L.P.H. van Belle
2019-Mar-05 08:18 UTC
[Samba] getent not working after installing firewall
Solution is really simple.
Since this server is dual-homed ( 2 nic's ), i suggest setup advanced routing tables.

The short version of howto setup.

edit /etc/iproute2/rt_tables and Add :
10 OfficeLan
20 InternetWan

Lookup the routing tables:
ip route show table OfficeLan
ip route show table InternetWan

The default gateway's is to the internet. ( change ethX to your network interface name )
ip route add default via internet_IP_HERE dev eth0 table InternetWan
ip route add default via lan_IP_HERE dev eth1 table OfficeLan

Check it :
ip route show table main

Add lan routing rules.
ip rule add from lan_IP_HERE/24 lookup OfficeLan prio 900
ip rule add to lan_IP_HERE/24 lookup OfficeLan prio 900
ip rule

Add Wan routing rules.
ip rule add from internet_IP_HERE lookup InternetWan prio 1000
ip rule add to internet_IP_HERE lookup InternetWan prio 1000

If you want this in the network interface setup.

# The primary network interface ETH0 ( LAN )
allow-hotplug eth0
iface eth0 inet static
    address 192.168.0.236/24
    # 192.168.0.1 = Gateway IP LAN ( in this example an other server )
    post-up ip route add 192.168.0.1 dev eth0 src 192.168.0.236 table OfficeLan
    # extra subnet example
    # post-up ip route add 10.12.0.0/16 via 192.168.0.1 dev eth0
    post-up ip route add default via 192.168.0.1 table OfficeLan
    post-up ip rule add from 192.168.0.236 table OfficeLan
    post-up ip route add 127.0.0.0/8 dev lo table OfficeLan
    post-down ip rule del from 192.168.0.236 table OfficeLan

# The secondary network interface ETH1 ( WAN )
allow-hotplug eth1
iface eth1 inet static
    address internet_IP_HERE/xx
    # src must be this host's own WAN address, not the gateway's
    post-up ip route add internet_IP_HERE/XX dev eth1 src internet_IP_HERE table InternetWan
    post-up ip route add default via internet_GATEWAYIP_HERE table InternetWan
    post-up ip rule add from internet_IP_HERE/XX table InternetWan
    post-up ip route add 127.0.0.0/8 dev lo table InternetWan
    post-down ip rule del from internet_IP_HERE table InternetWan
    post-up ip route add default scope global nexthop via internet_GATEWAYIP_HERE dev eth1

Or google "advanced routing tables"

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Peter Milesson via samba
> Sent: Tuesday 5 March 2019 8:39
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent not working after installing firewall
>
>
>
> On 05.03.2019 7:14, Mark Foley via samba wrote:
> > On Tue, 5 Mar 2019 06:17:59 +0100 Reindl Harald <h.reindl at thelounge.net> wrote:
> >> On 05.03.19 at 00:22, Mark Foley via samba wrote:
> >>> /etc/resolv.conf:
> >>> nameserver 192.168.0.2
> >>> nameserver 209.18.47.62
> >>>
> >>> /etc/hosts:
> >>> 127.0.0.1 localhost
> >>> 192.168.0.60 ccarter
> >>>
> >>> So, the gateway is the Sonicwall firewall, 192.168.0.1. Nameservers are the DC (192.168.0.2)
> >>> and one of the ISP name servers. The IP is static and is set in /etc/hosts. At this point,
> >>> there should be no issues or questions with respect to which gateway or DHCP usage (DHCP is not
> >>> being used)
> >> besides that you really could strip your quotes why in the world are you
> >> doing that? there is no point except asking for troubles when you mix
> >> your DC and an external nameserver
> > Personally, I like the quotes. It gives me, and hopefully others, a clearer picture of the
> > problem and what has been tried. A reader can always skip to the bottom.
> >
> > ANYWAY, Standby! I may have the problem solved. I need to do a bit more experimentation with a
> > couple of components, but I think it might be fixed. I'll post again later when I've confirmed.
> >
> > --Mark
>
> Hi folks,
>
> I'll poke a stick into this, due to recent experiences.
>
> Essentially, it's not a Samba problem. It's a network problem. First,
> make sure your devices and configurations are in order. Then it may, or
> may not work anyway.
>
> For different reasons, I had to make a slight network topology change. I
> removed the previous gateway/router, and am now using a Cisco ASA as
> firewall/router. The Cisco people are very explicit in stating that the
> ASA is a firewall, not a router. It's possible to configure and use it
> as a router anyway (though you need a PhD in Cisco ASA configuration).
> The Cisco ASA was given the previous gateway IP.
>
> Behind the firewall router are 7 different subnets/VLANs. In the main
> LAN are a bunch of Windows servers in an AD domain. One of the VLANs
> contains a Samba ADDC, a Samba fileserver, and Windows clients. The
> Samba domain machines may connect to the Windows domain, but not the
> other way around. The Windows VLAN, and the Samba VLAN have got internet
> access. The main DNS servers are in the Windows AD DC, and the backup
> Windows AD DC. There is one single time source for the main LAN and VLANs.
>
> After making the changes, I made a very thorough check that everything
> is working. After 4 days I get a call, that 2 clients in the Samba
> domain cannot contact the mail server, which is in the Windows domain.
> Also, those 2 clients cannot connect to a specific printer in the
> Windows domain. Also, the printer seems to be jibbering, transmitting
> garbage about 10 times/sec. All other clients in the Samba domain can
> connect to the mail server without any problems. Testing, retesting,
> checking firewall rules, checking DNS responses, restarting computers,
> again, again, again. Everything is OK. But still it does not work.
>
> Comes after hours, then I make a complete, total reset of all network
> devices, all servers, and turning off client computers. It's a small
> network, so it was manageable during a long evening. After that,
> everything working flawlessly. Even the printer stopped jibbering.
>
> My only conclusion here is that something very stale was still cached
> somewhere. I'm exclusively using HP equipment for switching, so there's
> no no-name, undocumented cheapo stuff in the network. But nobody is
> perfect...
>
> Hope that my experiences can give you some input and help.
>
> Best regards,
>
> Peter
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
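As an added illustration (not from the post or from Samba itself), here is a small Python model of the rule/table lookup the commands above configure. It assumes the short version's interface assignment (eth0 WAN, eth1 LAN) and fills the placeholders with documentation-range addresses (WAN 203.0.113.10/24, gateway 203.0.113.1), and shows that the table is chosen by source address, so replies leave through the interface they arrived on rather than all going out the main default route.

```python
import ipaddress

# Constructed model (not from the mailing-list post): a minimal imitation of
# Linux policy routing, used to trace which table and gateway the post's rules
# select for a given (src, dst) pair.  Assumed placeholder values:
# LAN 192.168.0.236/24 with gateway 192.168.0.1 on eth1,
# WAN 203.0.113.10/24 with gateway 203.0.113.1 on eth0.

TABLES = {
    "main": [("192.168.0.0/24", None, "eth1"), ("203.0.113.0/24", None, "eth0"),
             ("0.0.0.0/0", "203.0.113.1", "eth0")],
    "OfficeLan": [("192.168.0.0/24", None, "eth1"), ("0.0.0.0/0", "192.168.0.1", "eth1")],
    "InternetWan": [("203.0.113.0/24", None, "eth0"), ("0.0.0.0/0", "203.0.113.1", "eth0")],
}

# (prio, selector, value, table) mirroring the post's `ip rule add ...` lines;
# prio 32766 is the kernel's implicit rule that sends everything else to `main`.
RULES = [
    (900, "from", "192.168.0.0/24", "OfficeLan"),
    (900, "to", "192.168.0.0/24", "OfficeLan"),
    (1000, "from", "203.0.113.10/32", "InternetWan"),
    (1000, "to", "203.0.113.10/32", "InternetWan"),
    (32766, "from", "0.0.0.0/0", "main"),
]


def lookup(table, dst):
    """Longest-prefix match inside one table; returns (via, dev) or None."""
    best = None
    for prefix, via, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via, dev)
    return None if best is None else best[1:]


def resolve(src, dst):
    """Walk the rules in priority order like the kernel's RPDB; the first
    table that holds a matching route wins.  Returns (table, via, dev)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, sel, value, table in sorted(RULES):
        key = src if sel == "from" else dst
        if key in ipaddress.ip_network(value):
            hit = lookup(table, dst)
            if hit:
                return (table, *hit)
    raise LookupError("no route for %s -> %s" % (src, dst))
```

Without the prio 1000 rules, a reply sourced from the WAN address would fall through to `main` as well; here the rules keep LAN-sourced and WAN-sourced traffic on their own gateways.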
On 05.03.19 at 09:18, L.P.H. van Belle via samba wrote:
> Solution is really simple.
> Since this server is dual-homed ( 2 nic's ), i suggest setup advanced routing tables.
>
> The short version of howto setup.
>
> edit /etc/iproute2/rt_tables and Add :
> 10 OfficeLan
> 20 InternetWan
>
> Lookup the routing tables:
> ip route show table OfficeLan
> ip route show table InternetWan
>
> The default gateway's is to the internet. ( change ethX to your network interface name )

well, what is the point of multihoming an internal server at all?

that's the job of the firewall/router/gateway but on your LAN you just
have a 192.168.x.x network with no non-default routes and just the
gateway which only is part of the game when a machine wants to talk to
something not in its own LAN

all other traffic stays in the LAN and doesn't touch the
router/gateway/firewall, not even multicast on a proper device with
"multicast off allmulticast off" since there is no point dealing with
multicast packets on the firewall
L.P.H. van Belle
2019-Mar-05 13:32 UTC
[Samba] getent not working after installing firewall
Hai Harald,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Reindl Harald via samba
> Sent: Tuesday 5 March 2019 13:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent not working after installing firewall
>
>
>
> On 05.03.19 at 09:18, L.P.H. van Belle via samba wrote:
> > Solution is really simple.
> > Since this server is dual-homed ( 2 nic's ), i suggest setup advanced routing tables.
> >
> > The short version of howto setup.
> >
> > edit /etc/iproute2/rt_tables and Add :
> > 10 OfficeLan
> > 20 InternetWan
> >
> > Lookup the routing tables:
> > ip route show table OfficeLan
> > ip route show table InternetWan
> >
> > The default gateway's is to the internet. ( change ethX to your network interface name )
>
> well, what is the point of multihoming an internal server at all?
>

That all depends on your needs sure, most people don't need a multihomed setup.

My default gw is/are my core switches, where i'm intervlanning.
5 endpoints to different locations, Mail split up over 2 locations.
Webserver with 2 internet locations but accessible through 3 locations +lan
And 6 subnets (in vlans.)

Sounds all complex, wha.. Yes maybe, but things like that is why 'i' need multihoming.

Can this be improved, sure yes but im not questioning the T.P. its setup,
im showing a solution for his problem. Nothing more, nothing less.

You are questioning my solution thats good, now i think..

> that's the job of the firewall/router/gateway but on your LAN you just
> have a 192.168.x.x network with no non-default routes and just the
> gateway which only is part of the game when a machine wants to talk to
> something not in its own LAN

This suggests, for you a firewall, router and gateway are the same? For me not.
This might be 1,2 or 3 devices.

> all other traffic stays in the LAN and doesn't touch the
> router/gateway/firewall, not even multicast on a proper device with
> "multicast off allmulticast off" since there is no point dealing with
> multicast packets on the firewall

No? Why am i reading different things here.

https://tools.ietf.org/html/rfc2588 chap5.
In short, a firewall must do three things in order to handle multicast:
1/ Support the chosen multicast security policy (which establishes particular multicast groups as being candidates to be relayed),
2/ Determine (dynamically) when each candidate group should be relayed, and
3/ Relay each candidate group's data across the firewall (and then re-multicast it at the far end).

Or https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn974068(v=vs.85)
Make Web Services on Devices (WSD) printers visible to Windows 10 via Multicast DNS (mDNS) and DNS Service Discovery (DNS-SD).

Or https://tools.ietf.org/html/rfc4795
The Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS)
packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.

So i don't totally agree on your statement :
"there is no point dealing with multicast packets on the firewall"

Again this all is highly subject to your needs, 90% of the users won't need it..
On that i agree with you.

On the samba list we do have beginners and very advanced users.
So thats why i do show things..

And i do appreciate your input Harald.
Things like this will only make samba better and resulting setup's will be better.

Greetz,

Louis
On 05.03.19 at 14:32, L.P.H. van Belle via samba wrote:
>> well, what is the point of multihoming an internal server at all?
>>
> That all depends on your needs sure, most people don't need a multihomed setup.
>
> My default gw is/are my core switches, where i'm intervlanning.
> 5 endpoints to different locations, Mail split up over 2 locations.
> Webserver with 2 internet locations but accessible through 3 locations +lan
> And 6 subnets (in vlans.)
>
> Sounds all complex, wha.. Yes maybe, but things like that is why 'i' need multihoming.

my point is that the multihoming should happen on a device dealing with
routing/internet traffic and not on a samba machine so that it's
completely transparent to the LAN

> Can this be improved, sure yes but im not questioning the T.P. its setup,
> im showing a solution for his problem. Nothing more, nothing less.
>
> You are questioning my solution thats good, now i think..
>
>> that's the job of the firewall/router/gateway but on your LAN you just
>> have a 192.168.x.x network with no non-default routes and just the
>> gateway which only is part of the game when a machine wants to talk to
>> something not in its own LAN
>
> This suggests, for you a firewall, router and gateway are the same? For me not.
> This might be 1,2 or 3 devices.

it might be 3 devices, but none of them should be your Samba DC

> Or https://tools.ietf.org/html/rfc4795
> The Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS)
> packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.

the point here is local link

> So i don't totally agree on your statement :
> "there is no point dealing with multicast packets on the firewall"

not when the firewall separates your LAN from the internet, mdns/broadcasts belong to the LAN

> Again this all is highly subject to your needs, 90% of the users won't need it..
> On that i agree with you.
>
> On the samba list we do have beginners and very advanced users.
> So thats why i do show things..
>
> And i do appreciate your input Harald.
> Things like this will only make samba better and resulting setup's will be better

the point i made is that i question the OP's setup in general where
internal hosts are aware of routing, multihoming and so on at all

look at the first rules below

INBOUND: that chain deals with packets from the internet
OUTBOUND: that chain deals with packets to the internet
INTERNAL: that chain deals with VPN traffic and "loopback"

"wan" is in fact a multihomed bridge running HSRP between the uplinks
but that's still a different layer and so in the firewall rules it doesn't
matter, the virtual gateway stays the same and for inbound traffic you
don't need to care over which line it enters the gateway and ruleset

the LAN interface and the network including switches and servers don't
need to know anything about that

when replacing the openvpn machine with wireguard most likely there will
be a new chain for the wireguard-interfaces and the decision if a packet
targets INTERNAL/WIREGUARD is made by the routing before, still
completely transparent to the LAN

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     320M  302G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2      12M  703M INBOUND    all  --  wan    lan     0.0.0.0/0            0.0.0.0/0            ctstate NEW ! match-set EXCLUDES src
3    6480K  526M OUTBOUND   all  --  lan    wan     192.168.196.0/24     0.0.0.0/0            ctstate NEW
4     4128  277K INTERNAL   all  --  lan    lan     0.0.0.0/0            0.0.0.0/0            ctstate NEW
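As an added example (not from the post), a small Python parser for the `iptables -L FORWARD -nv --line-numbers` layout shown above, plus the checks a defender would run over such a chain: default-deny policy, the conntrack shortcut as rule 1, and no NEW-state rule bound to a wildcard interface. The sample listing is constructed after the rows in the post, not captured from a live host.

```python
import re

# Constructed sample in the layout of `iptables -L FORWARD -nv --line-numbers`,
# modelled on the chain shown in the post (not captured from a real host).
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     320M  302G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2      12M  703M INBOUND    all  --  wan    lan     0.0.0.0/0            0.0.0.0/0            ctstate NEW ! match-set EXCLUDES src
3    6480K  526M OUTBOUND   all  --  lan    wan     192.168.196.0/24     0.0.0.0/0            ctstate NEW
4     4128  277K INTERNAL   all  --  lan    lan     0.0.0.0/0            0.0.0.0/0            ctstate NEW
"""

HEADER = re.compile(r"^Chain (\S+) \(policy (\S+)")
FIELDS = ("num", "pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")


def parse_chain(text):
    """Return (chain name, policy, rules); each rule is a dict of the fixed
    columns plus 'extra' for the trailing match text (ctstate, sets, ...)."""
    lines = [l for l in text.splitlines() if l.strip()]
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("not an iptables chain listing")
    rules = []
    for line in lines[2:]:            # lines[1] is the column header
        parts = line.split(None, len(FIELDS))
        rule = dict(zip(FIELDS, parts))
        rule["extra"] = parts[len(FIELDS)] if len(parts) > len(FIELDS) else ""
        rules.append(rule)
    return m.group(1), m.group(2), rules


def audit_forward(text):
    """Checks for a FORWARD chain of the shape above: default-deny policy,
    conntrack shortcut first, and every NEW-state rule bound to explicit
    in/out interfaces rather than '*'.  Returns a list of findings."""
    _, policy, rules = parse_chain(text)
    findings = []
    if policy != "DROP":
        findings.append("policy is %s, expected DROP" % policy)
    if not (rules and rules[0]["target"] == "ACCEPT"
            and "RELATED,ESTABLISHED" in rules[0]["extra"]):
        findings.append("first rule does not accept RELATED,ESTABLISHED")
    for r in rules:
        if "ctstate NEW" in r["extra"] and "*" in (r["in"], r["out"]):
            findings.append("rule %s matches NEW on a wildcard interface" % r["num"])
    return findings
```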
L.P.H. van Belle
2019-Mar-05 15:08 UTC
[Samba] getent not working after installing firewall
> my point is that the multihoming should happen on a device dealing with
> routing/internet traffic and not on a samba machine so that it's
> completely transparent to the LAN

And for that, you could use advanced routing. Which is an option, nothing more.
Your setup is also a good option. nothing more.

> > This might be 1,2 or 3 devices.
>
> it might be 3 devices, but none of them should be your Samba DC.

Again this depends on your needs, sometimes you must.
A Samba DC could be used but is not advised.
Same as, Samba Member is using Winbind and not SSSD, but it could be used.

> > Or https://tools.ietf.org/html/rfc4795
> > The Link-Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS)
> > packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
>
> the point here is local link

Yep, and i'll add: for IPv4
IPv6 is a bit different here, but lets not discuss that. I still have some work todo here. ;-)

> > So i don't totally agree on your statement :
> > "there is no point dealing with multicast packets on the firewall"
>
> not when the firewall separates your LAN from the internet, mdns/broadcasts belong to the LAN.
>
> > Again this all is highly subject to your needs, 90% of the users won't need it..
> > On that i agree with you.
> >
> > On the samba list we do have beginners and very advanced users.
> > So thats why i do show things..
> >
> > And i do appreciate your input Harald.
> > Things like this will only make samba better and resulting setup's will be better
>
> the point i made is that i question the OP's setup in general where
> internal hosts are aware of routing, multihoming and so on at all
>
> look at the first rules below
>
> INBOUND: that chain deals with packets from the internet
> OUTBOUND: that chain deals with packets to the internet
> INTERNAL: that chain deals with VPN traffic and "loopback"
>
> "wan" is in fact a multihomed bridge running HSRP between the uplinks
> but that's still a different layer and so in the firewall rules it doesn't
> matter, the virtual gateway stays the same and for inbound traffic you
> don't need to care over which line it enters the gateway and ruleset
>
> the LAN interface and the network including switches and servers don't
> need to know anything about that
>
> when replacing the openvpn machine with wireguard most likely there will
> be a new chain for the wireguard-interfaces and the decision if a packet
> targets INTERNAL/WIREGUARD is made by the routing before, still
> completely transparent to the LAN
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1     320M  302G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
> 2      12M  703M INBOUND    all  --  wan    lan     0.0.0.0/0            0.0.0.0/0            ctstate NEW ! match-set EXCLUDES src
> 3    6480K  526M OUTBOUND   all  --  lan    wan     192.168.196.0/24     0.0.0.0/0            ctstate NEW
> 4     4128  277K INTERNAL   all  --  lan    lan     0.0.0.0/0            0.0.0.0/0            ctstate NEW

Yes, this is also a good option.

You know, MS's response on a multihomed AD-DC and problems :-) hihi... :-P
This behavior is by design. ( kb272294 )

Thank you for your input Harald, we have the same thoughts, but 2 different solutions.

Greetz,

Louis