[Samba] Star mesh IP Inter-site transport question

Ivan Lopez ilopez at enress.gov.ar
Wed Jul 3 15:33:51 UTC 2024 

Hi, people. How are you?. I hope you are doing well.

Could you, please, give us some advice about packets generated by Samba 
DCs that are filtered by our bastions?

Our doubt is as follows:

  * We have 4 sites: SFE, LSFE, ROS, LROS
  * We want synchronization to be done in a star mesh with center in
    SFE. There are 3 IP Inter-site transport: SFE-LSFE, SFE-LROS,
    SFE-ROS.  I mean, there isn't any IP Inter-site transport defined
    for LROS-ROS, for example
  * Actually, there is a full mesh VPN, but we don't want to use some of
    these links for replication and, because of that, we've defined
    Inter-site transport in a star way.
  * There isn't any problem in our domain. At least as far we can see.
  * DCs are replicating well. Running "samba-tool drs showrepl" shows
    DCs on LSFE, ROS and LROS having INBOUND NEIGHBORS in SFE site only.
    And all of them have only one KCC OBJECT involving a DC in SFE site.
    A DNS change in an LROS' DC  , for example, is replicated to DCs in
    SFE site and then, from SFE to LSFE

Even though everything seems to be ok, we are trying to understand why 
we are seeing our packet filters denying this kind of packets:

Jul  2 11:40:04 bros kernel: IPT12-drop-NLO2NRE:02 IN=enp64s0 OUT=enp5s4 
MAC=00:0f:fe:2c:0d:ab:f2:20:47:45:f1:e8:08:00 *SRC=10.100.2.100 
DST=10.100.3.100* LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41937 DF PROTO=TCP 
*SPT=42592 DPT=135* WINDOW=64240 RES=0x00 SYN URGP=0

This example packet, come from ROS packet filter and involves 
10.100.2.100 and 10.100.3.100 which are DCs in ROS and LROS sites. EPMAP 
packets are prohibited between LROS and ROS sites. Something similar can 
be seen in LSFE and LROS packet filters (involving different DCs).

It looks like something running on the ROS' site DC is trying to contact 
EPMAP running on LROS' site DC.  We don't  expect that kind of packets 
exist because there isn't Inter-site transport ROS-LROS.

Could you tell me please if it is a normal behaviour?. May be KCC is 
trying to discover something?. Are we misunderstanding something 
potentially dangerous?

Thanks in advance. Best Regards.

Iván

More information about the samba mailing list