[Samba] getent not working after installing firewall

Peter Milesson miles at atmos.eu
Tue Mar 5 07:39:23 UTC 2019



On 05.03.2019 7:14, Mark Foley via samba wrote:
> On Tue, 5 Mar 2019 06:17:59 +0100 Reindl Harald <h.reindl at thelounge.net> wrote:
>> Am 05.03.19 um 00:22 schrieb Mark Foley via samba:
>>> /etc/resolv.conf:
>>> nameserver 192.168.0.2
>>> nameserver 209.18.47.62
>>>
>>> /etc/hosts:
>>> 127.0.0.1               localhost
>>> 192.168.0.60            ccarter
>>>
>>> So, the gateway is the Sonicwall firewall, 192.168.0.1. Nameservers are the DC (192.168.0.2)
>>> and one of the ISP name servers. The IP is static and is set in /etc/hosts. At this point,
>>> there should be no issues or questions with respect to which gateway or DHCP usage (DHCP is not
>>> being used)
>> besides that you really could strip your quotes why in the world are you
>> doing that? there is no point except asking for troubles when you mix
>> your DC and an external nameserver
> Personally, I like the quotes. It gives me, and hopefully others, a clearer picture of the
> problem and what has been tried. A reader can always skip to the bottom.
>
> ANYWAY, Standby! I may have the problem solved. I need to do a bit more experimentation with a
> couple of components, but I think it might be fixed. I'll post again later when I've confirmed.
>
> --Mark
>
Hi folks,

I'll poke a stick into this, due to recent experiences.

Essentially, it's not a Samba problem. It's a network problem. First, 
make sure your devices and configurations are in order. Then it may, or 
may not work anyway.

For different reasons, I had to make a slight network topology change. I 
removed the previous gateway/router, and am now using a Cisco ASA as 
firewall/router. The Cisco people are very explicit in stating that the 
ASA is a firewall, not a router. It's possible to configure and use it 
as a router anyway (though you need a PhD in Cisco ASA configuration). 
The Cisco ASA was given the previous gateway IP.

Behind the firewall router are 7 different subnets/VLANs. In the main 
LAN are a bunch of Windows servers in an AD domain. One of the VLANs 
contains a Samba ADDC, a Samba fileserver, and Windows clients. The 
Samba domain machines may connect to the Windows domain, but not the 
other way around. The Windows VLAN, and the Samba VLAN have got internet 
access. The main DNS servers are in the Windows AD DC, and the backup 
Windows AD DC. There is one single time source for the main LAN and VLANs.

After making the changes, I made a very thorough check that everything 
is working. After 4 days I get a call, that 2 clients in the Samba 
domain cannot contact the mail server, which is in the Windows domain. 
Also, those 2 clients cannot connect to a specific printer in the 
Windows domain. Also, the printer seems to be jibbering, transmitting 
garbage about 10 times/sec. All other clients in the Samba domain can 
connect to the mail server without any problems. Testing, retesting, 
checking firewall rules, checking DNS responses, restarting computers, 
again, again, again. Everything is OK. But still it does not work.

Comes after hours, then I make a complete, total reset of all network 
devices, all servers, and turning off client computers. It's a small 
network, so it was manageable during a long evening. After that, 
everything was working flawlessly. Even the printer stopped jibbering.

My only conclusion here is that something very stale was still cached 
somewhere. I'm exclusively using HP equipment for switching, so there's 
no no-name, undocumented cheapo stuff in the network. But nobody is 
perfect...

Hope that my experiences can give you some input and help.

Best regards,

Peter



