC
    int6k -qI $MAC
  fi
  echo
  echo -n "Chipset: "
  echo $CHIPSET
  echo
  echo "--------------------------------------------------------------------------------"
done <maclist.txt 3<chipsetlist.txt
rm maclist.txt chipsetlist.txt
echo
echo "Some of the abbreviations are listed below, but refer to the open-plc-utils"
echo "documentation for more details. (Also see http://www.homeplug.org/ for"
echo "detailed HomePlug specifications)"
echo
echo "BDA   Bridged Destination Address"
echo "CCo   Central Coordinator"
echo "DAK   Device Access Key"
echo "MDU   Multiple Dwelling Unit"
echo "NID   Network Identifier"
echo "NMK   Network Membership Key"
echo "PIB   Parameter Information Block"
echo "SNID  Short Network Identifier"
echo "STA   Station"
echo "TEI   Terminal Equipment Identifier"
echo
exit

 
Run homeplug.sh to see details of Powerline adapters with Qualcomm Atheros chipsets in the network:

user $ ./homeplug.sh

N.B. Adapters in Power Saving Mode are not detected, so, if you want to see details of all Powerline adapters on the network, make sure none of the adapters are in Power Saving Mode before you run the script.

Below is the script’s output for my home network with the following three TP Link Powerline adapters currently connected to wall power sockets:

  • TP-Link TL-PA4010P(UK) VER:5.0 (one device)
  • TP-Link TL-PA4010(UK) VER:3.0 (two devices)

I also own the following Powerline adapters, which are currently not plugged in to wall power sockets, but this script would detect them if they were plugged in (as I have seen previously):

  • TL-PA4020P(UK) VER:4.0 (one adapter)
  • NETGEAR XAVB1301-100UKS (three adapters)
  • NETGEAR XAVB5221-100UKS (two adapters)
user $ ./homeplug.sh 
================================================================================

The Ethernet interface on this PC is: eno1

================================================================================

Details for the HomePlug wall adapter connected to this computer:

eno1 11:11:11:11:11:11 Fetch Network Information
eno1 11:11:11:11:11:11 Found 1 Network(s)

source address = 11:11:11:11:11:11

        network->NID = 99:99:99:99:99:99:99
        network->SNID = 5
        network->TEI = 38
        network->ROLE = 0x00 (STA)
        network->CCO_DA = 22:22:22:22:22:22
        network->CCO_TEI = 4
        network->STATIONS = 2

                station->MAC = 33:33:33:33:33:33
                station->TEI = 3
                station->BDA = 55:55:55:55:55:55
                station->AvgPHYDR_TX = 279 mbps Primary
                station->AvgPHYDR_RX = 276 mbps Primary

                station->MAC = 22:22:22:22:22:22
                station->TEI = 4
                station->BDA = FF:FF:FF:FF:FF:FF
                station->AvgPHYDR_TX = 009 mbps Primary
                station->AvgPHYDR_RX = 009 mbps Primary

        PIB 0-0 8836 bytes
        MAC 11:11:11:11:11:11
        DAK 66:66:66:66:66:66:66:66:66:66:66:66:66:66:66:66
        NMK 77:77:77:77:77:77:77:77:77:77:77:77:77:77:77:77
        NID 99:99:99:99:99:99:99
        Security level 0
        NET Qualcomm Atheros Enabled Network
        MFG tpver_401115_191120_901
        USR tpver_401115_191120_901
        CCo Auto
        MDU N/A

Chipset: QCA7420

================================================================================

Details for the other HomePlug wall adapters in the network
(adapters in Power Saving Mode are not shown):

eno1 33:33:33:33:33:33 Fetch Network Information
eno1 33:33:33:33:33:33 Found 1 Network(s)

source address = 33:33:33:33:33:33

        network->NID = 99:99:99:99:99:99:99
        network->SNID = 5
        network->TEI = 3
        network->ROLE = 0x00 (STA)
        network->CCO_DA = 22:22:22:22:22:22
        network->CCO_TEI = 4
        network->STATIONS = 2

                station->MAC = 22:22:22:22:22:22
                station->TEI = 4
                station->BDA = FF:FF:FF:FF:FF:FF
                station->AvgPHYDR_TX = 305 mbps Primary
                station->AvgPHYDR_RX = 319 mbps Primary

                station->MAC = 11:11:11:11:11:11
                station->TEI = 38
                station->BDA = 88:88:88:88:88:88
                station->AvgPHYDR_TX = 276 mbps Primary
                station->AvgPHYDR_RX = 279 mbps Primary

        PIB 0-0 8836 bytes
        MAC 33:33:33:33:33:33
        DAK 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (none/secret)
        NMK 77:77:77:77:77:77:77:77:77:77:77:77:77:77:77:77
        NID 99:99:99:99:99:99:99
        Security level 0
        NET Qualcomm Atheros Enabled Network
        MFG tpver_401013_171025_901
        USR tpver_401013_171025_901
        CCo Auto
        MDU N/A

Chipset: QCA7420

--------------------------------------------------------------------------------

eno1 22:22:22:22:22:22 Fetch Network Information
eno1 22:22:22:22:22:22 Found 1 Network(s)

source address = 22:22:22:22:22:22

        network->NID = 99:99:99:99:99:99:99
        network->SNID = 5
        network->TEI = 4
        network->ROLE = 0x02 (CCO)
        network->CCO_DA = 22:22:22:22:22:22
        network->CCO_TEI = 4
        network->STATIONS = 2

                station->MAC = 33:33:33:33:33:33
                station->TEI = 3
                station->BDA = 55:55:55:55:55:55
                station->AvgPHYDR_TX = 319 mbps Primary
                station->AvgPHYDR_RX = 305 mbps Primary

                station->MAC = 11:11:11:11:11:11
                station->TEI = 38
                station->BDA = 88:88:88:88:88:88
                station->AvgPHYDR_TX = 009 mbps Primary
                station->AvgPHYDR_RX = 009 mbps Primary

        PIB 0-0 8836 bytes
        MAC 22:22:22:22:22:22
        DAK 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (none/secret)
        NMK 77:77:77:77:77:77:77:77:77:77:77:77:77:77:77:77
        NID 99:99:99:99:99:99:99
        Security level 0
        NET Qualcomm Atheros Enabled Network
        MFG tpver_401013_171025_901
        USR tpver_401013_171025_901
        CCo Auto
        MDU N/A

Chipset: QCA7420

--------------------------------------------------------------------------------

Some of the abbreviations are listed below, but refer to the open-plc-utils
documentation for more details. (Also see http://www.homeplug.org/ for
detailed HomePlug specifications)

BDA   Bridged Destination Address
CCo   Central Coordinator
DAK   Device Access Key
MDU   Multiple Dwelling Unit
NID   Network Identifier
NMK   Network Membership Key
PIB   Parameter Information Block
SNID  Short Network Identifier
STA   Station
TEI   Terminal Equipment Identifier


For security reasons, in the output above I have edited the network membership key, device access key, network identifier and adapter addresses in the above output as follows:

  • I have changed the three MAC addresses of the three adapters to be 11:11:11:11:11:11, 22:22:22:22:22:22 and 33:33:33:33:33:33.
  • I have changed the two BDAs of the two adapters that are Stations (STAs) to be 55:55:55:55:55:55 and 88:88:88:88:88:88.
  • I have changed the DAK of the adapter connected to the computer on which the script was run to be 66:66:66:66:66:66:66:66:66:66:66:66:66:66:66:66.
  • I have changed the NMK of the three adapters to be 77:77:77:77:77:77:77:77:77:77:77:77:77:77:77:77.
  • I have changed the NID of the three adapters to be 99:99:99:99:99:99:99.

Some of the information that can be gleaned from the above output of the script:

  • the adapter with MAC address 22:22:22:22:22:22 has been automatically set as the CCO (Central Coordinator) for the Powerline network, and the other two adapters (MAC addresses 11:11:11:11:11:11 and 33:33:33:33:33:33) are STAs (Stations);
  • the only DAK that can be read is for the adapter connected to the computer;
  • the BDA of the CCO is reported as FF:FF:FF:FF:FF:FF;
  • all three Powerline adapters use the QCA7420 chipset;
  • the two Powerline stations are different models of TP-Link adapter (TP-Link versions ending in ‘401115_191120_901’ and ‘401013_171025_901’); the central coordinator is the same TP-Link model as one of the stations (TP-Link version ending in ‘401013_171025_901’).

Indeed, a TP-Link TL-PA4010P(UK) VER:5.0 adapter is connected to this computer, and the two remote adapters are TP-Link TL-PA4010(UK) VER:3.0, one of which is currently acting as the CCO. Last year I updated the Qualcomm Atheros firmware in all of them (see my 2020 post ‘Updating the Powerline adapters in my home network‘).

Using NetworkManager in Gentoo Linux

My current two laptops running Gentoo Linux (both with OpenRC, elogind, eudev and wpa_supplicant) use NetworkManager rather than Netifrc. (Actually, my desktop machines also use NetworkManager even though they are always connected to the same network.) NetworkManager has worked with wired and wireless networking on these laptops without any issues for over five years now. This post summarises how it is installed and configured.

I installed the package with the following USE flags enabled:

bluetooth dhclient elogind introspection modemmanager ncurses nss policykit ppp wext wifi

and the following USE flags disabled:

audit connection-sharing dhcpcd gnutls iwd json ofono ovs resolvconf selinux systemd teamd test vala

The precise status can be seen in the output of the eix command on my main laptop that uses Gentoo Stable:

root # eix -I net-misc/networkmanager
[I] net-misc/networkmanager
     Available versions:  [M]~1.22.10-r12^t 1.26.4^t ~1.26.6^t ~1.28.0-r1^t {audit bluetooth +concheck connection-sharing debug (+)dhclient dhcpcd elogind examples (+)gnutls gtk-doc (+)introspection iwd json libpsl lto (+)modemmanager ncurses (+)nss ofono ovs (+)policykit (+)ppp resolvconf selinux syslog systemd teamd test +tools vala (+)wext +wifi ABI_MIPS="n32 n64 o32" ABI_S390="32 64" ABI_X86="32 64 x32" KERNEL="linux"}
     Installed versions:  1.26.4^t(00:33:18 02/01/21)(bluetooth dhclient elogind introspection modemmanager ncurses nss policykit ppp wext wifi -audit -connection-sharing -dhcpcd -gnutls -iwd -json -ofono -ovs -resolvconf -selinux -systemd -teamd -test -vala ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" KERNEL="linux")
     Homepage:            https://wiki.gnome.org/Projects/NetworkManager
     Description:         A set of co-operative tools that make networking simple and straightforward

I use network file systems, so I also configured the netmount service to run, and specified that NetworkManager is the network manager:

root # grep -v "^#\|^$" /etc/conf.d/netmount
rc_need="NetworkManager"

The network-related services that I configured to be started at boot are as follows:

root # rc-update show -v | grep -i net
       NetworkManager |      default
                local |      default nonetwork
           net-online |
         net.enp4s0f1 |
               net.lo |
             netmount |      default

(It is correct that net-online, net.enp4s0f1 and net.lo are not in any runlevel.)

Neither dhcpd nor dhcpcd services must be started at boot, as they would interfere with NetworkManager:

root # rc-update show -v | grep -i dhcp
               dhcpcd |   
                dhcpd |

By the way, if the output of the command ‘rc-update show -v‘ incudes non-existent physical interfaces not shown in the output of the ‘ifconfig‘ or ‘ip a‘ commands, you can delete the corresponding symlinks. For example, the only physical interfaces listed by the ifconfig command on my older laptop running Gentoo Linux Testing (~amd64) are eth0 and wlan0, but the ‘rc-update show -v‘ command originally showed many other interfaces, so I deleted them as follows:

root # cd /etc/init.d/
root # rm net.aol
root # rm net.ra*
root # rm net.ath*
root # rm net.eth[1,2,3,4,5,6,7,8]
root # rm net.ppp*
root # rm net.wlan[1,2,3]

The installation on that laptop is left with the correct symlinks:

root # ls -la /etc/init.d/net.*
lrwxrwxrwx 1 root root     6 Mar 30  2010 /etc/init.d/net.eth0 -> net.lo
-rwxr-xr-x 1 root root 19861 Feb 15 01:05 /etc/init.d/net.lo
lrwxrwxrwx 1 root root     6 Mar 30  2010 /etc/init.d/net.wlan0 -> net.lo

Anyway, coming back to my main laptop, all the services running in Gentoo Linux on it are shown below, for information:

root # rc-status
Runlevel: default
 dbus                                                       [  started  ]
 NetworkManager                                             [  started  ]
 netmount                                                   [  started  ]
 syslog-ng                                                  [  started  ]
 cupsd                                                      [  started  ]
 samba                                                      [  started  ]
 cronie                                                     [  started  ]
 clamd                                                      [  started  ]
 bluetooth                                                  [  started  ]
 xdm                                                        [  started  ]
 wsdd                                                       [  started  ]
 cups-browsed                                               [  started  ]
 sshd                                                       [  started  ]
 local                                                      [  started  ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
 xdm-setup                                                  [  started  ]
 avahi-daemon                                               [  started  ]
Dynamic Runlevel: manual

I specified the laptop’s hostname in /etc/hosts, /etc/conf.d/hostname, /etc/hostname and /etc/dhcp/dhclient.conf:

root # grep -v "^#\|^$" /etc/hosts
127.0.0.1       clevow230ss     localhost
::1             clevow230ss     localhost
root # cat /etc/conf.d/hostname
# Set to the hostname of this machine
hostname="clevow230ss"
root # cat /etc/hostname
clevow230ss
root # grep -v "^#\|^$" /etc/dhcp/dhclient.conf
send host-name "clevow230ss";
supersede host-name "clevow230ss";

The purpose of the ‘supersede‘ statement in dhclient.conf is explained in man dhclient.conf(5):

supersede [ option declaration ] ;

If for some option the client should always use a locally-configured value or values rather than whatever is supplied by the server, these values can be defined in the supersede statement.

In other words, I do not want the hostname to be specified by a dhcp server (as this has caused problems for me in the past when connected to some networks).

I edited the configuration file /etc/NetworkManager/NetworkManager.conf to contain the following:

[main]
plugins=keyfile
rc-manager=none
dhcp=dhclient
no-auto-default=*

[keyfile]
hostname=clevow230ss

In earlier days it was necessary to specify the hostname in /etc/NetworkManager/NetworkManager.conf but that is no longer required. According to NetworkManager.conf(5) man page: ‘This key is deprecated and has no effect since the hostname is now stored in /etc/hostname or other system configuration files according to build options.’ I just left it in the file because it does no harm.

