[Samba] Domain logons and client IP broadcasts -- Resolved
Sherwood Botsford
sbotsford at sjsa.ab.ca
Thu Feb 8 17:50:36 GMT 2007
Summary:
I originally posted that I wanted to reduce broadcast traffic on my network so that
a rogue machine got as little information as possible about other machines on my network.
To do this I undertook 3 steps.
1. Turned off file and printer sharing in the network config.
2. Using a firewall with packet filtering capability, blocked all
traffic between clients.
3. Added a rule that blocked all traffic to/from the broadcast address.
4. Through my DHCP server, told all clients to use WINS, mode 2
(unicast), and put in the IP address of my Samba PDC as the server.
5. On the PDC, verified that wins support was set to yes.
6. Made sure that my local DNS server had an entry for the domain name,
and that it pointed to the PDC.
#3 caused some problems. If a cached roaming profile existed on the system,
logins proceeded normally. If the profile was not cached, a message:
"You can't log in because the SJSA domain is not available."
This struck me as curious: why would the only problem be with logins?
All network mapping seemed to be fine.
The next change I did was to put an entry in the local machine's lmhosts file
for the PDC, with the options #PRE #DOM:sjsa,
and on Networking -> TCP/IP -> Advanced, fill the check box for 'use lmhosts'.
This works, but I still don't understand why blocking broadcasts caused
non-cached domain logins to fail. This workaround suggests that
broadcasts are an essential part of discovering who your domain
controller is.
My best guess at this point is that my broadcast stomping is interfering
with the election process.
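The configuration the post describes (steps 4 and 5 plus the lmhosts workaround), written out as an added example; this is not code from the original post or from the Samba project. The PDC address 192.168.1.2, the host name "pdc", and the use of ISC dhcpd are assumptions made for illustration; the domain name SJSA is the one in the post. The three fragments are embedded as constructed strings, and the small checks below them confirm each one says what it should, in particular that the lmhosts line carries both #PRE and #DOM, since that is the entry that lets a client find its domain controller without broadcasting.

```shell
#!/bin/sh
# Added example for the procedure in the post above; not code from the
# original post. Assumed for illustration: the PDC is 192.168.1.2, named
# "pdc", the NetBIOS domain is SJSA, and the DHCP server is ISC dhcpd.

# Constructed dhcpd.conf fragment (step 4): hand out the PDC as the WINS
# server and set NetBIOS node type 2 (P-node: resolve names by unicast
# query to WINS only, never fall back to broadcast).
DHCPD_FRAGMENT='subnet 192.168.1.0 netmask 255.255.255.0 {
    option netbios-name-servers 192.168.1.2;
    option netbios-node-type 2;
}'

# Constructed smb.conf fragment (step 5): the PDC answers WINS queries.
SMB_FRAGMENT='[global]
    workgroup = SJSA
    domain logons = yes
    wins support = yes'

# Constructed lmhosts line (the workaround): preload the PDC into the
# NetBIOS name cache (#PRE) and flag it as a domain controller for SJSA
# (#DOM). On Windows this lives in %SystemRoot%\System32\drivers\etc\lmhosts
# and "Enable LMHOSTS lookup" must be ticked in the adapter's WINS settings.
LMHOSTS_SAMPLE='192.168.1.2   pdc   #PRE   #DOM:sjsa'

# Print the netbios-node-type value found in a dhcpd.conf fragment.
dhcp_node_type() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*option netbios-node-type[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p'
}

# Print the value of one smb.conf parameter, e.g. "wins support".
smb_param() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)[[:space:]]*$/\1/p"
}

# Succeed when the lmhosts text names a preloaded domain controller for
# the given domain (case-insensitive); fail when #PRE or #DOM:<domain>
# is missing, which is the situation that breaks non-cached domain
# logons once broadcasts are filtered.
lmhosts_has_dc() {
    printf '%s\n' "$1" | grep -Eiq "#PRE[[:space:]]+#DOM:$2([[:space:]]|$)"
}

# Run all three sanity checks against the constructed fragments.
check_all() {
    [ "$(dhcp_node_type "$DHCPD_FRAGMENT")" = 2 ] ||
        { echo "netbios-node-type is not 2 (P-node)"; return 1; }
    [ "$(smb_param "$SMB_FRAGMENT" 'wins support')" = yes ] ||
        { echo "wins support is not yes on the PDC"; return 1; }
    lmhosts_has_dc "$LMHOSTS_SAMPLE" sjsa ||
        { echo "lmhosts has no #PRE #DOM:sjsa entry"; return 1; }
    echo "all checks passed"
}

check_all
```

To confirm on a live network that a P-node client can find the domain controller without broadcasting, a unicast WINS query from a Samba host for the domain's domain-controller group name, `nmblookup -U 192.168.1.2 -R 'SJSA#1B'`, should return the PDC's address; if it does not, the client has nothing to fall back on once broadcasts are blocked.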