
Re: [Samba] getent not working after installing firewall

On 05.03.2019 9:13, Rowland Penny via samba wrote:
On Tue, 5 Mar 2019 08:39:23 +0100
Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:


On 05.03.2019 7:14, Mark Foley via samba wrote:
On Tue, 5 Mar 2019 06:17:59 +0100 Reindl Harald
<h.reindl@xxxxxxxxxxxxx> wrote:
On 05.03.19 at 00:22, Mark Foley via samba wrote:
/etc/resolv.conf:
nameserver 192.168.0.2
nameserver 209.18.47.62

/etc/hosts:
127.0.0.1               localhost
192.168.0.60            ccarter

So, the gateway is the Sonicwall firewall, 192.168.0.1.
Nameservers are the DC (192.168.0.2) and one of the ISP name
servers. The IP is static and is set in /etc/hosts. At this
point, there should be no issues or questions with respect to
which gateway or DHCP usage (DHCP is not being used)
besides that, you really could strip your quotes. Why in the world
are you doing that? There is no point except asking for trouble
when you mix your DC and an external nameserver.
Personally, I like the quotes. It gives me, and hopefully others, a
clearer picture of the problem and what has been tried. A reader
can always skip to the bottom.

ANYWAY, Standby! I may have the problem solved. I need to do a bit
more experimentation with a couple of components, but I think it
might be fixed. I'll post again later when I've confirmed.

--Mark

Hi folks,

I'll poke a stick into this, due to recent experiences.

Essentially, it's not a Samba problem. It's a network problem. First,
make sure your devices and configurations are in order. Then it may,
or may not work anyway.

For different reasons, I had to make a slight network topology
change. I removed the previous gateway/router, and am now using a
Cisco ASA as firewall/router. The Cisco people are very explicit in
stating that the ASA is a firewall, not a router. It's possible to
configure and use it as a router anyway (though you need a PhD in
Cisco ASA configuration). The Cisco ASA was given the previous
gateway IP.

Behind the firewall router are 7 different subnets/VLANs. In the main
LAN are a bunch of Windows servers in an AD domain. One of the VLANs
contains a Samba ADDC, a Samba fileserver, and Windows clients. The
Samba domain machines may connect to the Windows domain, but not the
other way around. The Windows VLAN, and the Samba VLAN have got
internet access. The main DNS servers are in the Windows AD DC, and
the backup Windows AD DC. There is one single time source for the
main LAN and VLANs.

After making the changes, I made a very thorough check that
everything is working. After 4 days I get a call, that 2 clients in
the Samba domain cannot contact the mail server, which is in the
Windows domain. Also, those 2 clients cannot connect to a specific
printer in the Windows domain. Also, the printer seems to be
gibbering, transmitting garbage about 10 times/sec. All other clients
in the Samba domain can connect to the mail server without any
problems. Testing, retesting, checking firewall rules, checking DNS
responses, restarting computers, again, again, again. Everything is
OK. But still it does not work.

Comes after hours, then I make a complete, total reset of all network
devices, all servers, and turning off client computers. It's a small
network, so it was manageable during a long evening. After that,
everything was working flawlessly. Even the printer stopped gibbering.

My only conclusion here is that something very stale was still cached
somewhere. I'm exclusively using HP equipment for switching, so
there's no no-name, undocumented cheapo stuff in the network. But
nobody is perfect...

Hope that my experiences can give you some input and help.

Best regards,

Peter


This is just my opinion:

From what I have seen, these expensive firewall type boxes are not
worth the money. Problems are regularly posted on here, that turn out
to be the 'firewall boxes' fault.
If you are installing something at the gateway of your LAN, it better
be a router as well or you are just asking for trouble.

There are numerous open source firewalls available (pfsense,
smoothwall, etc), so why pay through the nose for one?

Rowland

Hi Rowland,

You are right about firewall boxes. At least Cisco ASA is a terribly (over) complicated device. People who are not Cisco pros should be warned. Stay away, you will just waste your time, get frustrated, and get sleepless nights.

I don't blame the Cisco ASA here. In my case, I hadn't much choice. The management wants network connection with Apple stuff. The only reasonable solution I found was Cisco AnyConnect. Just recently, I found that OpenVPN works with Apple devices at the moment (no guarantee for the future, seems to be an on/off type relationship between Apple and OpenVPN). So I've ordered a Linux based router/firewall with OpenVPN to replace the Cisco stuff. Hope the ON-relationship stays for the next few iOS updates...

Best regards,

Peter
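Reindl's point about mixing the DC and an external nameserver, turned into a check a domain-member admin can run (added example code, not from the thread or from Samba): it parses a resolv.conf and flags any nameserver that is not a DC, or a DC not listed first. The DC address set and the sample file contents are assumptions, the latter copied from the resolv.conf quoted in the thread.

```python
"""Resolver sanity check for a Linux AD domain member.

A domain member must send every DNS query to a DC. If an external
nameserver is listed as well, the libc resolver falls through to it
on any timeout, and the AD-only records (_ldap._tcp.<realm> and
friends) come back NXDOMAIN from it, which is one way winbind and
getent silently stop working.
"""

# Constructed sample input, copied from the resolv.conf quoted in the thread.
RESOLV_CONF = """\
nameserver 192.168.0.2
nameserver 209.18.47.62
"""

# Assumption: the DC addresses for this domain (the thread names only .2).
DC_ADDRS = {"192.168.0.2"}


def parse_nameservers(text):
    """Return nameserver IPs in resolv.conf order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def check_resolver(text, dc_addrs):
    """Return a list of findings; an empty list means every nameserver
    is a DC and a DC is queried first."""
    servers = parse_nameservers(text)
    if not servers:
        return ["no nameserver lines found"]
    findings = []
    if servers[0] not in dc_addrs:
        findings.append(f"first nameserver {servers[0]} is not a DC")
    external = [s for s in servers if s not in dc_addrs]
    if external:
        findings.append("non-DC nameserver(s) mixed in: " + ", ".join(external))
    return findings


if __name__ == "__main__":
    # Run against a real box with: check_resolver(open("/etc/resolv.conf").read(), DC_ADDRS)
    for finding in check_resolver(RESOLV_CONF, DC_ADDRS) or ["resolver OK"]:
        print(finding)
```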
