
Re: [Samba] getent not working after installing firewall
On Mon, 4 Mar 2019 21:28:19 +0100 Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
> Am 04.03.19 um 21:18 schrieb Mark Foley via samba:
> >> It shouldn't, you normally only have one gateway, it is by definition
> >> the 'gateway' to the WAN & internet, so I would use the same one on all
> >> your machines.
> > 
> > The LAN host gateways are assigned by the dhcpd server.  Unless I hard-code static IP's I can't
> > really change that.  The Windows computers likewise show the AD/DC (192.168.0.2) as the gateway
> > and they all work fine.
> how does that matter?

Not sure what you mean by "how does that matter?"

> your gateway is only part of the game when you try to reach an IP
> outside your LAN
>
> you said "Last evening I installed a Sonicwall firewall between the
> Internet and office LAN. The only change that I know of for the LAN
> workstations was that the gateway is now 192.168.0.1 instead of
> 192.168.0.2" but above you said "The Windows computers likewise show the
> AD/DC (192.168.0.2) as the gateway"
>
> so hell, what is the IP of your "Sonicwall firewall between the Internet
> and office LAN" and if it's 192.168.0.1 that don't match "The Windows
> computers likewise show the AD/DC (192.168.0.2) as the gateway"

Well, I figured someone might catch that, but I didn't want to muddy things further by posting
a follow-up. But, since you've noticed ... To clarify:

Without the Sonicwall, host 192.168.0.2 (DC) had the ISP's gateway 98.102.63.105 configured.
All the LAN workstations had 192.168.0.2 (DC) set as the gateway (route command output).  The
dhcpcd client sets the IP, mask, nameserver and gateway so *it* set the DC as the gateway, not
me directly.  Regardless, this had worked for years.

When I configured the Sonicwall (IP 192.168.0.1), it got configured with the ISP gateway.  I
configured the DC (192.168.0.2) gateway with the Sonicwall's IP: 192.168.0.1. 

Since the DC is still the DHCP server, it is still passing 192.168.0.2 to clients' dhcpcd as
the gateway:

On a domain member:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         mail.hprs.local 0.0.0.0         UG    202    0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.255.0   U     202    0        0 eth0
1 15:45:31 root@labrat:~

# host mail.hprs.local
mail.hprs.local has address 192.168.0.2

> the AD/DC *is not your gateway* - it's the "Sonicwall firewall"
> connecting your LAN to the internet and nothing else

Now, I could configure the Linux domain members to hard-code 192.168.0.1 (Sonicwall) as the
gateway, and I'll try that as an experiment, but I'll repeat, none of the client workstation/
domain-members on the LAN are having any problem resolving names or getting outside the LAN. 
So, I don't think the gateway is the problem. 

If you see the message I sent later, I'm only having a problem with getent, and only for domain
members who had not previously logged onto a given Linux workstation. I don't think the gateway
is the issue with that.

--Mark
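The point made above, that the default gateway only comes into play for destinations outside the local subnet, can be checked mechanically from the routing table. The following is an added example and not part of the thread: it parses `route -n` style output (numeric addresses, so the `mail.hprs.local` line from the message is written as 192.168.0.2, which is what `host` resolved it to) and performs the same longest-prefix lookup the kernel does. The two tables are constructed to mirror the setup described in the message: the domain member `labrat` with the DHCP-supplied gateway 192.168.0.2, and the DC with its gateway pointed at the Sonicwall at 192.168.0.1. Function names and the `lookup()` helper are my own.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means the destination is on-link
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse `route -n` output (Destination Gateway Genmask Flags Metric Ref Use Iface).

    Header lines, shell prompts and anything else that does not have the eight
    columns of a route entry are skipped.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        if dest == "default":
            dest = "0.0.0.0"
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        # The G flag marks a route that goes through a gateway; "*" / 0.0.0.0 means on-link.
        gateway = ipaddress.IPv4Address(gw) if "G" in flags and gw not in ("*", "0.0.0.0") else None
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route whose network contains the destination."""
    dest = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dest in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def next_hop(routes: List[Route], destination: str) -> str:
    """Human-readable answer: does this destination use the gateway at all?"""
    route = lookup(routes, destination)
    if route is None:
        return "unreachable (no matching route)"
    if route.gateway is None:
        return f"on-link via {route.iface}, gateway not involved"
    return f"via gateway {route.gateway} on {route.iface}"


# Constructed: the domain member's table from the message, in numeric form.
MEMBER_ROUTES = parse_route_table("""\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.2     0.0.0.0         UG    202    0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
1 15:45:31 root@labrat:~
""")

# Constructed: the DC after its gateway was changed to the Sonicwall (192.168.0.1).
DC_ROUTES = parse_route_table("""\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
""")


if __name__ == "__main__":
    # Traffic from the member to the DC (where winbind/getent lookups go) never touches the gateway.
    print("member -> DC 192.168.0.2:", next_hop(MEMBER_ROUTES, "192.168.0.2"))
    # Only off-LAN destinations, such as the ISP gateway address named in the thread, use it.
    print("member -> 98.102.63.105:", next_hop(MEMBER_ROUTES, "98.102.63.105"))
    print("DC     -> 98.102.63.105:", next_hop(DC_ROUTES, "98.102.63.105"))
```

Running it shows that a member's lookups against the DC at 192.168.0.2 are delivered on-link regardless of what dhcpcd handed out as the router, which is why a wrong or stale default gateway would break internet access before it would break `getent` against a LAN-local DC.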

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba