Hi all!

This is a repost to this list, hoping to draw some extra attention because I got NO reply whatsoever to the original posting :( I would really appreciate it if someone could comment on which of the two strategies described below is best.

I am having some trouble with a samba domain distributed over 2 subnets (192.168.0.0/23 (supernetted) & 192.168.4.0/24). These subnets are linked over the internet through an IPSec gateway-to-gateway (network-to-network) connection (i.e. all machines can reach/ping each other on both subnets). The samba PDC (with LDAP backend) has IP 192.168.0.4 and there is a BDC (LDAP slave) in the other subnet at IP 192.168.4.2.

The problem is that login of the WinXP clients on the 192.168.4.0/24 subnet is really slow and I suspect this is caused by data getting sent through the (relatively slow) IPSec connection while this is not necessary because the BDC should offer all services (like authentication and profiles/homedirs).

Until recently I had these settings on the PDC in the smb.conf:

    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes

and this on the BDC:

    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = No
    wins support = No
    wins server = 192.168.0.4

All machines in both subnets would get 192.168.0.4 (PDC) as WINS server from the dhcp server. However, as stated before, this works very slowly. Does anyone know if this is actually a good approach and the slowness is caused by something else?

Anyway, I read in a previous posting to this list (and the manual) that it's possible to use remote browse sync to sync the browse lists. So I decided to change the strategy and configure the PDC as below:

    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    remote browse sync = 192.168.4.2

and the BDC as below:

    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = No
    wins support = Yes
    remote browse sync = 192.168.0.4

And with this setup the machines in the 192.168.0.0/23 subnet are getting 192.168.0.4 as WINS server and the machines in the 192.168.4.0/24 subnet 192.168.4.2.

After restarting samba the PDC shows this in the log.nmbd:

    [2005/09/22 16:51:38, 0] nmbd/nmbd_browsesync.c:get_domain_master_name_node_status_fail(488)
      get_domain_master_name_node_status_fail:
      Doing a node status request to the domain master browser at IP 10.0.1.10 failed.
      Cannot get workgroup name.

I don't really understand where the 10.0.1.10 comes from as that machine has no routing/interface configured for such a subnet.

At the BDC side the log.nmbd shows:

    [2005/09/22 15:55:47, 0] nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(353)
      find_domain_master_name_query_fail:
      Unable to find the Domain Master Browser name DOMAIN<1b> for the workgroup DOMAIN.
      Unable to sync browse lists in this workgroup.

And indeed the browse lists on both subnets do not show each other's machines. Does anyone know what I am doing wrong here?

Thanks!
Jonathan
Jonathan Salomon wrote:
> Hi all!
>
> This is a repost to this list, hoping to draw some extra attention
> because I got NO reply whatsoever to the original posting :( I would
> really appreciate it if someone could comment on which of the two strategies
> described below is best.
>
> I am having some trouble with a samba domain distributed over 2 subnets
> (192.168.0.0/23 (supernetted) & 192.168.4.0/24). These subnets are
> linked over the internet through an IPSec gateway-to-gateway (network-to-
> network) connection (i.e. all machines can reach/ping each other on both
> subnets). The samba PDC (with LDAP backend) has IP 192.168.0.4 and there
> is a BDC (LDAP slave) in the other subnet at IP 192.168.4.2.
>
> The problem is that login of the WinXP clients on the 192.168.4.0/24
> subnet is really slow and I suspect this is caused by data getting sent
> through the (relatively slow) IPSec connection while this is not
> necessary because the BDC should offer all services (like authentication
> and profiles/homedirs).

If ipsec is correctly configured, you can treat it as a simple multihomed router. It's not a cut and dried, one size fits all solution.

Multiple WINS servers only work where they replicate their data on some schedule. Someone correct me if I'm wrong, but there are no samba configuration options for replication between samba servers. There have been posts about using rsync on browse.dat but I never went that road.

My own experience with an MS NT40 domain was that if the PDC was unreachable, not much worked well even though a BDC was available. If the WAN was down for a sufficient amount of time, promote the BDC to a PDC. This only worked well where each BDC had its own WINS server and replicated the data. Reconnecting the WAN meant demoting the temporary PDC back to BDC status. Never did that with samba, but with MS servers. Pretty complicated what with RID master data and everything.

One WINS server that every machine points to is the easiest to maintain, but puts the domain at the mercy of the WAN. With the BDC backend LDAP a slave, you've got multiple sync issues and probably your best bet is the one WINS server, every other machine pointed to it. Then work on the speed and WAN reliability as separate functions.

Profiles and home dirs are set per user using User Manager for Domains. Providing users stay on their respective side of the WAN, one can eliminate dragging data across the WAN by setting the user to use only shares on the samba server on their respective side. Get users used to the concept of dragging file contents across the WAN before editing and then dragging them back when they're done, where possible.

Regards,
Doug
Hi,

I know a lot of cross-subnet browsing in an ipsec environment stem(?) from the MTU settings for your connection. I know I have to turn it down to around 1200 to be sure all data arrives on the other end. All the symptoms (slow logins etc) point at it.

Regards,
Bolke
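A small diagnostic script, added here and not from anyone in this thread, that checks the two things raised above: whether each WINS server can resolve the domain master browser name DOMAIN<1b> that the BDC's nmbd reported missing, and what packet size survives the IPsec tunnel with don't-fragment set (Bolke's MTU point). It assumes Samba's nmblookup, Linux iputils ping, and the WINS addresses and workgroup from Jonathan's post.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Samba's nmblookup and Linux
# iputils ping; WINS addresses and workgroup are taken from the posting.
WINS_PDC=192.168.0.4
WINS_BDC=192.168.4.2
WORKGROUP=DOMAIN

# ICMP payload that yields a given IPv4 packet size: MTU minus the 20-byte
# IP header and the 8-byte ICMP header.
icmp_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Extract the answering IP from nmblookup output such as
# "192.168.0.4 DOMAIN<1b>"; prints nothing when the lookup failed
# ("name_query failed to find name DOMAIN#1b").
dmb_ip_from_lookup() {
    printf '%s\n' "$1" | awk '/<1b>/ { print $1; exit }'
}

# Ask one WINS server for the domain master browser name (type 1b),
# which is exactly the name nmbd on the BDC could not find.
probe_dmb_via() {            # $1 = WINS server
    out=$(nmblookup -U "$1" -R "${WORKGROUP}#1b" 2>/dev/null)
    ip=$(dmb_ip_from_lookup "$out")
    if [ -n "$ip" ]; then
        echo "WINS $1: ${WORKGROUP}<1b> -> $ip"
    else
        echo "WINS $1: ${WORKGROUP}<1b> NOT FOUND (browse sync will fail)"
    fi
}

# Send don't-fragment pings of decreasing size through the tunnel to find
# the largest packet that gets through; a result well under 1500 means the
# IPsec overhead is forcing fragmentation or silent drops.
probe_path_mtu() {           # $1 = host on the far subnet
    for mtu in 1500 1400 1300 1200 1100; do
        if ping -c1 -W2 -M do -s "$(icmp_payload_for_mtu "$mtu")" "$1" >/dev/null 2>&1; then
            echo "path MTU to $1 >= $mtu"; return 0
        fi
    done
    echo "no DF ping of 1100 bytes or more reached $1"; return 1
}

# Network probes only run when invoked as: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    probe_dmb_via "$WINS_PDC"; probe_dmb_via "$WINS_BDC"
    probe_path_mtu "$WINS_BDC"
fi
```

Run it from a machine on the 192.168.0.0/23 side; if the BDC's WINS answers NOT FOUND for DOMAIN<1b>, the browse-sync failure in log.nmbd is a name-resolution problem rather than a tunnel problem.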