Re: [Samba] getent not working after installing firewall
- Date: Tue, 5 Mar 2019 09:18:28 +0100
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] getent not working after installing firewall
The solution is really simple.
Since this server is dual-homed (2 NICs), I suggest setting up advanced routing tables.
The short version of how to set it up.
Edit /etc/iproute2/rt_tables and add:
Look up the routing tables:
ip route show table OfficeLan
ip route show table InternetWan
The default gateways to the internet and to the LAN (change ethX to your network interface name):
ip route add default via internet_IP_HERE dev eth1 table InternetWan
ip route add default via lan_IP_HERE dev eth0 table OfficeLan
Check it:
ip route show table main
Add LAN routing rules:
ip rule add from lan_IP_HERE/24 lookup OfficeLan prio 900
ip rule add to lan_IP_HERE/24 lookup OfficeLan prio 900
Add WAN routing rules:
ip rule add from internet_IP_HERE lookup InternetWan prio 1000
ip rule add to internet_IP_HERE lookup InternetWan prio 1000
If you want this in the network interface setup:
# The primary network interface ETH0 ( LAN )
iface eth0 inet static
# 192.168.0.1 = Gateway IP LAN ( in this example another server )
post-up ip route add 192.168.0.1 dev eth0 src 192.168.0.236 table OfficeLan
# extra subnet example: post-up ip route add 10.12.0.0/16 via 192.168.0.1 dev eth0
post-up ip route add default via 192.168.0.1 table OfficeLan
post-up ip rule add from 192.168.0.236 table OfficeLan
post-up ip route add 127.0.0.0/8 dev lo table OfficeLan
post-down ip rule del from 192.168.0.236 table OfficeLan
# The secondary network interface ETH1 ( WAN )
iface eth1 inet static
post-up ip route add internet_IP_HERE/XX dev eth1 src internet_IP_HERE table InternetWan
post-up ip route add default via internet_GATEWAYIP_HERE table InternetWan
post-up ip rule add from internet_IP_HERE/XX table InternetWan
post-up ip route add 127.0.0.0/8 dev lo table InternetWan
post-down ip rule del from internet_IP_HERE/XX table InternetWan
post-up ip route add default scope global nexthop via internet_GATEWAYIP_HERE dev eth1
Or google "advanced routing tables"
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Peter Milesson via samba
> Sent: Tuesday, 5 March 2019 8:39
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] getent not working after installing firewall
> On 05.03.2019 7:14, Mark Foley via samba wrote:
> > On Tue, 5 Mar 2019 06:17:59 +0100 Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
> >> On 05.03.19 at 00:22, Mark Foley via samba wrote:
> >>> /etc/resolv.conf:
> >>> nameserver 192.168.0.2
> >>> nameserver 220.127.116.11
> >>> /etc/hosts:
> >>> 127.0.0.1 localhost
> >>> 192.168.0.60 ccarter
> >>> So, the gateway is the Sonicwall firewall, 192.168.0.1. Nameservers are the DC (192.168.0.2)
> >>> and one of the ISP name servers. The IP is static and is set in /etc/hosts. At this point,
> >>> there should be no issues or questions with respect to which gateway or DHCP usage (DHCP is not
> >>> being used)
> >> Besides that you really could strip your quotes, why in the world are you
> >> doing that? There is no point except asking for trouble when you mix
> >> your DC and an external nameserver.
> > Personally, I like the quotes. It gives me, and hopefully others, a clearer picture of the
> > problem and what has been tried. A reader can always skip to the bottom.
> > ANYWAY, stand by! I may have the problem solved. I need to do a bit more experimentation with a
> > couple of components, but I think it might be fixed. I'll post again later when I've confirmed.
> > --Mark
> Hi folks,
> I'll poke a stick into this, due to recent experiences.
> Essentially, it's not a Samba problem. It's a network problem. First,
> make sure your devices and configurations are in order. Then it may, or
> may not, work anyway.
> For different reasons, I had to make a slight network topology change. I
> removed the previous gateway/router, and am now using a Cisco ASA as
> firewall/router. The Cisco people are very explicit in stating that the
> ASA is a firewall, not a router. It's possible to configure and use it
> as a router anyway (though you need a PhD in Cisco ASA
> The Cisco ASA was given the previous gateway IP.
> Behind the firewall router are 7 different subnets/VLANs. In the main
> LAN are a bunch of Windows servers in an AD domain. One of the VLANs
> contains a Samba AD DC, a Samba fileserver, and Windows clients. The
> Samba domain machines may connect to the Windows domain, but not the
> other way around. The Windows VLAN and the Samba VLAN have got internet
> access. The main DNS servers are in the Windows AD DC and the backup
> Windows AD DC. There is one single time source for the main LAN and VLANs.
> After making the changes, I made a very thorough check that everything
> is working. After 4 days I get a call that 2 clients in the Samba
> domain cannot contact the mail server, which is in the Windows domain.
> Also, those 2 clients cannot connect to a specific printer in the
> Windows domain. Also, the printer seems to be jibbering, transmitting
> garbage about 10 times/sec. All other clients in the Samba domain can
> connect to the mail server without any problems. Testing, retesting,
> checking firewall rules, checking DNS responses, restarting
> again, again, again. Everything is OK. But still it does not work.
> Come after hours, I then make a complete, total reset of all network
> devices and all servers, and turn off the client computers. It's a small
> network, so it was manageable during a long evening. After that,
> everything was working flawlessly. Even the printer stopped jibbering.
> My only conclusion here is that something very stale was still cached
> somewhere. I'm exclusively using HP equipment for switching, so there's
> no no-name, undocumented cheapo stuff in the network. But nobody is
> Hope that my experiences can give you some input and help.
> Best regards,
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
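The policy-routing setup from L.P.H. van Belle's reply, as an added example script that is not part of the original post and not Samba's own code. It assumes a Debian-style /etc/iproute2/rt_tables, the assumed free table IDs 100 (OfficeLan) and 101 (InternetWan), RFC 5737 documentation addresses on the WAN side, and the placeholder interface names eth0 (LAN) and eth1 (WAN); every address can be overridden from the environment. It generalizes the post slightly: the rt_tables entries are written idempotently and refuse to clash with an existing table, the WAN rules look up the InternetWan table, routes use "replace" so the script can be re-run, and it adds the check a practitioner wants, "ip route get DST from SRC", which shows which interface and gateway the kernel will use for a reply sourced from each address. That is the point of the exercise on a dual-homed host behind a stateful firewall: a reply that leaves on the other interface looks like asymmetric or spoofed traffic and gets dropped.

```shell
#!/bin/sh
# Added example, not from the list post: policy routing for a dual-homed host
# with one table per interface. Every address, interface and table ID below
# is an assumed placeholder; override them in the environment.
set -eu

LAN_IF=${LAN_IF:-eth0}
LAN_IP=${LAN_IP:-192.168.0.236}
LAN_NET=${LAN_NET:-192.168.0.0/24}
LAN_GW=${LAN_GW:-192.168.0.1}
WAN_IF=${WAN_IF:-eth1}
WAN_IP=${WAN_IP:-203.0.113.10}        # assumption: RFC 5737 documentation range
WAN_NET=${WAN_NET:-203.0.113.0/24}
WAN_GW=${WAN_GW:-203.0.113.1}
LAN_TABLE=OfficeLan;   LAN_TABLE_ID=${LAN_TABLE_ID:-100}   # assumed free IDs
WAN_TABLE=InternetWan; WAN_TABLE_ID=${WAN_TABLE_ID:-101}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
IP=${IP:-ip}          # IP="echo ip" prints the commands instead of running them

# ensure_table NAME ID: add "ID NAME" to rt_tables once; refuse a clashing entry.
ensure_table() {
    name=$1 id=$2
    if grep -Eq "^[[:space:]]*${id}[[:space:]]+${name}[[:space:]]*$" "$RT_TABLES"; then
        return 0                                   # already registered
    fi
    if grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+${name}([[:space:]]|$)" "$RT_TABLES" ||
       grep -Eq "^[[:space:]]*${id}[[:space:]]" "$RT_TABLES"; then
        echo "rt_tables: '$id'/'$name' clashes with an existing entry" >&2
        return 1
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
}

# route_cmds: the ip(8) arguments, one command per line. Each table carries its
# connected subnet, loopback and its own default route; the rules send traffic
# from/to an interface's address through that interface's table, so a reply
# leaves on the interface the request arrived on.
route_cmds() {
    cat <<EOF
route replace $LAN_NET dev $LAN_IF src $LAN_IP table $LAN_TABLE
route replace 127.0.0.0/8 dev lo table $LAN_TABLE
route replace default via $LAN_GW dev $LAN_IF table $LAN_TABLE
route replace $WAN_NET dev $WAN_IF src $WAN_IP table $WAN_TABLE
route replace 127.0.0.0/8 dev lo table $WAN_TABLE
route replace default via $WAN_GW dev $WAN_IF table $WAN_TABLE
rule add from $LAN_NET lookup $LAN_TABLE prio 900
rule add to $LAN_NET lookup $LAN_TABLE prio 900
rule add from $WAN_IP lookup $WAN_TABLE prio 1000
rule add to $WAN_IP lookup $WAN_TABLE prio 1000
EOF
}

# apply_routing: register both tables, then run every command. Routes use
# "replace" so re-running is harmless; rules are deleted before being re-added
# because "ip rule add" happily creates duplicates.
apply_routing() {
    ensure_table "$LAN_TABLE" "$LAN_TABLE_ID" || return 1
    ensure_table "$WAN_TABLE" "$WAN_TABLE_ID" || return 1
    route_cmds | while IFS= read -r cmd; do
        case $cmd in
            "rule add "*) $IP rule del ${cmd#rule add} 2>/dev/null || true ;;
        esac
        $IP $cmd
    done
}

# check_path SRC DST: ask the kernel which route a locally generated packet
# from SRC to DST takes. The output names dev and gateway, so a packet sourced
# from the WAN address must show the WAN interface and the WAN gateway.
check_path() {
    $IP route get "$2" from "$1"
}
```

Run it once with IP="echo ip" to review the commands, then as root to apply them, and finish with check_path "$WAN_IP" 198.51.100.1 and check_path "$LAN_IP" 10.12.0.1 (destinations are arbitrary) to confirm each source address is routed out of its own interface. On the same host also look at sysctl net.ipv4.conf.all.rp_filter: strict reverse-path filtering (value 1) drops packets whose reply path does not match the arrival interface, which produces exactly the "everything is configured, nothing works" symptom on a dual-homed box.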