[Samba] simple cross-network browsing setup is failing

Matt Swift swift at alum.mit.edu
Fri Jun 3 02:18:00 GMT 2005


PROBLEM: Cross-subnet browsing is not working.  Browse lists on all machines
         contain only the machines on the local subnet.

SUMMARY OF ANALYSIS: The Local Master Browser (LMB) running Windows XP (ZAYIN)
                     never contacts the Domain Master Browser (DMB) running
                     Samba (BETH) to initiate a synchronization of browse
                     lists.  

NETWORK TOPOLOGY (3 machines):

VAV, WinXP
(192.168.2.245)
|
|
(192.168.2.2)
BETH, Linux (Debian 2.6.8), gateway masquerading for VAV
|     samba 3.0.14a (Debian): WINS, LMB and DMB for workgroup TRANSFINITES
|                             on subnet 192.168.2.0/255.255.255.0
|     masquerading
|
|
<routed OpenVPN over Internet (i.e., P-t-P, no broadcast)>
|
|
(192.168.9.10)
ZAYIN, WinXP: LMB for workgroup TRANSFINITES on subnet 192.168.9.0/255.255.255.0


DATA AND OBSERVATIONS:

The WINS server (Samba) contains correct entries for the three hosts and the
workgroup/domain:

    [BETH]# cat /var/lib/samba/wins.dat
    VERSION 1 0
    "^A^B__MSBROWSE__^B#01" 1118035265 255.255.255.255 e4R
    "BETH#00" 1118010575 192.168.2.2 66R
    "BETH#03" 1118010575 192.168.2.2 66R
    "BETH#20" 1118010575 192.168.2.2 66R
    "TRANSFINITES#00" 1118010575 255.255.255.255 e4R
    "TRANSFINITES#1b" 1118010575 192.168.2.2 64R
    "TRANSFINITES#1e" 1118010575 255.255.255.255 e4R
    "VAV#00" 1118045806 192.168.2.245 64R
    "VAV#20" 1118045806 192.168.2.245 64R
    "ZAYIN#00" 1118035254 192.168.9.10 64R
    "ZAYIN#20" 1118035255 192.168.9.10 64R

The nmblookup utility provides further confirmation:

    [BETH]# nmblookup -U beth -R --debuglevel=3 transfinites
    lp_load: refreshing parameters
    Initialising global parameters
    params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    Processing section "[global]"
    added interface ip=192.168.2.2 bcast=192.168.2.255 nmask=255.255.255.0
    Socket opened.
    querying transfinites on 192.168.2.2
    Got a positive name query response from 192.168.2.2 ( 255.255.255.255 )
    255.255.255.255 transfinites<00>

    [BETH]# nmblookup -U beth -R -S --debuglevel=3 beth vav zayin 
    lp_load: refreshing parameters
    Initialising global parameters
    params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    Processing section "[global]"
    added interface ip=192.168.2.2 bcast=192.168.2.255 nmask=255.255.255.0
    Socket opened.
    querying beth on 192.168.2.2
    Got a positive name query response from 192.168.2.2 ( 192.168.2.2 )
    192.168.2.2 beth<00>
    Looking up status of 192.168.2.2
            BETH            <00> -         H <ACTIVE> 
            BETH            <03> -         H <ACTIVE> 
            BETH            <20> -         H <ACTIVE> 
            ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE> 
            TRANSFINITES    <00> - <GROUP> H <ACTIVE> 
            TRANSFINITES    <1b> -         H <ACTIVE> 
            TRANSFINITES    <1d> -         H <ACTIVE> 
            TRANSFINITES    <1e> - <GROUP> H <ACTIVE> 

            MAC Address = 00-00-00-00-00-00

    querying vav on 192.168.2.2
    Got a positive name query response from 192.168.2.2 ( 192.168.2.245 )
    192.168.2.245 vav<00>
    Looking up status of 192.168.2.245
            VAV             <00> -         M <ACTIVE> 
            VAV             <20> -         M <ACTIVE> 
            TRANSFINITES    <00> - <GROUP> M <ACTIVE> 
            TRANSFINITES    <1e> - <GROUP> M <ACTIVE> 

            MAC Address = 00-0E-0C-64-43-F1

    querying zayin on 192.168.2.2
    Got a positive name query response from 192.168.2.2 ( 192.168.9.10 )
    192.168.9.10 zayin<00>
    Looking up status of 192.168.9.10
            ZAYIN           <00> -         M <ACTIVE> 
            ZAYIN           <20> -         M <ACTIVE> 
            TRANSFINITES    <00> - <GROUP> M <ACTIVE> 
            TRANSFINITES    <1e> - <GROUP> M <ACTIVE> 
            TRANSFINITES    <1d> -         M <ACTIVE> 
            ..__MSBROWSE__. <01> - <GROUP> M <ACTIVE> 

            MAC Address = 00-FF-D3-F2-34-06

The browse lists on both subnets are incomplete (this is the problem):

    [ZAYIN]# net view
    Server Name            Remark

    -------------------------------------------------------------------------------
    \\ZAYIN                                                                        
    The command completed successfully.

    [VAV]# net view
    Server Name            Remark

    -------------------------------------------------------------------------------
    \\BETH                                                                         
    \\VAV                                                                          
    The command completed successfully.

    [BETH]# cat /var/cache/samba/browse.dat 
    "TRANSFINITES"            c0001000 "BETH"                        "TRANSFINITES"
    "BETH"                    400d9a23 ""                            "TRANSFINITES"
    "VAV"                     40011003 ""                            "TRANSFINITES"

Host ZAYIN can access shares on BETH and VAV, via, e.g., "net view \\vav".
(Naturally, access via IP address also works.)

ZAYIN is correctly querying its WINS server (BETH) to obtain the IP address of
the server (verified in nmbd.log and by inspecting ZAYIN's NetBIOS cache with
"nbtstat -c").

Host BETH can access shares on VAV and ZAYIN, via, e.g., "smbclient -L vav -U
user".  (Naturally, access via IP address also works.)

Host ZAYIN recognizes that BETH is the Primary Domain Controller for
TRANSFINITES.  Everything I have read indicates that to Windows machines, the
DMB is always on the PDC, so my conclusion is that ZAYIN recognizes BETH as the
DMB for TRANSFINITES:

    [ZAYIN]# browstat getpdc '\Device\NetBT_Tcpip_{D3F23406-7D0D-475B-8F2D-0C0C29C1CE26}' transfinites
    PDC: BETH

Host ZAYIN recognizes that the LMB on its subnet is itself:

    [ZAYIN]# browstat getmaster '\Device\NetBT_Tcpip_{D3F23406-7D0D-475B-8F2D-0C0C29C1CE26}' transfinites
    Master Browser: ZAYIN

ZAYIN never initiates a sync with BETH, its DMB/PDC.  With Samba running as DMB
and debug level set to 10, nmbd.log should indicate with the phrase
"sync_with_lmb" whenever an LMB tries to sync with it (see the source file
samba-3.0.14a/source/nmbd/nmbd_browsesync.c).  That phrase never appears in
nmbd.log after several hours.

Firewalls are not the problem.  There is no firewall on the OpenVPN interface
on ZAYIN.  On BETH, UDP port 138 (see support.microsoft.com/kb/188305) is open,
and in any case is set to log dropped packets, and no packets from ZAYIN are
dropped.

Setting Samba parameter "remote announce" to ZAYIN's IP address (192.168.9.10)
causes BETH to appear in ZAYIN's browse list, as expected, but otherwise all
browse lists remain the same.  This is further confirmation that low-level
network problems are not the cause of the failure to synchronize browse lists
across the subnets.

Documentation of parameter "domain master" in smb.conf and all other
documentation indicates that the LMB ZAYIN should be initiating syncs with the
DMB BETH, and that as a result, the browse list on each machine should contain
all three hosts.

The nbtstat utility reports expected results:

    [ZAYIN]# nbtstat -n

    OpenVPN connection:
    Node IpAddress: [192.168.9.10] Scope Id: []

                    NetBIOS Local Name Table

           Name               Type         Status
        ---------------------------------------------
        ZAYIN          <00>  UNIQUE      Registered 
        ZAYIN          <20>  UNIQUE      Registered 
        TRANSFINITES   <00>  GROUP       Registered 
        TRANSFINITES   <1E>  GROUP       Registered 
        TRANSFINITES   <1D>  UNIQUE      Registered 
        ..__MSBROWSE__.<01>  GROUP       Registered 

    [VAV]# nbtstat -n

    Brainerd LAN:
    Node IpAddress: [192.168.2.245] Scope Id: []

                    NetBIOS Local Name Table

           Name               Type         Status
        ---------------------------------------------
        VAV            <00>  UNIQUE      Registered 
        VAV            <20>  UNIQUE      Registered 
        TRANSFINITES   <00>  GROUP       Registered 
        TRANSFINITES   <1E>  GROUP       Registered 

ZAYIN can query BETH for its browse list with the browstat utility:

    [ZAYIN]# browstat view '\Device\NetBT_Tcpip_{D3F23406-7D0D-475B-8F2D-0C0C29C1CE26}' '\\beth'
    Remoting NetServerEnum to \\beth on transport \Device\NetBT_Tcpip_{D3F23406-7D0D-475B-8F2D-0C0C29C1CE26} with flags ffffffff
    3 entries returned.  3 total. 891 milliseconds

    \\BETH              NT   00.00 (W,S,TS,PQ,XN,NT,SS,PBR,MBR,00080000)
    \\PLANKTON          NT   00.00 (W,S,NT,PBR)
    \\VAV               NT   00.00 (W,S,NT,PBR)


NOTE: I don't know what the "00080000" is doing!  Also, BETH is not listed with
the PDC flag, despite the fact that the "getpdc" operation lists BETH.  I
assume that the reason is that the above "view" operation does not specify a
workgroup/domain.

    # Samba config file created using SWAT
    # from 192.168.2.2 (192.168.2.2)
    # Date: 2005/06/02 18:17:35

    # Global parameters
    [global]
            display charset = UTF8
            workgroup = TRANSFINITES
            server string = 
            map to guest = Bad User
            guest account = sambaguest
            passwd program = /usr/bin/passwd %u
            passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
            username map = /etc/samba.mss/users.map
            log level = 10
            log file = /var/log/samba/log.%m
            max log size = 1000
            name resolve order = wins
            time server = Yes
            deadtime = 15
            printcap name = cups
            os level = 65
            lm announce = No
            preferred master = Yes
            domain master = Yes
            dns proxy = No
            wins support = Yes
            ldap ssl = no
            panic action = /usr/share/samba/panic-action %d
            invalid users = root
            printer admin = @lp
            printing = cups
            print command = 
            lpq command = 
            lprm command = 
            case sensitive = Yes
            map archive = No
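
The comparison the post makes by eye between wins.dat and browse.dat, as an added example (not part of the original post and not Samba code): it reports the address registered for the workgroup's <1b> name and which <20> file servers known to WINS are absent from the DMB's browse list. Function names are hypothetical, the sample input is constructed from the listings quoted above, and the flag meanings (0x80 group, 0x04 active in wins.dat; 0x80000000 marking a workgroup entry in browse.dat) are assumptions about Samba's file formats.

```python
import re
import shlex

# Constructed sample input: lines copied from the wins.dat and browse.dat
# listings quoted in the post, trimmed to the names relevant to browsing.
WINS_DAT = '''VERSION 1 0
"BETH#20" 1118010575 192.168.2.2 66R
"TRANSFINITES#1b" 1118010575 192.168.2.2 64R
"TRANSFINITES#1e" 1118010575 255.255.255.255 e4R
"VAV#20" 1118045806 192.168.2.245 64R
"ZAYIN#20" 1118035255 192.168.9.10 64R
'''
BROWSE_DAT = '''"TRANSFINITES"            c0001000 "BETH"                        "TRANSFINITES"
"BETH"                    400d9a23 ""                            "TRANSFINITES"
"VAV"                     40011003 ""                            "TRANSFINITES"
'''

WINS_LINE = re.compile(r'^"(.+)#([0-9a-fA-F]{2})"\s+(\d+)\s+(.+?)\s+([0-9a-fA-F]{2})R$')
SV_TYPE_DOMAIN_ENUM = 0x80000000  # assumed: set on workgroup entries, clear on servers

def parse_wins(text):
    """Yield (name, suffix, addresses, is_group, is_active) per registration."""
    for line in text.splitlines():
        m = WINS_LINE.match(line.strip())
        if m:  # skips the VERSION header and blank lines
            name, suffix, _ttl, addrs, flags = m.groups()
            flags = int(flags, 16)
            yield (name.upper(), int(suffix, 16), addrs.split(),
                   bool(flags & 0x80), bool(flags & 0x04))

def parse_browse(text, workgroup):
    """Return the set of server names browse.dat lists for a workgroup."""
    servers = set()
    for line in text.splitlines():
        fields = shlex.split(line)  # keeps the empty "" comment as a field
        if len(fields) == 4 and fields[3].upper() == workgroup:
            if not int(fields[1], 16) & SV_TYPE_DOMAIN_ENUM:
                servers.add(fields[0].upper())
    return servers

def browse_gap(wins_text, browse_text, workgroup):
    """Compare WINS <20> registrations with the DMB's browse list."""
    workgroup = workgroup.upper()
    regs = list(parse_wins(wins_text))
    dmb = [a[0] for n, s, a, grp, act in regs
           if n == workgroup and s == 0x1b and act and not grp]
    file_servers = {n for n, s, a, grp, act in regs if s == 0x20 and act and not grp}
    missing = sorted(file_servers - parse_browse(browse_text, workgroup))
    return {"dmb": dmb[0] if dmb else None, "missing": missing}

if __name__ == "__main__":
    print(browse_gap(WINS_DAT, BROWSE_DAT, "transfinites"))
```

A non-empty "missing" list alongside a resolvable "dmb" address matches the post's situation: name registration works across the subnets while the browse lists have not been synchronized.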