NetworkManager’s configuration files for your wired and wireless connections are normally created and edited by using the GUI network configuration tool (a.k.a. ‘front end’) in the Desktop Environment, such as plasma-nm and nm-applet, but can also be created/edited manually. For example, the NetworkManager file for my home Wi-Fi connection contains the following:

root # cat /etc/NetworkManager/system-connections/BT-5DF82T.nmconnection
[connection]
id=BT-5DF82T
uuid=3190e9d6-961f-38ab-fb90-1d323e6f35d2
type=wifi
autoconnect=false
permissions=

[wifi]
mac-address-blacklist=
mode=infrastructure
ssid=BT-5DF82T

[wifi-security]
key-mgmt=wpa-psk
psk-flags=1

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

NetworkManager generates the UUID automatically, but it could be generated manually (I have never bothered to do that):

The UUID values in the config files must be unique. You can use uuidgen command line tool to generate such values. Alternatively, you can leave out UUID entirely. In that case NetworkManager will generate a UUID based on the file name.

iwd (iNet Wireless Daemon)

Note that NetworkManager can be used with iwd instead of wpa_supplicant, although I have never bothered to try iwd, as NetworkManager with wpa_supplicant works fine on my laptops. If you want to try iwd instead of wpa_supplicant, NetworkManager will have to be installed with the iwd and introspection USE flags enabled, and you may have to make sure iwd is running before NetworkManager — see the following for further details:

Updating the Powerline adapters in my home network

I have blogged previously about a couple of problems with using Powerline adapters in my home network:

As my NETGEAR XAV1301 (200 Mbps) Powerline adapters bought in 2012 apparently do not fully support IPv6, and as my NETGEAR XAV5221 (500 Mbps) adapters bought in 2016 are no longer manufactured either, I decided to invest in some new Powerline adapters that would guarantee IPv6 support. My Web searches did not confirm that the current models of NETGEAR Powerline adapters support IPv6, so I decided to try TP-Link Powerline adapters because the TP-Link Web site states that all current TP-Link Powerline adapters support IPv6. I wanted Powerline adapters for five devices (router, smart TV and three computers), plus the ability to use a mains plug on at least two of those (i.e. so-called ‘pass-through’ adapters). I also wanted to avoid buying different models, in order to minimise the possibility of any problems. TP-Link have a range of 600 Mbps adapters under the name ‘AV600’, so I plumped for two TP-PL4010 adapters (single Ethernet port per adapter), one TP-PL4010P adapter (single Ethernet port and one mains pass-through socket) and one TP-PL4020P (two Ethernet ports and one mains pass-through socket). These all use the Qualcomm Atheros QCA7420 Powerline chipset (which happens to be the same chipset used in my old NETGEAR XAV5221 500 Mbps adapters).

Like NETGEAR, TP-Link does not have a Powerline utility program for Linux, so I had to install TP-Link’s tpPLC utility program in Windows 10 running in a VM (virtual machine) in order to configure the four TP-Link adapters and set the ‘Powerline network name’ to avoid crosstalk with my neighbour’s Powerline adapters that use the factory default network name (‘HomePlugAV’).

Anyway, I got everything set up and working, but soon noticed that there were quite frequent dropouts of the connection to my router and the Internet. Some dropouts did occur when I was using the old NETGEAR Powerline adapters, but I was surprised to find that the performance of the new TP-Link adapters was much worse. The dropouts typically lasted a minute or two. This was annoying, to say the least.

I started searching the Web, and ‘TP-Link’ and ‘dropout’ occur together a lot. I had already disabled Power Saving Mode in the adapters, so knew that was not the cause. I happen to know someone who also uses TP-Link adapters, and he mentioned that he also experienced frequent dropouts. In addition to turning off Power Saving Mode, he had implemented a shell script on his machines to ping an Internet site periodically to try and keep the connection from dropping out, but this did not appear to make any difference. I wrote the script below to try the same thing, and it did not cure the dropouts either:

#!/bin/bash
#
# Script to try to keep the Powerline adapter connected to this machine
# from dropping the connection to the router
#
FIRSTPASS=1
PREVIOUS=2
while true
do
    ping -W 2 -c 1 8.8.8.8 >>/dev/null 2>&1
    STATUS=$?
    if [ $PREVIOUS -ne 0 ] && [ $STATUS -eq 0 ]; then
        logger "Ping successful: connection to Internet is up."
#        echo "Ping successful: connection to Internet is up."
    elif [ $PREVIOUS -eq 0 ] && [ $STATUS -ne 0 ]; then
        logger "Ping unsuccessful: connection to Internet may be down."
#        echo "Ping unsuccessful: connection to Internet may be down."
    elif [ $FIRSTPASS -eq 1 ] && [ $STATUS -ne 0 ]; then
        logger "Ping unsuccessful: connection to Internet may be down."
#        echo "Ping unsuccessful: connection to Internet may be down."
    fi
    PREVIOUS=$STATUS
    FIRSTPASS=0
    sleep 10
done

In my Web searches I came across a a thread in the TP-Link SOHO Community forums with a URL for a new version of firmware for TP-Link Powerline adapters that use the Qualcomm Atheros QCA7420 chipset. I learned from the TP-Link forums that the firmware in NVM (Non-Volatile Memory) depends on the chipset manufacturer’s chipset, not on the Powerline manufacturer’s adapter model, whereas the adapter’s PIB (Parameter Information Block) does change depending on the model (including the country). So I started searching online for a PIB file for the three models of TP-Link adapter that I am using, but I could not find them. However, the Linux open-plc-tools command ‘plctool‘ enabled me to read the PIB from each adapter and store it as a file:

user $ sudo plctool -i eth0 -p TL-PA4010P.pib <MAC address printed on the adapter>
user $ sudo plctool -i eth0 -p TL-PA4010_TV.pib <MAC address printed on the adapter>
user $ sudo plctool -i eth0 -p TL-PA4010_HOME-HUB.pib <MAC address printed on the adapter>
user $ sudo plctool -i eth0 -p TL-PA4020P.pib <MAC address printed on the adapter>

The Ethernet interface in the computer I used is named ‘eth0′, so change it accordingly. You can give any name to the PIB files.

It is also easy to find out the adapters’ MAC addresses and current firmware by using another open-plc-tools command:

user $ plcstat -t -i eth0

The TP-Link tpPLC utility for Windows also shows the firmware version. I was surprised to see that the firmware version was different in the three models I had just bought:

  • TL-PA4010P firmware version: 1.4.0.20-00_401115_191120_901
  • TL-PA4010 firmware version: 1.3.1.2141-00_401013_171025_901
  • TL-PA4020P firmware version: 1.4.0.20-00_402114_191120_901

The command to update the firmware in an adapter using the NVM file I downloaded from the URL in the above-mentioned TP-Link Community forum thread and the PIB file read from the relevant adapter, is as follows:

user $ sudo plctool -i <interface> -P <PIB file> -N <NVM file> -R <MAC address of adapter>

For example:

user $ sudo plctool -i eth0 -P TL-PA4010P.pib -N FW-QCA7420-1.5.0.0026-02-CS-20200114.nvm -R 15:B3:D2:D8:5F:BA

I am fortunate in that the three models of TP-Link Powerline adapter I bought all use the Qualcomm Atheros QCA7420 chipset, so I could use the same NVM file for all four adapters that I bought. I only needed to repeat the command with a different PIB file for each adapter model. The plcstat command can be used to check that the firmware version is different from the factory original version:

user $ plcstat -t -i eth0

Actually, the tpPLC utility in Windows 10 also has the ability to upload an NVM file and a PIB file to an adapter, so, as I have tpPLC installed in a VM, I can use that instead to update firmware in my TP-Link Powerline adapters.

And what difference did upgrading the firmware in my new TP-Link adapters make? A big difference. There are no more dropouts; the connection is now stable and I no longer get interruptions while browsing the Internet. It’s a pity that TP-Link does not supply every chipset’s latest firmware file and every model’s PIB file on their support Web site so that users can update their Powerline adapters.

A Linux command-line utility to discover and list WSD-enabled computers and printers on a home network

In an earlier post I covered the installation and use of wsdd, a WS-Discovery (WSD) daemon that can run on Linux machines and enable machines running Microsoft Windows 10 to discover Linux machines in File Explorer now that Windows 10 has dropped Computer Browser, NetBIOS and SMBv1. All my Linux machines in my home network have wsdd running alongside NetBIOS broadcast name resolution, SMBv2 (used by my Android phone) and SMBv3 (used by my Linux machines). If any visitors to my house happen to bring a laptop running Windows 10, they will be able to discover my SMB shares in File Explorer, which I have always been able to do in Linux and in earlier Windows releases that supported NetBIOS and Computer Browser.

As I pointed out in a comment to another of my earlier posts, a downside of not using the (insecure) SMBv1 protocol is that the Samba utility smbtree incorrectly returns nothing if you enter the command smbtree when using SMBv2 or SMBv3. As all the Linux machines in my home network are running the wsdd daemon in addition to NetBIOS, SMBv2 and SMBv3 — and any visitors’ laptops could be running Windows 10 — it would be nice to have a command-line utility that would discover all machines. Well, here is a stab at such a utility, written by a close relative of mine as a learning exercise in WSD and Python, and is provided here as-is without any warranty or support. It consists of the following five files:

wsd-discover.sh

#!/bin/bash

function del-tmp-files() {
   if ls /tmp/wsd-*.txt 1> /dev/null 2>&1; then
      rm /tmp/wsd-*
   fi
return 0
}

# Delete pre-existing temporary work files.

del-tmp-files

# Get the V5 UUID of this machine
UUID=$(python3 $HOME/discover/wsd-gen-uuid.py)

# Send a multicast probe to all WSD capable devices and store the XML output in wsd-probe1.txt
echo
echo "Please wait.....sending multicast discovery probe and waiting 2 seconds for responses"
echo
python3 $HOME/discover/wsd-mcast-probe.py > /tmp/wsd-probe1.txt

# Iterate through the XML until the UUID to IPv4 mappings are obtained in wsd-probe9.txt
more /tmp/wsd-probe1.txt | grep Computer | awk -F "<wsa:Address>" '{print $2}' > /tmp/wsd-probe2.txt

sort -u /tmp/wsd-probe2.txt > /tmp/wsd-probe3.txt

more /tmp/wsd-probe3.txt | awk -F "uuid:" '{print $2}' > /tmp/wsd-probe4.txt

more /tmp/wsd-probe4.txt | awk -F "</wsa:Address>" '{print $1,"******",$2}' > /tmp/wsd-probe5.txt

more /tmp/wsd-probe5.txt | awk -F "from" '{print $1,"******",$2}' > /tmp/wsd-probe6.txt

more /tmp/wsd-probe6.txt | awk -F "******" '{print $1 $3}' > /tmp/wsd-probe7.txt

more /tmp/wsd-probe7.txt | awk -F "\\\('" '{print $1 $2}' > /tmp/wsd-probe8.txt

more /tmp/wsd-probe8.txt | awk -F "'" '{print $1}' > /tmp/wsd-probe9.txt

# Read the UUID to IPv4 mappings until end of file and send XML requests to each WSD host

while read RECORD; do

	URN=$(echo $RECORD | cut -d" " -f1)
	IPA=$(echo $RECORD | cut -d" " -f2)

	# Generate the HTTP/XML request file from the template
	cat $HOME/discover/wsd-template.xml | sed 's/XXXXXXXXXX/'$URN'/g' > /tmp/wsd-request.txt
	cat /tmp/wsd-request.txt | sed -i 's/YYYYYYYYYY/'$UUID'/g' /tmp/wsd-request.txt

	# Send the XML/SOAP request to the target machine
	curl -s -A wsd --header "Accept-Encoding: identity" --header "Connection: Close" \
	--header "Content-Type: application/soap+xml" --header "User-Agent: wsd" \
	--data @/tmp/wsd-request.txt http://$IPA:5357/$URN > /tmp/wsd-response-$IPA.txt

	# Extract, format and display the information returned
	echo
	echo "Device IP : $IPA"
	echo "==========================="
	echo -n "Name         :";cat /tmp/wsd-response-$IPA.txt | awk -F "FriendlyName" '{print $2}' | awk -F "<" '{print $1}' | cut -d">" -f2
	echo -n "Manufacturer :";cat /tmp/wsd-response-$IPA.txt | awk -F "Manufacturer" '{print $2}' | awk -F "<" '{print $1}' | cut -d">" -f2
	echo -n "Model        :";cat /tmp/wsd-response-$IPA.txt | awk -F "ModelName" '{print $2}' | awk -F "<" '{print $1}' | cut -d">" -f2
	echo -n "Category     :";cat /tmp/wsd-response-$IPA.txt | awk -F "DeviceCategory" '{print $2}' | awk -F "<" '{print $1}' | cut -d">" -f2
	echo -n "URN          :";cat /tmp/wsd-response-$IPA.txt | awk -F "Address" '{print $2}' | awk -F "<" '{print $1}' | cut -d">" -f2
	echo -n "Type         :";cat /tmp/wsd-response-$IPA.txt | awk -F "Types" '{print $2}' | awk -F "<" '{print $1}' | cut -d">" -f2
	echo -n "Workgroup    :";cat /tmp/wsd-response-$IPA.txt | awk -F "<pub:Computer" '{print $2}' | awk -F "<" '{print $1}' | cut -d">" -f2
	echo

done < /tmp/wsd-probe9.txt

# This next bit is just a bit of fluff to display printers. The formatting is inconsistent because every printer
# has a different web page. Printer manufacturers are listed in the file $HOME/discover/printers.txt. If the printer
# is not in this file it won't be found in the HTTP information

# Check whether the original multicast response contains any printer information
cat /tmp/wsd-probe1.txt | grep -q -A2 Print

if [[ $? -eq 0 ]]; then # A printer of some sort has been found

   # Get the line that contains 'Print' and the two lines after it (one of which contains the printer IP and URL)
   more /tmp/wsd-probe1.txt | grep -A2 Print > /tmp/wsd-probe10.txt

   # Remove any duplicate entries
   sort -u /tmp/wsd-probe10.txt > /tmp/wsd-probe11.txt

   # Isolate the printer IP and URL information
   cat /tmp/wsd-probe11.txt | awk -F"XAddrs>" '{print $2}' | awk -F"/wsd" '{print $1}' > /tmp/wsd-probe12.txt

   # Remove blank lines to clean up the file
   sed '/^$/d' /tmp/wsd-probe12.txt > /tmp/wsd-probe13.txt

   # Read each line of the file containing the printer URLs and contact the printers in turn
   while read RECORD; do

	echo "Printers"
	echo "==========================="
	URL=$RECORD
	# Try to get the printer's HTML page
        curl -s $URL/index.html > /tmp/wsd-printer.txt
	if [[ $? -ne 0 ]]; then
           echo "Couldn't get HTML info from $URL"
	else
	   # Read each line of the printers.txt file and try to get the Make and Model from the HTML
           while read PRT; do
		 grep -q $PRT /tmp/wsd-printer.txt
		 if [[ $? -eq 0 ]]; then # Printer in the list is contained in the returned HTML
		    # Extract the Make and the following word hoping it's the Model
		    TYP=$(grep $PRT /tmp/wsd-printer.txt | awk -v a=$PRT '{for(i=1;i<=NF;i++) if ($i==a) print $i,$(i+1)}')
		    echo "URL   : $URL"
                    echo "Make  : $TYP"
		 fi
	   done < $HOME/discover/printers.txt
	fi

   done < /tmp/wsd-probe13.txt

fi

echo

#
# Delete the latest temporary work files.
#
del-tmp-files

wsd-gen-uuid.py

import uuid
import socket

hostName = (socket.gethostname())

