[Samba] Domain logons and client IP broadcasts -- Resolved

Sherwood Botsford sbotsford at sjsa.ab.ca
Thu Feb 8 17:50:36 GMT 2007


I originally posted that I wanted to reduce broadcast traffic on my 
network so that
a rogue machine got as little information as possible about other 
machines on my network.

To do this I undertook 3 steps.
1.  Turned off file and printer sharing in the network config.
2.  Using a firewall with packet filtering capability blocked all 
traffic between clients.
3.  Adding a rule that blocked all traffic too/from the broadcast address.
4.  Through my dhcp server told all clients to use WINS, mode 2 
(unicast) and put in the IP address of  my samba PDC as the server. 
5.  On the PDC verified that wins support was set to yes.
6.  Made sure that my local DNS server had an entry for the domain name, 
and that it
pointed to the PDC.

#3 caused some problems.  If a cached roaming profile existed on the system
logins proceeded normally.  If the profile was not cached, a message, 
"You can't log in because the SJSA domain is not available.

This struck me as curious:  Why would the only problem be with logins.  
All network mapping seemed to be fine.

Next change I did was to put an entry in the local machine lmhosts file
for the PDC, with the options #PRE #DOM:sjsa
and on networking -> TCP/IP->Advaced, fill the check box for 'use lmhosts'.

This works, but I still don't understand why blocking broadcasts prevented
non-cached domain logins to fail.  This work-a-round suggests that 
broadcasts are an essential part of discovering who your domain 
controller is.

My best guess at this point is that my broadcast stomping is interfering 
with the election process.

More information about the samba mailing list