#1 2010-10-28 11:01:13

Sniffer
Member
Registered: 2008-11-10
Posts: 47

Arch Samba - Windows 2008 Domain

I have made the thread below thinking I solved my problem giving access on FTMG...but unfortunately nope...


https://bbs.archlinux.org/viewtopic.php?id=107350


My Situation:

3 Servers on Windows 2008 Domain (Example: 192.168.1.1 / 2 / 3)

1.1 - DC

1.2 - Exchange

1.3 - ISA FTMG (Gateway to all servers)


1 Arch Server for Backup (Samba Share PUBLIC) - 192.168.1.4


And my problem is annoying at least: I go to one of my Windows 2008 servers and push on explorer \\192.168.1.4\Backup and sometimes it fully works without any problem... and other times (let's say 5 minutes after, I push again) and:

Network path could not be found

or

xx.xx.xx.xx is not setup to establish a connection on port "File and Print Sharing (SMB)"


BUT FROM THIS WINDOWS 2008 SERVER IT PINGS 192.168.1.4

AND

TRACERT GO DIRECTLY TO 192.168.1.4

And if I try and try eventually it will work again.....can't damn understand what's going on with this.....

On ISA I gave FULL ACCESS to my servers to go where the hell they want and even so......


Thanks in advance for all the help....yep I need it.

Sniff

#2 2010-10-28 12:30:42

KimTjik
Member
From: Sweden
Registered: 2007-08-22
Posts: 715

Re: Arch Samba - Windows 2008 Domain

If I understand you correctly then backup only works when you've as a user in the domain explored the shares. I'm not an expert on the technical details, but by experience I've seen the same if a Samba server is to have functions within the Windows' domain but hasn't joined it and hence been accepted by the DC. If it's not joined it will drop out of connection and any automatic backup program, for example on any of the Windows server won't find it.

If you instead choose "domain" as security and then join the DC problem will probably be solved. If joined the DC will keep track of it in the network. To join a domain is pretty straightforward and easy, and I think the Samba entry in the Wiki has it described.

#3 2010-10-28 18:29:10

Sniffer
Member
Registered: 2008-11-10
Posts: 47

Re: Arch Samba - Windows 2008 Domain

KimTjik wrote:

If I understand you correctly then backup only works when you've as a user in the domain explored the shares. I'm not an expert on the technical details, but by experience I've seen the same if a Samba server is to have functions within the Windows' domain but hasn't joined it and hence been accepted by the DC. If it's not joined it will drop out of connection and any automatic backup program, for example on any of the Windows server won't find it.

If you instead choose "domain" as security and then join the DC problem will probably be solved. If joined the DC will keep track of it in the network. To join a domain is pretty straightforward and easy, and I think the Samba entry in the Wiki has it described.


Thanks for the reply, indeed it is not added to the domain, could you point me to the wiki? Can't find it in the Samba wiki.

Even in a public share without user and passwords...sometimes it works perfectly, 5 min later can't access..and so on.


Update: Are you talking about this one:

https://wiki.archlinux.org/index.php/Sa … Controller

or this one

https://wiki.archlinux.org/index.php/Ar … ows_domain

Last edited by Sniffer (2010-10-28 18:32:03)

#4 2010-10-28 19:48:19

KimTjik
Member
From: Sweden
Registered: 2007-08-22
Posts: 715

Re: Arch Samba - Windows 2008 Domain

I'm sorry I didn't know that this wasn't covered in the Wiki. When I get some time I'll probably add something about it. No, neither of those links is correct. You already have one DC, a native Windows server, and the second one isn't necessary (you don't need to join the whole Linux workstation to the domain, just the Samba service; the Samba service will with hostname be recognized as a stand-alone server).

In lack of an appropriate Wiki entry Samba's own How-to is better: http://www.samba.org/samba/docs/man/Sam … ember.html

Look for this section: "Joining an NT4-type Domain with Samba-3"

Even that How-to might be confusing since it covers all kinds of configurations at the same time. What you need, as far as I can understand your description, is only what's written in that section.

Start with the strings in smb.conf for domain, password server (in your case probably the DC itself) and security set to domain. Restart Samba and then you need to know an administrator account (user and password) and fill it in to the command example shown, e.g. "net rpc join -S DOMPDC -UAdministrator%password". If everything works you should get confirmation about it. You could also double-check the AD on the DC and see if the Samba server is added.

See if you get this to work.

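The member-server settings named in post #4, as an added example that is not part of the thread or of Samba's own documentation: a constructed `[global]` section plus a pre-join check of it. `EXAMPLE`, the `[Backup]` share path and the helper names `sample_conf`, `smbconf_get` and `check_member_conf` are assumptions; `192.168.1.1` and `DOMPDC` are the placeholders used in the thread.

```shell
#!/bin/sh
# Constructed sample: [global] settings for a Samba-3 domain member.
# EXAMPLE is a placeholder domain; 192.168.1.1 is the thread's example DC.
sample_conf() {
cat <<'EOF'
[global]
   workgroup = EXAMPLE
   security = domain
   Password Server = 192.168.1.1
; public backup share
[Backup]
   path = /srv/backup
   guest ok = yes
EOF
}

# Print a [global] parameter. Samba ignores case and whitespace in
# parameter names, so both are normalised before comparing.
smbconf_get() {  # usage: smbconf_get "password server" < smb.conf
    awk -v want="$1" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            a = index($0, "["); b = index($0, "]")
            sec = norm(substr($0, a + 1, b - a - 1)); next
        }
        sec == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(key) == norm(want)) found = val
        }
        END { if (found == "") exit 1; print found }
    '
}

# 0 = ready to join; 1 = security is not "domain";
# 2 = workgroup missing; 3 = password server missing.
check_member_conf() {  # usage: check_member_conf /etc/samba/smb.conf
    [ "$(smbconf_get security < "$1" | tr 'A-Z' 'a-z')" = "domain" ] || return 1
    smbconf_get workgroup < "$1" > /dev/null || return 2
    smbconf_get "password server" < "$1" > /dev/null || return 3
}

tmp=$(mktemp) && sample_conf > "$tmp"
# Leaving %password off -U makes net prompt for it, which keeps the
# administrator password out of shell history and the process list.
check_member_conf "$tmp" &&
    echo "next: net rpc join -S DOMPDC -U Administrator; net rpc testjoin"
rm -f "$tmp"
```
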

#5 2010-12-02 14:48:11

Sniffer
Member
Registered: 2008-11-10
Posts: 47

Re: Arch Samba - Windows 2008 Domain

KimTjik wrote:

I'm sorry I didn't know that this wasn't covered in the Wiki. When I get some time I'll probably add something about it. No, neither of those links is correct. You already have one DC, a native Windows server, and the second one isn't necessary (you don't need to join the whole Linux workstation to the domain, just the Samba service; the Samba service will with hostname be recognized as a stand-alone server).

In lack of an appropriate Wiki entry Samba's own How-to is better: http://www.samba.org/samba/docs/man/Sam … ember.html

Look for this section: "Joining an NT4-type Domain with Samba-3"

Even that How-to might be confusing since it covers all kinds of configurations at the same time. What you need, as far as I can understand your description, is only what's written in that section.

Start with the strings in smb.conf for domain, password server (in your case probably the DC itself) and security set to domain. Restart Samba and then you need to know an administrator account (user and password) and fill it in to the command example shown, e.g. "net rpc join -S DOMPDC -UAdministrator%password". If everything works you should get confirmation about it. You could also double-check the AD on the DC and see if the Samba server is added.

See if you get this to work.


OK, sorry for the delay in my answer but I was traveling and couldn't test the above in the production environment.

I have added the backup server to the domain successfully but that was not the problem.


Now I have full details and maybe you could give your opinion:

                               
                                         FTMG (Forefront Threat Management Gateway)

                                                               SWITCH LAYER 3

                  SERVER BACKUP----------------------SERVERDC---------------------------SERVEREXCHANGE


THE PROBLEM is that if the DC has a share, or Exchange, everything works OK (\\dc or \\exchange), but if you try to connect to the share on archserver (\\archserver) the connection drops quite often.

WHY? Because after some tracing in FTMG, the Microsoft firewall considers that the archserver is doing spoofing; yes, it is on the same network as all servers, same domain as per the help above, trusted...etc.

SOLUTION? First I gave permissions on the firewall to the archserver (ALLOW ALL / PROTOCOLS ETC), but even so the FTMG was intercepting all the requests to the archserver and still considered it spoofing...odd enough, no??!! By the way, the FTMG server controls all the network; it is the gateway to all servers and switching.

Are you thinking of changing the gateway on archserver or just not setting any....yep, same result, FTMG still catches archserver.

I gave up and came up with my actual solution (VLAN or BACKUP NETWORK): all servers with an extra ethernet card dedicated to the backup network or VLAN just for backup, without the firewall going there to trace anything.

And that's it....

But my question to you all is: every time we have a Linux server (share) together with FTMG in the same network, do you have the same result? It seems to me like FTMG has something like: IT'S LINUX / GET BLOCKED.

Thanks for your help and patience regarding my answer.

TD (Sniffer)
