Multi subnet samba problem - SMB


  1. Multi subnet samba problem

    I've seen several posts that are similar to my setup but not exactly.
    Here's the setup network-wise:
    1) I have 3 distinct subnets, A, B, and C.
    2) I have a Solaris machine on Subnet B running samba 2.2.8a. I have
    it set up to announce and sync to at least one machine on subnets A and
    C.
    3) All of the machines are Win2K in peer to peer mode, i.e. no domain
    controller, and are configured to use the same WORKGROUP name.
    4) On machine 1 on subnet A, I have it configured to use the samba
    host on subnet B as the WINS server.

    For my samba machine I have basically these settings:
    [global]
    security = user
    encrypt passwords = yes
    unix password sync = yes
    os level = 65
    domain master = yes
    local master = yes
    preferred master = yes
    wins support = yes

    Successes:
    1) I was able to successfully connect from any of the machines on
    subnet B to the samba machine after I added my userid using smbpasswd.
    2) I can see the samba server from all 3 subnets using network
    neighborhood

    Problem:
    When I try to connect via network neighborhood from computer 1A subnet
    A, it says "The account is not authorized to log in from this
    station". I have checked the registry and it doesn't appear to have
    the send plain text hack installed.

    If I use smbclient -L to pretend to be computer 1A, it lets me browse
    anonymously. If I log in using a correct account and password it says
    "NT_STATUS_ACCESS_DENIED". If I give it the wrong password it says
    "NT_STATUS_LOGON_FAILURE".

    If I use smbclient -L to pretend to be a computer 1B, it doesn't let
    me browse anonymously, error "NT_STATUS_ACCESS_DENIED". If I log in
    using correct credentials, it lets me browse. With a wrong password, I
    get error "NT_STATUS_LOGON_FAILURE".

    Questions:
    1) To get this to work, do I HAVE to have the samba machine work as a
    PDC?
    2) Do I have to create a new DOMAIN for the machines to log into?
    3) Can I get this to work using a "WORKGROUP" setup?

    Any help would be much appreciated.

    Q

  2. Re: Multi subnet samba problem

    Anyone? To summarize:
    1) Multiple subnets, machines on the same subnet as samba server have
    no problems browsing and connecting to shares. Machines on different
    subnet can see samba server, but not other PCs and cannot connect to
    samba server (giving "not authorized" errors).
    2) Encryption is turned on.
    3) Test user is in smbpasswd file.
    4) All machines are win2k except 1 XP (on same samba subnet, works
    fine too).

    Any insight would be appreciated. Thanks again.

    Q

  3. Re: Multi subnet samba problem

    "q777" wrote in message
    news:9f14310.0309081331.2d149849@posting.google.com...
    > Anyone? To summarize:
    > 1) Multiple subnets, machines on the same subnet as samba server have
    > no problems browsing and connecting to shares. Machines on different
    > subnet can see samba server, but not other PCs and cannot connect to
    > samba server (giving "not authorized" errors).
    > 2) Encryption is turned on.
    > 3) Test user is in smbpasswd file.
    > 4) All machines are win2k except 1 XP (on same samba subnet, works
    > fine too).
    >
    > Any insight would be appreciated. Thanks again.
    >
    > Q


    OK, I'll take a shot here.

    I think part of the problem may be to do with the master browser list. Check
    the smb.conf documentation for wins server and wins support.

    Basically, the systems register themselves with a WINS server or the local
    master browser using broadcast. They can't broadcast through (over ?) a
    router so if the master browser isn't on their subnet, they can't register
    themselves.

    One way around it is to tell the systems where the WINS server is by hand
    writing it into the TCP/IP settings of every system, or you can get DHCP to
    distribute the location if you use DHCP to allocate IP addresses. Another
    solution is to put the master browser on all three nets. It would have a
    connection to all subnets. All the other systems can then see it.



  4. Re: Multi subnet samba problem

    In article , "m.marien" wrote:
    >"q777" wrote in message
    >news:9f14310.0309081331.2d149849@posting.google.com...
    >> Anyone? To summarize:
    >> 1) Multiple subnets, machines on the same subnet as samba server have
    >> no problems browsing and connecting to shares. Machines on different
    >> subnet can see samba server, but not other PCs and cannot connect to
    >> samba server (giving "not authorized" errors).
    >> 2) Encryption is turned on.
    >> 3) Test user is in smbpasswd file.
    >> 4) All machines are win2k except 1 XP (on same samba subnet, works
    >> fine too).
    >>


    >
    >I think part of the problem may be to do with the master browser list. Check
    >the smb.conf documentation for wins server and wins support.
    >
    >Basically, the systems register themselves with a WINS server or the local
    >master browser using broadcast. They can't broadcast through (over ?) a
    >router so if the master browser isn't on their subnet, they can't register
    >themselves.
    >
    >One way around it is to tell the systems where the WINS server is by hand
    >writing it into the TCP/IP settings of every system, or you can get DHCP to
    >distribute the location if you use DHCP to allocate IP addresses. Another
    >solution is to put the master browser on all three nets. It would have a
    >connection to all subnets. All the other systems can then see it.
    >


    I face a similar problem here with 2 IP subnets .. I kind of solved the
    problem with using 2 nics in the server each configured on a subnet .. not an
    elegant method but it kind of works .. although there is seemingly a master
    browser problem :-( .. I can only see the workgroups when I log on to the
    "local pc" not if I logon to the domain ... it probably also works by defining
    a "network alias" ie a single nic with 2 ip addresses (aka eth0 & eth0:1) did
    not push the research/functionality of that combination though

    so any flashy ideas on how to improve things are most welcome :-)


    --
    remove_clothes to answer over email



  5. Re: Multi subnet samba problem


    "imbsysop" wrote in message
    news:bjk158$ol8$4@snic.vub.ac.be...
    > In article , "m.marien" wrote:
    > >"q777" wrote in message
    > >news:9f14310.0309081331.2d149849@posting.google.com...
    > >> Anyone? To summarize:
    > >> 1) Multiple subnets, machines on the same subnet as samba server have
    > >> no problems browsing and connecting to shares. Machines on different
    > >> subnet can see samba server, but not other PCs and cannot connect to
    > >> samba server (giving "not authorized" errors).
    > >> 2) Encryption is turned on.
    > >> 3) Test user is in smbpasswd file.
    > >> 4) All machines are win2k except 1 XP (on same samba subnet, works
    > >> fine too).
    > >>
    > >
    > >I think part of the problem may be to do with the master browser list. Check
    > >the smb.conf documentation for wins server and wins support.
    > >
    > >Basically, the systems register themselves with a WINS server or the local
    > >master browser using broadcast. They can't broadcast through (over ?) a
    > >router so if the master browser isn't on their subnet, they can't register
    > >themselves.
    > >
    > >One way around it is to tell the systems where the WINS server is by hand
    > >writing it into the TCP/IP settings of every system, or you can get DHCP to
    > >distribute the location if you use DHCP to allocate IP addresses. Another
    > >solution is to put the master browser on all three nets. It would have a
    > >connection to all subnets. All the other systems can then see it.
    > >
    >
    > I face a similar problem here with 2 IP subnets .. I kind of solved the
    > problem with using 2 nics in the server each configured on a subnet .. not an
    > elegant method but it kind of works .. although there is seemingly a master
    > browser problem :-( .. I can only see the workgroups when I log on to the
    > "local pc" not if I logon to the domain ... it probably also works by defining
    > a "network alias" ie a single nic with 2 ip addresses (aka eth0 & eth0:1) did
    > not push the research/functionality of that combination though
    >


    The browsing from a local logon but not the domain logon is certainly
    strange.

    Do you have WINS support turned on? The file BROWSING.txt in the Samba
    /docs folder explains the problems with subnet browsing and how to solve it.

    > so any flashy ideas on how to improve things are most welcome :-)
    >
    >
    > --
    > remove_clothes to answer over email
    >
    >




  6. Re: Multi subnet samba problem

    In article , "m.marien" wrote:
    >
    >"imbsysop" wrote in message
    >news:bjk158$ol8$4@snic.vub.ac.be...
    >> browser problem :-( .. I can only see the workgroups when I log on to the
    >> "local pc" not if I logon to the domain ... it probably also works by defining
    >> a "network alias" ie a single nic with 2 ip addresses (aka eth0 & eth0:1) did
    >> not push the research/functionality of that combination though
    >>
    >
    >The browsing from a local logon but not the domain logon is certainly
    >strange.
    >
    >Do you have a WINS support turned on ? The file BROWSING.txt in the Samba
    >/docs folder explains the problems with subnet browsing and how to solve it.
    >


    yes wins support is on .. but I think the problem emerges from a rather
    peculiar way in which the IP subnets are attributed .. it is not a priority
    as such because I'm better off if the users can't mess around in the other
    workgroups that contain a lot of (badly protected) W95/98 machines :-)

    thnx !

    --
    remove_clothes to answer over email



  7. Re: Multi subnet samba problem

    I found what was causing my problems. I vaguely remembered somebody
    mentioning something about a "signorseal" registry entry that caused
    problems for people using XP and possibly Win2K with SP4. So I started
    searching and snooping around and an article pointed me to the "Local
    Security Policy" in the Administrative Tools. Under "Security
    Settings" -> "Local Policies" -> "Security Options" there are several
    settings:
    "Digitally sign client communication (always)"
    "Digitally sign client communication (when possible)"
    "Digitally sign server communication (always)"
    "Digitally sign server communication (when possible)"

    If the "always" settings are set to "enable", then it causes the "not
    authorized" errors. The "when possible" settings can be on or off.
    Once I disabled the "always" for server, samba can connect without the
    (ACCESS DENIED). If "always" is disabled for client, then I can
    connect to the samba server. All of the machines can map to each
    other, but only machines in the same subnet can see each other in the
    "network neighborhood". Will look at the BROWSING.txt documentation.
    Just thought I would share my experience to save someone from having
    to go through all this. I'm not sure if SP4 enabled this feature or
    not because another machine that has SP4 doesn't have the always
    settings enabled. Thanks for all the suggestions above.

    Q
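
The four policy settings named in the post above, worked through as an added example (not code from any poster in the thread). It assumes the "(when possible)" and "(always)" options map to the `EnableSecuritySignature` and `RequireSecuritySignature` registry values under the `LanmanWorkstation` (client) and `LanmanServer` (server) `Parameters` keys, and that the Samba 2.2.8a host cannot sign at all; the `reg query` output is constructed sample text.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningPolicy:
    enabled: bool   # "Digitally sign ... communication (when possible)"
    required: bool  # "Digitally sign ... communication (always)"

    @property
    def can_sign(self) -> bool:
        return self.enabled or self.required


# Assumption: a peer with no SMB signing support, standing in for the
# thread's Samba 2.2.8a host.
NO_SIGNING = SigningPolicy(enabled=False, required=False)

_DWORD = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")
_NEEDED = {"enablesecuritysignature", "requiresecuritysignature"}


def parse_reg_query(text: str) -> SigningPolicy:
    """Read both signing values from `reg query` output for one Parameters key."""
    values = {}
    for line in text.splitlines():
        m = _DWORD.match(line)
        if m:
            # Registry value names are case-insensitive, so normalise them.
            values[m.group(1).lower()] = int(m.group(2), 16)
    missing = _NEEDED - values.keys()
    if missing:
        # Do not guess a default: it differs between Windows versions.
        raise ValueError(f"value(s) not present in output: {sorted(missing)}")
    return SigningPolicy(
        enabled=values["enablesecuritysignature"] != 0,
        required=values["requiresecuritysignature"] != 0,
    )


def negotiate(client: SigningPolicy, server: SigningPolicy) -> str:
    """Outcome of session setup between two peers with these policies."""
    if client.required and not server.can_sign:
        return "refused: client requires signing, server cannot sign"
    if server.required and not client.can_sign:
        return "refused: server requires signing, client cannot sign"
    return "signed" if client.can_sign and server.can_sign else "unsigned"


# Constructed sample: Windows client with "always" enabled (the failing case).
CLIENT_ALWAYS = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x1
"""

# Constructed sample: same client after "always" is disabled.
CLIENT_WHEN_POSSIBLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    enablesecuritysignature    REG_DWORD    0x1
    requiresecuritysignature    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for label, sample in (("always", CLIENT_ALWAYS),
                          ("when possible", CLIENT_WHEN_POSSIBLE)):
        policy = parse_reg_query(sample)
        print(f"client '{label}' -> Samba 2.2.8a:", negotiate(policy, NO_SIGNING))
    # Reverse direction: a non-signing client to a server that requires signing.
    print("smbclient -> Windows server 'always':",
          negotiate(NO_SIGNING, SigningPolicy(enabled=True, required=True)))
```

The "unsigned" result is the state the post ends up in: the connection works, but the SMB traffic carries no integrity protection.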

  8. Re: Multi subnet samba problem

    In article <9f14310.0309111348.535856cb@posting.google.com>, quang777@email.com (q777) wrote:
    >I found what was causing my problems. I vaguely remembered somebody
    >mentioning something about a "signorseal" registry entry that caused
    >problems for people using XP and possibly Win2K with SP4. So I started
    >searching and snooping around and an article pointed me to the "Local
    >Security Policy" in the Administrative Tools. Under "Security
    >Settings" -> "Local Policies" -> "Security Options" there are several
    >settings:
    >"Digitally sign client communication (always)"
    >"Digitally sign client communication (when possible)"
    >"Digitally sign server communication (always)"
    >"Digitally sign server communication (when possible)"
    >


    I set these all to disabled by "default" before attempting anything from
    workstation towards server .. I did read through the browsing.txt a couple of
    times and it does not become any clearer .. there is however something rather
    obscure in the Microsoft documentation that suggests that for browsing across
    "Microsoft" subnets (not absolutely clear by their definitions if this spans
    only IP subnets or MS domains) each subnet needs its own DC .. so I've kind of
    given up :-)


    --
    remove_clothes to answer over email



  9. Re: Multi subnet samba problem


    "imbsysop" wrote in message
    news:bjrr9i$j3t$1@snic.vub.ac.be...
    > In article <9f14310.0309111348.535856cb@posting.google.com>, quang777@email.com (q777) wrote:
    > >I found what was causing my problems. I vaguely remembered somebody
    > >mentioning something about a "signorseal" registry entry that caused
    > >problems for people using XP and possibly Win2K with SP4. So I started
    > >searching and snooping around and an article pointed me to the "Local
    > >Security Policy" in the Administrative Tools. Under "Security
    > >Settings" -> "Local Policies" -> "Security Options" there are several
    > >settings:
    > >"Digitally sign client communication (always)"
    > >"Digitally sign client communication (when possible)"
    > >"Digitally sign server communication (always)"
    > >"Digitally sign server communication (when possible)"
    > >
    >
    > I set these all to disabled by "default" before attempting anything from
    > workstation towards server .. I did read through the browsing.txt a couple of
    > times and it does not become any clearer .. there is however something rather
    > obscure in the Microsoft documentation that suggests that for browsing across
    > "Microsoft" subnets (not absolutely clear by their definitions if this spans
    > only IP subnets or MS domains) each subnet needs its own DC .. so I've kind of
    > given up :-)


    I remember reading about this many years ago in a manual for a product
    named SCO Vision FS. I think the documentation stated that clients could
    only see servers in other IP subnets, if both contained a Vision FS server,
    and some kind of tunneling had been set up between the two servers. I guess
    the same is true for MS servers according to the doc you quote. I do not
    know how it is in samba.

    I believe that UDP broadcast is the way servers identify themselves to
    clients. Maybe the subnet problems are related to gateway/routers not
    forwarding UDP broadcasts from subnet to subnet?

    Have you tried to use IP rather than server name to connect from client
    to server, like \\123.123.123.123\sharename ? If this works you can make
    it work from the windows clients by adding the server to the LMHOSTS file.

    I do not know if any of this will help, but it is worth a shot.

    Roald





  10. Re: Multi subnet samba problem

    I do have both the remote announce and remote browse sync in my
    smb.conf. I've also tried to include both the IP address of the local
    master browser in the other subnet as well as the broadcast address (I
    think it's the broadcast). What's the broadcast address if the subnet
    mask is 255.255.255.128? Also, one other question regarding protocol &
    browsing. I've read in several posts and documents that if you want
    browsing to work over multiple subnets, that the machines should only
    have Netbios over TCPIP. My question is this:

    Do ALL machines on the SUBNETS have to be setup like this?
    Or can it just be ALL the machines on the SUBNET that's in the same
    workgroup (ie, same virtual LAN)?

    We're in a university campus environment with several other
    departments that we can't necessarily control what the other
    departments have configured with regards to network protocols
    installed. If a machine in another workgroup has netbeui installed
    that's on the same subnet as our machines, would that break
    multisubnet browsing? Thanks

    Q

    Gaurav Walia wrote in message news:...
    > The problem is that your samba server isn't broadcasting on the other
    > subnets. I had the same issue if I'm reading your question correctly
    >
    > Add this to your smb.conf file:
    >
    > xxx - withheld
    >
    > # Configure remote browse list synchronisation here
    > # request announcement to, or browse list sync from:
    > # a specific host or from / to a whole subnet (see below)
    > remote browse sync = xxx.xxx.1.255 xxx.xxx.2.255
    > # Cause this host to announce itself to local subnets here
    > remote announce = xxx.xxx.1.255 xxx.xxx.2.255
    >
    >
    > good luck
    >
    > m.marien wrote:
    >
    > >"q777" wrote in message
    > >news:9f14310.0309081331.2d149849@posting.google.com...
    > >
    > >
    > >>Anyone? To summarize:
    > >>1) Multiple subnets, machines on the same subnet as samba server have
    > >>no problems browsing and connecting to shares. Machines on different
    > >>subnet can see samba server, but not other PCs and cannot connect to
    > >>samba server (giving "not authorized" errors).
    > >>2) Encryption is turned on.
    > >>3) Test user is in smbpasswd file.
    > >>4) All machines are win2k except 1 XP (on same samba subnet, works
    > >>fine too).
    > >>
    > >>Any insight would be appreciated. Thanks again.
    > >>
    > >>Q
    > >>
    > >>

    > >
    > >OK, I'll take a shot here.
    > >
    > >I think part of the problem may be to do with the master browser list. Check
    > >the smb.conf documentation for wins server and wins support.
    > >
    > >Basically, the systems register themselves with a WINS server or the local
    > >master browser using broadcast. They can't broadcast through (over ?) a
    > >router so if the master browser isn't on their subnet, they can't register
    > >themselves.
    > >
    > >One way around it is to tell the systems where the WINS server is by hand
    > >writing it into the TCP/IP settings of every system, or you can get DHCP to
    > >distribute the location if you use DHCP to allocate IP addresses. Another
    > >solution is to put the master browser on all three nets. It would have a
    > >connection to all subnets. All the other systems can then see it.
    > >
    > >
    > >
    > >

    >
    > --
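
The broadcast-address question in the post above, worked as an added example (not part of any post in the thread): with mask 255.255.255.128 each /24 splits into two subnets, so the directed broadcast ends in .127 or .255 depending on which half a host is in. The addresses are constructed documentation ranges, `remote_browse_lines` is a hypothetical helper, and every subnet is assumed to use the same mask.

```python
import ipaddress


def directed_broadcast(host: str, netmask: str) -> str:
    """Directed broadcast address of the subnet that `host` sits in."""
    iface = ipaddress.ip_interface(f"{host}/{netmask}")  # rejects invalid masks
    return str(iface.network.broadcast_address)


def remote_browse_lines(server_ip, netmask, remote_hosts, workgroup=None):
    """Build smb.conf lines from one known host per remote subnet.

    Hosts that share the server's subnet are skipped (ordinary broadcasts
    already reach them) and each remote subnet is listed once.
    """
    local_net = ipaddress.ip_interface(f"{server_ip}/{netmask}").network
    targets = []
    for host in remote_hosts:
        net = ipaddress.ip_interface(f"{host}/{netmask}").network
        if net == local_net:
            continue
        bcast = str(net.broadcast_address)
        if bcast not in targets:
            targets.append(bcast)
    if not targets:
        return []
    # "remote announce" accepts an optional /WORKGROUP suffix per address.
    announce = [f"{t}/{workgroup}" if workgroup else t for t in targets]
    return [
        "remote announce = " + " ".join(announce),
        "remote browse sync = " + " ".join(targets),
    ]


# Constructed sample: Samba host in the upper half of 192.0.2.0/24.
SERVER_IP = "192.0.2.140"
NETMASK = "255.255.255.128"
KNOWN_HOSTS = [
    "192.0.2.20",      # lower half of the same /24: a different subnet
    "198.51.100.200",  # upper half of another /24
    "192.0.2.150",     # same subnet as the server: skipped
    "192.0.2.99",      # second host in an already listed subnet: deduplicated
]

if __name__ == "__main__":
    for line in remote_browse_lines(SERVER_IP, NETMASK, KNOWN_HOSTS, "WORKGROUP"):
        print(line)
```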


  11. Re: Multi subnet samba problem


    "q777" wrote in message
    news:9f14310.0309111348.535856cb@posting.google.com...
    > I found what was causing my problems. I vaguely remembered somebody
    > mentioning something about a "signorseal" registry entry that caused
    > problems for people using XP and possibly Win2K with SP4. So I started
    > searching and snooping around and an article pointed me to the "Local
    > Security Policy" in the Administrative Tools. Under "Security
    > Settings" -> "Local Policies" -> "Security Options" there are several
    > settings:
    > "Digitally sign client communication (always)"
    > "Digitally sign client communication (when possible)"
    > "Digitally sign server communication (always)"
    > "Digitally sign server communication (when possible)"
    >
    > If the "always" settings are set to "enable", then it causes the "not
    > authorized" errors. The "when possible" settings can be on or off.
    > Once I disabled the "always" for server, samba can connect without the
    > (ACCESS DENIED). If "always" is disabled for client, then I can
    > connect to the samba server. All of the machines can map to each
    > other, but only machines in the same subnet can see each other in the
    > "network neighborhood". Will look at the BROWSING.txt documentation.
    > Just thought I would share my experience to save someone from having
    > to go through all this. I'm not sure if SP4 enabled this feature or
    > not because another machine that has SP4 doesn't have the always
    > settings enabled. Thanks for all the suggestions above.
    >
    > Q


    This will cause problems for XP but not Win2000 (perhaps prior to SP4). MS
    KB article is here.

    http://support.microsoft.com/default...s;318266&sd=ee

    Have you tried setting the Samba server as a WINS server and enabled the
    workstations to find the WINS server by setting the IP in the TCP/IP
    properties ?



  12. Re: Multi subnet samba problem

    In article <3f61ef93$1@news.broadpark.no>, "Roald Ribe" wrote:
    >
    >"imbsysop" wrote in message
    >news:bjrr9i$j3t$1@snic.vub.ac.be...
    >> In article <9f14310.0309111348.535856cb@posting.google.com>, quang777@email.com (q777) wrote:

    snip
    >> obscure in the Microsoft documentation that suggests that for browsing across
    >> "Microsoft" subnets (not absolutely clear by their definitions if this spans
    >> only IP subnets or MS domains) each subnet needs its own DC .. so I've kind of
    >> given up :-)

    >


    >I believe that UDP broadcast is the way servers identify themselves to
    >clients. Maybe the subnet problems are related to gateway/routers not
    >forwarding UDP broadcasts for subnet to subnet?


    as far as I can trust docs .. indeed UDP seems to be the only protocol to
    cross subnets over a router ..

    >Have you tried to use IP rather than server name to connect from client
    >to server, like \\123.123.123.123\sharename ? If this works you can make
    >it work from the windows clients by adding the server to LMHOSTS. file.
    >
    >I do not know if any of this will help, but it is worth a shot.


    well I gave that a shot for one subnet but to implement it on a larger scale
    and adding tons of machines in the other subnet + keeping this up to date is
    barely practical :-) .. that is why I've almost given up :-)

    --
    remove_clothes to answer over email



  13. Re: Multi subnet samba problem

    In article , Gaurav Walia wrote:
    >The problem is that your samba server isn't broadcasting on the other
    >subnets. I had the same issue if I'm reading your question correctly
    >
    >Add this to your smb.conf file:
    >
    >xxx - withheld
    >
    ># Configure remote browse list synchronisation here
    ># request announcement to, or browse list sync from:
    ># a specific host or from / to a whole subnet (see below)
    > remote browse sync = xxx.xxx.1.255 xxx.xxx.2.255
    ># Cause this host to announce itself to local subnets here
    > remote announce = xxx.xxx.1.255 xxx.xxx.2.255


    I did put in these statements from the beginning on ... it is still not quite
    clear what they are supposed to do .. & BTW the documentation clearly states
    that the remote browse sync only works if the other network has a samba server
    .. it doesn't ..
    .. and I think I still have some obscure? problem with wins ..

    --
    remove_clothes to answer over email



  14. Re: Multi subnet samba problem


    "imbsysop" wrote in message
    news:bk40k1$f8$1@snic.vub.ac.be...
    > In article <3f61ef93$1@news.broadpark.no>, "Roald Ribe" wrote:
    > >
    > >"imbsysop" wrote in message
    > >news:bjrr9i$j3t$1@snic.vub.ac.be...
    > >> In article <9f14310.0309111348.535856cb@posting.google.com>, quang777@email.com (q777) wrote:
    >
    > snip
    > >> obscure in the Microsoft documentation that suggests that for browsing across
    > >> "Microsoft" subnets (not absolutely clear by their definitions if this spans
    > >> only IP subnets or MS domains) each subnet needs its own DC .. so I've kind of
    > >> given up :-)
    > >
    > >I believe that UDP broadcast is the way servers identify themselves to
    > >clients. Maybe the subnet problems are related to gateway/routers not
    > >forwarding UDP broadcasts for subnet to subnet?
    >
    > as far as I can trust docs .. indeed UDP seems to be the only protocol to
    > cross subnets over a router ..
    >
    > >Have you tried to use IP rather than server name to connect from client
    > >to server, like \\123.123.123.123\sharename ? If this works you can make
    > >it work from the windows clients by adding the server to LMHOSTS. file.
    > >
    > >I do not know if any of this will help, but it is worth a shot.
    >
    > well I gave that a shot for one subnet but to implement it one larger scale
    > and adding tons of machines in the other subnet + keeping this up to date is
    > barely practical :-) .. that is why i've almost given up :-)
    >


    That is what a WINS server is for.

    > --
    > remove_clothes to answer over email
    >
    >




  15. Re: Multi subnet samba problem

    In article , "m.marien" wrote:
    >
    >"imbsysop" wrote in message
    >news:bk40k1$f8$1@snic.vub.ac.be...
    >> In article <3f61ef93$1@news.broadpark.no>, "Roald Ribe" wrote:
    >> >
    >> >"imbsysop" wrote in message
    >> >news:bjrr9i$j3t$1@snic.vub.ac.be...
    >> >> In article <9f14310.0309111348.535856cb@posting.google.com>,
    >>
    >> and adding tons of machines in the other subnet + keeping this up to date is
    >> barely practical :-) .. that is why i've almost given up :-)
    >>
    >
    >That is what a WINS server is for.


    .. I know :-) but I recently found out that it is not getting any response
    from one subnet so I have to dig into that for troubleshooting .. :-)


    --
    remove_clothes to answer over email


