> I've got two subnets joined by an OpenVPN bridge. I used to have my PDC on
> the router 192.168.2.128, and the DMS 192.168.2.1 happily authenticated to
> it.
>
> Now, for security and other reasons I have put my PDC behind a firewall.
> The PDC now lives at 192.168.1.3, and my router is still on 192.168.1.1 and
> 192.168.2.128.
>
> In the router's iptables rules, I have added the following:
> iptables -t nat -A PREROUTING -p tcp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
> iptables -t nat -A PREROUTING -p tcp --dport 445 -i tap0 -j DNAT --to 192.168.1.3
>
> iptables -t nat -A PREROUTING -p udp --dport 137:139 -i tap0 -j DNAT --to 192.168.1.3
> iptables -t nat -A PREROUTING -p udp --dport 445 -i tap0 -j DNAT --to 192.168.1.3
>
> (tap0 is the 192.168.2.128 interface)
>
> In the DMS's smb.conf, I have the following:
>
> [global]
>         workgroup = CORP
>         netbios name = FURNSRV
>         server string = Furniture File Server
>         security = domain
>         password server = 192.168.1.3
>         wins server = 192.168.1.3
>         wins support = no
>         wins proxy = no
>         name resolve order = wins
>         dns proxy = no
>         local master = yes
>         domain master = no
>         preferred master = yes
>         os level = 65
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_BROADCAST
>         printing = cups
>         printcap = cups
>         remote browse sync = 192.168.1.3
>
> When I start Samba on the DMB, I can do 'net join' just fine. I can ping
> the PDC. I can list shares on the PDC. I can't list shares on the
> client!
>
> [EMAIL PROTECTED]:/etc/samba# smbclient -L localhost
> Password:
> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>
> I'm a little befuddled here. Is there something I've forgotten in
> iptables? Is something else missing? I'm not sure exactly what to debug.
> I have done tcpdump on the PDC and I can see requests and responses, but
> I'm not 100% clear what to look for.
>
> I appreciate any help at all!
>
> Thanks,
> Misty
>
Here is some more info. When I try to authenticate to see the DMB's shares,
I get different results on the DMB and the PDC.

PDC:
[2008/07/01 00:25:42, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: sam authentication for user [root] succeeded
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2008/07/01 00:25:42, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/07/01 00:25:42, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2008/07/01 00:25:42, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded

DMB:
[2008/07/01 00:25:49, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: "CORPSRV, 192.168.1.3"
[2008/07/01 00:25:49, 3] libsmb/namequery_dc.c:rpc_dc_name(117)
  rpc_dc_name: Returning DC CORPSRV (192.168.1.3) for domain CORP
[2008/07/01 00:25:49, 3] libsmb/cliconnect.c:cli_start_connection(1426)
  Connecting to host=CORPSRV
[2008/07/01 00:25:49, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 192.168.1.3 at port 445
[2008/07/01 00:25:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine CORPSRV pipe \NETLOGON fnum 0x70bb bind request returned ok.
[2008/07/01 00:25:51, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine CORPSRV pipe \NETLOGON fnum 0x70bc bind request returned ok.
[2008/07/01 00:25:51, 0] auth/auth_domain.c:domain_client_validate(246)
  domain_client_validate: unable to validate password for user root in domain CORP to Domain controller CORPSRV. Error was NT_STATUS_UNSUCCESSFUL.
[2008/07/01 00:25:51, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [root] -> [root] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2008/07/01 00:25:51, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX) NT_STATUS_NO_LOGON_SERVERS
[2008/07/01 00:25:51, 3] smbd/process.c:timeout_processing(1359)

WHY would the DMB say that it failed when the PDC said it succeeded???

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
>
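Added example, not part of the original post or of Samba's code: a small Python parser for the smbd log entries quoted above that lists each check_ntlm_password verdict from both hosts on one timeline. The names parse_entries, auth_outcomes and timeline are hypothetical; the sample entries are copied from the post.

```python
import re
from datetime import datetime

# Entry header: "[date time, level] file:function(line)"; the message follows it.
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)")
# Outcome text written by check_ntlm_password, in the spellings seen in the post.
OUTCOME = re.compile(
    r"authentication for user \[([^\]]+)\].*?\b(succeeded|FAILED)"
    r"(?: with error (NT_STATUS_\w+))?", re.IGNORECASE)

def parse_entries(text):
    """Split smbd log text into entries; works on wrapped or flattened logs."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        # The message runs from the end of this header to the next header.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({
            "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
            "function": m.group(4),
            "message": " ".join(text[m.end():end].split()),
        })
    return entries

def auth_outcomes(host, text):
    """Return (time, host, user, result, nt_status) per check_ntlm_password verdict."""
    rows = []
    for e in parse_entries(text):
        m = OUTCOME.search(e["message"])
        if e["function"] == "check_ntlm_password" and m:
            rows.append((e["time"], host, m.group(1), m.group(2).lower(), m.group(3)))
    return rows

# Entries copied from the post above (trimmed to the authentication lines).
PDC_LOG = """[2008/07/01 00:25:42, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: sam authentication for user [root] succeeded
[2008/07/01 00:25:42, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded"""
DMB_LOG = """[2008/07/01 00:25:51, 0] auth/auth_domain.c:domain_client_validate(246)
  domain_client_validate: unable to validate password for user root in domain CORP to Domain controller CORPSRV. Error was NT_STATUS_UNSUCCESSFUL.
[2008/07/01 00:25:51, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [root] -> [root] FAILED with error NT_STATUS_NO_LOGON_SERVERS"""

def timeline():
    rows = auth_outcomes("PDC", PDC_LOG) + auth_outcomes("DMB", DMB_LOG)
    return sorted(rows, key=lambda r: r[0])  # order both hosts by timestamp

if __name__ == "__main__":
    for when, host, user, result, status in timeline():
        print(when.time(), host, user, result, status or "")
```

Run against the full log files from each host, the merged list lets the entries be compared by timestamp rather than by reading the two logs side by side.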
