[Samba] Cross-subnet authentication & firewall
Misty Stanley-Jones
misty at borkholder.com
Tue Jul 1 00:01:42 GMT 2008
I've got two subnets joined by an OpenVPN bridge. I used to have my PDC on
the router 192.168.2.128, and the DMS 192.168.2.1 happily authenticated to
it.
Now, for security and other reasons I have put my PDC behind a firewall.
The PDC now lives at 192.168.1.3, and my router is still on 192.168.1.1 and
192.168.2.128.
In the router's iptables rules, I have added the following:
iptables -t nat -A PREROUTING -p tcp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
iptables -t nat -A PREROUTING -p tcp --dport 445 -i tap0 -j DNAT --to 192.168.1.3
iptables -t nat -A PREROUTING -p udp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
iptables -t nat -A PREROUTING -p udp --dport 445 -i tap0 -j DNAT --to 192.168.1.3
(tap0 is the 192.168.2.128 interface)
In the DMS's smb.conf, I have the following:
[global]
workgroup = CORP
netbios name = FURNSRV
server string = Furniture File Server
security = domain
password server = 192.168.1.3
wins server = 192.168.1.3
wins support = no
wins proxy = no
name resolve order = wins
dns proxy = no
local master = yes
domain master = no
preferred master = yes
os level = 65
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_BROADCAST
printing = cups
printcap = cups
remote browse sync = 192.168.1.3
When I start Samba on the DMB, I can do 'net join' just fine. I can ping
the PDC. I can list shares on the PDC. I can't list shares on the client!
root at honk:/etc/samba# smbclient -L localhost
Password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS
I'm a little befuddled here. Is there something I've forgotten in iptables?
Is something else missing? I'm not sure exactly what to debug. I have done
tcpdump on the PDC and I can see requests and responses, but I'm not 100%
clear what to look for.
I appreciate any help at all!
Thanks,
Misty
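An added example, not part of the post above and not Samba project code: a POSIX shell script that emits the rule set a DNAT of the NetBIOS/SMB ports into a PDC behind the router needs. It keeps the PDC address and the tap0 interface from the post, but the remote subnet restriction (192.168.2.0/24) and the use of `-s`/`-m state` are this example's own choices. Two things it adds to the four PREROUTING rules in the post: the DNAT is limited to the remote subnet's source range rather than anything arriving on tap0, and it prints the FORWARD rules that a DNAT'd packet still has to pass when the FORWARD chain's policy is DROP (DNAT only rewrites the destination, it does not grant forwarding). By default it only prints the commands; `apply` runs them.

```shell
#!/bin/sh
# Added example (not from the original post): generate the NAT and FORWARD rules
# for redirecting NetBIOS/SMB traffic from a VPN subnet to a PDC behind the router.
# Dry-run by default; "apply" executes the printed commands.

PDC_IP="${PDC_IP:-192.168.1.3}"             # PDC behind the firewall (value from the post)
VPN_IF="${VPN_IF:-tap0}"                    # interface facing the remote subnet (from the post)
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}"  # remote subnet allowed in (assumption for this example)

# Emit one DNAT rule and one matching FORWARD accept per (protocol, port range).
smb_rules() {
    for proto in tcp udp; do
        for ports in 137:139 445; do
            # Rewrite the destination only for packets that come from the remote subnet.
            echo "iptables -t nat -A PREROUTING -i $VPN_IF -s $REMOTE_NET -p $proto --dport $ports -j DNAT --to-destination $PDC_IP"
            # After DNAT the packet is forwarded; accept it on its way to the PDC.
            echo "iptables -A FORWARD -i $VPN_IF -s $REMOTE_NET -d $PDC_IP -p $proto --dport $ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
        done
    done
    # Replies from the PDC back out to the remote subnet (conntrack un-DNATs them).
    echo "iptables -A FORWARD -s $PDC_IP -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules produced (2 protocols x 2 port ranges x 2 rules + 1 reply rule = 9).
smb_rule_count() {
    smb_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    smb_rules | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
else
    smb_rules
fi
```

Run it without arguments first and compare its output against `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n` on the router; the point of the dry-run is to see the full NAT-plus-forwarding picture before touching a live firewall.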