I use a Raspberry Pi running Raspbian in my network as firewall / OpenLDAP / DNS / DHCP.
The problem is that the 3 clients have massive problems with the Internet.
Communication with the Raspberry Pi, however, works without problems.
It is probably not due to the firewall configuration.
I fear that dnsmasq and OpenLDAP are getting in each other's way.
But I am not sure.
Often communication with the Internet does work, but only with sites that have already been loaded before.
I therefore suspect that DNS is causing problems.
I would also like to share the contents of my config files with you:
Note also that the RPi has 2 interfaces: eth1 & eth0. eth0 goes to the internal network (192.168.88.0) and eth1 to the router's network (192.168.178.0).
On interface eth0 the Pi has the IP address 192.168.88.1.
The following configs are on the server (Raspberry Pi):
/etc/dnsmasq.conf
Code:
# Default DHCP interface
interface=eth0
#Block DHCP
no-dhcp-interface=eth1
#Bind stuff
bind-interfaces
#Alternative DNS Server
server=213.73.91.35
server=/localnet/213.73.91.35
# IP address range and lease time
dhcp-range=interface:eth0,192.168.88.20,192.168.88.40,infinite
/etc/ldap/ldap.conf
Code:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=moonbase,dc=richter
URI ldap://server.moonbase.richter
#ldap://moonbase.richter:389
ldap://192.168.88.1:389
#ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
/etc/resolv.conf
Code:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search Speedport_W_724V_Typ_A_05011603_00_009
Additionally, a netstat from the RPi:
netstat -tulpn
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 21093/slapd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 20819/dnsmasq
tcp 0 0 192.168.88.1:53 0.0.0.0:* LISTEN 20819/dnsmasq
tcp 0 0 169.254.205.229:53 0.0.0.0:* LISTEN 20819/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 488/sshd
tcp6 0 0 :::389 :::* LISTEN 21093/slapd
tcp6 0 0 :::80 :::* LISTEN 19876/apache2
tcp6 0 0 ::1:53 :::* LISTEN 20819/dnsmasq
tcp6 0 0 fe80::a39b:c8e0:a2e2:53 :::* LISTEN 20819/dnsmasq
tcp6 0 0 :::22 :::* LISTEN 488/sshd
udp 0 0 0.0.0.0:29543 0.0.0.0:* 1608/dhclient
udp 0 0 127.0.0.1:53 0.0.0.0:* 20819/dnsmasq
udp 0 0 192.168.88.1:53 0.0.0.0:* 20819/dnsmasq
udp 0 0 169.254.205.229:53 0.0.0.0:* 20819/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 20819/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 20103/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 1608/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 413/dhcpcd
udp 0 0 192.168.178.102:123 0.0.0.0:* 517/ntpd
udp 0 0 169.254.205.229:123 0.0.0.0:* 517/ntpd
udp 0 0 192.168.88.1:123 0.0.0.0:* 517/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 517/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 517/ntpd
udp 0 0 0.0.0.0:39214 0.0.0.0:* 20103/dhclient
udp6 0 0 :::7045 :::* 1608/dhclient
udp6 0 0 :::546 :::* 413/dhcpcd
udp6 0 0 ::1:53 :::* 20819/dnsmasq
udp6 0 0 fe80::a39b:c8e0:a2e2:53 :::* 20819/dnsmasq
udp6 0 0 fe80::a39b:c8e0:a2e:123 :::* 517/ntpd
udp6 0 0 2003:6f:8e7a:c807:9:123 :::* 517/ntpd
udp6 0 0 fe80::8aca:81a3:5ad:123 :::* 517/ntpd
udp6 0 0 ::1:123 :::* 517/ntpd
udp6 0 0 :::123 :::* 517/ntpd
udp6 0 0 :::36667 :::* 20103/dhclient
The following configs are on the client:
/etc/resolv.conf
Code:
# Generated by NetworkManager
nameserver 192.168.88.1
/etc/openldap/ldap.conf
Code:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
URI ldap://192.168.88.1
BASE dc=moonbase,dc=richter
/etc/nscd.conf
Code:
#
# An example Name Service Cache config file. This file is needed by nscd.
#
# Legal entries are:
#
# logfile <file>
# debug-level <level>
# threads <initial #threads to use>
# max-threads <maximum #threads to use>
# server-user <user to run server as instead of root>
# server-user is ignored if nscd is started with -S parameters
# stat-user <user who is allowed to request statistics>
# reload-count unlimited|<number>
# paranoia <yes|no>
# restart-interval <time in seconds>
#
# enable-cache <service> <yes|no>
# positive-time-to-live <service> <time in seconds>
# negative-time-to-live <service> <time in seconds>
# suggested-size <service> <prime number>
# check-files <service> <yes|no>
# persistent <service> <yes|no>
# shared <service> <yes|no>
# max-db-size <service> <number bytes>
# auto-propagate <service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts, services
#
# logfile /var/log/nscd.log
# threads 4
# max-threads 32
server-user nscd
# stat-user somebody
debug-level 0
# reload-count 5
paranoia no
# restart-interval 3600
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
enable-cache hosts yes
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
enable-cache services yes
positive-time-to-live services 28800
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes
max-db-size services 33554432
enable-cache netgroup yes
positive-time-to-live netgroup 28800
negative-time-to-live netgroup 20
suggested-size netgroup 211
check-files netgroup yes
persistent netgroup yes
shared netgroup yes
max-db-size netgroup 33554432
/etc/nslcd.conf
Code:
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The user and group nslcd should run as.
uid nslcd
gid ldap
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://192.168.88.1
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
base dc=moonbase,dc=richter
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group member msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group member posixMember
# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map passwd uid cn
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
#map passwd homeDirectory "/home/$cn"
#map passwd gecos displayName
#map passwd loginShell "/bin/bash"
#filter group (|(objectClass=group)(objectClass=person))
#map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group gidNumber gid
# This comment prevents repeated auto-migration of settings.
ssl no
tls_cacertdir /etc/openldap/certs
Many thanks in advance.
If I have forgotten an important conf, please tell me which one I can add.
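As an added diagnostic example (not code from the post above, nor from dnsmasq or OpenLDAP): a small Python script that parses the posted `netstat -tulpn` listing and dnsmasq.conf offline and reports which addresses dnsmasq answers DNS on, how many DHCP client processes share UDP port 68 on the Pi, which daemons are bound to all interfaces (and so are reachable from the router side eth1 unless the firewall blocks them), and the configured upstream servers. The sample text, the LAN address 192.168.88.1 and the netstat column layout are taken from the post; the function names and the report format are my own assumptions.

```python
"""Offline sanity checks over a `netstat -tulpn` listing and a dnsmasq.conf.

Added example, not code from the original post.  It parses the listing
rather than querying the network, so it runs anywhere and can be pointed
at a saved copy of the real output.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid program")

# Constructed sample: the relevant lines of the netstat listing from the post.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 21093/slapd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 20819/dnsmasq
tcp 0 0 192.168.88.1:53 0.0.0.0:* LISTEN 20819/dnsmasq
tcp 0 0 169.254.205.229:53 0.0.0.0:* LISTEN 20819/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 488/sshd
tcp6 0 0 :::389 :::* LISTEN 21093/slapd
tcp6 0 0 :::80 :::* LISTEN 19876/apache2
tcp6 0 0 ::1:53 :::* LISTEN 20819/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 20819/dnsmasq
udp 0 0 192.168.88.1:53 0.0.0.0:* 20819/dnsmasq
udp 0 0 169.254.205.229:53 0.0.0.0:* 20819/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 20819/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 20103/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 1608/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 413/dhcpcd
udp 0 0 192.168.178.102:123 0.0.0.0:* 517/ntpd
"""

# Constructed sample: the dnsmasq.conf from the post.
DNSMASQ_SAMPLE = """\
# Default DHCP interface
interface=eth0
no-dhcp-interface=eth1
bind-interfaces
server=213.73.91.35
server=/localnet/213.73.91.35
dhcp-range=interface:eth0,192.168.88.20,192.168.88.40,infinite
"""

WILDCARDS = {"0.0.0.0", "::"}


def parse_netstat(text):
    """Turn `netstat -tulpn` lines into Listener records.

    netstat prints `addr:port`; IPv6 addresses contain colons themselves,
    so the port is split off at the last colon.  Header lines and rows
    without a `PID/Program` column (shown as `-`) are skipped.
    """
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, port = f[3].rsplit(":", 1)
        m = re.match(r"(\d+)/(.+)", f[-1])  # last column on tcp and udp rows
        if not m:
            continue
        out.append(Listener(f[0], addr, int(port), int(m.group(1)), m.group(2)))
    return out


def parse_dnsmasq(text):
    """Map each dnsmasq option to the list of its values (flags get '')."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        opts.setdefault(key, []).append(val)
    return opts


def dns_listen_addrs(listeners):
    """Addresses on which dnsmasq answers DNS (port 53)."""
    return sorted({l.addr for l in listeners if l.program == "dnsmasq" and l.port == 53})


def unexpected_dns_addrs(listeners, expected):
    """dnsmasq DNS bindings beyond loopback and the intended LAN address.
    With bind-interfaces dnsmasq binds every address of the named interface,
    so a stray link-local 169.254.x.x address on eth0 shows up here."""
    return sorted(set(dns_listen_addrs(listeners)) - set(expected))


def dhcp_clients(listeners):
    """(pid, program) pairs holding UDP 68; more than one DHCP client
    process on a host means they compete for the interface address."""
    return sorted((l.pid, l.program) for l in listeners if l.proto == "udp" and l.port == 68)


def wildcard_listeners(listeners):
    """(port, program) pairs bound to 0.0.0.0 or ::, i.e. reachable on every
    interface, including the router-facing eth1, unless the firewall filters."""
    return sorted({(l.port, l.program) for l in listeners if l.addr in WILDCARDS})


def report(netstat_text, dnsmasq_text, lan_addr="192.168.88.1"):
    """Collect human-readable findings for the given listing and config."""
    ls, conf, findings = parse_netstat(netstat_text), parse_dnsmasq(dnsmasq_text), []
    if "bind-interfaces" in conf:
        extra = unexpected_dns_addrs(ls, {"127.0.0.1", "::1", lan_addr})
        if extra:
            findings.append("dnsmasq also serves DNS on: " + ", ".join(extra))
    clients = dhcp_clients(ls)
    if len(clients) > 1:
        findings.append("%d DHCP client processes on UDP 68: %s" % (len(clients), clients))
    findings.append("upstream servers: " + ", ".join(conf.get("server", [])))
    findings.append("bound on all interfaces: %s" % wildcard_listeners(ls))
    return findings


if __name__ == "__main__":
    for line in report(NETSTAT_SAMPLE, DNSMASQ_SAMPLE):
        print(line)
```

On the posted listing the script flags that dnsmasq also answers on the link-local address 169.254.205.229, that three DHCP client processes (two dhclient instances and dhcpcd) hold UDP 68 at the same time, and that slapd (389), sshd (22), the DHCP server (67) and apache2 (80) are bound to all addresses, so the iptables rules on eth1 are the only thing keeping them off the 192.168.178.0 network. It does not test whether the forwarder 213.73.91.35 is reachable from the Pi; that check, with `dig @192.168.88.1` for a name that has not been looked up before, is the next step on the live box.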