Hi!

Here is my next problem (I hope this is the last :). Firewall is OK. But now there is our ftp-server with Samba before the firewall. It means we have to pass it before we contact the Samba. I got many solutions from the web but the problem is still here. They don't work. The Samba is set to synchronize its passwords with the NT server (PDC), which is behind the fw. If somebody knows a working solution, please let me know!

Best Regards,
Janek

Hi!

I added
security = domain
and
password server = *
to the smb.conf.

Maybe the word "synchronize" is not the best term I wrote. But my point is - before the fw our users just entered the domain logon password. And that was all, the Samba shares were mapped "automatically". If I now run \\server_ip_aadress\public, it asks me for a password.

Janek.

> hello,
>
> how do you synchronize the user db from the NT server to samba?
>
> or do you make a simple lookup on the NT server, security=domain or
> security=user ??
>
> best regards
> Wolfgang
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

i think you need to forward these ports to the pdc:

139/tcp
137/udp
138/udp

of course only the samba server should reach the pdc.

maybe with DNAT?

DNAT net loc:(pdc ip) tcp 139
DNAT net loc:(pdc ip) udp 137
DNAT net loc:(pdc ip) udp 138

but how to allow only the samba server to reach the pdc?

best regards
Wolfgang

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Janek Jüssi
Sent: Friday, 20 September 2002 13:12
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] Shorewall and Samba

sorry, same problem! This DNAT to pdc was something new and hopeful for me. Maybe wrong ports?

Janek.

Ok.

Is your PDC W2K or WNT ?

139/tcp, 137/udp, 138/udp/tcp are the good ports,
in fact for asking for auth you only need to open 138 (session).

137 is for name service and 139 for transfer.

If it's W2k, you need to open 445/tcp.

----- Original Message -----
From: "Janek" <janekj@online.ee>
To: "Wolfgang Rest" <webmaster@hackenschmiede.com>
Cc: <shorewall-users@shorewall.net>
Sent: Friday, September 20, 2002 2:16 PM
Subject: Re: [Shorewall-users] Shorewall and Samba

NT 4.0 SP6

Janek.

> -----Original Message-----
> From: Janek Jüssi [mailto:janek@kruul.ee]
> Sent: Friday, September 20, 2002 4:34 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Shorewall and Samba

I have a samba server configured to authenticate with my PDC (NT4.0 sp6), but it exists in my DMZ zone, not my NET zone. I had to open up the following ports (see below). I simply added these rules (one by one) by watching the shorewall/iptables logfile entries as this system tried to register with the WINS server and/or I tried to access a share from my LAN. YMMV, but this should get you started in the right direction.

Steve Cowles

ACCEPT  dmz  loc  tcp  netbios-ns
ACCEPT  dmz  loc  tcp  netbios-dgm
ACCEPT  dmz  loc  tcp  netbios-ssn
ACCEPT  dmz  loc  tcp  microsoft-ds
ACCEPT  dmz  loc  udp  netbios-ns
ACCEPT  dmz  loc  udp  netbios-dgm
ACCEPT  loc  dmz  tcp  netbios-ns
ACCEPT  loc  dmz  tcp  netbios-dgm
ACCEPT  loc  dmz  tcp  netbios-ssn
ACCEPT  loc  dmz  tcp  microsoft-ds
ACCEPT  loc  dmz  udp  netbios-ns
ACCEPT  loc  dmz  udp  netbios-dgm
ACCEPT  loc  dmz  udp  netbios-ssn
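
The log-driven approach described in the message above (adding rules one at a time while watching the Shorewall/iptables log) can be sketched as follows; this is an added example, not code from anyone in the thread. It pins each proposed rule to the Samba server and the PDC using Shorewall's zone:address form, which also bears on the earlier question of letting only the Samba server reach the PDC. Assumptions: the "Shorewall:<chain>:<disposition>:" log prefix, the constructed addresses 192.0.2.10 (Samba) and 10.0.0.5 (PDC), and the hypothetical helper names.

```python
import re

# Service names as they appear in the ACCEPT rules quoted in the thread.
SMB_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}

# Constructed sample: netfilter LOG lines with an assumed "Shorewall:<chain>:<disposition>:" prefix.
SAMPLE_LOG = """\
Sep 20 15:01:02 fw kernel: Shorewall:dmz2loc:DROP:IN=eth2 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 LEN=78 TTL=63 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 20 15:01:03 fw kernel: Shorewall:dmz2loc:DROP:IN=eth2 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TTL=63 DF PROTO=TCP SPT=1034 DPT=139 SYN URGP=0
Sep 20 15:01:06 fw kernel: Shorewall:dmz2loc:DROP:IN=eth2 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TTL=63 DF PROTO=TCP SPT=1034 DPT=139 SYN URGP=0
Sep 20 15:02:10 fw kernel: Shorewall:loc2dmz:DROP:IN=eth1 OUT=eth2 SRC=10.0.0.5 DST=192.0.2.10 LEN=229 TTL=127 PROTO=UDP SPT=138 DPT=138 LEN=209
Sep 20 15:03:40 fw kernel: Shorewall:dmz2loc:DROP:IN=eth2 OUT=eth1 SRC=192.0.2.77 DST=10.0.0.5 LEN=60 TTL=63 DF PROTO=TCP SPT=2211 DPT=139 SYN URGP=0
Sep 20 15:04:12 fw kernel: Shorewall:dmz2loc:DROP:IN=eth2 OUT=eth1 SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TTL=63 DF PROTO=TCP SPT=1040 DPT=23 SYN URGP=0
"""

LINE_RE = re.compile(
    r"Shorewall:(?P<src_zone>\w+?)2(?P<dst_zone>\w+):(?P<disp>\w+):(?P<fields>.*)")


def parse_line(line):
    """Return a dict for a Shorewall-logged packet, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # KEY=VALUE tokens only; bare flags such as DF or SYN are skipped.
    fields = dict(tok.split("=", 1) for tok in m["fields"].split() if "=" in tok)
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None  # e.g. ICMP, which carries no destination port
    return {"src_zone": m["src_zone"], "dst_zone": m["dst_zone"], "disp": m["disp"],
            "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields["PROTO"].lower(), "dport": int(fields["DPT"])}


def propose_rules(log_text, samba_ip, pdc_ip):
    """Split blocked packets into host-pinned ACCEPT rules and a manual-review list."""
    rules, review = [], []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["disp"] not in ("DROP", "REJECT"):
            continue
        hosts_ok = {pkt["src"], pkt["dst"]} == {samba_ip, pdc_ip}
        # A catch-all chain such as net2all does not name both zones.
        zones_ok = "all" not in (pkt["src_zone"], pkt["dst_zone"])
        if hosts_ok and zones_ok and pkt["dport"] in SMB_PORTS:
            entry, bucket = ("ACCEPT {src_zone}:{src} {dst_zone}:{dst} {proto} "
                             .format(**pkt) + SMB_PORTS[pkt["dport"]]), rules
        else:
            entry, bucket = "{src} -> {dst} {proto}/{dport}".format(**pkt), review
        if entry not in bucket:  # retransmissions log the same flow repeatedly
            bucket.append(entry)
    return rules, review


if __name__ == "__main__":
    proposed, needs_review = propose_rules(SAMPLE_LOG, "192.0.2.10", "10.0.0.5")
    print("\n".join(proposed))
    print("Not proposed, review by hand:", needs_review)
```

Traffic from any other host, or to a port outside the NetBIOS/SMB set, lands in the review list instead of becoming a rule.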

sorry, which one is in dmz?

Janek.

> -----Original Message-----
> From: Janek [mailto:janekj@online.ee]
> Sent: Friday, September 20, 2002 8:22 AM
> To: Cowles, Steve
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Shorewall and Samba

Gzzz!!! My PDC is located in my LOC zone, the samba server I referenced in my reply to your post is located in the DMZ. Not the most secure setup, but I did add some smb.conf options to ensure the samba server only responds to requests from my local zone.

Steve Cowles

the samba acts the same way as an nt4.0 server (it emulates an nt4.0 server), so it makes no difference where the nt4.0 or the samba server is located.

the samba must talk to the nt4.0 and vice versa, you see this in steve's posting.

best regards
wolfgang

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Janek
Sent: Friday, 20 September 2002 15:22
To: Cowles, Steve
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Shorewall and Samba

another question,

why do you put your samba server into the net zone?

wolfgang

We decided it after many unsuccessful tries to redirect all traffic from old ip (net) to local new.

Janek

----- Original Message -----
From: "Wolfgang Rest" <webmaster@hackenschmiede.com>
To: <janekj@online.ee>
Cc: <shorewall-users@shorewall.net>
Sent: Friday, September 20, 2002 5:04 PM
Subject: Re: [Shorewall-users] Shorewall and Samba