[Samba] Domain logons and client IP broadcasts

Matt Skerritt matt.skerritt at agrav.net
Thu Feb 1 06:09:05 GMT 2007


I had a very similar problem (without the worm) not too long ago.

My current setup has the following in the dhcp server:

option netbios-node-type 2;
option netbios-name-servers a.b.c.d;

(where a.b.c.d is the actual IP address of my PDC).

This tells the windows clients to use peer-peer mode (only uses WINS,
doesn't use broadcast) and tells them where the WINS server is. This
is working quite well, and previously unknown (and uncached) users
have no problems logging onto the workstations.

You also need to have wins support = yes in your smb.conf, of course.  
(Which, I notice, you say you already have).

I did have a couple of teething problems with this setup still
exhibiting the same problems, but they went away. I think you might
need to be sure that the samba server is, indeed, the master browser,
by starting it up before any other clients on the windows network,
but that's just a wild guess.

Hope this helps.

On 31/01/2007, at 7:14 AM, Sherwood Botsford wrote:

>
> Ok, I'm stumped.
> Last week domain logons worked.
> Now when I try to logon, I get a message, "You could not logon
> because the SJSA domain is not available."
>
>
> I've had this happen before when the trust account between the  
> client and server was out of sync (restored a disk image that had a  
> different trust account password)
>
> To fix this, it has been sufficient to quit the domain, reset the  
> password for the machine account, and rejoin the domain.
> If I do this, I get a new message:
> "The specified domain either does not exist or could not be contacted"
>
> If I log in as a local user, I can map network shares with no problem.
>
> ***
>
> Had an idea to test, and now have some more info.
>
> I've recently had problems with a network worm.  Part of my
> plan is to minimize broadcast traffic, and create a situation where  
> the clients can't see each other at all.
>
> To this effect I used f-secure to block all tcp traffic to  
> 192.168.1.2 to 192.168.1.239, which corresponds to my client  
> space.  This part seems to work.
>
> The rule that got me was I tried to block 192.168.1.255 -- the  
> broadcast address, thinking that if the clients couldn't do  
> broadcasts, they wouldn't be able to find each other.
>
> My server is set up with wins support = yes
> with name resolution order of lmhosts (which has the names of my  
> servers) dns hosts, but no broadcast.
>
> At first I thought that without broadcast, it couldn't send arp  
> requests, but arps are ether broadcasts, not tcp.  And if the  
> profile was cached, then logons worked, and browsing worked.
>
> So finally my questions:
>
> 1.  Why does stopping ip broadcasts break domain logons, but not  
> browsing shares?
>
> 2.  What changes can I make to my setup to further inhibit client  
> to client communication?


--
Matt Skerritt
matt.skerritt at agrav.net