[Samba] getent not working after installing firewall

Reindl Harald h.reindl at thelounge.net
Tue Mar 5 14:01:20 UTC 2019

On 05.03.19 at 14:32, L.P.H. van Belle via samba wrote:
>> well, what is the point of multihoming an internal server at all?
> That all depends on your needs, sure; most people don't need a multihomed setup. 
> My default gw is/are my core switches, where I'm intervlanning. 
> 5 endpoints to different locations, Mail split up over 2 locations.
> Webserver with 2 internet locations but accessible through 3 locations + LAN
> And 6 subnets (in vlans.) 
> Sounds all complex, wha.. Yes maybe, but things like that are why 'I' need multihoming. 

my point is that the multihoming should happen on a device dealing with
routing/internet traffic and not on a samba machine so that it's
completely transparent to the LAN

> Can this be improved? Sure, yes, but I'm not questioning the T.P.'s setup, 
> I'm showing a solution for his problem.  Nothing more, nothing less. 
> You are questioning my solution, that's good, now I think.. 
>> that's the job of the firewall/router/gateway but on your LAN you just
>> have a 192.168.x.x network with no non-default routes and just the
>> gateway which only is part of the game when a machine wants to talk to
>> something not in its own LAN
> This suggests that for you a firewall, router and gateway are the same? Not for me. 
> This might be 1, 2 or 3 devices. 

it might be 3 devices, but none of them should be your Samba DC

> Or  https://tools.ietf.org/html/rfc4795 
> The Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS)
>  packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.

the point here is local link

> So I don't totally agree with your statement:
> "there is no point dealing with multicast packets on the firewall"

not when the firewall separates your LAN from the internet,
mdns/broadcasts belong to the LAN

> Again, this all is highly subject to your needs, 90% of the users won't need it.. 
> On that I agree with you. 
> On the samba list we do have beginners and very advanced users. 
> So that's why I do show things.. 
> And I do appreciate your input Harald. 
> Things like this will only make samba better and the resulting setups will be better

the point I made is that I question the OP's setup in general where
internal hosts are aware of routing, multihoming and so on at all

look at the first rules below

INBOUND:  that chain deals with packets from the internet
OUTBOUND: that chain deals with packets to the internet
INTERNAL: that chain deals with VPN traffic and "loopback"

"wan" is in fact a multihomed bridge running HSRP between the uplinks
but that's still a different layer and so in the firewall rules it doesn't
matter, the virtual gateway stays the same and for inbound traffic you
don't need to care over which line it enters the gateway and ruleset

the LAN interface and the network including switches and servers don't
need to know anything about that

when replacing the openvpn machine with wireguard most likely there will
be a new chain for the wireguard-interfaces and the decision if a packet
targets INTERNAL/WIREGUARD is made by the routing before, still
completely transparent to the LAN

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source
1     320M  302G ACCEPT     all  --  *      *            ctstate RELATED,ESTABLISHED
2      12M  703M INBOUND    all  --  wan    lan            ctstate NEW ! match-set EXCLUDES src
3    6480K  526M OUTBOUND   all  --  lan    wan            ctstate NEW
4     4128  277K INTERNAL   all  --  lan    lan            ctstate NEW
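The FORWARD chain above has a structure that can be checked mechanically: a default-deny policy, a conntrack shortcut as rule 1, and then only jumps to direction-specific chains keyed on an explicit (in, out) interface pair and limited to NEW connections. Below is an added example (not code from the mail, from Samba or from netfilter) that parses `iptables -L FORWARD -v -n --line-numbers` output and reports deviations from that layout. The sample listing is constructed from the chain quoted in the mail; the source/destination columns (0.0.0.0/0) are assumed, since the mail's copy lost them, and the "weak" variant is an invented counter-example.

```python
"""Audit an iptables FORWARD chain listing for the layout described in the mail:
default-deny policy, RELATED,ESTABLISHED shortcut first, then per-direction
chains selected by (in, out) interface pair for ctstate NEW only.

Added example, not code from the original mail or from Samba/netfilter."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed from the listing in the mail; the 0.0.0.0/0 address columns are assumed.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     320M  302G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2      12M  703M INBOUND    all  --  wan    lan     0.0.0.0/0            0.0.0.0/0            ctstate NEW ! match-set EXCLUDES src
3    6480K  526M OUTBOUND   all  --  lan    wan     0.0.0.0/0            0.0.0.0/0            ctstate NEW
4     4128  277K INTERNAL   all  --  lan    lan     0.0.0.0/0            0.0.0.0/0            ctstate NEW
"""

# Constructed counter-example: permissive policy and a catch-all jump without conntrack state.
WEAK = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 INBOUND    all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# "Chain FORWARD (policy DROP ...)" for built-in chains, "Chain X (N references)" for user chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
# num pkts bytes target prot opt in out source destination [match text...]
RULE_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    num: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match text after the fixed columns, e.g. "ctstate NEW"


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)


def parse_listing(text: str) -> Chain:
    """Parse one chain from `iptables -L <chain> -v -n --line-numbers` output."""
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = Chain(m.group(1), m.group(2))
            continue
        m = RULE_RE.match(line)
        if m and chain is not None:
            chain.rules.append(Rule(int(m.group(1)), m.group(4), m.group(5),
                                    m.group(7), m.group(8), m.group(9), m.group(10),
                                    m.group(11).strip()))
    if chain is None:
        raise ValueError("no 'Chain ...' header found")
    return chain


def audit_forward(chain: Chain) -> List[str]:
    """Return findings; an empty list means the chain matches the described layout."""
    findings = []
    if chain.policy != "DROP":
        findings.append(f"policy is {chain.policy}, expected DROP (default deny)")
    if not chain.rules:
        findings.append("chain has no rules")
        return findings
    first = chain.rules[0]
    if not (first.target == "ACCEPT" and "RELATED,ESTABLISHED" in first.extra):
        findings.append("rule 1 should ACCEPT ctstate RELATED,ESTABLISHED so later rules see only new flows")
    for r in chain.rules:
        if r.target in TERMINAL_TARGETS:
            continue  # only jumps to user chains are checked for direction/state pinning
        if "ctstate NEW" not in r.extra:
            findings.append(f"rule {r.num} -> {r.target} is not limited to ctstate NEW")
        if "*" in (r.in_if, r.out_if):
            findings.append(f"rule {r.num} -> {r.target} uses a wildcard interface; direction is not pinned")
    return findings


if __name__ == "__main__":
    for name, text in (("mail listing", SAMPLE), ("weak variant", WEAK)):
        findings = audit_forward(parse_listing(text))
        print(name, "->", "OK" if not findings else findings)
```

Run it against a live box with `iptables -L FORWARD -v -n --line-numbers | python3 audit.py` after swapping `SAMPLE` for `sys.stdin.read()`; the checks are deliberately structural (policy, state shortcut, pinned interface pairs) and say nothing about the contents of INBOUND/OUTBOUND/INTERNAL, which the mail does not show.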
