From: tms3 on 12 Jul 2010 08:40

> --- Original message ---
> Subject: [Samba] WG: Cross subnet browsing + OpenVPN
> From: Daniel Müller <mueller(a)tropenklinik.de>
> To: <samba(a)lists.samba.org>
> Date: Sunday, 11/07/2010 11:39 PM
>
> Hi,
> Robert Schetterer is right. You will succeed in the end with tap
> bridging.

Bridging does NetBIOS reach-through. You will achieve it either way. The TYPE
of VPN is not relevant. There was a discussion a while back regarding SELinux
and NetBIOS. I would check those settings.

> I did this with two XP clients, two NICs, and built a bridge on each:
> Both the remote and the local clients must be in the same subnet.
>
> My openvpn.conf:
>
> Client or server
>
> dev tap
> dev-node TAB
> proto udp
>
> remote XXXXXXXXXXXX 1194
>
> resolv-retry infinite
>
> ca C:\\ca.crt
> cert C:\\client1.crt
> key C:\\client1.key
> ns-cert-type server
> verb 6
>
> # Silence repeating messages
> script-security 2
> comp-lzo
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1450
> persist-tun
> persist-key
> route-delay 10
>
> On CentOS look here:
> http://csmorley.spaces.live.com/blog/cns!990C0A249621766!184.entry
>
> Greetings
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller(a)tropenklinik.de
> Internet: http://www.tropenklinik.de
> -----------------------------------------------
>
> -----Original Message-----
> From: samba-bounces(a)lists.samba.org
> [mailto:samba-bounces(a)lists.samba.org] On behalf of Robert Schetterer
> Sent: Friday, 9 July 2010 17:26
> To: tms3(a)tms3.com
> Cc: samba(a)lists.samba.org
> Subject: Re: [Samba] Cross subnet browsing + OpenVPN
>
> On 09.07.2010 14:42, tms3(a)tms3.com wrote:
>>
>>> --- Original message ---
>>> *Subject:* Re: [Samba] Cross subnet browsing + OpenVPN
>>> *From:* Robert Schetterer <robert(a)schetterer.org>
>>> *To:* <samba(a)lists.samba.org>
>>> *Date:* Friday, 09/07/2010 3:05 AM
>>>
>>> On 09.07.2010 11:37, Julian Pilfold-Bagwell wrote:
>>>>
>>>> Sorry about the delay, family emergency to deal with.
>>>> browse sync shares the info across them. I tried putting the specific
>>>> IP addresses of the local master browsers into the browse sync but it
>>>> still doesn't seem to spread everything across all the subnets.
>>>
>>> you should use tap interfaces with openvpn
>> This is a matter of network design, and has nothing to do whatsoever
>> with the issue at hand. Further:
>
> I used Samba with subnet browsing years ago.
> It didn't work with tun interfaces; it had to be tap interfaces,
> plus the right Samba setup.
> Times may have changed, Samba and OpenVPN have changed,
> but simply try it; it doesn't cost anything.
>
> My setup was
>
> bdc--internalnet--firewall--(tunnel)--firewall--internalnet--pdc
>
> I had Samba on the firewalls bound to the tap tunnel interfaces
> as WINS proxy.
> The PDC was the WINS server, the BDC a WINS proxy that directed browsing
> to the PDC; all clients got well-configured parameters via DHCP.
> Additionally there was a working DNS which matched WINS dynamically.
>
> Anyway, times may change, and there are better solutions now,
> but this one worked stable and robust.
>
> Read the Samba FAQs on WINS and subnet browsing etc.
>
> Good luck
>
>> Server configuration file
>>
>> *dev tun
>> ifconfig 10.8.0.1 10.8.0.2
>> secret static.key*
>>
>> Client configuration file
>>
>> *remote myremote.mydomain
>> dev tun
>> ifconfig 10.8.0.2 10.8.0.1
>> secret static.key*
>>
>> From:
>>
>> http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
>>
>> Which makes for a nice network to network setup for two locations
>> connected via a wan link.
>>
>> Why not shift the discussion to whether we should use IPSEC and racoon
>> instead of OpenVPN, or perhaps we should scrap all that and argue that
>> he should be using Cisco vpn gateways altogether?
>>
>> GUH!
>>
>>>> From what I understand, the remote announce tells the WINS server to
>>>> broadcast across the remote subnets and remote
>>>>
>>>> On 06/07/10 13:50, tms3(a)tms3.com wrote:
>>>>>
>>>>> SNIP
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I'm having a problem with cross subnet browsing and name resolution
>>>>>> across an openvpn tunnel. I've found quite a few people who've had
>>>>>> the same on mail lists but none of their fixes have worked. The spec
>>>>>> of the setups at both ends of the tunnel are as follows:
>>>>> "remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
>>>>> remote browse sync = 192.168.1.255 192.168.2.255"
>>>>>
>>>>> This looks odd to me.
>>>>>
>>>>> remote announce = <wins server ip>/<DOMNAME>
>>>>> remote browse sync = <wins server ip>
>>>>>
>>>>> NEEDED in both smb.conf
>>>>>
>>>>> wins server = <wins server ip>
>>>>>
>>>>> Can't remember default for this setting sooooo
>>>>>
>>>>> enhanced browsing = Yes
>>>>>
>>>>> in both smb.conf
>>>>>
>>>>> DHCP should point clients to headoffice for WINS. WINS proxy is not
>>>>> useful.
>>>>>>
>>>>>> OS - CentOS 5.5
>>>>>> Samba Version 3.5.4
>>>>>> OpenVPN Version 2.0.9-1
>>>>>>
>>>>>> Each server is configured in gateway mode with two NICs, one to the
>>>>>> lan and the other to a modem/router. The first machine, HEADOFFICE,
>>>>>> has an internal IP address of 192.168.0.1 and an external of
>>>>>> 192.168.10.4. The second machine, REMOTE1, has an internal address
>>>>>> of 192.168.1.254 and an external of 192.168.20.4.
>>>>>>
>>>>>> On openVPN, I have configured client to client and routes and
>>>>>> iroutes to allow machines on each network to ping machines at the
>>>>>> other end as well as the server IP's.
>>>>>> So far so good and I can ping any machine on either subnet from
>>>>>> anywhere and get a reply. The servers are configured as Samba servers
>>>>>> with the HEADOFFICE machine working as a PDC, DMC and WINS server and
>>>>>> the REMOTE1 machine configured as a BDC and WINS proxy. In order to
>>>>>> maintain logon facilities in the event of broadband failure, I have
>>>>>> replicated the LDAP server from HEADOFFICE to REMOTE1 and updates and
>>>>>> password changes propagate successfully from one site to the other.
>>>>>>
>>>>>> If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it
>>>>>> works perfectly but trying to access REMOTE1 from HEADOFFICE and its
>>>>>> subnet fails on name resolution while entering \\192.168.1.254\
>>>>>> brings up Windows Explorer and a list of shares.
>>>>>>
>>>>>> I've included the remote browse entries in smb.conf on the PDC and
>>>>>> have WINS Proxying set up on the BDC but I can't get it to push
>>>>>> REMOTE1's IP back to the WINS server.
>>>>>> Port scanning the internal IP of each machine from the other end of
>>>>>> the tunnel returns a full set of open ports for the services I'm
>>>>>> using but no IP.
>>>>>>
>>>>>> If anyone can spot what I'm doing wrong I'd be grateful.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> ################ smb.conf - HEADOFFICE ################
>>>>>> ### Included 2nd subnet for second remote site in browse sync
>>>>>>
>>>>>> [ global]
>>>>>> workgroup = NEWDOM
>>>>>> netbios name = HEADOFFICE
>>>>>> security = user
>>>>>> enable privileges = yes
>>>>>> interfaces = 192.168.0.1 127.0.0.1
>>>>>> # hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0 194.168.2.0/255.255.255.0 127.0.0.1
>>>>>> remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
>>>>>> remote browse sync = 192.168.1.255 192.168.2.255
>>>>>> wins support = yes
>>>>>> name resolve order = wins hosts bcast
>>>>>> username map = /etc/samba/smbusers
>>>>>> server string = Samba Server %v
>>>>>> encrypt passwords = Yes
>>>>>> ldap ssl = no
>>>>>> unix password sync = yes
>>>>>> ldap passwd sync = no
>>>>>> passwd program = /usr/sbin/smbldap-passwd -u "%u"
>>>>>> passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
>>>>>>
>>>>>> # public = yes
>>>>>> # browseable = yes
>>>>>> # lm announce = yes
>>>>>> # browse list = yes
>>>>>> # auto services = yes
>>>>>>
>>>>>> log level = 3
>>>>>> syslog = 0
>>>>>> log file = /var/log/samba/log.%U
>>>>>> max log size = 100000
>>>>>> time server = Yes
>>>>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>>> mangling method = hash2
>>>>>> Dos charset = 850
>>>>>> Unix charset = ISO8859-1
>>>>>>
>>>>>> local master = Yes
>>>>>> domain logons = Yes
>>>>>> domain master = Yes
>>>>>> os level = 65
>>>>>> preferred master = Yes
>>>>>> wins support = yes
>>>>>>
>>>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>>>> ldap admin dn = cn=Manager,dc=newdom,dc=ldm
>>>>>> ldap suffix = dc=newdom,dc=ldm
>>>>>> ldap group suffix = ou=Groups
>>>>>> ldap user suffix = ou=Users
>>>>>> ldap machine suffix = ou=Computers
>>>>>> ldap idmap suffix = ou=Idmap
>>>>>>
>>>>>> add user script = /usr/sbin/smbldap-useradd -m "%u"
>>>>>> ldap delete dn = Yes
>>>>>> delete user script = /usr/sbin/smbldap-userdel "%u"
>>>>>> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>>>>>> add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>>>>> #delete group script = /usr/sbin/smbldap-groupdel "%g"
>>>>>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>>>>> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>>>>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>>>>>
>>>>>> [shared]
>>>>>> comment = shared directory
>>>>>> path = /dat
>>>>>> browseable = yes
>>>>>> read only = no
>>>>>> create mask = 0660
>>>>>> directory mask = 0770
>>>>>>
>>>>>> ############ smb.conf - REMOTE1 #############################
>>>>>>
>>>>>> [global]
>>>>>> workgroup = NEWDOM
>>>>>> netbios name = REMOTE1
>>>>>> security = user
>>>>>> enable privileges = yes
>>>>>> interfaces = 192.168.1.254 127.0.0.1
>>>>>> # hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.8.0.0/24 127.0.0.1
>>>>>> wins server = 192.168.0.1
>>>>>> wins proxy = yes
>>>>>> username map = /etc/samba/smbusers
>>>>>> name resolve order = wins bcast hosts
>>>>>> server string = Samba Server %v
>>>>>> encrypt passwords = Yes
>>>>>> ldap ssl = no
>>>>>> unix password sync = yes
>>>>>> ldap passwd sync = no
>>>>>> passwd program = /usr/sbin/smbldap-passwd -u "%u"
>>>>>> passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
>>>>>>
>>>>>> log level = 0
>>>>>> syslog = 0
>>>>>> log file = /var/log/samba/log.%U
>>>>>> max log size = 100000
>>>>>> time server = Yes
>>>>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>>> mangling method = hash2
>>>>>> Dos charset = 850
>>>>>> Unix charset = ISO8859-1
>>>>>>
>>>>>> local master = Yes
>>>>>> domain logons = Yes
>>>>>> domain master = no
>>>>>> os level = 40
>>>>>> preferred master = no
>>>>>>
>>>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>>>> ldap admin dn = cn=Manager,dc=newdom,dc=ldm
>>>>>> ldap suffix = dc=newdom,dc=ldm
>>>>>> ldap group suffix = ou=Groups
>>>>>> ldap user suffix = ou=Users
>>>>>> ldap machine suffix = ou=Computers
>>>>>> ldap idmap suffix = ou=Idmap
>>>>>>
>>>>>> add user script = /usr/sbin/smbldap-useradd -m "%u"
>>>>>> ldap delete dn = Yes
>>>>>> delete user script = /usr/sbin/smbldap-userdel "%u"
>>>>>> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>>>>>> add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>>>>> delete group script = /usr/sbin/smbldap-groupdel "%g"
>>>>>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>>>>> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>>>>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>>>>>
>>>>>> [test]
>>>>>> comment = test share
>>>>>> path = /test
>>>>>> browseable = yes
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>> --
>>> Best Regards
>>>
>>> MfG Robert Schetterer
>>>
>>> Germany/Munich/Bavaria
>
> --
> Best Regards
>
> MfG Robert Schetterer
>
> Germany/Munich/Bavaria
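The replies above keep returning to the same three things: `remote announce` / `remote browse sync` aimed at 192.168.x.255 broadcast addresses that a routed `dev tun` link does not carry into the far LAN, WINS settings that have to be consistent at both ends, and a `hosts allow` line that is commented out on both servers. As an added example, which is not code from the Samba project or from anyone in the thread, the Python script below parses a pair of smb.conf files and flags exactly those points. The two sample configs are constructed, trimmed to the browsing-related lines of the HEADOFFICE and REMOTE1 files posted above; the /24 site prefix and all function names are assumptions made for this example.

```python
"""Sanity-check cross-subnet browsing settings in a pair of smb.conf files.

Added example, not code from the Samba project or from anyone in the thread.
The sample configs are constructed and trimmed to the browsing-related lines
of the posted HEADOFFICE/REMOTE1 files; /24 and the function names are assumed.
"""
import ipaddress
import re

HEADOFFICE_CONF = """\
[ global]
    workgroup = NEWDOM
    netbios name = HEADOFFICE
    # hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0 127.0.0.1
    remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
    remote browse sync = 192.168.1.255 192.168.2.255
    wins support = yes
"""

REMOTE1_CONF = """\
[global]
    workgroup = NEWDOM
    netbios name = REMOTE1
    # hosts allow = 192.168.0.0/24 192.168.1.0/24 10.8.0.0/24 127.0.0.1
    wins server = 192.168.0.1
    wins proxy = yes
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased with single spaces;
    '#'/';' comment lines are dropped, so a commented-out setting is absent."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def is_directed_broadcast(target, prefixlen=24):
    """True if the address in `target` (ip or ip/WORKGROUP) is the broadcast
    address of its /prefixlen network (prefix length is an assumption)."""
    ip = ipaddress.ip_address(target.split("/", 1)[0])
    return ip == ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False).broadcast_address


def audit_global(name, g):
    """Return (host, finding) tuples for one host's [global] section."""
    out = []
    workgroup = g.get("workgroup", "").upper()
    # A tun link is point-to-point with no shared broadcast domain: a
    # 192.168.x.255 target is a directed broadcast that the far gateway does
    # not re-broadcast onto its LAN. Address the remote nmbd by unicast.
    for key in ("remote browse sync", "remote announce"):
        for target in g.get(key, "").split():
            if is_directed_broadcast(target):
                out.append((name, f"{key}: {target} is a subnet broadcast, not a unicast nmbd address"))
            wg = target.partition("/")[2].upper()
            if key == "remote announce" and wg and wg != workgroup:
                out.append((name, f"remote announce: {target} names workgroup {wg}, host is in {workgroup}"))
    # WINS: either serve it or point at a server; a host doing neither resolves
    # names by broadcast only, which never crosses the tunnel.
    serves, client = truthy(g.get("wins support", "no")), "wins server" in g
    if serves and client:
        out.append((name, "wins support = yes and wins server are both set"))
    if not serves and not client:
        out.append((name, "neither wins support nor wins server: broadcast-only name resolution"))
    # hosts allow absent (commented out counts as absent) means smbd/nmbd accept
    # every source that can route to them, i.e. both sites plus the tunnel net.
    if "hosts allow" not in g:
        out.append((name, "hosts allow is not set: Samba accepts every routed source"))
    else:
        for entry in g["hosts allow"].split():
            try:
                net = ipaddress.ip_network(entry, strict=False)  # a.b.c.d, /nn or /mask
            except ValueError:
                continue  # hostnames and EXCEPT clauses are not checked here
            if not (net.is_private or net.is_loopback):
                out.append((name, f"hosts allow: {entry} is not a private or loopback range"))
    return out


def audit_site_pair(head_text, remote_text):
    """Audit both gateways of one tunnel, then cross-check the WINS pairing."""
    head = parse_smb_conf(head_text).get("global", {})
    remote = parse_smb_conf(remote_text).get("global", {})
    out = audit_global(head.get("netbios name", "head"), head)
    out += audit_global(remote.get("netbios name", "remote"), remote)
    if "wins server" in remote and not truthy(head.get("wins support", "no")):
        out.append(("both", f"wins server {remote['wins server']} is set but the peer has no wins support"))
    return out


if __name__ == "__main__":
    for host, msg in audit_site_pair(HEADOFFICE_CONF, REMOTE1_CONF):
        print(f"{host}: {msg}")
```

Run against the trimmed configs it reports the four broadcast targets on HEADOFFICE and the missing `hosts allow` on both hosts; pointing `remote browse sync` and `remote announce` at 192.168.1.254 and uncommenting `hosts allow` on both sides clears every finding. The script only reads text, so it complements rather than replaces `testparm`, which validates syntax but does not reason about what a routed tunnel will carry.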