[Samba] Cross subnet browsing + OpenVPN
Robert Schetterer
robert at schetterer.org
Fri Jul 9 03:57:35 MDT 2010
On 09.07.2010 11:37, Julian Pilfold-Bagwell wrote:
> Sorry about the delay, family emergency to deal with.
> browse sync shares the info across them. I tried putting the specific
> IP addresses of the local master browsers into the browse sync but it
> still doesn't seem to spread everything across all the subnets.
You should use tap interfaces with OpenVPN.
>
>
> From what I understand, the remote announce tells the WINS server to
> broadcast across the remote subnets and remote
>
> On 06/07/10 13:50, tms3 at tms3.com wrote:
>>
>>
>> SNIP
>>>
>>> Hi All,
>>>
>>> I'm having a problem with cross subnet browsing and name resolution
>>> across
>>> an openvpn tunnel. i've found quite a few people who've had the same on
>>> mail lists but none of their fixes have worked. The spec of the
>>> setups at
>>> both ends of the tunnel are as follows:
>> "remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
>> remote browse sync = 192.168.1.255 192.168.2.255"
>>
>> This looks odd to me.
>>
>> remote announce = <wins server ip>/<DOMNAME>
>> remote browse sync = <wins server ip>
>>
>> NEEDED in both smb.conf
>>
>> wins server = <wins server ip>
>>
>> Can't remember default for this setting sooooo
>>
>> enhanced browsing = Yes
>>
>> in both smb.conf
>>
>>
>> DHCP should point clients to headoffice for WINS. WINS proxy is not
>> useful.
>>>
>>>
>>> OS - CentOS 5.5
>>> Samba Version 3.5.4
>>> OpenVPN Version 2.0.9-1
>>>
>>> Each server is configured in gateway mode with two NICS, one to the lan
>>> and the other to a modem/router. The first machine, HEADOFFICE, has an
>>> internal IP address of
>>> 192.168.0.1 and an external of 192.168.10.4. The second machine,
>>> REMOTE1,
>>> has an internal address of 192.168.1.254 and an external of
>>> 192.168.20.4.
>>>
>>> On openVPN, I have configured client to client and routes and iroutes to
>>> allow machines on each network to ping machines at the other end as well
>>> as the server IP's.
>>> So far so good and I can ping any machine on either subnet from anywhere
>>> and get a reply. The servers are configured as Samba servers with the
>>> HEADOFFICE machine working as a PDC, DMC and WINS server and the REMOTE1
>>> machine configured as a BDC and WINS proxy. In order to maintain
>>> logon
>>> facilities in the event of broadband failure,
>>> I have replicated the LDAP server from HEADOFFICE to REMOTE1 and updates
>>> and password changes propagate successfully from one site to the other.
>>>
>>> If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works
>>> perfectly but trying to access REMOTE1 from HEADOFFICE and its subnet
>>> fails on name resolution while
>>> entering \\192.168.1.254\ brings up Windows Explorer and a list of
>>> shares.
>>>
>>> I've included the remote browse entries in smb.conf on the PDC and have
>>> WINS Proxying set up on the BDC but I can't get it to push REMOTE1's IP
>>> back to the WINS server.
>>> Port scanning the internal IP of each machine from the other end of the
>>> tunnel returns a full set of open ports for the services I'm using
>>> but no
>>> IP.
>>>
>>> If anyone can spot what I'm doing wrong I'd be grateful.
>>>
>>> Thanks.
>>>
>>> ################ smb.conf - HEADOFFICE ################
>>> ### Included 2nd subnet for second remote site in browse sync
>>>
>>> [ global]
>>> workgroup = NEWDOM
>>> netbios name = HEADOFFICE
>>> security = user
>>> enable privileges = yes
>>> interfaces = 192.168.0.1 127.0.0.1
>>> # hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0 194.168.2.0/255.255.255.0 127.0.0.1
>>> remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
>>> remote browse sync = 192.168.1.255 192.168.2.255
>>> wins support = yes
>>> name resolve order = wins hosts bcast
>>> username map = /etc/samba/smbusers
>>> server string = Samba Server %v
>>> encrypt passwords = Yes
>>> ldap ssl = no
>>> unix password sync = yes
>>> ldap passwd sync = no
>>> passwd program = /usr/sbin/smbldap-passwd -u "%u"
>>> passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
>>>
>>> # public = yes
>>> # browseable = yes
>>> # lm announce = yes
>>> # browse list = yes
>>> # auto services = yes
>>>
>>> log level = 3
>>> syslog = 0
>>> log file = /var/log/samba/log.%U
>>> max log size = 100000
>>> time server = Yes
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> mangling method = hash2
>>> Dos charset = 850
>>> Unix charset = ISO8859-1
>>>
>>> local master = Yes
>>> domain logons = Yes
>>> domain master = Yes
>>> os level = 65
>>> preferred master = Yes
>>> wins support = yes
>>>
>>> passdb backend = ldapsam:ldap://127.0.0.1
>>> ldap admin dn = cn=Manager,dc=newdom,dc=ldm
>>> ldap suffix = dc=newdom,dc=ldm
>>> ldap group suffix = ou=Groups
>>> ldap user suffix = ou=Users
>>> ldap machine suffix = ou=Computers
>>> ldap idmap suffix = ou=Idmap
>>>
>>> add user script = /usr/sbin/smbldap-useradd -m "%u"
>>> ldap delete dn = Yes
>>> delete user script = /usr/sbin/smbldap-userdel "%u"
>>> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>>> add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>> #delete group script = /usr/sbin/smbldap-groupdel "%g"
>>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>>
>>> [shared]
>>> comment = shared directory
>>> path = /dat
>>> browseable = yes
>>> read only = no
>>> create mask = 0660
>>> directory mask = 0770
>>>
>>>
>>> ############ smb.conf - REMOTE1 #############################
>>>
>>> [global]
>>> workgroup = NEWDOM
>>> netbios name = REMOTE1
>>> security = user
>>> enable privileges = yes
>>> interfaces = 192.168.1.254 127.0.0.1
>>> # hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.8.0.0/24 127.0.0.1
>>> wins server = 192.168.0.1
>>> wins proxy = yes
>>> username map = /etc/samba/smbusers
>>> name resolve order = wins bcast hosts
>>> server string = Samba Server %v
>>> encrypt passwords = Yes
>>> ldap ssl = no
>>> unix password sync = yes
>>> ldap passwd sync = no
>>> passwd program = /usr/sbin/smbldap-passwd -u "%u"
>>> passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
>>>
>>> log level = 0
>>> syslog = 0
>>> log file = /var/log/samba/log.%U
>>> max log size = 100000
>>> time server = Yes
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> mangling method = hash2
>>> Dos charset = 850
>>> Unix charset = ISO8859-1
>>>
>>> local master = Yes
>>> domain logons = Yes
>>> domain master = no
>>> os level = 40
>>> preferred master = no
>>>
>>> passdb backend = ldapsam:ldap://127.0.0.1
>>> ldap admin dn = cn=Manager,dc=newdom,dc=ldm
>>> ldap suffix = dc=newdom,dc=ldm
>>> ldap group suffix = ou=Groups
>>> ldap user suffix = ou=Users
>>> ldap machine suffix = ou=Computers
>>> ldap idmap suffix = ou=Idmap
>>>
>>> add user script = /usr/sbin/smbldap-useradd -m "%u"
>>> ldap delete dn = Yes
>>> delete user script = /usr/sbin/smbldap-userdel "%u"
>>> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>>> add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>> delete group script = /usr/sbin/smbldap-groupdel "%g"
>>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>>
>>> [test]
>>> comment = test share
>>> path = /test
>>> browseable = yes
>>>
>>>
--
Best Regards
Kind regards, Robert Schetterer
Germany/Munich/Bavaria
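Added example, not code from the thread or from Samba: a small Python lint that parses the [global] section of each smb.conf and flags the settings the thread argues about. The rules it encodes are taken from the advice above and are assumptions, not Samba requirements, except the `wins support`/`wins server` conflict, which nmbd itself rejects: one WINS server, every other host pointing `wins server` at it, `remote announce`/`remote browse sync` aimed at a unicast address rather than a .255 subnet broadcast that a routed (tun) OpenVPN tunnel will not carry, and no `wins proxy`.

```python
def parse_global(text):
    """Return the [global] settings of an smb.conf, keys lower-cased and space-normalised."""
    section, conf = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':            # smb.conf comments start the line
            continue
        if line[0] == '[' and line[-1] == ']':     # tolerates '[ global]' as in the thread
            section = line[1:-1].strip().lower()
        elif section == 'global' and '=' in line:
            key, val = (s.strip() for s in line.split('=', 1))
            conf[' '.join(key.lower().split())] = val
    return conf

def lint_browsing(confs):
    """confs: {netbios name: parsed [global]} -> (host, finding) pairs contradicting the thread's advice."""
    yes = lambda c, k: c.get(k, 'no').lower() in ('yes', 'true', '1')
    out, wins = [], [h for h, c in confs.items() if yes(c, 'wins support')]
    if len(wins) != 1:
        out.append(('*', 'expected exactly one WINS server, found %s' % wins))
    # the WINS server's own address is taken to be the first entry of its 'interfaces' list
    wins_ip = (confs[wins[0]].get('interfaces', '').split() or [None])[0] if wins else None
    for host, c in confs.items():
        if yes(c, 'wins support') and 'wins server' in c:
            out.append((host, "'wins support' and 'wins server' are mutually exclusive; nmbd aborts"))
        elif wins_ip and not yes(c, 'wins support') and c.get('wins server') != wins_ip:
            out.append((host, "'wins server' should be %s" % wins_ip))
        if yes(c, 'wins proxy'):
            out.append((host, "'wins proxy = yes' is not useful; hand clients the WINS server via DHCP"))
        for key in ('remote announce', 'remote browse sync'):
            for entry in c.get(key, '').split():
                if entry.split('/')[0].endswith('.255'):   # /24 subnet broadcast, as in the thread
                    out.append((host, '%s: %s is a broadcast address; over a routed tunnel use %s' % (key, entry, wins_ip)))
    return out

# Constructed samples: only the cross-subnet lines of the thread's two smb.conf files.
HEADOFFICE = """[ global]
interfaces = 192.168.0.1 127.0.0.1
remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
remote browse sync = 192.168.1.255 192.168.2.255
wins support = yes
"""
REMOTE1 = """[global]
interfaces = 192.168.1.254 127.0.0.1
wins server = 192.168.0.1
wins proxy = yes
"""

def lint_thread_configs():
    return lint_browsing({'HEADOFFICE': parse_global(HEADOFFICE), 'REMOTE1': parse_global(REMOTE1)})
```

Run against the thread's two files it reports the four broadcast-addressed entries on HEADOFFICE and the WINS proxy on REMOTE1, and nothing once REMOTE1 announces to 192.168.0.1/NEWDOM instead.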