Ok, I'm stumped.

Last week domain logons worked. Now when I try to logon, I get a message, "You could not logon because the SJSA domain is not available."

I've had this happen before when the trust account between the client and server was out of sync (restored a disk image that had a different trust account password). To fix this, it has been sufficient to quit the domain, reset the password for the machine account, and rejoin the domain. If I do this, I get a new message: "The specified domain either does not exist or could not be contacted"

If I log in as a local user, I can map network shares with no problem.

***

Had an idea to test, and now have some more info.

I've recently had problems with a network worm. Part of my plan is to minimize broadcast traffic, and create a situation where the clients can't see each other at all. To this effect I used f-secure to block all tcp traffic to 192.168.1.2 to 192.168.1.239, which corresponds to my client space. This part seems to work.

The rule that got me was I tried to block 192.168.1.255 -- the broadcast address, thinking that if the clients couldn't do broadcasts, they wouldn't be able to find each other.

My server is set up with wins support = yes with name resolution order of lmhosts (which has the names of my servers) dns hosts, but no broadcast.

At first I thought that without broadcast, it couldn't send arp requests, but arps are ether broadcasts, not tcp. And if the profile was cached, then logons worked, and browsing worked.

So finally my questions:

1. Why does stopping ip broadcasts break domain logons, but not browsing shares?

2. What changes can I make to my setup to further inhibit client to client communication?
Felipe Augusto van de Wiel
2007-Jan-31 12:00 UTC
[Samba] Domain logons and client IP broadcasts
On 01/30/2007 06:14 PM, Sherwood Botsford wrote:
[...]
> So finally my questions:
>
> 1. Why does stopping ip broadcasts break domain logons, but not
> browsing shares?

Windows clients won't get a package from the Domain Server. If you are talking about browsing a specific machine, that works because you contact the target machine, but you could have strange results while browsing the network.

> 2. What changes can I make to my setup to further inhibit
> client to client communication?

A few days ago we had a thread with some details on that topic and a few people reporting success stories.

Kind regards,
--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
On Tuesday, 30 January 2007, Sherwood Botsford wrote:
> Why does stopping ip broadcasts break domain logons, but not
> browsing shares?

Did you specify a WINS server for all clients (pointing to your PDC)?
I had a very similar problem (without the worm) not too long ago. My current setup has the following in the dhcp server:

  option netbios-node-type 2;
  option netbios-name-servers a.b.c.d;

(where a.b.c.d is the actual IP address of my PDC). This tells the windows clients to use peer-peer mode (only uses WINS, doesn't use broadcast) and tells them where the WINS server is. This is working quite well, and previously unknown (and uncached) users have no problems logging onto the workstations.

You also need to have wins support = yes in your smb.conf, of course. (Which, I notice, you say you already have).

I did have a couple of teething problems with this setup still exhibiting the same problems, but they went away. I think you might need to be sure that the samba server is, indeed, the master browser - by starting it up before any other clients on the windows network, but that's just a wild guess.

Hope this helps.

On 31/01/2007, at 7:14 AM, Sherwood Botsford wrote:
> [...]
--
Matt Skerritt matt.skerritt@agrav.net
I'm sorry, but I don't know the cause. You should make sure that Lab-119 actually uses DHCP. Have a look at the blocked packets of the firewall and compare with Lab-101.

I had the same error "domain not available", but a different scenario... I think it was solved by joining the PDC to itself - but that seems not to be related to your problem.

If Lab-119 is a windows machine, I would recommend a reinstall - most times this works quite well ;)

kind regards,
Sebastian

On Tuesday, 6 February 2007, Postmaster wrote:
> Sebastian Held wrote:
> > On Thursday, 1 February 2007, Sherwood Botsford wrote:
> >> dhcp server options
> >> netbios-node-type = 2
> >> netbios-name-server = PDC IP
> >> samba
> >> wins support = yes
> >> # wins server
> >> -> Domain logins don't work
> >
> > Did you try to set:
> > name resolve order = wins lmhosts
> > on your Samba PDC?
> > Is Samba a local and domain master browser?
> > Have a look at the browse data:
> > nmblookup -R -U <winsServer> -S <nameToLookUp>
> >
> > kind regards,
> > Sebastian
>
> Firstly, thanks for your help in this, Sebastian. You have been amazingly
> patient.
>
> OK: More data:
> Lab-101 is set with a firewall that permits broadcasts, and allows
> domain logins.
>
> Lab-119 is set with a firewall that blocks broadcasts. From it I get a
> 'domain not available' message, but if I log in with a cached roaming
> profile, network shares work.
>
> Conan is the PDC of my domain, SJSA, and is the master browser. I have a
> single network, so it is also the local master.
>
> conan# nmblookup -R -U sjsa -S lab-118
> querying lab-101 on 192.168.1.241
> 192.168.1.101 lab-101<00>
> Looking up status of 192.168.1.118
> LAB-101 <00> - M <ACTIVE>
> SJSA <00> - <GROUP> M <ACTIVE>
> SJSA <1e> - <GROUP> M <ACTIVE>
>
> conan# nmblookup -R -U sjsa -S lab-119
> querying lab-119 on 192.168.1.241
> 192.168.1.119 lab-119<00>
> Looking up status of 192.168.1.119
> LAB-119 <00> - M <ACTIVE>
> SJSA <00> - <GROUP> M <ACTIVE>
> SJSA <1e> - <GROUP> M <ACTIVE>
>
> *** No effective difference between the two types.
>
> Relevant chunks of smb.conf
> workgroup = SJSA
> netbios name = CONAN
> server string = Conan the Librarian
> security = DOMAIN
> **********************************************
>
> Excerpt from nmbd -d2
> Samba server CONAN is now a domain master browser for workgroup SJSA on
> subnet 192.168.1.241
> *****
> announce_local_master_browser_to_domain_master_browser:
> We are both a domain and a local master browser for workgroup SJSA. Do
> not announce to ourselves
>
> *********************************
> Running findsmb from a workstation not running nmbd shows that
> Conan is a master and local browse master, and postie is a local browse
> master.
>
> If I log in from lab-101 the following shows up in the nmbd log file.
> process_logon_packet: Logon from 192.168.1.101: code = 0x12
> process_logon_packet: Logon from 192.168.1.101: code = 0x12
> process_logon_packet: Logon from 192.168.1.101: code = 0x12
> process_logon_packet: Logon from 192.168.1.101: code = 0x12
>
> and the logon is successful.
>
> If I log on from lab-119 no lines show up, and the attempt fails.
>
> If I run tcpdump -vvv host 192.168.1.119 during a login there are no
> packets at all. However there is sporadic traffic between lab-119 and
> Conan.
> e.g: arp packets and the following:
>
> 11:08:29.891131 lab-119.sjsa.internal.net.netbios-ns > conan.sjsa.internal.net.netbios-ns:
> >>> NBT UDP PACKET(137): REFRESH(8); REQUEST; UNICAST
>
> TrnID=0x9965
> OpCode=8
> NmFlags=0x0
> Rcode=0
> QueryCount=1
> AnswerCount=0
> AuthorityCount=0
> AddressRecCount=1
> QuestionRecords:
> Name=LAB-119 NameType=0x00 (Workstation)
> QuestionType=0x20
> QuestionClass=0x1
>
> ResourceRecords:
> Name=LAB-119 NameType=0x00 (Workstation)
> ResType=0x20
> ResClass=0x6C70
> TTL=499435589 (0x1dc4c845)
> ResourceLength=33945
> ResourceData
> [000] 0D 00 60 00 00 00 ..`...
>
> (ttl 128, id 54446, len 96)
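Matt's netbios-node-type advice and the tcpdump excerpt at the end of the thread are two views of the same thing: what a workstation puts on UDP/137 and where it sends it. What follows is an added example, not code from any of the posters or from the Samba project: a builder and decoder for NetBIOS Name Service packets in the RFC 1002 layout. It reconstructs the unicast REFRESH for LAB-119<00> seen in the capture above, then builds the NAME QUERY for SJSA<1c> (the domain-controller group name a workstation has to resolve before it can send the NETLOGON mailslot request that nmbd logs as "process_logon_packet ... code = 0x12") in its two forms: the b-node form, which carries the B flag and goes to the subnet broadcast address, i.e. exactly the packet a rule blocking 192.168.1.255 drops, and the p-node form, which carries the RD flag and goes unicast to the WINS server, so it survives that rule. The DHCP option 46 table is the one behind "option netbios-node-type 2". Names, suffixes and 192.168.1.119 come from the thread; the transaction IDs and TTL are made up for the example, and the code builds and decodes packets only, it sends nothing.

```python
"""Build and decode NetBIOS Name Service (NBNS, UDP/137) packets.

Added example for this thread; not code from the posters or the Samba project.
Layouts follow RFC 1002. Names and addresses come from the thread; transaction
IDs and the TTL are made up.
"""
import struct

OPCODE_NAMES = {0: "QUERY", 5: "REGISTRATION", 6: "RELEASE", 7: "WACK", 8: "REFRESH"}
OPCODE_QUERY, OPCODE_REFRESH = 0, 8
NM_RD = 0x10   # NM_FLAGS: recursion desired, set on unicast queries to WINS
NM_B = 0x01    # NM_FLAGS: broadcast, set on b-node queries to the subnet broadcast
NB_TYPE, IN_CLASS = 0x20, 1
ONT = {"B": 0, "P": 1, "M": 2, "H": 3}              # owner node type, NB_FLAGS bits 13-14
ONT_NAMES = {v: k for k, v in ONT.items()}
DHCP_OPTION_46 = {"B": 1, "P": 2, "M": 4, "H": 8}   # netbios-node-type values (RFC 2132)


def encode_name(name, suffix):
    """First-level encoding: 15-char space-padded name plus suffix byte, each
    nibble mapped to a letter A..P, sent as a single 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([32]) + enc + b"\x00"


def decode_name(buf, offset):
    """Return ((name, suffix), next_offset); follows a compression pointer."""
    length = buf[offset]
    if (length & 0xC0) == 0xC0:
        target = struct.unpack_from("!H", buf, offset)[0] & 0x3FFF
        return decode_name(buf, target)[0], offset + 2
    if length != 32:
        raise ValueError("expected a 32-byte first-level encoded name")
    enc = buf[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    pos = offset + 33
    while buf[pos]:                       # skip scope-id labels, if present
        pos += 1 + buf[pos]
    return (raw[:15].decode("ascii").rstrip(" \x00"), raw[15]), pos + 1


def header(trn_id, opcode, nm_flags, qd, an, ns, ar, response=False, rcode=0):
    flags = (int(response) << 15) | (opcode << 11) | (nm_flags << 4) | rcode
    return struct.pack("!HHHHHH", trn_id, flags, qd, an, ns, ar)


def build_name_query(trn_id, name, suffix, broadcast):
    """NAME QUERY for NAME<suffix>: b-node style (B flag, sent to x.x.x.255)
    or p-node style (RD flag, sent unicast to the WINS server)."""
    flags = NM_B if broadcast else NM_RD
    return (header(trn_id, OPCODE_QUERY, flags, 1, 0, 0, 0)
            + encode_name(name, suffix) + struct.pack("!HH", NB_TYPE, IN_CLASS))


def build_refresh(trn_id, name, suffix, ip, node_type, group=False, ttl=300000):
    """Unicast NAME REFRESH to WINS, the packet type in the thread's capture."""
    nb_flags = (0x8000 if group else 0) | (ONT[node_type] << 13)
    question = encode_name(name, suffix) + struct.pack("!HH", NB_TYPE, IN_CLASS)
    rr = (struct.pack("!H", 0xC00C)                      # pointer to the question name
          + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, 6)
          + struct.pack("!H", nb_flags) + bytes(int(o) for o in ip.split(".")))
    return header(trn_id, OPCODE_REFRESH, 0, 1, 0, 0, 1) + question + rr


def parse(pkt):
    """Decode header, questions and resource records into a dict."""
    trn_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    out = {"trn_id": trn_id, "response": bool(flags >> 15), "opcode": (flags >> 11) & 0xF,
           "nm_flags": (flags >> 4) & 0x7F, "rcode": flags & 0xF, "questions": [], "records": []}
    pos = 12
    for _ in range(qd):
        (name, suffix), pos = decode_name(pkt, pos)
        qtype = struct.unpack_from("!H", pkt, pos)[0]
        pos += 4
        out["questions"].append({"name": name, "suffix": suffix, "qtype": qtype})
    for _ in range(an + ns + ar):
        (name, suffix), pos = decode_name(pkt, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, pos)
        pos += 10
        rdata, pos = pkt[pos:pos + rdlen], pos + rdlen
        rec = {"name": name, "suffix": suffix, "rtype": rtype, "ttl": ttl}
        if rtype == NB_TYPE and rdlen >= 6:          # NB record: NB_FLAGS + IPv4 address
            nb_flags = struct.unpack_from("!H", rdata)[0]
            rec.update(group=bool(nb_flags & 0x8000),
                       node_type=ONT_NAMES[(nb_flags >> 13) & 3],
                       ip=".".join(str(b) for b in rdata[2:6]))
        out["records"].append(rec)
    return out


def summarize(pkt):
    """One line per packet, e.g. 'QUERY SJSA<1c> broadcast (B flag)'."""
    p = parse(pkt)
    q = p["questions"][0]
    how = ("broadcast (B flag)" if p["nm_flags"] & NM_B
           else "unicast to WINS (RD)" if p["nm_flags"] & NM_RD else "unicast")
    return "%s %s<%02x> %s" % (OPCODE_NAMES.get(p["opcode"], p["opcode"]), q["name"], q["suffix"], how)


if __name__ == "__main__":
    # Constructed packets: the refresh from the thread's tcpdump, then the two
    # ways a workstation can look for the SJSA domain controllers (SJSA<1c>).
    for pkt in (build_refresh(0x9965, "LAB-119", 0x00, "192.168.1.119", "P"),
                build_name_query(1, "SJSA", 0x1C, broadcast=False),
                build_name_query(2, "SJSA", 0x1C, broadcast=True)):
        print(summarize(pkt), "->", pkt.hex())
```

To see which form a given workstation really uses, run tcpdump -vvv -n udp port 137 on the PDC while the client logs on and compare the flags with the summaries above; on the Windows side, ipconfig /all reports the node type the DHCP option actually set. A host still showing Broadcast or Hybrid there will keep sending the B-flag query to 192.168.1.255 and fail the logon under the firewall rule described in the thread, while share access by server name continues to work because that name is resolved through lmhosts or DNS and then reached by unicast.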