Using remote announce w/ security=domain

Andrew Perrin - Demography aperrin at demog.Berkeley.EDU
Wed Apr 14 22:09:17 GMT 1999

So, let me see if I understand the upshot here: what we're hoping to do on
campus is (at least for now) not possible: that is, to plop samba servers
in 'foreign' subnets where we are unable to control the configuration of
the Win9x machines (except to guarantee that they have NetBIOS and TCP/IP)
and have users on those machines be able to view our server's shares and
grab stuff off of them.

1.) Am I wrong that this is not possible?

2.) Does anyone have a suggestion for approximating this result?


Andrew J. Perrin - aperrin at - NT/Unix Admin/Support
Department of Demography    -    University of California at Berkeley
2232 Piedmont Avenue #2120  -    Berkeley, California, 94720-2120 USA --------------------------SEIU1199

On Thu, 15 Apr 1999, Luke Kenneth Casson Leighton wrote:

> On Wed, 14 Apr 1999, Dave J. Andruczyk wrote:
> > > this is the correct solution.  use of remote announce not recommended
> > > (only heard of one situation on a LAN where it really had to be used).
> > > 
> > > > > we'd really like to be able to set a remote browse master in various
> > > > > buildings around campus and thereby have Win9X machines running on their
> > > > > subnets see our domain. Is there any way to do this?
> > > > 
> > > > In EACH subnet should be a WINS server.
> > > 
> > > why??
> > 
> > Oops, I stand corrected.  Was thinking in NT terms, as theire can be a
> > "secondary WINS" server (similar to a BDC for load sharing).  All machines
> > no matter what the subnet thought should have their  TCP/IP settings
> > changed to point to the WINS server that DOES exist.
> think of it this way.  adding an extra DNS server does nothing for your
> network neighbourhood, therefore why would adding an extra WINS server do
> anything?
> > The browse masters on each subnet that DOES NOT have a wins server should
> > have a line saying "wins server = WINS_NETBIOS_NAME" where you replace
> > WINS_NETBIOS_NAME with the netbios name of the WINS server (NT or samba).
> partially correct.
> think of the NN as a totally, utterly independent service from "name
> resolution", because it is.  name resolution HAPPENS, in most
> environments, to be NetBIOS (including WINS).
> think of WINS as a dynamic form of DNS.
> being a Domain Master Browser, which is responsible for collating browse
> lists from Local Master Browsers, has nothing to do with resolution of the
> names that are IN the browse lists.
> this is why so many mis-configured sites run into problems.  you need:
> - a CENTRALISED system to resolve names in the browse lists.  this is
> USUALLY a single WINS server in a samba environment or USUALLY a group of
> replicating WINS servers in an nt environment.
> if your samba environment HAPPENS to have identical NetBIOS names as DNS
> names then you can enable "dns proxy = yes" and have multiple samba WINS
> servers.  you will also need to add, in this case, static DOMAIN<1b>
> entries to the one samba WINS server that is NOT used by the DMBs on your
> network.  ignore this paragraph if you're not sure what i mean.
> - every client to use the SAME centralised name resolution system.  that
> means, non-local-master-browsers, LMBs on each and every subnet AND your
> DMB.
> - your DMB can HAPPEN to be running on the same host (or in the case of
> samba, in the same nmbd process) but even the DMB part of that nmbd
> process needs to use ITSELF as the WINS server just like every other
> browsing client.
> one other point: in order to minimise the amount of lookups it's best to
> specify ip address in wins server = not the netbios name.  you end up with
> catch 22 otherwise.
> > That way the browse masters will send their lists to the wins server.
> definitely not.  

More information about the samba-ntdom mailing list