Re: [Samba] getent not working after installing firewall




The solution is really simple. 
Since this server is dual-homed (2 NICs), I suggest setting up advanced routing tables. 

The short version of how to set it up.

Edit /etc/iproute2/rt_tables and add:
10 OfficeLan
20 InternetWan

Look up the routing tables:
ip route show table OfficeLan
ip route show table InternetWan

The default gateways are to the internet. (Change ethX to your network interface name.) 

ip route add default via internet_IP_HERE dev eth0 table InternetWan
ip route add default via lan_IP_HERE dev eth1 table OfficeLan

Check it: 
ip route show table main 

Add LAN routing rules. 
ip rule add from lan_IP_HERE/24 lookup OfficeLan prio 900
ip rule add to lan_IP_HERE/24 lookup OfficeLan prio 900

ip rule 

Add WAN routing rules.
ip rule add from internet_IP_HERE lookup InternetWan prio 1000
ip rule add to internet_IP_HERE lookup InternetWan prio 1000

If you want this in the network interface setup:
# The primary network interface ETH0 ( LAN )
allow-hotplug eth0
iface eth0 inet static
        address 192.168.0.236/24
        # 192.168.0.1 = Gateway IP LAN ( in this example another server )
        post-up ip route add 192.168.0.1 dev eth0 src 192.168.0.236 table OfficeLan
        # extra subnet example: post-up ip route add 10.12.0.0/16 via 192.168.0.1 dev eth0
        post-up ip route add default via 192.168.0.1 table OfficeLan
        post-up ip rule add from 192.168.0.236 table OfficeLan
        post-up ip route add 127.0.0.0/8 dev lo table OfficeLan
        post-down ip rule del from 192.168.0.236 table OfficeLan

# The secondary network interface ETH1 ( WAN )
allow-hotplug eth1
iface eth1 inet static
        address internet_IP_HERE/XX
        # src must be this host's own WAN address, not the gateway's
        post-up ip route add internet_IP_HERE/XX dev eth1 src internet_IP_HERE table InternetWan
        post-up ip route add default via internet_GATEWAYIP_HERE table InternetWan
        post-up ip rule add from internet_IP_HERE/XX table InternetWan
        post-up ip route add 127.0.0.0/8 dev lo table InternetWan
        # delete exactly the rule that post-up added
        post-down ip rule del from internet_IP_HERE/XX table InternetWan
        post-up ip route add default scope global nexthop via internet_GATEWAYIP_HERE dev eth1


Or google "advanced routing tables" 

Greetz, 

Louis
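
The whole point of the rules above is that replies from the LAN address leave via the LAN interface and replies from the WAN address leave via the WAN interface, otherwise the firewall sees asymmetric traffic and winbind/getent lookups towards the DC stall. The script below is an added example, not code from the list post: it parses the text output of `ip rule show` and `ip route show table <name>`, walks the rules the way the kernel does (a matching rule whose table has no route falls through to the next one), and reports every local address whose reply path would leave on the wrong interface. All snapshots are constructed; the LAN side reuses the 192.168.0.236/24 values from the post, the WAN side uses the 203.0.113.0/24 documentation range, and the probe destination 198.51.100.1 stands in for "some host on the internet". The second snapshot reproduces the copy/paste mistake of pointing the WAN rule at the LAN table.

```python
"""Audit policy routing on a dual-homed host (added example, not code from
the list post). Parses `ip rule show` and `ip route show table <name>`
output and checks that each local address's replies leave on its own
interface. Snapshots are constructed (WAN uses the 203.0.113.0/24
documentation range; 198.51.100.1 is a placeholder internet host)."""
import ipaddress
import subprocess

# Constructed: local addresses and their interfaces, as `ip -o addr` would show.
LOCAL_ADDRS = {"192.168.0.236/24": "eth0", "203.0.113.10/24": "eth1"}
PROBE_DST = "198.51.100.1"

# Constructed `ip rule show` output after the rules from the post are applied.
RULES_OK = """\
0:\tfrom all lookup local
900:\tfrom 192.168.0.0/24 lookup OfficeLan
900:\tfrom all to 192.168.0.0/24 lookup OfficeLan
1000:\tfrom 203.0.113.10 lookup InternetWan
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
# The same snapshot with the WAN rule pasted against the wrong table.
RULES_BAD = RULES_OK.replace("lookup InternetWan", "lookup OfficeLan")

# Constructed `ip route show table <name>` output, one entry per table.
TABLES = {
    "main": "default via 192.168.0.1 dev eth0\n"
            "192.168.0.0/24 dev eth0 scope link src 192.168.0.236\n"
            "203.0.113.0/24 dev eth1 scope link src 203.0.113.10\n",
    "OfficeLan": "default via 192.168.0.1 dev eth0\n"
                 "192.168.0.1 dev eth0 scope link src 192.168.0.236\n"
                 "127.0.0.0/8 dev lo scope link\n",
    "InternetWan": "default via 203.0.113.1 dev eth1\n"
                   "203.0.113.0/24 dev eth1 scope link src 203.0.113.10\n",
}


def parse_rules(text):
    """Return [(prio, src_net, dst_net, table)] sorted by priority."""
    any_net = ipaddress.ip_network("0.0.0.0/0")
    rules = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        prio, _, rest = line.partition(":")
        tok, src, dst, table, i = rest.split(), any_net, any_net, "main", 0
        while i < len(tok):
            key = tok[i]
            val = tok[i + 1] if i + 1 < len(tok) else None
            if key == "from" and val != "all":
                src = ipaddress.ip_network(val, strict=False)
            elif key == "to" and val != "all":
                dst = ipaddress.ip_network(val, strict=False)
            elif key == "lookup":
                table = val
            else:                 # "from all", "to all" or an unknown flag
                i += 1
                continue
            i += 2
        rules.append((int(prio), src, dst, table))
    return sorted(rules, key=lambda r: r[0])


def parse_routes(text):
    """Return [(dst_net, gateway_or_None, dev)] from route-table output."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        via = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((ipaddress.ip_network(dst, strict=False), via, dev))
    return routes


def resolve(src_ip, dst_ip, rules, tables):
    """Walk the rules like the kernel: the first matching rule whose table
    holds a route for dst wins; an empty lookup falls through to the next."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, src_net, dst_net, table in rules:
        if src not in src_net or dst not in dst_net:
            continue
        hits = [r for r in parse_routes(tables.get(table, "")) if dst in r[0]]
        if hits:                  # longest-prefix match within this table
            return table, max(hits, key=lambda r: r[0].prefixlen)
    return None, None


def audit(local_addrs, rules_text, tables):
    """One finding per local address whose replies would leave on the wrong
    interface; an empty list means the return paths are symmetric."""
    rules, findings = parse_rules(rules_text), []
    for cidr, iface in local_addrs.items():
        ip, net = cidr.split("/")[0], ipaddress.ip_network(cidr, strict=False)
        table, route = resolve(ip, PROBE_DST, rules, tables)
        if route is None:
            findings.append(f"{ip}: no route to {PROBE_DST} in any table")
        elif route[2] != iface or (route[1] and ipaddress.ip_address(route[1]) not in net):
            findings.append(f"{ip} on {iface}: table {table} routes replies via "
                            f"{route[1]} dev {route[2]}, so return traffic is asymmetric")
    return findings


def live_snapshot(table_names):
    """Collect the real state with iproute2 (needs the `ip` tool; unused by the demo)."""
    run = lambda *a: subprocess.run(["ip", *a], capture_output=True, text=True, check=True).stdout
    return run("rule", "show"), {t: run("route", "show", "table", t) for t in table_names}


if __name__ == "__main__":
    for label, rules in (("rules as posted", RULES_OK), ("WAN rule -> OfficeLan", RULES_BAD)):
        print(f"{label}: {audit(LOCAL_ADDRS, rules, TABLES) or ['OK']}")
```

On a real box, replace the constructed snapshots with `live_snapshot(["main", "OfficeLan", "InternetWan"])` and the address map from `ip -o addr`; a finding that names table `main` means the `from <address>` rule for that interface was never added, the case the post's `post-up`/`post-down` pairs are meant to prevent.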


> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of 
> Peter Milesson via samba
> Sent: Tuesday, 5 March 2019 8:39
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] getent not working after installing firewall
> 
> 
> 
> On 05.03.2019 7:14, Mark Foley via samba wrote:
> > On Tue, 5 Mar 2019 06:17:59 +0100 Reindl Harald 
> <h.reindl@xxxxxxxxxxxxx> wrote:
> >> On 05.03.19 at 00:22, Mark Foley via samba wrote:
> >>> /etc/resolv.conf:
> >>> nameserver 192.168.0.2
> >>> nameserver 209.18.47.62
> >>>
> >>> /etc/hosts:
> >>> 127.0.0.1               localhost
> >>> 192.168.0.60            ccarter
> >>>
> >>> So, the gateway is the Sonicwall firewall, 192.168.0.1. 
> Nameservers are the DC (192.168.0.2)
> >>> and one of the ISP name servers. The IP is static and is 
> set in /etc/hosts. At this point,
> >>> there should be no issues or questions with respect to 
> which gateway or DHCP usage (DHCP is not
> >>> being used)
> >> besides that you really could strip your quotes why in the 
> world are you
> >> doing that? there is no point except asking for troubles 
> when you mix
> >> your DC and an external nameserver
> > Personally, I like the quotes. It gives me, and hopefully 
> others, a clearer picture of the
> > problem and what has been tried. A reader can always skip 
> to the bottom.
> >
> > ANYWAY, Standby! I may have the problem solved. I need to 
> do a bit more experimentation with a
> > couple of components, but I think it might be fixed. I'll 
> post again later when I've confirmed.
> >
> > --Mark
> >
> Hi folks,
> 
> I'll poke a stick into this, due to recent experiences.
> 
> Essentially, it's not a Samba problem. It's a network problem. First, 
> make sure your devices and configurations are in order. Then 
> it may, or 
> may not work anyway.
> 
> For different reasons, I had to make a slight network 
> topology change. I 
> removed the previous gateway/router, and am now using a Cisco ASA as 
> firewall/router. The Cisco people are very explicit in 
> stating that the 
> ASA is a firewall, not a router. It's possible to configure 
> and use it 
> as a router anyway (though you need a PhD in Cisco ASA 
> configuration). 
> The Cisco ASA was given the previous gateway IP.
> 
> Behind the firewall router are 7 different subnets/VLANs. In the main 
> LAN are a bunch of Windows servers in an AD domain. One of the VLANs 
> contains a Samba ADDC, a Samba fileserver, and Windows clients. The 
> Samba domain machines may connect to the Windows domain, but not the 
> other way around. The Windows VLAN, and the Samba VLAN have 
> got internet 
> access. The main DNS servers are in the Windows AD DC, and the backup 
> Windows AD DC. There is one single time source for the main 
> LAN and VLANs.
> 
> After making the changes, I made a very thorough check that 
> everything 
> is working. After 4 days I get a call, that 2 clients in the Samba 
> domain cannot contact the mail server, which is in the 
> Windows domain. 
> Also, those 2 clients cannot connect to a specific printer in the 
> Windows domain. Also, the printer seems to be jabbering, transmitting 
> garbage about 10 times/sec. All other clients in the Samba domain can 
> connect to the mail server without any problems. Testing, retesting, 
> checking firewall rules, checking DNS responses, restarting 
> computers, 
> again, again, again. Everything is OK. But still it does not work.
> 
> Comes after hours, then I make a complete, total reset of all network 
> devices, all servers, and turning off client computers. It's a small 
> network, so it was manageable during a long evening. After that, 
> everything working flawlessly. Even the printer stopped jabbering.
> 
> My only conclusion here is that something very stale was still cached 
> somewhere. I'm exclusively using HP equipment for switching, 
> so there's 
> no no-name, undocumented cheapo stuff in the network. But nobody is 
> perfect...
> 
> Hope that my experiences can give you some input and help.
> 
> Best regards,
> 
> Peter
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 

