[Samba] Cross-subnet authentication & firewall

misty at borkholder.com
Tue Jul 1 04:30:24 GMT 2008


> I've got two subnets joined by an OpenVPN bridge.  I used to have my PDC on
> the router 192.168.2.128, and the DMS 192.168.2.1 happily authenticated to it.
>
> Now, for security and other reasons I have put my PDC behind a firewall.
> The PDC now lives at 192.168.1.3, and my router is still on 192.168.1.1 and
> 192.168.2.128.
>
> In the router's iptables rules, I have added the following:
>
> iptables -t nat -A PREROUTING -p tcp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
> iptables -t nat -A PREROUTING -p tcp --dport 445 -i tap0 -j DNAT --to 192.168.1.3
>
> iptables -t nat -A PREROUTING -p udp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
> iptables -t nat -A PREROUTING -p udp --dport 445 -i tap0 -j DNAT --to 192.168.1.3
>
> (tap0 is the 192.168.2.128 interface)
>
> In the DMS's smb.conf, I have the following:
>
> [global]
>     workgroup = CORP
>     netbios name = FURNSRV
>     server string = Furniture File Server
>     security = domain
>     password server = 192.168.1.3
>     wins server = 192.168.1.3
>     wins support = no
>     wins proxy = no
>     name resolve order = wins
>     dns proxy = no
>     local master = yes
>     domain master = no
>     preferred master = yes
>     os level = 65
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_BROADCAST
>     printing = cups
>     printcap = cups
>     remote browse sync = 192.168.1.3
>
> When I start Samba on the DMB, I can do 'net join' just fine.  I can ping
> the PDC.  I can list shares on the PDC.  I can't list shares on the
> client!
>
> root@honk:/etc/samba# smbclient -L localhost
> Password:
> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>
> I'm a little befuddled here.  Is there something I've forgotten in iptables?
> Is something else missing?  I'm not sure exactly what to debug.  I have done
> tcpdump on the PDC and I can see requests and responses, but I'm not 100%
> clear what to look for.
>
> I appreciate any help at all!
>
> Thanks,
> Misty
>

Here is some more info.  When I try to authenticate to see the DMB's
shares, I get different results on the DMB and the PDC.

PDC:
[2008/07/01 00:25:42, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: sam authentication for user [root] succeeded
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2008/07/01 00:25:42, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2008/07/01 00:25:42, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root]
succeeded

DMB:
[2008/07/01 00:25:49, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: "CORPSRV, 192.168.1.3"
[2008/07/01 00:25:49, 3] libsmb/namequery_dc.c:rpc_dc_name(117)
  rpc_dc_name: Returning DC CORPSRV (192.168.1.3) for domain CORP
[2008/07/01 00:25:49, 3] libsmb/cliconnect.c:cli_start_connection(1426)
  Connecting to host=CORPSRV
[2008/07/01 00:25:49, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 192.168.1.3 at port 445
[2008/07/01 00:25:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine CORPSRV pipe \NETLOGON fnum 0x70bb bind
request returned ok.
[2008/07/01 00:25:51, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine CORPSRV pipe \NETLOGON fnum 0x70bc bind
request returned ok.
[2008/07/01 00:25:51, 0] auth/auth_domain.c:domain_client_validate(246)
  domain_client_validate: unable to validate password for user root in
domain CORP to Domain controller CORPSRV. Error was
NT_STATUS_UNSUCCESSFUL.
[2008/07/01 00:25:51, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [root] -> [root] FAILED
with error NT_STATUS_NO_LOGON_SERVERS
[2008/07/01 00:25:51, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
NT_STATUS_NO_LOGON_SERVERS
[2008/07/01 00:25:51, 3] smbd/process.c:timeout_processing(1359)


WHY would the DMB say that it failed when the PDC said it succeeded???
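Lining up both hosts' log entries by user makes the disagreement above easier to see. The following is an added example (not from the post and not part of Samba): it parses the debug-log format shown above, rejoins messages that were wrapped across lines, pulls out the check_ntlm_password and domain_client_validate outcomes, and flags users for whom one host reports success while another reports only failure. The "dc_rejected" label and the sample strings are this example's own, built from the lines quoted in the post.

```python
import re
# Samba debug-log header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
AUTH = re.compile(r"check_ntlm_password:\s+(?:sam )?authentication for user \[([^\]]+)\]"
                  r".*?\b(succeeded|FAILED)\b(?: with error (NT_STATUS_\w+))?", re.I)
VALIDATE = re.compile(r"domain_client_validate: unable to validate password for user (\S+)"
                      r" in domain \S+ to Domain controller (\S+)\. Error was (NT_STATUS_\w+)")

def parse_samba_log(text):
    """[timestamp, level, origin, message]; header-less wrapped lines join the previous entry."""
    entries = []
    for line in text.splitlines():
        if (m := HEADER.match(line.strip())):
            entries.append([m.group(1), int(m.group(2)), m.group(3), ""])
        elif entries and line.strip():
            entries[-1][3] = (entries[-1][3] + " " + line.strip()).strip()
    return entries

def auth_events(entries):
    """(timestamp, user, result, nt_status) for local outcomes and DC-rejected validations."""
    events = []
    for ts, _level, _origin, msg in entries:
        if (m := AUTH.search(msg)):
            events.append((ts, m.group(1), m.group(2).lower(), m.group(3)))
        elif (m := VALIDATE.search(msg)):
            events.append((ts, m.group(1), "dc_rejected:" + m.group(2), m.group(3)))
    return events

def compare_hosts(logs):
    """logs: {host: text}. Returns {user: {host: [(result, status)]}} and the users
    for which one host reports success while another reports only failure."""
    by_user = {}
    for host, text in logs.items():
        for _ts, user, result, status in auth_events(parse_samba_log(text)):
            by_user.setdefault(user, {}).setdefault(host, []).append((result, status))
    disagree = {u for u, hosts in by_user.items()
                if len({any(r == "succeeded" for r, _ in ev) for ev in hosts.values()}) > 1}
    return by_user, disagree

# Sample logs, constructed from the lines quoted in the post (wrapping kept as-is).
PDC_LOG = """[2008/07/01 00:25:42, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root]
succeeded"""
DMB_LOG = """[2008/07/01 00:25:51, 0] auth/auth_domain.c:domain_client_validate(246)
  domain_client_validate: unable to validate password for user root in
domain CORP to Domain controller CORPSRV. Error was
NT_STATUS_UNSUCCESSFUL.
[2008/07/01 00:25:51, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [root] -> [root] FAILED
with error NT_STATUS_NO_LOGON_SERVERS"""
```

Run it over the full level-3 logs of both machines (`compare_hosts({"PDC": open(...).read(), "DMB": open(...).read()})`) to get, per user, the NT_STATUS the DC actually returned next to what each host concluded.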

