
Re: SMB in iptables



The following extract may shed some light on your SMB problem, if 
not on the solution:

From a talk Tridge gave at the 1999 AUUG conference in
Melbourne, Australia entitled "Inside Microsoft 
Networking - all the dirt on the SMB protocol".

Reproduced without permission.  Copyright 1999 AUUG Inc.


... cross subnet browsing.  This is where you have a single
logical workgroup spread over multiple broadcast subnets
so they can communicate with unicast packets but not 
broadcasts. ...

The problem is that the browsing protocols were never
really designed for this sort of cross-subnet setup.
The (normal) broadcast election system won't work for
multiple subnets, so how do you do it?  This is where 
WINS and a thing called a domain master browser gets in
on the act.  WINS allows you to have a central name server
for netbios names so a specially configured computer
(the Domain Master Browser or DMB) registers the workgroup
name with the WINS server and all the local master browsers
contact the WINS server to find out who the DMB is....

This sounds OK in theory but can be a real mess in practice.
The first stumbling block is placed at your feet courtesy
of Microsoft marketing decisions.  MS likes selling lots of
copies of NT Server so they made sure it is needed.  A Win95
box doesn't know how to contact a DMB (even as a client) so
if it ends up as the LMB then that subnet is effectively cut
off.  Oops. ...  The result is that you need either an NT
server or a samba server on each subnet to do cross subnet
browsing.

Even if you do have a DMB-client capable machine on each subnet
AND make sure it becomes the LMB, you are not out of the woods
yet.  You have to contend with the fact that the protocol only
allows the LMB to contact the DMB for its own workgroup.  So if
you have separate workgroups for ACCOUNTING and ADMIN then the
DMBs need some way to talk to each other or you will never see
a workgroup list containing both workgroups.  Unfortunately that
bit of the protocol has been left out completely.  Oops again.
The only way it can work is if there happens to be a subnet
somewhere in your organisation where both workgroups co-exist.
Then the two LMBs will notice each other and the two workgroups
will magically start to see each other.

For Samba we have added a simple extension to make this a
slightly less hit and miss affair but as NT does not support our
extension you would have to use Samba as the DMB for each workgroup.

--
Paul Haesler                    paul@phaesler.org
                                ICQ: 124547085


