[Samba] getent not working after installing firewall
Rowland Penny
rpenny at samba.org
Mon Mar 4 17:18:31 UTC 2019
On Mon, 04 Mar 2019 11:48:00 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:
> On Mon, 4 Mar 2019 14:50:38 +0000 Rowland Penny wrote:
> >
> > On Mon, 04 Mar 2019 09:15:12 -0500
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > I have a rather strange and urgent problem. Last evening I
> > > installed a Sonicwall firewall between the Internet and office
> > > LAN. The only change that I know of for the LAN workstations was
> > > that the gateway is now 192.168.0.1 instead of 192.168.0.2. All
> > > workstations: Windows, Linux and Mac use DHCP and the AD/DC is
> > > the DHCP server, so I wouldn't think that mattered.
> > >
> > > All Windows workstations work fine, I didn't even have to reboot
> > > them. Windows Users can log in, they have their redirected
> > > folders, etc.
> > >
> > > Having a problem on Linux. When I run 'getent passwd' it returns
> > > only the list of users in /etc/passwd on the AD/DC. No domain
> > > users are returned. 'getent passwd <domainuser>' returns status 2.
> > >
> > > The domain user can log on to Linux.
> > >
> > > Any idea what's up with this? I use getent on Linux for various
> > > things.
> > >
> > > Thanks, Mark
> > >
> > > Samba 4.8.2
> > >
> >
> > Let's see if I have this correct, you have installed a firewall on
> > something between the original gateway and your LAN, you have not
> > touched anything else, except to point your computers to the new
> > firewall as the gateway (presumably by DHCP). Is this correct ?
> >
> > You have logged into a DC and run:
> >
> > getent passwd username
> >
> > Which produces no output, where previously it did.
> >
> > Is the DC using itself as the nameserver ?
> > Is the DC using the correct gateway ?
> >
> > Rowland
>
> Partially correct. Before installing the firewall, the Gateway on
> the AD/DC was configured as the ISP's gateway (98.102.63.105). I
> changed the gateway to be 192.168.0.1 (the Sonicwall). I believe
> that's all I did. I did reboot the AD/DC. The AD/DC is also the
> DHCP server.
>
> I've tested with stopping the firewall on the AD/DC as well. Didn't
> help.
>
> On the AD/DC 'getent passwd' does work.
>
> $ getent passwd mark
> mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>
> On the Linux domain member workstation it does not.
>
> $ getent passwd mark; echo $?
> 2
>
> However, the user of that workstation is able to log in using domain
> credentials, ntlm_auth also works:
>
> $ ntlm_auth --username=mark --password='mypass'
> NT_STATUS_OK: Success (0x0)
>
> BTW - The Mac workstations cannot now authenticate with domain
> credentials. I tried to unbind and rebind one of the workstations,
> but when trying to unbind I got the message, "Unable to access domain
> controller". It can see the domain controller:
>
> $ host mail
> mail.hprs.local has address 192.168.0.2
>
> However, this is possibly an additional/separate (though related)
> issue. I don't want to complicate the original question. I can deal
> with the Macs later and perhaps solving the Linux issue will
> magically solve the Mac issue. I've included the Mac information in
> case it provides additional clues.
>
> As I said, no problems whatsoever with the Windows 7 domain members.
>
> --Mark
>
OK, just a thought, is there a DHCP server running on your Sonicwall?
What does running 'route' show (you will probably have to do this as
root or via sudo). It should show your sonicwall as the gateway.
Try running these:
hostname -s
hostname -d
hostname -i
hostname -I
Do they show what you expect ?
What is in /etc/resolv.conf?
I suppose I should mention that you should do all the above on the Unix
domain member.
Rowland
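The checks Rowland asks for on the Unix domain member (default route, hostname -s/-d/-i/-I, /etc/resolv.conf, then getent) gathered into one script, as an added example that is not part of the thread or of Samba. It assumes the values the thread mentions (DC and DNS at 192.168.0.2, new gateway 192.168.0.1, realm hprs.local); the sample resolv.conf and route tables and the hostname ws1 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): checker for the items
# a domain member needs right before winbind/NSS lookups can work.
# Expected values are assumed from the thread: DC/DNS 192.168.0.2,
# gateway 192.168.0.1, realm hprs.local.

DC_IP="192.168.0.2"
GATEWAY_IP="192.168.0.1"
REALM="hprs.local"

# check_resolv FILE: the first nameserver must be the DC (winbind needs the
# AD DNS zone, not the firewall's resolver) and search/domain must name the
# realm so short names like 'mail' resolve.
check_resolv() {
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    if [ "$ns" != "$DC_IP" ]; then
        echo "resolv.conf: first nameserver is '${ns:-none}', expected $DC_IP"
        return 1
    fi
    if ! awk -v r="$REALM" '($1 == "search" || $1 == "domain") {
            for (i = 2; i <= NF; i++) if ($i == r) found = 1 }
            END { exit !found }' "$1"; then
        echo "resolv.conf: no search/domain entry for $REALM"
        return 1
    fi
    return 0
}

# check_route FILE: FILE holds 'route -n' output; the default route
# (destination 0.0.0.0) must point at the new firewall.
check_route() {
    gw=$(awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print $2; exit }' "$1")
    if [ "$gw" != "$GATEWAY_IP" ]; then
        echo "route: default gateway is '${gw:-none}', expected $GATEWAY_IP"
        return 1
    fi
    return 0
}

# check_names SHORT DOMAIN IP: outputs of hostname -s, -d and -i. The domain
# part must be the realm, and -i must give a LAN address, not a 127.x entry
# left in /etc/hosts, or the member's own name will not map to its interface.
check_names() {
    short=$1; domain=$2; ip=$3
    if [ -z "$short" ] || [ "$domain" != "$REALM" ]; then
        echo "hostname: '$short' in domain '$domain', expected domain $REALM"
        return 1
    fi
    case "$ip" in
        127.*) echo "hostname -i returns loopback $ip; check /etc/hosts"; return 1 ;;
    esac
    return 0
}

# run_live [USER]: run the real checks on this host ('route -n' may need
# root), then try the NSS lookup that failed in the thread.
run_live() {
    user=${1:-}; rc=0
    tmp=$(mktemp)
    route -n > "$tmp" 2>/dev/null && check_route "$tmp" || rc=1
    rm -f "$tmp"
    check_resolv /etc/resolv.conf || rc=1
    check_names "$(hostname -s)" "$(hostname -d)" "$(hostname -i)" || rc=1
    echo "hostname -I: $(hostname -I)"
    if [ -n "$user" ]; then
        getent passwd "$user" > /dev/null || { echo "getent passwd $user: status $?"; rc=1; }
    fi
    return $rc
}

# Constructed sample inputs (not captured from the poster's machines).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/resolv.good" <<EOF
search hprs.local
nameserver 192.168.0.2
EOF
# What a lease from a DHCP server on the firewall itself would typically give.
cat > "$SAMPLE_DIR/resolv.bad" <<EOF
nameserver 192.168.0.1
EOF
cat > "$SAMPLE_DIR/route.good" <<EOF
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
EOF

# Usage: sh memberchk.sh --live mark
if [ "${1:-}" = "--live" ]; then
    run_live "${2:-}"
fi
```

On a member, NSS lookups through winbind depend on the member finding the DC through AD DNS, so a resolver handed out by a second DHCP server (the firewall's) is the first thing this flags; the script parses 'route -n' output, so on a host with only iproute2 substitute 'ip route' and adjust check_route.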