# nameSpaces = [uuid.NAMESPACE_DNS, uuid.NAMESPACE_URL, uuid.NAMESPACE_OID, uuid.NAMESPACE_X500]
nameSpaces = [uuid.NAMESPACE_DNS]

for namespace in nameSpaces:

    print (uuid.uuid5(namespace, hostName))

wsd-mcast-probe.py

import socket
import struct
import sys
import uuid

# Create a V1 UUID for the MessageID based on the host address and current time
# The MessageID must be unique but it isn't necessary to have anything other than a V1 UUID
uuid1 = uuid.uuid1()
myuuid = str(uuid1)
print ("Generating UUID for MessageID")
print(myuuid)

# The string 'message' is a template WSD probe that is multicast to group 239.255.255.250 port 3702
# The template should not change unless there is a major change to the WSD specifications
# Escape double quotation marks within the message string (but not the outer double quotation marks)
message = "<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:pnpx=\"http://schemas.microsoft.com/windows/pnpx/2005/10\" xmlns:pub=\"http://schemas.microsoft.com/windows/pub/2005/07\" xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:wsd=\"http://schemas.xmlsoap.org/ws/2005/04/discovery\" xmlns:wsdp=\"http://schemas.xmlsoap.org/ws/2006/02/devprof\" xmlns:wsx=\"http://schemas.xmlsoap.org/ws/2004/09/mex\"><soap:Header><wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To><wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</wsa:Action><wsa:MessageID>urn:uuid:" + myuuid + "</wsa:MessageID></soap:Header><soap:Body><wsd:Probe><wsd:Types>wsdp:Device</wsd:Types></wsd:Probe></soap:Body></soap:Envelope>"

# Convert the message to a UTF-8 byte string
bytstr = message.encode('utf-8')

# Define a variable for the multicast group and multicast destination port
multicast_group = ('239.255.255.250', 3702)
multicast_address = '239.255.255.250'

# Cheeky way to get the Internet facing Ethernet IP address for use further down
# Create a socket, pretend to use it to connect to an Internet service. Nothing is actually sent
# but the IP address of the Internet facing interface is returned 
def get_ip_address():
    sock1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock1.connect(("8.8.8.8", 80))
    return sock1.getsockname()[0]

# Create datagram socket 1 for multicasts and allow the IP address and port to be reused in case something
# else is using them e.g. the WSD service
sock1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock1.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock1.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)

IPADDR = (get_ip_address())

# Set the multicasts TTL to 1 so they stay on the local segment
sock1.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)

# Set a timeout so the socket stops listening if no data is received within the timeout
# This prevents it from locking up
sock1.settimeout(2.0)

# Bind the socket to the IP and port that we wish to use as the source IP and port of datagrams we transmit
# AND the destination IP and port of datagrams that we receive
sock1.bind ((IPADDR, 3702))

# Join the 239.255.255.250 multicast group. This isn't necessary if this script is being run on a machine
# that is also running the wsdd daemon. Joining the multicast group allows the script to be run on any
# machine regardless

mreq = struct.pack("4sl", socket.inet_aton(multicast_address), socket.INADDR_ANY)
sock1.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)

try:

    # Send the WSD probe (bytstr) to the multicast group and port
    # print ('\nsending "%s"' % bytstr)
    sent = sock1.sendto(bytstr, multicast_group)

    # Listen for up to 4096 byte responses from all responders to the multicast message
    while True:
       print ('\nwaiting to receive responses')
       try:
           data, addr = sock1.recvfrom(4096)

           # We could use the format below to split 'addr' into its component IP and port fields but is isn't necessary
           # data, (ip, port) = sock1.recvfrom (4096)

       except:
           # This exception only occurs if no data is received on socket for the timeout period
           print ('\ntimed out, no more responses socket1')
           break
       else:
           # This is the response data that the bash script writes out to the wsd-probe1.txt file
           print ('\nreceived %s from %s' % (data.decode('utf-8'), addr))

finally:
    print ('\nsocket closed\n')

wsd-template.xml

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
      xmlns:pnpx="http://schemas.microsoft.com/windows/pnpx/2005/10"
      xmlns:pub="http://schemas.microsoft.com/windows/pub/2005/07"
      xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
      xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"
      xmlns:wsdp="http://schemas.xmlsoap.org/ws/2006/02/devprof"
      xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
      <soap:Header>
            <wsa:To>urn:uuid:XXXXXXXXXX</wsa:To>
            <wsa:Action>http://schemas.xmlsoap.org/ws/2004/09/transfer/Get</wsa:Action>
            <wsa:MessageID>urn:uuid:fe11d044-bc13-11ea-b98c-2c56dc778d37</wsa:MessageID>
            <wsa:ReplyTo>
                 <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
            </wsa:ReplyTo>
            <wsa:From>
                 <wsa:Address>urn:uuid:YYYYYYYYYY</wsa:Address>
            </wsa:From>
      </soap:Header>
      <soap:Body />
</soap:Envelope>

printers.txt

Brother
Canon
Epson
HP
Kodak
Lexmark

How to install

user $ mkdir $HOME/discover

Use a text editor to create the five files listed above in the directory $HOME/discover/.

Make the Bash script and the Python scripts executable:

user $ chmod u+x $HOME/discover/*.sh $HOME/discover/*.py

How to use

user $ $HOME/discover/wsd-discover.sh

The script will list discovered devices (see the caveat in the Description section below). For example:

user $ $HOME/discover/wsd-discover.sh

Please wait.....sending multicast discovery probe and waiting 2 seconds for responses


Device IP : 192.168.1.121
===========================
Name         :WSD Device tutankhamun
Manufacturer :wsdd
Model        :wsdd
Category     :Computers
URN          :urn:uuid:ff03f853-8a45-5ad9-b75b-fe4f632c8c5b
Type         :pub:Computer
Workgroup    :TUTANKHAMUN/Workgroup:HOME


Device IP : 192.168.1.10
===========================
Name         :WSD Device akhanaten
Manufacturer :wsdd
Model        :wsdd
Category     :Computers
URN          :urn:uuid:ad8fedfb-a22c-5551-92b4-653aae69f379
Type         :pub:Computer
Workgroup    :AKHANATEN/Workgroup:HOME


Device IP : 192.168.1.74
===========================
Name         :WSD Device thutmoseiii
Manufacturer :wsdd
Model        :wsdd
Category     :Computers
URN          :urn:uuid:9bf49ac3-e58d-57a4-87ea-7c0d5ef02234
Type         :pub:Computer
Workgroup    :THUTMOSEIII/Workgroup:HOME

Printers
===========================
URL   : http://192.168.1.78:80
Make  : Canon MP560


The example output above was for a network of three Linux machines running the wsdd daemon, connected via Ethernet, plus a printer connected via Wi-Fi.

Description

The scripts are non-intrusive and discover WSD-enabled devices in multicast group 239.255.255.250 port 3702, namely a) Windows 10 and b) other Linux machines running the WSD daemon wsdd or other WSD software. It runs over Ethernet and Wi-Fi. The script joins the multicast group (with a reusable socket) and sends out a WSD Probe. The responses contain the UUID-to-IP address mappings of the devices it discovers. Each discovered device is then contacted individually on its IP address TCP port 5357 to retrieve basic information.

If you run the script on Linux with the WSD Daemon (wsdd) also running (see earlier post), the script discovers itself as well as other devices. If you run the script on a machine that is not running the WSD Daemon it still discovers other devices, but not itself.

The script also discovers any WSD-enabled printers that listen for multicasts on UPnP / SSDP group 239.255.255.250 but don’t care about what UDP port is being used. If a WSD-enabled printer is detected, the script attempts to retrieve the make and model of the printer using HTTP. To detect different printer makes, add the manufacturer e.g. Canon, Epson, Lexmark etc. to the file ‘printers.txt‘. The script reports on the printer make and tries to extract the model type. It may not always format the output 100% accurately.

The main thing to bear in mind is that the scripts do not maintain state i.e. a single discovery probe is transmitted. Multicast is fundamentally unreliable and only devices that respond are reported. If the probe is lost or an end device doesn’t respond, for whatever reason, it doesn’t get reported. You can run the script a few times to ensure that it picks up as many of the devices as it possibly can.

Powerline adapters and IPv6

My home network includes a number of devices connected via Powerline (HomePlug) adapters. Back in 2015 I blogged about ‘crosstalk’ between my and my neighbour’s home networks, both of which use Powerline adapters (see my post ‘Waiting for 192.168.1.254…’ (Why I could not access a home hub’s management page)), which I was able to resolve by changing the encryption key so that it is different to the default key used by my neighbour. Since then the Powerline adapters have worked well. However, an unrelated network problem recently highlighted another problem with my Powerline adapters…

In November last year there was an external fault with the broadband service to my house, so I had to contact my ISP (the company BT) to fix the problem. BT does not use highly-skilled field personnel to diagnose broadband problems; they tend to use a ‘shotgun’ approach to problem solving. Their first attempt was to replace my router, a BT Home Hub 5, which I knew was actually working perfectly. I was not going to argue, though, because they replaced the router with the newest model, a BT Smart Hub 2. Unlike the Home Hub 5, the Smart Hub 2 fully supports IPv6. BT’s broadband network has supported IPv6 for several years (see ISPreview – UPDATE All BT Broadband Lines Now Support IPv6 Internet Addresses) so I was expecting the computers on my home network to be assigned IPv6 addresses, but ‘ifconfig‘ and ‘ip address‘ showed they were not being assigned IPv6 addresses when connected via the Powerline adapters, only when connected to the Smart Hub 2 via Wi-Fi.

All my computers have IPv6 enabled:

$ sudo sysctl -a | grep disable_ipv6
[sudo] password for fitzcarraldo: 
sysctl: net.ipv6.conf.all.disable_ipv6 = 0
reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.default.disable_ipv6 = 0
sysctl: reading key "net.ipv6.conf.eno1.stable_secret"
net.ipv6.conf.eno1.disable_ipv6 = 0
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.disable_ipv6 = 0
sysctl: net.ipv6.conf.wlp2s0.disable_ipv6 = 0
reading key "net.ipv6.conf.wlp2s0.stable_secret"
$ test -f /proc/net/if_inet6 && echo "IPv6 supported" || echo "IPv6 not supported"
IPv6 supported

The fact that the computers on the home network were allocated an IPv6 address when connected to the Smart Hub 2 via Wi-Fi, and that WhatIsMyIPAddress.com confirmed the BT broadband public network was also allocating an IPv6 address, made me suspect the problem of no IPv6 via the wired network was due to the Powerline adapters.

As more machines were added to my home network over the years, I had to buy more Powerline adapters. In 2014 I bought some NETGEAR XAVB5221 (500 Mbps) Powerline adapters to supplement the superseded model NETGEAR XAVB1301 (200 Mbps) Powerline adapters I bought in 2012. Powerline adapters conforming to the HomePlug AV standard work together, so these had no problem communicating. A schematic diagram of my home network is shown below. To keep things simple, only some of the devices are shown. As you can in the diagram, a NETGEAR XAVB1301 adapter was used to connect the BT Smart Hub 2 to the network; some of the computers were connected via NETGEAR XAVB5221 adapters, and others via NETGEAR XAVB1301 adapters.

Simplified schematic diagram of my original home network

I could find no mention of IPv6 for its Powerline adapters in NETGEAR’s documentation and on the NETGEAR Web site. The NETGEAR user manual for the XAV1301 is dated ‘September 2011’ and it lists, under SPECIFICATIONS, compliance with IEEE 802.3 and IEEE 802.3u. The data sheet (no user manual available) for the XAVB5221 is dated ‘2014’ and it lists, under SPECIFICATIONS, compliance with IEEE 1901 and IEEE 802.3.

The Wikipedia page for IEEE 1901-2010 mentions IPv6, so support for IPv6 is relevant to the protocol:

“An IETF RFC Draft address the higher layers of the protocol, namely the specifics of passing IPv6 packets over the PHY and MAC layers of PLC [power-line communication] systems like IEEE 1901.”

I think the following draft Internet Engineering Task Force (IETF) document must be the latest version of the IETF Draft mentioned on the above-mentioned Wikipedia page for IEEE 1901:

Transmission of IPv6 Packets over PLC Networks

Anyway, all this lead me to wonder if the NETGEAR XAVB1301 does not fully comply with IEEE 1901 and does not support IPv6. So I decided to try connecting the BT Smart Hub 2 to the network via a NETGEAR XAVB5221 adapter instead of the older model XAVB1301, as shown in the schematic diagram below.

Simplified schematic diagram of my latest home network

What I then found was that any computer connected to the network via a NETGEAR XAVB5221 adapter was assigned an IPv6 address in addition to an IPv4 address, and WhatIsMyIPAddress.com showed public IPv6 and IPv4 addresses in a Web browser on the device. However, any computer connected to the network via a NETGEAR XAVB1301 adapter was assigned an IPv6 address in addition to an IPv4 address but WhatIsMyIPAddress.com displayed ‘IPv6 not detected’ in a Web browser. So it transpired that NETGEAR XAVB5221 adapters can handle IPv6 but the older XAVB1301 model cannot.

Although not essential, I toyed with the idea of replacing the older NETGEAR XAVB1301 adapters with XAVB5221 adapters, but that model is no longer on sale. The latest available Powerline adapter model from NETGEAR for wired networking is the PL1000 (1000 Mbps). However, its documentation does not mention IPv6 or IEEE 1901, and the following question on the Amazon UK Web site about IPv6 support for the PL1000, and NETGEAR’s answer on 5 May 2020 makes it clear that the PL1000 does not support IPv6:

Question: Does this model support ipv6? netgear xav1301 adapters only support ipv4. my router & pcs support ipv6 but can’t use ipv6 with my xav1301 adapters.

Answer: Thank you for your interest in the NETGEAR PL1000.

The PL1000 supports IPv4.

If you have any questions, you can also check out our NETGEAR Community at any time.

Best regards,
NETGEAR Amazon UK

Unlike NETGEAR, the TP-Link Web site makes it clear that all TP-Link Powerline adapters currently on sale support IPv6:

Most frequently asked questions about TP-Link powerline devices – Part3: Other questions about Powerline Device

Q3.12: Can TP-Link Powerline devices transfer IPv6 packets?

A: Yes, all the on sale TP-Link powerline devices can transfer IPv6 packets. Kindly note this is supported by default and does not require any configuration, our powerline products do not have setting entries for IPv6 either.

I also asked someone I know who uses TP-Link Powerline adapters and a BT Smart Hub 2, and he confirmed that the TP-Link adapters can handle IPv6.

Therefore, the bottom line is: if you want to use Powerline adapters and IPv6, avoid buying NETGEAR Powerline adapters and look at other manufacturers’ adapters instead. I have only investigated TP-Link’s adapters, which do support IPv6. A number of other companies also manufacture Powerline adapters, but you would need to check if they support IPv6; if necessary contact the manufacturer to be sure.

Firewall zones (profiles) in Linux, and how to switch them automatically if you use UFW

Firstly, a note on terminology: UFW (Uncomplicated Firewall) and its two GUI front-ends Gufw and UFW Frontends use the term ‘application profile’ to refer to a pre-configured set of rules specified in a file. Files containing UFW application profiles are placed in the directory /etc/ufw/applications.d/. An application profile for SMB, for example, enables the root user to use the UFW command ‘ufw allow Samba‘ (‘ufw allow CIFS‘ in Gentoo Linux) rather than having to enter UFW commands specifying the precise ports and network protocols that SMB uses. However, this blog post is not about UFW’s application profiles; it is about what Gufw calls ‘profiles’ and firewalld calls ‘zones’.

