[Samba] Samba3 on multiple networks, how to make it hand out the correct IP?

Harry Jede walk2sun at arcor.de
Wed Sep 24 04:56:26 MDT 2014


On 11:34:25 wrote Bram Matthys:
> Hi,
> 
> First, I see my subject says Samba3, this has to be Samba4.
Yes, but what I posted is a solution for the client side. So it does not
matter what server version or what server type (samba, ftp, ...) you 
use.
 
> L.P.H. van Belle wrote, on 24-9-2014 8:31:
> > I suggest you setup advanced routing with routing tables.
> > google a bit for it and start with reading..  [..]
> 
> Thanks Louis for your reply. I'm sorry if my question caused any
> confusion. My problem isn't on the routing side, but on the DNS side
> of things.
> 
> I think your suggestion is to make both networks reachable from
> either end. That is not what I want, the clients on network A
> shouldn't and cannot reach the clients&server on network B (and vice
> versa) as a matter of policy.
> 
> This should be no problem as long as Samba hands out the "correct"
> DNS record: Samba replies to a query for dc1.company.net with two A
> records, one of which is in the clients network, and one of which is
> not. I want Samba to only reply with one A record: the one that is
> within the clients' network.
If I understand your setup, you have one samba AD machine and a dual 
homed samba3 fileserver.

> I guess in BIND terms you would call this two "views", but IMO Samba
> should be able to figure this out without such complexity.
Views are not complex, but samba4 uses the "bind dlz" driver. And as far
as I know, this driver does not support views.


Andrew Bartlett has written this driver.

> Now, as for Harry's suggestion...
> 
> Harry Jede wrote, on 24-9-2014 10:05:
> >> My Samba 4.1.x server is connected to two networks, one in the
> >> 192.168.* range (wired) and one in the 10.* range (wifi). The
> >> clients on either network normally cannot reach each other.
> >> I noticed Samba hands out (e.g. for dcname.company.net) its IPs
> >> from both ranges to clients on both sides. So the 192.168.*
> >> clients get two A records: 192.168.1.1 & 10.0.0.2.
> >> 
> >> I noticed that, because of this current behavior, domain logins
> >> (well, time between login & until the user sees a desktop) have an
> >> extra delay of more than 60 seconds because the client tries to
> >> connect to the wrong IP. Eventually it works, but the penalty is
> >> huge.
> >> 
> >> 
> >> Given that Samba knows which network the client is on I would have
> >> expected it to actually be a little bit smarter with regards to
> >> that.
> >> 
> >> 
> >> Anyway, I'd like to see this changed so that any clients on
> >> 192.168.* only get the 192.168.1.1 address, and the clients on
> >> 10.* only get 10.0.0.2.
> >> 
> >> How can I do this?
> > 
> > I don't know how to do this on the dns server, but you may do it on
> > the clients:
> Ok. Not really what I want in the end, but it would help as a
> temporary quick fix :)
> 
> > i.e. modify your dns resolver settings
> > a working setup on my home networks:
> > 
> > ## client PC
> > # cat /etc/resolv.conf
> > domain home.lan
> > nameserver 192.168.231.254
> > search home.lan ad.schule.lan
> > sortlist 192.168.231.0/255.255.255.0
> > 
> > Important is the sortlist statement. It points to the client's local
> > network.
> > 
> > The Samba/DNS Server has 4 addresses. The nameserver 192.168.231.254
> > is a slave bind server for my ad domain.
> > 
> > ## client PC
> > # host dc0
> > dc0.ad.schule.lan has address 192.168.200.254
> > dc0.ad.schule.lan has address 192.168.230.228
> > dc0.ad.schule.lan has address 192.168.231.228
> > dc0.ad.schule.lan has address 192.168.232.228
> > 
> > # ping -c1 dc0
> > PING dc0.ad.schule.lan (192.168.231.228) 56(84) bytes of data.
> > 64 bytes from 192.168.231.228: icmp_req=1 ttl=64 time=0.491 ms
> > 
> > Network clients like ping always use the local name server
> > address.
> 
> I see. Interesting feature.
> It would work, except, and sorry for not mentioning this in the first
> place.. blunt oversight: all my clients are on Windows 7.
> From what I can see (quick search) Windows 7 doesn't seem to provide
> that functionality.
Yes, you are right. One way could be to add your server to the local 
hosts file. Not a good solution, but a working one.

> 
> Regards,
> 
> Bram.


-- 

Gruss
	Harry Jede
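
The reordering that the `sortlist` line in the message above requests from the resolver, modelled as an added example (not code from the post, Samba or glibc): answers inside a listed network move to the front and the rest keep the server's order. The function names are hypothetical; the sample data is copied from the resolv.conf and `host dc0` output quoted in the message.

```python
import ipaddress

# Sample input copied from the message: client resolv.conf and the A records for dc0.
RESOLV_CONF = """\
domain home.lan
nameserver 192.168.231.254
search home.lan ad.schule.lan
sortlist 192.168.231.0/255.255.255.0
"""
A_RECORDS = ["192.168.200.254", "192.168.230.228",
             "192.168.231.228", "192.168.232.228"]


def natural_prefix(addr):
    """Classful default prefix, used when a sortlist entry carries no netmask."""
    first = int(addr.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def parse_sortlist(conf_text):
    """Return the networks named on 'sortlist' lines, in listed order."""
    nets = []
    for line in conf_text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "sortlist":
            continue
        for pair in fields[1:]:
            addr, _, mask = pair.partition("/")
            mask = mask or str(natural_prefix(addr))
            # strict=False tolerates host bits set in the address part
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def apply_sortlist(addresses, nets):
    """Stable sort: an address matching an earlier sortlist entry ranks first."""
    def rank(a):
        ip = ipaddress.ip_address(a)
        for i, net in enumerate(nets):
            if ip in net:
                return i
        return len(nets)  # no match: stays behind all matches, order unchanged
    return sorted(addresses, key=rank)


if __name__ == "__main__":
    print(apply_sortlist(A_RECORDS, parse_sortlist(RESOLV_CONF)))
```

The first element of the result is the address `ping` picked in the message; with an empty sortlist the answer order is left as the server sent it.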

