CentOS firewall blocks Windows 10 RSAT DNS manager from accessing Samba AD DC dns server

Support for security such as Firewalls and securing linux
StariBrko
Posts: 27
Joined: 2012/08/24 12:35:50

CentOS firewall blocks Windows 10 RSAT DNS manager from accessing Samba AD DC dns server

Post by StariBrko » 2024/01/18 13:54:36

I recently set up a VM with CentOS 7.3 in minimal configuration (then updated it to CentOS 7.9.2009).
Then I downloaded Samba-4.19.4 from the official Samba site and made a Samba Active Directory DC.
The whole process of Samba configuration and installation passed smoothly without errors.
Samba AD DC works just fine.
I created an additional firewall zone (privateDNS), made it active and default, and opened the ports needed for the Samba AD DC services

privateDNS
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dns ldap mdns samba samba-client ssh
  ports: 123/udp 3268-3269/tcp 636/tcp 464/tcp 464/udp 389/tcp 389/udp 445/tcp 137-138/udp 139/tcp 135/tcp 88/tcp 88/udp 53/tcp 53/udp 636/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
(initially, there were only the mdns, samba-client and ssh services set. I just added samba, dns and ldap a bit afterwards, because netstat wasn't showing a connection to port 53 though it was definitely opened)

What bothers me is the fact that I can use RSAT AD Users&Computers all the time from the very beginning, but RSAT DNS Manager works only when the firewall is stopped. I run those tools from Windows 10.

netstat found all above ports listening on 0.0.0.0
So I configured smb.conf with "interfaces=..."

[global]
        dns forwarder = XXX.XXX.XXX.XXX
        netbios name = C7-DC1
        realm = MY.domain
        server role = active directory domain controller
        workgroup = MY
        idmap_ldb:use rfc2307 = Yes
        interfaces = 192.168.0.6/24
        bind interfaces only = Yes
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/my.domain/scripts
        read only = No
And now all ports (apart from 22-ssh and 123-ntp) listen on 192.168.0.6

In my opinion, it is clearly a firewall issue, since my client applications work like a charm when the firewall is down, but as soon as I start it, DNS Manager stops responding.

I would appreciate it if someone could give me a hint on how to solve this problem.

thanx

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS firewall blocks Windows 10 RSAT DNS manager from accessing Samba AD DC dns server

Post by jlehtone » 2024/01/18 16:22:59

StariBrko wrote:
2024/01/18 13:54:36
I created additional firewall zone (privateDNS) and made it active and default
Please show firewall-cmd --get-active-zones


PS. Why CentOS 7 now, when it has under half a year of lifetime left?

StariBrko
Posts: 27
Joined: 2012/08/24 12:35:50

Re: CentOS firewall blocks Windows 10 RSAT DNS manager from accessing Samba AD DC dns server

Post by StariBrko » 2024/01/19 08:35:53

jlehtone, thanx for your reply.

Here is the result you asked for:

[root@C7-DC1 ~]# firewall-cmd --get-active-zones
privateDNS
  interfaces: ens160
I forgot to mention:
It worked exactly the same way while it was in Public zone with the same settings.

-----
PS. Why CentOS 7 now, when it has under half a year of lifetime left?
Honestly, when I saw the "Stream" word, it somehow brought to my mind a horrid idea of the Microsoft concept with everyday updates and all that... (Yes, I use Windows 10 as a workstation even though I don't like it a bit, but it is company policy to use Microsoft products. I did convince management to use CentOS servers though, but that was an easy step. Guess why! Will give you three shots :) )
So, since I used C7 for quite a while, and though I couldn't find myself even as an advanced user - let alone an expert, I find it, so to say, somewhat cozy. Also, knowing that C8 expires at the same time as C7, plus the fact that I didn't like it anyway, C7 it was.
It is a nice OS really, C7. Besides, this VM will serve just as a Samba AD DC. No big deal. With the latest update I think it could work well long after the C7 EOL (I just buried one VM that ran the final version of CentOS 6.8 a few days ago).

Nevertheless, I read FAQ from https://www.redhat.com/en/blog/faq-cent ... am-updates and will definitely give a try to Stream versions

cheers

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS firewall blocks Windows 10 RSAT DNS manager from accessing Samba AD DC dns server

Post by jlehtone » 2024/01/19 09:39:31

My normal (but not necessarily "professional") way to debug is:
* Look at the actual firewall rules:

# CentOS 7
iptables -t filter -S
iptables -t nat -S
iptables -t mangle -S
# EL8 and EL9 distros
nft list ruleset
Yes, the things that firewalld writes there can be daunting at first.

* Check which processes do listen: ss -tulpn
* Listen on the traffic: tcpdump -vv -nn -i ens160 port 53
I don't understand most of the tcpdump output, but if, say, a "router" sees a packet on the incoming port but not on the outgoing one, then I have something to focus on.
StariBrko wrote:
2024/01/19 08:35:53
will definitely give a try to Stream versions
Not so hasty!

CentOS Linux has aimed to be bug-for-bug compatible with the corresponding RHEL version. It is "downstream" of RHEL.

When Red Hat announced the end of CentOS Linux there was much ado. Two new communities quickly formed to build distros just like CentOS Linux used to be: AlmaLinux OS and Rocky Linux. Furthermore, there were already other similar distros, like Oracle Linux, and Red Hat adjusted their RHEL subscription policy to allow small setups free of charge for production.

Last Summer Red Hat further tuned (down) how RHEL sources can be accessed and now AlmaLinux is only "binary compatible", while Rocky chose to remain "bug-for-bug" by some means.

Any of the distros mentioned above should be as good "for production" as CentOS Linux used to be. (Red Hat never admitted that CentOS would be "ok" for production -- they have RHEL to sell.)


CentOS Stream is not one of those distros. It is not for production. It is "upstream" from RHEL. It is the main development branch for RHEL, from which a branch for each RHEL point update version starts. It is a "preview" into what might be in the next (or following) RHEL point update.
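The two checks jlehtone lists (what the firewall allows versus what actually listens) can be cross-referenced mechanically. The script below is an added example, not code from this thread, from firewalld or from Samba. It parses constructed samples of `firewall-cmd --zone=privateDNS --list-all` output (abridged, with the port list from the first post) and of `ss -tulpn` output, and reports both directions: listening sockets the zone does not open, and zone openings with nothing listening behind them (the second direction goes beyond the thread's case). The service-to-port table is a hard-coded subset of firewalld's shipped service definitions and is an assumption; the `49152/tcp` listener in the sample is invented for illustration, as are the pids and process names.

```shell
#!/bin/sh
# Added example (not from the thread, firewalld or Samba): cross-check the sockets a host
# listens on (`ss -tulpn` output) against what a firewalld zone opens
# (`firewall-cmd --zone=privateDNS --list-all` output). Both inputs are constructed samples.

# Constructed, abridged zone listing; the ports line is the one from the first post.
ZONE_LISTING='privateDNS (active)
  interfaces: ens160
  services: dns ldap mdns samba samba-client ssh
  ports: 123/udp 3268-3269/tcp 636/tcp 464/tcp 464/udp 389/tcp 389/udp 445/tcp 137-138/udp 139/tcp 135/tcp 88/tcp 88/udp 53/tcp 53/udp 636/udp
  rich rules:'

# Constructed `ss -tulpn` output; pids, process names and the 49152/tcp listener are invented.
SS_LISTING='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      192.168.0.6:53      0.0.0.0:*         users:(("samba",pid=1200,fd=30))
tcp   LISTEN 0      10     192.168.0.6:53      0.0.0.0:*         users:(("samba",pid=1200,fd=31))
udp   UNCONN 0      0      192.168.0.6:88      0.0.0.0:*         users:(("samba",pid=1201,fd=20))
tcp   LISTEN 0      10     192.168.0.6:88      0.0.0.0:*         users:(("samba",pid=1201,fd=21))
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*         users:(("chronyd",pid=700,fd=5))
tcp   LISTEN 0      10     192.168.0.6:135     0.0.0.0:*         users:(("samba",pid=1202,fd=20))
udp   UNCONN 0      0      192.168.0.6:137     0.0.0.0:*         users:(("samba",pid=1203,fd=20))
udp   UNCONN 0      0      192.168.0.6:138     0.0.0.0:*         users:(("samba",pid=1203,fd=21))
tcp   LISTEN 0      10     192.168.0.6:139     0.0.0.0:*         users:(("samba",pid=1204,fd=20))
udp   UNCONN 0      0      192.168.0.6:389     0.0.0.0:*         users:(("samba",pid=1205,fd=20))
tcp   LISTEN 0      10     192.168.0.6:389     0.0.0.0:*         users:(("samba",pid=1205,fd=21))
tcp   LISTEN 0      10     192.168.0.6:445     0.0.0.0:*         users:(("samba",pid=1204,fd=21))
udp   UNCONN 0      0      192.168.0.6:464     0.0.0.0:*         users:(("samba",pid=1201,fd=22))
tcp   LISTEN 0      10     192.168.0.6:464     0.0.0.0:*         users:(("samba",pid=1201,fd=23))
tcp   LISTEN 0      10     192.168.0.6:636     0.0.0.0:*         users:(("samba",pid=1205,fd=22))
tcp   LISTEN 0      10     192.168.0.6:3268    0.0.0.0:*         users:(("samba",pid=1205,fd=23))
tcp   LISTEN 0      10     192.168.0.6:3269    0.0.0.0:*         users:(("samba",pid=1205,fd=24))
tcp   LISTEN 0      10     192.168.0.6:49152   0.0.0.0:*         users:(("samba",pid=1202,fd=21))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))'

# Expand one firewalld port spec ("53/udp" or "3268-3269/tcp") into one port/proto per line.
expand_port_spec() {
    proto=${1#*/}; range=${1%/*}
    case $range in
        *-*) p=${range%-*}
             while [ "$p" -le "${range#*-}" ]; do echo "$p/$proto"; p=$((p + 1)); done ;;
        *)   echo "$range/$proto" ;;
    esac
}

# Ports behind a firewalld service name. Hard-coded subset of firewalld's shipped definitions
# (assumption; the authoritative files are /usr/lib/firewalld/services/<name>.xml).
service_ports() {
    case $1 in
        dns)          echo "53/tcp 53/udp" ;;
        ldap)         echo "389/tcp" ;;
        mdns)         echo "5353/udp" ;;
        ssh)          echo "22/tcp" ;;
        samba)        echo "137/udp 138/udp 139/tcp 445/tcp" ;;
        samba-client) echo "137/udp 138/udp" ;;
        *)            echo "" ;;
    esac
}

# Everything the zone opens, as sorted unique port/proto tokens (services expanded to ports).
zone_allowed_ports() {
    {
        for spec in $(printf '%s\n' "$1" | sed -n 's/^ *ports: *//p'); do expand_port_spec "$spec"; done
        for svc in $(printf '%s\n' "$1" | sed -n 's/^ *services: *//p'); do
            for spec in $(service_ports "$svc"); do expand_port_spec "$spec"; done
        done
    } | sort -u
}

# Every listening socket from `ss -tulpn` output as port/proto (column 1 = tcp/udp, column 5 = addr:port).
listening_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 { n = split($5, a, ":"); print a[n] "/" $1 }' | sort -u
}

# Listening sockets the zone does not open: clients cannot reach these while firewalld is up.
listening_not_allowed() {
    allowed=" $(zone_allowed_ports "$1" | tr '\n' ' ') "
    listening_ports "$2" | while IFS= read -r lp; do
        case $allowed in *" $lp "*) ;; *) echo "$lp" ;; esac
    done
}

# Zone openings with nothing listening behind them: needless exposure, candidates for removal.
allowed_not_listening() {
    listening=" $(listening_ports "$2" | tr '\n' ' ') "
    zone_allowed_ports "$1" | while IFS= read -r ap; do
        case $listening in *" $ap "*) ;; *) echo "$ap" ;; esac
    done
}

echo "listening but not opened by the zone:"; listening_not_allowed "$ZONE_LISTING" "$SS_LISTING"
echo "opened by the zone but nothing listening:"; allowed_not_listening "$ZONE_LISTING" "$SS_LISTING"
```

On a real host, replace the two constructed strings with `$(firewall-cmd --zone=privateDNS --list-all)` and `$(ss -tulpn)`; the first list is where to look when a client tool fails only while firewalld is running, and the second list is what can be pruned from the zone.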
