"multiple response" errors in log.nmb (fwd)

Axel Thimm Axel.Thimm at physik.fu-berlin.de
Sat Jun 9 14:42:49 GMT 2001


Hi Chris,

On Fri, May 25, 2001 at 03:40:39PM -0500, Christopher R. Hertel wrote:
> > The setup is a Samba (2.2.x cvs) controlled domain with a lot of Samba and
> > Windows clients. I think what happens is the following: Some Windows
> > clients broadcast elections on IPX or NetBEUI and as they are the only
> > ones (the Samba boxes only radiate on TCP/IP) they think they have
> > won. I'd call this a Master-Domain-Browser-Hijacking. When a client asks
> > for the domain master browser both answer. The second reply is then logged
> > as a warning.
> 
> Good thinking.  Yes, this is a possibility.
> 
> > It would be nice, if the Samba team could extend this warning to include
> > also the *first* response, which is the one from the guilty IPX/NetBEUI
> > Windows box (mostly Windows 95 variants which included IPX by default, or
> > paranoic sysadmins that install all protocols ("the most I have the
> > better ..."))
> 
> Remind me in two weeks and I will have debug print a list of IPs if 
> possible.  I'm packing for a trip right now...

Reminding ;=)
Thanks in advance!

> > I have been spending days with ethereal and tcpdump to find those damned
> > IPX machines in our nets and I still have 5-10 here :(
> 
> It would be really nice to have a tool that did NetBEUI and IPX adapter 
> status queries.  That would be a great diagnostic tool.

Ethereal is doing quite some good job in identifying the caught ethernet
packets. Unfortunately one can only get the MAC from an IPX packet. In order
to associate this with the location of the IPX box, one has either to seek
across switches for the port connection of this MAC (horrible), or to create a
persistent `arp cache' with for instance arpwatch. I am then using the
MAC-IP[-FQDN] tables from arpwatch, converting them to a sed script and
running this over a tcpdump/ethereal output to replace MACs with something I
can track down.

This is a big headache. As those IPX machines are some old Win95 boxes turned
on irregularly, one has to rescan the net very frequently to spot them.

It would be great, if instead nmbd would dump all responding master domain
browsers including the first one (I guess it is already dumping all besides
the first one, which is assumed to be the right one).

> > All of the above modulo my guessing. Christopher R. Hertel is the NetBIOS
> > expert, so if he deems my findings, be sure, he is right. ;)
> 
> Actually, I think your diagnosis is much better than mine.  Good thinking!
> 
> A sniffer trace would show for sure...
-- 
Axel.Thimm at physik.fu-berlin.de
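
The MAC-to-name substitution described in the message above, as an added example that is not part of the original post and not the author's own script. It assumes arpwatch's `arp.dat` is tab-separated (MAC, IP, timestamp, optional hostname) with MAC octets written without leading zeros, and that the capture text uses lowercase zero-padded MACs as `tcpdump -e` prints them; the function names and all sample data are constructed.

```shell
#!/bin/sh
# Added example. Assumed arp.dat layout (tab-separated): MAC, IP, epoch, optional
# hostname, with MAC octets written without leading zeros (e.g. 0:a0:c9:1:2:3).

# build_sed_script ARP_DAT: emit one "s/MAC/IP[host]/g" line per known MAC,
# zero-padded and lowercased to match tcpdump -e output.
build_sed_script() {
    awk -F'\t' '
    NF >= 2 {
        if (split(tolower($1), o, ":") != 6) next
        mac = ""
        for (i = 1; i <= 6; i++) {
            if (length(o[i]) == 1) o[i] = "0" o[i]
            mac = (i == 1) ? o[i] : mac ":" o[i]
        }
        label = $2
        if (NF >= 4 && $4 != "") label = label "[" $4 "]"
        map[mac] = label            # a later sighting overrides an earlier one
    }
    END { for (m in map) printf "s/%s/%s/g\n", m, map[m] }' "$1"
}

# annotate_macs ARP_DAT: filter stdin, replacing every known MAC with its label.
# MACs absent from the table pass through unchanged and stand out for follow-up.
annotate_macs() {
    script=$(mktemp) || return 1
    build_sed_script "$1" > "$script"
    sed -f "$script"
    rm -f "$script"
}

# demo: run the filter over constructed arp.dat entries and constructed,
# simplified tcpdump -e lines (documentation addresses, made-up MACs).
demo() {
    dir=$(mktemp -d) || return 1
    printf '0:a0:c9:1:2:3\t192.0.2.17\t991234567\twin95-lab4\n' >  "$dir/arp.dat"
    printf '0:10:4b:aa:bb:c\t192.0.2.23\t991234600\n'            >> "$dir/arp.dat"
    printf '%s\n' \
        '14:02:11.12 00:a0:c9:01:02:03 > ff:ff:ff:ff:ff:ff, ethertype IPX (0x8137), length 64' \
        '14:02:11.30 00:10:4b:aa:bb:0c > ff:ff:ff:ff:ff:ff, ethertype IPX (0x8137), length 64' \
        '14:02:12.05 00:60:97:de:ad:01 > ff:ff:ff:ff:ff:ff, ethertype IPX (0x8137), length 64' |
        annotate_macs "$dir/arp.dat"
    rm -rf "$dir"
}

demo
```

The third sample line keeps its raw MAC because that address is not in the table, which is the case that still needs tracing to a switch port.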



