[Samba] Cross-subnet authentication & firewall
misty at borkholder.com
Tue Jul 1 04:30:24 GMT 2008
> I've got two subnets joined by an OpenVPN bridge. I used to have my PDC on
> the router 192.168.2.128, and the DMS 192.168.2.1 happily authenticated to it.
>
> Now, for security and other reasons I have put my PDC behind a firewall.
> The PDC now lives at 192.168.1.3, and my router is still on 192.168.1.1 and
> 192.168.2.128.
>
> In the router's iptables rules, I have added the following:
>
> iptables -t nat -A PREROUTING -p tcp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
> iptables -t nat -A PREROUTING -p tcp --dport 445 -i tap0 -j DNAT --to 192.168.1.3
>
> iptables -t nat -A PREROUTING -p udp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
> iptables -t nat -A PREROUTING -p udp --dport 445 -i tap0 -j DNAT --to 192.168.1.3
>
> (tap0 is the 192.168.2.128 interface)
>
> In the DMS's smb.conf, I have the following:
>
> [global]
> workgroup = CORP
> netbios name = FURNSRV
> server string = Furniture File Server
> security = domain
> password server = 192.168.1.3
> wins server = 192.168.1.3
> wins support = no
> wins proxy = no
> name resolve order = wins
> dns proxy = no
> local master = yes
> domain master = no
> preferred master = yes
> os level = 65
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_BROADCAST
> printing = cups
> printcap = cups
> remote browse sync = 192.168.1.3
>
> When I start Samba on the DMB, I can do 'net join' just fine. I can ping
> the PDC. I can list shares on the PDC. I can't list shares on the client!
>
> root at honk:/etc/samba# smbclient -L localhost
> Password:
> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>
> I'm a little befuddled here. Is there something I've forgotten in iptables?
> Is something else missing? I'm not sure exactly what to debug. I have done
> tcpdump on the PDC and I can see requests and responses, but I'm not 100%
> clear what to look for.
>
> I appreciate any help at all!
>
> Thanks,
> Misty
>
Here is some more info. When I try to authenticate to see the DMB's
shares, I get different results on the DMB and the PDC.
PDC:
[2008/07/01 00:25:42, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: sam authentication for user [root] succeeded
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2008/07/01 00:25:42, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2008/07/01 00:25:42, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
DMB:
[2008/07/01 00:25:49, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: "CORPSRV, 192.168.1.3"
[2008/07/01 00:25:49, 3] libsmb/namequery_dc.c:rpc_dc_name(117)
  rpc_dc_name: Returning DC CORPSRV (192.168.1.3) for domain CORP
[2008/07/01 00:25:49, 3] libsmb/cliconnect.c:cli_start_connection(1426)
  Connecting to host=CORPSRV
[2008/07/01 00:25:49, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 192.168.1.3 at port 445
[2008/07/01 00:25:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine CORPSRV pipe \NETLOGON fnum 0x70bb bind request returned ok.
[2008/07/01 00:25:51, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine CORPSRV pipe \NETLOGON fnum 0x70bc bind request returned ok.
[2008/07/01 00:25:51, 0] auth/auth_domain.c:domain_client_validate(246)
  domain_client_validate: unable to validate password for user root in domain CORP to Domain controller CORPSRV. Error was NT_STATUS_UNSUCCESSFUL.
[2008/07/01 00:25:51, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [root] -> [root] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2008/07/01 00:25:51, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX) NT_STATUS_NO_LOGON_SERVERS
[2008/07/01 00:25:51, 3] smbd/process.c:timeout_processing(1359)
WHY would the DMB say that it failed when the PDC said it succeeded???
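As an added example (not part of the original post and not Samba project code), the following Python parses smbd debug-log excerpts in the format shown above and separates the member-side NETLOGON validation error recorded by domain_client_validate from the final verdict that check_ntlm_password hands back to the SMB client, so the two hosts' logs can be compared mechanically rather than by eye. The sample log text is constructed from the excerpts in this thread; the host and function names are the ones that appear there, and the two-space indent of message lines is Samba's normal debug-log layout.

```python
"""Parse Samba smbd debug-log excerpts (a '[date, level] file:func(line)'
header followed by indented, possibly wrapped message lines) and summarise
authentication outcomes per host. Added example; not from the original post."""
import re

HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+?):(\w+)\((\d+)\)$"
)
NT_STATUS = re.compile(r"NT_STATUS_[A-Z_]+")
# Final verdict written by auth/auth.c:check_ntlm_password on either host.
VERDICT = re.compile(
    r"check_ntlm_password: .*?for user \[([^\]]+)\].*?\b(succeeded|FAILED)\b"
)
# Member-side error written by auth/auth_domain.c:domain_client_validate.
DC_ERROR = re.compile(r"to Domain controller (\S+?)\. Error was (NT_STATUS_[A-Z_]+)")

# Sample input, constructed from the PDC excerpt in the post above.
PDC_LOG = """\
[2008/07/01 00:25:42, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: sam authentication for user [root] succeeded
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2008/07/01 00:25:42, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] -> [root] -> [root]
  succeeded
"""

# Sample input, constructed from the DMB (domain member) excerpt above.
DMB_LOG = """\
[2008/07/01 00:25:49, 3] libsmb/namequery_dc.c:rpc_dc_name(117)
  rpc_dc_name: Returning DC CORPSRV (192.168.1.3) for domain CORP
[2008/07/01 00:25:51, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine CORPSRV pipe \\NETLOGON fnum 0x70bc bind
  request returned ok.
[2008/07/01 00:25:51, 0] auth/auth_domain.c:domain_client_validate(246)
  domain_client_validate: unable to validate password for user root in
  domain CORP to Domain controller CORPSRV. Error was
  NT_STATUS_UNSUCCESSFUL.
[2008/07/01 00:25:51, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [root] -> [root] FAILED
  with error NT_STATUS_NO_LOGON_SERVERS
[2008/07/01 00:25:51, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
  NT_STATUS_NO_LOGON_SERVERS
"""


def parse_samba_log(text):
    """Return one record per header line; wrapped message lines that follow a
    header are joined into that record's 'msg' until the next header."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            ts, level, src, func, lineno = m.groups()
            records.append({"time": ts, "level": int(level), "file": src,
                            "func": func, "line": int(lineno), "msg": ""})
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records


def auth_verdicts(records):
    """One entry per check_ntlm_password verdict: user, ok flag, NT status."""
    out = []
    for r in records:
        if r["func"] != "check_ntlm_password":
            continue
        m = VERDICT.search(r["msg"])
        if not m:
            continue
        st = NT_STATUS.search(r["msg"])
        out.append({"time": r["time"], "user": m.group(1),
                    "ok": m.group(2) == "succeeded",
                    "status": st.group(0) if st else "NT_STATUS_OK"})
    return out


def dc_validation_errors(records):
    """(domain controller, NT status) pairs reported by domain_client_validate."""
    return [DC_ERROR.search(r["msg"]).groups()
            for r in records
            if r["func"] == "domain_client_validate" and DC_ERROR.search(r["msg"])]


def compare_hosts(pdc_text, member_text):
    """Summarise both sides so a DC-side success next to a member-side
    failure stands out, together with the RPC status the member recorded."""
    pdc, member = parse_samba_log(pdc_text), parse_samba_log(member_text)
    return {
        "pdc_ok": all(v["ok"] for v in auth_verdicts(pdc)),
        "member_ok": all(v["ok"] for v in auth_verdicts(member)),
        "member_status": [v["status"] for v in auth_verdicts(member)],
        "dc_errors": dc_validation_errors(member),
    }


if __name__ == "__main__":
    for key, value in compare_hosts(PDC_LOG, DMB_LOG).items():
        print(f"{key}: {value}")
```

Run against real logs by reading each host's log.smbd (at "log level = 3" or higher) into the two text arguments; compare_hosts returns the DC-side and member-side verdicts side by side, and dc_errors lists the status the member saw on the NETLOGON pipe, which is the value to look at first when the verdicts disagree.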