
Re: [Samba] getent not working after installing firewall

On Mon, 04 Mar 2019 15:47:23 -0500
Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Mon, 4 Mar 2019 21:28:19 +0100 Reindl Harald
> <h.reindl@xxxxxxxxxxxxx> wrote:
> >
> > Am 04.03.19 um 21:18 schrieb Mark Foley via samba:
> > >> It shouldn't, you normally only have one gateway, it is by
> > >> definition the 'gateway' to the WAN & internet, so I would use
> > >> the same one on all your machines.
> > > 
> > > The LAN host gateways are assigned by the dhcpd server.  Unless I
> > > hard-code static IPs I can't really change that.  The Windows
> > > computers likewise show the AD/DC (192.168.0.2) as the gateway
> > > and they all work fine. 
> > how does that matter?
> 
> Not sure what you mean by "how does that matter?"
> 
> > your gateway is only part of the game when you try to reach an IP
> > outside your LAN
> >
> > you said "Last evening I installed a Sonicwall firewall between the
> > Internet and office LAN. The only change that I know of for the LAN
> > workstations was that the gateway is now 192.168.0.1 instead of
> > 192.168.0.2" but above you said "The Windows computers likewise
> > show the AD/DC (192.168.0.2) as the gateway"
> >
> > so hell, what is the IP of your "Sonicwall firewall between the
> > Internet and office LAN" and if it's 192.168.0.1 that don't match
> > "The Windows computers likewise show the AD/DC (192.168.0.2) as the
> > gateway"
> 
> Well, I figured someone might catch that, but I didn't want to muddy
> things further by posting a follow-up. But, since you've noticed ...
> To clarify:
> 
> Without the Sonicwall, host 192.168.0.2 (DC) had the ISP's gateway
> 98.102.63.105 configured. 

The ISP's gateway? Is this the IP address of the 'whatever it
is' (router?) inside your premises, or is it actually one of your ISP's
nameservers or your ISP's gateway?
Your LAN appears to be using the 192.168.0.0/24 address range and I
would have expected your gateway to be 192.168.0.1 or similar.

> All the LAN workstations had 192.168.0.2
> (DC) set as the gateway (route command output).  The dhcpcd client
> sets the IP, mask, nameserver and gateway so *it* set the DC as the
> gateway, not me directly.  Regardless, this had worked for years.

I am now wondering if we are talking about the same program, there is
'isc-dhcp-client' and then there is 'dhcpcd', which are you using ?

> 
> When I configured the Sonicwall (IP 192.168.0.1), it got configured
> with the ISP gateway.  I configured the DC (192.168.0.2) gateway with
> the Sonicwall's IP: 192.168.0.1.

What is this Sonicwall thing? Every firewall device I have had
dealings with has had at least two network cards, one connected to
the internal network and one connected to the external network. 

> 
> Since the DC is still the DHCP server, it is still passing
> 192.168.0.2 to clients' dhcpcd as the gateway:

Then you need to reconfigure the DHCP server to send the correct
gateway.

> 
> On a domain member:
> 
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         mail.hprs.local 0.0.0.0         UG    202    0        0 eth0
> loopback        *               255.0.0.0       U     0      0        0 lo
> 192.168.0.0     *               255.255.255.0   U     202    0        0 eth0
> 1 15:45:31 root@labrat:~
> 
> # host mail.hprs.local
> mail.hprs.local has address 192.168.0.2
> 
> > the AD/DC *is not your gateway* - it's the "Sonicwall firewall"
> > connecting your LAN to the internet and nothing else
> 
> Now, I could configure the Linux domain members to hard-code
> 192.168.0.1 (Sonicwall) as the gateway, and I'll try that as an
> experiment, but I'll repeat, none of the client workstation/
> domain-members on the LAN are having any problem resolving names or
> getting outside the LAN. So, I don't think the gateway is the
> problem. 

They wouldn't, they are asking your DC and, as it doesn't know, it
asks the internet through its gateway, the Sonicwall thing.

> 
> If you see the message I sent later, I'm only having a problem with
> getent, and only for domain members who had not previously logged
> onto a given Linux workstation. I don't think the gateway is the
> issue with that.
> 
> --Mark
> 

I wouldn't bet on it, especially as the problem only started after you
installed the sonicwall thing.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
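The fix Rowland points at (the DHCP server on the DC must advertise the firewall, not itself, as the router) can be checked and applied mechanically. The script below is an added example, not code from the thread or from the Samba project. It assumes the DC runs isc-dhcp-server with a subnet stanza like the constructed SAMPLE_CONF, that the Sonicwall's LAN address is 192.168.0.1, and that the client-side check is done on numeric `route -n` output (the constructed SAMPLE_ROUTE); the function names and sample data are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): audit the router that an
# ISC dhcpd subnet declaration hands out, rewrite it to the firewall's address,
# and read back which gateway a client actually received.
# Assumptions (constructed for this example): DC/DHCP/DNS at 192.168.0.2,
# Sonicwall LAN side at 192.168.0.1, subnet stanza shaped as below.

FIREWALL=192.168.0.1

# Constructed dhcpd.conf fragment with the "weak" setting: the DC is sent as
# the default router, so every client routes WAN traffic via the DC.
SAMPLE_CONF='subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  option routers 192.168.0.2;
  option domain-name-servers 192.168.0.2;
  option domain-name "hprs.local";
}'

# Constructed "route -n" output from a domain member that took the lease above.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.2     0.0.0.0         UG    202    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0'

# dhcp_router CONF: print the address from the first "option routers" line.
dhcp_router() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*option routers[[:space:]]*\([0-9.]*\)[[:space:]]*;.*/\1/p' |
    head -n 1
}

# check_router CONF EXPECTED: succeed only if dhcpd advertises EXPECTED.
check_router() {
  actual=$(dhcp_router "$1")
  if [ "$actual" = "$2" ]; then
    echo "ok: dhcpd advertises $actual as router"
    return 0
  fi
  echo "MISMATCH: dhcpd advertises '${actual:-nothing}', expected $2"
  return 1
}

# fix_router CONF GATEWAY: rewrite "option routers" only. The DNS option is
# deliberately left alone: domain members must keep resolving AD records
# (SRV, _msdcs, host names) through the DC, which forwards the rest upstream.
fix_router() {
  printf '%s\n' "$1" |
    sed "s/^\([[:space:]]*option routers[[:space:]]*\)[0-9.]*;/\1$2;/"
}

# default_gateway ROUTE_OUTPUT: gateway of the default route in "route -n"
# (or "ip route" style "default via X") output.
default_gateway() {
  printf '%s\n' "$1" |
    awk '$1 == "0.0.0.0" || $1 == "default" { print ($2 == "via") ? $3 : $2; exit }'
}

# Stand-alone run: report, and print the corrected stanza when needed.
if ! check_router "$SAMPLE_CONF" "$FIREWALL"; then
  echo "--- corrected subnet stanza (restart dhcpd, then renew client leases) ---"
  fix_router "$SAMPLE_CONF" "$FIREWALL"
fi
echo "client default gateway before renewal: $(default_gateway "$SAMPLE_ROUTE")"
```

After editing the real dhcpd.conf, restart the DHCP service and renew a client lease; clients keep the old router until their lease is renewed, which is why a change on the server alone does not immediately show up in `route -n` on the workstations.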