After having the firewall ports opened to access a UNC path, I ran into an issue where I could not access the share using the fully qualified domain name. When I tried to access the share, I received the error shown below.
My initial thought was that the name was not resolving, but the error seemed to indicate that a connection was being made. To rule out name resolution, I added an entry for the server to the hosts file on the client system. When I tried the connection again, I received the same message.
Diagnosis:
At this point I decided to look at what was actually happening on the wire, so I fired up Wireshark. I used the following display filter to show only the traffic I thought interesting:
ip.addr == x.x.x.x || dns || kerberos || cldap
Where x.x.x.x is the IP address of the server hosting the share.
Now, I won't list the packet data here (I don't want to leak any information :-) ), but below is a screenshot of the protocols and a bit of the information. Take a look and we will go through it below.
[Screenshot: Wireshark_Auth_Data]
The first three packets are the TCP handshake between my client and the server hosting the share.
Next come two SMB packets in which the client and server negotiate the authentication mechanisms each supports and agree on which one to use.
Then come the KRB5 packets; there are ten of them.
The first four obtain a TGT from the KDC and are not relevant to the issue here; just know that I was able to obtain a TGT from the KDC.
The remaining six KRB5 packets are three request/response pairs, and the responses are the important part. Each one is a referral that adds a piece of the server's Windows domain. In my case I have a domain of company.com and two levels of subdomain, so to determine the domain to which I need to authenticate, it takes three passes, each returning more of the domain:
company.com
subdomain.company.com
sub1.subdomain.company.com
Once the client knows the domain it must authenticate to, it looks that domain up in DNS. The six DNS packets are the DC locator walking the Microsoft DNS records (the _msdcs SRV records) to find a domain controller in the server's domain for authentication purposes.
After resolving the name of a DC in the server's domain, the client sends that DC a CLDAP query: a RootDSE search asking for the Netlogon attribute, the "LDAP ping" the DC locator uses to confirm that the DC is alive and serving that domain.
I blanked out the irrelevant packets, and if you look at the bottom of the graphic you will notice three (3) RootDSE query requests and no reply to any of them.
If you were not aware, most clients will retry a request three times before abandoning the connection, and that is exactly the pattern here. The likely culprit, then, is that CLDAP, UDP port 389, is not open between my client PC and the domain controllers for sub1.subdomain.company.com. Note that the ports opened earlier were for the file server itself; the CLDAP traffic goes to the domain controllers of the server's domain, a different set of hosts, which is why the share was reachable but authentication never completed.
Solution:
Open UDP port 389 (CLDAP) from the source computer to the domain controllers of the domain in which the destination server resides. Kerberos and SMB themselves were already working, as the TGT and the SMB negotiation in the capture show. To confirm the fix, re-run the capture with the same filter and check that the first RootDSE query now gets a reply; running nltest /dsgetdc:sub1.subdomain.company.com from the client exercises the same DC locator path.
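To make the exchange concrete, here is an added example (my code, not from the original post) that sends the same CLDAP "LDAP ping" a Windows client sends to UDP 389, retries it three times the way the capture showed, and decodes the Netlogon answer. Only the standard library is used; the host and domain names and the sample reply are constructed, not captured from a real DC. Run with no arguments, it decodes the constructed reply offline.

```python
"""cldap_ping.py: the DC locator's CLDAP "LDAP ping" (MS-ADTS 6.3.3) to UDP 389. Added example,
not code from the original post; host/domain names and sample_reply() are constructed."""
import socket
import struct

NT_VERSION_5EX = 0x00000006         # NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX
LOGON_SAM_LOGON_RESPONSE_EX = 0x17  # opcode a DC answers with when 5EX is requested

def tlv(tag: int, payload: bytes) -> bytes:
    """BER tag-length-value; long-form length once the payload reaches 128 bytes."""
    n = len(payload)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + payload

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position just past this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long form: 0x80 | number of bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_ldap_ping(dns_domain: str, message_id: int = 1) -> bytes:
    """SearchRequest on RootDSE: (&(DnsDomain=<dns_domain>)(NtVer=\\06\\00\\00\\00)), attrs [Netlogon]."""
    def eq(attr: bytes, value: bytes) -> bytes:               # Filter.equalityMatch [3]
        return tlv(0xA3, tlv(0x04, attr) + tlv(0x04, value))
    filt = tlv(0xA0, eq(b"DnsDomain", dns_domain.encode())     # Filter.and [0]
                     + eq(b"NtVer", struct.pack("<I", NT_VERSION_5EX)))
    search = (tlv(0x04, b"") + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")        # base "", scope, deref
              + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x01, b"\x00")  # limits, typesOnly
              + filt + tlv(0x30, tlv(0x04, b"Netlogon")))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x63, search))     # 0x63 SearchRequest

def read_name(blob: bytes, pos: int):
    """RFC 1035 compressed name; pointer offsets count from the start of the Netlogon blob."""
    labels, end = [], None
    while blob[pos] != 0:
        n = blob[pos]
        if n & 0xC0 == 0xC0:                                   # 11xxxxxx: 14-bit pointer
            end = pos + 2 if end is None else end
            pos = ((n & 0x3F) << 8) | blob[pos + 1]
        else:
            labels.append(blob[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
    return ".".join(labels), (pos + 1 if end is None else end)

def decode_netlogon(blob: bytes) -> dict:
    """Fixed header plus the compressed names of NETLOGON_SAM_LOGON_RESPONSE_EX."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError(f"unexpected netlogon opcode 0x{opcode:x}")
    out, pos = {"Opcode": opcode, "Flags": flags}, 8 + 16          # 16 = DomainGuid
    for field in ("DnsForestName", "DnsDomainName", "DnsHostName", "NetbiosDomainName",
                  "NetbiosComputerName", "UserName", "DcSiteName", "ClientSiteName"):
        out[field], pos = read_name(blob, pos)
    return out

def netlogon_from_datagram(data: bytes):
    """A reply datagram may hold several LDAPMessages; return the Netlogon value or None."""
    pos = 0
    while pos < len(data):
        _, msg, pos = read_tlv(data, pos)
        op_tag, op, _ = read_tlv(msg, read_tlv(msg)[2])        # skip messageID
        if op_tag != 0x64:                                     # 0x64 SearchResultEntry, 0x65 Done
            continue
        attrs, p = read_tlv(op, read_tlv(op)[2])[1], 0         # skip objectName
        while p < len(attrs):
            _, attr, p = read_tlv(attrs, p)
            _, name, q = read_tlv(attr, 0)
            if name.lower() == b"netlogon":
                return read_tlv(read_tlv(attr, q)[1], 0)[1]    # first value of the SET
    return None

def sample_reply() -> bytes:
    """CONSTRUCTED DC reply, not a capture: SearchResultEntry + SearchResultDone in one datagram."""
    def name(*labels):
        return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    dom = name("sub1", "subdomain", "company", "com")
    blob = struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, 0xF1FC) + bytes(16)  # hdr + GUID
    blob += dom + dom + b"\x03dc1" + bytes([0xC0, 24 + len(dom)])  # forest, domain, "dc1"+pointer (<256)
    blob += name("SUB1") + name("DC1") + b"\x00"                    # NetBIOS names, empty UserName
    blob += name("Default-First-Site-Name") + bytes([0xC0, len(blob)])  # ClientSiteName -> DcSiteName
    blob += struct.pack("<IHH", 5, 0xFFFF, 0xFFFF)                  # NtVersion, LmNtToken, Lm20Token
    entry = tlv(0x64, tlv(0x04, b"") + tlv(0x30, tlv(0x30, tlv(0x04, b"Netlogon")
                                                            + tlv(0x31, tlv(0x04, blob)))))
    done = tlv(0x65, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b""))  # success, "", ""
    return tlv(0x30, b"\x02\x01\x01" + entry) + tlv(0x30, b"\x02\x01\x01" + done)

def cldap_ping(dc_host: str, dns_domain: str, attempts: int = 3, timeout: float = 2.0):
    """Send the ping up to `attempts` times; None means no answer (UDP 389 filtered is the usual cause)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            sock.sendto(build_ldap_ping(dns_domain), (dc_host, 389))
            try:
                blob = netlogon_from_datagram(sock.recvfrom(65535)[0])
            except socket.timeout:
                continue
            if blob:
                return decode_netlogon(blob)
    return None

if __name__ == "__main__":
    print(decode_netlogon(netlogon_from_datagram(sample_reply())))  # offline demo on the constructed reply
```

Against a real DC, cldap_ping("dc1.sub1.subdomain.company.com", "sub1.subdomain.company.com") (assumed names) returns the decoded NETLOGON_SAM_LOGON_RESPONSE_EX, including the DC's site and the site the DC thinks the client is in; None after three timeouts is exactly the symptom in the capture above, with UDP 389 filtered as the usual cause. The decoder stops after the eight compressed names and leaves the trailing NtVersion and token fields alone.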
This procedure illustrates how to add a database using the ISPConfig3 interface. Although this can, and sometimes must, be done with phpMyAdmin or a console client, I use the ISPConfig3 interface first when possible, since only then does ISPConfig know about the database.
Logon to the ISPConfig3 admin interface.
Select the Sites tab.
Select Databases from the menu on the left.
Select the Add new Database button.
Select the Site from the dropdown.
This is the site for which the database is being created.
Enter the Database name.
Note that the Database name field is prefixed with c[CLIENTID]d[DOMAINID], making each name unique and allowing the remaining portion of the name to be the same across sites.
Select the Database user from the dropdown.
If you do not have a database user, one can be assigned later. Until then, only admin will be able to access the database. To create one now, follow the ISPConfig — Add Database User procedure.
When database access is desired, database users are created. These users are then considered the owners of the databases assigned to them.
Logon to the ISPConfig3 admin interface.
Select the Sites tab.
Select Database Users from the menu on the left.
Select the Add new User button.
Select the appropriate client from the Client dropdown.
Enter the Database user name in the field.
Note the c[CLIENTID] portion of the database user field? This ensures each client has a unique user name. As one database user can own multiple databases, for multiple sites, you do not need to create a unique user for each domain.
Enter the Password for the user, or select the Generate Password button.
Confirm the password by entering it again in the Repeat Password area.
I have been "playing around" with ISPConfig3 for a while now, learning some of the ins and outs, and now it is time to build my first, hopefully production, system.
This document illustrates the process, mainly to keep track of what is being done.
I am essentially following the HowtoForge documents for a CentOS 7.3 Minimal Server and The Perfect Server for the ISPConfig3 portion. By default, these documents build everything on one server, and we won't change that either.
ispconfig3 amavisd: Error in config file “/etc/amavisd/amavisd.conf”: Error in config file “/etc/amavisd/60-dkim”: Can’t open PEM file /var/lib/amavis/dkim/quantumleaps.com.private: Permission denied at /usr/sbin/amavisd line 637.
I ran into this issue a couple of times, so I figured I would write it down.
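Before changing anything, it helps to know which hop denies access: the key file's own mode, or a directory above it that the daemon user cannot search. The following is an added example (my code, not from the post or from amavisd) that walks the path from / down to the key as the amavisd daemon user would. The user name "amavis" (amavisd.conf's $daemon_user on a stock install) is an assumption; the key path is the one from the error message above.

```python
"""dkim_key_access.py: explain a "Can't open PEM file ...: Permission denied" from amavisd.
Added example, not from the original post. It asks one question: can the user amavisd runs as
($daemon_user in amavisd.conf) search every directory on the path and read the key file?
The daemon user "amavis" in __main__ is an assumption; the key path is the one from the error."""
import grp
import os
import pwd
import stat

def mode_allows(mode: int, owner: str, group: str, user: str, user_groups, want: str = "r") -> bool:
    """Classic Unix mode check (no ACLs, no SELinux): root always passes; otherwise pick the
    owner, group or other triplet and test the read (4) or execute/search (1) bit."""
    if user == "root":
        return True
    if user == owner:
        triplet = (mode >> 6) & 0o7
    elif group in user_groups:
        triplet = (mode >> 3) & 0o7
    else:
        triplet = mode & 0o7
    return bool(triplet & {"r": 4, "x": 1}[want])

def groups_of(user: str) -> set:
    """Primary plus supplementary groups, as the daemon has them after initgroups()."""
    primary = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
    return {primary} | {g.gr_name for g in grp.getgrall() if user in g.gr_mem}

def explain_access(user: str, path: str) -> list:
    """Walk from / down to `path`; list every component that blocks `user`. Empty list = readable."""
    ugroups, problems = groups_of(user), []
    parts = os.path.abspath(path).split(os.sep)
    for i in range(1, len(parts) + 1):
        p = os.sep.join(parts[:i]) or os.sep
        want = "x" if i < len(parts) else "r"     # directories need search (x), the file needs read
        try:
            st = os.stat(p)
        except FileNotFoundError:
            problems.append(f"{p}: does not exist")
            break
        owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
        if not mode_allows(st.st_mode, owner, group, user, ugroups, want):
            problems.append(f"{p}: {owner}:{group} {stat.filemode(st.st_mode)} denies '{want}' to {user}")
    return problems

if __name__ == "__main__":
    # Assumed daemon user; the key path is the one from the amavisd error in this post.
    for line in explain_access("amavis", "/var/lib/amavis/dkim/quantumleaps.com.private") or ["readable"]:
        print(line)
```

The check is deliberately the plain Unix mode check. CentOS 7 can also deny access through POSIX ACLs or SELinux, and both surface as the same "Permission denied" in the Perl error, so if this script reports the path as readable, look at getfacl on the key and at the audit log (ausearch -m avc) next.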
This post illustrates how to create a new mailbox for an existing mail domain. If you haven't created an email domain yet, see ISPConfig — Setup Email Domain, then return here.