[Samba] Re: Access Samba Servers from the Internet?

John H Terpstra jht at samba.org
Fri Dec 13 17:20:01 GMT 2002

On Fri, 13 Dec 2002, Jean-Paul ARGUDO wrote:

> > nmbd can be master browser only on network that is on your network machine
> > eth.
> Thanks for your answer.
> If I understand you well, MASTER is only PDC for 192.168.0 because of
> eth0 configuration. Here it is:

Master browsers are 'elected' (determined) over UDP broadcast. The
semantics of that are covered in the Entire-HOWTO-collection that is
present on the home page of SWAT, see section 2.4.

Any SMB/CIFS (MS Windows Networking) machine can become the master browser
for the subnet it is on. It will never become the master browser for a
remote subnet. The protocol was not designed to allow it to be.

PS: "Master Browser" does not mean the same as "Domain Controller" at

The master browser simply is the machine that has the master list of
machines that are visible on the local network segment. If you want to
find a list of machines on a remote network segment, then you need to ask
the remote "master browser" for that segment. That gets very difficult,
unless you use WINS.

If you use a single WINS server (either using Samba or MS Windows NT4/2K
Server) and you configure every client so it uses that WINS server, then
all clients will register with the WINS server. Each local master browser
will also register the fact that it is master browser with that WINS
server and it will keep its local browse list synchronised with the
domain master browser's list. The domain master browser will synchronise
its full list with all local master browsers - and the result is that
your MS Windows clients will see all registered (active) machines in their
browse list.

Note: Again, none of this has anything to do with domain control (or what
many prefer to call PDC).

> auto eth0
> iface eth0 inet static
>          address
>          netmask
>          network
>          broadcast
>          gateway
> Given this, the solution is to change the netmask? Then, MASTER would
> listen in network 192.168. instead of 192.168.0 only.
> Am I right?

It is not what you specify as the "host allow" that determines the scope
of the master browser, it is the netmask of the network that does this.
More accurately put, network segments are broadcast isolated. Routers do
NOT forward UDP broadcast packets.

> How to achieve my PDC to become unique PDC in my LAN composed of
> 192.168.0, 192.168.1 and maybe tomorrow 192.168.2 .. ??

PDC means "Master Authentication Controller" - NOT "Master Browser".
Please read my comments above very carefully.

There are three (3) essential components of MS Windows Networking:

1. Name Resolution

The ability to resolve NetBIOS Machine Names to an IP Address - WINS is
your best friend here. Some people insist on using DNS which is great, but
DNS does not deal with (no mechanism to record and tell clients about)
NetBIOS Name Type information. See section 2.4 of the
Entire-HOWTO-Collection on the SWAT home page.

2. Routing and Visibility

This involves correct network configuration in the first place. Secondly,
you need to provide a way for a local broadcast isolated machine to be
able to find a remote machine - WINS is your best friend here!

3. Security and Authentication

This is where you need to make sure that the machine that a client is
trying to access can authenticate past the security barriers.

> Given the fact I'm a DBA, not an Admin sys specialized in TCP/IP, you
> understand my weakness here :-)

You are not alone. Many network admins have no clue about MS Windows
networking because so few realise that NetBIOS uses different protocols
that are implemented OVER TCP/IP. One needs to understand the NetBIOS
protocols to solve a NetBIOS problem - few TCP/IP admins care to do that!

Put another way: "If you want to catch lots of fish, as a fisherman you
need to think like a fish!"

- John T.
John H Terpstra
Email: jht at samba.org
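
The single-WINS-server layout described in the message above, written out as smb.conf settings. This is an added example, not part of the original post or of Samba's own documentation; the workgroup name EXAMPLE and the address 192.168.0.10 are constructed placeholders.

```ini
# Constructed example: workgroup EXAMPLE, WINS server at 192.168.0.10.

# --- smb.conf on the one Samba server that acts as WINS server (192.168.0.10) ---
[global]
   workgroup = EXAMPLE
   # Run the WINS service here; every client and server registers with it.
   wins support = yes
   # Collect the browse lists of all local master browsers in the workgroup.
   domain master = yes
   # Also take part in (and try to win) the election on its own segment.
   local master = yes
   preferred master = yes
   os level = 65
   # Access control only: this does not widen or narrow the browse scope.
   hosts allow = 127. 192.168.0. 192.168.1.

# --- smb.conf on a Samba server on another segment (e.g. 192.168.1.x) ---
[global]
   workgroup = EXAMPLE
   # Register with the central WINS server. Never combine this with
   # "wins support = yes" on the same machine.
   wins server = 192.168.0.10
   # Only one domain master browser per workgroup.
   domain master = no
   # May still be elected local master browser for its own segment.
   local master = yes
   hosts allow = 127. 192.168.0. 192.168.1.
```

MS Windows clients on each segment are pointed at the same WINS address in their TCP/IP settings; `testparm` checks each file's syntax.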
