[Samba] Cross-subnet authentication & firewall - Samba


Thread: [Samba] Cross-subnet authentication & firewall

  1. [Samba] Cross-subnet authentication & firewall

    I've got two subnets joined by an OpenVPN bridge. I used to have my PDC on
    the router 192.168.2.128, and the DMS 192.168.2.1 happily authenticated to
    it.

    Now, for security and other reasons I have put my PDC behind a firewall.
    The PDC now lives at 192.168.1.3, and my router is still on 192.168.1.1 and
    192.168.2.128.

    In the router's iptables rules, I have added the following:
    iptables -t nat -A PREROUTING -p tcp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
    iptables -t nat -A PREROUTING -p tcp --dport 445 -i tap0 -j DNAT --to 192.168.1.3

    iptables -t nat -A PREROUTING -p udp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
    iptables -t nat -A PREROUTING -p udp --dport 445 -i tap0 -j DNAT --to 192.168.1.3

    (tap0 is the 192.168.2.128 interface)

    In the DMS's smb.conf, I have the following:

    [global]
    workgroup = CORP
    netbios name = FURNSRV
    server string = Furniture File Server
    security = domain
    password server = 192.168.1.3
    wins server = 192.168.1.3
    wins support = no
    wins proxy = no
    name resolve order = wins
    dns proxy = no
    local master = yes
    domain master = no
    preferred master = yes
    os level = 65
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_BROADCAST
    printing = cups
    printcap = cups
    remote browse sync = 192.168.1.3

    When I start Samba on the DMB, I can do 'net join' just fine. I can ping
    the PDC. I can list shares on the PDC. I can't list shares on the client!

    root@honk:/etc/samba# smbclient -L localhost
    Password:
    session setup failed: NT_STATUS_NO_LOGON_SERVERS

    I'm a little befuddled here. Is there something I've forgotten in iptables?
    Is something else missing? I'm not sure exactly what to debug. I have done
    tcpdump on the PDC and I can see requests and responses, but I'm not 100%
    clear what to look for.

    I appreciate any help at all!

    Thanks,
    Misty

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba


  2. Re: [Samba] Cross-subnet authentication & firewall

    > I've got two subnets joined by an OpenVPN bridge. I used to have my PDC
    > on
    > the router 192.168.2.128, and the DMS 192.168.2.1 happily authenticated to
    > it.
    >
    > Now, for security and other reasons I have put my PDC behind a firewall.
    > The PDC now lives at 192.168.1.3, and my router is still on 192.168.1.1
    > and
    > 192.168.2.128.
    >
    > In the router's iptables rules, I have added the following:
    > iptables -t nat -A PREROUTING -p tcp --dport 137:139 -i tap0 -j DNAT --to
    > 192.168.1.3
    > iptables -t nat -A PREROUTING -p tcp --dport 445 -i tap0 -j DNAT --to
    > 192.168.1.3
    >
    > iptables -t nat -A PREROUTING -p udp --dport 137:139 -i tap0 -j DNAT --to
    > 192.168.1.3
    > iptables -t nat -A PREROUTING -p udp --dport 445 -i tap0 -j DNAT --to
    > 192.168.1.3
    >
    > (tap0 is the 192.168.2.128 interface)
    >
    > In the DMS's smb.conf, I have the following:
    >
    > [global]
    > workgroup = CORP
    > netbios name = FURNSRV
    > server string = Furniture File Server
    > security = domain
    > password server = 192.168.1.3
    > wins server = 192.168.1.3
    > wins support = no
    > wins proxy = no
    > name resolve order = wins
    > dns proxy = no
    > local master = yes
    > domain master = no
    > preferred master = yes
    > os level = 65
    > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    > SO_BROADCAST
    > printing = cups
    > printcap = cups
    > remote browse sync = 192.168.1.3
    >
    > When I start Samba on the DMB, I can do 'net join' just fine. I can ping
    > the PDC. I can list shares on the PDC. I can't list shares on the
    > client!
    >
    > root@honk:/etc/samba# smbclient -L localhost
    > Password:
    > session setup failed: NT_STATUS_NO_LOGON_SERVERS
    >
    > I'm a little befuddled here. Is there something I've forgotten in
    > iptables?
    > Is something else missing? I'm not sure exactly what to debug. I have
    > done
    > tcpdump on the PDC and I can see requests and responses, but I'm not 100%
    > clear what to look for.
    >
    > I appreciate any help at all!
    >
    > Thanks,
    > Misty
    >


    Here is some more info. When I try to authenticate to see the DMB's
    shares, I get different results on the DMB and the PDC.

    PDC:
    [2008/07/01 00:25:42, 3] auth/auth.c:check_ntlm_password(270)
    check_ntlm_password: sam authentication for user [root] succeeded
    [2008/07/01 00:25:42, 3] smbd/sec_ctx.c:push_sec_ctx(208)
    push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
    [2008/07/01 00:25:42, 3] smbd/uid.c:push_conn_ctx(358)
    push_conn_ctx(100) : conn_ctx_stack_ndx = 0
    [2008/07/01 00:25:42, 3] smbd/sec_ctx.c:set_sec_ctx(241)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2008/07/01 00:25:42, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
    pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
    [2008/07/01 00:25:42, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [root] -> [root] -> [root]
    succeeded

    DMB:
    [2008/07/01 00:25:49, 3] libsmb/namequery.c:get_dc_list(1426)
    get_dc_list: preferred server list: "CORPSRV, 192.168.1.3"
    [2008/07/01 00:25:49, 3] libsmb/namequery_dc.c:rpc_dc_name(117)
    rpc_dc_name: Returning DC CORPSRV (192.168.1.3) for domain CORP
    [2008/07/01 00:25:49, 3] libsmb/cliconnect.c:cli_start_connection(1426)
    Connecting to host=CORPSRV
    [2008/07/01 00:25:49, 3] lib/util_sock.c:open_socket_out(874)
    Connecting to 192.168.1.3 at port 445
    [2008/07/01 00:25:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
    rpc_pipe_bind: Remote machine CORPSRV pipe \NETLOGON fnum 0x70bb bind
    request returned ok.
    [2008/07/01 00:25:51, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
    rpc_pipe_bind: Remote machine CORPSRV pipe \NETLOGON fnum 0x70bc bind
    request returned ok.
    [2008/07/01 00:25:51, 0] auth/auth_domain.c:domain_client_validate(246)
    domain_client_validate: unable to validate password for user root in
    domain CORP to Domain controller CORPSRV. Error was
    NT_STATUS_UNSUCCESSFUL.
    [2008/07/01 00:25:51, 2] auth/auth.c:check_ntlm_password(319)
    check_ntlm_password: Authentication for user [root] -> [root] FAILED
    with error NT_STATUS_NO_LOGON_SERVERS
    [2008/07/01 00:25:51, 3] smbd/error.c:error_packet(146)
    error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
    NT_STATUS_NO_LOGON_SERVERS
    [2008/07/01 00:25:51, 3] smbd/process.c:timeout_processing(1359)


    WHY would the DMB say that it failed when the PDC said it succeeded???





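The two level-3 logs quoted above, read side by side with a small parser (an added example, not code from the post or from Samba): it splits Samba's multi-line debug records, keeps only the authentication-stage records and reports, per host, which stage failed first, so the member server's NT_STATUS_NO_LOGON_SERVERS is traced back to the earlier NT_STATUS_UNSUCCESSFUL returned by domain_client_validate, the pass-through to the DC. Function names and status codes are those on the page; the host labels PDC and DMB and the trimmed excerpts are constructed.

```python
import re

# Constructed excerpts of the two logs quoted in the post. A Samba log record is
# a header line followed by message text that the logger wraps over several lines.
PDC_LOG = """\
[2008/07/01 00:25:42, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: sam authentication for user [root] succeeded
[2008/07/01 00:25:42, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root]
succeeded
"""
DMB_LOG = """\
[2008/07/01 00:25:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine CORPSRV pipe \\NETLOGON fnum 0x70bb bind
request returned ok.
[2008/07/01 00:25:51, 0] auth/auth_domain.c:domain_client_validate(246)
domain_client_validate: unable to validate password for user root in
domain CORP to Domain controller CORPSRV. Error was
NT_STATUS_UNSUCCESSFUL.
[2008/07/01 00:25:51, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [root] -> [root] FAILED
with error NT_STATUS_NO_LOGON_SERVERS
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] "
                    r"([\w/]+\.c):(\w+)\((\d+)\)$")
NTSTATUS = re.compile(r"NT_STATUS_[A-Z_]+")
AUTH_FUNCS = ("check_ntlm_password", "domain_client_validate")

def parse_samba_log(host, text):
    """Return [(host, timestamp, level, function, joined message)]."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # new record: host, timestamp, debug level, function, empty message
            records.append([host, m[1], int(m[2]), m[4], ""])
        elif records and line.strip():  # wrapped continuation of the message
            records[-1][4] = (records[-1][4] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def auth_events(records):
    """Keep auth-stage records, tagged with a verdict and the NT_STATUS quoted."""
    events = []
    for host, ts, _level, func, msg in records:
        if func in AUTH_FUNCS:
            codes = NTSTATUS.findall(msg)
            verdict = "ok" if "succeeded" in msg else "FAIL"
            events.append((host, ts, func, verdict, codes[-1] if codes else ""))
    return events

def first_failure(records):  # earliest failing auth stage on that host, or None
    fails = [e for e in auth_events(records) if e[3] == "FAIL"]
    return min(fails, key=lambda e: e[1]) if fails else None
```

On the DMB excerpt the first failing stage is domain_client_validate with NT_STATUS_UNSUCCESSFUL; check_ntlm_password only reports the consequence.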

