AW: [suse-security] SuSEFirewall2 - Primary Domain Controller
I guess it's the same problem I have with W2K Server and an NT4 PDC: when they are in the same subnet, all is OK. But when they are in different subnets, they get no security info from the PDC. I can access the shares and ping it by name. When I try to join the domain, it gives an error. When I'm in the same subnet and join the domain, everything's OK. When I then change the subnet back, W2K only gets the S-Numbers instead of the names of users. I haven't found a fix for this problem yet. My solution was a second network only for the servers, to connect W2K with NT4 in the same subnet.
Andreas Kreiter
-----Original message-----
From: mario ohnewald [mailto:mario.ohnewald@gmx.de]
Sent on: Thursday, 16 May 2002 09:59
To: suse-security@suse.com
Subject: Re: [suse-security] SuSEFirewall2 - Primary Domain Controller
doooh! Well, not really solved yet ;( Working with names works now, but my W2K client still can't find my PDC (when I wanna join my domain), but it can ping it: "ping pdc". Do I have to enable some ports for internal routing? Protect from Internal is off.
Any ideas?
Cheers, Mario
Ahhh, now it works! Thanks a LOT!
Mario
Yes, I did that. I can reach all the IPs in each net, so the routing seems to work; I just can't work with names.
Mario
So put the IP of the PDC as WINS server in the settings of your clients in the other subnet :O)
Yours Michael Appeldorn
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
There is a file called lmhosts where you can define PDC and domains by IPs. I did it to call user management from W2K to an NT PDC in another subnet. Try this and call back whether you succeed or not.
Michael Appeldorn
Hi! I can not even access a machine like that: \\machinename through my router.
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="netbios-ssn 1046 name 134:139 domain ssh www pop3 smtp ftp"
# Common: domain syslog
FW_SERVICES_INT_UDP="netbios-ssn 1046 name domain 134:139"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""
That's what I have in my firewall config file. Is anything missing?
Mario Ohnewald
There is a file called lmhosts where you can define PDC and domains by IPs.
I did it to call user management from W2K to an NT PDC in another subnet.
?? Sorry, what do you mean with that?
Try this and call back whether you succeed or not.
Michael Appeldorn
Hiho
mario ohnewald wrote:
I can not even access a machine like that: \\machinename through my router.
Do you know already that backslashes (\) are special characters on Unix shells? In combination with smbclient you can use forward slashes (//machine).
Yes, I did know that, but I have tried that on a W2K client anyway. ;o)
Peter
Mario
Hi! I can not even access a machine like that: \\machinename through my router.
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="netbios-ssn 1046 name 134:139 domain ssh www pop3 smtp ftp"
# Common: domain syslog
FW_SERVICES_INT_UDP="netbios-ssn 1046 name domain 134:139"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""
That's what I have in my firewall config file. Is anything missing?
You need to:
enable class routing in your firewall script
add the IP of the server as WINS server
allow the W2K NetBIOS port - 445
SMB/NBT port 139 (older Windows), CIFS/TCP port 445 (W2K)
Yours Michael Appeldorn
Hi, it's me again ;oP
Hi! I can not even access a machine like that: \\machinename through my router.
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="netbios-ssn 1046 name 134:139 domain ssh www pop3 smtp ftp"
# Common: domain syslog
FW_SERVICES_INT_UDP="netbios-ssn 1046 name domain 134:139"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""
That's what I have in my firewall config file. Is anything missing?
You need to
enable class routing in your firewall script
Yes, I did (plus routing).
add the IP of the server as WINS server
Yes, I did, too.
allow the W2K NetBIOS port - 445
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="445 netbios-ssn 1046 name 134:139 domain ssh www pop3 smtp ftp"
# Common: domain syslog
FW_SERVICES_INT_UDP="445 netbios-ssn 1046 name domain 134:139"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""
SMB/NBT port 139 (older Windows), CIFS/TCP port 445 (W2K)
Yours
Michael Appeldorn
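The port audit the thread works toward, as an added example that is not part of the original posts and not SuSEFirewall2's own code; it assumes the FW_SERVICES_INT_TCP/FW_SERVICES_INT_UDP variables quoted above, a built-in service-name table in place of /etc/services, and constructed sample configs modelled on the two lists Mario posted:

```shell
# Added example, not code from the thread: audit a SuSEFirewall2 internal
# service list for the ports a Windows client needs to reach a PDC across a
# router. Assumes the FW_SERVICES_INT_TCP/FW_SERVICES_INT_UDP variables quoted
# in the thread and a built-in name table instead of /etc/services (offline).
# Constructed sample modelled on the config Mario first posted (no 445 yet).
SAMPLE_CFG='
FW_SERVICES_INT_TCP="netbios-ssn 1046 name 134:139 domain ssh www pop3 smtp ftp"
FW_SERVICES_INT_UDP="netbios-ssn 1046 name domain 134:139"
'
# Constructed sample of the corrected list, as in the follow-up post.
FIXED_CFG='
FW_SERVICES_INT_TCP="445 netbios-ssn 1046 name 134:139 domain ssh www pop3 smtp ftp"
FW_SERVICES_INT_UDP="445 netbios-ssn 1046 name domain 134:139"
'
# Map the NetBIOS/SMB service names to port numbers; anything else passes through.
svc_to_port() {
  case "$1" in
    netbios-ns)   echo 137 ;;
    netbios-dgm)  echo 138 ;;
    netbios-ssn)  echo 139 ;;
    microsoft-ds) echo 445 ;;
    *)            echo "$1" ;;
  esac
}
# port_allowed CFG VARNAME PORT: succeeds if PORT is listed or inside a lo:hi range.
port_allowed() {
  cfg=$1; var=$2; want=$3
  list=$(printf '%s\n' "$cfg" | sed -n "s/^${var}=\"\(.*\)\"/\1/p")
  for tok in $list; do
    tok=$(svc_to_port "$tok")
    case "$tok" in
      *:*) lo=${tok%%:*}; hi=${tok##*:}      # numeric range as written on the page
           [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ] && return 0 ;;
      *)   [ "$tok" = "$want" ] && return 0 ;;
    esac
  done
  return 1
}
# missing_smb_ports CFG: print proto/port for each required port that is not open.
# Name (137) and datagram (138) service are UDP; session (139) and CIFS (445) are TCP.
missing_smb_ports() {
  cfg=$1
  for need in udp/137 udp/138 tcp/139 tcp/445; do
    proto=${need%/*}; port=${need#*/}
    var="FW_SERVICES_INT_$(echo "$proto" | tr '[:lower:]' '[:upper:]')"
    port_allowed "$cfg" "$var" "$port" || echo "$need"
  done
}
missing_smb_ports "$SAMPLE_CFG"   # prints tcp/445; nothing for FIXED_CFG
```

Note that the 134:139 range in the posted lists also opens 134 to 136, which none of the four required services use; listing netbios-ns, netbios-dgm and netbios-ssn by name keeps the rule set minimal.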
Thanks a lot for your help! But it still does not work :( A \\pdc on the W2K client doesn't work. I did a tcpdump, maybe you can see something which I can't?:
13:01:10.438279 tuxwall.lansin.netbios-ssn > 192.168.2.5.1043: R 0:0(0) ack 1518
13:01:10.927423 192.168.2.5.1043 > tuxwall.lansin.netbios-ssn: S 1518151819:1518
13:01:10.927777 tuxwall.lansin.netbios-ssn > 192.168.2.5.1043: R 0:0(0) ack 1 wi
13:01:11.428327 192.168.2.5.1043 > tuxwall.lansin.netbios-ssn: S 1518151819:1518
13:01:11.428734 tuxwall.lansin.netbios-ssn > 192.168.2.5.1043: R 0:0(0) ack 1 wi
13:01:11.430131 192.168.2.5.netbios-ns > 192.168.1.40.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
13:01:11.430677 192.168.1.40.netbios-ns > 192.168.2.5.netbios-ns: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST (DF)
192.168.2.5 --> W2K client
tuxwall = router/firewall with my 3 NICs
I recorded the packets when I did \\pdc in a loop on the W2K client.
Cheers, Mario
On 16.05.2002 15:06:46, "mario ohnewald" wrote:
Hi, it's me again ;oP
Hi! I can not even access a machine like that: \\machinename through my router.
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="netbios-ssn 1046 name 134:139 domain ssh www pop3 smtp ftp"
# Common: domain syslog
FW_SERVICES_INT_UDP="netbios-ssn 1046 name domain 134:139"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""
That's what I have in my firewall config file. Is anything missing?
You need to
enable class routing in your firewall script
Thanks a lot for your help! But it still does not work :(
What about the service packs you installed on both machines? PDC should be 6.0a, W2K should be 2. I already saw PDC problems with a blank W2K without any service pack. And does your /var/log say anything when you contact the PDC? And FW_SERVICES_INT_TCP="netbios-ssn 1046 name 134:139 domain ssh www pop3": if I think about it, these ports are enabled on the firewall if such services are running on it, and do not depend on routing - correct me if I am wrong.
Yours Michael, who is testing the game now with his W2K and an NT4 PDC on another subnet across a firewall like yours
Thanks a lot for your help! But it still does not work :(
A \\pdc on the W2K client doesn't work.
OK, I checked the situation on my setup, numbers changed :O)
1 W2K client in subnet 192.168.1.0
1 PDC server in subnet 192.168.2.0
1 SuSEfirewall
Subnets can ping each other.
Subnets can nmap each other with correct results.
The only thing I had to do was to write a c:\lmhost.import with
192.168.2.123 servername #PRE #DOM:domainname
and to import it via System Control -> Network -> LAN connection [right click] -> Properties -> TCP/IP properties -> Extended -> WINS -> Import lmhost,
and I could ping servername, \\servername and finally join the domain.
Think about the service packs and check the whole situation like I did.
Yours Michael Appeldorn