Can't access network shares on domain (firewall or dns issue)



  • I just switched to pfSense from Smoothwall. So far I am really impressed with pfSense, but I ran into a small problem which I can't resolve and so I am hoping that someone here can help me.

    Basically, I am planning to use pfSense as my main DNS server, but I do understand that machines have to be registered on the domain server's DNS and so I activated domain forwarding and DHCP registration forwarding in pfSense. Somehow, I was under the impression that this is all I would have to do. I mean everything seems to work great. All local addresses get resolved properly, but a closer look shows me that workstations aren't properly authenticated against the domain server which results in local workstations not having access to any existing file shares on the domain server.

    How can I fix this?

    Thanks,
    Jens



  • @jstraten:

    but a closer look shows me that workstations aren't properly authenticated against the domain server which results in local workstations not having access to any existing file shares on the domain server.

    What is 'authentication against the domain server'?



  • Hi Eugene,

    Thank you for getting back to me.

    Well, I am running a Windows 7 R2 server and the workstation is running Windows 7. It lets me log on to Windows using my domain user name and password. However, I noticed that the Network and Sharing Center shows the connection to my domain as "unauthenticated". I am not sure what that means, but I do see updated dynamic DNS registry entries on the domain server for that workstation. I was under the impression that this is all that is needed, but apparently Windows 7 R2 server thinks differently… I also see some Event ID 4625 for the same workstation. However, the description claims a wrong user id or password which is not the case...

    Everything works flawlessly if I go directly (change primary DNS on workstation to IP of server) against the domain server which also serves as my local DNS server for my domain. It seems that the forwarder changes something or there is a hidden security feature in Windows 7 R2...

    Any ideas?

    Best regards,
    Jens



  • Are your server and workstation in the same broadcast domain or on different subnets of your pfSense?



  • They are on the same subnet.

    My configuration is as follows:

    • Windows 7 R2 Server on static address at 192.168.1.x
    • pfSense on static address at 192.168.1.y
    • DHCP server runs on pfSense providing addresses for 192.168.1.a to 192.168.1.b
    • DNS forwarder is enabled and configured to forward DHCP leases to DNS forwarder
    • Entire domain is forwarded to a local domain server running on 192.168.1.x (see above) in the DNS forwarder configuration
    • General Setup is configured to use external forwarders
    • Local workstation gets DHCP lease and resolves local addresses (including static ones residing on 192.168.1.x) correctly

    Here is what I can see:

    • I can ping all local machines in both directions
    • Workstations using DHCP can't access any domain file shares

    I did not do any port forwarding for local addresses, but I am guessing that something gets blocked on the local network. Another option would be that the server knows that this is a forwarded address and that there is some kind of new security feature in Windows that blocks this kind of access.

    As I said before I can see that local machines show the domain network as "unauthenticated" in the Network and Sharing Center of Windows 7, but it doesn't tell me why.

    Thanks,
    Jens



  • No port forwarding is required as they're all on the same subnet.

    I've just checked a few machines where I have pfSense as the DHCP server.

    Where "domain.local" is configured under "Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain.", I don't have ANY where "Register DHCP leases in DNS forwarder" is enabled. I don't know if that's right but it works. I've never had any problems so I've never experimented with ticking the box.

    HTH



  • @jstraten:

    • I can ping all local machines in both directions

    by IP or name?

    @jstraten:

    • Workstations using DHCP can't access any domain file shares

    I'm missing some knowledge here so it's just guesswork:
    How does Win7 resolve this - still by WINS? Did you configure your W2k8 server with a WINS server as well that is promoted to the clients?



  • @jahonix:

    I'm missing some knowledge here so it's just guesswork:
    How does Win7 resolve this - still by WINS? Did you configure your W2k8 server with a WINS server as well that is promoted to the clients?

    Active Directory relies on DNS. Most installations use a domain of the form "domain.local". If the XP (?) clients are configured correctly, they should be domain members with hostnames such as pc1.domain.local, pc2.domain.local and so on. The most important aspect of this is that the domain controller MUST be the authoritative DNS server for "domain.local", which is why you specify it at the DNS forwarder in pfSense.

    You should be able to do all the domain PC<->server stuff, especially F+P, without WINS enabled anywhere.



  • I can ping from the server to the workstation and from the workstation to the server by name and IP.

