Re: [Samba] getent not working after installing firewall

On Mon, 04 Mar 2019 12:58:17 -0500
Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Mon, 4 Mar 2019 17:18:31 +0000 Rowland Penny wrote:
> >
> > On Mon, 04 Mar 2019 11:48:00 -0500
> > Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > On Mon, 4 Mar 2019 14:50:38 +0000 Rowland Penny wrote:
> > > >
> > > > On Mon, 04 Mar 2019 09:15:12 -0500
> > > > Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > >
> > > > > I have a rather strange and urgent problem. Last evening I
> > > > > installed a Sonicwall firewall between the Internet and office
> > > > > LAN. The only change that I know of for the LAN workstations
> > > > > was that the gateway is now 192.168.0.1 instead of
> > > > > 192.168.0.2. All workstations: Windows, Linux and Mac use
> > > > > DHCP and the AD/DC is the DHCP server, so I wouldn't think
> > > > > that mattered.
> > > > > 
> > > > > All Windows workstations work fine, I didn't even have to
> > > > > reboot them.  Windows Users can log in, they have their
> > > > > redirected folders, etc. 
> > > > > 
> > > > > Having a problem on Linux. When I run 'getent passwd' it
> > > > > returns only the list of users in /etc/passwd on the AD/DC.
> > > > > No domain users are returned. 'getent passwd <domainuser>'
> > > > > return status 2.
> > > > > 
> > > > > The domain user can log on to Linux.
> > > > > 
> > > > > Any idea what's up with this? I use getent on Linux for
> > > > > various things.
> > > > > 
> > > > > Thanks, Mark
> > > > > 
> > > > > Samba 4.8.2
> > > > > 
> > > >
> > > > Let's see if I have this correct: you have installed a firewall
> > > > on something between the original gateway and your LAN, you
> > > > have not touched anything else, except to point your computers
> > > > to the new firewall as the gateway (presumably by DHCP). Is
> > > > this correct?
> > > >
> > > > You have logged into a DC and run:
> > > >
> > > > getent passwd username
> > > >
> > > > Which produces no output, where previously it did.
> > > >
> > > > Is the DC using itself as the nameserver ?
> > > > Is the DC using the correct gateway ?
> > > >
> > > > Rowland
> > > 
> > > Partially correct.  Before installing the firewall, the Gateway on
> > > the AD/DC was configured as the ISP's gateway (98.102.63.105).  I
> > > changed the gateway to be 192.168.0.1 (the Sonicwall).  I believe
> > > that's all I did.  I did reboot the AD/DC.  The AD/DC is also the
> > > DHCP server. 
> > > 
> > > I've tested with stopping the firewall on the AD/DC as well.
> > > Didn't help.
> > > 
> > > On the AD/DC 'getent passwd' does work.
> > > 
> > > $ getent passwd mark
> > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > > 
> > > On the Linux domain member workstation it does not. 
> > > 
> > > $ getent passwd mark; echo $?
> > > 2
> > > 
> > > However, the user of that workstation is able to log in using
> > > domain credentials, ntlm_auth also works:
> > > 
> > > $ ntlm_auth --username=mark --password='mypass'
> > > NT_STATUS_OK: Success (0x0)
> > > 
> > > BTW - The MAC workstations cannot now authenticate with domain
> > > credentials.  I tried to unbind and rebind one of the
> > > workstations, but when trying to unbind I got the message,
> > > "Unable to access domain controller".  It can see the domain
> > > controller:
> > > 
> > > $ host mail
> > > mail.hprs.local has address 192.168.0.2
> > > 
> > > However, this is possibly an additional/separate (though related)
> > > issue.  I don't want to complicate the original question.  I can
> > > deal with the Macs later and perhaps solving the Linux issue will
> > > magically solve the Mac issue.  I've included the Mac
> > > information in case it provides additional clues. 
> > > 
> > > As I said, no problems whatsoever with the Windows 7 domain
> > > members.
> > > 
> > > --Mark
> > > 
> >
> > OK, just a thought, is there a dhcp server running on your
> > sonicwall ?
> 
> No. I configured the Sonicwall with the tech last night and I'm sure
> it's not running the DHCP server. The AD/DC (Mail) is running dhcpd.
> (but I'll double-check)
> 
> > What does running 'route' show (you will probably have to do this as
> > root or via sudo). It should show your sonicwall as the gateway.
> > try running these:
> 
> Yes, shows Sonicwall. On the AD/DC:
> 
> $ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         192.168.0.1     0.0.0.0         UG    1      0        0 eth1
> loopback        *               255.0.0.0       U     0      0        0 lo
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> 
> On the domain members, shows the AD/DC as the gateway:

It shouldn't. You normally only have one gateway; it is by definition
the 'gateway' to the WAN & internet, so I would use the same one on all
your machines.

> 
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         mail.hprs.local 0.0.0.0         UG    202    0        0 eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> 192.168.0.0     *               255.255.255.0   U     202    0        0 eth0
> 
> > hostname -s
> > hostname -d
> > hostname -i
> > hostname -I
> >
> > Do they show what you expect ?
> 
> On the domain member (labrat):
> 
> $ hostname -s
> labrat
> 
> $ hostname -d
> hprs.local
> 
> $ hostname -i
> 127.0.0.1 
> 
> $ hostname -I
> hostname: invalid option -- 'I'
> 
> I believe these show as expected (except for -I). Agreed?

Sorry, but no, '127.0.0.1' is the ipaddress for 'localhost'; it should
be the actual ipaddress of the computer. What is in /etc/hosts?

> 
> > What is in /etc/resolv.conf
> 
> On AD/DC (MAIL 192.168.0.2, is the LAN DNS server):
> 
> domain hprs.local
> search hprs.local
> nameserver 192.168.0.2

What do you mean 'LAN DNS server'? Is 192.168.0.2 not the DC's
ipaddress?

> 
> On Domain Member (labrat)
> 
> # Generated by dhcpcd from eth0.dhcp
> # /etc/resolv.conf.head can replace this line
> domain hprs.local
> nameserver 192.168.0.2
> nameserver 192.168.0.3
> # /etc/resolv.conf.tail can replace this line

It should be 'search', not 'domain'.
I will be honest, I am not a fan of dhcpcd, I cannot really see a need
for it.

> 
> None of the hosts have problems resolving internal or external
> hostnames.
> 
> --Mark
> 

Rowland
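Added example, not part of the thread: a POSIX sh script that turns the three checks Rowland raises above (default gateway, /etc/hosts mapping the hostname to loopback, and 'domain' versus 'search' in resolv.conf) into functions fed with text rather than live system state. The function names and sample inputs are mine; the samples are constructed to mirror the labrat output quoted in the thread.

```shell
# Added example, not from the thread: Rowland's three checks (default gateway,
# hostname -> loopback in /etc/hosts, 'domain' vs 'search' in resolv.conf) as
# functions that take file/command text as strings, so they run offline.

# Gateway of the default route in 'route -n' output; "ok" if it matches $2.
check_gateway() {   # $1 = 'route -n' output, $2 = expected gateway address
    gw=$(printf '%s\n' "$1" | awk '$1 == "0.0.0.0" || $1 == "default" { print $2; exit }')
    [ "$gw" = "$2" ] && echo ok || echo "mismatch:$gw"
}

# First address /etc/hosts maps a hostname to, or "" if the name is absent.
hosts_addr_for() {   # $1 = /etc/hosts content, $2 = short hostname
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }'
}

# "loopback" when the hostname resolves to 127.x (what makes 'hostname -i'
# print 127.0.0.1), "ok" for a real address, "missing" when not listed.
check_hosts() {
    addr=$(hosts_addr_for "$1" "$2")
    case "$addr" in
        "")    echo missing ;;
        127.*) echo loopback ;;
        *)     echo ok ;;
    esac
}

# "search" if resolv.conf has a search line, "domain" if only a domain line, else "none".
check_resolv_search() {
    printf '%s\n' "$1" | awk '
        $1 == "search" { s = 1 }
        $1 == "domain" { d = 1 }
        END { if (s) print "search"; else if (d) print "domain"; else print "none" }'
}

# Constructed samples mirroring the labrat domain member described in the thread.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.2     0.0.0.0         UG    202    0        0 eth0'
SAMPLE_HOSTS='127.0.0.1   localhost labrat
192.168.0.2 mail.hprs.local mail'
SAMPLE_RESOLV='# Generated by dhcpcd from eth0.dhcp
domain hprs.local
nameserver 192.168.0.2
nameserver 192.168.0.3'
echo "gateway:     $(check_gateway "$SAMPLE_ROUTE" 192.168.0.1)"   # mismatch:192.168.0.2
echo "hosts:       $(check_hosts "$SAMPLE_HOSTS" labrat)"          # loopback
echo "resolv.conf: $(check_resolv_search "$SAMPLE_RESOLV")"        # domain
```

On a real member you would feed it `"$(route -n)"`, `"$(cat /etc/hosts)"` and `"$(cat /etc/resolv.conf)"` instead of the constructed strings.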
