On 05.03.2019 7:14, Mark Foley via samba wrote:> On Tue, 5 Mar 2019 06:17:59 +0100 Reindl Harald <h.reindl at thelounge.net> wrote: >> Am 05.03.19 um 00:22 schrieb Mark Foley via samba: >>> /etc/resolv.conf: >>> nameserver 192.168.0.2 >>> nameserver 209.18.47.62 >>> >>> /etc/hosts: >>> 127.0.0.1 localhost >>> 192.168.0.60 ccarter >>> >>> So, the gateway is the Sonicwall firewall, 192.168.0.1. Nameservers are the DC (192.168.0.2) >>> and one of the ISP name servers. The IP is static and is set in /etc/hosts. At this point, >>> there should be no issues or questions with respect to which gateway or DHCP usage (DHCP is not >>> being used) >> besides that oyu really could strip your quotes why in the world are you >> doing that? there is no point except asking for troubles when you mix >> your DC and a external nameserver > Personally, I like the quotes. It gives me, and hopefully other, a clearer picture of the > problem and what has been tried. A reader can always skip to the bottom. > > ANYWAY, Standby! I may have the problem solved. I need to do a bit more experimentation with a > couple of components, but I think it might be fixed. I'll post again later when I've confirmed. > > --Mark >Hi folks, I'll poke a stick into this, due to recent experiences. Essentially, it's not a Samba problem. It's a network problem. First, make sure your devices and configurations are in order. Then it may, or may not work anyway. For different reasons, I had to make a slight network topology change. I removed the previous gateway/router, and is now using a Cisco ASA as firewall/router. The Cisco people are very explicit in stating that the ASA is a firewall, not a router. It's possible to configure and use it as a router anyway (though you need a PhD in Cisco ASA configuration). The Cisco ASA was given the previous gateway IP. Behind the firewall router are 7 different subnets/VLANs. In the main LAN are a bunch of Windows servers in a AD domain. One of the VLANs contains a Samba ADDC, a Samba fileserver, and Windows clients. The Samba domain machines may connect to the Windows domain, but not the other way around. The Windows VLAN, and the Samba VLAN have got internet access. The main DNS servers are in the Windows AD DC, and the backup Windows AD DC. There is one single time source for the main LAN and VLANs. After making the changes, I made a very thorough check that everything is working. After 4 days I get a call, that 2 clients in the Samba domain cannot contact the mail server, which is in the Windows domain. Also, those 2 clients cannot connect to a specific printer in the Windows domain. Also, the printer seems to be jibbering, transmitting garbage about 10 times/sec. All other clients in the Samba domain can connect to the mail server without any problems. Testing, retesting, checking firewall rules, checking DNS responses, restarting computers, again, again, again. Everything is OK. But still it does not work. Comes after hours, then I make a complete, total reset of all network devices, all servers, and turning off client computers. It's a small network, so it was manageable during a long evening. After that, everything working flawlessly. Even the printer stopped jibbering. My only conclusion here is that something very stale was still cached somewhere. I'm exclusively using HP equipment for switching, so there's no no-name, undocumented cheapo stuff in the network. But nobody is perfect... Hope that my experiences can give you some input and help. Best regards, Peter
On Tue, 5 Mar 2019 08:39:23 +0100 Peter Milesson via samba <samba at lists.samba.org> wrote:> > > On 05.03.2019 7:14, Mark Foley via samba wrote: > > On Tue, 5 Mar 2019 06:17:59 +0100 Reindl Harald > > <h.reindl at thelounge.net> wrote: > >> Am 05.03.19 um 00:22 schrieb Mark Foley via samba: > >>> /etc/resolv.conf: > >>> nameserver 192.168.0.2 > >>> nameserver 209.18.47.62 > >>> > >>> /etc/hosts: > >>> 127.0.0.1 localhost > >>> 192.168.0.60 ccarter > >>> > >>> So, the gateway is the Sonicwall firewall, 192.168.0.1. > >>> Nameservers are the DC (192.168.0.2) and one of the ISP name > >>> servers. The IP is static and is set in /etc/hosts. At this > >>> point, there should be no issues or questions with respect to > >>> which gateway or DHCP usage (DHCP is not being used) > >> besides that oyu really could strip your quotes why in the world > >> are you doing that? there is no point except asking for troubles > >> when you mix your DC and a external nameserver > > Personally, I like the quotes. It gives me, and hopefully other, a > > clearer picture of the problem and what has been tried. A reader > > can always skip to the bottom. > > > > ANYWAY, Standby! I may have the problem solved. I need to do a bit > > more experimentation with a couple of components, but I think it > > might be fixed. I'll post again later when I've confirmed. > > > > --Mark > > > Hi folks, > > I'll poke a stick into this, due to recent experiences. > > Essentially, it's not a Samba problem. It's a network problem. First, > make sure your devices and configurations are in order. Then it may, > or may not work anyway. > > For different reasons, I had to make a slight network topology > change. I removed the previous gateway/router, and is now using a > Cisco ASA as firewall/router. The Cisco people are very explicit in > stating that the ASA is a firewall, not a router. It's possible to > configure and use it as a router anyway (though you need a PhD in > Cisco ASA configuration). The Cisco ASA was given the previous > gateway IP. > > Behind the firewall router are 7 different subnets/VLANs. In the main > LAN are a bunch of Windows servers in a AD domain. One of the VLANs > contains a Samba ADDC, a Samba fileserver, and Windows clients. The > Samba domain machines may connect to the Windows domain, but not the > other way around. The Windows VLAN, and the Samba VLAN have got > internet access. The main DNS servers are in the Windows AD DC, and > the backup Windows AD DC. There is one single time source for the > main LAN and VLANs. > > After making the changes, I made a very thorough check that > everything is working. After 4 days I get a call, that 2 clients in > the Samba domain cannot contact the mail server, which is in the > Windows domain. Also, those 2 clients cannot connect to a specific > printer in the Windows domain. Also, the printer seems to be > jibbering, transmitting garbage about 10 times/sec. All other clients > in the Samba domain can connect to the mail server without any > problems. Testing, retesting, checking firewall rules, checking DNS > responses, restarting computers, again, again, again. Everything is > OK. But still it does not work. > > Comes after hours, then I make a complete, total reset of all network > devices, all servers, and turning off client computers. It's a small > network, so it was manageable during a long evening. After that, > everything working flawlessly. Even the printer stopped jibbering. > > My only conclusion here is that something very stale was still cached > somewhere. I'm exclusively using HP equipment for switching, so > there's no no-name, undocumented cheapo stuff in the network. But > nobody is perfect... > > Hope that my experiences can give you some input and help. > > Best regards, > > Peter > >This is just my opinion: From what I have seen, these expensive firewall type boxes are not worth the money. Problems are regularly posted on here, that turn out to be the 'firewall boxes' fault. If you are installing something at the gateway of your LAN, it better be a router as well or you are just asking for trouble. There are numerous open source firewalls available (pfsense, smoothwall, etc), so why pay through the nose for one ? Rowland
On 05.03.2019 9:13, Rowland Penny via samba wrote:> On Tue, 5 Mar 2019 08:39:23 +0100 > Peter Milesson via samba <samba at lists.samba.org> wrote: > >> >> On 05.03.2019 7:14, Mark Foley via samba wrote: >>> On Tue, 5 Mar 2019 06:17:59 +0100 Reindl Harald >>> <h.reindl at thelounge.net> wrote: >>>> Am 05.03.19 um 00:22 schrieb Mark Foley via samba: >>>>> /etc/resolv.conf: >>>>> nameserver 192.168.0.2 >>>>> nameserver 209.18.47.62 >>>>> >>>>> /etc/hosts: >>>>> 127.0.0.1 localhost >>>>> 192.168.0.60 ccarter >>>>> >>>>> So, the gateway is the Sonicwall firewall, 192.168.0.1. >>>>> Nameservers are the DC (192.168.0.2) and one of the ISP name >>>>> servers. The IP is static and is set in /etc/hosts. At this >>>>> point, there should be no issues or questions with respect to >>>>> which gateway or DHCP usage (DHCP is not being used) >>>> besides that oyu really could strip your quotes why in the world >>>> are you doing that? there is no point except asking for troubles >>>> when