[Samba] Samba3 on multiple networks, how to make it hand out the correct IP?

L.P.H. van Belle belle at bazuin.nl
Wed Sep 24 06:14:57 MDT 2014


use advanced routing with some firewall rules. 

like 
allow in on eth0 from 192.168.200.0/24 to 192.168.200.254 
allow in on eth0 from 192.168.230.0/24 to 192.168.230.228 

add the rules for advanced routing.
# policy routing: traffic from or to each network is looked up in its own table
# (the table names must be defined in /etc/iproute2/rt_tables)
ip rule add from 192.168.200.0/24 table UseSchule1
ip rule add to 192.168.200.0/24 table UseSchule1
ip rule add from 192.168.230.0/24 table UseSchule2
ip rule add to 192.168.230.0/24 table UseSchule2

# each table uses the server address that belongs to that network as source
ip route add 192.168.200.0/24 dev eth0 src 192.168.200.254 table UseSchule1
ip route add 192.168.230.0/24 dev eth0 src 192.168.230.228 table UseSchule2

etc etc 

should work.. 

if you have multiple interfaces, then you can also disable routing over the interfaces.

Greetz, 

Louis


>-----Original message-----
>From: walk2sun at arcor.de [mailto:samba-bounces at lists.samba.org] 
>On behalf of Harry Jede
>Sent: Wednesday, 24 September 2014 12:56
>To: samba at lists.samba.org
>CC: Bram Matthys
>Subject: Re: [Samba] Samba3 on multiple networks, how to make it hand out the correct IP?
>
>At 11:34:25 Bram Matthys wrote:
>> Hi,
>> 
>> First, I see my subject says Samba3, this has to be Samba4.
>Yes, but what I posted is a solution for the client side. So it does not
>matter what server version or what server type (samba, ftp, ...) you use.
> 
>> L.P.H. van Belle wrote, on 24-9-2014 8:31:
>> > I suggest you setup advanced routing with routing tables.
>> > google a bit for it and start with reading..  [..]
>> 
>> Thanks Louis for your reply. I'm sorry if my question caused any
>> confusion. My problem isn't on the routing side, but on the DNS side
>> of things.
>> 
>> I think your suggestion is to make both networks reachable from
>> either end. That is not what I want, the clients on network A
>> shouldn't and cannot reach the clients&server on network B (and vice
>> versa) as a matter of policy.
>> 
>> This should be no problem as long as Samba hands out the "correct"
>> DNS record: Samba replies to a query for dc1.company.net with two A
>> records, one of which is in the clients network, and one of which is
>> not. I want Samba to only reply with one A record: the one that is
>> within the clients' network.
>If I understand your setup, you have one samba AD machine and a dual 
>homed samba3 fileserver.
>
>> I guess in BIND terms you would call this two "views", but IMO Samba
>> should be able to figure this out without such complexity.
>Views are not complex, but samba4 uses the "bind dlz" driver. And as far
>as I know, this driver does not support views.
>
>
>Andrew Bartlett has written this driver.
>
>> Now, as for Harry's suggestion...
>> 
>> Harry Jede wrote, on 24-9-2014 10:05:
>> >> My Samba 4.1.x server is connected to two networks, one in the
>> >> 192.168.* range (wired) and one in the 10.* range (wifi). The
>> >> clients on either network normally cannot reach each other.
>> >> I noticed Samba hands out (eg: for dcname.company.net) its IPs
>> >> from both ranges to clients on both sides. So the 192.168.*
>> >> clients get two A records: 192.168.1.1 & 10.0.0.2.
>> >> 
>> >> I noticed that, because of this current behavior, domain logins
>> >> (well, time between login & until the user sees a desktop) have an
>> >> extra delay of more than 60 seconds because the client tries to
>> >> connect to the wrong IP. Eventually it works, but the penalty is
>> >> huge.
>> >> 
>> >> 
>> >> Given that Samba knows which network the client is on I would have
>> >> expected it to actually be a little bit smarter with regards to
>> >> that.
>> >> 
>> >> 
>> >> Anyway, I'd like to see this changed so that any clients on
>> >> 192.168.* only get the 192.168.1.1 address, and the clients on
>> >> 10.* only get 10.0.0.2.
>> >> 
>> >> How can I do this?
>> > 
>> > I don't know how to do this on the dns server, but you may do it on
>> > the clients:
>> Ok. Not really what I want in the end, but it would help as a
>> temporary quick fix :)
>> 
>> > i.e. modify your dns resolver settings
>> > a working setup on my home networks:
>> > 
>> > ## client PC
>> > # cat /etc/resolv.conf
>> > domain home.lan
>> > nameserver 192.168.231.254
>> > search home.lan ad.schule.lan
>> > sortlist 192.168.231.0/255.255.255.0
>> > 
>> > Important is the sortlist statement. It points to the client's local
>> > network.
>> > 
>> > The Samba/DNS Server has 4 addresses. The nameserver 192.168.231.254
>> > is a slave bind server for my ad domain.
>> > 
>> > ## client PC
>> > # host dc0
>> > dc0.ad.schule.lan has address 192.168.200.254
>> > dc0.ad.schule.lan has address 192.168.230.228
>> > dc0.ad.schule.lan has address 192.168.231.228
>> > dc0.ad.schule.lan has address 192.168.232.228
>> > 
>> > # ping -c1 dc0
>> > PING dc0.ad.schule.lan (192.168.231.228) 56(84) bytes of data.
>> > 64 bytes from 192.168.231.228: icmp_req=1 ttl=64 time=0.491 ms
>> > 
>> > Network clients like ping always use the local name server
>> > address.
>> 
>> I see. Interesting feature.
>> It would work, except, and sorry for not mentioning this in the first
>> place.. blunt oversight: all my clients are on Windows 7.
>> From what I can see (quick search) Windows 7 doesn't seem to provide
>> that functionality.
>Yes, you are right. One way could be to add your server to the local 
>hosts file. Not a good solution, but a working one.
>
>> 
>> Regards,
>> 
>> Bram.
>
>
>-- 
>
>Regards
>	Harry Jede
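As an added illustration (not code from the thread's authors or from Samba), the Python below emulates the resolv.conf sortlist ordering Harry describes and lists which of dc0's A records are off-net for a client on a given network; the four addresses are taken from the host dc0 output above, and the classful default mask for entries without a netmask follows glibc's documented behaviour.

```python
"""Emulate resolv.conf 'sortlist' ordering for a multi-homed DC's A records.

Added illustration; sample data is constructed from the thread's host output.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample: the four A records returned for dc0.ad.schule.lan
DC0_ANSWERS = ["192.168.200.254", "192.168.230.228",
               "192.168.231.228", "192.168.232.228"]


def _natural_prefix(addr: str) -> int:
    """Classful mask glibc applies when a sortlist entry has no netmask."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def parse_sortlist(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse sortlist items written as addr, addr/dotted-mask or addr/prefix."""
    nets = []
    for item in entries:
        addr, _, mask = item.partition("/")
        spec = f"{addr}/{mask or _natural_prefix(addr)}"
        nets.append(ipaddress.ip_network(spec, strict=False))
    return nets


def sort_answers(answers: List[str], sortlist: Iterable[str]) -> List[str]:
    """Stable sort: answers inside an earlier sortlist entry come first."""
    nets = parse_sortlist(sortlist)

    def rank(answer: str) -> int:
        ip = ipaddress.ip_address(answer)
        for index, net in enumerate(nets):
            if ip in net:
                return index
        return len(nets)  # unmatched answers keep the resolver's order

    return sorted(answers, key=rank)


def off_net_answers(answers: List[str], client_net: str) -> List[str]:
    """A records a client in client_net may try first but cannot reach."""
    net = ipaddress.ip_network(client_net, strict=False)
    return [a for a in answers if ipaddress.ip_address(a) not in net]
```

The off-net list is what causes the logon delay Bram describes: a client that picks one of those addresses first must time out before it retries the reachable one.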


