[Samba] Cross subnet browsing + vpn

Quinn Fissler qfissler at gmail.com
Mon Jul 12 06:06:12 MDT 2010 

If you have fixed IPs (or static DNS leases), one way round this is to
populate %SystemRoot%\system32\drivers\etc\lmhosts on the Windows client.

I look forward to seeing any other solutions here :-)


On 6 July 2010 13:07, <jpb at oss4all.plus.com> wrote:

> Hi All,
>
> I'm having a problem with cross subnet browsing and name resolution across
> an openvpn tunnel. i've found quite a few people who've had the same on
> mail lists but none of their fixes have worked. The spec of the setups at
> both ends of the tunnel are as follows:
>
> OS - CentOS 5.5
> Samba Version 3.5.4
> OpenVPN Version 2.0.9-1
>
> Each server is configured in gateway mode with two NICS, one to the lan
> and the other to a modem/router.  The first machine, HEADOFFICE, has an
> internal IP address of
> 192.168.0.1 and an external of 192.168.10.4.  The second machine, REMOTE1,
> has an internal address of 192.168.1.254 and an external of 192.168.20.4.
>
> On openVPN, I have configured client to client and routes and iroutes to
> allow machines on each network to ping machines at the other end as well
> as the server IP's.
> So far so good and I can ping any machine on either subnet from anywhere
> and get a reply.  The servers are configured as Samba servers with the
> HEADOFFICE machine
> working as a PDC, DMC and WINS server and the REMOTE1 machine configured
> as a BDC and WINS proxy.  In order to maintain logon facilities in the
> event of broadband failure,
> I have replicated the LDAP server from HEADOFFICE to REMOTE1 and updates
> and password changes propogate successfully from one site to the other.
>
> If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works
> perfectly but trying to access REMOTE1 from HEADOFFICE and its subnet
> fails on name resolution while
> entering \\192.168.1.254\  brings up Windows Explorer and a list of shares.
>
> I've included the remote browse entries in smb.conf on the PDC and have
> WINS Proxying set up on the BDC but I can't get it to push REMOTE1's IP
> back to the WINS server.
> Port scanning the internal IP of each machine from the oher end of the
> tunnel returns a full set of open ports for the services I'm using but no
> IP.
>
> If anyone can spot what I'm doing wrong I'd be grateful.
>
> Thanks.
>
> ################     smb.conf - HEADOFFICE    ################
> ###  Included 2nd subnet for second remote site in browse sync
>
> [ global]
>        workgroup = NEWDOM
>        netbios name = HEADOFFICE
>        security = user
>        enable privileges = yes
>        interfaces = 192.168.0.1 127.0.0.1
> #       hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
> 194.168.2.0/255.255.255.0 127.0.0.1
>        remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
>        remote browse sync = 192.168.1.255 192.168.2.255
>        wins support = yes
>        name resolve order = wins hosts bcast
>        username map = /etc/samba/smbusers
>        server string = Samba Server %v
>        encrypt passwords = Yes
>        ldap ssl = no
>        unix password sync = yes
>        ldap passwd sync = no
>        passwd program = /usr/sbin/smbldap-passwd -u "%u"
>        passwd chat = "Changing *\nNew password*" %n\n "*Retype new
> password*" %n\n"
>
> #        public = yes
> #        browseable = yes
> #        lm announce = yes
> #        browse list = yes
> #        auto services = yes
>
>        log level = 3
>        syslog = 0
>        log file = /var/log/samba/log.%U
>        max log size = 100000
>        time server = Yes
>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>        mangling method = hash2
>        Dos charset = 850
>        Unix charset = ISO8859-1
>
>        local master = Yes
>        domain logons = Yes
>        domain master = Yes
>        os level = 65
>        preferred master = Yes
>        wins support = yes
>
>        passdb backend = ldapsam:ldap://127.0.0.1
>        ldap admin dn = cn=Manager,dc=newdom,dc=ldm
>        ldap suffix = dc=newdom,dc=ldm
>        ldap group suffix = ou=Groups
>        ldap user suffix = ou=Users
>        ldap machine suffix = ou=Computers
>        ldap idmap suffix = ou=Idmap
>
>        add user script = /usr/sbin/smbldap-useradd -m "%u"
>        ldap delete dn = Yes
>        delete user script = /usr/sbin/smbldap-userdel "%u"
>        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>        add group script = /usr/sbin/smbldap-groupadd -p "%g"
>        #delete group script = /usr/sbin/smbldap-groupdel "%g"
>        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
> "%g"
>        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>
> [shared]
>        comment = shared directory
>        path = /dat
>        browseable = yes
>        read only = no
>        create mask = 0660
>        directory mask = 0770
>
>
> ############ smb.conf - REMOTE1   #############################
>
> [global]
>        workgroup = NEWDOM
>        netbios name = REMOTE1
>        security = user
>        enable privileges = yes
>        interfaces = 192.168.1.254 127.0.0.1
> #        hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
> 10.8.0.0/24 127.0.0.1
>        wins server = 192.168.0.1
>        wins proxy = yes
>        username map = /etc/samba/smbusers
>        name resolve order  = wins bcast hosts
>        server string = Samba Server %v
>        encrypt passwords = Yes
>        ldap ssl = no
>        unix password sync = yes
>        ldap passwd sync = no
>        passwd program = /usr/sbin/smbldap-passwd -u "%u"
>        passwd chat = "Changing *\nNew password*" %n\n "*Retype new
> password*" %n\n"
>
>        log level = 0
>        syslog = 0
>        log file = /var/log/samba/log.%U
>        max log size = 100000
>        time server = Yes
>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>        mangling method = hash2
>        Dos charset = 850
>        Unix charset = ISO8859-1
>
>        local master = Yes
>        domain logons = Yes
>        domain master = no
>        os level = 40
>        preferred master = no
>
>        passdb backend = ldapsam:ldap://127.0.0.1
>        ldap admin dn = cn=Manager,dc=newdom,dc=ldm
>        ldap suffix = dc=newdom,dc=ldm
>        ldap group suffix = ou=Groups
>        ldap user suffix = ou=Users
>        ldap machine suffix = ou=Computers
>        ldap idmap suffix = ou=Idmap
>
>        add user script = /usr/sbin/smbldap-useradd -m "%u"
>        ldap delete dn = Yes
>        delete user script = /usr/sbin/smbldap-userdel "%u"
>        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>        add group script = /usr/sbin/smbldap-groupadd -p "%g"
>        delete group script = /usr/sbin/smbldap-groupdel "%g"
>        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
> "%g"
>        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>
> [test]
>      comment = test share
>      path = /test
>      browseable = yes
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list