Koozali.org: home of the SME Server

SME Samba connects across multiple subnets - urgent !!!

Darrin

SME Samba connects across multiple subnets - urgent !!!
« on: December 06, 2002, 09:13:16 AM »
I have a major problem that is totally destroying my confidence in SME as a potential deployment platform for client sites. We have extensively used SME 5.12 / 5.5 for LAN environments but have just begun to prep a number of deployments based on SME 5.5 in VPN / multi subnet environments and are having major issues... (ie: no samba connectivity from remote networks)

The planned architecture is as follows:
SME 5.5 (update 2) running as a network server for Windows clients spanning multiple subnets (192.168.x.x). The networks are all interconnected using IPsec VPN tunnels running from one ZyWALL firewall to another as shown:

192.168.1.x <---> Firewall (192.168.1.1) <---- IPsec tunnel --> Firewall (192.168.2.1)  <--->192.168.2.x

Problem:
Windows XP clients can browse MS based shares on any remote subnet fine.
Attempted connects to remote SME server shares fail, yet I can ping the remote SME server.
I have added the remote subnets as local networks on the SME server, and ensured that access privileges are correct but nothing seems to work.
This is not WINS based as we are trying to connect to the remote SME server using IP address with zero luck.
This is made stranger by the fact that a workstation on the remote subnet can connect to PHPmyadmin using the IP address of the SME server.
I know SAMBA is running as I can connect from the local subnet.

Any great minds have any ideas ??? This is a major concern as we are to do the first multi subnet deployment this weekend.

Thanks in advance,
Darrin Domoney
Senior Technology Consultant
E-Merging Frontiers

guestHH

Re: SME Samba connects across multiple subnets - urgent !!!
« Reply #1 on: December 06, 2002, 10:45:01 AM »
Hi Darrin,

Sounds weird the 'problem' you have. I do not have the hardware so I can't test it, but did you 'play' with the RemoteAnnounce variable in smb.conf?

If you're trying to connect to an ibay on a remote subnet, try to add the 'browseable=yes' variable in that specific ibay within smb.conf.

Don't forget to restart samba 'service smb restart' and give it a try.

Hope it helps a bit.

Regards,
guestHH

Darrin

Re: SME Samba connects across multiple subnets - urgent !!!
« Reply #2 on: December 06, 2002, 02:38:11 PM »
RequestedDeletion,
Thanks for the response - I verified the smb.conf file and for all the ibays browseable= was not present. I manually edited the file template to include this option (set to yes by default now) and I can now access ibays across subnets (at least on the one that I tried).

I guess I had been staring at this thing so long that I just didn't give it a moment's thought.... I think maybe that SME sometimes makes things too easy - If this had been a RedHat box running Samba I would have been into the config files first thing to do some tuning.

I have looked at my cheat sheets on Samba (especially in a multi subnet environment) and this is probably worth a how-to ie: setting domain master browsers, etc.

Anyone have any thoughts on the value of a quick cheat sheet / how-to on this?
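
As an added example (not part of Darrin's post and not SME Server's own tooling): a small Python audit of an smb.conf that lists, per share, whether `browseable` is set explicitly and whether a remote client's address passes a `[global]` `hosts allow` list. The sample config, share names and addresses are constructed, and that `hosts allow` plays a part in this thread's setup is an assumption.

```python
import ipaddress

# Constructed sample smb.conf (share names, paths and addresses are made up).
SAMPLE_SMB_CONF = """\
[global]
  hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0

[ibay1]
  path = /srv/ibay1
  browseable = yes

[ibay2]
  path = /srv/ibay2
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces removed,
    and Samba's synonym "browsable" folded into "browseable"."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = key.lower().replace(" ", "")
            current["browseable" if key == "browsable" else key] = value.strip()
    return sections

def host_allowed(entries, client_ip):
    """Match an IP against a subset of hosts-allow forms: IP, net/mask, '192.168.1.' prefix."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries.replace(",", " ").split():
        try:
            if entry.endswith(".") and client_ip.startswith(entry):
                return True
            if not entry.endswith(".") and ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostnames, EXCEPT clauses etc. are not handled here
    return False

def audit(text, client_ip):
    """Per share: explicit browseable value (None if unset) and the [global] hosts-allow verdict."""
    conf = parse_smb_conf(text)
    allow = conf.get("global", {}).get("hostsallow")
    permitted = True if allow is None else host_allowed(allow, client_ip)
    return {name: {"browseable": p.get("browseable"), "hosts_allow_ok": permitted}
            for name, p in conf.items() if name != "global"}
```
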

schotty

Re: SME Samba connects across multiple subnets - urgent !!!
« Reply #3 on: December 06, 2002, 03:52:27 PM »
Well my thoughts on a Samba how-to is :

I'll be very pleased to read it when you have written it...


Cheers.....

Tom Keiser

Re: SME Samba connects across multiple subnets - urgent !!!
« Reply #4 on: December 06, 2002, 05:53:14 PM »
If you have the time and desire to write the how-to, I'll certainly make good use of it! Thanks for the offer.

Tom

guestHH

Re: SME Samba connects across multiple subnets - urgent !!!
« Reply #5 on: December 06, 2002, 06:07:48 PM »
Hi,

Did you guys stumble on '/usr/share/doc/samba-2.2.x'

It has been there for a long time..... ;-)

Regards,
guestHH

Darrin

Re: SME Samba connects across multiple subnets - urgent !!!
« Reply #6 on: December 06, 2002, 06:07:52 PM »
Just when I thought I was out of the woods........... my multi subnet browsing is working now (sort of) below is a quick summary - anyone with any input is very welcome at this point.

Test 1- Browse network shares via VPN connection using xDSL
--- Result - Win2k workstation to MS workstation shares - successful
--- Result - WinXP workstation to MS workstation shares - successful
--- Result - Win2k workstation to samba shares - successful
--- Result - WinXP workstation to samba shares - successful
Note: firewall type ZyWALL50

Test 2 - Browse network shares via VPN connection using Cable
--- Result - WinXP workstation to MS workstation shares - successful
--- Result - WinXP workstation to samba shares - UNSUCCESSFUL
Note: firewall type ZyWALL1

Thoughts:
I think we have ruled out the firewall as a problem point here as the XP workstation can browse remote MS shares.
The only variable appears to be the Samba server ???!!

Other (below are some error messages that MAY be related):

[2002/12/06 08:19:24, 0] printing/pcap.c:pcap_printer_fn(371)
  Unable to open printcap file /etc/printcap for read!
[2002/12/06 08:19:56, 0] smbd/server.c:open_sockets(238)
  Got SIGHUP
[2002/12/06 08:19:56, 0] printing/pcap.c:pcap_printer_fn(371)
  Unable to open printcap file /etc/printcap for read!
[2002/12/06 08:20:36, 0] smbd/server.c:open_sockets(238)
  Got SIGHUP
[2002/12/06 08:20:36, 0] printing/pcap.c:pcap_printer_fn(371)
  Unable to open printcap file /etc/printcap for read!
[2002/12/06 08:21:06, 0] smbd/server.c:open_sockets(238)
  Got SIGHUP
[2002/12/06 08:21:06, 0] printing/pcap.c:pcap_printer_fn(371)
  Unable to open printcap file /etc/printcap for read!
[2002/12/06 08:21:58, 0] smbd/server.c:main(707)
  smbd version 2.2.5 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2002
[2002/12/06 08:21:58, 0] printing/pcap.c:pcap_printer_fn(371)
  Unable to open printcap file /etc/printcap for read!

I even went so far as to force delete any network shares on the remote side and try to reestablish them via a net use command.

Ideas are as always very welcome....

Darrin

ryan

Re: SME Samba connects across multiple subnets - urgent !!!
« Reply #7 on: December 11, 2002, 07:51:40 AM »
I have experienced similar problems with XP.  Anytime I attempt to access a share on a client/server in a different domain, it will not allow access...even if the username and password are the same.  I do not have this issue with Windows2k...I get prompted for a username and password if not the same.  These problems exist for shared folders and shared printers.

At home, I cannot access my XP Pro (in a workgroup) from my win2k server which is a member server in my SME (PDC) domain even when logged in using the same administrator name and password for the XP machine.

You might try testing XP as server/client in different workgroups/domains on your lan.  I have 3 locations connected by SME IPSEC VPN and everything works as if all computers are on the same lan.

I have read about making BDCs with Redhat Samba boxes that basically requires you to copy the SID of the first samba PDC to other samba PDCs, essentially creating pseudo BDCs.  The BDCs will respond to user logins...the info I read also explained how to copy the user database on a timed interval so all samba domain controllers have the same user database.  New users are created only on the primary (first) domain controller.  WINS can get tricky with all samba DCs.  This setup might fix your problem if both XP machines think they are in the same domain (domain SIDs are the same).  Just my 2 cents.  Hope it helps.

A quick test to see if VPN is your problem...do this on your lan AND across VPN:

Put 2 XP Pro systems in the same workgroup on your lan.  Create an identical user account on both XP systems.  Log in as that user on sysA and attempt to connect to a share on sysB.  It should work.  Now try with a different user that is not on the remote sysB...it should fail.  You should get the same results doing this with a VPN between the XP systems.  If results differ, VPN could be an issue in addition to the XP problem I mention here.

Ryan