[Samba] Domain logons and client IP broadcasts

Sherwood Botsford sbotsford at sjsa.ab.ca
Tue Jan 30 20:14:26 GMT 2007


Ok, I'm stumped.
Last week domain logons worked.
Now when I try to log on, I get a message, "You could not logon 
because the SJSA domain is not available."


I've had this happen before when the trust account between the 
client and server was out of sync (restored a disk image that had 
a different trust account password)

To fix this, it has been sufficient to quit the domain, reset the 
password for the machine account, and rejoin the domain.
If I do this, I get a new message:
"The specified domain either does not exist or could not be 
contacted"

If I log in as a local user, I can map network shares with no 
problem.

***

Had an idea to test, and now have some more info.

I've recently had problems with a network worm.  Part of my
plan is to minimize broadcast traffic, and create a situation 
where the clients can't see each other at all.

To this effect I used F-Secure to block all TCP traffic to 
192.168.1.2 to 192.168.1.239, which corresponds to my client 
space.  This part seems to work.

The rule that got me was I tried to block 192.168.1.255 -- the 
broadcast address, thinking that if the clients couldn't do 
broadcasts, they wouldn't be able to find each other.

My server is set up with wins support = yes
with name resolution order of lmhosts (which has the names of my 
servers) dns hosts, but no broadcast.

At first I thought that without broadcast, it couldn't send ARP 
requests, but ARPs are Ethernet broadcasts, not TCP.  And if the 
profile was cached, then logons worked, and browsing worked.

So finally my questions:

1.  Why does stopping IP broadcasts break domain logons, but not 
browsing shares?

2.  What changes can I make to my setup to further inhibit client 
to client communication?
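
Added illustration, not part of the original post and not Samba's code: a Windows domain logon starts with a NetBIOS name query for the group name SJSA<1C> (the domain controllers), while mapping \\server\share resolves the server's <20> name. A client with no WINS server configured sends both queries as UDP/137 broadcasts; a client pointed at a WINS server sends them unicast. Setting `wins support = yes` on the Samba server does not by itself make the clients use it; each client (or DHCP option 44) has to be told the WINS address, and the post does not say how the clients are configured. The script below builds the RFC 1002 name query in both forms to show that the only difference is the B flag and the destination, and parses a positive response. The domain name SJSA and the address 192.168.1.1 in the constructed response are assumptions.

```python
"""NetBIOS name query (RFC 1002) for DOMAIN<1C>: broadcast vs unicast-to-WINS.

Constructed example for the mailing-list question above; not Samba's code.
Assumed: domain SJSA, a WINS/DC at 192.168.1.1 (used only in the fake reply).
"""
import socket
import struct
import sys

NB_PORT = 137
SUFFIX_SERVER = 0x20      # file server service: what \\server\share resolves
SUFFIX_DOMAIN_DC = 0x1C   # domain controllers group: what a domain logon resolves
FLAG_RD = 0x0100          # recursion desired (set on every client query)
FLAG_B = 0x0010           # B flag: packet is a broadcast, not a WINS query
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001


def encode_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15 chars padded with spaces plus the suffix byte,
    each nibble mapped to 'A'..'P', wrapped as one 32-byte label."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(ord("A") + (b >> 4))
        enc.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"


def decode_name(label: bytes) -> tuple:
    """Inverse of encode_name: returns (name, suffix)."""
    if len(label) < 34 or label[0] != 32:
        raise ValueError("not a 32-byte NetBIOS label")
    enc = label[1:33]
    raw = bytes(((enc[i] - ord("A")) << 4) | (enc[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_query(name: str, suffix: int, trn_id: int, broadcast: bool) -> bytes:
    """Header: TRN_ID, flags, QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT; then one question."""
    flags = FLAG_RD | (FLAG_B if broadcast else 0)
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def parse_response(pkt: bytes) -> list:
    """Return the IPv4 addresses carried in a positive name query response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an == 0:        # not a response, or no answers
        return []
    off = 12
    for _ in range(qd):                      # usually 0 in a response
        off += 34 + 4
    addrs = []
    for _ in range(an):
        off += 2 if pkt[off] & 0xC0 == 0xC0 else 34   # compressed pointer or full name
        rr_type, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rr_type != QTYPE_NB:
            continue
        for i in range(0, rdlen, 6):         # ADDR_ENTRY: NB_FLAGS(2) + NB_ADDRESS(4)
            addrs.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return addrs


def constructed_response(trn_id: int = 0x1234) -> bytes:
    """Fake positive response (constructed, not captured): SJSA<1C> -> 192.168.1.1."""
    flags = 0x8000 | 0x0400 | FLAG_RD | 0x0080      # response, AA, RD, RA
    rr = struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, 300000, 6)
    entry = struct.pack(">H", 0x8000) + socket.inet_aton("192.168.1.1")  # group name
    return (struct.pack(">HHHHHH", trn_id, flags, 0, 1, 0, 0)
            + encode_name("SJSA", SUFFIX_DOMAIN_DC) + rr + entry)


def send_query(name: str, suffix: int, dest: str, broadcast: bool, timeout: float = 2.0) -> list:
    """Send the query on UDP/137 and parse the reply; needs a network, so not run by default."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if broadcast:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, suffix, 0x1234, broadcast), (dest, NB_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return []
    finally:
        sock.close()
    return parse_response(data)


if __name__ == "__main__":
    bcast = build_query("SJSA", SUFFIX_DOMAIN_DC, 0x1234, broadcast=True)
    wins = build_query("SJSA", SUFFIX_DOMAIN_DC, 0x1234, broadcast=False)
    print("broadcast query:", bcast.hex())
    print("WINS query     :", wins.hex())
    print("only the flags differ:", bcast[4:] == wins[4:], bcast[2:4].hex(), wins[2:4].hex())
    print("parsed fake reply:", parse_response(constructed_response()))
    if len(sys.argv) == 3:   # usage: script.py <WINS-or-broadcast-addr> <b|u>
        print(send_query("SJSA", SUFFIX_DOMAIN_DC, sys.argv[1], sys.argv[2] == "b"))
```

On a live network the same check can be made with Samba's own tool: `nmblookup 'SJSA#1c'` sends the broadcast form, and `nmblookup -U <wins-ip> -R 'SJSA#1c'` sends the unicast form to a WINS server; if only the second one answers once 192.168.1.255 is blocked, the clients are relying on broadcast to find the domain controller.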

