Microsoft clients logon

Microsoft clients logon

[Mogens Valentin]

After rewriting an ipchains firewall to iptables, I've got problems
having M$ clients logon to an w2k server; that is,  I do not administer
that server, so it actually might not be my firewalling.

The w2k server is on a dedicated internal serversegment, clients are on
three other segments. Problem clients are winxp.
It takes a looong tme to logon (I'm told upto nearly half an hour),
other traffic no problem; it' only the login procedure.

So far, I forward M$ related tcp/udp ports 137:139, 445, 135, ldap,
kerberos in both directions between server and client segments.
Tcpdump shows traffic on these ports in both directions, leading me to
believe it should work.

Port 135 is "DCE endpoint resolution", which is an rpc service, and
AFAIK very basic for M$ networking.
Googling for DCE endpoint resolution reveals that others have  had
problems here. What I found didn't really tell if those writing about it
really understood what's going on, neither what kind of firewall were
used.

-- 
Kind regards / venlig hilsen,
Mogens Valentin, Mr Dev

IT Networking, Security, Server Setup
www.danbbs.dk/~monz   mrdev@danbbs.dk

RE: Microsoft clients logon

[Daniel Chemko]

I can't say for sure what the problem is, but the best advice I can give
is to LOG all traffic to that server that is not on those ports. You may
see a very blatant pattern about what you aren't sending through.

PS: you also need udp/tcp 53 DNS, or active directory gets fcked up.
Maybe even WINS (tcp 42) is good if you have some legacy stuff.