tommyh5 asked:
Can't connect to Samba domain controller through remote network VPN connection

I'm trying to set up a remote office using IPCop-based firewalls and a Samba domain controller.

The setup is as follows

Samba <--> LAN <--> IPCop1 <--> VPN <--> Internet <--> VPN <--> IPCop2 <--> Remote LAN <--> XP Client
Samba: 172.16.100.2
LAN: 172.16.100.0/24
Remote LAN: 172.16.101.0/24
XP Client: 172.16.101.2

Samba is running in domain mode and XP and 2k workstations are logging in to its 'domain' from the LAN with no problem. From the XP Client on the remote LAN, I get an error when I try to log in to the domain at bootup: "The system could not log you on because the domain controller DOMAIN1 is not available". So instead I log in as administrator to the local machine. Once I'm in on that machine, I can ping across the VPN to the remote network and do anything; it even seems to use my local username/password to authenticate on the remote server, but not log in when the system boots up.

Other services work fine. From the Remote LAN I can use the terminal application that's run here, based off a server on the LAN. From the Remote LAN I can send and receive email that's authenticated through the same machine as Samba.

It seems to me that something is wrong with my Samba config that's preventing the remote network from authenticating.

In smb.conf I modified the line:
[IPC$]
     path = /tmp
     hosts allow = 172.16.100.0/24, 172.16.101.0/24       <-- I added the 2nd one and restarted smb

There are other networks and other remote sites on this network that are working fine. Just the new one is broken. I've tried turning off iptables as well with no luck.
veedar

I smell a firewall. Can you do a port scan? Ports 137-139 need to be open for Samba.
tommyh5 (ASKER)

With or without iptables running, only 139 is open (as far as I can tell using Angry IP Scanner). Other than software firewalls (iptables), there shouldn't be anything blocking any of the traffic through the VPN.

I am able to log in to the server, it does authenticate me, and I can get to files and whatnot, just not log in to the domain at bootup.

Do your Samba log files show anything? Look in /var/log/samba
Or even /var/log/messages
tommyh5 (ASKER)
I show a bunch of log files in /var/log/samba which are formatted like this: log.172.16.100.2, one for each IP address that has accessed the server; each of these log files is empty. smbd.log just shows version info. I noticed this line in nmbd.log:

  Samba name server SERVER1 is now a local master browser for workgroup DOMAIN1 on subnet 172.16.100.2

Is it supposed to list more than one subnet here? Or does it only list the subnet that the server is directly attached to?

I did a grep for 172.16.104 on that log folder and got the following (172.16.104.0 is the real remote subnet):

[root@server1 samba]# grep 172.16.104 *
log.sacramento1:  sacramento1 (172.16.104.96) connect to service root initially as user root (uid=0, gid=600) (pid 30435)
log.sacramento1:  sacramento1 (172.16.104.96) connect to service Departments initially as user root (uid=0, gid=0) (pid 30435)
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service Departments
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service root
log.sacramento1:  Denied connection from  (172.16.104.96)
log.sacramento1:  sacramento1 (172.16.104.96) connect to service root initially as user root (uid=0, gid=600) (pid 30441)
log.sacramento1:  Denied connection from  (172.16.104.96)
log.sacramento1:  sacramento1 (172.16.104.96) connect to service root initially as user root (uid=0, gid=600) (pid 30441)
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service root
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service root
log.sacramento1:  sacramento1 (172.16.104.96) connect to service Departments initially as user root (uid=0, gid=0) (pid 6779)
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service Departments
log.sacramento1:  sacramento1 (172.16.104.96) connect to service Projects initially as user root (uid=0, gid=0) (pid 6790)
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service Projects
log.sacramento1:  sacramento1 (172.16.104.96) connect to service Departments initially as user root (uid=0, gid=0) (pid 7247)
log.sacramento1:  sacramento1 (172.16.104.96) closed connection to service Departments
log.sacramento2:  sacramento2 (172.16.104.97) connect to service Departments initially as user root (uid=0, gid=0) (pid 30446)
log.sacramento2:  sacramento2 (172.16.104.97) closed connection to service Departments
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  sacramento2 (172.16.104.97) connect to service root initially as user root (uid=0, gid=600) (pid 30448)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  sacramento2 (172.16.104.97) connect to service root initially as user root (uid=0, gid=600) (pid 30448)
log.sacramento2:  sacramento2 (172.16.104.97) closed connection to service root
log.sacramento2:  sacramento2 (172.16.104.97) closed connection to service root
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  Denied connection from  (172.16.104.97)
log.sacramento2:  sacramento2 (172.16.104.97) connect to service Departments initially as user root (uid=0, gid=0) (pid 6821)
log.sacramento2:  sacramento2 (172.16.104.97) connect to service Projects initially as user root (uid=0, gid=0) (pid 6821)
log.sacramento2:  sacramento2 (172.16.104.97) closed connection to service Departments
log.sacramento2:  sacramento2 (172.16.104.97) closed connection to service Projects
log.sacramento4:  Denied connection from  (172.16.104.99)
log.sacramento4:  sacramento4 (172.16.104.99) connect to service root initially as user root (uid=0, gid=600) (pid 30594)
log.sacramento4:  sacramento4 (172.16.104.99) closed connection to service root
log.tomlap:  Denied connection from  (172.16.104.95)
log.tomlap:  Denied connection from  (172.16.104.95)
log.tomlap:  Denied connection from  (172.16.104.95)
[root@server1 samba]#

And then a grep for the same in /var/log/messages:

messages:Mar 23 15:38:28 acme1 smbd[29633]:   Denied connection from  (172.16.104.95)
messages:Mar 23 15:38:37 acme1 smbd[29634]:   Denied connection from  (172.16.104.95)
messages:Mar 23 15:38:40 acme1 smbd[29635]:   Denied connection from  (172.16.104.95)
messages:Mar 23 17:54:51 acme1 smbd[30440]:   Denied connection from  (172.16.104.96)
messages:Mar 23 17:54:54 acme1 smbd[30441]:   Denied connection from  (172.16.104.96)
messages:Mar 23 17:56:14 acme1 smbd[30447]:   Denied connection from  (172.16.104.97)
messages:Mar 23 17:56:14 acme1 smbd[30448]:   Denied connection from  (172.16.104.97)
messages:Mar 23 18:06:07 acme1 smbd[30594]:   Denied connection from  (172.16.104.99)
messages:Mar 24 10:47:33 acme1 smbd[4684]:   Denied connection from  (172.16.104.97)
messages:Mar 24 10:47:33 acme1 smbd[4685]:   Denied connection from  (172.16.104.97)
messages:Mar 24 10:47:33 acme1 smbd[4686]:   Denied connection from  (172.16.104.97)
messages:Mar 24 10:47:33 acme1 smbd[4686]:   Denied connection from  (172.16.104.97)
messages:Mar 24 10:47:45 acme1 smbd[4688]:   Denied connection from  (172.16.104.97)
messages:Mar 24 10:47:59 acme1 smbd[4691]:   Denied connection from  (172.16.104.97)

I also get a few kernel messages in the same file:

messages:Mar 24 16:55:58 acme1 kernel: IN=eth0 OUT= MAC=00:06:5b:fd:2f:19:00:90:27:85:15:a7:08:00 SRC=172.16.104.96 DST=172.16.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=21643 DF PROTO=TCP SPT=1175 DPT=138 WINDOW=65535 RES=0x00 SYN URGP=0
messages:Mar 24 16:55:58 acme1 kernel: IN=eth0 OUT= MAC=00:06:5b:fd:2f:19:00:90:27:85:15:a7:08:00 SRC=172.16.104.96 DST=172.16.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=21643 DF PROTO=TCP SPT=1175 DPT=138 WINDOW=65535 RES=0x00 SYN URGP=0
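The "Denied connection from" lines above are what smbd logs when a client address is not covered by `hosts allow`. The following is an added example (not code from the thread) that parses the posted `hosts allow` line and a few of the posted syslog lines, then reports which denied clients fall outside every allowed network; it assumes the networks are written in CIDR or address/netmask form and does not handle Samba's partial-address or EXCEPT syntax.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the [IPC$] hosts allow line as posted in the thread.
SMB_CONF = """
[IPC$]
     path = /tmp
     hosts allow = 172.16.100.0/24, 172.16.101.0/24
"""

# Constructed sample: a handful of the smbd lines posted from /var/log/messages.
MESSAGES = """\
Mar 23 15:38:28 acme1 smbd[29633]:   Denied connection from  (172.16.104.95)
Mar 23 17:54:51 acme1 smbd[30440]:   Denied connection from  (172.16.104.96)
Mar 23 17:56:14 acme1 smbd[30447]:   Denied connection from  (172.16.104.97)
Mar 24 10:47:33 acme1 smbd[4684]:   Denied connection from  (172.16.104.97)
"""

DENIED_RE = re.compile(
    r"smbd\[\d+\]:\s+Denied connection from\s+\((\d+\.\d+\.\d+\.\d+)\)")
ALLOW_RE = re.compile(r"^\s*hosts allow\s*=\s*(.+)$", re.MULTILINE)


def parse_hosts_allow(conf):
    """Return the networks listed on the first 'hosts allow' line.
    Only CIDR (a.b.c.d/nn) and address/netmask entries are understood here."""
    m = ALLOW_RE.search(conf)
    if not m:
        return []
    tokens = [t for t in re.split(r"[,\s]+", m.group(1).strip()) if t]
    return [ipaddress.ip_network(t, strict=False) for t in tokens]


def denied_sources(log):
    """Count 'Denied connection' events per client address."""
    return Counter(DENIED_RE.findall(log))


def unmatched_sources(conf, log):
    """Denied client addresses that no 'hosts allow' network covers, i.e. the
    clients the config itself rejects before any authentication happens."""
    nets = parse_hosts_allow(conf)
    return {ip: n for ip, n in denied_sources(log).items()
            if not any(ipaddress.ip_address(ip) in net for net in nets)}


if __name__ == "__main__":
    for ip, n in sorted(unmatched_sources(SMB_CONF, MESSAGES).items()):
        print(f"{ip}: denied {n}x, not in any hosts allow network")
```

With the posted config, every 172.16.104.x client is reported, which matches the denials in the log; adding the real remote subnet to `hosts allow` makes the report empty.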
tommyh5 (ASKER)
acme1 is the server at 172.16.100.2
ASKER CERTIFIED SOLUTION
veedar
tommyh5 (ASKER)
Looks like for remote-network domain logins you have to specify a WINS server. Specifying the remote WINS server solved my problem.