--- Original message ---
Subject: Re: [Samba] Cross subnet browsing + OpenVPN
From: Robert Schetterer <rob...@schetterer.org>
To: <samba@lists.samba.org>
Date: Friday, 09/07/2010  3:05 AM

On 09.07.2010 11:37, Julian Pilfold-Bagwell wrote:

Sorry about the delay, family emergency to deal with.
browse sync shares the info across them.  I tried putting the specific
IP addresses of the local master browsers into the browse sync but it
still doesn't seem to spread everything across all the subnets.

You should use tap interfaces with OpenVPN.

This is a matter of network design, and has nothing to do whatsoever with the issue at hand. Further:

Server configuration file

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key

Client configuration file

remote myremote.mydomain
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
From:

http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html

Which makes for a nice network to network setup for two locations connected via a wan link.

Why not shift the discussion to whether we should use IPsec and racoon instead of OpenVPN, or perhaps we should scrap all that and argue that he should be using Cisco VPN gateways altogether?

GUH!

From what I understand, the remote announce tells the WINS server to
broadcast across the remote subnets and remote

On 06/07/10 13:50, t...@tms3.com wrote:

SNIP

Hi All,

I'm having a problem with cross subnet browsing and name resolution
across an OpenVPN tunnel. I've found quite a few people who've had the
same on mail lists but none of their fixes have worked. The specs of the
setups at both ends of the tunnel are as follows:
"remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
 remote browse sync = 192.168.1.255 192.168.2.255"

This looks odd to me.

remote announce = <wins server ip>/<DOMNAME>
remote browse sync = <wins server ip>

NEEDED in both smb.conf

wins server = <wins server ip>

Can't remember default for this setting sooooo

enhanced browsing = Yes

in both smb.conf


DHCP should point clients to headoffice for WINS.  WINS proxy is not
useful.



OS - CentOS 5.5
Samba Version 3.5.4
OpenVPN Version 2.0.9-1

Each server is configured in gateway mode with two NICs, one to the LAN
and the other to a modem/router. The first machine, HEADOFFICE, has an
internal IP address of 192.168.0.1 and an external of 192.168.10.4. The
second machine, REMOTE1, has an internal address of 192.168.1.254 and an
external of 192.168.20.4.

On OpenVPN, I have configured client-to-client and routes and iroutes to
allow machines on each network to ping machines at the other end as well
as the server IPs. So far so good and I can ping any machine on either
subnet from anywhere and get a reply. The servers are configured as Samba
servers with the HEADOFFICE machine working as a PDC, DMC and WINS server
and the REMOTE1 machine configured as a BDC and WINS proxy. In order to
maintain logon facilities in the event of broadband failure, I have
replicated the LDAP server from HEADOFFICE to REMOTE1 and updates and
password changes propagate successfully from one site to the other.

If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works
perfectly but trying to access REMOTE1 from HEADOFFICE and its subnet
fails on name resolution, while entering \\192.168.1.254\ brings up
Windows Explorer and a list of shares.

I've included the remote browse entries in smb.conf on the PDC and have
WINS proxying set up on the BDC but I can't get it to push REMOTE1's IP
back to the WINS server. Port scanning the internal IP of each machine
from the other end of the tunnel returns a full set of open ports for the
services I'm using but no IP.

If anyone can spot what I'm doing wrong I'd be grateful.

Thanks.

################ smb.conf - HEADOFFICE ################
### Included 2nd subnet for second remote site in browse sync

[global]
    workgroup = NEWDOM
    netbios name = HEADOFFICE
    security = user
    enable privileges = yes
    interfaces = 192.168.0.1 127.0.0.1
    # hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0 194.168.2.0/255.255.255.0 127.0.0.1
    remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
    remote browse sync = 192.168.1.255 192.168.2.255
    wins support = yes
    name resolve order = wins hosts bcast
    username map = /etc/samba/smbusers
    server string = Samba Server %v
    encrypt passwords = Yes
    ldap ssl = no
    unix password sync = yes
    ldap passwd sync = no
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

    # public = yes
    # browseable = yes
    # lm announce = yes
    # browse list = yes
    # auto services = yes

    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    local master = Yes
    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes

    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=Manager,dc=newdom,dc=ldm
    ldap suffix = dc=newdom,dc=ldm
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap

    add user script = /usr/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    #delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

[shared]
    comment = shared directory
    path = /dat
    browseable = yes
    read only = no
    create mask = 0660
    directory mask = 0770


############ smb.conf - REMOTE1 #############################

[global]
    workgroup = NEWDOM
    netbios name = REMOTE1
    security = user
    enable privileges = yes
    interfaces = 192.168.1.254 127.0.0.1
    # hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.8.0.0/24 127.0.0.1
    wins server = 192.168.0.1
    wins proxy = yes
    username map = /etc/samba/smbusers
    name resolve order = wins bcast hosts
    server string = Samba Server %v
    encrypt passwords = Yes
    ldap ssl = no
    unix password sync = yes
    ldap passwd sync = no
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    local master = Yes
    domain logons = Yes
    domain master = no
    os level = 40
    preferred master = no

    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=Manager,dc=newdom,dc=ldm
    ldap suffix = dc=newdom,dc=ldm
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap

    add user script = /usr/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

[test]
    comment = test share
    path = /test
    browseable = yes


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
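Added example, not code from anyone in this thread: a small Python linter that re-reads trimmed, constructed copies of the two [global] sections posted above and flags the settings the replies argue about. It reports the directed-broadcast targets (x.y.z.255) in "remote announce" and "remote browse sync", which a routed tun link does not deliver onto the far LAN, notes that "wins proxy" answers local broadcast queries and has nothing to do with registering REMOTE1's names, and also catches one thing the "NEEDED in both smb.conf" advice would produce on HEADOFFICE: setting "wins server" on a host that already has "wins support = yes" is rejected by testparm and nmbd. The HEADOFFICE_FIXED fragment is an assumption that follows the unicast advice, treating 192.168.1.254 (REMOTE1) as the remote site's local master browser; the .255 test assumes the /24 subnets the thread describes.

```python
"""Lint WINS/browsing settings in smb.conf [global] sections (added example)."""
from __future__ import annotations

import ipaddress

# Constructed, trimmed copy of the HEADOFFICE [global] section from the thread.
HEADOFFICE_CONF = """
[ global]
    workgroup = NEWDOM
    netbios name = HEADOFFICE
    interfaces = 192.168.0.1 127.0.0.1
    # hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
    remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
    remote browse sync = 192.168.1.255 192.168.2.255
    wins support = yes
    name resolve order = wins hosts bcast
    log file = /var/log/samba/log.%U
    local master = Yes
    domain master = Yes
    wins support = yes
"""

# Constructed, trimmed copy of the REMOTE1 [global] section from the thread.
REMOTE1_CONF = """
[global]
    workgroup = NEWDOM
    netbios name = REMOTE1
    interfaces = 192.168.1.254 127.0.0.1
    wins server = 192.168.0.1
    wins proxy = yes
    name resolve order = wins bcast hosts
    local master = Yes
    domain master = no
"""

# Assumed unicast variant: 192.168.1.254 taken as REMOTE1's local master browser.
HEADOFFICE_FIXED = """
[global]
    workgroup = NEWDOM
    netbios name = HEADOFFICE
    remote announce = 192.168.1.254/NEWDOM
    remote browse sync = 192.168.1.254
    wins support = yes
    domain master = Yes
"""


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal smb.conf reader: [sections], 'key = value', '#'/';' comment lines
    and backslash continuations. Section names are stripped ('[ global]' is
    'global'), keys are lower-cased and space-normalised, and a repeated key
    keeps its last value, which is what Samba does."""
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_directed_broadcast(addr: str) -> bool:
    """True for an IPv4 target ending in .255 (assumes /24 subnets)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and ip.packed[-1] == 0xFF


def is_true(value: str | None) -> bool:
    return (value or "").strip().lower() in {"yes", "true", "1"}


def lint_browsing(conf: dict[str, dict[str, str]]) -> list[str]:
    """One finding per questionable [global] setting; an empty list is clean."""
    g = conf.get("global", {})
    findings: list[str] = []
    if is_true(g.get("wins support")) and g.get("wins server"):
        findings.append("wins support = yes together with wins server: testparm "
                        "reports an error and nmbd refuses to run with both set")
    for key in ("remote announce", "remote browse sync"):
        for token in g.get(key, "").split():
            target = token.split("/", 1)[0]        # strip the /WORKGROUP suffix
            if is_directed_broadcast(target):
                findings.append(f"{key}: {target} is a directed broadcast; routers "
                                "and a routed (tun) VPN do not forward it onto the "
                                "far LAN, use the remote master browser's unicast IP")
    if is_true(g.get("wins proxy")):
        findings.append("wins proxy = yes only answers broadcast name queries from "
                        "local clients; registering this host with WINS comes from "
                        "'wins server', not from the proxy")
    return findings


if __name__ == "__main__":
    for name, text in (("HEADOFFICE", HEADOFFICE_CONF), ("REMOTE1", REMOTE1_CONF),
                       ("HEADOFFICE (unicast)", HEADOFFICE_FIXED)):
        findings = lint_browsing(parse_smb_conf(text))
        print(f"{name}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

After changing the targets, the checks worth running on the real hosts are `testparm -s` on both (it is what reports the wins support/wins server clash) and, from HEADOFFICE, `nmblookup -U 192.168.0.1 -R REMOTE1` to confirm the WINS database actually holds REMOTE1's registration before chasing browse-list synchronisation.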