[Samba] Samba, workgroup and Windows Wins in different subnet

Romain Pélissier Romain.Pelissier at sqliaison.com
Tue Sep 20 14:25:02 GMT 2005


Thanks,
I am pretty sure that all is correct because the name resolution works.
If I ping a computer in the 192.x.x.x subnet by its name, it's working, so the Windows WINS server works the way it should, but what I can't understand is that the workgroup does not appear in My Network Places on the 205.x.x.x subnet ... I have seen that I can configure Samba to do a remote announce using a broadcast address instead of the address of the remote WINS server, but I really don't know what is best here (meaning having a WINS server on both segments and trying to make them aware of each other with the remote browse sync and remote announce settings, or just using the wins proxy option ....).

I don't have SWAT installed.
From what I see in the log of the firewall all seems to be correct, but I will put the config here.
Also, the log of Samba does not seem to complain about anything.

Here is the config of SuSEfirewall2; you can see that there are some basic rules (some for forwarding, others for port 80 redirection) and the only thing that I may have to change is whether broadcast packets should be logged or not:
-----------------------------------------------

FW_DEV_EXT="eth-id-00:11:43:cd:30:d1"
FW_DEV_INT="eth-id-00:11:43:cd:30:d2 eth-id-00:04:23:ac:5b:4b"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP="ipsec-nat-t isakmp"
FW_SERVICES_EXT_IP="esp"
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP="80"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="80 microsoft-ds netbios-dgm netbios-ns netbios-ssn"
FW_SERVICES_INT_UDP="netbios-ns"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS="0/0,tcp 0/0,udp"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD="205.205.247.0/24,0/0 0/0,205.205.247.0/24 192.168.254.0/24,0/0 0/0,192.168.254.0/24 192.168.252.0/24,0/0 0/0,192.168.252.0/24 192.168.251.0/24,0/0 0/0,192.168.251.0/24"
FW_FORWARD_MASQ=""
FW_REDIRECT="205.205.247.0/24,0/0,tcp,80,8080 205.205.247.0/24,0/0,udp,80,8080 192.168.251.0/24,0/0,tcp,80,8080 192.168.251.0/24,0/0,udp,80,8080"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"

##
# END of /etc/sysconfig/SuSEfirewall2
##

#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #

## Type:	yesno
## Default:	yes
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH=""

## Type:	string(yes,no)
#
# 22.)
# Allow IP Broadcasts?
#
# Whether the firewall allows broadcasts packets.
# Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
#
# If you want to drop broadcasts however ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specific ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
#           - "yes" or "no"
#           - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
#              to enter the machine but drop any other broadcasts
#           - "yes" do not install any extra drop rules for
#              broadcast packets. They'll be treated just as unicast
#              packets in this case.
#           - "no" drop all broadcast packets before other filtering
#              rules
#
# defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST_EXT=""

## Type:	string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_INT="netbios-ns"

## Type:	string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_DMZ=""

## Type:	string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
#           - "yes" or "no"
#           - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
#           - "yes" do not log dropped broadcast packets
#           - "no" log all dropped broadcast packets
#
#
# defaults to "no" if not set
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type:	string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_INT="no"

## Type:	string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_DMZ="no"

## Type:	yesno
## Default:	no
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need of setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""

## Type:	string
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type:	yesno
## Default:	no
#
# 26.)
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_REJECT=""

## Type:	string
#
# 27.)
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the German TDSL account provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like German TDSL set
# the following values:
# FW_HTB_TUNE_DEV="dsl0,125"
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well, practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# its own buffers because queuing is done by us now.
# So for a 256kbit upstream
#   FW_HTB_TUNE_DEV="dsl0,250"
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everything else is special fine tuning.
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start
#
FW_HTB_TUNE_DEV=""

## Type:	list(no,drop,reject)
## Default:	drop
#
# 28.)
# What to do with IPv6 Packets?
#
# On older kernels ip6tables was not stateful so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
# 
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
#   traffic unless you setup your own rules.
#
# - drop: drop all IPv6 packets. This is the default if stateful matching is
#   not available.
#
# - reject: reject all IPv6 packets
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether your kernel supports stateful matching.
#
FW_IPv6=""

## Type:	yesno
## Default:	yes
#
# 28a.)
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
# does only make sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
#
FW_IPv6_REJECT_OUTGOING=""

## Type:	list(yes,no,int,ext,dmz)
## Default:	no
#
# 29.)
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available through an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitly allow IPsec traffic.
# Example:
#   FW_IPSEC_TRUST="int"
#   FW_SERVICES_EXT_IP="esp"
#   FW_SERVICES_EXT_UDP="isakmp"
#   FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
#
FW_IPSEC_TRUST="no"

## Type:	string
## Default:	
#
# 30.)
# Define additional firewall zones
#
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ascii characters.
# To define rules for the additional zone, take the appropriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
#   FW_ZONES="wlan"
#
FW_ZONES=""

Romain Pélissier
System Administrator
T 514.333.6600 # 126
F 514.333.1080
Romain.Pelissier at sqliaison.com
http://www.sqliaison.com/






Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s) or Entity, are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
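An added example, not the poster's nor the SuSEfirewall2 project's code: a small Python checker that applies the FW_SERVICES_*_UDP and FW_ALLOW_FW_BROADCAST_* semantics documented in the pasted file to the INT-zone values posted above, and reports which NetBIOS services the zone admits as unicast and as broadcast. The port-to-service mapping and the sample sysconfig text are assumptions constructed from the page.

```python
# Added example: audit which NetBIOS/SMB services a SuSEfirewall2 sysconfig
# admits per zone, as unicast and (UDP only) as broadcast.
import re

# Service names as SuSEfirewall2 resolves them via /etc/services, mapped
# to the protocol NetBIOS actually uses for each -> (port, proto). Assumed.
SERVICES = {
    "netbios-ns": (137, "udp"),    # name registration/queries, WINS
    "netbios-dgm": (138, "udp"),   # browser host announcements (mailslot datagrams)
    "netbios-ssn": (139, "tcp"),   # SMB over NetBIOS session service
    "microsoft-ds": (445, "tcp"),  # direct-hosted SMB
}

# Constructed sample: the INT-zone values posted in the thread, nothing else.
SAMPLE_SYSCONFIG = '''
FW_SERVICES_INT_TCP="80 microsoft-ds netbios-dgm netbios-ns netbios-ssn"
FW_SERVICES_INT_UDP="netbios-ns"
FW_ALLOW_FW_BROADCAST_INT="netbios-ns"
'''

def parse_sysconfig(text):
    """Collect KEY="value" assignments; comment and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z_][A-Za-z0-9_]*)="(.*)"\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def ports_in(value, proto):
    """Expand a space-separated list of port numbers and service names."""
    ports = set()
    for entry in value.split():
        if entry.isdigit():
            ports.add(int(entry))
        elif entry in SERVICES and SERVICES[entry][1] == proto:
            ports.add(SERVICES[entry][0])   # names count only in their own protocol's list
    return ports

def broadcast_allowed(conf, zone, port):
    """FW_ALLOW_FW_BROADCAST_<zone>: ""/"no" drops all, "yes" allows all, else a UDP port list."""
    value = conf.get(f"FW_ALLOW_FW_BROADCAST_{zone}", "").strip()
    if value in ("", "no"):
        return False
    return value == "yes" or port in ports_in(value, "udp")

def audit_zone(conf, zone):
    """Per service: is unicast admitted, and for UDP also whether broadcast is admitted."""
    report = {}
    for name, (port, proto) in SERVICES.items():
        unicast = port in ports_in(conf.get(f"FW_SERVICES_{zone}_{proto.upper()}", ""), proto)
        bcast = broadcast_allowed(conf, zone, port) if proto == "udp" else None
        report[name] = {"unicast": unicast, "broadcast": bcast}
    return report

def dropped_udp(conf, zone):
    """UDP NetBIOS services the zone still drops, as unicast, broadcast or both."""
    return sorted(n for n, r in audit_zone(conf, zone).items()
                  if r["broadcast"] is not None and not (r["unicast"] and r["broadcast"]))
```

Running `dropped_udp(parse_sysconfig(SAMPLE_SYSCONFIG), "INT")` on the posted values lists netbios-dgm (138/udp), which appears only in the TCP list and in neither the UDP nor the broadcast list.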

 


From: samba-bounces+romain.pelissier=sqliaison.com at lists.samba.org On Behalf Of Henrik Zagerholm
Sent: 20 September 2005 10:09
To: samba at lists.samba.org
Subject: Re: [Samba] Samba, workgroup and Windows Wins in different subnet


Just make sure that ports 137 - 139 are open and look at your logs to  
see if something is caught in the ip filter :D

Using SWAT you can see all details concerning smb.conf, so point your
browser to //adressofsambaserver:901 and it should show up. =)

You can then post that info here.


//H

On 20 Sep 2005 at 15:54, Romain Pélissier wrote:

> I am pretty sure that it can broadcast, the firewall rules should
> allow that because we have for the moment only some basic rules on
> the firewall.
> If you want I can post the copy of the firewall config (from SUSE
> 9.3 pro).
> Let me know if it can help
>
> From: samba-bounces+romain.pelissier=sqliaison.com at lists.samba.org On Behalf Of Henrik Zagerholm
> Sent: 20 September 2005 09:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba, workgroup and Windows Wins in different subnet
>
>
> Are you sure that the workgroup can broadcast through the router?
> Just want to make sure it is not a network error.
>
> //H
> On 20 Sep 2005 at 15:11, Romain Pélissier wrote:
>
>
>> Hi,
>> I hope that someone could help me because I am a real newbie in
>> Samba and have tons of questions about this app.
>>
>> My first question is: how does Samba work when it acts as a WINS client
>> (not server)?
>>
>> I have 2 subnets in my company; 205.205.247.0 is a Windows
>> segment with WINS.
>> The second one is 192.168.251.0 for the training classroom.
>> The gateway where Samba is installed is used both as a proxy
>> server, central point of accessing the net, and DHCP server for the
>> training segment.
>> Looks like this:
>>
>> 205.205.247.0 (Windows with Active Directory domain) ----------------
>>                              |
>>                       Gateway (squid) --------> Internet
>>                              |
>>                       DHCP, Samba
>>                              |
>> 192.168.251.0 (workgroup training) -----------------------------------
>>
>> I have tried to configure Samba so it can work with the Windows
>> WINS server on the 205.205.247.0 segment and it seems to work. All
>> clients in the 192.x.x.x segment have the Windows WINS server
>> registered, and when I look at the records in the WINS server, the
>> PCs from the training network appear with their workgroup (I can
>> see the records), but for an unknown reason I can't see the
>> workgroup training in my Windows domain.
>> I will put my configuration here, hoping that someone can give me
>> the best practice to make my Windows domain, Windows WINS and Samba
>> work well together.
>>
>> ----------------------
>>
>> [global]
>>     protocol = NT1
>>     browse list = Yes
>>     wins server = 205.205.247.3
>>     domain master = No
>>     interfaces = 192.168.251.1/255.255.255.0
>>     ;wins proxy = Yes
>>     allow hosts = 192.168.251.0/255.255.255.0 205.205.247.0/255.255.255.0
>>     netbios name = proxy-srv
>>     netbios aliases = proxy-srv
>>     server string = Samba Server
>>     invalid users = root
>>     default = global
>>     remote announce = 205.205.247.3
>>     workgroup = TRAINING
>>     debug level = 2
>>     ;os level = 20
>>     os level = 20
>>     announce as = NT
>>     bind interfaces only = Yes
>>     enhanced browsing = yes
>>     remote browse sync = 205.205.247.3
>>     local master = no
>>     preferred master = no

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