you mix your DC and a external nameserver >>> Personally, I like the quotes. It gives me, and hopefully other, a >>> clearer picture of the problem and what has been tried. A reader >>> can always skip to the bottom. >>> >>> ANYWAY, Standby! I may have the problem solved. I need to do a bit >>> more experimentation with a couple of components, but I think it >>> might be fixed. I'll post again later when I've confirmed. >>> >>> --Mark >>> >> Hi folks, >> >> I'll poke a stick into this, due to recent experiences. >> >> Essentially, it's not a Samba problem. It's a network problem. First, >> make sure your devices and configurations are in order. Then it may, >> or may not work anyway. >> >> For different reasons, I had to make a slight network topology >> change. I removed the previous gateway/router, and is now using a >> Cisco ASA as firewall/router. The Cisco people are very explicit in >> stating that the ASA is a firewall, not a router. It's possible to >> configure and use it as a router anyway (though you need a PhD in >> Cisco ASA configuration). The Cisco ASA was given the previous >> gateway IP. >> >> Behind the firewall router are 7 different subnets/VLANs. In the main >> LAN are a bunch of Windows servers in a AD domain. One of the VLANs >> contains a Samba ADDC, a Samba fileserver, and Windows clients. The >> Samba domain machines may connect to the Windows domain, but not the >> other way around. The Windows VLAN, and the Samba VLAN have got >> internet access. The main DNS servers are in the Windows AD DC, and >> the backup Windows AD DC. There is one single time source for the >> main LAN and VLANs. >> >> After making the changes, I made a very thorough check that >> everything is working. After 4 days I get a call, that 2 clients in >> the Samba domain cannot contact the mail server, which is in the >> Windows domain. Also, those 2 clients cannot connect to a specific >> printer in the Windows domain. Also, the printer seems to be >> jibbering, transmitting garbage about 10 times/sec. All other clients >> in the Samba domain can connect to the mail server without any >> problems. Testing, retesting, checking firewall rules, checking DNS >> responses, restarting computers, again, again, again. Everything is >> OK. But still it does not work. >> >> Comes after hours, then I make a complete, total reset of all network >> devices, all servers, and turning off client computers. It's a small >> network, so it was manageable during a long evening. After that, >> everything working flawlessly. Even the printer stopped jibbering. >> >> My only conclusion here is that something very stale was still cached >> somewhere. I'm exclusively using HP equipment for switching, so >> there's no no-name, undocumented cheapo stuff in the network. But >> nobody is perfect... >> >> Hope that my experiences can give you some input and help. >> >> Best regards, >> >> Peter >> >> > This is just my opinion: > > From what I have seen, these expensive firewall type boxes are not > worth the money. Problems are regularly posted on here, that turn out > to be the 'firewall boxes' fault. > If you are installing something at the gateway of your LAN, it better > be a router as well or you are just asking for trouble. > > There are numerous open source firewalls available (pfsense, > smoothwall, etc), so why pay through the nose for one ? > > Rowland >Hi Rowland, You are right about firewall boxes. At least Cisco ASA is a terribly (over) complicated device. People who are not Cisco pros should be warned. Stay away, you will just waste your time, get frustrated, and get sleepless nights. I don't blame the Cisco ASA here. In my case, I hadn't much choice. The management wants network connection with Apple stuff. The only reasonable solution I found was Cisco AnyConnect. Just recently, I found that OpenVPN works with Apple devices at the moment (no guarantee for the future, seems to be an on/off type relationship between Apple and OpenVPN). So I've ordered a Linux based router/firewall with OpenVPN to replace the Cisco stuff. Hope the ON-relationship stays for the next few iOS updates... Best regards, Peter
L.P.H. van Belle
2019-Mar-05 09:03 UTC
[Samba] getent not working after installing firewall
