What about your openvpn config? The tun net must have an entry in your hosts allow. If you work with bridging the remote network has to be the same subnet as the local!? Bridging is the best way to have a remote net integrated. I have one logging in from Berlin on my Samba domain.

Daniel

-----------------------------------------------
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Julian Pilfold-Bagwell
Sent: Tuesday, 6 July 2010 14:12
To: samba at lists.samba.org
Subject: [Samba] Cross subnet browsing + OpenVPN

Hi All,

I'm having a problem with cross subnet browsing and name resolution across an openvpn tunnel. I've found quite a few people who've had the same on mail lists but none of their fixes have worked. The spec of the setups at both ends of the tunnel are as follows:

OS - CentOS 5.5
Samba Version 3.5.4
OpenVPN Version 2.0.9-1

Each server is configured in gateway mode with two NICs, one to the LAN and the other to a modem/router. The first machine, HEADOFFICE, has an internal IP address of 192.168.0.1 and an external of 192.168.10.4. The second machine, REMOTE1, has an internal address of 192.168.1.254 and an external of 192.168.20.4.

On OpenVPN, I have configured client to client and routes and iroutes to allow machines on each network to ping machines at the other end as well as the server IPs. So far so good and I can ping any machine on either subnet from anywhere and get a reply. The servers are configured as Samba servers with the HEADOFFICE machine working as a PDC, DMC and WINS server and the REMOTE1 machine configured as a BDC and WINS proxy. In order to maintain logon facilities in the event of broadband failure, I have replicated the LDAP server from HEADOFFICE to REMOTE1 and updates and password changes propagate successfully from one site to the other.

If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works perfectly but trying to access REMOTE1 from HEADOFFICE and its subnet fails on name resolution, while entering \\192.168.1.254\ brings up Windows Explorer and a list of shares.

I've included the remote browse entries in smb.conf on the PDC and have WINS proxying set up on the BDC but I can't get it to push REMOTE1's IP back to the WINS server. Port scanning the internal IP of each machine from the other end of the tunnel returns a full set of open ports for the services I'm using but no IP.

If anyone can spot what I'm doing wrong I'd be grateful.

Thanks.

################ smb.conf - HEADOFFICE ################
### Included 2nd subnet for second remote site in browse sync

[ global]
    workgroup = NEWDOM
    netbios name = HEADOFFICE
    security = user
    enable privileges = yes
    interfaces = 192.168.0.1 127.0.0.1
    # hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0 194.168.2.0/255.255.255.0 127.0.0.1
    remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
    remote browse sync = 192.168.1.255 192.168.2.255
    wins support = yes
    name resolve order = wins hosts bcast
    username map = /etc/samba/smbusers
    server string = Samba Server %v
    encrypt passwords = Yes
    ldap ssl = no
    unix password sync = yes
    ldap passwd sync = no
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

    # public = yes
    # browseable = yes
    # lm announce = yes
    # browse list = yes
    # auto services = yes

    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    local master = Yes
    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes

    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=Manager,dc=newdom,dc=ldm
    ldap suffix = dc=newdom,dc=ldm
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap

    add user script = /usr/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    #delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

[shared]
    comment = shared directory
    path = /dat
    browseable = yes
    read only = no
    create mask = 0660
    directory mask = 0770

############ smb.conf - REMOTE1 #############################

[global]
    workgroup = NEWDOM
    netbios name = REMOTE1
    security = user
    enable privileges = yes
    interfaces = 192.168.1.254 127.0.0.1
    # hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.8.0.0/24 127.0.0.1
    wins server = 192.168.0.1
    wins proxy = yes
    username map = /etc/samba/smbusers
    name resolve order = wins bcast hosts
    server string = Samba Server %v
    encrypt passwords = Yes
    ldap ssl = no
    unix password sync = yes
    ldap passwd sync = no
    passwd program = /usr/sbin/smbldap-passwd -u "%u"
    passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    local master = Yes
    domain logons = Yes
    domain master = no
    os level = 40
    preferred master = no

    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=Manager,dc=newdom,dc=ldm
    ldap suffix = dc=newdom,dc=ldm
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap

    add user script = /usr/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

[test]
    comment = test share
    path = /test
    browseable = yes

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
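The replies in this thread boil down to a handful of smb.conf checks: Daniel's point that the tun subnet must appear in "hosts allow" (and, for nmbd, in "interfaces"), and tms3's point that "remote announce" / "remote browse sync" aimed at x.x.x.255 addresses are directed broadcasts whose delivery across a routed tunnel is not guaranteed. The following linter is an added example, not code from the posts or from Samba; it runs those checks over trimmed copies of the two posted [global] sections. It assumes the tunnel network is 10.8.0.0/24 (the subnet REMOTE1's commented-out "hosts allow" mentions), treats any .255 target as a broadcast (a heuristic that is exact for /24 LANs only), and encodes testparm's rule that "wins support = yes" and "wins server" cannot be set in the same file, which is why "wins server = <wins server ip>" belongs only on the non-WINS host, not "in both smb.conf".

```python
"""Lint smb.conf files for the browsing/WINS pitfalls raised in this thread.
Added example, not code from the original posts.  Assumptions: the OpenVPN
tun subnet is 10.8.0.0/24 and the sample configs below are trimmed copies
of the posted ones (constructed sample input)."""
import ipaddress
import re

TUNNEL_NET = "10.8.0.0/24"  # assumption: the OpenVPN tun network


def parse_smb_conf(text):
    """Tiny smb.conf parser -> {section: [(key, value), ...]}.
    Keeps duplicate keys in order (Samba uses the last one), skips '#'/';'
    comment lines and trims the whitespace in '[ global]'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.*)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def last(opts, key, default=""):
    """Value of the last occurrence of key, which is the one Samba honours."""
    vals = [v for k, v in opts if k == key]
    return vals[-1] if vals else default


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def token_in_net(tok, net):
    """True if an IP, CIDR or ip/netmask token lies inside net (names never match)."""
    try:
        return ipaddress.ip_network(tok, strict=False).subnet_of(net)
    except (ValueError, TypeError):
        return False


def lint(text, tunnel_net=TUNNEL_NET):
    """Return a list of findings for the [global] section of one smb.conf."""
    g = parse_smb_conf(text).get("global", [])
    tun = ipaddress.ip_network(tunnel_net)
    out = []

    # Daniel's point: when 'hosts allow' is set, the tunnel net must be listed,
    # otherwise smbd rejects every connection that arrives through the VPN.
    allow = last(g, "hosts allow")
    if allow and not any(token_in_net(t, tun) for t in allow.split()):
        out.append(f"hosts allow is set but does not include tunnel net {tun}")

    # nmbd only browses, registers and announces on 'interfaces'; without an
    # address on the tunnel there is no NetBIOS traffic on the VPN leg at all.
    ifaces = last(g, "interfaces")
    if ifaces and not any(token_in_net(t, tun) for t in ifaces.split()):
        out.append(f"interfaces has no address in tunnel net {tun}")

    # tms3's point: x.x.x.255 targets are directed broadcasts; whether they
    # reach the far LAN through a routed tun link depends on the gateways.
    # The unicast IP of the WINS server / remote master browser is safer.
    for key in ("remote announce", "remote browse sync"):
        for tok in last(g, key).split():
            addr = tok.split("/")[0]
            if addr.endswith(".255"):
                out.append(f"{key}: {addr} is a directed broadcast target")

    # testparm rejects this combination: a WINS server must not also be a
    # WINS client, so 'wins server' belongs only on the non-WINS host.
    if is_yes(last(g, "wins support", "no")) and last(g, "wins server"):
        out.append("wins support = yes and wins server are mutually exclusive")

    # tms3: hand clients the WINS server via DHCP instead of proxying.
    if is_yes(last(g, "wins proxy", "no")):
        out.append("wins proxy = yes: prefer pointing clients at the WINS server via DHCP")
    return out


# Trimmed copies of the two posted [global] sections (constructed sample input).
HEADOFFICE = """
[ global]
    workgroup = NEWDOM
    netbios name = HEADOFFICE
    interfaces = 192.168.0.1 127.0.0.1
    # hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0 127.0.0.1
    remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
    remote browse sync = 192.168.1.255 192.168.2.255
    wins support = yes
    domain master = Yes
    wins support = yes
"""
REMOTE1 = """
[global]
    workgroup = NEWDOM
    netbios name = REMOTE1
    interfaces = 192.168.1.254 127.0.0.1
    # hosts allow = 192.168.0.0/24 192.168.1.0/24 10.8.0.0/24 127.0.0.1
    wins server = 192.168.0.1
    wins proxy = yes
    domain master = no
"""

if __name__ == "__main__":
    for name, conf in (("HEADOFFICE", HEADOFFICE), ("REMOTE1", REMOTE1)):
        print(f"== {name}")
        for finding in lint(conf):
            print("  -", finding)
```

Run against the posted files it reports, for HEADOFFICE, that the tunnel is absent from "interfaces" and that all four remote announce / browse sync targets are directed broadcasts; for REMOTE1, the missing tunnel interface and the WINS proxy. Note that both "hosts allow" lines are commented out in the posted configs, so that particular check stays silent until one of them is enabled without 10.8.0.0/24.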
Hi,

Robert Schetterer is right. You will succeed in the end with tap bridging. Bridging does netbios reach through.

I did this with two XP clients, 2 NICs, built a bridge at each:
Both the remote and the local clients must be in the same subnet.

My openvpn.conf:

Client or server

dev tap
dev-node TAB
proto udp

remote XXXXXXXXXXXX 1194

resolv-retry infinite

ca C:\\ca.crt
cert C:\\client1.crt
key C:\\client1.key
ns-cert-type server
verb 6

# Silence repeating messages
script-security 2
comp-lzo
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-tun
persist-key
route-delay 10

On CENTOS look here:
http://csmorley.spaces.live.com/blog/cns!990C0A249621766!184.entry

Greetings

-----------------------------------------------
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Robert Schetterer
Sent: Friday, 9 July 2010 17:26
To: tms3 at tms3.com
Cc: samba at lists.samba.org
Subject: Re: [Samba] Cross subnet browsing + OpenVPN

On 09.07.2010 14:42, tms3 at tms3.com wrote:
>
>> --- Original message ---
>> *Subject:* Re: [Samba] Cross subnet browsing + OpenVPN
>> *From:* Robert Schetterer <robert at schetterer.org>
>> *To:* <samba at lists.samba.org>
>> *Date:* Friday, 09/07/2010 3:05 AM
>>
>> On 09.07.2010 11:37, Julian Pilfold-Bagwell wrote:
>>> Sorry about the delay, family emergency to deal with.
>>> browse sync shares the info across them. I tried putting the specific
>>> IP addresses of the local master browsers into the browse sync but it
>>> still doesn't seem to spread everything across all the subnets.
>>
>> you should use tap interfaces with openvpn
> This is a matter of network design, and has nothing to do whatsoever
> with the issue at hand. Further:

I used Samba with subnet browsing years ago.
It didn't work with tun interfaces, it had to be tap interfaces
plus the right Samba setup.
Times may have changed, Samba and OpenVPN changed,
but simply try it, it does not cost anything.

My setup was

bdc--internalnet--firewall--(tunnel)--firewall--internalnet--pdc

I had Samba on the firewalls bound to the tap tunnel interfaces
as WINS proxy.
The PDC was the WINS server, the BDC a WINS proxy with browsing directed
to the PDC; all clients got well-configured parameters via DHCP.
Additionally there was a working DNS which matched WINS dynamically.

Anyway, times may change, and there are better solutions now,
but this one worked stable and robust.

Read the Samba FAQs on WINS and subnet browsing etc.

Good luck

> Server configuration file
>
> *dev tun
> ifconfig 10.8.0.1 10.8.0.2
> secret static.key*
>
> Client configuration file
>
> *remote myremote.mydomain
> dev tun
> ifconfig 10.8.0.2 10.8.0.1
> secret static.key*
>
> From:
> http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
>
> Which makes for a nice network to network setup for two locations
> connected via a wan link.
>
> Why not shift the discussion to whether we should use IPSEC and racoon
> instead of OpenVPN, or perhaps we should scrap all that and argue that
> he should be using Cisco vpn gateways altogether?
>
> GUH!
>
>>> From what I understand, the remote announce tells the WINS server to
>>> broadcast across the remote subnets and remote
>>>
>>> On 06/07/10 13:50, tms3 at tms3.com wrote:
>>>> SNIP
>>>>> Hi All,
>>>>>
>>>>> I'm having a problem with cross subnet browsing and name resolution across
>>>>> an openvpn tunnel. I've found quite a few people who've had the same on
>>>>> mail lists but none of their fixes have worked. The spec of the setups at
>>>>> both ends of the tunnel are as follows:
>>>> "remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
>>>> remote browse sync = 192.168.1.255 192.168.2.255"
>>>>
>>>> This looks odd to me.
>>>>
>>>> remote announce = <wins server ip>/<DOMNAME>
>>>> remote browse sync = <wins server ip>
>>>>
>>>> NEEDED in both smb.conf
>>>>
>>>> wins server = <wins server ip>
>>>>
>>>> Can't remember default for this setting sooooo
>>>>
>>>> enhanced browsing = Yes
>>>>
>>>> in both smb.conf
>>>>
>>>> DHCP should point clients to headoffice for WINS. WINS proxy is not
>>>> useful.
>>>>>
>>>>> [SNIP -- the remainder of the quoted original post, including both smb.conf files, is identical to the copy above]

-- 
Best Regards

Kind regards, Robert Schetterer

Germany/Munich/Bavaria
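The tun-versus-tap argument above comes down to one bit in the NetBIOS name service header: a client's normal name query is a LAN broadcast (B flag set), which a routed tun link never carries, while a query to a WINS server is unicast with recursion requested, which crosses the tunnel like any other packet. That is the difference between what REMOTE1's LAN clients do by default and what "nmblookup -U 192.168.0.1 -R 'REMOTE1#20'" does. The code below is an added example, not code from this thread or from Samba: it builds both query forms, parses a positive reply, and can send the unicast query to a WINS server. The transaction id is arbitrary, REMOTE1 at 192.168.1.254 is taken from the original post, and SAMPLE_RESPONSE is a constructed reply for REMOTE1<20>, not a packet capture.

```python
"""NetBIOS Name Service (UDP/137) query builder and reply parser.
Added example, not code from this thread.  Assumptions: the transaction id
is arbitrary, REMOTE1 at 192.168.1.254 is the host from the original post,
and SAMPLE_RESPONSE is a constructed positive reply, not a capture."""
import socket
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001
FLAGS_QUERY_UNICAST = 0x0100    # opcode 0 (query), RD set, B clear: sent to a WINS server
FLAGS_QUERY_BROADCAST = 0x0110  # same plus the B bit (0x0010): LAN broadcast, never routed


def encode_name(name, suffix=0x20):
    """RFC 1001 first-level encoding: name space-padded to 15 bytes plus the
    suffix byte; each byte becomes two letters, 'A' + high nibble, 'A' + low nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0xF)) for b in raw)


def decode_name(encoded):
    """Inverse of encode_name; returns (name, suffix)."""
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_query(name, suffix=0x20, txid=0x1234, broadcast=False):
    """NAME QUERY REQUEST (RFC 1002 4.2.12): 12-byte header plus one question."""
    flags = FLAGS_QUERY_BROADCAST if broadcast else FLAGS_QUERY_UNICAST
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT = 1
    qname = bytes([32]) + encode_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", NB_TYPE, IN_CLASS)


def read_name(pkt, pos):
    """Read an RR_NAME at pos (full label or 0xC0xx pointer); returns (name, suffix, next_pos)."""
    if pkt[pos] & 0xC0 == 0xC0:
        target = struct.unpack(">H", pkt[pos:pos + 2])[0] & 0x3FFF
        name, suffix, _ = read_name(pkt, target)
        return name, suffix, pos + 2
    length = pkt[pos]
    name, suffix = decode_name(pkt[pos + 1:pos + 1 + length].decode("ascii"))
    pos += 1 + length
    while pkt[pos] != 0:          # skip NetBIOS scope labels, if any
        pos += 1 + pkt[pos]
    return name, suffix, pos + 1


def parse_response(pkt):
    """Parse a POSITIVE NAME QUERY RESPONSE.  Each address entry carries NB_FLAGS
    (group bit 0x8000, owner node type B/P/M in bits 0x6000) and an IPv4 address."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or flags & 0x000F or an < 1:
        raise ValueError("not a positive name query response (rcode=%d)" % (flags & 0xF))
    pos = 12
    for _ in range(qd):           # skip an echoed question section, if present
        pos += 1 + pkt[pos] + 1 + 4
    name, suffix, pos = read_name(pkt, pos)
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    if (rtype, rclass) != (NB_TYPE, IN_CLASS):
        raise ValueError("unexpected RR type/class")
    addresses = []
    for off in range(pos, pos + rdlen, 6):
        nb_flags = struct.unpack(">H", pkt[off:off + 2])[0]
        addresses.append((bool(nb_flags & 0x8000), (nb_flags >> 13) & 0x3,
                          socket.inet_ntoa(pkt[off + 2:off + 6])))
    return {"txid": txid, "name": name, "suffix": suffix, "ttl": ttl, "addresses": addresses}


def query_wins(wins_ip, name, suffix=0x20, timeout=3.0):
    """Equivalent of 'nmblookup -U <wins_ip> -R NAME#20': a unicast, recursive query.
    Needs the network; run it from HEADOFFICE's LAN against 192.168.0.1."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, suffix), (wins_ip, 137))
        data, _ = s.recvfrom(1024)
    return parse_response(data)


# Constructed sample: what a WINS server answers for REMOTE1<20> once the name
# is registered: response + AA + RD flags, ANCOUNT = 1, one unique P-node entry.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8500, 0, 1, 0, 0)
    + bytes([32]) + encode_name("REMOTE1").encode("ascii") + b"\x00"
    + struct.pack(">HHIH", NB_TYPE, IN_CLASS, 300000, 6)
    + struct.pack(">H", 0x2000) + socket.inet_aton("192.168.1.254")
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
```

If query_wins("192.168.0.1", "REMOTE1") from the HEADOFFICE side raises (a negative response or a timeout) while the same query for HEADOFFICE works from REMOTE1, the WINS database simply never received REMOTE1's registration, which matches the symptom in the original post: the share list appears by IP but not by name.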
> --- Original message ---
> Subject: [Samba] WG: Cross subnet browsing + OpenVPN
> From: Daniel Müller <mueller at tropenklinik.de>
> To: <samba at lists.samba.org>
> Date: Sunday, 11/07/2010 11:39 PM
>
> Hi,
> Robert Schetterer is right. You will succeed in the end with tap
> bridging.
> Bridging does netbios reach through.

You will achieve it either way. The TYPE of VPN is not relevant. There was a discussion a while back regarding SE Linux and netbios. I would check those settings.

> I did this with two XP clients, 2 NICs, built a bridge at each:
> Both the remote and the local clients must be in the same subnet.
>
> My openvpn.conf:
>
> [SNIP -- the remainder of the quoted message is identical to Daniel Müller's post above, including his openvpn.conf, Robert Schetterer's reply and the quoted original post]