Bug 3500 - nmbd binds to all interfaces even with "bind interfaces only = yes"
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: nmbd
Version: 3.0.21b
Hardware: x86 FreeBSD
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2006-02-11 17:31 UTC by yoitsmeremember
Modified: 2009-01-25 12:43 UTC
Description yoitsmeremember 2006-02-11 17:31:50 UTC
I have Samba 3.0.21b compiled from source on FreeBSD 6.1-Beta, with the following options in the global configuration (taken almost straight from the FAQ on securing Samba):

interfaces = dc0
bind interfaces only = yes

dc0 is one of the two ethernet adapters on my machine.

However, when running nmbd, I see the following with netstat ( is the address assigned to dc0):

udp4       0      0 *.*
udp4       0      0 *.*
udp4       0      0  *.netbios-dgm          *.*
udp4       0      0  *.netbios-ns           *.*

smbd (correctly) only binds to (dc0), thus this appears to be a bug in nmbd only.
Comment 1 Jeremy Allison 2006-02-11 19:03:35 UTC
This is by design.
Comment 2 yoitsmeremember 2006-02-11 20:09:05 UTC
(In reply to comment #1)
> This is by design.
> Jeremy.

May I ask why?  I see no reason to be listening on *, especially since anything coming in on the other interface on those ports is, in my case, blocked by the firewall.  I don't know about other people's situations, but it seems to me that if you're going to restrict to an interface (or interfaces), it should do it on both nmbd and smbd.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2006-02-19 06:49:41 UTC
Jeremy's right.  This is by design.  You can, however, in the
current SAMBA_3_0 use the 'socket address' option to restrict
this IIRC.
Comment 4 Debian samba package maintainers (PUBLIC MAILING LIST) 2009-01-25 12:41:32 UTC
This bug should really be closed: "socket address" does the job
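
Added example, not part of the original bug thread and not Samba's own code: a small Python check for the situation discussed above. It reads the [global] section of an smb.conf and FreeBSD-style netstat output, then reports UDP sockets bound to the wildcard address on the NetBIOS ports and whether 'socket address' is set. The function names and the sample input (including the documentation address 192.0.2.10) are constructed for illustration.

```python
import re

NETBIOS_PORTS = {"netbios-ns", "netbios-dgm", "137", "138"}

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as a dict (names lowercased)."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def wildcard_netbios_sockets(netstat_text):
    """Return local addresses of UDP sockets bound to * on a NetBIOS port."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # FreeBSD `netstat -an` layout: proto recv-q send-q local foreign
        if len(fields) >= 5 and fields[0].startswith("udp"):
            host, _, port = fields[3].rpartition(".")
            if host == "*" and port in NETBIOS_PORTS:
                hits.append(fields[3])
    return hits

def audit(conf_text, netstat_text):
    """Combine the config view and the socket view into one report."""
    g = parse_global(conf_text)
    bind_only = g.get("bind interfaces only", "no").lower() in ("yes", "true", "1")
    return {"bind_interfaces_only": bind_only,
            "socket_address": g.get("socket address"),
            "wildcard_sockets": wildcard_netbios_sockets(netstat_text)}

# Constructed sample input; 192.0.2.10 is a documentation address, not from the report.
SAMPLE_CONF = "[global]\ninterfaces = dc0\nbind interfaces only = yes\n"
SAMPLE_NETSTAT = """udp4       0      0 192.0.2.10.netbios-dgm *.*
udp4       0      0 192.0.2.10.netbios-ns  *.*
udp4       0      0 *.netbios-dgm          *.*
udp4       0      0 *.netbios-ns           *.*
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_NETSTAT))
```

A non-empty wildcard_sockets list alongside bind_interfaces_only set to True and socket_address set to None matches the configuration in the report.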
Comment 5 Volker Lendecke 2009-01-25 12:43:54 UTC