PDC on external network

Sanjeev Ananth san_133 at hotmail.com
Wed Mar 10 00:50:16 GMT 1999 

Thanks Steve,

I enabled forwarding to the PDC and masquerading to the rest and it 
seems to work.

I guess it has to do with masquerading but what is still unclear.

Sanjeev




>From: Steve Langasek <vorlon at dodds.net>
>To: Sanjeev Ananth <san_133 at hotmail.com>
>CC: Multiple recipients of list <samba-technical at samba.org>
>Subject: Re: PDC on external network
>Date: Fri, 5 Mar 1999 10:38:42 -0600 (EST)
>
>On Fri, 5 Mar 1999, Sanjeev Ananth wrote:
>
>> I am running a linux server (Red Hat 5.1) with 2 network interfaces , 
>> one connecting to the internet and the other to the internal network.
>
>> Using IPfwadm all hosts on the internal network access the internet.  
>> The only config statements  in rc.firewall are
>
>> ipfwadm -F -p deny
>> ipfwadm -F -a m -S 10.0.0.0/8   -D 0.0.0.0/0
>
>> Using this have no problem to access anywhere from the internal 
network 
>> and no reason for the external network to access the internal until 
now.  
>
>> I have connected an NT Server 4.0 on the external network which is a 
>> PDC.  From an NT workstation on the internal network when I try to 
>> connect to the NT domain - I get a 'The domain controller for this 
>> domain cannot be located' message.
>
>> Can anyone tell me what 'ipfwadm' needs to allow authentication?
>
>I don't know specifically what's going to be failing here, not having 
looked
>at this part of the SMB protocol, but there are a couple of problems 
you're
>likely to run into.  If the PDC has to send data back to the 
workstation on a
>different port than the one data was being received from, IP Masq will 
fail to
>catch it; if the PDC expects the src addr in the IP header to match an 
IP it
>has on record, or that is contained in the packet data itself, you'll 
also see
>a failure.  Perhaps the PDC is picking up multiple machines behind the
>firewall all coming from the same IP (the masqing box), and this is 
causing a
>problem somehow...  I don't know.  I don't think it's a simple problem 
with
>WINS resolution, since in my experience WINS works through masqing 
firewalls
>just fine, but beyond that I have no idea.
>
>Someone here may be able to tell you easily what parts of the protocol 
are
>failing, and it may be something that can be fixed w/ the kernel port
>auto-forwarding stuff or with the addition of a kernel masqing module 
(like
>ip_masq_ftp).  You might also try sniffing some of the traffic from the
>firewall box, to see what's being sent where.
>
>If it can't be fixed with a firewall rule or kernel module--and this is 
quite
>possible, since the workstation is registering with WINS using the IP 
it
>knows, a private IP that's inaccessible from the network--the other 
option
>would be to set up an SMB masqing proxy daemon on the firewall machine 
that
>would take the SMB traffic from inside the firewall and translate it 
for use
>outside.  I've been vaguely entertaining the notion of writing such a 
program,
>since I have some masqueraded networks of my own that I'd like to link
>together, but I don't have time to do any serious work on it right now, 
and
>probably won't for a couple months to come.
>
>I'm always willing to donate some time as a debugger, tho. ;)
>
>-Steve Langasek
>
>


______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

More information about the samba-technical mailing list