Tom, 

Thanks for your swift reply. I changed my rules file and the 
etc/shorewall/action.Drop and action.Reject files as mentioned in 
http://www.shorewall.net/samba.htm. But unfortunately I cannot find any logging 
of SMB traffic between both zones. The only logging with the relevant IP 
addresses in /var/log/messages is from yesterday, before I changed anything:

Mar 12 15:39:13 omilia kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 
SRC=192.168.6.13 DST=192.168.0.12 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=54555 DF 
PROTO=UDP SPT=32889 DPT=53 LEN=57
Mar 12 15:39:23 omilia kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 
SRC=192.168.6.13 DST=192.168.0.12 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=54556 DF 
PROTO=UDP SPT=32889 DPT=53 LEN=57

The only relevant logging from today is this one:

Mar 13 08:59:43 omilia kernel: Shorewall:all2all:REJECT:IN= OUT=eth2 
SRC=192.168.0.254 DST=192.168.0.12 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=7733 DF 
PROTO=UDP SPT=32772 DPT=53 LEN=51

But this looks like a DNS query from the firewall itself (0.254) to my domain 
controller (0.12). Nothing Samba about that. I'm lost...

Wouter
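
To make sense of log lines like the ones above, here is an added example (not code from this thread or from the Shorewall project) that parses the netfilter KEY=VALUE format Shorewall logs in, separates packets the firewall host generated itself (empty IN=) from forwarded ones, and flags Microsoft networking ports; the third sample line and the port set are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: the two REJECT lines quoted in the mail above (re-joined onto
# one line each) plus one constructed TCP/445 (SMB) line for contrast.
SAMPLE_LOG = """\
Mar 12 15:39:13 omilia kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=192.168.6.13 DST=192.168.0.12 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=54555 DF PROTO=UDP SPT=32889 DPT=53 LEN=57
Mar 13 08:59:43 omilia kernel: Shorewall:all2all:REJECT:IN= OUT=eth2 SRC=192.168.0.254 DST=192.168.0.12 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=7733 DF PROTO=UDP SPT=32772 DPT=53 LEN=51
Mar 13 09:01:10 omilia kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth1 SRC=192.168.6.13 DST=192.168.0.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=45000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
"""

MS_NETWORKING_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session, SMB (assumed set)
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF or SYN have no '=' and are skipped

def parse_line(line):
    """Return {'chain', 'action', KEY: VALUE, ...} for a Shorewall log line, else None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec.setdefault(key, value)  # LEN appears twice; keep the first (IP header) value
    return rec

def is_locally_generated(rec):
    """An empty IN= means the firewall host itself produced the packet (the 0.254 line)."""
    return rec.get("IN", "") == ""

def classify(rec):
    """Label a logged packet by its destination port."""
    dpt = int(rec.get("DPT", 0))
    if dpt in MS_NETWORKING_PORTS:
        return "microsoft-networking"
    if dpt == 53:
        return "dns"
    return "other"

def summarize(log_text):
    """Count (chain, action, category, origin) over every Shorewall line in log_text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        origin = "firewall-itself" if is_locally_generated(rec) else rec.get("IN", "?")
        counts[(rec["chain"], rec["action"], classify(rec), origin)] += 1
    return counts
```

Running `summarize` over the real /var/log/messages shows at a glance whether any rejected traffic between the zones is on the Microsoft networking ports at all, or only DNS as in the lines above.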

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Eastep
Sent: Wednesday 12 March 2008 17:20
To: Shorewall Users
Subject: Re: [Shorewall-users] Shorewall & Samba domain join

Götz Reinicke wrote:
> Wouter Amsterdam wrote:
>> L.S.,
>>
>>  
>>
>> I'm having difficulties joining a Fedora Core 7 Samba server to a 
>> Windows 2000 Domain Controller. Both servers are located in 
>> separate subnets which are connected via shorewall (4.0.6). I have 
>> configured the policy file to accept all traffic from both subnets 
>> and vice versa. This Samba server also runs a Postfix / Dovecot 
>> mailserver which successfully authenticates users on the W2K DC. If I 
>> move the Samba server to the same subnet as the W2K DC, joining seems 
>> no problem. But when I move the server back to its original subnet 
>> and issue the command "net rpc testjoin", the response is "unable to 
>> find a suitable server". If I point the command directly to the DC 
>> with "net rpc testjoin –S myserver.mydomain.local ", the full output is:
>>
>>  
>>
>> [2008/03/12 16:47:04, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
>>
>>   net_rpc_join_ok: failed to get schannel session key from server 
>> myserver.mydomain.local for domain MYDOMAIN. Error was 
>> NT_STATUS_INVALID_COMPUTER_NAME
>>
>> Join to domain 'MYDOMAIN' is not valid
>>
>>  
>>
>> At first I was tempted to blame Samba, but since switching the 
>> server between subnets (and so bypassing shorewall) I believe I have 
>> misconfigured shorewall. Could shorewall be blocking some 
>> broadcasting traffic needed to perform the joining to the domain?
> 
> What happens, if you disable shorewall?
> 
> What is in the logs? Any blocked packages?

Shorewall doesn't log any of the Microsoft Networking noise that it drops or 
rejects. It did that originally, and we had 100's of newbies frantically 
reporting that they were under attack by their own Windows systems.

See http://www.shorewall.net/samba.htm

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
