[Samba] cross subnet browsing over IPSec

Jonathan Salomon joni at 2male.com
Tue Oct 4 14:13:37 GMT 2005 

Hi all!

This is a repost to this list, hoping to draw some extra attention 
because I got NO reply whatsoever to the original posting :( I would 
really appreciate if someone could comment om which of both strategies 
as described below is best.

I am having some trouble with a samba domain distributed over 2 subnets 
  (192.168.0.0/23 (supernetted) & 192.168.4.0/24). These subnets are 
linked over the internet through a IPSec gateway to gateway (network to 
network) connection (i.e. all machines can reach/ping each other on both 
subnets). The samba PDC (with LDAP backend) has IP 192.168.0.4 and there 
is a BDC (LDAP slave) in the other subnet at IP 192.168.4.2.

The problem is that login of the WinXP clients on the 192.168.4.0/24 
subnet is really slow and I suspect this is caused by data getting sent 
through the (relatively slow) IPSec connection while this is not 
necessary because the BDC should offer all services (like authentication 
and profiles/homedirs).

Until recently I had these settings on the PDC in the smb.conf:

   domain logons = Yes
   os level = 65
   preferred master = Yes
   domain master = Yes
   wins support = Yes

and this on the BDC:

   domain logons = Yes
   os level = 65
   preferred master = Yes
   domain master = No
   wins support = No
   wins server = 192.168.0.4

All machines in both subnets would get 192.168.0.4 (PDC) as WINS server 
by the dhcp server. However like stated before this works very slow. 
Does anyone know if this is actually is a good approach and the slowness 
is cuased by something else?

Anyway I read on a previous posting to this list (and the manual) that 
it's possible to use remote browse sync to sync the browse lists. So I 
decided to change the strategy and configure the PDC as below:

   domain logons = Yes
   os level = 65
   preferred master = Yes
   domain master = Yes
   wins support = Yes
   remote browse sync = 192.168.4.2

and the BDC as below:

   domain logons = Yes
   os level = 65
   preferred master = Yes
   domain master = No
   wins support = Yes
   remote browse sync = 192.168.0.4

And with this setup the machines in the 192.168.0.0/23 subnet are 
getting 192.168.0.4 as WINS server and the machines in the 
192.168.4.0/24 subnet 192.168.4.2.

After restarting samba the PDC shows this in the log.nmbd:

[2005/09/22 16:51:38, 0] 
nmbd/nmbd_browsesync.c:get_domain_master_name_node_status_fail(488)
   get_domain_master_name_node_status_fail:
   Doing a node status request to the domain master browser at IP 
10.0.1.10 failed.
   Cannot get workgroup name.

I don't really understand where the 10.0.1.10 comes from as that 
machines has no routing/interface configured to such subnet.

At the BDC side the log.nmbd shows:

[2005/09/22 15:55:47, 0] 
nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(353)
   find_domain_master_name_query_fail:
   Unable to find the Domain Master Browser name DOMAIN<1b> for the 
workgroup DOMAIN.
   Unable to sync browse lists in this workgroup.

And indeed the browselists on both subnets do not show each other's 
machines. Does anyone know what I am doing wrong here?

Thanks!
Jonathan

More information about the samba mailing list