Bram Matthys
2014-Sep-23 17:54 UTC
[Samba] Samba3 on multiple networks, how to make it hand out the correct IP?
Hi,

My Samba 4.1.x server is connected to two networks, one in the 192.168.* range (wired) and one in the 10.* range (wifi). The clients on either network normally cannot reach each other.
I noticed Samba hands out (e.g. for dcname.company.net) its IPs from both ranges to clients on both sides. So the 192.168.* clients get two A records: 192.168.1.1 & 10.0.0.2.

I noticed that, because of this current behavior, domain logins (well, time between login & until the user sees a desktop) have an extra delay of more than 60 seconds because the client tries to connect to the wrong IP. Eventually it works, but the penalty is huge.

Given that Samba knows which network the client is on I would have expected it to actually be a little bit smarter with regards to that.

Anyway, I'd like to see this changed so that any clients on 192.168.* only get the 192.168.1.1 address, and the clients on 10.* only get 10.0.0.2.

How can I do this?

Thanks,

Bram.

--
Bram Matthys
Software developer/IT consultant syzop at vulnscan.org
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
Gaiseric Vandal
2014-Sep-23 19:25 UTC
[Samba] Samba3 on multiple networks, how to make it hand out the correct IP?
I think if you have two A (HOST) records the clients will do a DNS lookup for the hosts, get all host entries list (but the order might change), and use the first one in the list. At least this is how it works for things like looking up web sites. I am not sure if Windows clients apply more thought to locating the nearest Windows server (unless it is tracking the number of hops.)

I think in larger environments, you would have separate DCs for each site or network segment.

How is DHCP handled? Could you have a separate DNS server allocated for the wifi clients, and add the 10.* DNS entries? Then the Samba server could be configured as a DNS server for the wired connections only.

Maybe don't use Samba 4 as the DNS server at all. I think if you use BIND you can configure split DNS.

On 09/23/14 13:54, Bram Matthys wrote:
> Hi,
>
> My Samba 4.1.x server is connected to two networks, one in the 192.168.*
> range (wired) and one in the 10.* range (wifi). The clients on either
> network normally cannot reach each other.
> I noticed Samba hands out (e.g. for dcname.company.net) its IPs from both
> ranges to clients on both sides. So the 192.168.* clients get two A records:
> 192.168.1.1 & 10.0.0.2.
>
> I noticed that, because of this current behavior, domain logins (well, time
> between login & until the user sees a desktop) have an extra delay of more
> than 60 seconds because the client tries to connect to the wrong IP.
> Eventually it works, but the penalty is huge.
>
> Given that Samba knows which network the client is on I would have expected
> it to actually be a little bit smarter with regards to that.
>
> Anyway, I'd like to see this changed so that any clients on 192.168.* only
> get the 192.168.1.1 address, and the clients on 10.* only get 10.0.0.2.
>
> How can I do this?
>
> Thanks,
>
> Bram.
L.P.H. van Belle
2014-Sep-24 06:31 UTC
[Samba] Samba3 on multiple networks, how to make it hand out the correct IP?
I suggest you set up advanced routing with routing tables. Google a bit for it and start with reading. Here are some pointers.

Add a table to /etc/iproute2/rt_tables:

    100 UseFirstNetwork
    200 UseSecondNetwork

Something like this in your interfaces file:

    # The primary network interface
    auto eth0
    iface eth0 inet static
        address 192.168.1.221
        netmask 255.255.255.0
        post-up ip route add 192.168.1.0/24 dev eth0 src 192.168.249.221 table UseFirstNetwork
        post-up ip route add 10.1.0.0/24 dev eth0 via 192.168.249.1 table UseSecondNetwork
        post-up ip rule add from 192.168.1.0/24 table UseFirstNetwork
        post-up ip rule add to 192.168.1.0/24 table UseFirstNetwork
        post-up ip rule add from 10.1.0.0/16 table UseSecondNetwork
        post-up ip rule add to 10.1.0.0/16 table UseSecondNetwork
        post-up ip route add 192.168.1.0/24 via YOURGATEWAYIP table UseFirstNetwork
        post-up ip route add 0.1.0.0/24 via YOURGATEWAYIP2 table UseSecondNetwork
        post-down ip rule del from 192.168.1.0/24 table UseFirstNetwork
        post-down ip rule del from 10.1.0.0/16 table UseSecondNetwork

These are nice links to read:

https://www.debian-administration.org/article/377/Routing_for_multiple_uplinks
www.lartc.org
http://www.rjsystems.nl/en/2100-adv-routing.php

And really read and understand before you start using this in production.

Good luck.

Louis

>-----Original message-----
>From: syzop at vulnscan.org [mailto:samba-bounces at lists.samba.org]
>On behalf of Bram Matthys
>Sent: Tuesday 23 September 2014 19:55
>To: samba at lists.samba.org
>Subject: [Samba] Samba3 on multiple networks, how to make it
>hand out the correct IP?
>
>Hi,
>
>My Samba 4.1.x server is connected to two networks, one in the 192.168.*
>range (wired) and one in the 10.* range (wifi). The clients on either
>network normally cannot reach each other.
>I noticed Samba hands out (e.g. for dcname.company.net) its IPs from both
>ranges to clients on both sides. So the 192.168.* clients get two A records:
>192.168.1.1 & 10.0.0.2.
>
>I noticed that, because of this current behavior, domain logins (well, time
>between login & until the user sees a desktop) have an extra delay of more
>than 60 seconds because the client tries to connect to the wrong IP.
>Eventually it works, but the penalty is huge.
>
>Given that Samba knows which network the client is on I would have expected
>it to actually be a little bit smarter with regards to that.
>
>Anyway, I'd like to see this changed so that any clients on 192.168.* only
>get the 192.168.1.1 address, and the clients on 10.* only get 10.0.0.2.
>
>How can I do this?
>
>Thanks,
>
>Bram.
Harry Jede
2014-Sep-24 08:05 UTC
[Samba] Samba3 on multiple networks, how to make it hand out the correct IP?
On 09:15:11 wrote Bram Matthys:
> Hi,
>
> My Samba 4.1.x server is connected to two networks, one in the
> 192.168.* range (wired) and one in the 10.* range (wifi). The
> clients on either network normally cannot reach each other.
> I noticed Samba hands out (e.g. for dcname.company.net) its IPs from
> both ranges to clients on both sides. So the 192.168.* clients get
> two A records: 192.168.1.1 & 10.0.0.2.
>
> I noticed that, because of this current behavior, domain logins
> (well, time between login & until the user sees a desktop) have an
> extra delay of more than 60 seconds because the client tries to
> connect to the wrong IP. Eventually it works, but the penalty is
> huge.
>
> Given that Samba knows which network the client is on I would have
> expected it to actually be a little bit smarter with regards to
> that.
>
> Anyway, I'd like to see this changed so that any clients on 192.168.*
> only get the 192.168.1.1 address, and the clients on 10.* only get
> 10.0.0.2.
>
> How can I do this?

I don't know how to do this on the DNS server, but you may do it on the clients, i.e. modify your DNS resolver settings.

A working setup on my home networks:

    ## client PC
    # cat /etc/resolv.conf
    domain home.lan
    nameserver 192.168.231.254
    search home.lan ad.schule.lan
    sortlist 192.168.231.0/255.255.255.0

Important is the sortlist statement. It points to the client's local network. The Samba/DNS server has 4 addresses.

The nameserver 192.168.231.254 is a slave BIND server for my AD domain.

    ## client PC
    # host dc0
    dc0.ad.schule.lan has address 192.168.200.254
    dc0.ad.schule.lan has address 192.168.230.228
    dc0.ad.schule.lan has address 192.168.231.228
    dc0.ad.schule.lan has address 192.168.232.228

    # ping -c1 dc0
    PING dc0.ad.schule.lan (192.168.231.228) 56(84) bytes of data.
    64 bytes from 192.168.231.228: icmp_req=1 ttl=64 time=0.491 ms

Network clients like ping always use the local name server address.

> Thanks,
>
> Bram.

--
Regards
Harry Jede
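
The reordering that the sortlist line in the message above asks the client resolver for, modelled as an added example (not code from the thread, Samba or glibc). The function and constant names are hypothetical, the classful default mask follows resolv.conf(5), and the second data set is constructed from the addresses in the first message.

```python
import ipaddress

MAX_PAIRS = 10  # resolv.conf(5) allows up to 10 address/netmask pairs

def natural_prefix(ip):
    """Classful prefix length, used when a pair carries no netmask."""
    first_octet = int(ip) >> 24
    if first_octet < 128:
        return 8
    return 16 if first_octet < 192 else 24

def parse_sortlist(line):
    """Turn 'sortlist addr[/mask] ...' into a list of IPv4Network objects."""
    fields = line.split()
    if not fields or fields[0] != "sortlist":
        raise ValueError("not a sortlist line: %r" % line)
    nets = []
    for pair in fields[1:1 + MAX_PAIRS]:
        addr, _, mask = pair.partition("/")
        ip = ipaddress.IPv4Address(addr)
        suffix = mask or str(natural_prefix(ip))
        nets.append(ipaddress.IPv4Network("%s/%s" % (ip, suffix), strict=False))
    return nets

def apply_sortlist(addresses, nets):
    """Stable reorder: an address inside an earlier sortlist network sorts
    first; addresses matching no network keep their order at the end."""
    def rank(addr):
        ip = ipaddress.IPv4Address(addr)
        for i, net in enumerate(nets):
            if ip in net:
                return i
        return len(nets)
    return sorted(addresses, key=rank)

# A records for dc0.ad.schule.lan, as printed by `host dc0` in the message.
DC0_ANSWERS = ["192.168.200.254", "192.168.230.228",
               "192.168.231.228", "192.168.232.228"]
CLIENT_SORTLIST = "sortlist 192.168.231.0/255.255.255.0"

# Constructed: the two-homed DC from the first message, seen from a wifi
# client whose sortlist gives no netmask (10.0.0.0 then defaults to /8).
BRAM_ANSWERS = ["192.168.1.1", "10.0.0.2"]
WIFI_SORTLIST = "sortlist 10.0.0.0"

if __name__ == "__main__":
    print(apply_sortlist(DC0_ANSWERS, parse_sortlist(CLIENT_SORTLIST)))
    print(apply_sortlist(BRAM_ANSWERS, parse_sortlist(WIFI_SORTLIST)))
```

resolv.conf(5) describes sortlist as sorting the addresses returned by gethostbyname(3), so the reordering only covers programs that resolve names through that call.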