In essence a profile/zone is a collection of firewall policies and rules. Both Gufw and firewalld include the concept of a ‘zone’, although Gufw uses the term ‘profile’ rather than ‘zone’. UFW Frontends does not have the concept of a ‘zone’; rules entered via UFW Frontends apply to any network to which you connect your laptop. The ability to define different zones for different networks is handy. For example, you can have certain policies and rules when your laptop is connected to your home network, and different policies and rules when your laptop is connected to the network in a café, hotel, airport or other public place.

An attractive feature of firewalld when used in conjunction with NetworkManager and KDE Plasma is that it is possible to use the desktop environment’s network management module (‘System Settings’ > ‘Connections’) to specify a particular firewalld zone for a particular network connection. For example, let’s say you used firewalld to specify certain policies and rules for a zone you named ‘office’, and you then specified in the System Settings – Connections GUI that a connection named ‘ACM’ should use the zone ‘office’. Thereafter, whenever you connect your laptop to the network named ‘ACM’, firewalld will use the policies and rules you previously configured for the zone ‘office’.

Unlike firewalld, Gufw does not have the ability to switch profiles automatically according to which network the laptop is connected. You have to select manually the profile you wish to use. You would launch Gufw prior to connecting to, for example, your office’s network, select the profile ‘Office’ (or whatever you have named it), then connect your laptop to that network.

I think many people would be satisfied with the functionality currently provided by Gufw. I could use the Gufw GUI to create Gufw profiles with names such as ‘Home’, ‘HomeDave’, ‘Public’, ‘HQoffice’, ‘USoffice’, ‘PestanaRio’ and so on, and specify the different policies and rules I want for each profile. At home I would launch Gufw on my laptop and select the Home profile then connect to my home network; in the office at work I would launch Gufw on my laptop and select the HQoffice profile then connect to the office network; at my friend Dave’s house I would launch Gufw on my laptop and select the HomeDave profile then connect to the house network; and so on. Nevertheless I do see the attraction of automated zone switching, as provided by firewalld in conjunction with NetworkManager and KDE. It would be handy if my laptop could switch automatically to the Home profile when my laptop connected to the network at my home with the name ‘BTHub5-8EUQ’, automatically switch to the HQoffice profile when my laptop connected to the network named ‘HQ-Office2’ in the office, and so on.

I use UFW on my two laptops running Gentoo Linux. The package ufw-frontends is also installed but normally I use UFW directly via the command line. However I wanted to learn about zones/profiles while using UFW, and I also wanted to see if I could automate the switching of zones without resorting to installing firewalld. NetworkManager has the ability to launch ‘hook’ scripts when certain things happen — when a network connection changes, for example — and this seemed to me to be a way of switching profiles automatically.

I had not used Gufw before, so I decided to install it. A package is available in many Linux distributions but there is no ebuild for Gufw in Gentoo’s main Portage tree and I could not find an up-to-date ebuild for it in any Portage overlays. Therefore I created the ebuild for net-firewall/gufw-19.10.0 shown below. It probably needs improving, but it does install a working Gufw in Gentoo Linux.

# Copyright 1999-2019 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

EAPI=7
PYTHON_COMPAT=( python3_{5,6,7} )
DISTUTILS_IN_SOURCE_BUILD=1

inherit distutils-r1

MY_PN="gui-ufw"
MY_PV="$(ver_cut 1-2)"

DESCRIPTION="GUI frontend for managing ufw."
HOMEPAGE="https://gufw.org/"
SRC_URI="https://launchpad.net/${MY_PN}/trunk/${MY_PV}/+download/${MY_PN}-${PV}.tar.gz"

LICENSE="GPL-3"
SLOT="0"
KEYWORDS="~amd64"
IUSE=""

DEPEND="dev-python/python-distutils-extra"
RDEPEND="net-firewall/ufw
	dev-python/netifaces
	dev-python/pygobject:3
	net-libs/webkit-gtk[introspection]
	sys-auth/elogind
	sys-auth/polkit
	x11-libs/gtk+:3[introspection]
	x11-themes/gnome-icon-theme-symbolic
"
S=${WORKDIR}/${MY_PN}-${PV}

pkg_postinst() {
	sed '/dist-packages/d' -i /usr/bin/gufw-pkexec
	sed -E '/\/share\//d' -i /usr/bin/gufw-pkexec
	local PYTHONVERSION="$(python -c 'import sys; print("{}.{}".format(sys.version_info.major, sys.version_info.minor))')"
	sed -E "s|python3\.[0-9]|python${PYTHONVERSION}|g" -i /usr/bin/gufw-pkexec
	sed -E 's|\/lib\/|\/lib64\/|g' -i /usr/bin/gufw-pkexec
}

How To Set Up a Firewall with GUFW on Linux‘ is a good tutorial on Gufw.

As I had not used Gufw previously, I had to play around with it to understand better its functional design. I found that if I configure rules directly via UFW on the command line without using Gufw, Gufw does not allow me to edit those rules (but does allow me to delete them) and those rules exist whichever Gufw profile is selected in the Gufw GUI. Gufw profiles are stored in files named ‘/etc/gufw/*.profile‘ (e.g. /etc/gufw/Home.profile) and these files will not include UFW rules entered via the command line. On the other hand, UFW rules created via the Gufw GUI apply solely to the currently-selected Gufw profile, which is what I would have expected. In other words, I can create a different set of policies and rules in each Gufw profile. Therefore I believe Gufw profiles (as distinct from UFW application profiles) are basically analogous to firewalld’s zones. It also appears to me that Gufw maintains configuration files specifying policies and rules independently of UFW, which Gufw then applies to UFW. In other words, if you are a Gufw user you should not use UFW directly to configure policies and rules, otherwise Gufw’s configuration files will not include what you did directly using UFW. To reiterate, use only Gufw or only UFW, not both.

The current Gufw profile’s name is listed in the file /etc/gufw/gufw.cfg. For example, I currently have the Home profile selected in the Gufw GUI, and the file gufw.cfg contains the following:

[GufwConfiguration]
profile = Home
windowwidth = 542
windowheight = 530
confirmdetelerule = yes

If I examine the contents of the file /etc/gufw/Home.profle I see that it contains the UFW policies and rules I specified for the Gufw Home profile:

[fwBasic]
status = enabled
incoming = deny
outgoing = allow
routed = disabled

[Rule0]
ufw_rule = 137,138/udp ALLOW IN 192.168.1.0/24
description = Samba
command = /usr/sbin/ufw allow in proto udp from 192.168.1.0/24 to any port 137,138
policy = allow
direction = in
protocol = 
from_ip = 192.168.1.0/24
from_port = 
to_ip = 
to_port = 137,138/udp
iface = 
routed = 
logging = 

[Rule1]
ufw_rule = 139,445/tcp ALLOW IN 192.168.1.0/24
description = Samba
command = /usr/sbin/ufw allow in proto tcp from 192.168.1.0/24 to any port 139,445
policy = allow
direction = in
protocol = 
from_ip = 192.168.1.0/24
from_port = 
to_ip = 
to_port = 139,445/tcp
iface = 
routed = 
logging =

I also notice that the other Gufw profiles can differ. For example, my Office.profile file contains the following:

[fwBasic]
status = enabled
incoming = deny
outgoing = allow
routed = allow

The profile name listed in gufw.cfg gets changed when the user changes the profile using the Gufw GUI. It appears to me that only at the point in time when the user selects a certain Gufw profile in the Gufw GUI does Gufw parse the applicable *.profile file and issue commands to UFW to implement the policies and rules specified in the *.profile file.

Initially I tried to automate the process of changing the Gufw profile by doing the following:

  1. I created a NetworkManager Dispatcher hook script to:

    1. detect when the laptop connects to a network;

    2. determine whether the network is at my home, at my workplace or in a public place (café, airport or wherever) by looking at the connection name;

    3. edit gufw.cfg to change the name of the Gufw profile according to the network connected.
  2. I configured KDE to launch Gufw automatically at login, hoping that would implement the Gufw profile specified in gufw.cfg.

When I connected the laptop to various networks, Gufw did indeed show the name of the profile selected by the NetworkManager Dispatcher hook script, but the associated Gufw profile’s rules had not been applied. They were only applied if I clicked on the ‘Profile’ pull-down menu in Gufw, selected a different Gufw profile, then re-selected the desired Gufw profile. Therefore driving Gufw from a NetworkManager Dispatcher hook script is not possible. This is a pity, as Gufw is an easy way to manage UFW from a GUI; it allows the user to create, delete and edit zones (Gufw profiles) and to select them manually. What Gufw doesn’t do is enable the user to associate those zones with connection names, nor trigger specific zone automatically based on the selected network connection. firewalld, on the other hand, does enable the user to do both those things.

As my attempt at automating the switching of zones in Gufw had failed, I decided to create a NetworkManager Dispatcher hook script to switch zones automatically by using UFW commands. Initially I though about creating a bespoke UFW application profile for each zone and allowing/denying those in the script, but it is actually easier to use the fundamental UFW commands in the script, especially as UFW commands are relatively easy to understand. Also, this approach means everything is in a single file, which facilitates configuration. I can simply edit the script in order to: a) add or delete a zone; b) change a zone’s name; c) change policies and rules for a zone; d) add or delete a connection; e) change the name of a connection; f) change the zone a connection uses. Granted, editing a script is not as user-friendly as using the firewalld GUI to configure a zone and then using KDE Plasma’s system settings module Connections to specify that zone for a specific connection, but my script is not particularly difficult to understand and edit. And by using such a script I can continue to use UFW rather than installing firewalld and having to learn how to use it.

My NetworkManager Dispatcher hook script /etc/NetworkManager/dispatcher.d/20_ufw-zones is listed below. In the main body of the script I define the zone I wish to use for each connection, and in the function select_zone I define the policies and rules I want each zone to use.

#!/bin/bash
INTERFACE=$1
STATUS=$2
WIRED=enp4s0f1
WIFI=wlp3s0

CT_helper_rule() {
    echo "# The following is needed to enable Samba commands to" >> /etc/ufw/before.rules
    echo "# work properly for broadcast NetBIOS name resolution" >> /etc/ufw/before.rules
    echo "#"  >> /etc/ufw/before.rules
    echo "# raw table rules" >> /etc/ufw/before.rules
    echo "*raw" >> /etc/ufw/before.rules
    echo ":OUTPUT ACCEPT [0:0]" >> /etc/ufw/before.rules
    echo "-F OUTPUT" >> /etc/ufw/before.rules
    echo "-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns" >> /etc/ufw/before.rules
    echo "COMMIT" >> /etc/ufw/before.rules
}
 
select_zone() {
    ufw --force reset
    ufw --force enable
    ZONE=$1
    case "$ZONE" in
    'Home')
        ufw default deny incoming
        ufw default allow outgoing
        #
        # Rules for SMB
        ufw allow from 192.168.1.0/24 to any port 137,138 proto udp
        ufw allow from 192.168.1.0/24 to any port 139,445 proto tcp
        CT_helper_rule
        #
        # Rules for KDEConnect
        ufw allow from 192.168.1.0/24 to any port 1714:1764 proto udp
        ufw allow from 192.168.1.0/24 to any port 1714:1764 proto tcp
    ;;
    'Office')
        ufw default deny incoming
        ufw default allow outgoing
    ;;
    'Public')
        ufw default reject incoming
        ufw default allow outgoing
    ;;
    'JohnsHouse')
        ufw default deny incoming
        ufw default allow outgoing
        #
        # Rules for SMB
        ufw allow from 192.168.42.0/24 to any port 137,138 proto udp
        ufw allow from 192.168.42.0/24 to any port 139,445 proto tcp
        CT_helper_rule
        #
        # Rules for KDEConnect
        ufw allow from 192.168.42.0/24 to any port 1714:1764 proto udp
        ufw allow from 192.168.42.0/24 to any port 1714:1764 proto tcp
    ;;
    esac
    ufw --force reload
    rm /etc/ufw/*.rules.20* # Delete backups of *.rules files ufw makes every time it is reset
    echo -n `date +"[%F %T %Z]"` >> /var/log/ufw-zones.log
    echo " Zone $ZONE selected for connection $ACTIVE on interface $INTERFACE." >> /var/log/ufw-zones.log
}
 
# Check if either the wired or wireless interface is up
if [ "$INTERFACE" = "$WIRED" -o "$INTERFACE" = "$WIFI" ] && [ "$STATUS" = "up" ]; then
 
    # Check if a single connection is active
    if [ `nmcli c | grep -v "\-\-" | grep -v "NAME.*UUID.*TYPE.*DEVICE" | wc -l` -eq 1 ]; then
 
        # Ascertain the name of the active connection
        ACTIVE=`nmcli c | grep -v "\-\-" | grep -v "NAME.*UUID.*TYPE.*DEVICE" | awk -F' ' '{print $1}'`
 
        case "$ACTIVE" in
 
        'eth0')
            ZONE="Home"
        ;;
        'POR1-wired')
            ZONE="Office"
        ;;
        'BTHub5-8EUQ')
            ZONE="Home"
        ;;
        'BTHub5-8EUQ-5GHz')
            ZONE="Home"
        ;;
        'John1')
            ZONE="JohnsHouse"
        ;;
        'GRAND MERCURE')
            ZONE="Public"
        ;;
        *)
            # If connection name is not in above list
            ZONE="Public"
        ;;

        esac

        select_zone $ZONE
        exit $?

    fi
fi

The log file that the script uses contains a chronological record of the connections made and the zones selected:

$ cat /var/log/ufw-zones.log 
[2019-09-30 20:13:52 BST] Zone Home selected for connection eth0 on interface enp4s0f1.
[2019-10-01 22:59:18 BST] Zone Home selected for connection BTHub5-8EUQ-5GHz on interface wlp3s0.
[2019-10-02 17:59:23 EDT] Zone Public selected for connection loganwifi on interface wlp3s0.
[2019-10-03 10:12:46 EDT] Zone Office selected for connection POR1-wired on interface enp4s0f1.

Prevent Linux firewalls interfering with Samba commands in a home network that uses broadcast NetBIOS name resolution

Or “How come devices in a home network can browse SMB shares but Linux Samba commands and Windows nbtstat commands do not work properly?”

Introduction

In a previous post I explained how it is possible to browse SMB shares when using broadcast NetBIOS name resolution in a home network consisting of machines running Linux, Windows and other operating systems. Browsing SMB/Samba shares will work as expected, but Samba commands such as ‘smbtree‘, ‘smbclient‘ and ‘nmblookup‘ will not work properly if the Linux machines use a firewall that has not been configured for broadcast NetBIOS name resolution. This post is to explain how to do that.

