Patch for samba 3.3.9 to resolve AD name requests from other subnets

John Wehle john at feith.com
Thu Dec 3 15:09:55 MST 2009


Consider:

  router
  192.168.1.1 ------------------- clients + AD server
  192.168.2.1 -----
                  |
                  |-------------- clients

We'd like clients on the .2 subnet to be able to log on to the domain.

Currently when a client on the .2 subnet attempts to join the domain
it broadcasts a name query for ADDOMAIN#1c which goes unanswered.

One solution is probably to configure everything to use WINS.

Another somewhat more transparent solution is to run nmbd on the .2 subnet
with the following configuration:

lib/smb.conf:
  [global]
    bind interfaces only = true
    hosts allow = 192.168.2.0/24
    interfaces = 192.168.2.2
    workgroup = ADDOMAIN
    domain master = no
    local master = no
    preferred master = no
    wins support = yes
    wins proxy = yes

lib/lmhosts:
    192.168.1.2    ADDOMAIN#1c

The enclosed patch is required because normally nmbd will not search for
answers that refer to a different subnet.

Changes:

  1) If the name isn't present on the same subnet, then try all subnets.

  2) Respond to broadcast queries for a Primary Domain Controller name.

     Interestingly enough the code already had a comment claiming that
     this was handled, however the existing code referred to type 0x1b.
     The Microsoft documentation says:

     1b  master browser name
     1c  domain controller name

-- John Wehle
------------------8<------------------------8<------------------------
--- source/nmbd/nmbd_incomingrequests.c.ORIGINAL	2009-10-12 07:11:53.000000000 -0400
+++ source/nmbd/nmbd_incomingrequests.c	2009-12-02 18:34:50.000000000 -0500
@@ -458,8 +458,11 @@ void process_name_query_request(struct s
 
 	if(subrec == remote_broadcast_subnet)
 		namerec = find_name_for_remote_broadcast_subnet( question, FIND_ANY_NAME);
-	else
+	else {
 		namerec = find_name_on_subnet(subrec, question, FIND_ANY_NAME);
+		if (! namerec)
+			namerec = find_name_for_remote_broadcast_subnet( question, FIND_ANY_NAME);
+	}
 
 	/* Check if it is a name that expired */
 	if (namerec && 
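Review bot: the fallback added in the else branch calls find_name_for_remote_broadcast_subnet() on every miss from find_name_on_subnet(), for any queried name and with no configuration gate, so a query arriving on a local subnet can now be answered from records that do not belong to that subnet. Consider restricting the fallback to the case the mail describes (for example only for the 0x1c domain controller name, or only when wins proxy is enabled) and adding a comment that says why the lookup is widened. Style: the surrounding code writes if(subrec == ...) while the new line writes if (! namerec); pick one spacing convention.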
@@ -480,6 +483,7 @@ void process_name_query_request(struct s
 		
 		if (!bcast || 
 		    (bcast && ((name_type == 0x1b) ||
+			       (name_type == 0x1c) ||
 			       (namerec->data.source == SELF_NAME) ||
 			       (namerec->data.source == PERMANENT_NAME) ||
 			       ((namerec->data.source == WINS_PROXY_NAME) &&
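Review bot: the added (name_type == 0x1c) test sits next to the 0x1b test and ahead of the namerec->data.source checks, so a broadcast query for a 0x1c name is answered whatever the source of the record is. Combined with the cross-subnet fallback in the first hunk, nmbd will reply to broadcasts with a domain controller address from any record it holds; consider requiring a trusted source for 0x1c, as the SELF_NAME and PERMANENT_NAME lines below do, instead of exempting the type outright. The mail notes that the existing comment claims this case was handled while the code tested 0x1b, so the comment should be updated in the same patch and should say whether the 0x1b test is meant to stay.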
-------------------------------------------------------------------------
|   Feith Systems  |   Voice: 1-215-646-8000  |  Email: john at feith.com  |
|    John Wehle    |     Fax: 1-215-540-5495  |                         |
-------------------------------------------------------------------------


