Web lists-archives.com

Re: [Samba] getent not working after installing firewall




On Mon, 04 Mar 2019 15:18:31 -0500
Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Mon, 4 Mar 2019 18:31:07 +0000 From: Rowland Penny wrote:
> >
> > On Mon, 04 Mar 2019 12:58:17 -0500
> > Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > On Mon, 4 Mar 2019 17:18:31 +0000 Rowland Penny wrote:
> > > >
> > > > On Mon, 04 Mar 2019 11:48:00 -0500
> > > > Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > >
> > > > > On Mon, 4 Mar 2019 14:50:38 +0000 Rowland Penny wrote:
> > > > > >
> > > > > > On Mon, 04 Mar 2019 09:15:12 -0500
> > > > > > Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > > > >
> > > > > > > I have a rather strange and urgent problem. Last evening I
> > > > > > > installed a Sonicwall firewall between the Internet and
> > > > > > > office LAN. The only change that I know of for the LAN
> > > > > > > workstations was that the gateway is now 192.168.0.1
> > > > > > > instead of 192.168.0.2. All workstations: Windows, Linux
> > > > > > > and Mac use DHCP and the AD/DC is the DHCP server, so I
> > > > > > > wouldn't think that mattered.
> > > > > > > 
> > > > > > > All Windows workstations work fine, I didn't even have to
> > > > > > > reboot them.  Windows Users can log in, they have their
> > > > > > > redirected folders, etc. 
> > > > > > > 
> > > > > > > Having a problem on Linux. When I run 'getent passwd' it
> > > > > > > returns only the list of users in /etc/passwd on the
> > > > > > > AD/DC. No domain users are returned. 'getent passwd
> > > > > > > <domainuser>' return status 2.
> > > > > > > 
> > > > > > > The domain user can log on to Linux.
> > > > > > > 
> > > > > > > Any idea what's up with this? I use getent on Linux for
> > > > > > > various things.
> > > > > > > 
> > > > > > > Thanks, Mark
> > > > > > > 
> > > > > > > Samba 4.8.2
> > > > > > > 
> > > > > >
> > > > > > Lets see if I have this correct, you have installed a
> > > > > > firewall on something between the original gateway and your
> > > > > > LAN, you have not touched anything else, except to point
> > > > > > your computers to the new firewall as the gateway
> > > > > > (presumably by DHCP). Is this correct ?
> > > > > >
> > > > > > You have logged into a DC and run:
> > > > > >
> > > > > > getent passwd username
> > > > > >
> > > > > > Which produces no output, where previously it did.
> > > > > >
> > > > > > Is the DC using itself as the nameserver ?
> > > > > > Is the DC using the correct gateway ?
> > > > > >
> > > > > > Rowland
> > > > > 
> > > > > Partially correct.  Before installing the firewall, the
> > > > > Gateway on the AD/DC was configured as the ISP's gateway
> > > > > (98.102.63.105).  I changed the gateway to be 192.168.0.1
> > > > > (the Sonicwall).  I believe that's all I did.  I did reboot
> > > > > the AD/DC.  The AD/DC is also the DHCP server. 
> > > > > 
> > > > > I've testing with stopping the firewall on the AD/DC as well.
> > > > > Didn't help.
> > > > > 
> > > > > On the AD/DC 'getent passwd' does work.
> > > > > 
> > > > > $ getent passwd mark
> > > > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > > > > 
> > > > > On the Linux domain member workstation it does not. 
> > > > > 
> > > > > $ getent passwd mark; echo $?
> > > > > 2
> > > > > 
> > > > > However, the user of that workstation is able to log in using
> > > > > domain credentials, ntlm_auth also works:
> > > > > 
> > > > > $ ntlm_auth --username=mark --password='mypass'
> > > > > NT_STATUS_OK: Success (0x0)
> > > > > 
> > > > > BTW - The MAC workstations cannot now authenticate with domain
> > > > > credentials.  I tried to unbind and rebind one of the
> > > > > workstations, but when trying to unbind I got the message,
> > > > > "Unable to access domain controller".  It can see the domain
> > > > > controller:
> > > > > 
> > > > > $ host mail
> > > > > mail.hprs.local has address 192.168.0.2
> > > > > 
> > > > > However, this is possibly an additional/separate (though
> > > > > related) issue.  I don't want to complicate the original
> > > > > question.  I can deal with the Macs later and perhaps solving
> > > > > the Linux issue will magically solve the Mac issue.  I've
> > > > > including the Mac information in case it provides additional
> > > > > clues. 
> > > > > 
> > > > > As I said, no problems whatsoever with the Windows 7 domain
> > > > > members.
> > > > > 
> > > > > --Mark
> > > > > 
> > > >
> > > > OK, just a thought, is there a dhcp server running on your
> > > > sonicwall ?
> > > 
> > > No. I configured the Sonicwall with the tech last night and I'm
> > > sure it's not running the DHCP server. The AD/DC (Mail) is
> > > running dhcpd. (but I'll double-check)
> > > 
> > > > What does running 'route' show (you will probably have to do
> > > > this as root or via sudo). It should show your sonicwall as the
> > > > gateway. try running these:
> > > 
> > > Yes, shows Sonicwall On the AD/DC:
> > > 
> > > $ route
> > > Kernel IP routing table
> > > Destination     Gateway         Genmask         Flags Metric Ref
> > > Use Iface default         192.168.0.1     0.0.0.0         UG
> > > 1      0        0 eth1 loopback        *
> > > 255.0.0.0       U     0      0        0 lo 192.168.0.0
> > > *               255.255.255.0   U     0      0        0 eth1
> > > 
