
Re: [Samba] getent not working after installing firewall




On Mon, 4 Mar 2019 18:31:07 +0000 From: Rowland Penny wrote:
>
> On Mon, 04 Mar 2019 12:58:17 -0500
> Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > On Mon, 4 Mar 2019 17:18:31 +0000 Rowland Penny wrote:
> > >
> > > On Mon, 04 Mar 2019 11:48:00 -0500
> > > Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > > > On Mon, 4 Mar 2019 14:50:38 +0000 Rowland Penny wrote:
> > > > >
> > > > > On Mon, 04 Mar 2019 09:15:12 -0500
> > > > > Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > > >
> > > > > > I have a rather strange and urgent problem. Last evening I
> > > > > > installed a Sonicwall firewall between the Internet and office
> > > > > > LAN. The only change that I know of for the LAN workstations
> > > > > > was that the gateway is now 192.168.0.1 instead of
> > > > > > 192.168.0.2. All workstations: Windows, Linux and Mac use
> > > > > > DHCP and the AD/DC is the DHCP server, so I wouldn't think
> > > > > > that mattered.
> > > > > > 
> > > > > > All Windows workstations work fine, I didn't even have to
> > > > > > reboot them.  Windows Users can log in, they have their
> > > > > > redirected folders, etc. 
> > > > > > 
> > > > > > Having a problem on Linux. When I run 'getent passwd' it
> > > > > > returns only the list of users in /etc/passwd on the AD/DC.
> > > > > > No domain users are returned. 'getent passwd <domainuser>'
> > > > > > return status 2.
> > > > > > 
> > > > > > The domain user can log on to Linux.
> > > > > > 
> > > > > > Any idea what's up with this? I use getent on Linux for
> > > > > > various things.
> > > > > > 
> > > > > > Thanks, Mark
> > > > > > 
> > > > > > Samba 4.8.2
> > > > > > 
> > > > >
> > > > > Let's see if I have this correct, you have installed a firewall
> > > > > on something between the original gateway and your LAN, you
> > > > > have not touched anything else, except to point your computers
> > > > > to the new firewall as the gateway (presumably by DHCP). Is
> > > > > this correct ?
> > > > >
> > > > > You have logged into a DC and run:
> > > > >
> > > > > getent passwd username
> > > > >
> > > > > Which produces no output, where previously it did.
> > > > >
> > > > > Is the DC using itself as the nameserver ?
> > > > > Is the DC using the correct gateway ?
> > > > >
> > > > > Rowland
> > > > 
> > > > Partially correct.  Before installing the firewall, the Gateway on
> > > > the AD/DC was configured as the ISP's gateway (98.102.63.105).  I
> > > > changed the gateway to be 192.168.0.1 (the Sonicwall).  I believe
> > > > that's all I did.  I did reboot the AD/DC.  The AD/DC is also the
> > > > DHCP server. 
> > > > 
> > > > I've tested stopping the firewall on the AD/DC as well.
> > > > Didn't help.
> > > > 
> > > > On the AD/DC 'getent passwd' does work.
> > > > 
> > > > $ getent passwd mark
> > > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > > > 
> > > > On the Linux domain member workstation it does not. 
> > > > 
> > > > $ getent passwd mark; echo $?
> > > > 2
> > > > 
> > > > However, the user of that workstation is able to log in using
> > > > domain credentials, ntlm_auth also works:
> > > > 
> > > > $ ntlm_auth --username=mark --password='mypass'
> > > > NT_STATUS_OK: Success (0x0)
> > > > 
> > > > BTW - The MAC workstations cannot now authenticate with domain
> > > > credentials.  I tried to unbind and rebind one of the
> > > > workstations, but when trying to unbind I got the message,
> > > > "Unable to access domain controller".  It can see the domain
> > > > controller:
> > > > 
> > > > $ host mail
> > > > mail.hprs.local has address 192.168.0.2
> > > > 
> > > > However, this is possibly an additional/separate (though related)
> > > > issue.  I don't want to complicate the original question.  I can
> > > > deal with the Macs later and perhaps solving the Linux issue will
> > > > magically solve the Mac issue.  I've included the Mac
> > > > information in case it provides additional clues. 
> > > > 
> > > > As I said, no problems whatsoever with the Windows 7 domain
> > > > members.
> > > > 
> > > > --Mark
> > > > 
> > >
> > > OK, just a thought, is there a dhcp server running on your
> > > sonicwall ?
> > 
> > No. I configured the Sonicwall with the tech last night and I'm sure
> > it's not running the DHCP server. The AD/DC (Mail) is running dhcpd.
> > (but I'll double-check)
> > 
> > > What does running 'route' show (you will probably have to do this as
> > > root or via sudo). It should show your sonicwall as the gateway.
> > > try running these:
> > 
> > Yes, it shows the Sonicwall. On the AD/DC:
> > 
> > $ route
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > default         192.168.0.1     0.0.0.0         UG    1      0        0 eth1
> > loopback        *               255.0.0.0       U     0      0        0 lo
> > 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
> > 
> > On the domain members, shows the AD/DC as the gateway:
>
> It shouldn't, you normally only have one gateway, it is by definition
> the 'gateway' to the WAN & internet, so I would use the same one on all
> your machines.

The LAN host gateways are assigned by the dhcpd server.  Unless I hard-code static IPs I can't
really change that.  The Windows computers likewise show the AD/DC (192.168.0.1) as the gateway
and they all work fine. 

> > # route
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > default         mail.hprs.local 0.0.0.0         UG    202    0        0 eth0
> > loopback        *               255.0.0.0       U     0      0        0 lo
> > 192.168.0.0     *               255.255.255.0   U     202    0        0 eth0
> > 
> > > hostname -s
> > > hostname -d
> > > hostname -i
> > > hostname -I
> > >
> > > Do they show what you expect ?
> > 
> > On the domain member (labrat):
> > 
> > $ hostname -s
> > labrat
> > 
> > $ hostname -d
> > hprs.local
> > 
> > $ hostname -i
> > 127.0.0.1 
> > 
> > $ hostname -I
> > hostname: invalid option -- 'I'
> > 
> > I believe these show as expected (except for -I). Agreed?
>
> Sorry, but no, '127.0.0.1' is the ipaddress for 'localhost', it should
> be the actual ipaddress of the computer. What is in /etc/hosts ?

/etc/hosts:
127.0.0.1               localhost
127.0.0.1               labrat.hprs.local labrat

The IP of the computer is assigned by DHCP, so it won't be in /etc/hosts. There was a reason to
have the /etc/hosts IP as 127.0.0.1, but I can't remember. I'll see if I can find my notes.
Meanwhile, I've removed that entry from /etc/hosts. Now I have:

# hostname -i
192.168.0.99

Which is the correct IP for labrat.

> > > What is in /etc/resolv.conf
> > 
> > On AD/DC (MAIL 192.168.0.2, is the LAN DNS server):
> > 
> > domain hprs.local
> > search hprs.local
> > nameserver 192.168.0.2
>
> What do you mean 'LAN DNS server' ? is 192.168.0.2 not the DC's
> ipaddress ?

The DC is the local DNS server and DHCP server -- as I assumed was required for an AD/DC.
The DC has been running Samba4 for Active Directory for about 4 years and has always done DNS
serving for the LAN (domain) and DHCP.

> > On Domain Member (labrat)
> > 
> > # Generated by dhcpcd from eth0.dhcp
> > # /etc/resolv.conf.head can replace this line
> > domain hprs.local
> > nameserver 192.168.0.2
> > nameserver 192.168.0.3
> > # /etc/resolv.conf.tail can replace this line
>
> It should be 'search' not 'domain'

Well, as it says, the domain member's resolv.conf is generated by dhcpcd.  This also has
remained unchanged for years. 

> I will be honest, I am not a fan of dhcpcd, I cannot really see a need
> for it.

Otherwise I'd have to configure IP, Gateway, Netmask and nameservers for each host on the
network, which is quite a few. 

> > None of the hosts have problem resolving internal or external
> > hostnames.

This doesn't seem like a gateway or name resolution issue. All domain members can resolve
internal and external host and domain names. The Linux domain members can authenticate and log
in with domain credentials; ntlm_auth works. Just getent is not working on the Linux domain
members. getent's return status is 2 which is, "One or more supplied key could not be found in
the database", yet ntlm_auth works ... ?

I'll modify the gateway on a Linux domain member to point to the Sonicwall, but I'm skeptical
that will fix getent. I'll report back.

*******************************
     MORE INFO!
*******************************
MEANWHILE, after more testing I've refined the problem statement.  On labrat (domain member), I
can:

$ getent passwd mark
mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

Yeah! But, just 'getent passwd' returns only DC:/etc/passwd entries, no domain users.  Also, I
cannot 'getent passwd' for any other domain user on labrat, just 'mark'. If I log onto another
Linux workstation, ccarter, I can:

$ getent passwd charlie
charlie:*:10003:10000:Charlie Carter:/home/HPRS/charlie:/bin/bash

but I cannot 'getent passwd mark' on this computer. 

So, it seems that if a domain user was previously logged on to a Linux domain member, he/she
can do a getent for him/herself only.  A getent cannot be done for any other domain user. 

Kerberos issue?

--Mark
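An added POSIX sh check (not part of the thread, written here as an example) for the two member-side settings questioned above, the hostname mapped to 127.0.0.1 in /etc/hosts and 'domain' instead of 'search' in resolv.conf, plus a probe that reports getent's exit status rather than the entry. The sample hosts and resolv.conf files are constructed copies of what labrat showed; pass the real paths on a member server.

```shell
#!/bin/sh
# Offline checks for the two member-side settings questioned in this thread,
# plus a getent exit-status probe. Constructed sample files stand in for
# /etc/hosts and /etc/resolv.conf; pass the real paths on a member server.

# hosts_maps_host_to_loopback HOSTNAME FILE
# True (exit 0) when FILE maps HOSTNAME, or HOSTNAME.<domain>, to a 127.x
# address; that is what made 'hostname -i' print 127.0.0.1 on labrat.
hosts_maps_host_to_loopback() {
    awk -v h="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 ~ /^127\./ {
            for (i = 2; i <= NF; i++)
                if ($i == h || index($i, h ".") == 1) found = 1
        }
        END { exit found ? 0 : 1 }' "$2"
}

# resolv_uses_domain_not_search FILE
# True when FILE carries a 'domain' line but no 'search' line (the dhcpcd output shown).
resolv_uses_domain_not_search() {
    grep -Eq '^[[:space:]]*domain[[:space:]]' "$1" &&
        ! grep -Eq '^[[:space:]]*search[[:space:]]' "$1"
}

# getent_status USER: prints getent's exit status (2 = key not found in any
# NSS database) instead of the passwd entry.
getent_status() {
    if getent passwd "$1" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# Constructed samples mirroring labrat before and after the /etc/hosts edit.
make_samples() {
    tmp=$(mktemp -d)
    printf '127.0.0.1\tlocalhost\n127.0.0.1\tlabrat.hprs.local labrat\n' \
        > "$tmp/hosts.bad"
    printf '127.0.0.1\tlocalhost\n192.168.0.99\tlabrat.hprs.local labrat\n' \
        > "$tmp/hosts.good"
    printf '# Generated by dhcpcd from eth0.dhcp\ndomain hprs.local\nnameserver 192.168.0.2\n' \
        > "$tmp/resolv.bad"
    printf 'search hprs.local\nnameserver 192.168.0.2\n' > "$tmp/resolv.good"
    echo "$tmp"
}

# Demo run against the constructed samples.
d=$(make_samples)
hosts_maps_host_to_loopback labrat "$d/hosts.bad" && echo "hosts.bad: labrat resolves to loopback; hostname -i will be wrong"
resolv_uses_domain_not_search "$d/resolv.bad" && echo "resolv.bad: 'domain' present, 'search' missing"
echo "getent passwd nosuchuser -> status $(getent_status nosuchuser)"
rm -rf "$d"
```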