If broadcast NetBIOS name resolution is being used and none of the Linux machines has a firewall enabled, or if their firewalls have been correctly configured, the output of e.g. the ‘smbtree‘ command on one of those machines would look something like the example below.

anne@akhanaten:~$ smbtree
Enter anne's password: 
HOME
        \\AKHANATEN                     Samba 4.3.11-Ubuntu
                \\AKHANATEN\IPC$                IPC Service (Samba 4.3.11-Ubuntu)
                \\AKHANATEN\guest               guest account
                \\AKHANATEN\matthew             matthew share
                \\AKHANATEN\marilla             marilla share
                \\AKHANATEN\anne                anne share
        \\TUTANKHAMUN                   Samba 4.5.10
                \\TUTANKHAMUN\Samsung_Xpress_C460FW     Samsung Xpress C460FW
                \\TUTANKHAMUN\Canon_MP560_Printer       Canon PIXMA MP560
                \\TUTANKHAMUN\Canon_MP510_Printer       Canon PIXMA MP510
                \\TUTANKHAMUN\Virtual_PDF_Printer       Virtual PDF Printer
                \\TUTANKHAMUN\IPC$              IPC Service (Samba 4.2.11)
                \\TUTANKHAMUN\Public
                \\TUTANKHAMUN\anne-share
                \\TUTANKHAMUN\print$
                \\TUTANKHAMUN\netlogon          Network Logon Service
        \\BTHUB5                        BT Home Hub 5.0A File Server
                \\BTHUB5\IPC$                   IPC Service (BT Home Hub 5.0A File Server)
        \\THUTMOSEIII                   Windows 10 computer

If Linux firewalls have not been correctly configured, the output would be missing some information about other machines in the network. For example, compare the output above with the output below from the same network, this time with the Linux firewalls configured using typical rules for Samba specified in Web articles, blog posts and forums.

anne@akhanaten:~$ smbtree
Enter anne's password: 
HOME
        \\AKHANATEN                     Samba 4.3.11-Ubuntu
                \\AKHANATEN\IPC$                IPC Service (Samba 4.3.11-Ubuntu)
                \\AKHANATEN\guest               guest account
                \\AKHANATEN\matthew             matthew share
                \\AKHANATEN\marilla             marilla share
                \\AKHANATEN\anne                anne share
        \\TUTANKHAMUN                   Samba 4.5.10
        \\BTHUB5                        BT Home Hub 5.0A File Server
        \\THUTMOSEIII                   Windows 10 computer

To avoid this problem you need to add a further Linux firewall rule to the set of rules usually used for Samba. Below I first list the usual firewall rules for Samba, then I give the additional rule necessary if using broadcast NetBIOS name resolution. In each case I give the applicable rules for a pure IPTABLES firewall and for UFW (Uncomplicated Firewall). The rules listed here assume the IP address range of the home network is 192.168.1.0/24, so change the range to suit the specific network.

Firewall rules typically specified for machines using Samba

IPTABLES

The rules listed below assume the machine uses interface eth0, so change the interface to suit the specific machine.

# NetBIOS Name Service (name resolution)
iptables -A INPUT -i eth0 -p udp --dport 137 -s 192.168.1.0/24 -j ACCEPT

# NetBIOS Datagram Service (BROWSER service)
iptables -A INPUT -i eth0 -p udp --dport 138 -s 192.168.1.0/24 -j ACCEPT

# NetBIOS Session Service (data transfer legacy SMB/NetBIOS/TCP)
iptables -A INPUT -i eth0 -p tcp --dport 139 -s 192.168.1.0/24 -j ACCEPT

# Microsoft Directory Service (data transfer SMB/TCP)
iptables -A INPUT -i eth0 -p tcp --dport 445 -s 192.168.1.0/24 -j ACCEPT

UFW

In some Linux distributions the ufw application allows a single command to add Samba support, such as:

user $ sudo ufw allow Samba

or

user $ sudo ufw allow CIFS

These ‘application profiles’ are specified in files in the directory /etc/ufw/applications.d/, so you could add application profiles or modify existing ones if you wish. In one of my installations the file /etc/ufw/applications.d/ufw-fileserver includes the following application profile for Samba, for example:

[CIFS]
title=SMB/CIFS server
description=SMB/CIFS server
ports=137,138/udp|139,445/tcp

If such an application profile does not exist in your installation, typical Samba rules can be added in UFW using the following two commands:

user $ sudo ufw allow from 192.168.1.0/24 to any port 137,138 proto udp
user $ sudo ufw allow from 192.168.1.0/24 to any port 139,445 proto tcp

The correct addition of the rules can be checked using the following command:

user $ sudo ufw status verbose
Password:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
137,138/udp (CIFS)         ALLOW IN    192.168.1.0/24
139,445/tcp (CIFS)         ALLOW IN    192.168.1.0/24

The extra rule required when using broadcast NetBIOS name resolution

The reason why an extra rule is required when using broadcast NetBIOS name resolution is because UFW (which is based on IPTABLES) is ‘stateful’, as is a purely IPTABLES firewall (unless explicitly configured not to be stateful). The firewall does not consider packets it receives in response to its broadcast to be ESTABLISHED or RELATED, and therefore drops those packets. So, despite the IPTABLES and UFW rules listed above including a rule to accept incoming UDP packets on Port 137, any UDP packets received on Port 137 that do not constitute a one-to-one, two-way communication flow are dropped by the firewall. The extra rule below overrules this and makes the firewall accept packets coming from other devices’ Port 137 in response to broadcast NetBIOS Name Service packets. To do this, the extra rule uses a CT (Connection Tracking) helper named ‘netbios-ns‘ (obviously meaning ‘NetBIOS Name Service’). In order to use this rule the kernel must have been configured to use the IPTABLES ‘raw‘ table and to use CT (see the section ‘Kernel configuration’ further on).

IPTABLES

# All NetBIOS clients must have the netbios-ns helper enabled for broadcast name resolution to work
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

By the way, in addition to flushing the usual tables, flush the ‘raw‘ table too when you restart the firewall:

iptables -t raw -F OUTPUT

UFW

Add the following lines to the end of the file /etc/ufw/before.rules

# The following is needed to enable Samba commands to
# work properly for broadcast NetBIOS name resolution
#
# raw table rules
*raw
:OUTPUT ACCEPT [0:0]
-F OUTPUT
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT

Note that the output of the command ‘ufw status verbose‘ will not include the above rule. This is not a bug.

Kernel configuration

If you are using a binary-based distribution such as Ubuntu Linux, the kernel will probably have been configured to include the needed modules (CONFIG_IP_NF_RAW=m, CONFIG_IP6_NF_RAW=m and CONFIG_NETFILTER_XT_TARGET_CT=m), and the installation configured to load the modules automatically. However, if you are using a source-based distribution such as Gentoo Linux make sure the kernel configuration includes these three options before you build the kernel, and also add the module names ‘iptable_raw‘ and ‘xt_CT‘ to the module list in the file /etc/conf.d/modules as shown in the example below, so that the modules are loaded at boot:

modules="r8169 nvidia agpgart fuse bnep rfcomm hidp uvcvideo cifs mmc_block rtsx_pci snd-seq-midi vboxdrv vboxnetadp vboxnetflt iptable_raw xt_CT"

You can use the following two commands to check if the two modules are loaded:

user $ sudo lsmod | grep iptable_raw
user $ sudo lsmod | grep xt_CT

How to check the additional rule is active

You can use the command below whether you are using pure IPTABLES or UFW.

user $ sudo iptables -nvL -t raw
Password: 
Chain PREROUTING (policy ACCEPT 2613 packets, 1115K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2773 packets, 475K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   16  1248 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 CT helper netbios-ns

The packet and byte counts will increase whenever you use a Samba command.

Bibliography

  1. The netfilter.org "iptables" project
  2. Iptables Tutorial
  3. Introduction to IPTables
  4. Gentoo Wiki : iptables
  5. Arch Linux Wiki : Samba : "Browsing" network fails with "Failed to retrieve share list from server"
  6. Ubuntu : Manpage : ufw-framework
  7. Gentoo Wiki : UFW

A correct method of configuring Samba for browsing SMB shares in a home network

SMB
SMB (Server Message Block) is the underlying protocol that Microsoft Windows computers use to connect to resources, such as file shares and printers, and to transfer information when the connections are established. Samba is the Linux implementation of SMB that allows file and printer information to be transferred between Windows and Linux computers. An early variant of the SMB protocol is known as ‘CIFS’ (Common Internet File System). CIFS is actually obsolete, so the correct term to use these days is ‘SMB’ (see the blog post Why You Should Never Again Utter The Word, "CIFS"), although ‘CIFS’ is still used sometimes when referring to SMB.

Terminology
You are likely to come across several terms when reading about Samba, such as NetBIOS, Active Directory (AD), Lightweight Directory Access Protocol (LDAP), Kerberos, Windows Internet Name Service (WINS) and Winbind, to name but a few. Most are used in larger corporate or enterprise networks but you can ignore most of them – only broadcast NetBIOS name resolution or WINS are necessary to configure Samba in small home networks. For example, my home network uses broadcast NetBIOS name resolution and sometimes has up to 15 devices connected (Linux, Windows 7/10, macOS, Android and iOS), all of which can browse file shares using SMB/Samba.

Note: You should not use Broadcast NetBIOS Name Resolution and WINS at the same time.

To explain the terminology – Active Directory is a central database of user accounts and passwords used primarily in Windows networks to authenticate users, and LDAP is the protocol that clients and servers use to access the Active Directory database. Kerberos is a separate encrypted authentication mechanism used for client-server applications, such as computers that access a specific file or web server, or SQL database. WINS is a mechanism for storing Windows computer name to IP address mappings on a central server – the WINS Server. Computers in a LAN interrogate the WINS server to obtain the IP addresses of other computers. It’s a bit like DNS except that the WINS Server stores Windows computer names rather than URLs or domain names. Winbind is a Unix/Linux mechanism that allows Windows NT accounts to look like a Unix service to Unix/Linux machines.

NetBIOS
How is NetBIOS relevant to Samba? Samba uses NetBIOS in three different ways:

  1. NetBIOS over UDP Port 137 to advertise Windows computer names for name to IP address resolution;

  2. NetBIOS over UDP Port 138 to advertise services that the computer offers and to elect a ‘Master Browser’ (explained below);

  3. SMB over NetBIOS over TCP/IP Port 139 to connect to file shares or printers. Once connected, the computers may negotiate using SMB direct over TCP/IP Port 445 to improve efficiency of the connection.

NetBIOS over UDP (Port 137) is a connectionless broadcast protocol that Windows machines use to advertise over the LAN their names and corresponding IP addresses. Other computers receive the broadcasts and cache the names and IP addresses in a name to IP address mapping table.

NetBIOS over UDP (Port 138) is a connectionless broadcast protocol that Windows machines use to advertise their eligibility to become the Master Browser or Backup Browser for a Windows Workgroup in the LAN. An automatic election process elects only one machine in a Workgroup to become the Master Browser for that workgroup, and elects one or more ‘Backup Browsers’ in the Workgroup. The Master Browser and Backup Browser(s) collate a list of all the computers in the Workgroup and the services that they offer. It is more efficient for a single computer to assume the master role and to collate the information than it is for the information to remain distributed. When you click on ‘Network’ in File Explorer’s ‘Network Neighbourhood’ window, your computer interrogates the Master Browser(s) to obtain a list of the Windows Workgroups in the LAN, the members of the Workgroup(s) and the file and printer services that each Workgroup member offers. If the Master Browser fails or is disconnected, a re-election takes place and a new Master Browser is elected from the list of Backup Browsers in that Workgroup. The same process occurs if you are using a Linux file manager (Dolphin in KDE, Nautilus in GNOME, etc.) with Samba. You can configure the ‘priority’ of the Samba server in each machine in the Workgroup so that it is either more likely or less likely to be elected the Master Browser for the Workgroup. You could even configure Samba on a Linux machine so that it will never be a Master Browser. (It is also possible to configure a Windows machine so that it will never be a Master Browser.)

     Renamed ‘Entire Network’ in some versions of Windows.
     Renamed ‘My Network Places’ or simply ‘Network’ in some versions of Windows.

SMB over NetBIOS over TCP/IP (Port 139) is a connection orientated protocol that Windows computers use to connect to file shares and printers, to retrieve directory listings and to transfer files. Having obtained a list of computers and file shares from the Master Browser, if you click on a particular file share to connect to it, your computer looks up the name of the target computer in the local name table, obtains the target computer’s IP address and initiates a SMB over NetBIOS over TCP/IP connection to it. The target computer then issues a username and password prompt for you to complete the connection. If authentication is successful, the SMB protocol is used to transfer a directory listing of the contents of the share. If you drag and drop a file from the share to your local machine, or vice-versa, SMB is used to transfer the file. Behind the scenes, during the initial connection set-up, your computer and the target carry out a negotiation. If both machines support SMB direct over TCP/IP, the directory listing and subsequent file transfer are transported using SMB over TCP/IP Port 445. This is much more efficient because it eliminates completely the NetBIOS overhead.

When you install and configure Samba on a Linux computer, the ‘smbd‘ and ‘nmbd‘ daemons enable all of the functionality above. In a small network you do not need to enable or use AD, LDAP, Kerberos, WINS, Winbind or anything else for that matter. Samba and its built-in NetBIOS mechanisms will allow you to participate in a Windows Workgroup environment to share and use folders, files and printers.

Workgroups
The majority of Windows computers running in home networks are configured, by default, in a single Workgroup. A Workgroup is a simple way for computers in small networks to advertise and share resources, such as folders and printers, with other members of the same group. You can configure multiple Workgroups in the same LAN but each computer can belong to only one Workgroup. The theory is that different computers can share different resources within their group.

Please Note: A Windows Workgroup is not the same thing as a Windows HomeGroup. The latter concept was introduced in Windows 7 and is an ‘evolution’ of the Workgroup concept, in which you share folders and files but specify a pre-determined group password. All computers wishing to join the HomeGroup specify the same password to connect to the resources in that group. Samba does not participate in Windows HomeGroups because the latter is a Windows-only feature.

Configuring Samba
Firstly, install Samba on the Linux computer. Use Samba 4 and avoid Samba 3, which is obsolete. I have several laptops and a Network Addressable Storage (NAS) server, all running Linux with various releases of Samba 4. I also have a desktop computer running Windows 10 for family use. In addition, family and friends connect various laptops running Windows 7 and Windows 10 to my home network, as well as tablets and smartphones (see How to Access Shared Windows Folders on Android, iPad, and iPhone). This NAS runs 24/7 so I could have configured Samba to always make it the Master Browser but this is not necessary as the remaining computers in the network will elect a new Master Browser should the NAS fail.

Below is a summary of the steps to configure Samba in a Windows Workgroup:

  1. Configure the same Workgroup name on all of the Windows computers (for example, How to Change Workgroup in Windows 10). The default Windows 10 Workgroup is called ‘WORKGROUP‘. In the example further down I used the Windows GUI to change the Workgroup name to ‘GREENGABLES‘. There is plenty of information on the Internet about how to configure Windows file sharing so I won’t repeat any of it here (for example, How to Enable Network Discovery and Configure Sharing Options in Windows 10 and How to set up file sharing on Windows 10 (Share files using File Explorer)).

