[Samba] getent not working after installing firewall

Peter Milesson miles at atmos.eu
Tue Mar 5 08:43:44 UTC 2019



On 05.03.2019 9:13, Rowland Penny via samba wrote:
> On Tue, 5 Mar 2019 08:39:23 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 05.03.2019 7:14, Mark Foley via samba wrote:
>>> On Tue, 5 Mar 2019 06:17:59 +0100 Reindl Harald
>>> <h.reindl at thelounge.net> wrote:
>>>> Am 05.03.19 um 00:22 schrieb Mark Foley via samba:
>>>>> /etc/resolv.conf:
>>>>> nameserver 192.168.0.2
>>>>> nameserver 209.18.47.62
>>>>>
>>>>> /etc/hosts:
>>>>> 127.0.0.1               localhost
>>>>> 192.168.0.60            ccarter
>>>>>
>>>>> So, the gateway is the Sonicwall firewall, 192.168.0.1.
>>>>> Nameservers are the DC (192.168.0.2) and one of the ISP name
>>>>> servers. The IP is static and is set in /etc/hosts. At this
>>>>> point, there should be no issues or questions with respect to
>>>>> which gateway or DHCP usage (DHCP is not being used)
>>>> besides that you really could strip your quotes, why in the world
>>>> are you doing that? there is no point except asking for trouble
>>>> when you mix your DC and an external nameserver
>>> Personally, I like the quotes. It gives me, and hopefully others, a
>>> clearer picture of the problem and what has been tried. A reader
>>> can always skip to the bottom.
>>>
>>> ANYWAY, Standby! I may have the problem solved. I need to do a bit
>>> more experimentation with a couple of components, but I think it
>>> might be fixed. I'll post again later when I've confirmed.
>>>
>>> --Mark
>>>
>> Hi folks,
>>
>> I'll poke a stick into this, due to recent experiences.
>>
>> Essentially, it's not a Samba problem. It's a network problem. First,
>> make sure your devices and configurations are in order. Then it may,
>> or may not work anyway.
>>
>> For different reasons, I had to make a slight network topology
>> change. I removed the previous gateway/router, and am now using a
>> Cisco ASA as firewall/router. The Cisco people are very explicit in
>> stating that the ASA is a firewall, not a router. It's possible to
>> configure and use it as a router anyway (though you need a PhD in
>> Cisco ASA configuration). The Cisco ASA was given the previous
>> gateway IP.
>>
>> Behind the firewall router are 7 different subnets/VLANs. In the main
>> LAN are a bunch of Windows servers in an AD domain. One of the VLANs
>> contains a Samba ADDC, a Samba fileserver, and Windows clients. The
>> Samba domain machines may connect to the Windows domain, but not the
>> other way around. The Windows VLAN, and the Samba VLAN have got
>> internet access. The main DNS servers are in the Windows AD DC, and
>> the backup Windows AD DC. There is one single time source for the
>> main LAN and VLANs.
>>
>> After making the changes, I made a very thorough check that
>> everything is working. After 4 days I get a call, that 2 clients in
>> the Samba domain cannot contact the mail server, which is in the
>> Windows domain. Also, those 2 clients cannot connect to a specific
>> printer in the Windows domain. Also, the printer seems to be
>> gibbering, transmitting garbage about 10 times/sec. All other clients
>> in the Samba domain can connect to the mail server without any
>> problems. Testing, retesting, checking firewall rules, checking DNS
>> responses, restarting computers, again, again, again. Everything is
>> OK. But still it does not work.
>>
>> Come after hours, I made a complete, total reset of all network
>> devices, all servers, and turned off the client computers. It's a small
>> network, so it was manageable during a long evening. After that,
>> everything was working flawlessly. Even the printer stopped gibbering.
>>
>> My only conclusion here is that something very stale was still cached
>> somewhere. I'm exclusively using HP equipment for switching, so
>> there's no no-name, undocumented cheapo stuff in the network. But
>> nobody is perfect...
>>
>> Hope that my experiences can give you some input and help.
>>
>> Best regards,
>>
>> Peter
>>
>>
> This is just my opinion:
>
> From what I have seen, these expensive firewall type boxes are not
> worth the money. Problems are regularly posted on here that turn out
> to be the 'firewall boxes' fault.
> If you are installing something at the gateway of your LAN, it had better
> be a router as well, or you are just asking for trouble.
>
> There are numerous open source firewalls available (pfSense,
> Smoothwall, etc.), so why pay through the nose for one?
>
> Rowland
>
Hi Rowland,

You are right about firewall boxes. At least Cisco ASA is a terribly 
(over) complicated device. People who are not Cisco pros should be 
warned. Stay away, you will just waste your time, get frustrated, and 
get sleepless nights.

I don't blame the Cisco ASA here. In my case, I hadn't much choice. The 
management wants a network connection for Apple stuff. The only 
reasonable solution I found was Cisco AnyConnect. Just recently, I found 
that OpenVPN works with Apple devices at the moment (no guarantee for 
the future; it seems to be an on/off type relationship between Apple and 
OpenVPN). So I've ordered a Linux based router/firewall with OpenVPN to 
replace the Cisco stuff. Hope the ON-relationship stays for the next few 
iOS updates...

Best regards,

Peter