
Re: [Samba] winbindd: Exceeding 200 client connections,no idle connection found

#1  05-30-2008  Jason Haar
Subject: Re: [Samba] winbindd: Exceeding 200 client connections,no idle connection found

Elvar wrote:
>
> I meant to respond to this a long time ago and I'm sorry for the
> delay. Yes, I'm using NTLM to authenticate the users to Active
> Directory requiring specific group membership. If the users don't
> belong to group "Internet Access" they are denied out. I can stomach
> the lack of encryption, but with basic proxy auth can they still
> authenticate to AD?
>

Absolutely. There is no difference in Squid's ntlm_auth functionality
between choosing Basic or NTLM/Negotiate. ie you can still do
group-based access controls using Basic.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

#2  06-01-2008  Misty Stanley-Jones
Subject: [Samba] Help - Cross-Subnet Browsing with OpenVPN

My network topology is changing. One of my network segments that used to be
hard-wired will now be connecting to the rest of the network through DSL,
with a layer of OpenVPN on top. I am having the hardest time getting any
form of cross-subnet browsing or WINS working.

My PDC is called CORPSRV. It has the following IPs:
192.168.1.1
<external IP>
192.168.100.5 (OpenVPN)

The DMB on the remote subnet is called FURNSRV. It has the following IPs:
192.168.2.1
192.168.100.1 (OpenVPN)

Here are the relevant parts of CORPSRV's smb.conf:
os level = 255
wins support = yes
preferred master = yes
domain master = yes
local master = yes
remote announce = '192.168.2.1/CORP' '192.168.4.1/CORP'
remote browse sync = '192.168.2.1' '192.168.4.1'
name resolve order = wins bcast host
interfaces = 127.0.0.1 192.168.1.1 192.168.100.5/255.255.255.0
bind interfaces only = yes
hosts allow = 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24 192.168.6.0/24 192.168.100.0/24 127.0.0.1

Here are the relevant parts of FURNSRV's smb.conf:
security = domain
password server = 192.168.1.1
wins server = 192.168.1.1
wins support = no
wins proxy = yes
name resolve order = wins bcast lmhosts host
dns proxy = no
local master = yes
domain master = no
preferred master = yes
os level = 65
remote browse sync = 192.168.1.1
interfaces = 127.0.0.1 192.168.2.1 192.168.100.1/255.255.255.0
bind interfaces only = yes
hosts allow = 127.0.0.1 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24 192.168.6.0/24 192.168.100.0/24

I can ping each server's IP from the other server. The following nmblookup
commands both work:

root@corpsrv:/etc/samba# nmblookup -U 192.168.2.1 FURNSRV
params.c:pm_process() - Processing configuration file "/etc/samba/printers.smb"
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=192.168.100.5 bcast=192.168.100.255 nmask=255.255.255.0
Socket opened.
querying FURNSRV on 192.168.2.1
Got a positive name query response from 192.168.2.1 ( 192.168.100.1 192.168.2.1 )
192.168.100.1 FURNSRV<00>
192.168.2.1 FURNSRV<00>

root@honk:/etc/samba# nmblookup -U 192.168.1.1 corpsrv
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.2.1 bcast=192.168.2.255 nmask=255.255.255.0
added interface ip=192.168.100.1 bcast=192.168.100.255 nmask=255.255.255.0
Socket opened.
querying corpsrv on 192.168.1.1
Got a positive name query response from 192.168.1.1 ( 192.168.100.5 192.168.1.1 )
192.168.100.5 corpsrv<00>
192.168.1.1 corpsrv<00>

I can mount shares on each server from the other, using IP addresses. But I
can't make FURNSRV join CORP, and I can't resolve FURNSRV via CORPSRV's WINS
server.

I know that part of the problem is that OpenVPN uses interfaces that do not
allow broadcast traffic. But I thought specifying the WINS server and using
the 'remote announce' directives would fix that.

I would appreciate any help at all! Thanks so much,
Misty




#3  06-02-2008  Elvar
Subject: Re: [Samba] winbindd: Exceeding 200 client connections,no idle connection found



Jason Haar wrote:
> Elvar wrote:
>>
>> I meant to respond to this a long time ago and I'm sorry for the
>> delay. Yes, I'm using NTLM to authenticate the users to Active
>> Directory requiring specific group membership. If the users don't
>> belong to group "Internet Access" they are denied out. I can stomach
>> the lack of encryption, but with basic proxy auth can they still
>> authenticate to AD?
>>

> Absolutely. There is no difference in Squid's ntlm_auth functionality
> between choosing Basic or NTLM/Negotiate. ie you can still do
> group-based access controls using Basic.
>

Excellent, I'll try this out asap. Thanks!


Regards,
Elvar


#4  06-02-2008  devel@thom.fr.eu.org
Subject: Re: [Samba] Help - Cross-Subnet Browsing with OpenVPN

I have the same kind of setup (except I'm using Linux 2.6 IPSEC with KAME
tools, and have two different domains, one on each side), and it almost
works. I can join the domain on the other side of the tunnel (I still have
a problem where wbinfo -t says it cannot find the DC) and winbindd can map
remote domain users.

Could you document the errors you get while joining (plus possibly level
2/3 log from smbd/winbind depending on which one raises the error)?

In my setup I added lmhosts files on both sides (not sure if it helps but
at least I could join). Also, I did not include the VPN interfaces (but in
my setup, these are the public network interface due to new IPSEC
implementation). Also, I may be wrong, but I would make FURNSRV the domain
master on its subnet, and add a remote announce on the other subnets.

Hope it helps.

See my post of May 29, 2008 with subject "Trustdom setup and trusted group
management"


François

> My network topology is changing. One of my network segments that used to
> be
> hard-wired will now be connecting to the rest of the network through DSL,
> with a layer of OpenVPN on top. I am having the hardest time getting any
> form of cross-subnet browsing or WINS working.
>
> My PDC is called CORPSRV. It has the following IPs:
> 192.168.1.1
> <external IP>
> 192.168.100.5 (OpenVPN)
>
> The DMB on the remote subnet is called FURNSRV. It has the following IPs:
> 192.168.2.1
> 192.168.100.1 (OpenVPN)
>
> Here are the relevant parts of CORPSRV's smb.conf:
> os level = 255
> wins support = yes
> preferred master = yes
> domain master = yes
> local master = yes
> remote announce = '192.168.2.1/CORP' '192.168.4.1/CORP'
> remote browse sync = '192.168.2.1' '192.168.4.1'
> name resolve order = wins bcast host
> interfaces = 127.0.0.1 192.168.1.1 192.168.100.5/255.255.255.0
> bind interfaces only = yes
> hosts allow = 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24 192.168.6.0/24
> 192.168.100.0/24 127.0.0.1
>
> Here are the relevant parts of FURNSRV's smb.conf:
> security = domain
> password server = 192.168.1.1
> wins server = 192.168.1.1
> wins support = no
> wins proxy = yes
> name resolve order = wins bcast lmhosts host
> dns proxy = no
> local master = yes
> domain master = no
> preferred master = yes
> os level = 65
> remote browse sync = 192.168.1.1
> interfaces = 127.0.0.1 192.168.2.1 192.168.100.1/255.255.255.0
> bind interfaces only = yes
> hosts allow = 127.0.0.1 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24
> 192.168.6.0/24 192.168.100.0/24
>
> I can ping each server's IP from the other server. The following
> nmblookup
> commands both work:
>
> root@corpsrv:/etc/samba# nmblookup -U 192.168.2.1 FURNSRV
> params.c:pm_process() - Processing configuration file
> "/etc/samba/printers.smb"
> added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
> added interface ip=192.168.100.5 bcast=192.168.100.255 nmask=255.255.255.0
> Socket opened.
> querying FURNSRV on 192.168.2.1
> Got a positive name query response from 192.168.2.1 ( 192.168.100.1
> 192.168.2.1 )
> 192.168.100.1 FURNSRV<00>
> 192.168.2.1 FURNSRV<00>
>
> root@honk:/etc/samba# nmblookup -U 192.168.1.1 corpsrv
> added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> added interface ip=192.168.2.1 bcast=192.168.2.255 nmask=255.255.255.0
> added interface ip=192.168.100.1 bcast=192.168.100.255 nmask=255.255.255.0
> Socket opened.
> querying corpsrv on 192.168.1.1
> Got a positive name query response from 192.168.1.1 ( 192.168.100.5
> 192.168.1.1 )
> 192.168.100.5 corpsrv<00>
> 192.168.1.1 corpsrv<00>
>
> I can mount shares on each server from the other, using IP addresses. But
> I
> can't make FURNSRV join CORP, and I can't resolve FURNSRV via CORPSRV's
> WINS
> server.
>
> I know that part of the problem is that OpenVPN uses interfaces that do
> not
> allow broadcast traffic. But I thought specifying the WINS server and
> using
> the 'remote announce' directives would fix that.
>
> I would appreciate any help at all! Thanks so much,
> Misty



--
François Legal



#5  06-02-2008  Rob Shinn
Subject: Re: [Samba] Help - Cross-Subnet Browsing with OpenVPN

Copied to list. (Forgot to hit 'Reply All')

On Mon, Jun 2, 2008 at 3:02 PM, Rob Shinn <rob.shinn@gmail.com> wrote:

>> I can ping each server's IP from the other server. The following nmblookup
>> commands both work:
>
> Hi, Misty:
>
> The all-important question is not whether you can ping each server's IP
> address from the other server, but can you ping each server *by* *name* from
> the other. In other words, can you type 'ping corpsrv' from furnsrv and get
> a response?
>
> In order for cross-subnet browsing to work, it is /essential/ that this
> work. The easiest way to get this working if you don't already have a DNS
> server is to add CORPSRV and FURNSRV to each machine's /etc/hosts file.
>


#6  06-03-2008  Elvar
Subject: Re: [Samba] winbindd: Exceeding 200 client connections,no idle connection found



Jason Haar wrote:
> Elvar wrote:
>>
>> I meant to respond to this a long time ago and I'm sorry for the
>> delay. Yes, I'm using NTLM to authenticate the users to Active
>> Directory requiring specific group membership. If the users don't
>> belong to group "Internet Access" they are denied out. I can stomach
>> the lack of encryption, but with basic proxy auth can they still
>> authenticate to AD?
>>

> Absolutely. There is no difference in Squid's ntlm_auth functionality
> between choosing Basic or NTLM/Negotiate. ie you can still do
> group-based access controls using Basic.
>


Ok, I set this up using only basic and not NTLM and the problem I'm
seeing is that it prompts the users for their credentials instead of
passing automatically in the background. With NTLM they don't have to
type in their username and password which is what I need. They will
never be ok with having to type in their creds all the time. I'm
guessing I'm stuck with NTLM then?


Regards,
Elvar
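
What Jason describes in post #1, together with the prompting Elvar reports in post #6, expressed as squid.conf directives (an added example, not configuration posted by anyone in this thread): both schemes call the same ntlm_auth helper with the same group restriction, and only the NTLM scheme is answered by the browser without a prompt. The helper path, child counts, realm text, ACL name and the group SID placeholder are assumptions.

```conf
# Added example; helper path, child counts, realm and ACL name are assumptions.
# <INTERNET-ACCESS-SID> is a placeholder for the SID of the AD group
# ("Internet Access" in this thread); ntlm_auth accepts a SID or a name,
# and `wbinfo -n` resolves a group name to its SID.

# NTLM is listed first: Squid offers schemes in the order they appear in
# the config, and this is the scheme that needs no credential prompt.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=<INTERNET-ACCESS-SID>
auth_param ntlm children 30
auth_param ntlm keep_alive on

# Basic goes through the same helper and the same group check, but the
# browser prompts the user and sends the credentials base64-encoded
# (not encrypted) with each request.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=<INTERNET-ACCESS-SID>
auth_param basic children 5
auth_param basic realm Internet proxy
auth_param basic credentialsttl 2 hours

# Group membership is enforced inside the helper, so every login that
# succeeds already belongs to the required group.
acl ad_internet_users proxy_auth REQUIRED
http_access allow ad_internet_users
http_access deny all
```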
