I apologize since this is not strictly samba-related, but I thought some kind soul might be able to help.

I have a configuration that looks like this:

    NT clients \   .xx              .yyy       / WINS server
                }--NAT---"Ethernet cloud"-----{--misc. clients
    Samba ---- /                               \ PDC

I pointed the NT clients to the left of the NAT box (in the picture) to the WINS server, I also told Samba to act as a WINS proxy (shouldn't really be needed, but still). Now none of the NT clients are able to log in to the PDC, I get "domain controller not found." Once I log in to the NT clients locally, I can see the PDC in the "Network Neighborhood": I can browse its shares, etc. I can also use "smbclient" on the Samba box to talk to the PDC on the other side of the NAT just fine. I am a bit stumped for what to do next. Why can the NT clients see the PDC in the "network neighborhood", but not log in to it?

I tried running tcpdump on my NAT box, and I can see some UDP packets on netbios-dgm port being sent out to my NT PDC and BDC (so the WINS resolution appears to work, otherwise how would it find the IP address of the PDC and the BDC?) but the only UDP packets I see coming in from the NT BDC are occasional packets on netbios-ns port.

Does someone have ideas/suggestions on how I would troubleshoot this further? The biggest suspicion I have right now is routers might be doing something funny with the UDP packets. Is that likely? (After all, I can talk to the PDC OK from my Samba box, and browse its shares from NT clients).

--
Evgeny Roubinchtein, eroubinc@u.washington.edu
...................
RDLI: Rotate Disk Left Immediate

Evgeny Roubinchtein
1999-Sep-29 06:09 UTC
Problem understood -- Re: NAT + different subnets + NT domain = ???
I think I know what the problem is now. The NT client sends a bunch of UDP packets to the PDC. When the PDC sends a reply back, it apparently resolves the NetBIOS name to the IP address of the NT client. In my case, it does so through a WINS database. Unfortunately, the WINS database has the bogus, "behind-the-NAT-box" addresses of the NT clients in it, so the PDC's response gets sent to, for example, 192.168.1.3, which of course is unroutable, so it just gets dropped.

I ran tcpdump on the PDC's subnet, and actually saw some packets with those bogus destinations, so the only part I am inferring is the NetBIOS name to IP address resolution. I am not sure what the solution to this would be.

I would like to thank everyone for their suggestions and tips.

"
I really hate this damned machine
I wish that they would sell it.
It never does quite what I want
But only what I tell it.
"

On Tue, 28 Sep 1999, Evgeny Roubinchtein wrote:
>I apologize since this is not strictly samba-related, but I thought
>some kind soul might be able to help.
>
>I have a configuration that looks like this:
>
>
> NT clients \   .xx              .yyy       / WINS server
>             }--NAT---"Ethernet cloud"-----{--misc. clients
> Samba ---- /                               \ PDC
>
>I pointed the NT clients to the left of the NAT box (in the picture) to
>the WINS server, I also told Samba to act as a WINS proxy (shouldn't really
>be needed, but still). Now none of the NT clients are able to log in to
>the PDC, I get "domain controller not found." Once I log in to the NT
>clients locally, I can see the PDC in the "Network Neighborhood": I can
>browse its shares, etc. I can also use "smbclient" on the Samba box to
>talk to the PDC on the other side of the NAT just fine. I am a bit
>stumped for what to do next. Why can the NT clients see the PDC in the
>"network neighborhood", but not log in to it?
>
>I tried running tcpdump on
>my NAT box, and I can see some UDP packets on netbios-dgm port being sent
>out to my NT PDC and BDC (so the WINS resolution appears to work,
>otherwise how would it find the IP address of the PDC and the BDC?) but
>the only UDP packets I see coming in from the NT BDC are occasional
>packets on netbios-ns port.
>
>Does someone have ideas/suggestions on how I would troubleshoot this
>further? The biggest suspicion I have right now is routers might be doing
>something funny with the UDP packets. Is that likely? (After all, I can
>talk to the PDC OK from my Samba box, and browse its shares from NT
>clients).
>
>
>
>--
>Evgeny Roubinchtein, eroubinc@u.washington.edu
>...................
>RDLI: Rotate Disk Left Immediate
>

--
Evgeny Roubinchtein, eroubinc@u.washington.edu
...................
SPAT: Show Passwords on All Terminals
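
An added illustration, not part of the original thread: an RFC 1002 name registration carries the client's own address inside the NetBIOS payload (NB_ADDRESS), which a NAT box that rewrites only IP headers leaves untouched, and that would explain how addresses like 192.168.1.3 end up in the WINS database. The check below compares that payload address with the IP source seen on the far side of the NAT. The name NTCLIENT1, the address 198.51.100.10 and the sample packet are constructed.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def encode_nb_name(name, suffix=0x00):
    """First-level encode a NetBIOS name: 16 bytes become 32 letters 'A'..'P'."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return bytes([32]) + enc + b"\x00"

def build_registration(name, owner_ip):
    """Constructed sample: unicast NAME REGISTRATION REQUEST (opcode 5, RD set)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x2900, 1, 0, 0, 1)
    question = encode_nb_name(name) + struct.pack(">HH", 0x0020, 0x0001)
    rdata = struct.pack(">H", 0x0000) + ipaddress.IPv4Address(owner_ip).packed
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return header + question + rr

def parse_registration(payload):
    """Return (name, registered_ip) taken from the NetBIOS payload itself."""
    flags, qd, _an, _ns, ar = struct.unpack(">HHHHH", payload[2:12])
    if (flags >> 11) & 0x0F != 5 or qd != 1 or ar != 1:
        raise ValueError("not a name registration request")
    length = payload[12]                      # 32 for an encoded name
    enc = payload[13:13 + length]
    name = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                 for i in range(0, length, 2))
    off = 13 + length + 1 + 4                 # root label, QTYPE, QCLASS
    if payload[off] & 0xC0 != 0xC0:
        raise ValueError("expected compressed RR_NAME")
    off += 2
    _type, _class, _ttl, rdlen = struct.unpack(">HHIH", payload[off:off + 10])
    if rdlen < 6:
        raise ValueError("short NB RDATA")
    addr = payload[off + 12:off + 16]         # skip 2-byte NB_FLAGS
    return name[:15].decode("ascii").rstrip(), str(ipaddress.IPv4Address(addr))

def nat_leak(ip_src, payload):
    """Flag a registration whose payload address is private and differs from
    the IP header source seen by the observer (ip_src)."""
    name, registered = parse_registration(payload)
    private = any(ipaddress.IPv4Address(registered) in n for n in RFC1918)
    return name, registered, private and registered != ip_src

if __name__ == "__main__":
    pkt = build_registration("NTCLIENT1", "192.168.1.3")
    print(nat_leak("198.51.100.10", pkt))     # as seen beyond the NAT box
```
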