Bug 333501

Summary: Network browsing (samba) and domain authentication does not work with firewall enabled
Product: [openSUSE] openSUSE 10.3
Reporter: Forgotten User gxNgjAWAcH <forgotten_gxNgjAWAcH>
Component: Network
Assignee: Lukas Ocilka <locilka>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
Version: Final
Target Milestone: ---
Hardware: i686
OS: openSUSE 10.3
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Forgotten User gxNgjAWAcH 2007-10-12 16:56:45 UTC
I'm not able to browse the Windows domain network, nor am I able to authenticate against the Windows NT4 PDC if SuSEfirewall is up.

I have opened the required ports, and I'm able to access shares over the network if I specify the exact IP of the server.

Here are the relevant settings in the firewall (the ports are open, and checked with nmap from another machine on the network):

I have read this article:
<http://wiki.suselinuxsupport.de/wikka.php?wakka=HowToFirewallLinuxHostSamba>

And tried what they have there, no joy.

Also, for the standard configuration (not using the sysconfig editor, as in
the article, but using the YaST firewall module) I did:

eth0 - external interface
Allowed services: SSH, Samba server
No advanced conf.
Selecting the Samba server changed what's in Broadcast: netbios-ns netbios-dgm

This resulted in the following lines in /etc/sysconfig/SuSEfirewall2:
FW_SERVICES_EXT_TCP="22 microsoft-ds netbios-ssn"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
FW_ALLOW_FW_BROADCAST_EXT="netbios-ns netbios-dgm"

This does not allow me to browse the network: I do not see any domain
or workgroup, and I cannot log in as a domain user, as it cannot
find the domain controller. When I try to browse the network, in
the firewall log I see:
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:11:4c:87:8a:00:90:27:99:8c:07:08:00 SRC=192.168.2.10 DST=192.168.2.222 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=36328 PROTO=UDP SPT=137 DPT=1090 LEN=70
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:11:4c:87:8a:00:0c:29:e6:88:02:08:00 SRC=192.168.2.232 DST=192.168.2.222 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=20868 PROTO=UDP SPT=137 DPT=1090 LEN=70
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:11:4c:87:8a:00:0c:29:69:00:dc:08:00 SRC=192.168.2.245 DST=192.168.2.222 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=29965 PROTO=UDP SPT=137 DPT=1090 LEN=70

Where 192.168.2.10 is the PDC, and 192.168.2.232 and 192.168.2.245 are
two Windows machines, which have one and the same workgroup, and are not
part of the domain.

Now, here is what's in /etc/sysconfig/SuSEfirewall2 when I follow
the advice from the article above and put everything through the
YaST sysconfig editor:
FW_DEV_EXT - eth0 (not changed)
FW_SERVICES_EXT_TCP - changed from "22 microsoft-ds netbios-ssn" to "22 135 139"
FW_SERVICES_EXT_UDP - changed from "netbios-dgm netbios-ns" to "137 138"
FW_ALLOW_FW_BROADCAST_EXT - changed from "netbios-ns netbios-dgm" to "yes"

I did not edit anything about trusted networks.

After applying these settings, /etc/sysconfig/SuSEfirewall2 has these
entries (the relevant ones):
FW_SERVICES_EXT_TCP="22 135 139"
FW_SERVICES_EXT_UDP="137 138"
FW_ALLOW_FW_BROADCAST_EXT="yes"

And this does not work either. Same problem: no network browsing,
and the same entries in the firewall log.
And that should be expected, as I would guess that the UI just uses all
the microsoft-xx and netbios-xxx names as aliases for the
corresponding ports.

iptables -L shows these relevant entries (I removed the LOG rules):
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:22
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:135
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:139
ACCEPT     udp  --  anywhere             anywhere            udp dpt:137
ACCEPT     udp  --  anywhere             anywhere            udp dpt:138

So, it looks like everything is enabled, but it does not work at all. I also added port 445 to TCP and UDP, just in case. Still no success.
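As an added example (not code from the report, from SuSEfirewall2 or from the openSUSE project), the following Python parses the three DROP entries quoted above and checks them against the ACCEPT rules the reporter listed. It shows why opening 137/138/139/445 cannot help here: the dropped datagrams go from port 137 to local port 1090, so they are NetBIOS name-service replies to a name query this host sent to the broadcast address, and a rule keyed on destination port 137 never sees them. The extra TCP line, the 1024 ephemeral-port threshold and all function names are my own constructions, not anything from the report.

```python
"""Parse SuSEfirewall2 kernel-log DROP lines and show why static
'open port N' rules do not match NetBIOS name-service replies."""
import re
from collections import Counter

# The three SFW2-INext-DROP-DEFLT entries quoted in the report above,
# re-joined onto one line each (the post wrapped them).
SAMPLE_LOG = """\
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:11:4c:87:8a:00:90:27:99:8c:07:08:00 SRC=192.168.2.10 DST=192.168.2.222 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=36328 PROTO=UDP SPT=137 DPT=1090 LEN=70
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:11:4c:87:8a:00:0c:29:e6:88:02:08:00 SRC=192.168.2.232 DST=192.168.2.222 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=20868 PROTO=UDP SPT=137 DPT=1090 LEN=70
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:11:4c:87:8a:00:0c:29:69:00:dc:08:00 SRC=192.168.2.245 DST=192.168.2.222 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=29965 PROTO=UDP SPT=137 DPT=1090 LEN=70
"""

# A constructed line (NOT from the report) so the classifier has an
# ordinary drop to ignore: a stray TCP SYN to a port nobody opened.
CONSTRUCTED_OTHER_DROP = (
    "Oct 10 23:16:01 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:11:11:4c:87:8a:00:0c:29:e6:88:02:08:00 SRC=192.168.2.232 "
    "DST=192.168.2.222 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=20869 DF "
    "PROTO=TCP SPT=1234 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0")

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: '
    r'(?P<chain>SFW2-\S+) (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(\S*)')   # bare flags like DF / SYN are skipped
INT_FIELDS = ('SPT', 'DPT', 'TTL', 'ID')

NETBIOS_NS = 137        # netbios-ns, the UDP name service port
EPHEMERAL_MIN = 1024    # assumption: ports from here up are client-side ports


def parse_sfw2_line(line):
    """Turn one SuSEfirewall2 log line into a dict, or None if it is not one.
    LEN appears twice (IP total length, then the UDP/TCP length), so the
    two values are kept apart as IP_LEN and L4_LEN."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': m['ts'], 'host': m['host'], 'chain': m['chain']}
    lens = []
    for key, val in FIELD_RE.findall(m['fields']):
        if key == 'LEN':
            lens.append(int(val))
        else:
            rec[key] = val
    if lens:
        rec['IP_LEN'] = lens[0]
    if len(lens) > 1:
        rec['L4_LEN'] = lens[1]
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def parse_sfw2_log(text):
    """All SFW2 records in a block of log text, non-matching lines skipped."""
    return [r for r in (parse_sfw2_line(l) for l in text.splitlines()) if r]


def classify_drop(rec):
    """Label a drop that fits the pattern in the report: UDP from port 137
    (a NetBIOS name-service reply) to a high port on the firewall host,
    i.e. the answer to a name query this host broadcast. Conntrack cannot
    tie a unicast reply to a request sent to the broadcast address, so the
    reply is neither ESTABLISHED nor RELATED and hits the default DROP.
    Returns None for drops that do not match."""
    if (rec.get('PROTO') == 'UDP' and rec.get('SPT') == NETBIOS_NS
            and rec.get('DPT', 0) >= EPHEMERAL_MIN):
        return ('netbios-ns reply to ephemeral port %d '
                '(untracked answer to a broadcast name query)' % rec['DPT'])
    return None


# Destination ports opened by the ACCEPT rules listed in the report
# (22, 135, 139 TCP; 137, 138 UDP) plus the 445 the reporter added later.
OPENED_PORTS = {'TCP': {22, 135, 139, 445}, 'UDP': {137, 138, 445}}


def matched_by_open_ports(rec, opened=OPENED_PORTS):
    """Mimic the 'ACCEPT ... dpt:N' rules: only the destination port is
    consulted. A reply addressed to the client's ephemeral port never
    matches, however many service ports are opened."""
    return rec.get('DPT') in opened.get(rec.get('PROTO', ''), set())


def summarize_untracked_replies(text):
    """Per-sender count of dropped packets that look like NetBIOS-NS
    replies; each key is a host that answered the broadcast query."""
    return Counter(r['SRC'] for r in parse_sfw2_log(text) if classify_drop(r))


if __name__ == '__main__':
    for rec in parse_sfw2_log(SAMPLE_LOG + CONSTRUCTED_OTHER_DROP):
        print(rec['SRC'], rec['PROTO'], rec.get('SPT'), '->', rec.get('DPT'),
              '| matched by open-port rule:', matched_by_open_ports(rec),
              '|', classify_drop(rec))
    print(summarize_untracked_replies(SAMPLE_LOG))
```

What the classifier keys on is the asymmetry a broadcast query creates: the request leaves for the broadcast address, the answers come back unicast from each host's port 137, and stateful tracking keyed on the request's destination cannot relate the two. The Linux kernel has a conntrack helper for exactly this case, nf_conntrack_netbios_ns (ip_conntrack_netbios_ns on older 2.6 kernels), which registers an expectation so the replies count as RELATED; later SuSEfirewall2 releases load it through FW_LOAD_MODULES. Whether that is what resolved the duplicate is not something this report states.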
Comment 1 Lukas Ocilka 2007-10-15 07:30:10 UTC
See bug 196475, bug 223465 and bug 225635

*** This bug has been marked as a duplicate of bug 225635 ***