Friday, October 10, 2003
WINS and iptables
We changed the firewall from ipchains to iptables on one of our Samba 2.2 file servers. After several hours, we started seeing permission problems, which cleared up immediately once we brought down the iptables firewall.
Users were authenticating to our NT 4.0 PDC, but when the workstation tried to load their profile, stored on the Samba 2.2 server, they received a "Domain not found" error message.
Logged on to the workstation with the default profile, a user could bring up the fileserver, but a name/password logon window appeared. The symptoms suggested that Samba couldn't confirm the user's SID when trying to validate their access to a particular file, although there were reports that some workstation sessions were working fine.
This sort of inconsistent problem suggested a WINS/NetBIOS resolution issue.
Debugging (nmblookup -d) showed that the machine was not finding the Domain Controller when querying its local nmbd, so we switched the smb.conf to point to our Windows WINS server, which, incidentally, is on another class-d subnet of our flat, three-subnet network.
This didn't solve the problem: we noticed that nmblookup was failing to use the WINS setting and moving on to attempt a broadcast resolution of the DC. But the broadcast probably wasn't reaching all of our subnets, because the ifconfig was using a 255.255.255.0 subnet; we modified it to 255.255.192.0, and the DC resolved. And it looks like this solved the problem.
But two questions remain:
- Why isn't it getting resolve responses from the WINS server?
- Why did moving from ipchains to iptables seem to mess up its local nmbd? The machine appeared to resolve the DC fine for several hours after the iptables were brought up.