[Samba] cross subnet browsing over IPSec

Doug VanLeuven roamdad at sonic.net
Tue Oct 4 23:58:57 GMT 2005

Jonathan Salomon wrote:
> Hi all!
> This is a repost to this list, hoping to draw some extra attention 
> because I got NO reply whatsoever to the original posting :( I would 
> really appreciate if someone could comment om which of both strategies 
> as described below is best.
> I am having some trouble with a samba domain distributed over 2 subnets 
>  ( (supernetted) & These subnets are 
> linked over the internet through a IPSec gateway to gateway (network to 
> network) connection (i.e. all machines can reach/ping each other on both 
> subnets). The samba PDC (with LDAP backend) has IP and there 
> is a BDC (LDAP slave) in the other subnet at IP
> The problem is that login of the WinXP clients on the 
> subnet is really slow and I suspect this is caused by data getting sent 
> through the (relatively slow) IPSec connection while this is not 
> necessary because the BDC should offer all services (like authentication 
> and profiles/homedirs).

If ipsec is correctly configured, you can treat it as a simple
multihomed router.

It's not a cut and dried one size fits all solution.

Multiple WINS servers only works where they replicate their data
on some schedule.  Someone correct me if I'm wrong, but there are
no samba configuration options for replication between samba servers.
There have been posts about using rsync on browse.dat but I never
went that road.
My own experience with an MS NT40 domain was if the PDC was
unreachable, not much worked well even though a BDC was available.
If the WAN was down for a sufficient amount of time, promote the
BDC to a PDC.  This only worked well where each BDC had it's own
WINS server and replicated the data. Reconnecting the WAN meant
demoting the temporary PDC back to BDC status.  Never did that
with samba, but with MS servers.  Pretty complicated what with
RID master data and everything.

One WINS server that every machine points to is the easiest to
maintain, but puts the domain at the mercy of the WAN.

With the BDC backend LDAP a slave, you've got multiple sync issues
and probably your best best is the one WINS server, every other
machine pointed to it.  Then work on the speed and WAN reliability
as seperate functions.

Profiles and home dirs are set per user using User Manager for Domains.
Providing users stay on a respective side of the WAN, one can eliminate
dragging data across the WAN by setting the user to use only
shares on the samba server on their respective side.

Get users used to the concept of dragging file contents across the
WAN before editing and then drag them back when they're done, where

Regards, Doug

More information about the samba mailing list