Author Topic: Windows Clients can't find Domain to join to, if Zentyal is behind a router  (Read 8491 times)

sgalan

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
Hello,

We are stuck with Zentyal PDC configuration and can't find hints at several forums; ours seems to be an unusual setup (surprisingly).


We're installing the latest version of Zentyal. Managed to set up an LDAP master and several slaves. The slaves are supposed to be PDC servers and share files, and Windows clients must join their domains, and they actually do... except for the PDC server which is inside the DMZ, behind a firewall.

We can make Windows clients join a real Windows 2003/2008 Server domain with no problem through that firewall.
We have also ruled out firewall filtering, because we reproduced the failing scenario using a single non-filtering router.

Our last diagnostic is the following:
Windows clients will find a "real" Windows Domain Server through different but connected networks, but they won't find a Zentyal Domain Server in the same circumstances.

We tried all kinds of DNS setup. Client pings server perfectly, and server pings client too. We can even access the Zentyal web control panel from the Windows client... but it still cannot find the domain to join.

Which protocol/port/NAT/service/thing! is lacking through routed networks?

It's important for us to have Windows Clients joined to our Domain Controller without extracting the server from the DMZ. And we're stuck with the task.
I don't know which config files can be attached or commented on here; the setup is the most common one, we haven't tweaked any file, and non-routed servers do work perfectly for their subnets (so at least we are supposed to understand the basics ;))...

Any hint will be highly appreciated. Ask me for files/configs or anything if they may help. (Even if it sounds like "that's impossible for Zentyal to serve a Windows Domain through routed networks, buddy").  :(

Regards.
- Sgalan -




philmills

  • Zen Warrior
  • ***
  • Posts: 161
  • Karma: +8/-0
IMO Zentyal's assumption that Zentyal will act as gateway is bad security practice, and it seems to have a domino effect, which it looks like you're experiencing.
My Zentyal server is PDC and therefore I don't want it to be a gateway for security reasons.
We have a pfSense router/firewall which provides internet/NAT/DHCP, so I didn't want my Zentyal server providing those services, especially as pfSense rocks ;P

In this scenario I found that I was unable to join PCs to the domain without tweaking samba.
It might be that you need to do the same...

Check this thread: http://forum.zentyal.org/index.php/topic,6333.0.html

Hope it helps

christian

  • Guest
Quote
IMO Zentyal's assumption that Zentyal will act as gateway is bad security practice, and it seems to have a domino effect, which it looks like you're experiencing.

Could you please elaborate on this?
Even if this is the default implementation in case you set up Zentyal with multiple interfaces, you can easily change it (I mean the firewall behaviour) using the admin interface. Why would this be bad in terms of security?

Quote
My zentyal server is PDC and therefore I don't want it to be a gateway for security reasons.
This one is a valid point: is it safe to set up on the same server internet gateway services like HTTP proxy and firewall, and office services like file sharing or MDA?

Quote
We have pfsense router/firewall which provides internet/nat/dhcp, so I didn't want my zentyal server providing those services, especially as pfsense rocks ;P

You are not obliged to do so with Zentyal. But if you push this logic further, why would you deploy Zentyal if all you need is Samba?  ???

Back to sgalan's problem, the solution you suggest might be the right one...
This might also depend on DNS and the way domain controllers are declared.
The drawing is very clear but I'm surprised to see so many PDCs, which would mean one domain per PDC. Are these BDCs instead?

Anyway, a Windows client uses DNS _SRV records to discover the PDC (Kerberos and LDAP) and then may use broadcast (if I'm correct), which would explain, depending on what your DNS contains, why you can find the local Zentyal and the remote "true" PDC but not the remote Zentyal.

c4rdinal

  • Zen Samurai
  • ****
  • Posts: 341
  • Karma: +4/-0
Did you try to adjust the OS level to a higher value in the Samba global settings?

Just a thought.

philmills

  • Zen Warrior
  • ***
  • Posts: 161
  • Karma: +8/-0
Quote
Could you please elaborate on this?
Even if this is the default implementation in case you set up Zentyal with multiple interfaces, you can easily change it (I mean the firewall behaviour) using the admin interface. Why would this be bad in terms of security?
I guess I'm actually assuming that "most" people (like me) have discovered Zentyal while looking for a viable alternative to Windows servers, be they PDC, BDC, file server, web server etc. In that respect, how many people would use a Windows server as a gateway? Not many, I think. That would give a single point of failure in any security breach. Not good. Hence my statement:
Quote
My zentyal server is PDC and therefore I don't want it to be a gateway for security reasons.

Quote
Why would you deploy Zentyal if all you need is Samba?  ???
Because it's a breeze to manage, without needing a pony-tail, greasy hair, sandals, glasses or pale complexion through lack of contact with the outside world.

pfSense is router software; it's very powerful but it's not designed to be a server. I'm a full believer in allowing software to do what it does best: pfSense = router, Zentyal = domain server. I also think it's prudent to have a coherent GUI-based system for managing my servers, so I'm using Zentyal as a base system whenever possible. This is especially important when it comes to Zentyal's integrated backup, cloud client services etc. I can have the same management interface on each server, which makes backups and restores very simple. In a Linux domain, that's not something I have found easy to achieve, but Zentyal does it beautifully.

I have, however, found a number of difficulties relating to using Zentyal without it being a DHCP server. I can't remember them well enough to state them right now, but 2 or 3 times I have hit hurdles.

christian

  • Guest
@philmills: did you ever try to manage Samba using SWAT?
It will be almost as efficient as Zentyal, if not more, as far as the only feature you are looking for, PDC emulation (i.e. Samba), is concerned...
You won't even need access to the CLI  :D

And do not think that Microsoft is always unsafe while Linux is always safe. You will be surprised by the large number of Microsoft servers exposed to the internet but still reasonably secure.
Notice I'm not the one promoting Microsoft, but I just want to kill a misunderstanding here.

You are very welcome with any input and feedback about Zentyal without DHCP. To me, the Zentyal DHCP implementation was rather on the lower side until they added the capability to customize "DHCP options", and it is still strange with leases provided outside the DHCP range. And I never faced any problem running Zentyal without DHCP. This said, I'm not using Samba as a Zentyal component because I don't like the way account management is done, because of LDAP restrictions and constraints. Maybe this is the reason why I do not have DHCP issues, but I really doubt it  ;)

philmills

  • Zen Warrior
  • ***
  • Posts: 161
  • Karma: +8/-0
Quote
@philmills: did you ever try to manage Samba using SWAT?
It will be almost as efficient as Zentyal, if not more, as far as the only feature you are looking for, PDC emulation (i.e. Samba), is concerned...
You won't even need access to the CLI  :D
Yes I did. It felt like using Windows 3.11; I found it messy, clunky and not really "enterprise ready". On the other hand I also tried Webmin, which is good, but takes much longer to get results than Zentyal, and the backup features were not great. Zentyal is very clean, logical, and intuitive.
Quote
And do not think that Microsoft is always unsafe while Linux is always safe. You will be surprised by the large number of Microsoft servers exposed to the internet but still reasonably secure.
Maybe so, but is it good practice?

Regarding DHCP, I recall some issues trying to get VPN to work, and trying to get Jabber to work. I have a bad memory though.
Agreed that LDAP restrictions can be frustrating, especially when trying to allow other services to authenticate against your LDAP etc. Maybe some kind of LDAP extension module would be a worthwhile addition to Zentyal...

sgalan

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
Quote
IMO Zentyal's assumption that Zentyal will act as gateway is bad security practice, and it seems to have a domino effect, which it looks like you're experiencing.
My Zentyal server is PDC and therefore I don't want it to be a gateway for security reasons.
We have a pfSense router/firewall which provides internet/NAT/DHCP, so I didn't want my Zentyal server providing those services, especially as pfSense rocks ;P

In this scenario I found that I was unable to join PCs to the domain without tweaking samba.
It might be that you need to do the same...

Check this thread: http://forum.zentyal.org/index.php/topic,6333.0.html

Hope it helps

Well, I didn't say that the firewall is an independent hardware appliance. The Zentyal PDC server acts only as PDC, not gateway.

I'll read your suggested post. Thanks.

christian

  • Guest
sgalan, it's pretty clear that your Zentyal box acts as PDC "only"; nevertheless, it has a network, thus a firewall, if I'm not wrong... This said, the only interface is not described as "external", thus communication to Zentyal should be quite "open".
Again, sorry for pushing on this, but I would suggest looking at DNS for _SRV records and/or enabling a UDP helper on your router.
Did you try pushing WINS option via DHCP?
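As an added example (not code from this thread or from Zentyal) illustrating christian's two points above, DC discovery falling back to broadcast and the WINS option: this builds the NetBIOS name-service query (RFC 1002, UDP/137) a Windows client sends for the "<DOMAIN><1C>" domain-controllers group name, and parses the answer. The broadcast form (B flag set) stays on the local subnet because routers do not forward it; the unicast form to a WINS server (B flag clear) is routed, which is what a client on another subnet relies on when no DNS _SRV records point at the PDC. The domain name, transaction id and WINS address are assumptions.

```python
import socket
import struct

# Constructed example, not code from the forum thread or from Zentyal.
# NetBIOS name-service (RFC 1002, UDP/137) query for "<DOMAIN><1C>", the group
# name Windows clients resolve to find NT4-style domain controllers. Sent to
# the subnet broadcast it is not forwarded by routers; sent unicast to a WINS
# server it is, which is why "WINS via DHCP" matters for a routed PDC.

DC_GROUP_SUFFIX = 0x1C   # NetBIOS suffix of the domain-controllers group name
NB_QTYPE = 0x0020        # NB (NetBIOS general name service) question type
NB_QCLASS = 0x0001       # IN

def encode_netbios_name(name: str, suffix: int) -> str:
    """First-level encoding: name space-padded to 15 bytes plus the suffix
    byte, each byte split into two nibbles mapped onto 'A'..'P' (32 chars)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr((b >> 4) + 0x41) + chr((b & 0x0F) + 0x41) for b in raw)

def build_name_query(domain: str, txid: int, broadcast: bool) -> bytes:
    """NAME QUERY REQUEST: RD is always set; B marks a broadcast query."""
    flags = 0x0100 | (0x0010 if broadcast else 0x0000)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(domain, DC_GROUP_SUFFIX).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", NB_QTYPE, NB_QCLASS)

def parse_name_response(data: bytes) -> list:
    """IPv4 addresses from a positive NAME QUERY RESPONSE (empty if negative)."""
    flags, ancount = struct.unpack("!HH", data[2:4] + data[6:8])
    if ancount == 0 or flags & 0x000F:          # RCODE != 0 is a negative answer
        return []
    rr = 12 + 1 + 32 + 1                        # header + encoded RR_NAME
    rdlength = struct.unpack("!H", data[rr + 8:rr + 10])[0]   # after TYPE, CLASS, TTL
    rdata = data[rr + 10:rr + 10 + rdlength]    # ADDR_ENTRY array: NB_FLAGS(2) + IPv4(4)
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata), 6)]

def query_wins(domain: str, wins_server: str, timeout: float = 2.0) -> list:
    """Unicast the <1C> query to a WINS server; [] on timeout. Needs UDP/137."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_name_query(domain, 0x1234, broadcast=False), (wins_server, 137))
        data, _ = sock.recvfrom(576)
    except socket.timeout:
        return []
    finally:
        sock.close()
    return parse_name_response(data)
```

Run `query_wins("EXAMPLE", "10.0.0.2")` (both values assumed) from a client on the far side of the router: an empty list with a populated WINS server means the query itself is being blocked, while addresses coming back means name resolution is fine and the remaining problem lies elsewhere.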