  2. Configure Samba on the Linux machines by editing the file ‘/etc/samba/smb.conf‘ on each. The contents of the file ‘smb.conf‘ are shown below for a Linux NAS and two Linux laptops. The NetBIOS name of the NAS is ‘akhanaten‘ and the laptops are ‘tutankhamun‘ and ‘smenkhkare‘. You can use either of the smb.conf files of the two laptops as a template for the smb.conf file of any Linux computer in your own home network. You can ignore the smb.conf file of the NAS if you simply want to be able to browse SMB/Samba shares on other computers in your home network.

  3. Use the command ‘pdbedit‘ on each Linux machine to define and configure the Samba users on that machine. The command ‘smbpasswd‘ is an alternative to ‘pdbedit‘ but I recommend you use the latter, as ‘smbpasswd‘ is deprecated. Each Samba user must exist as a Linux user because it is the Linux users who own the shares and are used for authentication.

  4. The NAS has Linux users ‘anne‘, ‘marilla‘, ‘matthew‘ and ‘guest‘, whereas each of the laptops has a Linux user ‘anne‘. The user name does not have to be the same on different computers.

  5. The purpose of each variable in ‘smb.conf‘ is explained on the applicable Samba manual page (enter the command ‘man smb.conf‘ in a terminal window) and the Samba documentation page for smb.conf on the Web.

Furthermore, make sure the Winbind daemon is not running. If Winbind is installed, make sure the service is not running and is disabled.

smb.conf of NAS running Ubuntu Server Edition:

[global]
# SMB uses ports 139 & 445, as explained in this blog post
smb ports = 139 445
netbios name = akhanaten
workgroup = greengables

# Use either NetBIOS broadcast for name resolution or entries in the /etc/hosts file
name resolve order = bcast host

# Don't care if the workgroup name is upper or lower case
case sensitive = no

# User authentication is used to access the shares
security = user
map to guest = bad user
guest account = guest

# Don't allow the use of root for network shares
invalid users = root

# Domain master only applies to LANs that are inter-connected across a WAN
domain master = no

# This machine is eligible to be a Master Browser and its priority is 4
# (the higher the os level, the more preferred to be Master Browser)
# (the maximum allowable value for os level is 255)
preferred master = yes
os level = 4
dns proxy = no

# Always advertise the shares automatically
auto services = global

# Interfaces on which to listen for NetBIOS broadcasts and to allow SMB connections
# Include "lo" because it is the internal interface
# em1 is the name of the Ethernet interface, found using the ifconfig command
interfaces = lo em1
bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes

# Don't synchronise the Linux and Samba user passwords - they can be different
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

# This Samba configuration does not advertise any printers
load printers = no

# File to map long usernames to shorter Unix usernames, if necessary
username map = /etc/samba/smbusers

# Allow guest user access if specified in the shares
guest ok = yes

# First user share is called "anne" - only user "anne" specified below can connect to the share
[anne]
comment = "anne share"
path = /nas/shares/anne
writeable = yes
valid users = anne

# Second user share is called "marilla" - only user "marilla" specified below can connect to the share
[marilla]
comment = "marilla share"
path = /nas/shares/marilla
writeable = yes
valid users = marilla

# Third user share is called "matthew" - only user "matthew" specified below can connect to the share
[matthew]
comment = "matthew share"
path = /nas/shares/matthew
writeable = yes
valid users = matthew

# Fourth user share is called "guest" - any user can connect to the share
[guest]
comment = "guest account"
path = /nas/shares/guest
writeable = yes
guest ok = yes
valid users = guest anne marilla matthew

smb.conf of laptop #1 running Gentoo Linux:

[global]
;no need to specify 'smb ports' as ports 139 & 445 used by default
workgroup = GREENGABLES
netbios name = tutankhamun
case sensitive = no
browseable = yes

;If this machine becomes a Master Browser, the following parameter allows it to hold the browse list
browse list = yes

printcap name = cups
printing = cups

log file = /var/log/samba/log.%m
max log size = 50

security = user
map to guest = bad user

encrypt passwords = yes
passdb backend = tdbsam

domain master = no
local master = yes
preferred master = yes
; os level = 6 on the other laptop, so I have made it 5 on this laptop.
os level = 5
name resolve order = bcast
wins support = no
dns proxy = no

;Listen for NetBIOS on Ethernet and Wireless interfaces
;Names of the interfaces found using ifconfig command
interfaces = enp4s0f1 wlp3s0

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = yes
printable = yes
create mask = 0700

[print$]
path = /var/lib/samba/printers
write list = @adm root
guest ok = yes

[anne-share]
path = /home/anne/anne-share/
guest ok = yes
;read only = no
writeable = yes
browseable = yes
valid users = anne

[Public]
path = /home/anne/Public/
guest ok = yes
;read only = no
writeable = yes
browseable = yes

smb.conf of laptop #2 running Gentoo Linux:

[global]
;no need to specify 'smb ports' as ports 139 & 445 used by default
workgroup = GREENGABLES
netbios name = smenkhkare
case sensitive = no
browseable = yes

;If this machine becomes a Master Browser, the following parameter allows it to hold the browse list
browse list = yes

printcap name = cups
printing = cups

log file = /var/log/samba/log.%m
max log size = 50

security = user
map to guest = bad user

encrypt passwords = yes
passdb backend = tdbsam

domain master = no
local master = yes
preferred master = yes
; os level = 5 on the other laptop so I have made it 6 on this laptop
os level = 6
name resolve order = bcast
wins support = no
dns proxy = no

;Listen for NetBIOS on Ethernet and Wireless interfaces
;Names of the interfaces found using ifconfig command
interfaces = eth0 wlan0

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = yes
printable = yes
create mask = 0700

[print$]
path = /var/lib/samba/printers
write list = @adm root
guest ok = yes

[anne-share]
path = /home/anne/share-share/
guest ok = yes
;read only = no
writeable = yes
browseable = yes
valid users = anne

[Public]
path = /home/anne/Public/
guest ok = yes
;read only = no
writeable = yes
browseable = yes

Samba Commands
The following are Samba commands you can use on any of the Linux computers to find information on the Samba shares.

The ‘smbtree‘ command lists the computers currently using SMB in the local network:

user $ smbtree
GREENGABLES
        \\AKHANATEN                     Samba 4.3.11-Ubuntu
                \\AKHANATEN\IPC$                IPC Service (Samba 4.3.11-Ubuntu)
                \\AKHANATEN\guest               guest account
                \\AKHANATEN\matthew             matthew share
                \\AKHANATEN\marilla             marilla share
                \\AKHANATEN\anne                anne share
        \\SMENKHKARE                    Samba 4.2.14
                \\SMENKHKARE\Samsung_CLX-8385ND Samsung CLX-8385ND
                \\SMENKHKARE\Canon_MP510_Printer        Canon MP510 Printer
                \\SMENKHKARE\Virtual_PDF_Printer        Virtual PDF Printer
                \\SMENKHKARE\Canon_MP560_WiFi   Canon MP560 WiFi
                \\SMENKHKARE\IPC$               IPC Service (Samba 4.2.14)
                \\SMENKHKARE\Public         
                \\SMENKHKARE\anne-share     
                \\SMENKHKARE\print$         
                \\SMENKHKARE\netlogon           Network Logon Service
        \\TUTANKHAMUN                   Samba 4.2.11
                \\TUTANKHAMUN\Samsung_Xpress_C460FW     Samsung Xpress C460FW
                \\TUTANKHAMUN\Canon_MP560_Printer       Canon PIXMA MP560
                \\TUTANKHAMUN\Canon_MP510_Printer       Canon PIXMA MP510
                \\TUTANKHAMUN\Virtual_PDF_Printer       Virtual PDF Printer
                \\TUTANKHAMUN\IPC$              IPC Service (Samba 4.2.11)
                \\TUTANKHAMUN\Public
                \\TUTANKHAMUN\anne-share
                \\TUTANKHAMUN\print$
                \\TUTANKHAMUN\netlogon          Network Logon Service
HOME
        \\BTHUB5                        BT Home Hub 5.0A File Server
                \\BTHUB5\IPC$                   IPC Service (BT Home Hub 5.0A File Server)

BTHUB5‘ is a BT Home Hub 5 (a network router and broadband modem). Notice that it is configured by default to be in a Windows Workgroup named ‘HOME‘. The BT Home Hub 5 has a USB port to which an external USB HDD could be attached, so I assume computers in the home network could have been configured to use the HOME Workgroup instead of GREENGABLES and hence access that USB HDD, i.e. use it as a NAS. However, no HDD is attached to the BT Home Hub 5, so just ignore the BTHUB5 device and the HOME Workgroup.

The ‘nmblookup‘ command is used to see which services each computer offers. The strings ‘..__MSBROWSE__.‘ and ‘<1d>‘ in the output indicate that the computer is currently the Master Browser (see the Microsoft TechNet article NetBIOS Over TCP/IP for details):

user $ nmblookup akhanaten
192.168.1.70 akhanaten<00>

user $ nmblookup -A 192.168.1.70
Looking up status of 192.168.1.70
        AKHANATEN       <00> -         B <ACTIVE>
        AKHANATEN       <03> -         B <ACTIVE>
        AKHANATEN       <20> -         B <ACTIVE>
        GREENGABLES     <00> - <GROUP> B <ACTIVE>
        GREENGABLES     <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

user $ nmblookup tutankhamun
192.168.1.79 tutankhamun<00>

user $ nmblookup -A 192.168.1.79
Looking up status of 192.168.1.79
        TUTANKHAMUN     <00> -         B <ACTIVE>
        TUTANKHAMUN     <03> -         B <ACTIVE>
        TUTANKHAMUN     <20> -         B <ACTIVE>
        GREENGABLES     <00> - <GROUP> B <ACTIVE>
        GREENGABLES     <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

user $ nmblookup smenkhkare
192.168.1.90 smenkhkare<00>

user $ nmblookup -A 192.168.1.90
Looking up status of 192.168.1.90
        SMENKHKARE      <00> -         B <ACTIVE>
        SMENKHKARE      <03> -         B <ACTIVE>
        SMENKHKARE      <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> 
        GREENGABLES     <00> - <GROUP> B <ACTIVE>
        GREENGABLES     <1d> -         B <ACTIVE>
        GREENGABLES     <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

..__MSBROWSE__.‘ and ‘<1d>‘ in the above output indicates that the laptop named smenkhkare is currently the Master Browser of the Workgroup named GREENGABLES. See the Microsoft TechNet article NetBIOS Over TCP/IP to interpret the output.

Now let’s look at what happens when thutmoseiii, the Windows 10 desktop connected to this home network, is powered up:

user $ smbtree
GREENGABLES
        \\AKHANATEN                     Samba 4.3.11-Ubuntu
                \\AKHANATEN\IPC$                IPC Service (Samba 4.3.11-Ubuntu)
                \\AKHANATEN\guest               guest account
                \\AKHANATEN\matthew             matthew share
                \\AKHANATEN\marilla             marilla share
                \\AKHANATEN\anne                anne share
        \\SMENKHKARE                    Samba 4.2.14
                \\SMENKHKARE\Samsung_CLX-8385ND Samsung CLX-8385ND
                \\SMENKHKARE\Canon_MP510_Printer        Canon MP510 Printer
                \\SMENKHKARE\Virtual_PDF_Printer        Virtual PDF Printer
                \\SMENKHKARE\Canon_MP560_WiFi   Canon MP560 WiFi
                \\SMENKHKARE\IPC$               IPC Service (Samba 4.2.14)
                \\SMENKHKARE\Public
                \\SMENKHKARE\anne-share
                \\SMENKHKARE\print$
                \\SMENKHKARE\netlogon           Network Logon Service
        \\TUTANKHAMUN                   Samba 4.2.11
                \\TUTANKHAMUN\Samsung_Xpress_C460FW     Samsung Xpress C460FW
                \\TUTANKHAMUN\Canon_MP560_Printer       Canon PIXMA MP560
                \\TUTANKHAMUN\Canon_MP510_Printer       Canon PIXMA MP510
                \\TUTANKHAMUN\Virtual_PDF_Printer       Virtual PDF Printer
                \\TUTANKHAMUN\IPC$              IPC Service (Samba 4.2.11)
                \\TUTANKHAMUN\Public
                \\TUTANKHAMUN\anne-share
                \\TUTANKHAMUN\print$
                \\TUTANKHAMUN\netlogon          Network Logon Service
        \\THUTMOSEIII                   Lounge Computer
HOME
        \\BTHUB5                        BT Home Hub 5.0A File Server
                \\BTHUB5\IPC$                   IPC Service (BT Home Hub 5.0A File Server)

user $ nmblookup thutmoseiii
192.168.1.74 thutmoseiii<00>
192.168.56.1 thutmoseiii<00>

user $ nmblookup -A 192.168.1.74
Looking up status of 192.168.1.74
        THUTMOSEIII     <20> -         B <ACTIVE> 
        THUTMOSEIII     <00> -         B <ACTIVE> 
        GREENGABLES     <00> - <GROUP> B <ACTIVE> 
        GREENGABLES     <1e> - <GROUP> B <ACTIVE> 

        MAC Address = AA-BB-CC-DD-EE-FF (anonymised by me)

So Linux computer smenkhkare remained the Master Browser. This is because the Windows 10 computer has its Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList set to ‘Auto‘, and also there is no subkey \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster so implicitly its value is False (i.e. the computer is not a Preferred Master Browser). See Microsoft TechNet article Specifying Browser Computers for details.

By the way, notice that two IP addresses are listed for thutmoseiii. This is because thutmoseiii is connected to two network adapters: 192.168.1.74 is the IP address of thutmoseiii in the home network, and 192.168.56.1 is the IP address of the virtual network interface for the virtual computers in VirtualBox installed on thutmoseiii.

If the Samba service on smenkhkare is now stopped from the command line, Windows 10 computer thutmoseiii is elected Master Browser after more than a minute has elapsed:

user $ nmblookup -A 192.168.1.74
Looking up status of 192.168.1.74
        THUTMOSEIII     <20> -         B <ACTIVE> 
        THUTMOSEIII     <00> -         B <ACTIVE> 
        GREENGABLES     <00> - <GROUP> B <ACTIVE> 
        GREENGABLES     <1e> - <GROUP> B <ACTIVE> 
        GREENGABLES     <1d> -         B <ACTIVE> 
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>

        MAC Address = AA-BB-CC-DD-EE-FF (anonymised by me)

If the Samba service on smenkhkare is then restarted from the command line and the Windows 10 computer is allowed to go to sleep, the laptop named smenkhkare becomes the Master Brower again as expected.

NetBIOS Commands in Windows
Now let’s look at some NetBIOS equivalent commands on the Windows 10 computer (Windows computer name: thutmoseiii).

First let’s see which remote computers thutmoseiii detects:

C:\WINDOWS\system32>nbtstat -c

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

    No names in cache

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    AKHANATEN      <20>  UNIQUE          192.168.1.70        381
    TUTANKHAMUN    <20>  UNIQUE          192.168.1.79        407
    SMENKHKARE     <20>  UNIQUE          192.168.1.90        416

WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

Four adapters are listed in the above output: ‘VirtualBox Host-Only Network 2‘, ‘Ethernet‘, ‘WiFi‘ and ‘Local Area Connection* 11‘. Let’s look at why they are listed:

  • The first adapter listed exists because VirtualBox is installed on thutmoseiii and has a virtual network adapter to enable virtual computers to be networked together (see What Is A Oracle VM VirtualBox Host-Only Network Adapter? if you don’t know what is a VirtualBox Host-Only Network Adapter).

