PDC on external network

Sanjeev Ananth san_133 at hotmail.com
Wed Mar 10 00:50:16 GMT 1999

Thanks Steve,

I enabled forwarding to the PDC and masquerading to the rest and it 
seems to work.

I guess it has to do with masquerading, but what exactly is still unclear.


>From: Steve Langasek <vorlon at dodds.net>
>To: Sanjeev Ananth <san_133 at hotmail.com>
>CC: Multiple recipients of list <samba-technical at samba.org>
>Subject: Re: PDC on external network
>Date: Fri, 5 Mar 1999 10:38:42 -0600 (EST)
>On Fri, 5 Mar 1999, Sanjeev Ananth wrote:
>> I am running a linux server (Red Hat 5.1) with 2 network interfaces , 
>> one connecting to the internet and the other to the internal network.
>> Using IPfwadm all hosts on the internal network access the internet.  
>> The only config statements  in rc.firewall are
>> ipfwadm -F -p deny
>> ipfwadm -F -a m -S   -D
>> Using this I have no problem accessing anywhere from the internal 
>> network, and there was no reason for the external network to access the 
>> internal, until I connected an NT Server 4.0 on the external network 
>> which is a PDC.  From an NT workstation on the internal network, when I 
>> try to connect to the NT domain I get a 'The domain controller for this 
>> domain cannot be located' message.
>> Can anyone tell me what 'ipfwadm' needs to allow authentication?
>I don't know specifically what's going to be failing here, not having
>looked at this part of the SMB protocol, but there are a couple of
>problems you're likely to run into.  If the PDC has to send data back to
>the workstation on a different port than the one data was being received
>from, IP Masq will fail to catch it; if the PDC expects the src addr in
>the IP header to match an IP it has on record, or that is contained in
>the packet data itself, you'll also see a failure.  Perhaps the PDC is
>picking up multiple machines behind the firewall all coming from the same
>IP (the masqing box), and this is causing a problem somehow...  I don't
>know.  I don't think it's a simple problem of WINS resolution, since in
>my experience WINS works through masqing just fine, but beyond that I
>have no idea.
>
>Someone here may be able to tell you easily what parts of the protocol
>are failing, and it may be something that can be fixed w/ the kernel port
>auto-forwarding stuff or with the addition of a kernel masqing module
>(like ip_masq_ftp).  You might also try sniffing some of the traffic from
>the firewall box, to see what's being sent where.
>
>If it can't be fixed with a firewall rule or kernel module--and this is
>possible, since the workstation is registering with WINS using the IP it
>knows, a private IP that's inaccessible from the network--the other
>option would be to set up an SMB masqing proxy daemon on the firewall
>machine which would take the SMB traffic from inside the firewall and
>translate it for use outside.  I've been vaguely entertaining the notion
>of writing such a daemon, since I have some masqueraded networks of my
>own that I'd like to link together, but I don't have time to do any
>serious work on it right now, and probably won't for a couple months to
>come.
>
>I'm always willing to donate some time as a debugger, tho. ;)
>
>-Steve Langasek

Get Your Private, Free Email at http://www.hotmail.com
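The two masquerading failure modes Steve describes (the reply coming back on a port the masq table does not know, and the workstation's private IP being carried inside the packet data itself) can be seen concretely in a NetBIOS name registration, which is what the workstation sends to WINS when it joins the domain. The following is an added example, not code from this thread, from Samba or from the Linux ipfwadm code: it builds a NAME REGISTRATION REQUEST per RFC 1002, shows that the NB_ADDRESS field still holds the private address after the IP header has been rewritten, and models the masquerade table as a simple per-flow port map (a simplification, not the real 2.0 kernel data structure). All addresses, names and ports are constructed for the example (RFC 1918 and RFC 5737 ranges).

```python
"""
Added example: why a NetBIOS name registration from a masqueraded
workstation confuses a WINS server / NT PDC.  Not the thread's own code.
All addresses are constructed (RFC 1918 inside, RFC 5737 outside).
"""
import ipaddress
import struct

NB_TYPE = 0x0020   # RR type NB (RFC 1002 4.2.1.2)
IN_CLASS = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 14.1): 15-char space-padded name plus
    one suffix byte, each nibble mapped to 'A'..'P', as a 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = bytearray()
    for b in raw:
        label += bytes([ord("A") + (b >> 4), ord("A") + (b & 0x0F)])
    return bytes([len(label)]) + bytes(label) + b"\x00"


def decode_netbios_name(buf: bytes, off: int):
    """Inverse of encode_netbios_name; returns (name, suffix, next offset)."""
    length = buf[off]
    enc = buf[off + 1:off + 1 + length]
    raw = bytes(((enc[i] - 65) << 4) | (enc[i + 1] - 65) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1 + length + 1


def build_registration(name: str, host_ip: str, trn_id: int = 0x1234) -> bytes:
    """NAME REGISTRATION REQUEST (RFC 1002 4.2.2): OPCODE=5, RD set, one
    question and one additional NB record whose RDATA carries NB_ADDRESS."""
    flags = (0x5 << 11) | (0x10 << 4)          # OPCODE registration, NM_FLAGS.RD
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 1)
    question = encode_netbios_name(name) + struct.pack("!HH", NB_TYPE, IN_CLASS)
    # NB_FLAGS 0x0000 = unique name, B-node; then the host's own IPv4 address
    rdata = struct.pack("!H", 0x0000) + ipaddress.IPv4Address(host_ip).packed
    additional = b"\xc0\x0c" + struct.pack("!HHIH", NB_TYPE, IN_CLASS, 300000, len(rdata)) + rdata
    return header + question + additional


def parse_registration(pkt: bytes) -> dict:
    """Pull the name and the embedded NB_ADDRESS back out of the datagram."""
    _trn, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    name, suffix, off = decode_netbios_name(pkt, 12)
    off += 4                                   # skip QTYPE, QCLASS
    if (pkt[off] & 0xC0) != 0xC0:              # expect a compressed name pointer
        raise ValueError("additional RR does not use a name pointer")
    off += 2
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    _nb_flags, addr = struct.unpack("!H4s", pkt[off:off + rdlen])
    return {"opcode": (flags >> 11) & 0xF, "name": name, "suffix": suffix,
            "nb_address": str(ipaddress.IPv4Address(addr))}


def seen_by_wins(outer_src: str, payload: bytes) -> dict:
    """What the WINS/PDC side records: the IP header was rewritten by masq,
    the NB_ADDRESS inside the payload was not."""
    reg = parse_registration(payload)
    embedded = ipaddress.ip_address(reg["nb_address"])
    reg.update(outer_src=outer_src,
               mismatch=str(embedded) != outer_src,
               embedded_is_private=embedded.is_private)
    return reg


class MasqTable:
    """Simplified model (an assumption, not the kernel's real structure) of
    a masquerade table: one entry per outbound flow, replies matched on the
    allocated masq port plus the original destination ip:port."""

    def __init__(self, masq_ip: str, first_port: int = 61000):
        self.masq_ip, self.next_port, self.entries = masq_ip, first_port, {}

    def outbound(self, proto, src, sport, dst, dport):
        key = (proto, src, sport, dst, dport)
        if key not in self.entries:
            self.entries[key], self.next_port = self.next_port, self.next_port + 1
        return (self.masq_ip, self.entries[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Return (inside ip, inside port) for a reply, or None if dropped."""
        if dst != self.masq_ip:
            return None
        for (p, isrc, isport, idst, idport), mport in self.entries.items():
            if (p, idst, idport, mport) == (proto, src, sport, dport):
                return (isrc, isport)
        return None


if __name__ == "__main__":
    pkt = build_registration("WORKSTATION1", "192.168.1.10")
    print(seen_by_wins("203.0.113.5", pkt))       # WINS stores the private 192.168.1.10
    masq = MasqTable("203.0.113.5")
    print(masq.outbound("udp", "192.168.1.10", 137, "198.51.100.7", 137))
    print(masq.inbound("udp", "198.51.100.7", 137, "203.0.113.5", 61000))  # matched
    print(masq.inbound("udp", "198.51.100.7", 138, "203.0.113.5", 138))    # dropped
```

The `seen_by_wins` check is the one to apply to a capture taken on the firewall box, as Steve suggests: decode the registration and compare NB_ADDRESS with the outer source address. A mismatch means the PDC has recorded an address it cannot route to, which no ipfwadm rule will fix; the `MasqTable` half shows the separate case where the PDC's reply simply never matches a table entry.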
