On Mon, 4 Mar 2019 14:50:38 +0000 Rowland Penny wrote:

> On Mon, 04 Mar 2019 09:15:12 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > I have a rather strange and urgent problem. Last evening I installed a Sonicwall firewall between the Internet and office LAN. The only change that I know of for the LAN workstations was that the gateway is now 192.168.0.1 instead of 192.168.0.2. All workstations: Windows, Linux and Mac use DHCP and the AD/DC is the DHCP server, so I wouldn't think that mattered.
> >
> > All Windows workstations work fine, I didn't even have to reboot them. Windows users can log in, they have their redirected folders, etc.
> >
> > Having a problem on Linux. When I run 'getent passwd' it returns only the list of users in /etc/passwd on the AD/DC. No domain users are returned. 'getent passwd <domainuser>' returns status 2.
> >
> > The domain user can log on to Linux.
> >
> > Any idea what's up with this? I use getent on Linux for various things.
> >
> > Thanks, Mark
> >
> > Samba 4.8.2
>
> Let's see if I have this correct: you have installed a firewall on something between the original gateway and your LAN, you have not touched anything else, except to point your computers to the new firewall as the gateway (presumably by DHCP). Is this correct?
>
> You have logged into a DC and run:
>
> getent passwd username
>
> Which produces no output, where previously it did.
>
> Is the DC using itself as the nameserver?
> Is the DC using the correct gateway?
>
> Rowland

Partially correct. Before installing the firewall, the gateway on the AD/DC was configured as the ISP's gateway (98.102.63.105). I changed the gateway to be 192.168.0.1 (the Sonicwall). I believe that's all I did. I did reboot the AD/DC. The AD/DC is also the DHCP server.

I've tested with stopping the firewall on the AD/DC as well. Didn't help.

On the AD/DC 'getent passwd' does work.

$ getent passwd mark
mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

On the Linux domain member workstation it does not.

$ getent passwd mark; echo $?
2

However, the user of that workstation is able to log in using domain credentials; ntlm_auth also works:

$ ntlm_auth --username=mark --password='mypass'
NT_STATUS_OK: Success (0x0)

BTW - The Mac workstations cannot now authenticate with domain credentials. I tried to unbind and rebind one of the workstations, but when trying to unbind I got the message, "Unable to access domain controller". It can see the domain controller:

$ host mail
mail.hprs.local has address 192.168.0.2

However, this is possibly an additional/separate (though related) issue. I don't want to complicate the original question. I can deal with the Macs later and perhaps solving the Linux issue will magically solve the Mac issue. I've included the Mac information in case it provides additional clues.

As I said, no problems whatsoever with the Windows 7 domain members.

--Mark
On Mon, 04 Mar 2019 11:48:00 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:

> Partially correct. Before installing the firewall, the gateway on the AD/DC was configured as the ISP's gateway (98.102.63.105). I changed the gateway to be 192.168.0.1 (the Sonicwall). I believe that's all I did. I did reboot the AD/DC. The AD/DC is also the DHCP server.
>
> I've tested with stopping the firewall on the AD/DC as well. Didn't help.
>
> On the AD/DC 'getent passwd' does work.
>
> $ getent passwd mark
> mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>
> On the Linux domain member workstation it does not.
>
> $ getent passwd mark; echo $?
> 2
>
> However, the user of that workstation is able to log in using domain credentials; ntlm_auth also works:
>
> $ ntlm_auth --username=mark --password='mypass'
> NT_STATUS_OK: Success (0x0)
>
> BTW - The Mac workstations cannot now authenticate with domain credentials. I tried to unbind and rebind one of the workstations, but when trying to unbind I got the message, "Unable to access domain controller". It can see the domain controller:
>
> $ host mail
> mail.hprs.local has address 192.168.0.2
>
> However, this is possibly an additional/separate (though related) issue. I don't want to complicate the original question. I can deal with the Macs later and perhaps solving the Linux issue will magically solve the Mac issue. I've included the Mac information in case it provides additional clues.
>
> As I said, no problems whatsoever with the Windows 7 domain members.
>
> --Mark

OK, just a thought: is there a DHCP server running on your Sonicwall?

What does running 'route' show (you will probably have to do this as root or via sudo)? It should show your Sonicwall as the gateway.

Try running these:

hostname -s
hostname -d
hostname -i
hostname -I

Do they show what you expect?

What is in /etc/resolv.conf?

I suppose I should mention that you should do all the above on the Unix domain member.

Rowland
On Mon, 4 Mar 2019 17:18:31 +0000 Rowland Penny wrote:

> OK, just a thought: is there a DHCP server running on your Sonicwall?

No. I configured the Sonicwall with the tech last night and I'm sure it's not running the DHCP server. The AD/DC (Mail) is running dhcpd. (But I'll double-check.)

> What does running 'route' show (you will probably have to do this as root or via sudo)? It should show your Sonicwall as the gateway.

Yes, shows Sonicwall. On the AD/DC:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    1      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1

On the domain members, shows the AD/DC as the gateway:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         mail.hprs.local 0.0.0.0         UG    202    0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.255.0   U     202    0        0 eth0

> Try running these:
>
> hostname -s
> hostname -d
> hostname -i
> hostname -I
>
> Do they show what you expect?

On the domain member (labrat):

$ hostname -s
labrat
$ hostname -d
hprs.local
$ hostname -i
127.0.0.1
$ hostname -I
hostname: invalid option -- 'I'

I believe these show as expected (except for -I). Agreed?

> What is in /etc/resolv.conf?

On the AD/DC (MAIL, 192.168.0.2, is the LAN DNS server):

domain hprs.local
search hprs.local
nameserver 192.168.0.2

On the domain member (labrat):

# Generated by dhcpcd from eth0.dhcp
# /etc/resolv.conf.head can replace this line
domain hprs.local
nameserver 192.168.0.2
nameserver 192.168.0.3
# /etc/resolv.conf.tail can replace this line

None of the hosts have problems resolving internal or external hostnames.

--Mark
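As an added example (not code from the thread or from the Samba project), the checks Rowland asks for above, turned into a small POSIX shell script that inspects a domain member's resolv.conf and hosts file: every nameserver must be a DC and the search domain must be the AD domain (winbind's lookups go through AD DNS), and the member's own name must map to its LAN address rather than loopback, which is what a `hostname -i` of 127.0.0.1 indicates. It reuses the names from the thread (hprs.local, DCs at 192.168.0.2 and 192.168.0.3, member labrat) but constructs its own sample files; the member LAN address 192.168.0.50 and the stray public resolver are made up, and the expectation that the host name resolves to the LAN address follows Samba's domain-member setup guidance.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: sanity checks for a
# Samba domain member's name resolution, run here against constructed files.
# Real use: check_resolv_conf /etc/resolv.conf hprs.local 192.168.0.2 192.168.0.3
#           check_host_mapping /etc/hosts "$(hostname -s)" <member LAN IP>

# check_resolv_conf FILE DOMAIN DC_IP...
# Passes (exit 0) when FILE has a domain/search entry for DOMAIN and every
# nameserver is one of the DC addresses; winbind's AD lookups need AD DNS.
check_resolv_conf() {
    file=$1 domain=$2
    shift 2
    rc=0
    if ! grep -Eq "^(domain|search)[[:space:]]+$domain([[:space:]]|\$)" "$file"; then
        echo "resolv.conf: no domain/search entry for $domain"
        rc=1
    fi
    for ns in $(awk '/^nameserver/ { print $2 }' "$file"); do
        found=0
        for dc in "$@"; do
            [ "$ns" = "$dc" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "resolv.conf: nameserver $ns is not a listed DC"
            rc=1
        fi
    done
    return $rc
}

# check_host_mapping HOSTS_FILE SHORTNAME LAN_IP
# Passes when the member's own name maps to its LAN address. A loopback
# mapping is what makes `hostname -i` print 127.0.0.1, as in the thread.
check_host_mapping() {
    hosts=$1 name=$2 lan_ip=$3
    # first address on a non-comment line whose names include SHORTNAME or SHORTNAME.<domain>
    mapped=$(awk -v n="$name" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++)
                         if ($i == n || index($i, n ".") == 1) { print $1; exit } }
    ' "$hosts")
    case "$mapped" in
        "")        echo "hosts: no entry for $name"; return 1 ;;
        "$lan_ip") return 0 ;;
        127.*)     echo "hosts: $name maps to loopback $mapped, expected $lan_ip"; return 1 ;;
        *)         echo "hosts: $name maps to $mapped, expected $lan_ip"; return 1 ;;
    esac
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed to match the member's resolv.conf shown in the thread.
cat > "$TMP/resolv.good" <<'EOF'
# Generated by dhcpcd from eth0.dhcp
domain hprs.local
nameserver 192.168.0.2
nameserver 192.168.0.3
EOF
# Constructed: what a second DHCP server handing out a public resolver would leave behind.
cat > "$TMP/resolv.bad" <<'EOF'
search example.org
nameserver 8.8.8.8
EOF
# Constructed: loopback mapping of the member's own name (hostname -i prints 127.0.0.1).
cat > "$TMP/hosts.loop" <<'EOF'
127.0.0.1   localhost labrat.hprs.local labrat
EOF
# Constructed: the mapping Samba's domain-member setup expects (LAN IP is made up).
cat > "$TMP/hosts.lan" <<'EOF'
127.0.0.1      localhost
192.168.0.50   labrat.hprs.local labrat
EOF

# Stand-alone run over the samples; each check reports its findings on stdout.
for f in resolv.good resolv.bad; do
    if check_resolv_conf "$TMP/$f" hprs.local 192.168.0.2 192.168.0.3; then
        echo "$f: OK"
    else
        echo "$f: FAIL"
    fi
done
for f in hosts.loop hosts.lan; do
    if check_host_mapping "$TMP/$f" labrat 192.168.0.50; then
        echo "$f: OK"
    else
        echo "$f: FAIL"
    fi
done
```

Both functions only read files, so they can be run as an unprivileged user on the member; a FAIL from either is worth chasing before looking at winbind itself, since `getent` going through NSS depends on the member reaching AD DNS, while a PAM login can still succeed through a different path.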