Host list: connection timed out

alh

@Wayne-Workman I send you the mail address.

Regarding our little issue I added to firewall rules to our Win7 clients:

• Allow incoming ICMPv4
• Allow incoming for FOGService

I can ping the clients by hostname from the FOG server but they still show up as Connection timed out. in the host list.
And isn’t port 445 already used by a lot of system services like Netlogon, File and Printer Sharing, Remote Service Management, etc.?

Wayne Workman

@alh the FOG Ping service does not do a traditional ping, it uses port 445.

justeverything

@Tom-Elliott Is this the same port for linux, like ubuntu 16.04 or debian 8? I also have the connection time out issue in the host menue.

If i enable the ufw firewall on ubutu and allow the port 445, the status changes from “connection timeout” to “connection refused”

I allowed these ports. (22 for ssh, 445 for the fog ping)

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere                  
445                        ALLOW IN    Anywhere                                  
22 (v6)                    ALLOW IN    Anywhere (v6)             
445 (v6)                   ALLOW IN    Anywhere (v6) ```

Tom Elliott

@justeverything FOG uses port 445 to do ping.

Yes, it’s the same port number regardless of OS. How that port responds on different OS’ I cannot say.

justeverything

@Tom-Elliott do you have any idea what I can try to fix this except opening the port on the host?

Quazz

@justeverything If the port isn’t open on the host then it can’t communicate, simple as that, to be honest. It’s like trying to call someone who put everyone on a blocklist.

Tom Elliott

Or more accurately, it’s like calling a number that’s been removed from use. You could re-apply it relatively easily, but if you’re shying away from keeping it available for whatever reason, NO ONE will be able to call it to begin with.

george1421

@Tom-Elliott So to be clear here, this isn’t a traditional ICMP ping which is on the OSI layer 3 (IP) but instead a layer 4 port level connection test.

That is interesting idea. It would also be interesting to know how a linux or any other non-windows box would respond (assuming that samba was not loaded on a windows machine). To the connect request to port 445. I could see the device sending a nak back to the FOG server. Which I would guess is also a success response too.

Tom Elliott

@george1421 It’s a NetBIOS port (number 445) by default. As for if it’s usable or not on linux, well I don’t know. To be fair, I followed what was already in place, just neatened up the code base.

george1421

@Tom-Elliott Not throwing shade as the young folks would say on this. Its just a different concept and something we should be aware of if we are expecting an icmp ping. I just did a quick check at my office and I have linux machines that have samba and no samba installed so I can confirm / test if they respond as a windows machine does to a port level ping.

I have a meeting in a few minutes and will test afterwards.

Tom Elliott

If you don’t want to enable the port, you don’t have to. Understand the “ping” status is just a nicety and has no bearing on actual availability of a machine or any functionality of how FOG will operate.

justeverything

@Tom-Elliott yes, I can confirm this - I don’t have to enable the ports, but I want to. I like this feature very much and it would be sad If I won’t be able to use it.

The problem with my setup is that it says “connection refused” although I enabled the port 445 both on the server and the host via ufw firewall.

Server OS is the latest debian 8 and Client OS is the latest Ubuntu 16.04 Maybe anyone has some ideas. Thanks in advance. :))

Tom Elliott

@justeverything You could try this:

https://unix.stackexchange.com/questions/183317/resolving-netbios-names-from-linux

george1421

@justeverything I guess I would ask the question" If you open a command prompt on the linux server can you ping (icmp) the windows computer by is short name (or the name registered in fog)?

george1421

@george1421

during testing I did find that the udp probe to hosts would aways return a success, even if the host didn’t exist (not a very successful test). This was using the netcat [nc] utility. The command used was nc -zuvv <ip_addr> 445

When I changed to use the tcp port then the answers were more in line with an icmp ping.
command use nc -zvv <ip_addr> 445

1. For a windows host answer was: Connection to <ip_addr> 445 port [tcp/microsoft-ds] succedded!
2. For a linux host with samba installed: Connection to <ip_addr> 445 port [tcp/microsoft-ds] succedded!
3. For a linux host without samba or anything listening on port 445: Connection to <ip_addr> 445 port (tcp) failed: No route to host.
   For a host that doesn’t exist: Connection to <ip_addr> 445 port (tcp) failed: No route to host. (after about 5 sec timeout)

Does the selecting port ping work, yes as long as its a tcp connection attempt.

Why was that selected over an icmp ping, only the programmers of the past know.

justeverything

@george1421 I don’t have any windows computers in my network. but i can ping (normal ping, not icmp) the ubuntu clients over the terminal of the fog host by the short name “pool-05” or by the IP, both successfull.

if I ping a pool pc from the server using “nc -zvv <ip_addr> 445” I also get connection refused.

root@fog:/home/admin# nc -zvv IP 445
pool-14.domain [IP] 445 (microsoft-ds) : Connection refused
 sent 0, rcvd 0

Does your testing mean, that, if I install samba at my hosts, the ping would work?

I testet it installing samba and libnss-winbind and configured the file /etc/nsswitch.conf
from

hosts:      files mdns4_minimal [NOTFOUND=return] dns 

to

hosts:      files wins mdns4_minimal [NOTFOUND=return] dns 

now the output looks like this:

root@fog:/home/admin# nc -zvv IP 445
pool-14.domain [IP] 445 (microsoft-ds) open
 sent 0, rcvd 0

but the hosts list still returns an error “connection timed out”

Maybe, in a new version of fog, maybe the process of pinging using icmp can be changed to a normal ping to be more variable for linux hosts? that would be great.

I will also try the steps postet by @Tom-Elliott and write back if anything changes.

alh

We solved by doing the following:

On the FOG-Server install Winbind:

sudo apt-get install -y winbind libnss-winbind

Edit the Samba config:

# /etc/samba/smb.conf

[global]
    ...
    workgroup = <domain/workgroup>
    ...
    wins server = <ipofyourwinsserver>
    ...

Edit the nsswitch config:

# /etc/nsswitch.conf

hosts: files dns wins

Reboot your server.

On the Windows 7 clients we had to add the following firewall rule:

netsh advfirewall firewall add rule name="FOG Service" dir=in action=allow remoteip=<ipofyourFOGserver> protocol=tcp localport=445

That worked for us.