PDC on external network
Sanjeev Ananth
san_133 at hotmail.com
Wed Mar 10 00:50:16 GMT 1999
Thanks Steve,
I enabled forwarding to the PDC and masquerading to the rest and it
seems to work.
I guess it has to do with masquerading, but what exactly is still unclear.
Sanjeev
>From: Steve Langasek <vorlon at dodds.net>
>To: Sanjeev Ananth <san_133 at hotmail.com>
>CC: Multiple recipients of list <samba-technical at samba.org>
>Subject: Re: PDC on external network
>Date: Fri, 5 Mar 1999 10:38:42 -0600 (EST)
>
>On Fri, 5 Mar 1999, Sanjeev Ananth wrote:
>
>> I am running a linux server (Red Hat 5.1) with 2 network interfaces ,
>> one connecting to the internet and the other to the internal network.
>
>> Using IPfwadm all hosts on the internal network access the internet.
>> The only config statements in rc.firewall are
>
>> ipfwadm -F -p deny
>> ipfwadm -F -a m -S 10.0.0.0/8 -D 0.0.0.0/0
>
>> Using this have no problem to access anywhere from the internal network
>> and no reason for the external network to access the internal until now.
>
>> I have connected an NT Server 4.0 on the external network which is a
>> PDC. From an NT workstation on the internal network when I try to
>> connect to the NT domain - I get a 'The domain controller for this
>> domain cannot be located' message.
>
>> Can anyone tell me what 'ipfwadm' needs to allow authentication?
>
>I don't know specifically what's going to be failing here, not having looked
>at this part of the SMB protocol, but there are a couple of problems you're
>likely to run into. If the PDC has to send data back to the workstation on a
>different port than the one data was being received from, IP Masq will fail to
>catch it; if the PDC expects the src addr in the IP header to match an IP it
>has on record, or that is contained in the packet data itself, you'll also see
>a failure. Perhaps the PDC is picking up multiple machines behind the
>firewall all coming from the same IP (the masqing box), and this is causing a
>problem somehow... I don't know. I don't think it's a simple problem with
>WINS resolution, since in my experience WINS works through masqing firewalls
>just fine, but beyond that I have no idea.
>
>Someone here may be able to tell you easily what parts of the protocol are
>failing, and it may be something that can be fixed w/ the kernel port
>auto-forwarding stuff or with the addition of a kernel masqing module (like
>ip_masq_ftp). You might also try sniffing some of the traffic from the
>firewall box, to see what's being sent where.
>
>If it can't be fixed with a firewall rule or kernel module--and this is quite
>possible, since the workstation is registering with WINS using the IP it
>knows, a private IP that's inaccessible from the network--the other option
>would be to set up an SMB masqing proxy daemon on the firewall machine that
>would take the SMB traffic from inside the firewall and translate it for use
>outside. I've been vaguely entertaining the notion of writing such a program,
>since I have some masqueraded networks of my own that I'd like to link
>together, but I don't have time to do any serious work on it right now, and
>probably won't for a couple months to come.
>
>I'm always willing to donate some time as a debugger, tho. ;)
>
>-Steve Langasek
>
>
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
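Added example (not part of the thread above, and not Samba or Linux IP Masq code): Steve's second failure mode is that the workstation's own IP address travels inside the NetBIOS payload, where plain masquerading never looks. The script below builds an RFC 1002 NAME REGISTRATION REQUEST as a workstation would send it to a WINS server, rewrites only the IP/UDP header the way a masquerading box does, and shows that the NB_ADDRESS in the RDATA still carries the private address the server cannot reach. It then does the payload rewrite an application-aware masq helper (the ip_masq_ftp idea from the reply) would have to perform. The addresses (10.0.0.5 workstation, 192.0.2.10 WINS/PDC, 203.0.113.1 external interface of the Linux box), the transaction ID and the name WKS01 are constructed; `Datagram` and `masquerade` are a model of what the kernel does, not its implementation.

```python
import dataclasses
import ipaddress
import struct

NB_TYPE = 0x0020            # RR type NB (RFC 1002)
IN_CLASS = 0x0001
OPCODE_REGISTRATION = 5
# R=0, OPCODE=5, NM_FLAGS: RD=1, B=0 (unicast to a WINS server), RCODE=0
REGISTRATION_FLAGS = 0x2900


def encode_netbios_name(name, suffix):
    """First-level encoding (RFC 1001 14.1): 16 raw bytes -> 32 chars 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"   # label length, label, no scope


def decode_netbios_name(data, pos):
    """Inverse of encode_netbios_name; returns (name, suffix, next offset)."""
    length = data[pos]
    enc = data[pos + 1:pos + 1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, length, 2))
    pos += 1 + length
    while data[pos]:                  # skip any scope labels
        pos += 1 + data[pos]
    return raw[:15].decode("ascii").rstrip(" "), raw[15], pos + 1


def build_name_registration(trn_id, name, suffix, nb_address, ttl=300000):
    """NAME REGISTRATION REQUEST (RFC 1002 4.2.2) for a unique B-node name."""
    qname = encode_netbios_name(name, suffix)
    header = struct.pack(">HHHHHH", trn_id, REGISTRATION_FLAGS, 1, 0, 0, 1)
    question = qname + struct.pack(">HH", NB_TYPE, IN_CLASS)
    nb_flags = 0x0000                 # G=0 (unique name), ONT=00 (B node)
    rdata = struct.pack(">H", nb_flags) + ipaddress.IPv4Address(nb_address).packed
    # RR_NAME is a compression pointer back to the question name at offset 12
    rr = b"\xC0\x0C" + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_name_registration(pkt):
    """Extract the name and NB_ADDRESS, and record where NB_ADDRESS sits."""
    trn_id, flags, qd, _an, _ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    if (flags >> 11) & 0xF != OPCODE_REGISTRATION or qd != 1 or ar != 1:
        raise ValueError("not a NAME REGISTRATION REQUEST")
    name, suffix, pos = decode_netbios_name(pkt, 12)
    pos += 4                                          # QUESTION_TYPE, QUESTION_CLASS
    if pkt[pos] & 0xC0 == 0xC0:                       # compression pointer
        pos += 2
    else:                                             # or a full encoded name
        _, _, pos = decode_netbios_name(pkt, pos)
    _rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    rdata = pkt[pos:pos + rdlen]
    return {
        "trn_id": trn_id, "name": name, "suffix": suffix, "ttl": ttl,
        "group": bool(rdata[0] & 0x80),
        "nb_address": str(ipaddress.IPv4Address(rdata[2:6])),
        "nb_address_offset": pos + 2,                 # NB_FLAGS precedes NB_ADDRESS
    }


@dataclasses.dataclass(frozen=True)
class Datagram:
    """Model of a UDP datagram: what the firewall's header rewrite can touch."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def masquerade(dgram, external_ip, new_src_port):
    """Plain IP masquerading: rewrite the IP/UDP header only, payload untouched."""
    return dataclasses.replace(dgram, src_ip=external_ip, src_port=new_src_port)


def source_matches_registration(dgram):
    """The comparison a server makes if it trusts the address inside the payload."""
    return parse_name_registration(dgram.payload)["nb_address"] == dgram.src_ip


def fix_embedded_address(dgram):
    """What an application-aware masq helper would do: patch NB_ADDRESS too."""
    off = parse_name_registration(dgram.payload)["nb_address_offset"]
    packed = ipaddress.IPv4Address(dgram.src_ip).packed
    return dataclasses.replace(
        dgram, payload=dgram.payload[:off] + packed + dgram.payload[off + 4:])


if __name__ == "__main__":
    # Constructed addresses: 10.0.0.5 workstation, 192.0.2.10 WINS/PDC,
    # 203.0.113.1 external interface of the masquerading Linux box.
    pkt = build_name_registration(0x1234, "WKS01", 0x00, "10.0.0.5")
    inside = Datagram("10.0.0.5", 137, "192.0.2.10", 137, pkt)
    outside = masquerade(inside, "203.0.113.1", 61000)
    print("header src:", outside.src_ip,
          "embedded NB_ADDRESS:", parse_name_registration(outside.payload)["nb_address"],
          "match:", source_matches_registration(outside))
    repaired = fix_embedded_address(outside)
    print("after helper rewrite, match:", source_matches_registration(repaired))
```

Two caveats follow from running it. Patching NB_ADDRESS only makes every internal host register under the firewall's single external address, which is exactly the "multiple machines behind the firewall all coming from the same IP" situation the reply worries about; and this models only name registration on UDP 137, not the rest of the logon exchange.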