samba - Sep 2002 - UNICAST cross-subnet browsing, Port 445 vs. 139, and Win2k

I have been having a heck of a time getting cross subnet browsing to work
properly. After MANY hours hunting through source and debug logs, I have
FINALLY found the source of my browsing issues.

My Samba nmdb properly becomes the LMB for my segment on a WAN. I VPN to my
servers at the home office and Samba attempts to sync with the DMB. nmbd
properly locates the DMB via WINS over the UNICAST_SUBNET, then proceeds to
try and sync with it over port 445. The connection to port 445 works JUST
FINE. I get connected, the connection to IPC$ happens just fine and the
return from the cli_NetServerEnum calls for Domains and everything else
complete fine. The problem is the returned lists are empty !!! Debug logs
show: "sync with HOMEOFFICE(172.16.10.5) for workgroup GROUPXYZ completed
(0
records)". The dumped returned blocks show a correct return record, just
with nothing in it.

I tried the same thing from the command line using smbclient with the same
results:
----------------------------------------------------------------------------
--------
[root@farmboy /]# smbclient -p 445 -L HOMEOFFICE -U% -W GROUPXYZ
added interface ip=192.168.1.10 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 172.16.10.10 ( 172.16.10.5 )
Domain=[XXXX] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       Remote IPC
        JACKSON.log    Disk      "Exchange message tracking logs"
        Resources$     Disk      "Event logging files"
        NETLOGON       Disk      Logon server share
        CertConfig     Disk      Certificate Services configuration
        CertEnroll     Disk      Certificate Services share
        ADMIN$         Disk      Remote Admin
        SYSVOL         Disk      Logon server share
        C$             Disk      Default share
        Address        Disk      "Access to address objects"

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
[root@farmboy /]#
----------------------------------------------------------------------------
--------

However, force the cli_NetServerEnum calls to be on the OLD NMB port (139)
and everything works !!
----------------------------------------------------------------------------
------
[root@farmboy /]# smbclient -p 139 -L HOMEOFFICE -N -U% -W GROUPXYZ
added interface ip=192.168.1.10 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 172.16.10.10 ( 172.16.10.5 )
Domain=[XXXX] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       Remote IPC
        JACKSON.log    Disk      "Exchange message tracking logs"
        Resources$     Disk      "Event logging files"
        NETLOGON       Disk      Logon server share
        CertConfig     Disk      Certificate Services configuration
        CertEnroll     Disk      Certificate Services share
        ADMIN$         Disk      Remote Admin
        SYSVOL         Disk      Logon server share
        C$             Disk      Default share
        Address        Disk      "Access to address objects"

        Server               Comment
        ---------            -------
        4THFLOORCONF
        QA
        QA4
        QAVM1A
        QAVM1B
        QAVM1C
        QAVM1D
        QAVM2B
        QAVM2C
        VPN
	-------- snip LOTS of stuff omitted -----------------------

        Workgroup            Master
        ---------            -------
	-------- snip LOTS of stuff omitted -----------------------
        WORKGROUP            QA10
[root@farmboy /]#
--------------------------------------------------------------------

Now my questions:

1) I figure this to be some kind of misconfigured W2K server at the other
end, correct ? Why does the connection to port 449 succeed, yet fail to
serve up all the desired info ??

2) The code in libsmb/cliconnect.c, cli_connect ALWAYS tries port 449 first,
then falls back to port 139 if the open fails. In my case the open DOESN'T
fail so I never fall back to port 139, which in my case would solve my
browsing issues. It does NOT appear that there is any way to override this
behavior. Would it be beneficial (or detrimental for that matter) for me to
create a patch that would allow a user to specify which port browse
synchronization to occur on ?? Something like a new smb.conf parm,
"browse-sync-ports   139 445" that could then be used in cli_connect
to
specify desired behavior ?

Sorry for the long post. I wasn't sure if this was the correct group or if
samba-technical was more appropriate.

Thanks
Andy Levine

Andy Levine wrote:
> 
> I have been having a heck of a time getting cross subnet browsing to work
> properly. After MANY hours hunting through source and debug logs, I have
> FINALLY found the source of my browsing issues.
> 
> My Samba nmdb properly becomes the LMB for my segment on a WAN. I VPN to my
> servers at the home office and Samba attempts to sync with the DMB. nmbd
> properly locates the DMB via WINS over the UNICAST_SUBNET, then proceeds to
> try and sync with it over port 445. The connection to port 445 works JUST
> FINE. I get connected, the connection to IPC$ happens just fine and the
> return from the cli_NetServerEnum calls for Domains and everything else
> complete fine. The problem is the returned lists are empty !!! Debug logs
> show: "sync with HOMEOFFICE(172.16.10.5) for workgroup GROUPXYZ
completed (0
> records)". The dumped returned blocks show a correct return record,
just
> with nothing in it.
> Sorry for the long post. I wasn't sure if this was the correct group or
if
> samba-technical was more appropriate.
Probably better brought up on samba-technical, now that I can confirm
that it's a known, real bug.  We just havn't fully digested the
consequences :-)  (and the fact that 2.2 is bitten by it - I was under
the impression it was 3.0 only, but we had a lot of merging a release or
two back).

Now, what we need to figure out is how to deal with this.  Is is just
that we contact 445, or is there somthing else wrong with our querys
(somehow influenced by our use of port 445).

Can you try and convince two Win2k machines to synronsise browse lists,
and get a sniff?  Ethereal has a very good SMB disector, btw.  In
particular, what ports do they use, and does it look different to
Samba?  In the meantime forcing port 139 makes sense (becouse NetBIOS
browse sync doesn't make sense on 445 anyway - it's meant to be for
'NetBIOSless' smb...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

Andrew Bartlett wrote:
> Probably better brought up on samba-technical, now that I can confirm
> that it's a known, real bug.  We just haven't fully digested the
> consequences :-)  (and the fact that 2.2 is bitten by it - I was under
> the impression it was 3.0 only, but we had a lot of merging a release or
> two back).
>
> Now, what we need to figure out is how to deal with this.  Is is just
> that we contact 445, or is there somthing else wrong with our querys
> (somehow influenced by our use of port 445).
>
I "dealt" with this with a recently submitted patch to force browse
synchronization to occur on port 139 instead. A subtly placed call to
cli_set_port() in the function sync_child() solved this handily !!
>In the meantime forcing port 139 makes sense (becouse NetBIOS
> browse sync doesn't make sense on 445 anyway - it's meant to be for
> 'NetBIOSless' smb...
I totally agree. Browse sync'ing is inherently a NetBIOS thing and SHOULD
occur on 139.


Andy Levine
Senior Software Architect
epicRealm