[Samba] simple cross-network browsing setup is failing
Matt Swift
swift at alum.mit.edu
Fri Jun 3 02:18:00 GMT 2005
PROBLEM: Cross-subnet browsing is not working. Browse lists on all machines
contain only the machines on the local subnet.
SUMMARY OF ANALYSIS: The Local Master Browser (LMB) running Windows XP (ZAYIN)
never contacts the Domain Master Browser (DMB) running
Samba (BETH) to initiate a synchronization of browse
lists.
NETWORK TOPOLOGY (3 machines):
VAV, WinXP
(192.168.2.245)
|
|
(192.168.2.2)
BETH, Linux (Debian 2.6.8), gateway masquerading for VAV
| samba 3.0.14a (Debian): WINS, LMB and DMB for workgroup TRANSFINITES
| on subnet 192.168.2.0/255.255.255.0
| masquerading
|
|
<routed OpenVPN over Internet (i.e., P-t-P, no broadcast)>
|
|
(192.168.9.10)
ZAYIN, WinXP: LMB for workgroup TRANSFINITES on subnet 192.168.9.0/255.255.255.0
DATA AND OBSERVATIONS:
The WINS server (Samba) contains correct entries for the three hosts and the
workgroup/domain:
[BETH]# cat /var/lib/samba/wins.dat
VERSION 1 0
"^A^B__MSBROWSE__^B#01" 1118035265 255.255.255.255 e4R
"BETH#00" 1118010575 192.168.2.2 66R
"BETH#03" 1118010575 192.168.2.2 66R
"BETH#20" 1118010575 192.168.2.2 66R
"TRANSFINITES#00" 1118010575 255.255.255.255 e4R
"TRANSFINITES#1b" 1118010575 192.168.2.2 64R
"TRANSFINITES#1e" 1118010575 255.255.255.255 e4R
"VAV#00" 1118045806 192.168.2.245 64R
"VAV#20" 1118045806 192.168.2.245 64R
"ZAYIN#00" 1118035254 192.168.9.10 64R
"ZAYIN#20" 1118035255 192.168.9.10 64R
The nmblookup utility provides further confirmation:
[BETH]# nmblookup -U beth -R --debuglevel=3 transfinites
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface ip=192.168.2.2 bcast=192.168.2.255 nmask=255.255.255.0
Socket opened.
querying transfinites on 192.168.2.2
Got a positive name query response from 192.168.2.2 ( 255.255.255.255 )
255.255.255.255 transfinites<00>
[BETH]# nmblookup -U beth -R -S --debuglevel=3 beth vav zayin
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface ip=192.168.2.2 bcast=192.168.2.255 nmask=255.255.255.0
Socket opened.
querying beth on 192.168.2.2
Got a positive name query response from 192.168.2.2 ( 192.168.2.2 )
192.168.2.2 beth<00>
Looking up status of 192.168.2.2
BETH <00> - H <ACTIVE>
BETH <03> - H <ACTIVE>
BETH <20> - H <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
TRANSFINITES <00> - <GROUP> H <ACTIVE>
TRANSFINITES <1b> - H <ACTIVE>
TRANSFINITES <1d> - H <ACTIVE>
TRANSFINITES <1e> - <GROUP> H <ACTIVE>
MAC Address = 00-00-00-00-00-00
querying vav on 192.168.2.2
Got a positive name query response from 192.168.2.2 ( 192.168.2.245 )
192.168.2.245 vav<00>
Looking up status of 192.168.2.245
VAV <00> - M <ACTIVE>
VAV <20> - M <ACTIVE>
TRANSFINITES <00> - <GROUP> M <ACTIVE>
TRANSFINITES <1e> - <GROUP> M <ACTIVE>
MAC Address = 00-0E-0C-64-43-F1
querying zayin on 192.168.2.2
Got a positive name query response from 192.168.2.2 ( 192.168.9.10 )
192.168.9.10 zayin<00>
Looking up status of 192.168.9.10
ZAYIN <00> - M <ACTIVE>
ZAYIN <20> - M <ACTIVE>
TRANSFINITES <00> - <GROUP> M <ACTIVE>
TRANSFINITES <1e> - <GROUP> M <ACTIVE>
TRANSFINITES <1d> - M <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> M <ACTIVE>
MAC Address = 00-FF-D3-F2-34-06
The browse lists on both subnets are incomplete (this is the problem):
[ZAYIN]# net view
Server Name Remark
-------------------------------------------------------------------------------
\\ZAYIN
The command completed successfully.
[VAV]# net view
Server Name Remark
-------------------------------------------------------------------------------
\\BETH
\\VAV
The command completed successfully.
[BETH]# cat /var/cache/samba/browse.dat
"TRANSFINITES" c0001000 "BETH" "TRANSFINITES"
"BETH" 400d9a23 "" "TRANSFINITES"
"VAV" 40011003 "" "TRANSFINITES"
Host ZAYIN can access shares on BETH and VAV, via, e.g., "net view \\vav".
(Naturally, access via IP address also works.)
ZAYIN is correctly querying its WINS server (BETH) to obtain the IP address of
the server (verified in nmbd.log and by inspecting ZAYIN's netbios cache with
"nbtstat -c").
Host BETH can access shares on VAV and ZAYIN, via, e.g., "smbclient -L vav -U
user". (Naturally, access via IP address also works.)
Host ZAYIN recognizes that BETH is the Primary Domain Controller for
TRANSFINITES. Everything I have read indicates that to Windows machines, the
DMB is always on the PDC, so my conclusion is that ZAYIN recognizes BETH as the
DMB for TRANSFINITES:
[ZAYIN]# browstat getpdc '\Device\NetBT_Tcpip_{D3F23406-7D0D-475B-8F2D-0C0C29C1CE26}' transfinites
PDC: BETH
Host ZAYIN recognizes that the LMB on its subnet is itself:
[ZAYIN]# browstat getmaster '\Device\NetBT_Tcpip_{D3F23406-7D0D-475B-8F2D-0C0C29C1CE26}' transfinites
Master Browser: ZAYIN
ZAYIN never initiates a sync with BETH, its DMB/PDC. With Samba running as DMB
and debug level set to 10, nmbd.log should indicate with the phrase
"sync_with_lmb" whenever an LMB tries to sync with it (see the source file
samba-3.0.14a/source/nmbd/nmbd_browsesync.c). That phrase never appears in
nmbd.log after several hours.
Firewalls are not the problem. There is no firewall on the OpenVPN interface
on ZAYIN. On BETH, UDP port 138 (see support.microsoft.com/kb/188305) is open,
and in any case is set to log dropped packets, and no packets from ZAYIN are
dropped.
Setting Samba parameter "remote announce" to ZAYIN's IP address (192.168.9.10)
causes BETH to appear in ZAYIN's browse list, as expected, but otherwise all
browse lists remain the same. This is further confirmation that low-level
network problems are not the cause of the failure to synchronize browse lists
across the subnets.
Documentation of parameter "domain master" in smb.conf and all other
documentation indicates that the LMB ZAYIN should be initiating syncs with the
DMB BETH, and that as a result, the browse list on each machine should contain
all three hosts.
The nbtstat utility reports expected results:
[ZAYIN]# nbtstat -n
OpenVPN connection:
Node IpAddress: [192.168.9.10] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
ZAYIN <00> UNIQUE Registered
ZAYIN <20> UNIQUE Registered
TRANSFINITES <00> GROUP Registered
TRANSFINITES <1E> GROUP Registered
TRANSFINITES <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
[VAV]# nbtstat -n
Brainerd LAN:
Node IpAddress: [192.168.2.245] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
VAV <00> UNIQUE Registered
VAV <20> UNIQUE Registered
TRANSFINITES <00> GROUP Registered
TRANSFINITES <1E> GROUP Registered
ZAYIN can query BETH for its browse list with the browstat utility:
[ZAYIN]# browstat view '\Device\NetBT_Tcpip_{D3F23406-7D0D-475B-8F2D-0C0C29C1CE26}' '\\beth'
Remoting NetServerEnum to \\beth on transport \Device\NetBT_Tcpip_{D3F23406-7D0D-475B-8F2D-0C0C29C1CE26} with flags ffffffff
3 entries returned. 3 total. 891 milliseconds
\\BETH NT 00.00 (W,S,TS,PQ,XN,NT,SS,PBR,MBR,00080000)
\\PLANKTON NT 00.00 (W,S,NT,PBR)
\\VAV NT 00.00 (W,S,NT,PBR)
NOTE: I don't know what the "00080000" is doing! Also, BETH is not listed with
the PDC flag, despite the fact that the "getpdc" operation lists BETH. I
assume that the reason is that the above "view" operation does not specify a
workgroup/domain.
# Samba config file created using SWAT
# from 192.168.2.2 (192.168.2.2)
# Date: 2005/06/02 18:17:35
# Global parameters
[global]
display charset = UTF8
workgroup = TRANSFINITES
server string =
map to guest = Bad User
guest account = sambaguest
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
username map = /etc/samba.mss/users.map
log level = 10
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = wins
time server = Yes
deadtime = 15
printcap name = cups
os level = 65
lm announce = No
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
invalid users = root
printer admin = @lp
printing = cups
print command =
lpq command =
lprm command =
case sensitive = Yes
map archive = No
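
The comparison made by hand in the post (names registered in WINS versus names in the DMB's browse list) can be scripted. This is an added example, not part of the original message or of Samba; the function names are hypothetical, the sample data is a subset of the wins.dat and browse.dat lines quoted above, and the file layouts are assumed to be exactly as shown there.

```python
import ipaddress
import re
import shlex

# Sample input: subset of the wins.dat / browse.dat lines quoted in the post.
WINS_DAT = '''VERSION 1 0
"BETH#20" 1118010575 192.168.2.2 66R
"TRANSFINITES#1b" 1118010575 192.168.2.2 64R
"TRANSFINITES#1e" 1118010575 255.255.255.255 e4R
"VAV#20" 1118045806 192.168.2.245 64R
"ZAYIN#20" 1118035255 192.168.9.10 64R
'''
BROWSE_DAT = '''"TRANSFINITES" c0001000 "BETH" "TRANSFINITES"
"BETH" 400d9a23 "" "TRANSFINITES"
"VAV" 40011003 "" "TRANSFINITES"
'''
SV_TYPE_DOMAIN_ENUM = 0x80000000  # browse.dat row names a workgroup, not a host
WINS_LINE = re.compile(r'"(.+)#([0-9a-fA-F]{2})"\s+\d+\s+(.+?)\s+\w+$')

def parse_wins(text):
    """Map (NAME, type) -> list of registered IPs from wins.dat text."""
    names = {}
    for line in text.splitlines():
        m = WINS_LINE.match(line.strip())
        if m:  # the VERSION header does not match and is skipped
            names[(m.group(1).upper(), m.group(2).lower())] = m.group(3).split()
    return names

def browse_hosts(text, workgroup):
    """Host names listed for `workgroup` in browse.dat text."""
    hosts = set()
    for line in text.splitlines():
        fields = shlex.split(line)
        if len(fields) != 4:
            continue
        name, svtype, _comment, wg = fields
        if wg.upper() == workgroup.upper() and not int(svtype, 16) & SV_TYPE_DOMAIN_ENUM:
            hosts.add(name.upper())
    return hosts

def missing_from_browse(wins_text, browse_text, workgroup, netmask="255.255.255.0"):
    """Servers (<20>) known to WINS but absent from the browse list, with subnet."""
    listed = browse_hosts(browse_text, workgroup)
    missing = {}
    for (name, ntype), ips in parse_wins(wins_text).items():
        if ntype == "20" and name not in listed:
            net = ipaddress.ip_network(f"{ips[0]}/{netmask}", strict=False)
            missing[name] = str(net)
    return missing

if __name__ == "__main__":
    print(missing_from_browse(WINS_DAT, BROWSE_DAT, "TRANSFINITES"))
```

A host reported here that sits on a different subnet from the `#1b` holder points at a missing LMB-to-DMB sync rather than a name-registration problem.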