    • Server is Windows Server R2 (Windows 2008 Server)
    • Workstation is Windows 7 Ultimate (a second workstation uses XP, but it has the same issue)
    • workstation is named <workstation_name>.<domain_name>.com

    I could set up WINS, but I never had to use it before…

    One thing I noticed is that I am not sure if the DNS forwarder works properly. The DNS server on the server shows a date of 8/2 for the workstation IP. I think that's the day when I installed pfSense which would mean that it never got renewed since then...

    Is anybody here using this successfully on the OS specified above?

    I normally used to set up the DNS server on my firewall (smoothwall) as a secondary, but I was assuming that the forwarder functionality does something similar.

    Hopefully, somebody can help me. Wife is getting upset with me for not being able to access her files any longer... ;)

    Thanks,
    Jens



  • @jstraten:

    • workstation is named <workstation_name>.<domain_name>.com

    That'll come back to haunt you, I suspect.

    @jstraten:

    One thing I noticed is that I am not sure if the DNS forwarder works properly. The DNS server on the server shows a date of 8/2 for the workstation IP. I think that's the day when I installed pfSense which would mean that it got never renewed since then…

    Are you getting DHCP and DNS mixed up here? When you say "DNS server on the server", which physical server are you referring to? My Server 2003 machine doesn't have a "date" column in DNS. I would expect to see the same IP address issued to a specific PC via multiple DHCP renewals.



  • @Bern:

    @jstraten:

    • workstation is named <workstation_name>.<domain_name>.com

    That'll come back to haunt you, I suspect.

    I understand that this wouldn't be the best option for a corporate environment, but this is just for home usage.

    @Bern:

    @jstraten:

    One thing I noticed is that I am not sure if the DNS forwarder works properly. The DNS server on the server shows a date of 8/2 for the workstation IP. I think that's the day when I installed pfSense which would mean that it got never renewed since then…

    Are you getting DHCP and DNS mixed up here? When you say "DNS server on the server", which physical server are you referring to? My Server 2003 machine doesn't have a "date" column in DNS. I would expect to see the same IP address issued to a specific PC via multiple DHCP renewals.

    Well, on a 2008 Server you actually get a time stamp for dynamic DNS entries which allows you to see when an entry was created. But I noticed that you are right about getting the same address. As long as I turn on the workstation within the expiration time of the DHCP it simply keeps the same address.

    The local DNS server runs on my Windows 2008 Server.

    No progress so far. I spent some time again, but I am simply stunned that it doesn't work right. It somehow seems to know that the request comes from a forwarder and not from the actual machine…

    Any windows gurus here? I can't believe that I am the only one testing Windows 2008 Server. It is kind of like Windows 7. Lots of stuff to like there... Well, I should say better than Vista I guess... ;)

    Thanks,
    Jens



  • It turns out that something got messed up in the network configuration of the server. I have two network adapters and one of them is used for Hyper V. I eventually became suspicious about Hyper V and so I simply deleted and re-created the virtual adapter linked to my second adapter. While doing so I got an error message, but eventually things went back to normal (involved a few resets) and everything works just great again. Not sure what has caused it. I know for sure that nothing got changed on the server since I installed pfSense…

    Anyhow, I am happy and everything works just great now!

    Thanks,
    Jens



  • How possibly can you be happy with Windows? ???



  • I am not and I already try to avoid using it whenever possible. My laptop is a Mac! :)

    However, on the server side I just don't see too many other options. I mean I know I could do some stuff in Linux, but it would require me much more time to get into it…

    What are you using?

    Thanks,
    Jens



  • However, on the server side I just don't see too many other options. I mean I know I could do some stuff in Linux, but it would require me much more time to get into it…

    What are you using?

    It always depends on what your requirements are. If you only need a file server, FreeNAS will do the job nicely. File + Print? ClarkConnect.



  • It turns out that I only resolved part of the problem. I can now access my file shares again, but the local workstation still shows as "unauthenticated". However, I am starting to wonder if this is a bug in Windows 7 since it doesn't seem to have an impact on anything…

    Bern, I am running a web server, a mail server and a database on my windows server. I know that I can probably do the same on Linux, but my knowledge in Linux isn't the greatest and so I feel that I would just set myself up for trouble... ;)

    On the plus side I also have trixbox which runs on linux in my environment as well. However, that also gives me more than enough trouble at times... ;)

    I figured I should update my findings here in case somebody else runs into the same problem.

    Thanks again to everybody trying to help!

    Cheers,
    Jens

