Solved

Can't connect to Samba domain controller through remote network VPN connection

Posted on 2005-03-24
Last Modified: 2008-01-09
I'm trying to set up a remote office using IPCop based firewalls and a Samba domain controller.

The setup is as follows

Samba <--> LAN <--> IPCop1 <--> VPN <--> Internet <--> VPN <--> IPCop2 <--> Remote LAN <--> XP Client
Samba: 172.16.100.2
LAN: 172.16.100.0/24
Remote LAN: 172.16.101.0/24
XP Client: 172.16.101.2

Samba is running in domain mode, and XP and 2k workstations are logging in to its 'domain' from the LAN with no problem.  From the XP Client on the remote LAN, I get an error when I try to log in to the domain at bootup: "The system could not log you on because the domain controller DOMAIN1 is not available".  So instead I log in as administrator to the local machine.  Once I'm in on that machine, I can ping across the VPN to the remote network and do anything; it even seems to use my local username/password to authenticate on the remote server, but not log in when the system boots up.

Other services work fine. From the Remote LAN I can use the terminal application that's run here, based off a server on the LAN.  From the Remote LAN I can send and receive email that's authenticated through the same machine as Samba.

It seems to me that something is wrong with my samba config that's preventing the remote network from authenticating.

In smb.conf I modified the line:
[IPC$]
     path = /tmp
     hosts allow = 172.16.100.0/24, 172.16.101.0/24       <-- I added the 2nd one and restarted smb

There are other networks and other remote sites on this network that are working fine.  Just the new one is broken.  I've tried turning off iptables as well, with no luck.
Question by:tommyh5
9 Comments

Expert Comment

by:veedar
ID: 13626816
I smell a firewall. Can you do a port scan? Ports 137-139 need to be open for samba.

Author Comment

by:tommyh5
ID: 13626871
With or without iptables running, only 139 is open (as far as I can tell using Angry IP Scanner).  Other than software firewalls (iptables), there shouldn't be anything blocking any of the traffic through the VPN.

I am able to log in to the server; it does authenticate me, and I can get to files and whatnot, just not log in to the domain at bootup.

Expert Comment

by:veedar
ID: 13626913
Do your samba log files show anything? Look in /var/log/samba
Or even /var/log/messages

Author Comment

by:tommyh5
ID: 13627095
I show a bunch of log files in /var/log/samba which are formatted like this: log.172.16.100.2, one for each IP address that has accessed the server; each of these log files is empty.  smbd.log just shows version info.  I noticed this line in nmbd.log:

  Samba name server SERVER1 is now a local master browser for workgroup DOMAIN1 on subnet 172.16.100.2

Is it supposed to list more than one subnet here? Or does it only list the subnet that the server is directly attached to?


Did a grep for 172.16.104 on that log folder and got:   (172.16.104.0 is the real remote subnet)

[root@server1 samba]# grep 172.16.104 *
log.sacramento1:  sacramento1 (172.16.104.96) connect to service root initially as user root (uid=0, gid=600) (pid 30435)
log.sacramento1:  sacramento1 (172.16.104.96) connect to service Departments initially as user root (uid=0, gid=0) (pid 30435)
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service Departments
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service root
log.sacramento1:  Denied connection from  (172.16.104.96)
log.sacramento1:  sacramento1 (172.16.104.96) connect to service root initially as user root (uid=0, gid=600) (pid 30441)
log.sacramento1:  Denied connection from  (172.16.104.96)
log.sacramento1:  sacramento1 (172.16.104.96) connect to service root initially as user root (uid=0, gid=600) (pid 30441)
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service root
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service root
log.sacramento1:  sacramento1 (172.16.104.96) connect to service Departments initially as user root (uid=0, gid=0) (pid 6779)
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service Departments
log.sacramento1:  sacramento1 (172.16.104.96) connect to service Projects initially as user root (uid=0, gid=0) (pid 6790)
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service Projects
log.sacramento1:  sacramento1 (172.16.104.96) connect to service Departments initially as user root (uid=0, gid=0) (pid 7247)
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service Departments
log.sacramento2:  sacramento2 (172.16.104.97) connect to service Departments initially as user root (uid=0, gid=0) (pid 30446)
log.sacramento2:  sacramento2 (172.16.104.97) closed connection to service Departments
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  sacramento2 (172.16.104.97) connect to service root initially as user root (uid=0, gid=600) (pid 30448)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  sacramento2 (172.16.104.97) connect to service root initially as user root (uid=0, gid=600) (pid 30448)
log.sacramento2:  sacramento2 (172.16.104.97) closed connection to service root
log.sacramento2:  sacramento2 (172.16.104.97) closed connection to service root
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  sacramento2 (172.16.104.97) connect to service Departments initially as user root (uid=0, gid=0) (pid 6821)
log.sacramento2:  sacramento2 (172.16.104.97) connect to service Projects initially as user root (uid=0, gid=0) (pid 6821)
log.sacramento2:  sacramento2 (172.16.104.97) closed connection to service Departments
log.sacramento2:  sacramento2 (172.16.104.97) closed connection to service Projects
log.sacramento4:  Denied connection from  (172.16.104.99)
log.sacramento4:  sacramento4 (172.16.104.99) connect to service root initially as user root (uid=0, gid=600) (pid 30594)
log.sacramento4:  sacramento4 (172.16.104.99) closed connection to service root
log.tomlap:  Denied connection from  (172.16.104.95)
log.tomlap:  Denied connection from  (172.16.104.95)
log.tomlap:  Denied connection from  (172.16.104.95)
[root@server1 samba]#




And then a grep for the same in /var/log/messages:


messages:Mar 23 15:38:28 acme1 smbd[29633]:   Denied connection from  (172.16.104.95)
messages:Mar 23 15:38:37 acme1 smbd[29634]:   Denied connection from  (172.16.104.95)
messages:Mar 23 15:38:40 acme1 smbd[29635]:   Denied connection from  (172.16.104.95)
messages:Mar 23 17:54:51 acme1 smbd[30440]:   Denied connection from  (172.16.104.96)
messages:Mar 23 17:54:54 acme1 smbd[30441]:   Denied connection from  (172.16.104.96)
messages:Mar 23 17:56:14 acme1 smbd[30447]:   Denied connection from  (172.16.104.97)
messages:Mar 23 17:56:14 acme1 smbd[30448]:   Denied connection from  (172.16.104.97)
messages:Mar 23 18:06:07 acme1 smbd[30594]:   Denied connection from  (172.16.104.99)
messages:Mar 24 10:47:33 acme1 smbd[4684]:   Denied connection from  (172.16.104.97)
messages:Mar 24 10:47:33 acme1 smbd[4685]:   Denied connection from  (172.16.104.97)
messages:Mar 24 10:47:33 acme1 smbd[4686]:   Denied connection from  (172.16.104.97)
messages:Mar 24 10:47:33 acme1 smbd[4686]:   Denied connection from  (172.16.104.97)
messages:Mar 24 10:47:45 acme1 smbd[4688]:   Denied connection from  (172.16.104.97)
messages:Mar 24 10:47:59 acme1 smbd[4691]:   Denied connection from  (172.16.104.97)

I also get a few kernel messages in the same file:


messages:Mar 24 16:55:58 acme1 kernel: IN=eth0 OUT= MAC=00:06:5b:fd:2f:19:00:90:27:85:15:a7:08:00 SRC=172.16.104.96 DST=172.16.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=21643 DF PROTO=TCP SPT=1175 DPT=138 WINDOW=65535 RES=0x00 SYN URGP=0
messages:Mar 24 16:55:58 acme1 kernel: IN=eth0 OUT= MAC=00:06:5b:fd:2f:19:00:90:27:85:15:a7:08:00 SRC=172.16.104.96 DST=172.16.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=21643 DF PROTO=TCP SPT=1175 DPT=138 WINDOW=65535 RES=0x00 SYN URGP=0

Author Comment

by:tommyh5
ID: 13627097
acme1 is the server at 172.16.100.2

Accepted Solution

by:
veedar earned 375 total points
ID: 13627293
Hmmm, it looks like smb.conf is the problem.
Run the command "testparm" to check your smb.conf.

Here's some random ideas....

You say there are other networks and other remote sites that work.
Have you compared a known working smb.conf with the broken smb.conf?

Portscan a known working system.

On the PC can  you do a...
net view \\acme1

Were you able to join the domain already from the remote PC?

Are you using smbpasswd? Have you set up Samba logins?

Try:  hosts allow = 172.16.
It will allow 172.16.*.*

Read...
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html
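The "Denied connection from  (172.16.104.96)" lines in the posted logs are what smbd writes when a client fails the hosts allow / hosts deny check (the empty spot before the parenthesised address is where the unresolved client name would go). The list in the question admits 172.16.101.0/24, but every denied client is in 172.16.104.0/24. The script below is an added example, not part of this thread or of Samba itself: it implements the address forms the smb.conf manual documents for hosts allow (single IP, network/bits, network/netmask, a trailing-dot prefix such as "172.16.", ALL, and an EXCEPT clause) and evaluates the denied addresses from the posted logs against both the question's list and the "172.16." value suggested above. Hostnames and hosts deny are deliberately not handled; the sample log lines are copied from the thread.

```python
"""Check Samba 'hosts allow' coverage against 'Denied connection' log lines.

Added example for this thread; not Samba's own code. Only address forms
are handled (assumption): hostnames in hosts allow are never resolved,
and 'hosts deny' is not consulted.
"""
import ipaddress
import re

# Line smbd logs when a client fails the hosts allow / hosts deny check.
DENIED_RE = re.compile(r"Denied connection from\s+\((?P<ip>\d+(?:\.\d+){3})\)")

# Log lines copied from the thread (log.* files and /var/log/messages).
SAMPLE_LOG = """\
log.sacramento1:  sacramento1 (172.16.104.96) connect to service root initially as user root (uid=0, gid=600) (pid 30435)
log.sacramento1:  Denied connection from  (172.16.104.96)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento4:  Denied connection from  (172.16.104.99)
log.tomlap:  Denied connection from  (172.16.104.95)
messages:Mar 23 15:38:28 acme1 smbd[29633]:   Denied connection from  (172.16.104.95)
""".splitlines()


def _tokens(value):
    """Split a hosts allow value on commas and whitespace, dropping empties."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def parse_hosts_allow(value):
    """Return (allowed, excepted) pattern lists; everything after EXCEPT is excepted."""
    tokens = _tokens(value)
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        idx = upper.index("EXCEPT")
        return tokens[:idx], tokens[idx + 1:]
    return tokens, []


def matches(pattern, ip):
    """True if one hosts allow pattern covers the address ip."""
    addr = ipaddress.ip_address(ip)
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        # Prefix form: '172.16.' covers 172.16.0.0-172.16.255.255 but not
        # 172.160.x.x, because the trailing dot takes part in the comparison.
        return ip.startswith(pattern)
    if "/" in pattern:
        # network/bits (172.16.100.0/24) or network/netmask (172.16.100.0/255.255.255.0)
        return addr in ipaddress.ip_network(pattern, strict=False)
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # a hostname: not resolved in this example


def is_allowed(hosts_allow, ip):
    """Apply a hosts allow value: an EXCEPT match denies, otherwise any match allows."""
    allowed, excepted = parse_hosts_allow(hosts_allow)
    if any(matches(p, ip) for p in excepted):
        return False
    return any(matches(p, ip) for p in allowed)


def denied_clients(log_lines):
    """Sorted, de-duplicated client addresses that smbd reported as denied."""
    found = set()
    for line in log_lines:
        m = DENIED_RE.search(line)
        if m:
            found.add(m.group("ip"))
    return sorted(found, key=ipaddress.ip_address)


def audit(log_lines, hosts_allow):
    """Map each denied client to whether hosts_allow would admit it."""
    return {ip: is_allowed(hosts_allow, ip) for ip in denied_clients(log_lines)}


if __name__ == "__main__":
    posted = "172.16.100.0/24, 172.16.101.0/24"  # the [IPC$] line from the question
    suggested = "172.16."                        # the value suggested in the answer
    for label, value in (("posted", posted), ("suggested", suggested)):
        print(label, audit(SAMPLE_LOG, value))
```

Run against the real files with `grep -h 'Denied connection' /var/log/samba/log.* /var/log/messages` piped in, and compare against the hosts allow value `testparm -s` prints for the share in question; remember that hosts allow is a per-share parameter, so a value set only under [IPC$] does not cover the other shares.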

Author Comment

by:tommyh5
ID: 13676693
Looks like for remote network Domain Logins you have to specify a WINS server.  Specifying the remote WINS server solved my problem.
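Why WINS is the fix: at logon an XP client locates a domain controller by resolving the NetBIOS group name DOMAIN1<1C>. Without a WINS server that lookup is a broadcast, which stays on the client's own subnet and never crosses the VPN router, so the remote client boots without finding a controller even though shares work later, once the user names a server explicitly. As an added example (not the asker's configuration), the smb.conf fragment below shows a Samba 3 PDC that is also the WINS server for every 172.16.x.x site, with hosts allow widened to the prefix suggested in the accepted answer. The netlogon path is an assumption; adjust it to the distribution's layout.

```ini
# Added example smb.conf fragment (not the asker's file): Samba 3 PDC that is
# also the WINS server for all 172.16.x.x sites. smb.conf has no end-of-line
# comments, so every comment sits on its own line.
[global]
   workgroup = DOMAIN1
   netbios name = SERVER1
   security = user
   encrypt passwords = yes
# Domain logons: this host registers DOMAIN1<1C> and serves [netlogon]
   domain logons = yes
   domain master = yes
   preferred master = yes
   local master = yes
   os level = 65
# WINS: remote subnets register and look up names here instead of broadcasting.
# Do not also set 'wins server' on the host that has 'wins support = yes'.
   wins support = yes
   name resolve order = wins lmhosts host bcast
# Prefix form covers 172.16.100.0/24, 172.16.104.0/24 and any other 172.16. site
   hosts allow = 172.16.
   log file = /var/log/samba/log.%m

[netlogon]
# Path is an assumption; use the directory your distribution provides
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no
```

The remote clients (or the DHCP server at the remote site) must be given 172.16.100.2 as their WINS server; that is the client-side change the asker made. Check the file with `testparm`, and check that the controller name is registered and reachable across the VPN with `nmblookup -U 172.16.100.2 -R 'DOMAIN1#1c'` from a Linux host on the remote subnet.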