[Samba] Cross subnet browsing + OpenVPN

Julian Pilfold-Bagwell jpb at bordengrammar.kent.sch.uk
Tue Jul 6 06:12:24 MDT 2010


Hi All,

I'm having a problem with cross-subnet browsing and name resolution across
an OpenVPN tunnel. I've found quite a few people who've had the same problem
on mailing lists, but none of their fixes have worked. The specs of the
setups at both ends of the tunnel are as follows:

OS - CentOS 5.5
Samba Version 3.5.4
OpenVPN Version 2.0.9-1

Each server is configured in gateway mode with two NICs, one to the LAN
and the other to a modem/router. The first machine, HEADOFFICE, has an
internal IP address of 192.168.0.1 and an external one of 192.168.10.4. The
second machine, REMOTE1, has an internal address of 192.168.1.254 and an
external one of 192.168.20.4.

On OpenVPN, I have configured client-to-client and routes and iroutes to
allow machines on each network to ping machines at the other end as well
as the server IPs. So far so good: I can ping any machine on either subnet
from anywhere and get a reply. The servers are configured as Samba servers,
with the HEADOFFICE machine working as PDC, DMB and WINS server and the
REMOTE1 machine configured as a BDC and WINS proxy. In order to maintain
logon facilities in the event of broadband failure, I have replicated the
LDAP server from HEADOFFICE to REMOTE1, and updates and password changes
propagate successfully from one site to the other.

If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works
perfectly, but trying to access REMOTE1 from HEADOFFICE and its subnet
fails on name resolution, while entering \\192.168.1.254\ brings up
Windows Explorer and a list of shares.

I've included the remote browse entries in smb.conf on the PDC and have
WINS proxying set up on the BDC, but I can't get it to push REMOTE1's IP
back to the WINS server. Port scanning the internal IP of each machine from
the other end of the tunnel returns a full set of open ports for the
services I'm using, but no IP.

If anyone can spot what I'm doing wrong I'd be grateful.

Thanks.

################     smb.conf - HEADOFFICE    ################
###  Included 2nd subnet for second remote site in browse sync

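[global]
# Header normalised from "[ global]" (stray space inside the brackets).
# Lines that the mail client had wrapped (hosts allow, passwd chat,
# delete user from group script) are re-joined below.

# Domain identity: this host is the PDC for NEWDOM.
         workgroup = NEWDOM
         netbios name = HEADOFFICE
         security = user
         enable privileges = yes
# Only the LAN address is listed, but "interfaces" alone does not limit
# where smbd listens: without "bind interfaces only = yes" it still accepts
# connections on every address, including the external NIC (192.168.10.4
# per the post). With hosts allow commented out there is no address filter
# at all, so one of the two should be put back before this host faces the
# modem/router side.
         interfaces = 192.168.0.1 127.0.0.1
# Disabled address filter, kept for reference. The third entry reads
# 194.168.2.0 where the rest of the file uses 192.168.2.x; check it before
# re-enabling, or clients from that subnet will be refused.
#        hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0 194.168.2.0/255.255.255.0 127.0.0.1
# Cross-subnet browsing: announce to, and sync browse lists with, the
# broadcast addresses of the remote LANs (192.168.2.x is a second remote
# site not described in the post). Directed broadcasts are usually not
# forwarded across a routed VPN tunnel; smb.conf(5) also accepts the
# unicast address of the remote browse master for "remote browse sync"
# (192.168.1.254 for REMOTE1), which is worth trying if REMOTE1 never
# shows up.
         remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
         remote browse sync = 192.168.1.255 192.168.2.255
# WINS server for the domain. This key appeared twice in the original
# (here and after "preferred master"); the duplicate is dropped since the
# second occurrence only repeated the same value.
         wins support = yes
# Note REMOTE1 uses "wins bcast hosts"; the two should probably agree.
         name resolve order = wins hosts bcast
         username map = /etc/samba/smbusers
         server string = Samba Server %v
         encrypt passwords = Yes
# LDAP is reached over loopback only, so an unencrypted ldap:// URL is
# acceptable here; if the backend ever moves to another host this should
# become "start tls".
         ldap ssl = no
# Password changes go through smbldap-passwd rather than Samba's own
# LDAP sync.
         unix password sync = yes
         ldap passwd sync = no
         passwd program = /usr/sbin/smbldap-passwd -u "%u"
# Re-joined from two wrapped lines. The closing quote after the final
# %n\n looks unbalanced; compare with the on-disk file before relying on
# this listing.
         passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

# Browse-related options that were tried and then disabled.
#        public = yes
#        browseable = yes
#        lm announce = yes
#        browse list = yes
#        auto services = yes

# Logging: level 3 is verbose for a production PDC (fine while debugging
# browsing); one log file per connecting user.
         log level = 3
         syslog = 0
         log file = /var/log/samba/log.%U
         max log size = 100000
         time server = Yes
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         mangling method = hash2
         Dos charset = 850
         Unix charset = ISO8859-1

# Browser election: domain master and local master, high os level so this
# host wins elections against the BDC (os level 40) and workstations.
         local master = Yes
         domain logons = Yes
         domain master = Yes
         os level = 65
         preferred master = Yes

# LDAP passdb on loopback. The admin dn's password is not in this file;
# it is held in secrets.tdb (set with smbpasswd -w).
         passdb backend = ldapsam:ldap://127.0.0.1
         ldap admin dn = cn=Manager,dc=newdom,dc=ldm
         ldap suffix = dc=newdom,dc=ldm
         ldap group suffix = ou=Groups
         ldap user suffix = ou=Users
         ldap machine suffix = ou=Computers
         ldap idmap suffix = ou=Idmap

# smbldap-tools hooks. "delete group script" is disabled here but enabled
# on REMOTE1; presumably intentional, but worth confirming.
         add user script = /usr/sbin/smbldap-useradd -m "%u"
         ldap delete dn = Yes
         delete user script = /usr/sbin/smbldap-userdel "%u"
         add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
         add group script = /usr/sbin/smbldap-groupadd -p "%g"
         #delete group script = /usr/sbin/smbldap-groupdel "%g"
         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'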

[shared]
# Writable share on /dat, listed in browse lists. Permission bits of new
# files are capped at 0660 and of new directories at 0770, so access is
# by owner and group only. "writeable" and "browsable" are Samba synonyms
# for "read only = no" and "browseable".
         comment = shared directory
         path = /dat
         writeable = yes
         browsable = yes
         create mask = 0660
         directory mask = 0770


############ smb.conf - REMOTE1   #############################

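[global]
# Lines that the mail client had wrapped (hosts allow, passwd chat,
# delete user from group script) are re-joined below.

# Domain identity: this host is the BDC for NEWDOM.
         workgroup = NEWDOM
         netbios name = REMOTE1
         security = user
         enable privileges = yes
# Only the LAN address is listed, but without "bind interfaces only = yes"
# smbd still accepts connections on every address, including the external
# NIC (192.168.20.4 per the post). hosts allow is commented out as well,
# so nothing restricts who can connect; put one of the two back before
# this host faces the modem/router side. The disabled list below includes
# 10.8.0.0/24, which looks like the OpenVPN tunnel subnet.
         interfaces = 192.168.1.254 127.0.0.1
#        hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.8.0.0/24 127.0.0.1
# nmbd registers this host's own NetBIOS names with the WINS server at
# HEADOFFICE over unicast. "wins proxy" only makes nmbd answer broadcast
# name queries from local clients on WINS's behalf; it does not push other
# hosts' names into WINS. If REMOTE1 is missing from WINS, check the
# registration directly from this host, e.g.
# nmblookup -U 192.168.0.1 -R REMOTE1, and make sure UDP 137 from
# 192.168.1.254 reaches 192.168.0.1 through the tunnel.
         wins server = 192.168.0.1
         wins proxy = yes
         username map = /etc/samba/smbusers
# Extra space before "=" removed. HEADOFFICE uses "wins hosts bcast"; the
# two should probably agree.
         name resolve order = wins bcast hosts
         server string = Samba Server %v
         encrypt passwords = Yes
# LDAP is reached over loopback only (replica of the HEADOFFICE directory),
# so an unencrypted ldap:// URL is acceptable here.
         ldap ssl = no
         unix password sync = yes
         ldap passwd sync = no
         passwd program = /usr/sbin/smbldap-passwd -u "%u"
# Re-joined from two wrapped lines. The closing quote after the final
# %n\n looks unbalanced; compare with the on-disk file before relying on
# this listing.
         passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

# Logging is off here (level 0); raise it while debugging browsing so
# nmbd's election and WINS registration messages are captured.
         log level = 0
         syslog = 0
         log file = /var/log/samba/log.%U
         max log size = 100000
         time server = Yes
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         mangling method = hash2
         Dos charset = 850
         Unix charset = ISO8859-1

# Browser election: local master on this subnet only; domain master stays
# with HEADOFFICE (os level 65 > 40).
         local master = Yes
         domain logons = Yes
         domain master = no
         os level = 40
         preferred master = no

# LDAP passdb on the local replica. The admin dn's password is not in this
# file; it is held in secrets.tdb (set with smbpasswd -w).
         passdb backend = ldapsam:ldap://127.0.0.1
         ldap admin dn = cn=Manager,dc=newdom,dc=ldm
         ldap suffix = dc=newdom,dc=ldm
         ldap group suffix = ou=Groups
         ldap user suffix = ou=Users
         ldap machine suffix = ou=Computers
         ldap idmap suffix = ou=Idmap

# smbldap-tools hooks. Unlike HEADOFFICE, "delete group script" is enabled
# here; confirm this is intended on a BDC that replicates from the PDC.
         add user script = /usr/sbin/smbldap-useradd -m "%u"
         ldap delete dn = Yes
         delete user script = /usr/sbin/smbldap-userdel "%u"
         add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
         add group script = /usr/sbin/smbldap-groupadd -p "%g"
         delete group script = /usr/sbin/smbldap-groupdel "%g"
         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'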

[test]
# Test share on /test, listed in browse lists. No "read only" override is
# given, so Samba's default applies. "browsable" is a synonym of
# "browseable".
       comment = test share
       path = /test
       browsable = yes



