--- Original message ---
Subject: [Samba] WG: Cross subnet browsing + OpenVPN
From: Daniel Müller <muel...@tropenklinik.de>
To: <samba@lists.samba.org>
Date: Sunday, 11/07/2010 11:39 PM
Hi,
Robert Schetterer is right. You will succeed in the end with tap
bridging.
Bridiging does netbios reach trough.
You will achieve it either way. The TYPE of VPN is not relevant.
There was a discussion a while back regarding SE Linux and netbios. I
would check those settings.
I did this with two XP-Clients 2 Nics build at each a bridge:
Both the remote and the local Clients must be in the same subnet.
My openvpn.conf:
Client or server
dev tap
dev-node TAB
proto udp
remote XXXXXXXXXXXX 1194
resolv-retry infinite
ca C:\\ca.crt
cert C:\\client1.crt
key C:\\client1.key
ns-cert-type server
verb 6
# Silence repeating messages
script-security 2
comp-lzo
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-tun
persist-key
route-delay 10
On CENTOS look here:
http://csmorley.spaces.live.com/blog/cns!990C0A249621766!184.entry
Greetings
-----------------------------------------------
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: http://www.tropenklinik.de
-----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] Im
Auftrag von Robert Schetterer
Gesendet: Freitag, 9. Juli 2010 17:26
An: t...@tms3.com
Cc: samba@lists.samba.org
Betreff: Re: [Samba] Cross subnet browsing + OpenVPN
Am 09.07.2010 14:42, schrieb t...@tms3.com:
--- Original message ---
*Subject:* Re: [Samba] Cross subnet browsing + OpenVPN
*From:* Robert Schetterer <rob...@schetterer.org>
*To:* <samba@lists.samba.org>
*Date:* Friday, 09/07/2010 3:05 AM
Am 09.07.2010 11:37, schrieb Julian Pilfold-Bagwell:
Sorry about the delay, family emergency to deal with.
browse sync shares the info across them. I tried putting the specific
IP addresses of the local master browsers into the browse sync but it
still doesn't seem to spread everything across all the subnets.
you should use tap interfaces with openvpn
This is a matter of network design, and has nothing to do whatsoever
with the issue at hand. Further:
i used samba with subnet browsing years ago
it dont worked with tun interfaces, it must have been tab interfaces
additional right samba setup
times may changed, samba and openvpn changed
but simply try it does not cost anything
my setup was
bdc--internalnet--firewall--(tunnel)--firewall--internalnet--pdc
i had samba on the firewalls to bind to tab tunnel interfaces
as wins proxy
the pdc was the wins server, bdc as wins proxy and directed browsing
to
pdc, all clients did got well configured parameters per dhcp
additional there was a working dns which matched dynamicly wins
anyway times may change , and there are better solutions now
but this one worked stable an robust
read samba faqs wins and subnet browsing etc
good luck
Server configuration file
*dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key*
Client configuration file
*remote myremote.mydomain
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key*
From:
http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-stat
ic-key-mini-howto.html
Which makes for a nice network to network setup for two locations
connected via a wan link.
Why not shift the discussion to weather we should use IPSEC and racoon
instead of OpenVPN, or perhaps we should scrap all that and argue that
he should be using Cisco vpn gateways altogether?
GUH!
**
From what I understand, the remote announce tells the WINS server to
broadcast across the remote subnets and remote
On 06/07/10 13:50, t...@tms3.com wrote:
SNIP
Hi All,
I'm having a problem with cross subnet browsing and name resolution
across
an openvpn tunnel. i've found quite a few people who've had the same
on
mail lists but none of their fixes have worked. The spec of the
setups at
both ends of the tunnel are as follows:
"remote announce = 192.168.2.255/NEWDOM
192.168.1.255/NEWDOM
remote browse sync = 192.168.1.255
192.168.2.255"
This looks odd to me.
remote announce = <wins server ip>/<DOMNAME>
remote browse sync = <wins server ip>
NEEDED in both smb.conf
wins server = <wins server ip>
Can't remember default for this setting sooooo
enhanced browsing = Yes
in both smb.conf
DHCP should point clients to headoffice for WINS. WINS proxy is not
useful.
OS - CentOS 5.5
Samba Version 3.5.4
OpenVPN Version 2.0.9-1
Each server is configured in gateway mode with two NICS, one to the
lan
and the other to a modem/router. The first machine, HEADOFFICE, has an
internal IP address of
192.168.0.1 and an external of 192.168.10.4. The second machine,
REMOTE1,
has an internal address of 192.168.1.254 and an external of
192.168.20.4.
On openVPN, I have configured client to client and routes and
iroutes to
allow machines on each network to ping machines at the other end as
well
as the server IP's.
So far so good and I can ping any machine on either subnet from
anywhere
and get a reply. The servers are configured as Samba servers with the
HEADOFFICE machine working as a PDC, DMC and WINS server and the
REMOTE1
machine configured as a BDC and WINS proxy. In order to
maintain
logon
facilities in the event of broadband failure,
I have replicated the LDAP server from HEADOFFICE to REMOTE1 and
updates
and password changes propogate successfully from one site to the
other.
If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it
works
perfectly but trying to access REMOTE1 from HEADOFFICE and its subnet
fails on name resolution while
entering \\192.168.1.254\ brings up Windows Explorer and a list of
shares.
I've included the remote browse entries in smb.conf on the PDC and
have
WINS Proxying set up on the BDC but I can't get it to push REMOTE1's
IP
back to the WINS server.
Port scanning the internal IP of each machine from the oher end of the
tunnel returns a full set of open ports for the services I'm using
but no
IP.
If anyone can spot what I'm doing wrong I'd be grateful.
Thanks.
################ smb.conf - HEADOFFICE ################
### Included 2nd subnet for second remote site in browse sync
[ global]
workgroup = NEWDOM
netbios name = HEADOFFICE
security = user
enable privileges = yes
interfaces = 192.168.0.1 127.0.0.1
# hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
194.168.2.0/255.255.255.0 127.0.0.1
remote announce = 192.168.2.255/NEWDOM
192.168.1.255/NEWDOM
remote browse sync = 192.168.1.255
192.168.2.255
wins support = yes
name resolve order = wins hosts bcast
username map = /etc/samba/smbusers
server string = Samba Server %v
encrypt passwords = Yes
ldap ssl = no
unix password sync = yes
ldap passwd sync = no
passwd program = /usr/sbin/smbldap-passwd -u
"%u"
passwd chat = "Changing *\nNew password*"
%n\n "*Retype
new
password*" %n\n"
# public = yes
# browseable = yes
# lm announce = yes
# browse list = yes
# auto services = yes
log level = 3
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
local master = Yes
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=newdom,dc=ldm
ldap suffix = dc=newdom,dc=ldm
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd
-m "%u"
ldap delete dn = Yes
delete user script =
/usr/sbin/smbldap-userdel "%u"
add machine script =
/usr/sbin/smbldap-useradd -t 0 -w
"%u"
add group script = /usr/sbin/smbldap-groupadd
-p "%g"
#delete group script =
/usr/sbin/smbldap-groupdel "%g"
add user to group script =
/usr/sbin/smbldap-groupmod -m
"%u" "%g"
delete user from group script =
/usr/sbin/smbldap-groupmod
-x "%u"
"%g"
set primary group script =
/usr/sbin/smbldap-usermod -g
'%g' '%u'
[shared]
comment = shared directory
path = /dat
browseable = yes
read only = no
create mask = 0660
directory mask = 0770
############ smb.conf - REMOTE1 #############################
[global]
workgroup = NEWDOM
netbios name = REMOTE1
security = user
enable privileges = yes
interfaces = 192.168.1.254 127.0.0.1
# hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
10.8.0.0/24 127.0.0.1
wins server = 192.168.0.1
wins proxy = yes
username map = /etc/samba/smbusers
name resolve order = wins bcast hosts
server string = Samba Server %v
encrypt passwords = Yes
ldap ssl = no
unix password sync = yes
ldap passwd sync = no
passwd program = /usr/sbin/smbldap-passwd -u
"%u"
passwd chat = "Changing *\nNew password*"
%n\n "*Retype
new
password*" %n\n"
log level = 0
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
local master = Yes
domain logons = Yes
domain master = no
os level = 40
preferred master = no
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=newdom,dc=ldm
ldap suffix = dc=newdom,dc=ldm
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd
-m "%u"
ldap delete dn = Yes
delete user script =
/usr/sbin/smbldap-userdel "%u"
add machine script =
/usr/sbin/smbldap-useradd -t 0 -w
"%u"
add group script = /usr/sbin/smbldap-groupadd
-p "%g"
delete group script =
/usr/sbin/smbldap-groupdel "%g"
add user to group script =
/usr/sbin/smbldap-groupmod -m
"%u" "%g"
delete user from group script =
/usr/sbin/smbldap-groupmod
-x "%u"
"%g"
set primary group script =
/usr/sbin/smbldap-usermod -g
'%g' '%u'
[test]
comment = test share
path = /test
browseable = yes
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
