[Samba] Domain logons and client IP broadcasts
Sherwood Botsford
sbotsford at sjsa.ab.ca
Tue Jan 30 20:14:26 GMT 2007
Ok, I'm stumped.
Last week domain logons worked.
Now when I try to logon, I get a message, "You could not logon
because the SJSA domain is not available."
I've had this happen before when the trust account between the
client and server was out of sync (restored a disk image that had
a different trust account password).
To fix this, it has been sufficient to quit the domain, reset the
password for the machine account, and rejoin the domain.
If I do this, I get a new message:
"The specified domain either does not exist or could not be
contacted"
If I log in as a local user, I can map network shares with no
problem.
***
Had an idea to test, and now have some more info.
I've recently had problems with a network worm. Part of my
plan is to minimize broadcast traffic, and create a situation
where the clients can't see each other at all.
To this effect I used F-Secure to block all TCP traffic to
192.168.1.2 to 192.168.1.239, which corresponds to my client
space. This part seems to work.
The rule that got me was I tried to block 192.168.1.255 -- the
broadcast address, thinking that if the clients couldn't do
broadcasts, they wouldn't be able to find each other.
My server is set up with wins support = yes, with a name resolution
order of lmhosts (which has the names of my servers), dns, hosts,
but no broadcast.
At first I thought that without broadcast, it couldn't send ARP
requests, but ARPs are Ethernet broadcasts, not TCP. And if the
profile was cached, then logons worked, and browsing worked.
So finally my questions:
1. Why does stopping ip broadcasts break domain logons, but not
browsing shares?
2. What changes can I make to my setup to further inhibit client
to client communication?
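Added illustration, not part of the original post or of Samba's own code: before a domain logon the client must locate a domain controller through the NetBIOS group name SJSA<1C>, which a client with no WINS entry resolves by a broadcast name query to 192.168.1.255, whereas mapping a share only needs the server's unique <20> name, which lmhosts or a unicast query to the WINS server answers without any broadcast. The script builds and decodes both query forms per RFC 1002 and can send one to either destination; the addresses in the comments are constructed placeholders, and the WINS server address is assumed, since the post does not give it.

```python
import socket
import struct

NB_QUERY, IN_CLASS = 0x0020, 0x0001
FLAG_RD, FLAG_B, FLAG_RESPONSE = 0x0100, 0x0010, 0x8000  # RFC 1002 header bits

def encode_netbios_name(name, suffix):
    """First-level encoding: 15-char space-padded name + suffix byte, each nibble sent as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def decode_netbios_name(label):
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_name_query(name, suffix, txid, broadcast):
    """NAME QUERY REQUEST: B flag set when a B-node sends it to the subnet broadcast, clear for unicast to WINS."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD | (FLAG_B if broadcast else 0), 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + question + struct.pack(">HH", NB_QUERY, IN_CLASS)

def build_positive_response(name, suffix, txid, addrs, group=False):
    """POSITIVE NAME QUERY RESPONSE: one 6-byte (NB_FLAGS, IPv4) entry per owner; G bit for group names."""
    rdata = b"".join(struct.pack(">H", 0x8000 if group else 0) + socket.inet_aton(a) for a in addrs)
    header = struct.pack(">HHHHHH", txid, FLAG_RESPONSE | 0x0400 | FLAG_RD, 0, 1, 0, 0)  # R, AA, RD
    rr = b"\x20" + encode_netbios_name(name, suffix) + b"\x00" + struct.pack(">HHIH", NB_QUERY, IN_CLASS, 300, len(rdata))
    return header + rr + rdata

def parse_name_packet(pkt):
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    name, suffix = decode_netbios_name(pkt[13:45])  # 0x20 length byte, 32-byte label, 0x00 terminator
    info = {"txid": txid, "broadcast": bool(flags & FLAG_B), "response": bool(flags & FLAG_RESPONSE),
            "name": name, "suffix": suffix, "addrs": []}
    if ancount:  # RR type/class/TTL occupy bytes 46..53, RDLENGTH 54..55, RDATA from 56
        rdlen = struct.unpack(">H", pkt[54:56])[0]
        info["addrs"] = [socket.inet_ntoa(pkt[i + 2:i + 6]) for i in range(56, 56 + rdlen, 6)]
    return info

def query(name, suffix, dest, broadcast, timeout=2.0, txid=0x4242):
    """Send one query on UDP 137 to dest (a WINS server, or a subnet broadcast such as 192.168.1.255)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        if broadcast:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        try:
            s.sendto(build_name_query(name, suffix, txid, broadcast), (dest, 137))
            reply = parse_name_packet(s.recvfrom(1024)[0])
        except (OSError, struct.error):
            return []  # no reply: blocked broadcast, no WINS entry, or no DC registered for the name
    return reply["addrs"] if reply["txid"] == txid and reply["response"] else []
```

Querying the SJSA<1C> group name at the broadcast address reproduces the lookup a client makes before a domain logon, so an empty result while the client firewall blocks 192.168.1.255 is the expected symptom; querying a server's <20> name at the WINS server reproduces the unicast lookup that share mapping can fall back on.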