> > > On the domain members, shows the AD/DC as the gateway:
> >
> > It shouldn't, you normally only have one gateway, it is by
> > definition the 'gateway' to the WAN & internet, so I would use the
> > same one on all your machines.
> 
> The LAN host gateways are assiged by the dhcpd server.  Unless I
> hard-code static IP's I can't really change that.  The Windows
> computers likewise show the AD/DC (192.168.0.1) as the gateway and
> they all work fine. 
> 
> > > # route
> > > Kernel IP routing table
> > > Destination     Gateway         Genmask         Flags Metric Ref
> > > Use Iface default         mail.hprs.local 0.0.0.0         UG
> > > 202    0        0 eth0 loopback        *
> > > 255.0.0.0       U     0      0        0 lo 192.168.0.0
> > > *               255.255.255.0   U     202    0        0 eth0
> > > 
> > > > hostname -s
> > > > hostname -d
> > > > hostname -i
> > > > hostname -I
> > > >
> > > > Do they show what you expect ?
> > > 
> > > On the domain member (labrat):
> > > 
> > > $ hostname -s
> > > labrat
> > > 
> > > $ hostname -d
> > > hprs.local
> > > 
> > > $ hostname -i
> > > 127.0.0.1 
> > > 
> > > $ hostname -I
> > > hostname: invalid option -- 'I'
> > > 
> > > I believe these show as expected (except for -I). Agreed?
> >
> > Sorry, but no, '127.0.0.1' is the ipaddress for 'localhost', it
> > should the actual ipaddress of the computer. What is in /etc/hosts ?
> 
> /etc/hosts:
> 127.0.0.1               localhost
> 127.0.0.1               labrat.hprs.local labrat
> 
> The IP of the computer is assigned by DHCP, so it won't be
> in /etc/hosts. There was a reason to have the /etc/hosts IP as
> 127.0.0.1, but I can't remember. I'll see if I can find my notes.
> Meanwhile, I've removed that entry from /etc/hosts. Now I have:
> 
> # hostname -i
> 192.168.0.99
> 
> Which is the correct IP for labrat.
> 
> > > > What is in /etc/resolv.conf
> > > 
> > > On AD/DC (MAIL 192.168.0.2, is the LAN DNS server):
> > > 
> > > domain hprs.local
> > > search hprs.local
> > > nameserver 192.168.0.2
> >
> > What do you mean 'LAN DNS server' ? is 192.168.0.2 not the DC's
> > ipaddress ?
> 
> The DC is the local DNS server and DHCP server -- as I assumed was
> required for a AD/DC. The DC has been running Samba4 for Active
> Directory for about 4 years and has always done DNS serving for the
> LAN (domain) and DHCP.
> 
> > > On Domain Member (labrat)
> > > 
> > > # Generated by dhcpcd from eth0.dhcp
> > > # /etc/resolv.conf.head can replace this line
> > > domain hprs.local
> > > nameserver 192.168.0.2
> > > nameserver 192.168.0.3
> > > # /etc/resolv.conf.tail can replace this line
> >
> > It should be 'search' not 'domain'
> 
> Well, as it says, the domain member's resolv.conf is generated by
> dhcpcd.  This also has remained unchanged for years. 
> 
> > I will be honest, I am not a fan of dhcpcd, I cannot really see a
> > need for it.
> 
> Otherwise I'd have to configure IP, Gateway, Netmask and nameservers
> for each host on the network, which is quite a few. 
> 
> > > None of the hosts have problem resolving internal or external
> > > hostnames.
> 
> This doesn't seem like a gateway or name resolution issue. All domain
> members can resolve internal and external host and domain names. The
> Linux domain members can authenticate and log in with domain
> credentials; ntlm_auth works. Just getent is not working on the Linux
> domain members. getent's return status is 2 which is, "One or more
> supplied key could not be found in the database", get ntlm_auth
> works ... ?
> 
> I'll modify the gateway on a linux domain member to point the the
> Sonicwall, but I'm skeptical that will fix getent. I'll report back.
> 
> *******************************
>      MORE INFO!
> *******************************
> MEANWHILE, after more testing I've refined the problem statement.  On
> labrat (domain member), I can:
> 
> $ getent passwd mark
> mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> 
> Yeah! But, just 'getent passwd' returns only DC:/etc/passwd entries,
> no domain users.  Also, I cannot 'getent passwd' for any other domain
> user on labrat, just 'mark'. If I log onto another Linux workstation,
> ccarter, I can:
> 
> $ getent passwd charlie
> charlie:*:10003:10000:Charlie Carter:/home/HPRS/charlie:/bin/bash
> 
> but I cannot 'getent passwd mark' on this computer. 
> 
> So, it seems that if a domain user was previously logged on to a
> Linux domain member, he/she can do a getent for him/herself only.  A
> getent cannot be done for any other domain user. 
> 
> Kerberos issue?
> 
> --Mark
> 

Something strange going on here, If you use dhcp to set your IP info,
you only need this in /etc/hosts:

rowland@devstation:~$ cat /etc/hosts
127.0.0.1	localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Which if you then run the commands I asked you to run, you get these:

rowland@devstation:~$ hostname -s
devstation
rowland@devstation:~$ hostname -d
samdom.example.com
rowland@devstation:~$ hostname -f
devstation.samdom.example.com
rowland@devstation:~$ hostname -i
192.168.0.88

and getent returns this:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

I do not use dhcpcd, I just use the isc-dhcp-client.

I repeat, I do not see the point of dhcpcd, it is just another layer in
the dhcp stack and, in my opinion, an unnecessary layer.

Rowland
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba