From ca9384623054fde64510edfbee3fc291f1d09fb9 Mon Sep 17 00:00:00 2001
From: John Terpstra
Date: Wed, 16 Jul 2003 05:42:10 +0000
Subject: Documentation Update for Beta3.

(This used to be commit a88dc502cb3b6b2d905106675f50680bf22e2cfa)
---
 docs/htmldocs/NetworkBrowsing.html | 205 +++++++++++++++++++------------------
 1 file changed, 103 insertions(+), 102 deletions(-)

diff --git a/docs/htmldocs/NetworkBrowsing.html b/docs/htmldocs/NetworkBrowsing.html
index eb4d9858ca..34d48cacc3 100644
--- a/docs/htmldocs/NetworkBrowsing.html
+++ b/docs/htmldocs/NetworkBrowsing.html
@@ -1,4 +1,5 @@ -Chapter 10. Samba / MS Windows Network Browsing Guide

Chapter 10. Samba / MS Windows Network Browsing Guide

John H. Terpstra

Samba Team

July 5, 1998

Updated: April 21, 2003

+ +Chapter 10. Samba / MS Windows Network Browsing Guide

Chapter 10. Samba / MS Windows Network Browsing Guide

John H. Terpstra

Samba Team

July 5, 1998

Updated: April 21, 2003

This document contains detailed information as well as a fast track guide to implementing browsing across subnets and / or across workgroups (or domains). WINS is the best tool for resolution of NetBIOS names to IP addresses. WINS is @@ -9,7 +10,7 @@ over TCP/IP. Samba-3 and later also supports this mode of operation. When the use of NetBIOS over TCP/IP has been disabled then the primary means for resolution of MS Windows machine names is via DNS and Active Directory. The following information assumes that your site is running NetBIOS over TCP/IP. -

Features and Benefits

+

Features and Benefits

Someone once referred to the past in terms of: They were the worst of times, they were the best of times. The more we look back, them more we long for what was and hope it never returns!. @@ -42,7 +43,7 @@ support for NetBIOS, in which case WINS is of no relevance. Samba-3 supports thi

For those networks on which NetBIOS has been disabled (ie: WINS is NOT required) the use of DNS is necessary for host name resolution. -

What is Browsing?

+

What is Browsing?

To most people browsing means that they can see the MS Windows and Samba servers in the Network Neighborhood, and when the computer icon for a particular server is clicked, it opens up and shows the shares and printers available on the target server. @@ -80,12 +81,12 @@ called nmbd. The configuration parameters involved in For Samba, the WINS Server and WINS Support are mutually exclusive options. Those marked with an '*' are the only options that commonly MAY need to be modified. Even if not one of these parameters is set nmbd will still do it's job. -

Discussion

+

Discussion

Firstly, all MS Windows networking uses SMB (Server Message Block) based messaging. SMB messaging may be implemented with or without NetBIOS. MS Windows 200x supports NetBIOS over TCP/IP for backwards compatibility. Microsoft is intent on phasing out NetBIOS support. -

NetBIOS over TCP/IP

+

NetBIOS over TCP/IP

Samba implements NetBIOS, as does MS Windows NT / 200x / XP, by encapsulating it over TCP/IP. MS Windows products can do likewise. NetBIOS based networking uses broadcast messaging to affect browse list management. When running NetBIOS over TCP/IP, this uses UDP based messaging. @@ -129,7 +130,7 @@ Lastly, take note that browse lists are a collection of unreliable broadcast messages that are repeated at intervals of not more than 15 minutes. This means that it will take time to establish a browse list and it can take up to 45 minutes to stabilise, particularly across network segments. -

TCP/IP - without NetBIOS

+

TCP/IP - without NetBIOS

All TCP/IP using systems use various forms of host name resolution. The primary methods for TCP/IP hostname resolutions involves either a static file (/etc/hosts ) or DNS (the Domain Name System). DNS is the technology that makes @@ -165,7 +166,7 @@ consequently network services will be severely impaired. The use of Dynamic DNS is highly recommended with Active Directory, in which case the use of BIND9 is preferred for it's ability to adequately support the SRV (service) records that are needed for Active Directory. -

DNS and Active Directory

+

DNS and Active Directory

Occasionally we hear from Unix network administrators who want to use a Unix based Dynamic DNS server in place of the Microsoft DNS server. While this might be desirable to some, the MS Windows 200x DNS server is auto-configured to work with Active Directory. It is possible @@ -187,7 +188,7 @@ The following are some of the default service records that Active Directory requ

  • _ldap._tcp.Site.gc.ms-dcs.DomainTree

    Used by MS Windows clients to locate site configuration dependent Global Catalog server. -

  • How Browsing Functions

    +

    How Browsing Functions

    MS Windows machines register their NetBIOS names (ie: the machine name for each service type in operation) on start up. The exact method by which this name registration @@ -242,7 +243,7 @@ words, for cross subnet browsing to function correctly it is essential that a name to address resolution mechanism be provided. This mechanism could be via DNS, /etc/hosts, and so on. -

    Setting up WORKGROUP Browsing

    +

    Setting up WORKGROUP Browsing

    To set up cross subnet browsing on a network containing machines in up to be in a WORKGROUP, not an NT Domain you need to set up one Samba server to be the Domain Master Browser (note that this is *NOT* @@ -260,22 +261,22 @@ Samba server, and there must only be one domain master browser per workgroup name. To set up a Samba server as a domain master browser, set the following option in the [global] section of the smb.conf file : -

    -

    +

    +
     	domain master = yes
    -

    -

    +

    +

    The domain master browser should also preferrably be the local master browser for its own subnet. In order to achieve this set the following options in the [global] section of the smb.conf file : -

    -

    +

    +
     	domain master = yes
     	local master = yes
     	preferred master = yes
     	os level = 65
    -

    -

    +

    +

    The domain master browser may be the same machine as the WINS server, if you require.

    @@ -287,14 +288,14 @@ tend to get rebooted more often, so it's not such a good idea to use these). To make a Samba server a local master browser set the following options in the [global] section of the smb.conf file : -

    -

    +

    +
     	domain master = no
     	local master = yes
     	preferred master = yes
     	os level = 65
    -

    -

    +

    +

    Do not do this for more than one Samba server on each subnet, or they will war with each other over which is to be the local master browser. @@ -309,14 +310,14 @@ be the local master browser then you can disable Samba from becoming a local master browser by setting the following options in the [global] section of the smb.conf file : -

    -

    +

    +
     	domain master = no
     	local master = no
     	preferred master = no
     	os level = 0
    -

    -

    Setting up DOMAIN Browsing

    + +

    Setting up DOMAIN Browsing

    If you are adding Samba servers to a Windows NT Domain then you must not set up a Samba server as a domain master browser. By default, a Windows NT Primary Domain Controller for a domain @@ -330,14 +331,14 @@ you may set up Samba servers as local master browsers as described. To make a Samba server a local master browser set the following options in the [global] section of the smb.conf file : -

    -

    +

    +
     	domain master = no
     	local master = yes
     	preferred master = yes
     	os level = 65
    -

    -

    +

    +

    If you wish to have a Samba server fight the election with machines on the same subnet you may set the os level parameter to lower levels. By doing this you can tune the order of machines that @@ -352,14 +353,14 @@ you can disable Samba from taking part in browser elections and ever becoming a local master browser by setting following options in the [global] section of the smb.conf file : -

    -

    +

    +
             domain master = no
             local master = no
             preferred master = no
             os level = 0
    -

    -

    Forcing Samba to be the master

    + +

    Forcing Samba to be the master

    Who becomes the master browser is determined by an election process using broadcasts. Each election packet contains a number of parameters which determine what precedence (bias) a host should have in the @@ -396,7 +397,7 @@ attempt to become the domain master browser every 5 minutes. They will find that another Samba server is already the domain master browser and will fail. This provides automatic redundancy, should the current domain master browser fail. -

    Making Samba the domain master

    +

    Making Samba the domain master

    The domain master is responsible for collating the browse lists of multiple subnets so that browsing can occur between subnets. You can make Samba act as the domain master by setting domain master = yes @@ -438,30 +439,30 @@ If, however, both Samba and your clients are using a WINS server, then: resolve the NetBIOS name of that host. as long as that host has registered its NetBIOS name with the same WINS server, the user will be able to see that host. -

    Note about broadcast addresses

    +

    Note about broadcast addresses

    If your network uses a "0" based broadcast address (for example if it ends in a 0) then you will strike problems. Windows for Workgroups does not seem to support a 0's broadcast and you will probably find that browsing and name lookups won't work. -

    Multiple interfaces

    +

    Multiple interfaces

    Samba now supports machines with multiple network interfaces. If you have multiple interfaces then you will need to use the interfaces option in smb.conf to configure them. -

    Use of the Remote Announce parameter

    +

    Use of the Remote Announce parameter

    The remote announce parameter of smb.conf can be used to forcibly ensure that all the NetBIOS names on a network get announced to a remote network. The syntax of the remote announce parameter is: -

    +
     	remote announce = a.b.c.d [e.f.g.h] ...
    -

    +

    or -

    +
     	remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
    -

    +

    where: -

    a.b.c.d and +
    a.b.c.d and e.f.g.h

    is either the LMB (Local Master Browser) IP address or the broadcast address of the remote network. ie: the LMB is at 192.168.1.10, or the address @@ -477,23 +478,23 @@ workgroup name of the remote network then our NetBIOS machine names will end up looking like they belong to that workgroup, this may cause name resolution problems and should be avoided. -

    -

    Use of the Remote Browse Sync parameter

    +

    +

    Use of the Remote Browse Sync parameter

    The remote browse sync parameter of smb.conf is used to announce to another LMB that it must synchronise its NetBIOS name list with our Samba LMB. It works ONLY if the Samba server that has this option is simultaneously the LMB on its network segment. -

    +

    The syntax of the remote browse sync parameter is: -

    +
     remote browse sync = a.b.c.d
    -

    +

    where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment. -

    WINS - The Windows Internetworking Name Server

    +

    WINS - The Windows Internetworking Name Server

    Use of WINS (either Samba WINS or MS Windows NT Server WINS) is highly recommended. Every NetBIOS machine registers its name together with a name_type value for each of several types of service it has available. @@ -544,16 +545,16 @@ Never use both wins support = yes together with wins server = a.b.c.d particularly not using it's own IP address. Specifying both will cause nmbd to refuse to start! -

    Setting up a WINS server

    +

    Setting up a WINS server

    Either a Samba machine or a Windows NT Server machine may be set up as a WINS server. To set a Samba machine to be a WINS server you must add the following option to the smb.conf file on the selected machine : in the [globals] section add the line -

    -

    +

    +
     	wins support = yes
    -

    -

    +

    +

    Versions of Samba prior to 1.9.17 had this parameter default to yes. If you have any older versions of Samba on your network it is strongly suggested you upgrade to a recent version, or at the very @@ -585,11 +586,11 @@ the Control Panel->Network->Protocols->TCP->W in Windows 95 or Windows NT. To tell a Samba server the IP address of the WINS server add the following line to the [global] section of all smb.conf files : -

    -

    +

    +
     	wins server = <name or IP address>
    -

    -

    +

    +

    where <name or IP address> is either the DNS name of the WINS server machine or its IP address.

    @@ -604,45 +605,45 @@ The first details setting up cross subnet browsing on a network containing Windows 95, Samba and Windows NT machines that are not configured as part of a Windows NT Domain. The second details setting up cross subnet browsing on networks that contain NT Domains. -

    WINS Replication

    +

    WINS Replication

    Samba-3 permits WINS replication through the use of the wrepld utility. This tool is not currently capable of being used as it is still in active development. As soon as this tool becomes moderately functional we will prepare man pages and enhance this section of the documentation to provide usage and technical details. -

    Static WINS Entries

    +

    Static WINS Entries

    Adding static entries to your Samba-3 WINS server is actually fairly easy. All you have to do is add a line to wins.dat, typically located in /usr/local/samba/var/locks. -

    +

    Entries in wins.dat take the form of -

    +
     "NAME#TYPE" TTL ADDRESS+ FLAGS
    -

    +

    where NAME is the NetBIOS name, TYPE is the NetBIOS type, TTL is the time-to-live as an absolute time in seconds, ADDRESS+ is one or more addresses corresponding to the registration and FLAGS are the NetBIOS flags for the registration. -

    + A typical dynamic entry looks like: -

    +
     "MADMAN#03" 1055298378 192.168.1.2 66R
    -

    +

    To make it static, all that has to be done is set the TTL to 0: -

    +
     "MADMAN#03" 0 192.168.1.2 66R
    -

    -

    +

    +

    Though this method works with early Samba-3 versions, there's a possibility that it may change in future versions if WINS replication is added. -

    Helpful Hints

    +

    Helpful Hints

    The following hints should be carefully considered as they are stumbling points for many new network administrators. -

    Windows Networking Protocols

    Warning

    +

    Windows Networking Protocols

    Warning

    Do NOT use more than one (1) protocol on MS Windows machines

    A very common cause of browsing problems results from installing more than @@ -672,32 +673,32 @@ differently from MS Windows NT4. Generally, where a server does NOT support the newer or extended protocol, these will fall back to the NT4 protocols.

    The safest rule of all to follow it this - USE ONLY ONE PROTOCOL! -

    Name Resolution Order

    +

    Name Resolution Order

    Resolution of NetBIOS names to IP addresses can take place using a number of methods. The only ones that can provide NetBIOS name_type information are:

    WINS: the best tool!
    LMHOSTS: is static and hard to maintain.
    Broadcast: uses UDP and can not resolve names across remote segments.

    Alternative means of name resolution includes: -

    /etc/hosts: is static, hard to maintain, and lacks name_type info
    DNS: is a good choice but lacks essential name_type info.

    +

    /etc/hosts: is static, hard to maintain, and lacks name_type info
    DNS: is a good choice but lacks essential name_type info.
    Many sites want to restrict DNS lookups and want to avoid broadcast name resolution traffic. The name resolve order parameter is of great help here. The syntax of the name resolve order parameter is: -

    +
     name resolve order = wins lmhosts bcast host
    -

    +

    or -

    +
     name resolve order = wins lmhosts  	(eliminates bcast and host)
    -

    +

    The default is: -

    +
     name resolve order = host lmhost wins bcast
    -

    +

    where "host" refers the the native methods used by the Unix system to implement the gethostbyname() function call. This is normally controlled by /etc/host.conf, /etc/nsswitch.conf and /etc/resolv.conf. -

    Technical Overview of browsing

    +

    Technical Overview of browsing

    SMB networking provides a mechanism by which clients can access a list of machines in a network, a so-called browse list. This list contains machines that are ready to offer file and/or print services @@ -717,7 +718,7 @@ Where NetBIOS over TCP/IP is enabled use of a WINS server is highly recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. WINS allows remote segment clients to obtain NetBIOS name_type information that can NOT be provided by any other means of name resolution. -

    Browsing support in Samba

    +

    Browsing support in Samba

    Samba facilitates browsing. The browsing is supported by nmbd and is also controlled by options in the smb.conf file. Samba can act as a local browse master for a workgroup and the ability @@ -752,7 +753,7 @@ browsing on another subnet. It is recommended that this option is only used for 'unusual' purposes: announcements over the internet, for example. See remote announce in the smb.conf man page. -

    Problem resolution

    +

    Problem resolution

    If something doesn't work then hopefully the log.nmbd file will help you track down the problem. Try a debug level of 2 or 3 for finding problems. Also note that the current browse list usually gets stored @@ -777,7 +778,7 @@ server resources. The other big problem people have is that their broadcast address, netmask or IP address is wrong (specified with the "interfaces" option in smb.conf) -

    Browsing across subnets

    +

    Browsing across subnets

    Since the release of Samba 1.9.17(alpha1), Samba has supported the replication of browse lists across subnet boundaries. This section describes how to set this feature up in different settings. @@ -798,16 +799,16 @@ be they Windows 95, Windows NT, or Samba servers must have the IP address of a WINS server given to them by a DHCP server, or by manual configuration (for Win95 and WinNT, this is in the TCP/IP Properties, under Network settings) for Samba this is in the smb.conf file. -

    How does cross subnet browsing work ?

    +

    How does cross subnet browsing work ?

    Cross subnet browsing is a complicated dance, containing multiple moving parts. It has taken Microsoft several years to get the code that achieves this correct, and Samba lags behind in some areas. Samba is capable of cross subnet browsing when configured correctly.

    Consider a network set up as follows : -

    +

    -

    +
                                        (DMB)
                  N1_A      N1_B        N1_C       N1_D        N1_E
                   |          |           |          |           |
    @@ -822,8 +823,8 @@ Consider a network set up as follows :
       |     |     |      |               |        |         |           |
      N2_A  N2_B  N2_C   N2_D           N3_A     N3_B      N3_C        N3_D 
                         (WINS)
    -

    -

    +

    +

    Consisting of 3 subnets (1, 2, 3) connected by two routers (R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume @@ -864,9 +865,9 @@ called 'non-authoritative'. At this point the browse lists look as follows (these are the machines you would see in your network neighborhood if you looked in it on a particular network right now). -

    -

    Table 10.1. Browse subnet example 1

    SubnetBrowse MasterList
    Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E
    Subnet2N2_BN2_A, N2_B, N2_C, N2_D
    Subnet3N3_DN3_A, N3_B, N3_C, N3_D

    -

    +

    +

    Table 10.1. Browse subnet example 1

    SubnetBrowse MasterList
    Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E
    Subnet2N2_BN2_A, N2_B, N2_C, N2_D
    Subnet3N3_DN3_A, N3_B, N3_C, N3_D
    +

    Note that at this point all the subnets are separate, no machine is seen across any of the subnets.

    @@ -886,11 +887,11 @@ names it knows about. Once the domain master browser receives the MasterAnnouncement packet it schedules a synchronization request to the sender of that packet. After both synchronizations are done the browse lists look like : -

    -

    Table 10.2. Browse subnet example 2

    SubnetBrowse MasterList
    Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)
    Subnet2N2_BN2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
    Subnet3N3_DN3_A, N3_B, N3_C, N3_D

    +

    +

    Table 10.2. Browse subnet example 2

    SubnetBrowse MasterList
    Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*)
    Subnet2N2_BN2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
    Subnet3N3_DN3_A, N3_B, N3_C, N3_D
    Servers with a (*) after them are non-authoritative names. -

    +

    At this point users looking in their network neighborhood on subnets 1 or 2 will see all the servers on both, users on subnet 3 will still only see the servers on their own subnet. @@ -901,11 +902,11 @@ synchronizes browse lists with the domain master browser (N1_A) it gets both the server entries on subnet 1, and those on subnet 2. After N3_D has synchronized with N1_C and vica-versa the browse lists look like. -

    -

    Table 10.3. Browse subnet example 3

    SubnetBrowse MasterList
    Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)
    Subnet2N2_BN2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
    Subnet3N3_DN3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)

    +

    +

    Table 10.3. Browse subnet example 3

    SubnetBrowse MasterList
    Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)
    Subnet2N2_BN2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*)
    Subnet3N3_DN3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)
    Servers with a (*) after them are non-authoritative names. -

    +

    At this point users looking in their network neighborhood on subnets 1 or 3 will see all the servers on all subnets, users on subnet 2 will still only see the servers on subnets 1 and 2, but not 3. @@ -914,11 +915,11 @@ Finally, the local master browser for subnet 2 (N2_B) will sync again with the domain master browser (N1_C) and will receive the missing server entries. Finally - and as a steady state (if no machines are removed or shut off) the browse lists will look like : -

    -

    Table 10.4. Browse subnet example 4

    SubnetBrowse MasterList
    Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)
    Subnet2N2_BN2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)
    Subnet3N3_DN3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)

    +

    +

    Table 10.4. Browse subnet example 4

    SubnetBrowse MasterList
    Subnet1N1_CN1_A, N1_B, N1_C, N1_D, N1_E, N2_A(*), N2_B(*), N2_C(*), N2_D(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)
    Subnet2N2_BN2_A, N2_B, N2_C, N2_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N3_A(*), N3_B(*), N3_C(*), N3_D(*)
    Subnet3N3_DN3_A, N3_B, N3_C, N3_D, N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), N2_A(*), N2_B(*), N2_C(*), N2_D(*)
    Servers with a (*) after them are non-authoritative names. -

    +

    Synchronizations between the domain master browser and local master browsers will continue to occur, but this should be a steady state situation. @@ -936,11 +937,11 @@ If either router R1 or R2 fails the following will occur: be able to access servers on its local subnet, by using subnet-isolated broadcast NetBIOS name resolution. The effects are similar to that of losing access to a DNS server. -

    Common Errors

    +

    Common Errors

    Many questions are asked on the mailing lists regarding browsing. The majority of browsing problems originate out of incorrect configuration of NetBIOS name resolution. Some are of particular note. -

    How can one flush the Samba NetBIOS name cache without restarting Samba?

    +

    How can one flush the Samba NetBIOS name cache without restarting Samba?

    Samba's nmbd process controls all browse list handling. Under normal circumstances it is safe to restart nmbd. This will effectively flush the Samba NetBIOS name cache and cause it to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear @@ -950,7 +951,7 @@ want to clear a rogue machine from the list then every machine on the network wi shut down and restarted at after all machines are down. Failing a complete restart, the only other thing you can do is wait until the entry times out and is then flushed from the list. This may take a long time on some networks (months). -

    My client reports "This server is not configured to list shared resources"

    +

    My client reports "This server is not configured to list shared resources"

    Your guest account is probably invalid for some reason. Samba uses the guest account for browsing in smbd. Check that your guest account is valid. -- cgit
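
Review bot: The opening sentence of "Setting up WORKGROUP Browsing", carried as context in the hunk at @@ -242,7 +243,7 @@, does not parse: "a network containing machines in up to be in a WORKGROUP, not an NT Domain you need to set up one Samba server". Since the section is being regenerated anyway, rewrite it along the lines of "on a network containing machines in a WORKGROUP (not an NT Domain), set up one Samba server to be the Domain Master Browser", so the precondition for the domain master = yes instruction that follows is unambiguous.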
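
Review bot: The section name is wrong in the hunk at @@ -544,16 +545,16 @@ (Setting up a WINS server), where the context line reads "in the [globals] section add the line". Every other instruction on this page, including the wins server paragraph a few hunks later, places these options in the [global] section of smb.conf. Change "[globals]" to "[global]" here so that a reader who copies the text literally puts wins support = yes in the global section rather than in a section of a different name.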
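
Review bot: The WINS Replication paragraph in the hunk at @@ -604,45 +605,45 @@ contradicts itself: it says "Samba-3 permits WINS replication through the use of the wrepld utility" and then, in the next sentence, that the tool "is not currently capable of being used". State the current status first (replication is not yet usable; wrepld is under development) so an administrator does not plan a multi-server WINS deployment around it. The Static WINS Entries text in the same hunk already hedges in the same way ("if WINS replication is added"), so the two paragraphs should agree.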
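
Review bot: The default shown in the hunk at @@ -672,32 +673,32 @@ (Name Resolution Order) is spelled inconsistently: "name resolve order = host lmhost wins bcast" uses "lmhost", while both syntax examples just above it use "lmhosts". Make the default line read "host lmhosts wins bcast" so the three listings use the same keyword. The sentence after it also has a doubled word ("refers the the native methods"), which should be "refers to the native methods".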
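
Review bot: The context in the hunk at @@ -752,7 +753,7 @@ offers "announcements over the internet" as the example use of remote announce without saying what is disclosed. Earlier on this page the parameter is described as forcibly announcing all the NetBIOS names on a network to a remote network, so the text should add that the receiving side learns the local machine names, and recommend listing only remote networks the site administers.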
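
Review bot: The host named as domain master browser in the hunk at @@ -901,11 +902,11 @@ does not match the rest of the walkthrough: the context reads "synchronizes browse lists with the domain master browser (N1_A)", but the diagram labels N1_C as (DMB), the next sentence says "After N3_D has synchronized with N1_C", and the later hunk says "the domain master browser (N1_C)". Change "(N1_A)" to "(N1_C)" so the example is consistent with Tables 10.1 to 10.4.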
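
Review bot: The procedure for clearing a rogue name in the hunk at @@ -950,7 +951,7 @@ is unreadable at the step that matters: "shut down and restarted at after all machines are down". Reword it to say that every machine must be shut down and that restarts begin only after all machines are down. This is the only remediation the section gives besides waiting for the entry to time out, so it needs to be followable as written.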