samba - Nov 2007 - Vista over VPN loses connection with workgroup

I've a server running CentOS 5, Samba 3.0.23c and OpenVPN-2.1beta4
A laptop running Vista connects to the server over VPN. The CentOS 
server is local, domain and preferred master, and also WINS server.

It looks like every once in a while the Vista laptop drops the VPN 
connection, which gets re-established soon after that. But the problem 
is, it appears that after the dropout the Vista laptop doesn't see the 
Samba workgroup anymore - there's nothing in the Network window, and 
printing to a printer shared by Samba on CentOS fails.
Rebooting Vista fixes the problem.
If I specify a computer name like this \\computer I can access it from 
Vista even when the workgroup is "invisible".

My question is - how to make the connection to the workgroup more 
robust? Fixing VPN is another task, but I wonder if something can be 
done with Samba and/or Vista until then.

-- 
Florin Andrei

http://florin.myip.org/

On Fri, 2007-11-30 at 13:55 -0800, Florin Andrei wrote:
> I've a server running CentOS 5, Samba 3.0.23c and OpenVPN-2.1beta4
> A laptop running Vista connects to the server over VPN. The CentOS 
> server is local, domain and preferred master, and also WINS server.
> 
> It looks like every once in a while the Vista laptop drops the VPN 
> connection, which gets re-established soon after that. But the problem 
> is, it appears that after the dropout the Vista laptop doesn't see the 
> Samba workgroup anymore - there's nothing in the Network window, and 
> printing to a printer shared by Samba on CentOS fails.
> Rebooting Vista fixes the problem.
> If I specify a computer name like this \\computer I can access it from 
> Vista even when the workgroup is "invisible".
> 
> My question is - how to make the connection to the workgroup more 
> robust? Fixing VPN is another task, but I wonder if something can be 
> done with Samba and/or Vista until then.
> 
I'd hazard that the issues are related, and that there are tweaks you
can do to the VPN that will make this more stable.  Short of sending you
to the OpenVPN lists, I'll share a couple tweaks I've found useful in
the exact same situation:
On the VPN server, add the lines:
# Insert your WINS server IP here
push "dhcp-option WINS 12.34.56.78"
# Insert your DNS server IP here
push "dhcp-option DNS 12.34.56.78"
# Insert your second (if you have one) DNS server IP here
push "dhcp-option DNS 12.34.56.79"
# Replace with your search domain
push "dhcp-option DOMAIN domain.tld"

This will force the Vista client to re-establish these options on VPN
reconnect, which it will only do on a reboot if you put the WINS server
in the Windows general network config.  I think the issue is that if the
Windows machine is unable to connect to the WINS server specified, it
simply stops trying, thus making the workgroup inaccessible.

I stand ready to be corrected on all of this of course, but my
experience is that the options above work very consistently for my own
setup and those of my clients as well.

Hope that helps!
Rubin

-- 
Rubin Bennett
rbTechnologies
rbennett@thatitguy.com
http://thatitguy.com
(802)223-4448

"Those who would give up essential liberty to purchase a little
temporary safety deserve neither liberty nor safety."
        -Ben Franklin, Historical Review of Pennsylvania, 1759

On Fri, 2007-11-30 at 14:34 -0800, Florin Andrei wrote:
> Rubin Bennett wrote:
> > I'd hazard that the issues are related, and that there are tweaks
you
> > can do to the VPN that will make this more stable.  Short of sending
you
> > to the OpenVPN lists, I'll share a couple tweaks I've found
useful in
> > the exact same situation:
> > On the VPN server, add the lines:
> > # Insert your WINS server IP here
> > push "dhcp-option WINS 12.34.56.78"
> > # Insert your DNS server IP here
> > push "dhcp-option DNS 12.34.56.78"
> > # Insert your second (if you have one) DNS server IP here
> > push "dhcp-option DNS 12.34.56.79"
> > # Replace with your search domain
> > push "dhcp-option DOMAIN domain.tld"
> 
> Yes, actually I already did that. That's how the laptop learns
where's
> the WINS server. DOMAIN, DNS and WINS are being pushed to the Windows 
> client already.
> 
> The WINS server pushed to the laptop is actually the tun0 interface, 
> created on the server by openvpnd. But that should not be a problem, I 
> see in the logs how Samba actually becomes master on that interface, so 
> it should work - and it does, for a while, and then the workgroup 
> disappears.
> 
Can you browse by IP address over the re-established VPN?  Have you
tried the old ipconfig /flushdns trick either before or after
reconnecting the VPN?

-- 
Rubin Bennett
rbTechnologies
rbennett@thatitguy.com
http://thatitguy.com
(802)223-4448

"Those who would give up essential liberty to purchase a little
temporary safety deserve neither liberty nor safety."
        -Ben Franklin, Historical Review of Pennsylvania, 1759

On Mon, 2008-01-14 at 19:41 -0800, Florin Andrei wrote:
> Rubin Bennett wrote:
> >>
> > Can you browse by IP address over the re-established VPN?
> 
> I can even browse by \\name
> It's just that the Network window is empty, and when that happens, the 
> system cannot access a printer shared by the WINS server.
> 
> > Have you
> > tried the old ipconfig /flushdns trick either before or after
> > reconnecting the VPN?
> 
> Doesn't make any difference.
> 
> To recap: Samba as a WINS server, there's a Vista client that sometimes
> loses the Network Neighborhood. It's connected over VPN, but the VPN 
> tunnel itself is solid, that's not the problem. The other end of the 
> tunnel is the WINS server which is also an OpenVPN server.
> 
> Sometimes it works fine though, it sees the Network just fine, it can 
> print, etc. Some other times nothing works. I don't understand
what's
> going on.
> 
> Using samba-3.0.25b on CentOS 5.1 64bit
> 
I assume you can't get to the printer properties or the print server by
UNC?  I can say that I definitely haven't seen this, but at the same
time, I don't know that the majority of my clients who use a Vista/
OpenVPN/ Samba combination would necessarily notice if they couldn't
print over the VPN.

I'll do some checking on my end to see if I can replicate the behavior
anywhere, but I honestly don't know where to go from here... Sporadic
Windows issues give me a consistent headache :)
 
> -- 
> Florin Andrei
> 
> http://florin.myip.org/
-- 
Rubin Bennett
rbTechnologies
rbennett@thatitguy.com
http://thatitguy.com
(802)223-4448

"Those who would give up essential liberty to purchase a little
temporary safety deserve neither liberty nor safety."
        -Ben Franklin, Historical Review of Pennsylvania, 1759