  • The second adapter listed is the computer’s Ethernet adapter. thutmoseiii is connected to the home network via this interface, and the above output shows that thutmoseiii has correctly detected the three other computers connected to the home network.

  • The third adapter listed is the computer’s wireless adapter. thutmoseiii also has a Wi-Fi interface, currently disabled in Windows, hence no active wireless connection is listed.

  • The fourth adapter is a ‘Microsoft Wi-Fi Direct Virtual Adapter’ according to the output of the ipconfig/all command. As the Wi-Fi interface is currently disabled in Windows, no active connection is listed here either.

Now let’s see what thutmoseiii reports about itself:

C:\WINDOWS\system32>nbtstat -n

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    THUTMOSEIII    <20>  UNIQUE      Registered
    THUTMOSEIII    <00>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered
    GREENGABLES    <1D>  UNIQUE      Registered
    ☺☻__MSBROWSE__☻<01>  GROUP       Registered

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    THUTMOSEIII    <20>  UNIQUE      Registered
    THUTMOSEIII    <00>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered

WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

The above is correct: thutmoseiii is the Master Browser in the Windows Workgroup of VirtualBox Host-Only Network 2, but not a Master Browser in the GREENGABLES Workgroup to which thutmoseiii is connected by Ethernet cable. As the Wi-Fi interface in thutmoseiii is currently disabled, no active wireless connection is listed.

Now let’s take a look at what thutmoseiii reports about akhanaten:

C:\WINDOWS\system32>nbtstat -a akhanaten

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

    Host not found.

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    AKHANATEN      <00>  UNIQUE      Registered
    AKHANATEN      <03>  UNIQUE      Registered
    AKHANATEN      <20>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00


WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

The above is also correct, as akhanaten is indeed not a Master Browser.

Now let’s have a look at what thutmoseiii reports about tutankhamun:

C:\WINDOWS\system32>nbtstat -a tutankhamun

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

    Host not found.

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    TUTANKHAMUN    <00>  UNIQUE      Registered
    TUTANKHAMUN    <03>  UNIQUE      Registered
    TUTANKHAMUN    <20>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00


WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

The above is also correct, as tutankhamun is indeed not a Master Browser.

Now let’s have a look at what thutmoseiii reports about smenkhkare:

C:\WINDOWS\system32>nbtstat -a smenkhkare

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

    Host not found.

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SMENKHKARE     <00>  UNIQUE      Registered
    SMENKHKARE     <03>  UNIQUE      Registered
    SMENKHKARE     <20>  UNIQUE      Registered
    ☺☻__MSBROWSE__☻<01>  GROUP       Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1D>  UNIQUE      Registered
    GREENGABLES    <1E>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00


WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

The above is also correct, as smenkhkare is indeed the Master Browser (notice the ‘☺☻__MSBROWSE__☻‘ and ‘<1D>‘).

Q.E.D.
So there you have it; Browser Elections take place and the Master Browser is any one of the Linux or Windows computers in the home network, thus enabling SMB browsing to take place. No WINS, no LDAP, no AD, no Kerberos. All SMB communication is carried out using NetBIOS over TCP/IP and Broadcast NetBIOS Name Resolution, as shown by the output of the command ‘nbtstat -r‘ on thutmoseiii:

C:\WINDOWS\system32>nbtstat -r

    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 65
    Resolved By Name Server   = 0

    Registered By Broadcast   = 233
    Registered By Name Server = 0

    NetBIOS Names Resolved By Broadcast
---------------------------------------------
           BTHUB5         <00>
           呂啈㕂†††††䱃噅坏㌲匰⁓†
           TUTANKHAMUN    <00>
           AKHANATEN      <00>
           SMENKHKARE     <00>

I assume the line of Chinese and other characters is because of some deficiency in NBTSTAT.EXE, CMD.EXE or Windows 10 generally — despite having entered ‘CHCP 65001‘ and chosen a Unicode TrueType font in CMD.EXE — but the important point is that the statistics listed by the ‘nbtstat -r‘ command clearly show that only broadcasts are used for NetBIOS Name resolution, as promised. NetBIOS name resolution works fine in the home network and all the sharing-enabled computers in the home network can browse SMB shares on other sharing-enabled computers, whether they are running Windows, Linux, macOS, Android or iOS. I reiterate that this is for a typical home network.

Command to find Master Browsers
In Linux you can use the ‘nmblookup‘ command as follows to find out which machine in the home network is currently the Master Browser in each Workgroup:

user $ nmblookup -M -- -
192.168.1.254 __MSBROWSE__
192.168.1.90 __MSBROWSE__
192.168.56.1 __MSBROWSE__

You can see above that there are currently three Master Browsers in this home network. Let’s check the details for these three Master Browsers:

user $ nmblookup -A 192.168.1.254
Looking up status of 192.168.1.254
        BTHUB5          <00> -         B <ACTIVE>
        BTHUB5          <03> -         B <ACTIVE>
        BTHUB5          <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        HOME            <1d> -         B <ACTIVE>
        HOME            <1e> - <GROUP> B <ACTIVE>
        HOME            <00> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

You can see above that the machine BTHUB5 (which is actually the home network’s router) is the Master Browser in the Workgroup named HOME (see earlier).

user $ nmblookup -A 192.168.1.90
Looking up status of 192.168.1.90
        SMENKHKARE      <00> -         B <ACTIVE>
        SMENKHKARE      <03> -         B <ACTIVE>
        SMENKHKARE      <20> -         B <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
        GREENGABLES     <00> - <GROUP> B <ACTIVE>
        GREENGABLES     <1d> -         B <ACTIVE>
        GREENGABLES     <1e> - <GROUP> B <ACTIVE>

        MAC Address = 00-00-00-00-00-00

You can see above that computer SMENKHKARE is currently the Master Browser in the Workgroup named GREENGABLES.

user $ nmblookup -A 192.168.56.1
Looking up status of 192.168.56.1
No reply from 192.168.56.1

You can see above that the network node 192.168.56.1 is inactive, which is not surprising considering that it is a node on a VirtualBox virtual subnet on the Windows 10 computer thutmoseiii (see earlier) and VirtualBox is not running at the moment on that computer.

On a Windows machine it is not quite so easy to find out which machines are currently Master Browsers. However, on the face of it the third-party utility lanscan.exe can do it (see How to Determine the Master Browser in a Windows Workgroup):

C:\WINDOWS\system32>lanscan

LANscanner v1.67 - ScottiesTech.Info

Scanning LAN...

Scanning workgroup: HOME...

Scanning workgroup: GREENGABLES...

BTHUB5            192.168.1.254    11-11-11-11-11-11  HOME         MASTER
THUTMOSEIII       192.168.56.1     22-22-22-22-22-22  GREENGABLES  MASTER
SMENKHKARE        192.168.1.90     aa-bb-cc-dd-ee-ff  GREENGABLES  MASTER
TUTANKHAMUN       192.168.1.79     33-33-33-33-33-33  GREENGABLES
AKHANATEN         192.168.1.70     55-55-55-55-55-55  GREENGABLES

Press any key to exit...

(MAC addresses anonymised by me.)

Notice above that lanscan.exe listed the VirtualBox virtual subnet node 192.168.56.1 in Windows 10 computer thutmoseiii (see earlier) but omitted to list the node 192.168.1.74 (also thutmoseiii) in the real network. Now, in this particular case thutmoseiii on 192.168.1.74 is not a Master Browser. Nevertheless, as lanscan.exe is supposed to list all nodes, its failure to list the node 192.168.1.74 is a shortcoming.

And what happens if thutmoseiii on node 192.168.1.74 becomes a Master Browser? In that case lanscan.exe still omits the node from the list and, in addition, wrongly shows tutankhamun as a Master Browser:

C:\WINDOWS\system32>nbtstat -n

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    THUTMOSEIII    <20>  UNIQUE      Registered
    THUTMOSEIII    <00>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered
    GREENGABLES    <1D>  UNIQUE      Registered
    ☺☻__MSBROWSE__☻<01>  GROUP       Registered

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    THUTMOSEIII    <20>  UNIQUE      Registered
    THUTMOSEIII    <00>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered
    GREENGABLES    <1D>  UNIQUE      Registered
    ☺☻__MSBROWSE__☻<01>  GROUP       Registered

WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    No names in cache

C:\WINDOWS\system32>nbtstat -A 192.168.1.79

VirtualBox Host-Only Network 2:
Node IpAddress: [192.168.56.1] Scope Id: []

    Host not found.

Ethernet:
Node IpAddress: [192.168.1.74] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    TUTANKHAMUN    <00>  UNIQUE      Registered
    TUTANKHAMUN    <03>  UNIQUE      Registered
    TUTANKHAMUN    <20>  UNIQUE      Registered
    GREENGABLES    <00>  GROUP       Registered
    GREENGABLES    <1E>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00


WiFi:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

Local Area Connection* 11:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

C:\WINDOWS\system32>lanscan

LANscanner v1.67 - ScottiesTech.Info

Scanning LAN...

Scanning workgroup: HOME...

Scanning workgroup: GREENGABLES...

BTHUB5            192.168.1.254    11-11-11-11-11-11  HOME         MASTER
THUTMOSEIII       192.168.56.1     22-22-22-22-22-22  GREENGABLES  MASTER
TUTANKHAMUN       192.168.1.79     33-33-33-33-33-33  GREENGABLES  MASTER
SMENKHKARE        192.168.1.90     aa-bb-cc-dd-ee-ff  GREENGABLES
AKHANATEN         192.168.1.70     55-55-55-55-55-55  GREENGABLES

Press any key to exit...

(MAC addresses anonymised by me.)

Linux appears to have the edge on Windows in this respect, as the Samba command ‘nmblookup -M -- -‘ detects all the Master Browsers correctly in the above situation:

user $ nmblookup -M -- -
192.168.1.254 __MSBROWSE__
192.168.1.74 __MSBROWSE__
192.168.56.1 __MSBROWSE__

So it appears that, from a Windows computer, the only sure way to find all Master Browsers is to use the command ‘nbtstat -a <computer name>‘ to check each remote machine in the home network, plus the command ‘nbtstat -n‘ to check the Windows computer you are using.

Footnote
The ebuild of the current Gentoo Stable Branch package net-fs/samba-4.2.11 (and probably the ebuild of the Testing Branch package net-fs/samba-4.2.14 as well) is not entirely correct, as it pulls in unnecessary dependencies (see Gentoo Bug Report No. 579088 – net-fs/samba-4.x has many hard dependencies, make some optional). For example, Kerberos is not required at all if you are not using LDAP, AD, etc. and are just using NETBIOS Name Resolution by Broadcast in a Windows Workgroup (like most home users). However, the Gentoo samba ebuild forces the user to install Kerberos (either the MIT implementation app-crypt/mit-krb5 or the Heimdal implementation app-crypt/heimdal) even if you specify that Samba should be built without support for LDAP, AD, etc. This does not cause any harm, but it is unnecessary.

user $ eix -I samba
[I] net-fs/samba
     Available versions:  3.6.25^t 4.2.11 ~4.2.14 [M]~4.3.11 [M]~4.4.5 [M]~4.4.6 [M]~4.5.0 {acl addc addns ads (+)aio avahi caps (+)client cluster cups debug dmapi doc examples fam gnutls iprint ldap ldb +netapi pam quota +readline selinux +server +smbclient smbsharemodes swat syslog +system-mitkrb5 systemd test (+)winbind zeroconf ABI_MIPS="n32 n64 o32" ABI_PPC="32 64" ABI_S390="32 64" ABI_X86="32 64 x32" PYTHON_TARGETS="python2_7"}
     Installed versions:  4.2.11(19:40:03 16/09/16)(avahi client cups fam gnutls pam -acl -addc -addns -ads -aio -cluster -dmapi -iprint -ldap -quota -selinux -syslog -system-mitkrb5 -systemd -test -winbind ABI_MIPS="-n32 -n64 -o32" ABI_PPC="-32 -64" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" PYTHON_TARGETS="python2_7")
     Homepage:            http://www.samba.org/
     Description:         Samba Suite Version 4

If you are a Gentoo Linux user, you can merge the package net-fs/samba with the same USE flags shown above (obviously change “-systemd” to “systemd” if you use systemd instead of OpenRC), and use the laptops’ smb.conf files shown in this post as templates, and you will be able to share files and printers using Samba and NetBIOS name resolution. Don’t forget to use pdbedit to define the Samba users, and don’t forget to stop and disable winbindd if it is already installed.

Further reading

ADDENDUM (October 30, 2016): You probably already use the Public folder in Windows. If not, you can find a brief explanation in the article Simple Questions: What is the Public Folder & How to Use it?. There are a number of default sub-folders in C:\Users\Public\ on a Windows machine. There are some differences depending on the version of Windows, but in Windows 10 (Anniversary Update) these sub-folders are named:

C:\Public\Libraries
C:\Public\Public Account Pictures
C:\Public\Public Desktop
C:\Public\Public Documents
C:\Public\Public Downloads
C:\Public\Public Music
C:\Public\Public Pictures
C:\Public\Public Videos

These predefined sub-folders are not ordinary folders, and I have noticed a surmountable minor limitation when accessing them from a Linux machine using Samba, as explained below.

If I enable Public Folder Sharing on a Windows machine (‘Turn on sharing so that anyone with network access can read and write files in the Public folders’) and configure the security permissions of the Public folder for Everyone, from another Windows machine in the Workgroup I can copy files to the first machine’s Public folder and default sub-folders. From a Linux machine in the Workgroup I can copy files to the Public folder on Windows machines in the Workgroup but I cannot copy files to the default sub-folders (the Dolphin file manager displays the error message ‘Access denied. Could not write to .‘). However, this is not a big deal because I can copy files into the Public folder itself and into manually created sub-folders in the Public folder.

ADDENDUM (February 13, 2018): Windows 10 Version 1709 and later have the SMBv1/CIFS protocol disabled by default, so the Lanscan utility will no longer work in Windows 10 Version 1709. That is not a big deal if you also have Linux machines on your home network; just use the Samba commands from one of those Linux machines instead. If you have devices on your home network that only support SMBv1/CIFS protocol and they cannot be configured to use the SMBv3 protocol, your only option is to configure Windows 10 Version 1709 to use the SMBv1 protocol, which is less secure than the later SMB protocols. See e.g. the article Cannot browse network neighborhood under Windows 10 Fall Creators update 1709 and newer for how to configure Windows 10 Version 1709 to use the SMBv1 protocol. In my case, all my Linux machines using Samba can be configured via the smb.conf file to use a newer version of the SMB protocol (see ‘server min protocol’ and ‘server max protocol’ in the Samba documentation for smb.conf).