Hai Peter, Chipping in here.> > > Hi Rowland, > > You are right about firewall boxes. At least Cisco ASA is a terribly > (over) complicated device. People who are not Cisco pros should be > warned. Stay away, you will just waste your time, get frustrated, and > get sleepless nights. > > I don't blame the Cisco ASA here. In my case, I hadn't much > choice. The > management wants network connection with Apple stuff. The only > reasonable solution I found was Cisco AnyConnect. Just > recently, I found > that OpenVPN works with Apple devices at the moment (no guarantee for > the future, seems to be an on/off type relationship between Apple and > OpenVPN). So I've ordered a Linux based router/firewall with > OpenVPN to > replace the Cisco stuff. Hope the ON-relationship stays for > the next few > iOS updates... > > Best regards, > > Peter >I totaly get this.. I "also" did have 1 Cisco ASA, but, after 1 year, i removed it and put in shelve. Why, yes, the Cisco has a great future set, but for every future you need get set contracts. And I dont like all the Cisco contracts, (and backdoors...) After 1 year, i could not even get a new firmware, because i did not have a support contract. ... WHAT.. No firmware because i dont want a support contract.. Hell no.. so bye bye cisco.. Never ever ever a Cisco for me.. If you want simple but good, look at draytek. More advanced, juniper, opensouce pfsence What you want is Strongswan + openvpn. I've a strongswan roadwarrior setup, compatible with win7-10/IOS/Android use strongswan app All the client OS are native supporting the vpn setup. And openvpn as backup, for network not supporting ipsec passthrough. Or, install pfsence, does the same as the cisco and probley more. You want apple stuff.. Install avahi on every server, samba/cups etc, should work out of the box. Airprinting through cups works fine here, that needs some work, but im running it about 2 years now. If you want info about above just pm me, no problem. Greetz, Louis
Mark Foley
2019-Mar-05 23:21 UTC
[Samba] getent not working after installing firewall (SOLVED)
On Tue, 5 Mar 2019 08:39:23 +0100 Peter Milesson wrote:> > On 05.03.2019 7:14, Mark Foley via samba wrote: > > On Tue, 5 Mar 2019 06:17:59 +0100 Reindl Harald <h.reindl at thelounge.net> wrote: > >> Am 05.03.19 um 00:22 schrieb Mark Foley via samba: > >>> /etc/resolv.conf: > >>> nameserver 192.168.0.2 > >>> nameserver 209.18.47.62 > >>> > >>> /etc/hosts: > >>> 127.0.0.1 localhost > >>> 192.168.0.60 ccarter > >>> > >>> So, the gateway is the Sonicwall firewall, 192.168.0.1. Nameservers are the DC (192.168.0.2) > >>> and one of the ISP name servers. The IP is static and is set in /etc/hosts. At this point, > >>> there should be no issues or questions with respect to which gateway or DHCP usage (DHCP is not > >>> being used) > >> besides that oyu really could strip your quotes why in the world are you > >> doing that? there is no point except asking for troubles when you mix > >> your DC and a external nameserver > > Personally, I like the quotes. It gives me, and hopefully other, a clearer picture of the > > problem and what has been tried. A reader can always skip to the bottom. > > > > ANYWAY, Standby! I may have the problem solved. I need to do a bit more experimentation with a > > couple of components, but I think it might be fixed. I'll post again later when I've confirmed. > > > > --Mark > > > Hi folks, > > I'll poke a stick into this, due to recent experiences. > > Essentially, it's not a Samba problem. It's a network problem. First, > make sure your devices and configurations are in order. Then it may, or > may not work anyway. > > For different reasons, I had to make a slight network topology change. I > removed the previous gateway/router, and is now using a Cisco ASA as > firewall/router. The Cisco people are very explicit in stating that the > ASA is a firewall, not a router. It's possible to configure and use it > as a router anyway (though you need a PhD in Cisco ASA configuration). > The Cisco ASA was given the previous gateway IP. > > Behind the firewall router are 7 different subnets/VLANs. In the main > LAN are a bunch of Windows servers in a AD domain. One of the VLANs > contains a Samba ADDC, a Samba fileserver, and Windows clients. The > Samba domain machines may connect to the Windows domain, but not the > other way around. The Windows VLAN, and the Samba VLAN have got internet > access. The main DNS servers are in the Windows AD DC, and the backup > Windows AD DC. There is one single time source for the main LAN and VLANs. > > After making the changes, I made a very thorough check that everything > is working. After 4 days I get a call, that 2 clients in the Samba > domain cannot contact the mail server, which is in the Windows domain. > Also, those 2 clients cannot connect to a specific printer in the > Windows domain. Also, the printer seems to be jibbering, transmitting > garbage about 10 times/sec. All other clients in the Samba domain can > connect to the mail server without any problems. Testing, retesting, > checking firewall rules, checking DNS responses, restarting computers, > again, again, again. Everything is OK. But still it does not work. > > Comes after hours, then I make a complete, total reset of all network > devices, all servers, and turning off client computers. It's a small > network, so it was manageable during a long evening. After that, > everything working flawlessly. Even the printer stopped jibbering. > > My only conclusion here is that something very stale was still cached > somewhere. I'm exclusively using HP equipment for switching, so there's > no no-name, undocumented cheapo stuff in the network. But nobody is > perfect... > > Hope that my experiences can give you some input and help. > > Best regards, > > PeterPeter - yes! That's exactly why I said "Standby" in my previous message. It turns out that my testing by setting a single workstation to the correct gateway (192.168.0.1) was insufficient. I found the place to change the setting in dhcpd.conf: "routers = 192.168.0.1", then I restarted dhcpd on the DHCP server (AD/DC), and then reset the network cards, or rebooted several of the workstations. The workstations did get the correct gateway, but then I could connect to nothing! Not even the NAS which requires AD authentication. So, I cleared caches on the DC and rebooted EVERYTHING: AD/DC, all workstations. When things came back up, everything was working!!! Similar to your experience. I've been working on this for three days. First of all, everyone who's been telling me that it had something to do with the gateway setting was correct. Apparently this setting is entangled in lots of other things and simply having the AD/DC's gateway and a domain member's gateway set correctly is not enough. Rebooting everything, with the correct gateway configured in dhcpd.conf, propigates the correct settings throughout. Thanks all for your patience and feedback. With respect to the continued thread about firewalls and devices, I quite agree with the critiques about their expense and complexity. I have been doing just fine for years using iptables in my Internet-facing servers. I've tried Sonicwall in the past, found it a pain to configure, and returned it. I just got off the phone with the Sonicwall tech who helped me through the labyrinthine process of simply port-forwarding. But, orders are orders! --Mark
Reindl Harald
2019-Mar-05 23:33 UTC
[Samba] getent not working after installing firewall (SOLVED)
Am 06.03.19 um 00:21 schrieb Mark Foley via samba:> Peter - yes! That's exactly why I said "Standby" in my previous message. It turns out that my > testing by setting a single workstation to the correct gateway (192.168.0.1) was insufficient. > I found the place to change the setting in dhcpd.conf: "routers = 192.168.0.1", then I > restarted dhcpd on the DHCP server (AD/DC), and then reset the network cards, or rebooted > several of the workstations. The workstations did get the correct gateway, but then I could > connect to nothing! Not even the NAS which requires AD authentication. > > So, I cleared caches on the DC and rebooted EVERYTHING: AD/DC, all workstations. When things > came back up, everything was working!!! Similar to your experience. I've been working on this > for three days.in other words parts of your network where not aware that the network has changed - that's expected when you even don't refresh your dhcpd to spit out the changed gateway to clients asking for it
Apparently Analagous Threads
- getent not working after installing firewall
- state of IPSec VPN on CentOS 7: Openswan, strongSwan, RPM packages
- state of IPSec VPN on CentOS 7: Openswan, strongSwan, RPM packages
- Teo En Ming's Learning Achievements on 14 August 2020 Friday
- state of IPSec VPN on CentOS 7: Openswan, strongSwan, RPM packages