[Samba] Cross subnet browsing + OpenVPN

Moray Henderson Moray.Henderson at ict-software.org
Wed Jul 7 04:49:57 MDT 2010


Julian Pilfold-Bagwell wrote:
>I'm having a problem with cross subnet browsing and name resolution across
>an OpenVPN tunnel. I've found quite a few people who've had the same on
>mail lists but none of their fixes have worked. The specs of the setups at
>both ends of the tunnel are as follows:
>
>OS - CentOS 5.5
>Samba Version 3.5.4
>OpenVPN Version 2.0.9-1
>
>Each server is configured in gateway mode with two NICs, one to the LAN
>and the other to a modem/router.  The first machine, HEADOFFICE, has an
>internal IP address of 192.168.0.1 and an external of 192.168.10.4.  The
>second machine, REMOTE1, has an internal address of 192.168.1.254 and an
>external of 192.168.20.4.
>
>On OpenVPN, I have configured client-to-client and routes and iroutes to
>allow machines on each network to ping machines at the other end as well
>as the server IPs.
>So far so good and I can ping any machine on either subnet from anywhere
>and get a reply.  The servers are configured as Samba servers with the
>HEADOFFICE machine working as a PDC, DMC and WINS server and the REMOTE1
>machine configured as a BDC and WINS proxy.  In order to maintain logon
>facilities in the event of broadband failure, I have replicated the LDAP
>server from HEADOFFICE to REMOTE1 and updates and password changes
>propagate successfully from one site to the other.
>
>If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works
>perfectly but trying to access REMOTE1 from HEADOFFICE and its subnet
>fails on name resolution while entering \\192.168.1.254\ brings up
>Windows Explorer and a list of shares.
>
>I've included the remote browse entries in smb.conf on the PDC and have
>WINS proxying set up on the BDC but I can't get it to push REMOTE1's IP
>back to the WINS server.
>Port scanning the internal IP of each machine from the other end of the
>tunnel returns a full set of open ports for the services I'm using but no
>IP.
>
>If anyone can spot what I'm doing wrong I'd be grateful.
>
>Thanks.
>
>################     smb.conf - HEADOFFICE    ################
>###  Included 2nd subnet for second remote site in browse sync
>
>[global]
>         workgroup = NEWDOM
>         netbios name = HEADOFFICE
>         security = user
>         enable privileges = yes
>         interfaces = 192.168.0.1 127.0.0.1
>#       hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0 194.168.2.0/255.255.255.0 127.0.0.1
>         remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
>         remote browse sync = 192.168.1.255 192.168.2.255
>         wins support = yes
>         name resolve order = wins hosts bcast
>         username map = /etc/samba/smbusers
>         server string = Samba Server %v
>         encrypt passwords = Yes
>         ldap ssl = no
>         unix password sync = yes
>         ldap passwd sync = no
>         passwd program = /usr/sbin/smbldap-passwd -u "%u"
>         # one line; the trailing quote the mail wrapping left behind is not part of the value
>         passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n
>
>#        public = yes
>#        browseable = yes
>#        lm announce = yes
>#        browse list = yes
>#        auto services = yes
>
>         log level = 3
>         syslog = 0
>         log file = /var/log/samba/log.%U
>         max log size = 100000
>         time server = Yes
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         mangling method = hash2
>         Dos charset = 850
>         Unix charset = ISO8859-1
>
>         local master = Yes
>         domain logons = Yes
>         domain master = Yes
>         os level = 65
>         preferred master = Yes
>
>         passdb backend = ldapsam:ldap://127.0.0.1
>         ldap admin dn = cn=Manager,dc=newdom,dc=ldm
>         ldap suffix = dc=newdom,dc=ldm
>         ldap group suffix = ou=Groups
>         ldap user suffix = ou=Users
>         ldap machine suffix = ou=Computers
>         ldap idmap suffix = ou=Idmap
>
>         add user script = /usr/sbin/smbldap-useradd -m "%u"
>         ldap delete dn = Yes
>         delete user script = /usr/sbin/smbldap-userdel "%u"
>         add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>         add group script = /usr/sbin/smbldap-groupadd -p "%g"
>         #delete group script = /usr/sbin/smbldap-groupdel "%g"
>         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>
>[shared]
>         comment = shared directory
>         path = /dat
>         browseable = yes
>         read only = no
>         create mask = 0660
>         directory mask = 0770
>
>
>############ smb.conf - REMOTE1   #############################
>
>[global]
>         workgroup = NEWDOM
>         netbios name = REMOTE1
>         security = user
>         enable privileges = yes
>         interfaces = 192.168.1.254 127.0.0.1
>#        hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.8.0.0/24 127.0.0.1
>         wins server = 192.168.0.1
>         wins proxy = yes
>         username map = /etc/samba/smbusers
>         name resolve order  = wins bcast hosts
>         server string = Samba Server %v
>         encrypt passwords = Yes
>         ldap ssl = no
>         unix password sync = yes
>         ldap passwd sync = no
>         passwd program = /usr/sbin/smbldap-passwd -u "%u"
>         # one line; the trailing quote the mail wrapping left behind is not part of the value
>         passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n
>
>         log level = 0
>         syslog = 0
>         log file = /var/log/samba/log.%U
>         max log size = 100000
>         time server = Yes
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         mangling method = hash2
>         Dos charset = 850
>         Unix charset = ISO8859-1
>
>         local master = Yes
>         domain logons = Yes
>         domain master = no
>         os level = 40
>         preferred master = no
>
>         passdb backend = ldapsam:ldap://127.0.0.1
>         ldap admin dn = cn=Manager,dc=newdom,dc=ldm
>         ldap suffix = dc=newdom,dc=ldm
>         ldap group suffix = ou=Groups
>         ldap user suffix = ou=Users
>         ldap machine suffix = ou=Computers
>         ldap idmap suffix = ou=Idmap
>
>         add user script = /usr/sbin/smbldap-useradd -m "%u"
>         ldap delete dn = Yes
>         delete user script = /usr/sbin/smbldap-userdel "%u"
>         add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>         add group script = /usr/sbin/smbldap-groupadd -p "%g"
>         delete group script = /usr/sbin/smbldap-groupdel "%g"
>         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>
>[test]
>       comment = test share
>       path = /test
>       browseable = yes

We had trouble with some subnet name resolution on CentOS until we added


  modprobe ip_conntrack_netbios_ns

into the firewall start script.  It lets the firewall recognise that
replies to netbios requests are part of an established conversation, so
it's okay to allow them.


Moray.
"To err is human.  To purr, feline"

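The firewall-side fix above, written out as a script, is an added example and not code from the original post or from either poster. It loads the NetBIOS name-service conntrack helper (ip_conntrack_netbios_ns on the CentOS 5 kernel, nf_conntrack_netbios_ns on 2.6.20 and later), restricts the Samba ports to the tunnel interface and the remote site's subnet rather than opening them to the world, and adds a WINS check for the registration the original poster could not see. The interface names tun0 and eth0, the dry-run mechanism (IPT="echo iptables") and the function names are assumptions; 192.168.1.0/24 and the WINS server 192.168.0.1 are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): load the NetBIOS name-service
# conntrack helper, open the Samba ports on the OpenVPN side of the firewall,
# and check whether a name is registered at the WINS server.
# Assumptions: tunnel interface tun0, LAN NIC eth0, remote LAN 192.168.1.0/24
# (REMOTE1's subnet in the post), WINS server 192.168.0.1 (HEADOFFICE).

IPT="${IPT:-iptables}"            # set IPT="echo iptables" to dry-run the rules
TUN="${TUN:-tun0}"                # assumed OpenVPN interface name
LAN="${LAN:-eth0}"                # assumed LAN-facing NIC
REMOTE_NET="${REMOTE_NET:-192.168.1.0/24}"
WINS="${WINS:-192.168.0.1}"

# The helper creates a conntrack expectation for the unicast reply to a
# UDP/137 query that was sent to a broadcast address, so the reply is
# classed RELATED instead of being dropped as a new, unsolicited flow.
# Unicast queries to a WINS server are ordinary UDP flows and never needed it.
netbios_helper_name() {
    for m in ip_conntrack_netbios_ns nf_conntrack_netbios_ns; do
        if modinfo "$m" >/dev/null 2>&1; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

load_netbios_helper() {
    m=$(netbios_helper_name) || { echo "no netbios_ns conntrack helper on this kernel" >&2; return 1; }
    modprobe "$m"
}

# Returns 0 when either spelling of the helper is loaded (read from /proc/modules).
netbios_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_netbios_ns[[:space:]]' /proc/modules 2>/dev/null
}

# Rules for the tunnel side.  The ESTABLISHED,RELATED rule is what the helper's
# expectations feed, so it comes first; the explicit port rules admit the
# initial packets.  Everything is limited to the tunnel and the remote subnet.
netbios_rules() {
    $IPT -A INPUT -i "$TUN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NetBIOS name service and datagram service (WINS, browsing, announcements)
    $IPT -A INPUT -i "$TUN" -s "$REMOTE_NET" -p udp --dport 137:138 -j ACCEPT
    # NetBIOS session service and SMB over TCP
    $IPT -A INPUT -i "$TUN" -s "$REMOTE_NET" -p tcp --dport 139 -j ACCEPT
    $IPT -A INPUT -i "$TUN" -s "$REMOTE_NET" -p tcp --dport 445 -j ACCEPT
    # Let the two LANs reach each other through this gateway (client-to-client browsing)
    $IPT -A FORWARD -i "$TUN" -o "$LAN" -s "$REMOTE_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$TUN" -d "$REMOTE_NET" -j ACCEPT
}

# Ask the WINS server directly (unicast, recursion desired) whether a name is
# registered; no answer means the registration never reached it.
check_wins_registration() {
    nmblookup -U "$WINS" -R "$1"
}

# Usage: ./samba-vpn-fw.sh apply    or    ./samba-vpn-fw.sh check REMOTE1
case "${1:-}" in
    apply)
        load_netbios_helper && netbios_helper_loaded && echo "netbios_ns helper loaded"
        netbios_rules
        ;;
    check)
        check_wins_registration "${2:-REMOTE1}"
        ;;
esac
```

On RHEL and CentOS the stock iptables init script will do the modprobe itself if the module is listed in IPTABLES_MODULES in /etc/sysconfig/iptables-config, which keeps the helper in step with the rules across restarts. Across a routed tun link only unicast WINS traffic and the `remote announce` / `remote browse sync` datagrams addressed to the far subnet's broadcast address actually cross, so after applying the rules run the check on each server to confirm the other side's name is present at the WINS server.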