NetworkManager: Failed to activate – The name org.freedesktop.NetworkManager was not provided by any .service files

Because I need to connect quickly and easily to numerous wired and wireless networks (DHCP or static IP addressing), I use NetworkManager in my Gentoo Linux amd64 installation running OpenRC and KDE 4. My Clevo W230SS laptop has an Intel Dual Band Wireless-AC 7260 Plus Bluetooth adapter card, and my installation uses the iwlwifi module:

# lspci -knn | grep Net -A2
03:00.0 Network controller [0280]: Intel Corporation Wireless 7260 [8086:08b1] (rev bb)
        Subsystem: Intel Corporation Dual Band Wireless-AC 7260 [8086:4070]
        Kernel driver in use: iwlwifi
# lsmod | grep iwl
iwlmvm                143919  0
iwlwifi                75747  1 iwlmvm

As I am using NetworkManager instead of netifrc, in accordance with the instructions in the Gentoo Wiki article on NetworkManager I do not have any net.* services enabled (not even net.lo):

# rc-update show -v
       NetworkManager |      default                 
                acpid |                              
            alsasound |                              
         avahi-daemon |                              
       avahi-dnsconfd |                              
               binfmt | boot                         
            bluetooth |      default                 
             bootmisc | boot                         
         busybox-ntpd |                              
     busybox-watchdog |                              
                clamd |                              
          consolefont |                              
           consolekit |      default                 
               cronie |      default                 
         cups-browsed |      default                 
                cupsd |      default                 
                 dbus |      default                 
                devfs |                       sysinit
               dhcpcd |                              
                dhcpd |                              
             dhcrelay |                              
            dhcrelay6 |                              
                dmesg |                       sysinit
              dropbox |                              
           fancontrol |                              
                 fsck | boot                         
                 fuse |                              
           git-daemon |                              
                  gpm |                              
              hddtemp |                              
             hostname | boot                         
              hwclock | boot                         
            ip6tables |                              
             iptables |                              
              keymaps | boot                         
            killprocs |              shutdown        
    kmod-static-nodes |                       sysinit
           lm_sensors |                              
                local |      default                 
           localmount | boot                         
             loopback | boot                         
      mit-krb5kadmind |                              
          mit-krb5kdc |                              
       mit-krb5kpropd |                              
              modules | boot                         
             mount-ro |              shutdown        
                 mtab | boot                         
                mysql |                              
                  nas |                              
         net.enp4s0f1 |                              
               net.lo |                              
             netmount |      default                 
           ntp-client |                              
                 ntpd |                              
           nullmailer |                              
              numlock |                              
  nvidia-persistenced |                              
           nvidia-smi |                              
              osclock |                              
              pciparm |                              
               procfs | boot                         
              pwcheck |                              
            pydoc-2.7 |                              
            pydoc-3.4 |                              
               rfcomm |                              
                 root | boot                         
               rsyncd |                              
            s6-svscan |                              
                samba |      default                 
                saned |                              
            saslauthd |                              
            savecache |              shutdown        
                 sntp |                              
                 sshd |      default                 
             svnserve |                              
                 swap | boot                         
            swapfiles | boot                         
              swclock |                              
               sysctl | boot                         
                sysfs |                       sysinit
            syslog-ng |      default                 
        teamviewerd10 |                              
         termencoding | boot                         
             timidity |                              
         tmpfiles.dev |                       sysinit
       tmpfiles.setup | boot                         
               twistd |                              
                 udev |                       sysinit
                  ufw | boot                         
              urandom | boot                         
       wpa_supplicant |                              
                  xdm |      default                 
            xdm-setup |

I have left the netmount service enabled in case I want to use network-attached file shares at home or in one of the various office locations where I work.

Networking works fine on my laptop with the many wired and wireless networks I have used except for one particular public wireless network (it is in an airport, has multiple Access Points, and its Access Points only support 802.11a/b/g, which may or may not be relevant) for which the following message would usually appear in a pop-up window when I tried to connect to the network from the KDE network management GUI after start-up:

Failed to activate
The name org.freedesktop.NetworkManager was not provided by any .service files

Error message displayed by KDE when trying to connect to one specific network

Error message displayed by KDE when trying to connect to one specific network


This occurred with both networkmanager-1.0.2-r1 and networkmanager-1.0.6, the two Stable Branch releases of NetworkManager currently available in Gentoo Linux.

The wireless network is not the only network at that particular location, and the ‘Failed to activate’ message occurred whichever network (wireless or wired) I tried to access at that location. When this problem occurred, it transpired that the NetworkManager service was not running (it had crashed):

$ nmcli d
Error: NetworkManager is not running.
$ rc-status
Runlevel: default
 dbus                   [  started  ]
 NetworkManager         [  crashed  ]
 netmount               [  started  ]
 syslog-ng              [  started  ]
 cupsd                  [  started  ]
 samba                  [  crashed  ]
 consolekit             [  started  ]
 cronie                 [  started  ]
 bluetooth              [  started  ]
 xdm                    [  started  ]
 cups-browsed           [  started  ]
 sshd                   [  started  ]
 local                  [  started  ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed
 xdm-setup              [  started  ]
 avahi-daemon           [  started  ]
Dynamic Runlevel: manual

(I am not bothered that Samba crashes in that particular location. It crashes even if a connection is established, because the public wireless network does not provide network file systems. Samba works fine when I connect the laptop to an office network or to my home network.)

Even if the ‘Failed to activate’ message occurred, sometimes (but not always) the laptop could still connect to networks after I restarted the NetworkManager service (albeit sometimes it was necessary to restart it more than once):

# /etc/init.d/NetworkManager restart

When it is possible to connect to networks, the NetworkManager service is of course running:

$ nmcli d
DEVICE    TYPE      STATE        CONNECTION           
sit0      sit       connected    sit0                 
wlp3s0    wifi      connected    Free_Airport_Internet
enp4s0f1  ethernet  unavailable  --                   
lo        loopback  unmanaged    --        
$ rc-status
Runlevel: default
 dbus                   [  started  ]
 NetworkManager         [  started  ]
 netmount               [  started  ]
 syslog-ng              [  started  ]
 cupsd                  [  started  ]
 samba                  [  crashed  ]
 consolekit             [  started  ]
 cronie                 [  started  ]
 bluetooth              [  started  ]
 xdm                    [  started  ]
 cups-browsed           [  started  ]
 sshd                   [  started  ]
 local                  [  started  ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed
 xdm-setup              [  started  ]
 avahi-daemon           [  started  ]
Dynamic Runlevel: manual

I searched the Web for the error message and, based on a recommendation on the Web page ‘nm-applet gives errors‘ claiming the problem is due to the iwlwifi driver when used with an Intel 7260 controller, I created a file /etc/modprobe.d/iwlwifi.conf containing the following line, and rebooted:

options iwlwifi power_save=0

However, the error message still occurred. So I changed the iwlwifi module options line to the following, as also recommended on that page, and rebooted:

options iwlwifi 11n_disable=1 power_save=0

However, the error message still occurred.

The default value for OpenRC’s rc_depend_strict variable is YES if rc_depend_strict is not declared in the file /etc/rc.conf, but I do not think that is the cause of the problem:

# Do we allow any started service in the runlevel to satisfy the dependency
# or do we want all of them regardless of state? For example, if net.eth0
# and net.eth1 are in the default runlevel then with rc_depend_strict="NO"
# both will be started, but services that depend on 'net' will work if either
# one comes up. With rc_depend_strict="YES" we would require them both to
# come up.
#rc_depend_strict="YES"

As already mentioned, sometimes just restarting the NetworkManager service once or more did enable the laptop to connect to the network. This made me wonder whether the problem had something to do either with the timing of the launch of the NetworkManager service or with the timing of the service establishing a connection. As netmount is the only other network-related service enabled at start-up, I checked the netmount service’s configuration file /etc/conf.d/netmount to see what it contained (it’s the same in both the latest stable openrc-0.17 and the latest testing openrc-0.18.2):

# You will need to set the dependencies in the netmount script to match
# the network configuration tools you are using. This should be done in
# this file by following the examples below, and not by changing the
# service script itself.
#
# Each of these examples is meant to be used separately. So, for
# example, do not set rc_need to something like "net.eth0 dhcpcd".
#
# If you are using newnet and configuring your interfaces with static
# addresses with the network script, you  should use this setting.
#
#rc_need="network"
#
# If you are using oldnet, you must list the specific net.* services you
# need.
#
# This example assumes all of your netmounts can be reached on
# eth0.
#
#rc_need="net.eth0"
#
# This example assumes some of your netmounts are on eth1 and some
# are on eth2.
#
#rc_need="net.eth1 net.eth2"
#
# If you are using a dynamic network management tool like
# networkmanager, dhcpcd in standalone mode, wicd, badvpn-ncd, etc, to
# manage the network interfaces with the routes to your netmounts, you
# should list that tool.
#
#rc_need="networkmanager"
#rc_need="dhcpcd"
#rc_need="wicd"
#
# The default setting is designed to be backward compatible with our
# current setup, but you are highly discouraged from using this. In
# other words, please change it to be more suited to your system.
#
rc_need="net"

As I am using NetworkManager rather than netifrc, I followed the instructions in the file’s comments and changed the file’s contents from:

rc_need="net"

to:

rc_need="networkmanager"

After making the above change, the console messages at boot-up included a new message:

* ERROR: netmount needs service(s) networkmanager

That message made sense: rc_need had been set to "networkmanager" and, obviously, netmount can only do its job if NetworkManager is running (AND a network connection has been established). However, notice that the name of the NetworkManager service initscript is /etc/init.d/NetworkManager, not /etc/init.d/networkmanager. In other words, the instructions in /etc/conf.d/netmount are wrong: the name of the service is actually ‘NetworkManager‘, not ‘networkmanager‘. So I changed /etc/conf.d/netmount to contain rc_need="NetworkManager" instead of rc_need="networkmanager" and, unsurprisingly, the above-mentioned error message no longer occurs. I have filed Gentoo Bugzilla Bug Report No. 564846 requesting that the comment in the configuration file be changed.

Nevertheless, the ‘Failed to activate’ message still occurred when I tried to connect to any network at that location by using the DE’s network management GUI, and therefore I still needed to restart the NetworkManager service manually in order to be able to connect to any network there. Although I am not yet sure of the root cause and solution, I have found a work-around which avoids me having to manually restart the NetworkManager service, as explained below.

Although OpenRC correctly launches the NetworkManager service, that service remains inactive until it actually establishes a network connection. This is not a bug, it is the way OpenRC and NetworkManager work (see the explanation in the Gentoo Forums thread NetworkManager has started, but is inactive). This is why the following console message appears during boot-up:

* WARNING: NetworkManager has already started, but is inactive

If you did not configure NetworkManager to connect automatically to a network, after logging-in to the DE you will need to use the DE’s network management GUI (plasma-nm in the case if KDE, nm-applet in the case of e.g. Xfce) to tell NetworkManager to connect to the desired network. However, I found that waiting that long before trying to connect is too late to avoid the ‘Failed to activate’ problem, i.e. NetworkManager crashes after a while. I do not know why this happens, but it usually happens only when I am at the location covered by one specific wireless network (which is why I wonder if the problem is a result of that network only supporting 802.11a/b/g). By configuring NetworkManager to connect automatically to the wireless network which seemed to trigger the problem, the NetworkManager service tries to connect earlier. It is possible to configure NetworkManager to do this either by using the DE network GUI and ticking ‘Automatically connect to this network when it is available’ for the relevant network connection, or by directly editing the relevant connection’s file in the directory /etc/NetworkManager/system-connections/.

Of the various wired and wireless connections I had configured on the laptop, I had named the problematic wireless network’s connection ‘Free_Airport_Internet’. So I edited the file /etc/NetworkManager/system-connections/Free_Airport_Internet and deleted the line ‘autoconnect=false‘ in the [connections] section of the file (the default value of the autoconnect variable is TRUE – see man nm-settings). I could instead have done this by using the DE’s network manager GUI and ticking ‘Automatically connect to this network when it is available’ for that network connection. Now, when the laptop boots, NetworkManager tries to connect to that network and the ‘Failed to activate’ problem is avoided. This works with or without the iwlwifi driver options I mentioned above, so, despite the claim on the Web page I referenced above, the root cause of the problem does not appear to be the iwlwifi driver. What I don’t understand is why the problem only seems to occur with one particular network (a public wireless network which happens to only support 802.11a/b/g), i.e. even if none of the NetworkManager connection files in my installation have been configured to try to establish a connection automatically, with all the other wireless networks I have used in other locations (I believe those all support at least 802.11a/b/g/n) I have been able to establish a connection manually by using the DE’s network management GUI.

The bottom line

If your installation uses NetworkManager and you experience the ‘Failed to activate’ message when trying to connect to networks from the DE’s network management GUI, check if the NetworkManager service is running. You can check by using the command ‘nmcli d‘ in a console. If it is not running, try to restart the NetworkManager service from the command line. If the connection is not already configured to start automatically, configure it to start automatically in order to try to make NetworkManager become active at an early stage.

POSTSCRIPT (November 6, 2015)

The two links below are to old bug reports regarding earlier versions of NetworkManager having trouble using wireless networks with multiple Access Points. I wonder if the problem I saw with NetworkManager crashing when not configured to connect automatically to the specific network I mentioned above is somehow related to those problems:

background scanning causes drivers to disassociate – WiFi roaming causes NetworkManager to lose routing

network-manager roams to (none) ((none)) – background scanning

Roaming to BSSID “(none)” certainly happens with this particular network too, as shown by the messages in the laptop’s system log from yesterday when I was using the laptop with that network (the laptop was stationary the whole time):

# cat /var/log/messages | grep "Nov  5 11" | grep NetworkManager | grep \(none\)
Nov  5 11:01:22 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID 04:C5:A4:C3:F9:EE (Free_Airport_Internet) to (none) ((none))
Nov  5 11:01:22 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID (none) ((none)) to B8:BE:BF:69:89:6E (Free_Airport_Internet)
Nov  5 11:13:23 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID B8:BE:BF:69:89:6E (Free_Airport_Internet) to (none) ((none))
Nov  5 11:13:23 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID (none) ((none)) to 04:C5:A4:C3:F9:EE (Free_Airport_Internet)
Nov  5 11:15:23 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID 04:C5:A4:C3:F9:EE (Free_Airport_Internet) to (none) ((none))
Nov  5 11:15:23 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID (none) ((none)) to B8:BE:BF:69:89:6E (Free_Airport_Internet)
Nov  5 11:19:22 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID B8:BE:BF:69:89:6E (Free_Airport_Internet) to (none) ((none))
Nov  5 11:19:23 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID (none) ((none)) to B8:BE:BF:69:89:6E (Free_Airport_Internet)
Nov  5 11:49:50 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID B8:BE:BF:69:89:6E (Free_Airport_Internet) to (none) ((none))
Nov  5 11:49:50 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID (none) ((none)) to 68:BC:0C:A1:3C:DE (Free_Airport_Internet)
Nov  5 11:51:51 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID 68:BC:0C:A1:3C:DE (Free_Airport_Internet) to (none) ((none))
Nov  5 11:51:51 clevow230ss NetworkManager[2459]:   (wlp3s0): roamed from BSSID (none) ((none)) to B8:BE:BF:69:89:6E (Free_Airport_Internet)

Today I’m using a hotel network in my hotel room, and that does not roam to BSSID “(none)”, but I don’t know if my room is within range of more than one Access Point:

# cat /var/log/messages | grep "Nov  6" | grep NetworkManager | grep \(none\)
#

Anyway, with the work-around described in this post I have not had any further trouble accessing the particular network, but it would be interesting to know the root cause.