On Mon, 4 Mar 2019 14:50:38 +0000 Rowland Penny wrote:
> On Mon, 04 Mar 2019 09:15:12 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > I have a rather strange and urgent problem. Last evening I installed
> > a Sonicwall firewall between the Internet and office LAN. The only
> > change that I know of for the LAN workstations was that the gateway
> > is now 192.168.0.1 instead of 192.168.0.2. All workstations: Windows,
> > Linux and Mac use DHCP and the AD/DC is the DHCP server, so I
> > wouldn't think that mattered.
> >
> > All Windows workstations work fine, I didn't even have to reboot
> > them. Windows Users can log in, they have their redirected folders,
> > etc.
> >
> > Having a problem on Linux. When I run 'getent passwd' it returns only
> > the list of users in /etc/passwd on the AD/DC. No domain users are
> > returned. 'getent passwd <domainuser>' returns status 2.
> >
> > The domain user can log on to Linux.
> >
> > Any idea what's up with this? I use getent on Linux for various
> > things.
> >
> > Thanks, Mark
> >
> > Samba 4.8.2
> >
>
> Let's see if I have this correct, you have installed a firewall on
> something between the original gateway and your LAN, you have not
> touched anything else, except to point your computers to the new
> firewall as the gateway (presumably by DHCP). Is this correct ?
>
> You have logged into a DC and run:
>
> getent passwd username
>
> Which produces no output, where previously it did.
>
> Is the DC using itself as the nameserver ?
> Is the DC using the correct gateway ?
>
> Rowland
Partially correct. Before installing the firewall, the gateway on the AD/DC was
configured as the ISP's gateway (98.102.63.105). I changed the gateway to be
192.168.0.1 (the Sonicwall). I believe that's all I did. I did reboot the AD/DC.
The AD/DC is also the DHCP server.
I've tested stopping the firewall on the AD/DC as well. That didn't help.
On the AD/DC 'getent passwd' does work.
$ getent passwd mark
mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
On the Linux domain member workstation it does not.
$ getent passwd mark; echo $?
2
However, the user of that workstation is able to log in using domain
credentials; ntlm_auth also works:
$ ntlm_auth --username=mark --password='mypass'
NT_STATUS_OK: Success (0x0)
BTW - The Mac workstations cannot now authenticate with domain credentials. I
tried to unbind and rebind one of the workstations, but when trying to unbind I
got the message, "Unable to access domain controller". It can see the domain
controller:
$ host mail
mail.hprs.local has address 192.168.0.2
However, this is possibly an additional/separate (though related) issue. I
don't want to complicate the original question. I can deal with the Macs later,
and perhaps solving the Linux issue will magically solve the Mac issue. I've
included the Mac information in case it provides additional clues.
As I said, no problems whatsoever with the Windows 7 domain members.
--Mark
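A small shell diagnostic for the symptom described above, added here as an example and not part of the thread or of Samba itself: it checks whether winbind is listed in nsswitch.conf on the member, asks winbindd directly (via wbinfo, when installed) whether it can map the user, and classifies the getent=2 / ntlm_auth=0 combination seen on the Linux member. The nsswitch.conf samples and the user name passed to it are constructed assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread) for a Samba domain member where
# 'getent passwd <user>' exits 2 (key not found) while ntlm_auth succeeds.
# The nsswitch.conf samples below are constructed, not the poster's real files.
NSS_WITH_WINBIND='passwd: compat winbind
group:  compat winbind
shadow: compat'
NSS_WITHOUT_WINBIND='passwd: compat
group:  compat'

# nss_has_winbind DB CONTENT: exit 0 when the DB line (passwd, group, ...) lists winbind.
nss_has_winbind() {
    printf '%s\n' "$2" |
        grep -Eq "^[[:space:]]*$1[[:space:]]*:.*[[:space:]]winbind([[:space:]]|\$)"
}

# nss_missing "DB DB ..." CONTENT: print the databases that do not list winbind.
nss_missing() {
    out=
    for db in $1; do
        nss_has_winbind "$db" "$2" || out="$out$db "
    done
    printf '%s' "${out% }"
}

# classify GETENT_STATUS NTLM_AUTH_STATUS: getent 2 means "key not found" in NSS;
# ntlm_auth 0 means winbindd reached the DC and authenticated, so the break is
# between NSS and winbind (nsswitch.conf, libnss_winbind or idmap), not the network.
classify() {
    case "$1/$2" in
        0/*) echo nss-ok ;;
        2/0) echo nss-broken-auth-ok ;;
        */0) echo nss-error-auth-ok ;;
        *)   echo auth-broken ;;
    esac
}

# diagnose USER: live checks on the member; uses wbinfo only when it is installed.
diagnose() {
    miss=$(nss_missing "passwd group" "$(cat /etc/nsswitch.conf 2>/dev/null)")
    [ -n "$miss" ] && echo "nsswitch.conf: winbind missing from: $miss"
    getent passwd "$1" >/dev/null 2>&1 && echo "getent: found $1" || echo "getent: exit $? for $1"
    if command -v wbinfo >/dev/null 2>&1; then
        wbinfo --ping-dc >/dev/null 2>&1 && echo "wbinfo: DC reachable" || echo "wbinfo: DC unreachable"
        wbinfo -i "$1" >/dev/null 2>&1 && echo "wbinfo -i: user mapped (check the NSS side)" \
                                       || echo "wbinfo -i: user not mapped (check idmap config)"
    fi
}
if [ -n "${1:-}" ]; then diagnose "$1"; fi
```

Run it on the member as `sh diagnose.sh mark` (hypothetical file name); with no argument it only defines the functions.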