Change Provider IP from Samba2

NethServer Version: NS8
Module: Samba

Guys, I hope you are all well. Today I installed a secondary node in the cluster and then I added another samba1 provider, but for some reason the provider’s IP became the Wireguard IP address. Is there a way to change this IP to the server’s IP address?

WARNING, this command is only allowed for the first DC in the cluster, see also Change Provider IP from Samba2 - #3 by davidep

It’s explained here:

No, the IP address can be changed only on the first DC of the domain. If I understand correctly you have configured a second DC. In this case remove the second DC and reinstall it.

Be aware that only one DC of the domain can be LAN-facing (Windows Domain Authentication and File Server). We (still) do not support multi-site AD.

When a DC is added you can enable the switch and select a LAN IP.

Other DCs will have the switch disabled. They are just local node replicas for cluster applications.

That is a post-NS7 migration step, where it is assumed that there are no DCs, other than the one created by the migration tool. Only for the first DC of a domain, set-ipaddress is allowed.

Thanks @davidep for clarifying.

Would it be possible to switch the first DC by changing the IP to a wireguard IP and making the second DC the first one by changing its IP to a LAN IP?

No, we cannot change the DC IP in a domain with multiple DCs. The DC IP address is replicated in many places and cannot be changed.

To change one DC IP address, remove other DCs from the domain, change its IP and recreate the replica.

I have tried that command. Doesn’t work for me… I get peer_dc error…

Yes, sorry, it would only work for the first DC as @davidep explained, I corrected my post.

Thanks for the clarification. The problem is the following… I intend to use the second Samba installation as a secondary AD server, but I’m being forced to use the VPN IP address, see: “The new provider will be configured on the VPN IP address”, but what happens in this case? Well, the nodes are on separate networks, including physically. These networks communicate via appliances. So far so good, but what’s the problem? The difficulty is that I’m not able to make users on the NODE1 (main) network communicate with the VPN IP of NODE2. I’ve already added routes to the 10.5.4.0/24 network (Wireguard’s internal VPN network). I’ve already checked if net.ipv4.forward is active in sysctl, etc.

That’s not supported yet for client devices in LAN.

It means that the NS8 apps can use it as (fallback) user domain provider.

Thinking a little more and reflecting on the issue, I was able to find a functional solution to my problem. Good old NAT…

# SERVER_IP is the node's LAN address, WG0_VPN_IP the DC's WireGuard address; run on the node that owns SERVER_IP.
# TCP: LDAP, global catalog, RPC endpoint mapper + dynamic RPC, Kerberos, kpasswd, DNS, SMB/NetBIOS session, WS-Discovery, LDAPS
iptables -t nat -A PREROUTING -d SERVER_IP -p tcp -m multiport --dports 389,3269,135,464,88,49152:65535,3268,139,53,445,5357,636 -j DNAT --to-destination WG0_VPN_IP
# UDP: LDAP (CLDAP), NetBIOS name/datagram, Kerberos, DNS, NTP, kpasswd, WS-Discovery
iptables -t nat -A PREROUTING -d SERVER_IP -p udp -m multiport --dports 389,137,138,88,53,123,464,3702 -j DNAT --to-destination WG0_VPN_IP
# Rewrite the source on the way out over wg0 so replies come back through this node
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

This way, the machines on node1 network and node2 network can use the IP of both servers on the service ports. Apparently it is working perfectly. I will do more tests.

@davidep and @mrmarkuz I would really like you both to help in identifying the cause of this problem.

I am not happy with the solution I found and would like to understand why I am unable to reach the IP of wg0 from network 1.

Both nodes are running ns8 (same installation procedure), same version.

My scenario:

network1 ← router1 ↔ router2 → network2
   |___ node1 (main)             |___ node2 (secondary)

router1 has a static route 10.5.4.0/24 with gw the IP of node 1
router2 has a static route 10.5.4.0/24 with gw the IP of node 2

from cluster node 1 server
→ I can reach wg0 interface from both sites
→ ipv4 net ip forward = 1
from cluster node 2 server
→ I can reach wg0 interface from both sites
→ ipv4 net ip forward = 1

from network2 (any machine)
→ I can reach wg0 interface from both sides
→ I can use the node 1 and node 2 services

from network1 (any machine)
→ I can reach wg0 interface from node 1 only
→ The wg0 interface from node 2 is being filtered (ping with admin prohibited)
→ There are no firewall rules dropping on either router
→ There are no firewall rules dropping on the node 1 server

What am I forgetting? What am I missing?
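As an added diagnostic example (not code from this thread), the POSIX shell script below checks, from captured command output, the three conditions the post above relies on for node 1 to forward LAN traffic into the WireGuard network: ip_forward enabled, a route for 10.5.4.0/24 via wg0, and no reject/drop rule in the forward chain. The "From <ip> ... Packet filtered" line that ping prints names the host that sent the admin-prohibited reply, so the captures should be taken there; the sample captures are constructed, and the wg0 device name and the nft / iptables-save output formats are assumptions.

```shell
#!/bin/sh
# Added diagnostic example (not code from the thread). Each check takes captured
# command output as text, so it runs against constructed samples or real captures.
WG_NET="10.5.4.0/24"    # WireGuard network named in the thread
# Constructed sample captures: stand-ins for `sysctl -n net.ipv4.ip_forward`,
# `ip route` and `nft list ruleset` taken on the node that ping's "From" line blames.
IPFWD_SAMPLE="1"
ROUTE_SAMPLE="default via 192.0.2.1 dev eth0
10.5.4.0/24 dev wg0 scope link
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10"
NFT_SAMPLE='table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
        iifname "wg0" accept
        reject with icmpx type admin-prohibited
    }
}'

check_ip_forward() {    # $1: value of net.ipv4.ip_forward
  [ "$1" = "1" ]
}

check_route() {         # $1: `ip route` text, $2: prefix; true if it is routed via wg0
  printf '%s\n' "$1" | grep -q "^$2 dev wg0"
}

# Count forward-chain rules that reject or drop, in nft or iptables-save syntax.
# Any hit explains a "Packet filtered" / admin-prohibited reply to ping.
count_forward_rejects() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*chain / { inchain = ($2 ~ /[Ff][Oo][Rr][Ww][Aa][Rr][Dd]/) }
    inchain && /reject|drop/ { n++ }
    /^-A FORWARD .*-j (REJECT|DROP)/ { n++ }
    END { print n + 0 }'
}

diagnose() {            # $1: ip_forward value, $2: route text, $3: ruleset text
  check_ip_forward "$1" && echo "ok: ip_forward=1" || echo "FAIL: ip_forward is off"
  check_route "$2" "$WG_NET" && echo "ok: $WG_NET via wg0" || echo "FAIL: no wg0 route for $WG_NET"
  n=$(count_forward_rejects "$3")
  [ "$n" -eq 0 ] && echo "ok: forward chain has no reject/drop rule" \
    || echo "FAIL: $n reject/drop rule(s) in the forward chain"
}

diagnose "$IPFWD_SAMPLE" "$ROUTE_SAMPLE" "$NFT_SAMPLE"
```

With the constructed sample the last check fails, which is the situation the post describes: forwarding and routing are fine, but a reject rule in the forward chain answers with admin-prohibited.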

I wouldn’t recommend using port forwarding. Active Directory relies heavily on consistent IP addresses and name resolution for its members; you’d run into similar problems as with multi-homed servers.

A setup with two domain controllers bound to their respective LAN IPs might work, but it’s not supported, as we don’t yet support multi-site AD configurations.

If you’re aiming to add a second file server, this How-To shares some useful tricks, though keep in mind you’re entering unsupported territory:

As an alternative, as we’re developing a File Server AD member role, you can also wait for its release instead of using two DCs.

That is really amazing. But I still think a second DC is important so that authentication doesn’t break when you lose the connection to the main server. I am convinced that in my case it is a network-related problem, because from node 2 and network 2 I can reach any server and service. For a reason still unknown I can’t do the same from network 1, exactly as described above. When I identify the root cause of why I can’t access node 2 from network 1 (something is still blocking packets routed (passed through) on the node 1 server), this case will be solved. I disabled the firewall to test, but I am still getting filtered by the node 1 server. The worst part is that both servers apparently have the same parameters, so why does node 1 block and node 2 doesn’t? Devices on network 2 can use both servers (main DC and secondary DC), but from network 1 the secondary DC is still inaccessible… I am troubleshooting possibilities, but maybe I am forgetting something. It could even be a silly thing going unnoticed that mental fatigue doesn’t let you see.