samba - Aug 2003 - Samba Domain Controller + Router

I have a Samba Domain Controller running on a Windows/Linux hybrid
network.  Actually, the network is in a state of transition right now and
I'm occupying my time by planning its re-design.  So, assume that when I
set it up again, I'll be using the latest release of Samba (or any
previous release you may recommend).

Now, to the point... A couple of the Windows clients on this domain will,
without going into much explanation of why, be behind a simple Linksys
router.  This means that the only way they can connect to the Samba domain
is via TCP port forwarding through the router.  My knowledge of the
protocols of a Windows domain being somewhat limited, I question if this
is possible.  Through no other means than forwarding TCP ports through the
router, (and through which ports in which direction?) is it possible for
multiple (read as 2 or 3) computers on the other side of that router to be
members of the Windows domain?

The computers on the other side of the router are, at the moment, running
Win2000.  But, over time, replacements will have later versions of
Windows.  Now, I would imagine that, if TCP port forwarding is enough,
then the clients won't have a problem.  They'd simply see the router as
the Domain Controller, right?  But then, through that controller (Samba),
can they browse the rest of the machines on the domain?  Note that such
browsing wouldn't be entirely necessary, but if it's possible it would
at
least make the network setup somewhat more transparent to the users.

Where I become most unclear, however, is the fact that, from the Domain
Controller's perspective, the router would be a single source (IP
address) for multiple machines.  Can it distinguish between those machines
on the other side of the router?  Can they, too, be browsed on the domain
by the rest?  Note also that the router exibits different behavior in
different directions, and I can "invert" the direction if need be.
Connections coming in on the WAN port must be forwarded by port number as
specified ahead of time.  Connections coming in on the LAN port, however,
pretty much have free reign to go as they please and expect a response.
It matters little to me which side of the network is WAN and which is LAN
from the router's perspective.

Any help you can give me in this would be very much appreciated.  Thank
you for your time.



David P. Donahue
ddonahue@ccs.neu.edu

On Sun, 3 Aug 2003, David Donahue wrote:
> I have a Samba Domain Controller running on a Windows/Linux hybrid
> network.  Actually, the network is in a state of transition right now and
> I'm occupying my time by planning its re-design.  So, assume that when
I
> set it up again, I'll be using the latest release of Samba (or any
> previous release you may recommend).
>
> Now, to the point... A couple of the Windows clients on this domain will,
> without going into much explanation of why, be behind a simple Linksys
> router.  This means that the only way they can connect to the Samba domain
> is via TCP port forwarding through the router.  My knowledge of the
> protocols of a Windows domain being somewhat limited, I question if this
> is possible.  Through no other means than forwarding TCP ports through the
> router, (and through which ports in which direction?) is it possible for
> multiple (read as 2 or 3) computers on the other side of that router to be
> members of the Windows domain?
>
> The computers on the other side of the router are, at the moment, running
> Win2000.  But, over time, replacements will have later versions of
> Windows.  Now, I would imagine that, if TCP port forwarding is enough,
> then the clients won't have a problem.  They'd simply see the
router as
> the Domain Controller, right?  But then, through that controller (Samba),
> can they browse the rest of the machines on the domain?  Note that such
> browsing wouldn't be entirely necessary, but if it's possible it
would at
> least make the network setup somewhat more transparent to the users.
>
> Where I become most unclear, however, is the fact that, from the Domain
> Controller's perspective, the router would be a single source (IP
> address) for multiple machines.  Can it distinguish between those machines
> on the other side of the router?  Can they, too, be browsed on the domain
> by the rest?  Note also that the router exibits different behavior in
> different directions, and I can "invert" the direction if need
be.
> Connections coming in on the WAN port must be forwarded by port number as
> specified ahead of time.  Connections coming in on the LAN port, however,
> pretty much have free reign to go as they please and expect a response.
> It matters little to me which side of the network is WAN and which is LAN
> from the router's perspective.
>
> Any help you can give me in this would be very much appreciated.  Thank
> you for your time.
Samba-HOWTO-Collection.pdf, Chapter 10 available from the folowing URL:

	http://us4.samba.org/samba/devel/docs/Samba-HOWTO-Collection.pdf

Chapter 10, "Samba / MS Network Browsing Guide", Should answer your
questions. If you have more, after having read this, please let's have
them.

THe SMB/CIFS protocol uses TCP ports 139 and 445, and UDP port 137.

- John T.
-- 
John H Terpstra
Email: jht@samba.org