
Re: [Samba] getent not working after installing firewall

On Mon, 4 Mar 2019 14:50:38 +0000 Rowland Penny wrote:
>
> On Mon, 04 Mar 2019 09:15:12 -0500
> Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > I have a rather strange and urgent problem. Last evening I installed
> > a Sonicwall firewall between the Internet and office LAN. The only
> > change that I know of for the LAN workstations was that the gateway
> > is now 192.168.0.1 instead of 192.168.0.2. All workstations: Windows,
> > Linux and Mac use DHCP and the AD/DC is the DHCP server, so I
> > wouldn't think that mattered.
> > 
> > All Windows workstations work fine, I didn't even have to reboot
> > them.  Windows Users can log in, they have their redirected folders,
> > etc. 
> > 
> > Having a problem on Linux. When I run 'getent passwd' it returns only
> > the list of users in /etc/passwd on the AD/DC. No domain users are
> > returned. 'getent passwd <domainuser>' return status 2.
> > 
> > The domain user can log on to Linux.
> > 
> > Any idea what's up with this? I use getent on Linux for various
> > things.
> > 
> > Thanks, Mark
> > 
> > Samba 4.8.2
> > 
>
> Lets see if I have this correct, you have installed a firewall on
> something between the original gateway and your LAN, you have not
> touched anything else, except to point your computers to the new
> firewall as the gateway (presumably by DHCP). Is this correct ?
>
> You have logged into a DC and run:
>
> getent passwd username
>
> Which produces no output, where previously it did.
>
> Is the DC using itself as the nameserver ?
> Is the DC using the correct gateway ?
>
> Rowland

Partially correct.  Before installing the firewall, the Gateway on the AD/DC was configured as
the ISP's gateway (98.102.63.105).  I changed the gateway to be 192.168.0.1 (the Sonicwall).  I
believe that's all I did.  I did reboot the AD/DC.  The AD/DC is also the DHCP server. 

I've tested stopping the firewall on the AD/DC as well. Didn't help.

On the AD/DC 'getent passwd' does work.

$ getent passwd mark
mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

On the Linux domain member workstation it does not. 

$ getent passwd mark; echo $?
2

However, the user of that workstation is able to log in using domain credentials, ntlm_auth
also works:

$ ntlm_auth --username=mark --password='mypass'
NT_STATUS_OK: Success (0x0)

BTW - The Mac workstations cannot now authenticate with domain credentials.  I tried to unbind
and rebind one of the workstations, but when trying to unbind I got the message, "Unable to
access domain controller".  It can see the domain controller:

$ host mail
mail.hprs.local has address 192.168.0.2

However, this is possibly an additional/separate (though related) issue.  I don't want to
complicate the original question.  I can deal with the Macs later and perhaps solving the Linux
issue will magically solve the Mac issue.  I've included the Mac information in case it
provides additional clues.

As I said, no problems whatsoever with the Windows 7 domain members.

--Mark
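The symptom in this message (getent exits with status 2 on the member while ntlm_auth succeeds) means the key was not found in any NSS source, which is a resolution question rather than an authentication one. The script below is an added example, not part of the thread and not Samba's own tooling: it checks the two member-side settings Rowland's questions point at, that passwd/group in nsswitch.conf consult winbind and that the first nameserver is the DC, and it decodes getent's exit status. The nsswitch.conf and resolv.conf contents are constructed sample files so the script runs offline; the DC address 192.168.0.2 and the hprs.local domain are taken from the thread.

```sh
#!/bin/sh
# Added diagnostic helpers for a Samba domain member (example code, not from the thread).
# getent passwd <domainuser> can only succeed if NSS consults winbind and winbindd can
# reach the DC; the checks below cover the configuration half of that.

# Decode getent(1) exit status: 0 found, 1 usage error or unknown database,
# 2 key not found in any configured NSS source, 3 enumeration not supported.
explain_getent_rc() {
    case "$1" in
        0) echo "found" ;;
        1) echo "usage error or unknown database" ;;
        2) echo "key not found in any NSS source" ;;
        3) echo "enumeration not supported by this source" ;;
        *) echo "unknown status $1" ;;
    esac
}

# Return 0 when both the passwd and group lines of the given nsswitch.conf list winbind.
nss_has_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Return 0 when the first nameserver in the given resolv.conf equals the expected DC address.
resolv_first_nameserver_is() {
    first=$(awk '/^[[:space:]]*nameserver[[:space:]]/ { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

# Run both checks, print findings, and return 0 only if every check passed.
# Arguments: nsswitch.conf path, resolv.conf path, DC IP address.
diagnose_member() {
    ok=0
    if nss_has_winbind "$1"; then
        echo "nsswitch.conf: passwd and group consult winbind"
    else
        echo "nsswitch.conf: winbind missing from passwd/group; getent sees only local users"
        ok=1
    fi
    if resolv_first_nameserver_is "$2" "$3"; then
        echo "resolv.conf: first nameserver is the DC ($3)"
    else
        echo "resolv.conf: first nameserver is not the DC ($3); AD DNS lookups may fail"
        ok=1
    fi
    return $ok
}

# Constructed sample files (not copied from any real host) so the example runs offline.
work=$(mktemp -d)
cat > "$work/nsswitch.good" <<'EOF'
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
EOF
cat > "$work/nsswitch.bad" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF
cat > "$work/resolv.conf" <<'EOF'
search hprs.local
nameserver 192.168.0.2
EOF

# Demonstration run against the constructed files.
echo "getent status 2 means: $(explain_getent_rc 2)"
diagnose_member "$work/nsswitch.good" "$work/resolv.conf" 192.168.0.2
diagnose_member "$work/nsswitch.bad" "$work/resolv.conf" 192.168.0.2
```

On a real member, point diagnose_member at /etc/nsswitch.conf and /etc/resolv.conf with the DC's address; if both checks pass and getent still returns 2, the remaining suspects are winbindd itself (whether it is running and can reach the DC over the new gateway) and the idmap configuration in smb.conf, which this script does not inspect.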
