
[Samba] Cross-subnet authentication & firewall



#1
07-01-2008
Misty Stanley-Jones
[Samba] Cross-subnet authentication & firewall

I've got two subnets joined by an OpenVPN bridge. I used to have my PDC on
the router 192.168.2.128, and the DMS 192.168.2.1 happily authenticated to
it.

Now, for security and other reasons I have put my PDC behind a firewall.
The PDC now lives at 192.168.1.3, and my router is still on 192.168.1.1 and
192.168.2.128.

In the router's iptables rules, I have added the following:

iptables -t nat -A PREROUTING -p tcp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
iptables -t nat -A PREROUTING -p tcp --dport 445 -i tap0 -j DNAT --to 192.168.1.3

iptables -t nat -A PREROUTING -p udp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
iptables -t nat -A PREROUTING -p udp --dport 445 -i tap0 -j DNAT --to 192.168.1.3

(tap0 is the 192.168.2.128 interface)

In the DMS's smb.conf, I have the following:

[global]
workgroup = CORP
netbios name = FURNSRV
server string = Furniture File Server
security = domain
password server = 192.168.1.3
wins server = 192.168.1.3
wins support = no
wins proxy = no
name resolve order = wins
dns proxy = no
local master = yes
domain master = no
preferred master = yes
os level = 65
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_BROADCAST
printing = cups
printcap = cups
remote browse sync = 192.168.1.3

When I start Samba on the DMB, I can do 'net join' just fine. I can ping
the PDC. I can list shares on the PDC. I can't list shares on the client!

root@honk:/etc/samba# smbclient -L localhost
Password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS

I'm a little befuddled here. Is there something I've forgotten in iptables?
Is something else missing? I'm not sure exactly what to debug. I have done
tcpdump on the PDC and I can see requests and responses, but I'm not 100%
clear what to look for.

I appreciate any help at all!

Thanks,
Misty

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

#2
07-01-2008
misty@borkholder.com
Re: [Samba] Cross-subnet authentication & firewall


Here is some more info. When I try to authenticate to see the DMB's
shares, I get different results on the DMB and the PDC.

PDC:
[2008/07/01 00:25:42, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: sam authentication for user [root] succeeded
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2008/07/01 00:25:42, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2008/07/01 00:25:42, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded

DMB:
[2008/07/01 00:25:49, 3] libsmb/namequery.c:get_dc_list(1426)
get_dc_list: preferred server list: "CORPSRV, 192.168.1.3"
[2008/07/01 00:25:49, 3] libsmb/namequery_dc.c:rpc_dc_name(117)
rpc_dc_name: Returning DC CORPSRV (192.168.1.3) for domain CORP
[2008/07/01 00:25:49, 3] libsmb/cliconnect.c:cli_start_connection(1426)
Connecting to host=CORPSRV
[2008/07/01 00:25:49, 3] lib/util_sock.c:open_socket_out(874)
Connecting to 192.168.1.3 at port 445
[2008/07/01 00:25:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine CORPSRV pipe \NETLOGON fnum 0x70bb bind request returned ok.
[2008/07/01 00:25:51, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine CORPSRV pipe \NETLOGON fnum 0x70bc bind request returned ok.
[2008/07/01 00:25:51, 0] auth/auth_domain.c:domain_client_validate(246)
domain_client_validate: unable to validate password for user root in domain CORP to Domain controller CORPSRV. Error was NT_STATUS_UNSUCCESSFUL.
[2008/07/01 00:25:51, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [root] -> [root] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2008/07/01 00:25:51, 3] smbd/error.c:error_packet(146)
error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX) NT_STATUS_NO_LOGON_SERVERS
[2008/07/01 00:25:51, 3] smbd/process.c:timeout_processing(1359)


WHY would the DMB say that it failed when the PDC said it succeeded???






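As an added example (not code from the thread or from Samba itself), the following parses Samba debug-log excerpts of the kind quoted in the two posts, where each entry is a "[date, level] file:func(line)" header followed by message lines that mail quoting may have re-wrapped, and compares the PDC's and the DMB's final verdict for one logon. The sample entries are copied from the logs above; nothing else is assumed.

```python
"""Added example, not from the original post: parse the Samba debug-log
excerpts quoted above ('[date, level] file:func(line)' header followed by
message lines) and compare the PDC's and DMB's verdict for one logon."""
import re
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$")
NTSTATUS = re.compile(r"NT_STATUS_[A-Z_]+")
USER = re.compile(r"user \[?(\w+)\]?")
AUTH_FUNCS = ("check_ntlm_password", "domain_client_validate")
# Sample entries copied from the thread's two logs (mail wrapping preserved).
PDC_LOG = """[2008/07/01 00:25:42, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded"""
DMB_LOG = """[2008/07/01 00:25:51, 0] auth/auth_domain.c:domain_client_validate(246)
  domain_client_validate: unable to validate password for user root in
  domain CORP to Domain controller CORPSRV. Error was NT_STATUS_UNSUCCESSFUL.
[2008/07/01 00:25:51, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [root] -> [root] FAILED
  with error NT_STATUS_NO_LOGON_SERVERS"""

def parse_samba_log(text):
    """Group each header with its message lines into (ts, level, location, message)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()  # the indent of continuation lines may be lost in a quote
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(3), ""])
        elif entries and line:
            entries[-1][3] = (entries[-1][3] + " " + line).strip()
    return [tuple(e) for e in entries]

def final_verdict(entries, user):
    """Last auth verdict for user: ('succeeded'|'failed', NT_STATUS code)."""
    verdict = None
    for _ts, _lvl, loc, msg in entries:
        func = loc.split(":")[-1].split("(")[0]  # e.g. check_ntlm_password
        u = USER.search(msg)
        if func not in AUTH_FUNCS or not u or u.group(1) != user:
            continue
        ok = "succeeded" in msg.lower()
        code = NTSTATUS.search(msg)
        verdict = ("succeeded" if ok else "failed",
                   code.group(0) if code else ("NT_STATUS_OK" if ok else "UNKNOWN"))
    return verdict

def verdicts_disagree(pdc_log, dmb_log, user):
    """True when the DC accepted the logon but the member server reported failure."""
    pdc = final_verdict(parse_samba_log(pdc_log), user)
    dmb = final_verdict(parse_samba_log(dmb_log), user)
    return bool(pdc and dmb and pdc[0] != dmb[0])
```

On the thread's own excerpts this yields ('succeeded', 'NT_STATUS_OK') for the PDC and ('failed', 'NT_STATUS_NO_LOGON_SERVERS') for the DMB, so the disagreement sits in the domain_client_validate step over the \NETLOGON pipe rather than in the password check itself.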