samba browsing across subnets via vpn [solved]

Posted: Tue Jan 15, 2013 2:51 pm
by patey
I have set up an IPSec VPN from a machine running Mint 14 (64 bit) using a Shrew client (version 2.2.0) and connecting to a Netgear VPN gateway/router. This seems to be working fine - I can ping clients on the remote network and ssh into a NAS box running Linux and I can connect to Windows shares by IP address.

What I would like to do is get network browsing working. I have followed a guide here http://www.linuxplanet.com/linuxplanet/tutorials/6600/1 which basically says the trick is to have a WINS server. So I have tried to set up the NAS box to be a WINS server and to be the domain master browser. On my remote machine I have set it to become the local master browser and set the WINS server to the IP of the NAS box (192.168.1.2). But I can't see the remote computers in the network browser. In the nmbd log file it says:

[2013/01/15 18:31:23, 0] nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****

  Samba name server MATT is now a local master browser for workgroup PATEYHOME on subnet 10.21.150.184

  *****
[2013/01/15 18:32:00, 0] nmbd/nmbd_browsesync.c:248(domain_master_node_status_fail)
  domain_master_node_status_fail:
  Doing a node status request to the domain master browser
  for workgroup PATEYHOME at IP 169.254.231.202 failed.
  Cannot sync browser lists.

The remote subnet is 192.168.1.2/24.
The VPN subnet is 10.21.150.184/32, assigned to a virtual adapter by the Shrew client (tap0).
The IP in the error message seems to be a link-local address on eth0, so it can't reach the WINS server at 192.168.1.2, but I don't really understand what's going on.

Any ideas what I'm doing wrong?

Re: samba browsing across subnets via vpn

Posted: Mon Jan 21, 2013 8:45 am
by snison
What do you get when using
nmblookup computername

uslrkpr0@uslrkpr0 ~ $ nmblookup vbrp0mint
querying vbpr0mint on 192.168.22.255
192.168.22.193 vbpr0mint<00>

Re: samba browsing across subnets via vpn

Posted: Mon Jan 21, 2013 4:52 pm
by patey
Hi, I get:

$ nmblookup ds508
querying ds508 on 192.168.0.255
querying ds508 on 10.21.150.187
name_query failed to find name ds508

ds508 is at 192.168.1.2, which is accessible through the 10.21.150.187/32 subnet I defined for the VPN.

Re: samba browsing across subnets via vpn

Posted: Mon Jan 21, 2013 11:45 pm
by snison
name_query failed to find name ds508
ds508 is at 192.168.1.2, which is accessible through the 10.21.150.187/32 subnet I defined for the VPN.


You can only connect to one machine with a /32. A CIDR for .187 must be at /24 or higher. /25 would only go to .124 I believe.

What is your local subnet?

Re: samba browsing across subnets via vpn

Posted: Tue Jan 22, 2013 4:52 am
by patey
Sorry, it was a typo. The mask is /30 not /32 (i.e. 255.255.255.252). This PC is at 10.21.150.184 and I guess 10.21.150.187 is the broadcast address.
The local subnet is 192.168.0.0/24. The remote network is 192.168.1.0/24.

Re: samba browsing across subnets via vpn

Posted: Tue Jan 22, 2013 6:42 pm
by snison
Are you able to ping 192.168.1.2?

If you are using 10.21.150.184/30, then you can only use 10.21.50.185 and 186 as the IPs. You can't use .184 or .187.

Re: samba browsing across subnets via vpn

Posted: Wed Jan 23, 2013 10:48 am
by patey
Yes, I can ping 192.168.1.2 (and the gateway (192.168.1.1) or any other computer on the remote network). Computers on the remote network can ping my computer (10.21.150.184). Unless this reply is not from my computer but from the VPN gateway?

I can also connect to Windows shares by using the IP address. It seems to be only browsing/name resolution that doesn't work. Am I right in thinking that the nmblookup command failed because it tried to use broadcasts to find the server and broadcasts aren't passed on by routers? I have set the lookup priority for the client to wins lmhosts hosts bcast, but since WINS isn't working it is apparently resorting to broadcasts for name resolution.

Later today I will try setting the client IP to 10.21.150.185 and see how that goes.

Re: samba browsing across subnets via vpn

Posted: Wed Jan 23, 2013 6:12 pm
by patey
OK, so I tried it with the IP x.x.x.185 but it still doesn't work. From the nmbd log on the client (see below) it seems to be failing at the WINS registration stage with error code 5. I've had a quick search, but so far I haven't managed to find out what that means.

I've tried to check the logs on the remote server (192.168.1.2), but for some reason it's not logging or I can't find where it is logging. There are two empty files /var/log/log.nmbd and /var/log/log.smbd. I have tried adding the following to smb.conf on the server:

        log file = /var/log/log.%m
        max log size = 1000
        log level = 10

but still no logging. Any ideas?

/var/log/samba/log.nmbd on client:

  nmbd version 3.6.6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011
[2013/01/23 21:17:42,  0] nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****
  
  Samba name server MATT is now a local master browser for workgroup PATEYHOME on subnet 192.168.0.192
  
  *****
[2013/01/23 21:17:42,  0] nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *****
  
  Samba name server MATT is now a local master browser for workgroup PATEYHOME on subnet 10.21.150.185
  
  *****
[2013/01/23 21:18:01,  0] nmbd/nmbd_nameregister.c:138(register_name_response)
  register_name_response: WINS server at IP 192.168.1.2 rejected our name registration of MATT<20> IP 10.21.150.185 with error code 5.
[2013/01/23 21:18:01,  0] nmbd/nmbd_namelistdb.c:309(standard_fail_register)
  standard_fail_register: Failed to register/refresh name MATT<20> on subnet UNICAST_SUBNET
[2013/01/23 21:18:01,  0] nmbd/nmbd_nameregister.c:138(register_name_response)
  register_name_response: WINS server at IP 192.168.1.2 rejected our name registration of MATT<03> IP 10.21.150.185 with error code 5.
[2013/01/23 21:18:01,  0] nmbd/nmbd_namelistdb.c:309(standard_fail_register)
  standard_fail_register: Failed to register/refresh name MATT<03> on subnet UNICAST_SUBNET
[2013/01/23 21:18:01,  0] nmbd/nmbd_nameregister.c:138(register_name_response)
  register_name_response: WINS server at IP 192.168.1.2 rejected our name registration of MATT<00> IP 10.21.150.185 with error code 5.
[2013/01/23 21:18:01,  0] nmbd/nmbd_namelistdb.c:309(standard_fail_register)
  standard_fail_register: Failed to register/refresh name MATT<00> on subnet UNICAST_SUBNET
[2013/01/23 21:18:03,  0] nmbd/nmbd_browsesync.c:248(domain_master_node_status_fail)
  domain_master_node_status_fail:
  Doing a node status request to the domain master browser
  for workgroup PATEYHOME at IP 169.254.231.202 failed.
  Cannot sync browser lists.

Re: samba browsing across subnets via vpn

Posted: Thu Jan 24, 2013 1:38 pm
by patey
I think I have found out where the problem lies, but I'm still not sure how to solve it.

I noticed that, in my last post, this error message in the client nmbd log was new:

  register_name_response: WINS server at IP 192.168.1.2 rejected our name registration of MATT<20> IP 10.21.150.185 with error code 5.

It turns out that this was because the name MATT was already registered by the WINS server.
Name registrations seem to be stored in a file called wins.dat:

# grep MATT /var/run/wins.dat
"MATT#03" 1359241388 10.21.150.184 64R
"MATT#20" 1359241388 10.21.150.184 64R
"MATT#00" 1359241388 10.21.150.184 64R

I manually changed the IP address in wins.dat to match the client (10.21.150.185) and now I am back to the original error message in the client nmbd log:

  domain_master_node_status_fail:
  Doing a node status request to the domain master browser
  for workgroup PATEYHOME at IP 169.254.231.202 failed.
  Cannot sync browser lists.

I also noticed that the wins.dat on the server contains the following for its own entry:

# grep DS508 /var/run/wins.dat
"DS508#00" 1359306211 169.254.231.202 192.168.1.2 66R
"DS508#03" 1359306211 169.254.231.202 192.168.1.2 66R
"DS508#20" 1359306211 169.254.231.202 192.168.1.2 66R

Here there are 2 IPs: the good IP (192.168.1.2) and a link-local address, which is the same as that in the client's nmbd.log. So this means that:
1. WINS name registration is working.
2. Browsing is failing because the local master browser on the other subnet (i.e. the client connecting via VPN) cannot connect to the domain master browser (which is the same machine as the WINS server) because the WINS server has registered a link-local address for itself.

I am not sure why this is or how to resolve it. I did find a reference to 169.254.231.202 in /etc/hosts so I removed it and restarted the server, but still the same problem. I have also tried removing wins.dat so that a new one is generated, but the link-local address is generated next to the functioning IP address, as before. My patchy understanding of link-local addresses is that they are used in address autoconfiguration, but I don't use DHCP to assign this server's IP, so I am a bit stuck as to what is going on.

Any ideas what is going on and how I might get the samba WINS server to register just one, correct IP address for itself?

Re: samba browsing across subnets via vpn

Posted: Thu Jan 24, 2013 6:01 pm
by patey
OK, Solved!

The problem was pretty simple. There is a second network card in the server that is unplugged and was set up for DHCP. This is the reason that the server had two IP addresses and that one of them was an unconfigured link-local address. Samba by default uses all network interfaces, and so it put the address of both interfaces in its database. The solution was to make it listen only on one interface by adding the following to the [global] section of smb.conf on the server:

interfaces = eth0

After changing that, network browsing in Nautilus and tools like nmblookup work:

$ nmblookup -U 192.168.1.2 ds508
querying ds508 on 192.168.1.2
192.168.1.2 ds508<00>
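
A check for the condition diagnosed in this thread, as an added example that is not part of the original posts: it parses wins.dat entries, assuming the layout seen in the excerpts above (quoted NAME#TYPE, expiry time, one or more IPv4 addresses, flags token), and reports registered addresses that are link-local or outside the subnets you expect. The function names, the expected-subnet list and the sample lines (adapted from the thread's excerpts) are assumptions.

```python
import ipaddress
import re

# Entry layout as seen in the thread's wins.dat excerpts (an assumption):
#   "NAME#TYPE" <expiry-epoch> <ip> [<ip> ...] <flags>R
ENTRY_RE = re.compile(r'^"(?P<name>[^"#]+)#(?P<type>[0-9A-Fa-f]{2})"\s+(?P<rest>.+)$')

def parse_wins_line(line):
    """Return (name, type, [IPv4Address, ...]) or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("rest").split()
    # fields[0] is the expiry time, fields[-1] the flags token; IPs sit between.
    if len(fields) < 3:
        return None
    addrs = []
    for tok in fields[1:-1]:
        try:
            addrs.append(ipaddress.IPv4Address(tok))
        except ValueError:
            return None  # not an address where one was expected: skip the line
    return m.group("name"), m.group("type").upper(), addrs

def audit(lines, expected_nets):
    """List (name, type, ip, reason) for every address that should not be registered."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings = []
    for line in lines:
        entry = parse_wins_line(line)
        if entry is None:
            continue
        name, ntype, addrs = entry
        for addr in addrs:
            if addr.is_link_local:  # 169.254.0.0/16, e.g. an unplugged DHCP NIC
                findings.append((name, ntype, str(addr), "link-local"))
            elif not any(addr in net for net in nets):
                findings.append((name, ntype, str(addr), "unexpected-subnet"))
    return findings

# Sample input adapted from the entries quoted in the thread.
SAMPLE = '''"MATT#20" 1359241388 10.21.150.185 64R
"DS508#00" 1359306211 169.254.231.202 192.168.1.2 66R
"DS508#20" 1359306211 169.254.231.202 192.168.1.2 66R
'''.splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["192.168.1.0/24", "10.21.150.184/30"]):
        print(finding)
```

Run against the real file by passing `open("/var/run/wins.dat")` as `lines`; an empty result after setting `interfaces = eth0` and regenerating wins.dat confirms the server no longer registers the stray address.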