Everything worked fine. Email server on one subnet was reachable from the other, the samba server was available with \\ip style address. I thought that was all, work done…

Not quite.

Well we had domain logons with roaming profiles before the subnet split and we wanted it to stay the same.

Before I go into detail about the problems and solutions lets take a look at our simplified network.
The two firewalls are connected with adsl through ppp0.
Subnet1 has an internal network with 192.168.1.0/24 with the server ip 192.168.1.254 and a tun0 interface with 10.8.0.1.
Subnet2 has 192.168.2.0/24 (ip 192.168.2.254) with tun0 10.8.0.6.
Because we have limited number of servers both firewalls are also the samba servers. (However the setup is the same if you have internal samba servers, just change the ip addresses).

Subnet2 has the domain controller for DOMAIN1.

Server on Subnet1 is called SERVER2 on Subnet2 it’s SERVER, sorry for this we have a switched setup and I don’t want to tamper with the included logs.

Configuration

We need a WINS server on our network. Let SERVER (192.168.2.254) be it:

smb.conf on SERVER:

netbios name = SERVER
workgroup = DOMAIN1
os level = 128
preferred master = Yes
domain master = Yes
local master = Yes

wins support = Yes
wins proxy = Yes

# If you want domain logons just turn on the relevant options

smb.conf on SERVER2

netbios name = SERVER2
workgroup = DOMAIN1
os level = 64
preferred master = Yes
domain master = No
local master = Yes

wins support = No
wins proxy = No
wins server = 192.168.2.254

It is important to switch on wins support = Yes on only one server per workgroup!

Ok now we have name resolution for NetBIOS names set up.

If you have dhcp for your subnets put option netbios-name-servers 192.168.2.254; in dhcpd.conf so your clients will know about our WINS server (you can also put option netbios-node-type 8; this will change the clients NetBIOS name resolution to WINS server and network broadcast in this order)

Problem 1

This one is quite important and hard to notice.
If you have

interfaces = 127.0.0.0/8 eth1 ...
bind interfaces only = yes

Comment it out now! The problem is with this setup is no matter how hard you try to add tun0 (or tun0 ip range) to this config samba will refuse to use this interface because it has no broadcast capability. And the traffic between the two servers will go through the tunnel and use the tun0 ip for source, and in turn samba will refuse inter samba communication from this source.

The relevant log file entries are not too informative:

On the WINS server:

[2009/04/22 16:53:16,  3, pid=26633, effective(0, 0), real(0, 0)] nmbd/nmbd_winsserver.c:wins_multihomed_register_query_fail(1491)
  wins_multihomed_register_query_fail: Registering machine at IP 192.168.1.254 failed to answer query successfully for name SERVER2<20>.

On the other server:

[2009/04/22 16:53:26, 0, pid=30630, effective(0, 0), real(0, 0)] nmbd/nmbd_namelistdb.c:standard_fail_register(305)
  standard_fail_register: Failed to register/refresh name SERVER2<03> on subnet UNICAST_SUBNET
[2009/04/22 16:53:26, 0, pid=30630, effective(0, 0), real(0, 0)] nmbd/nmbd_nameregister.c:register_name_response(130)
  register_name_response: WINS server at IP 192.168.2.254 rejected our name registration of SERVER2<00> IP 192.168.1.254 with error code 5.

Problem 2

On each subnet only the host which reside on the same subnet are visible to the clients. We have to force our other server(s) to sync its browse list with the WINS server. This can be done by adding the following to the config of the WINS server.

# This forces samba to announce itself to 192.168.1.254 (our local master browser on the other subnet)
# and also on the broadcast address, just to be sure it reaches the clients.
remote announce = 192.168.1.254 192.168.1.255

# This forces the lmb 192.168.1.254 to sync its browse list with us.
remote browse sync = 192.168.1.254

Problem 3

As I said before we have domain logons enabled. Without the above changes joining the domain was easy (just like with a single subnet) however the clients were unable to log in to the domain. The error was at login time after selecting the domain to log on and entering user/pass information and it said something like “Domain DOMAIN1 not available”. No details, no errors. Sometimes I was able to log in but the client machine was unable to mount the network drives from the server. After digging into the problem it boiled down to NetBIOS name resolution. So the changes above seems to solve this issue as well.

Now we are done :)

Final thoughts

MS networking is complicated and unreliable. I really hate it. Broadcasting, elections, resolution order changes…
So do not ever trust it! Browsing the network was never easy either and I don’t think it ever will be.

Oh and also as of samba 3.2.3 XP clients don’t seem to need the signorseal registry hack, however in local policy/security setting you should disable “…signing and encrypting (always)”.

And hard to get rid of. Today spyware writers are becoming quite good at hiding spyware activity and making sure that an infected computer remains infected. A common approach is to change the winlogon notify registry key to run malware code on every single user login. Yes, even if you start windows in safe mode you have to log in, and if a program is loaded you cannot easily remove it from the computer.

This is an everyday problem for most IT professionals. Cleaning a system that’s already running is almost impossible.

So linux for the rescue:

My solution for the problem is a linux live cd with an antivirus removal tool.

The easy part was the live cd. Ubuntu has a nice live system which is easy to customize, supports almost every available hardware, and also has mature NTFS support.

I got rid of openoffice.org packages because they took up a lot of space, which I needed for the antivirus software.

The harder part was finding the ideal virus removal tool for the job. I really like clamav (we use it to scan our email traffic for obvious viruses) however as of today it knows 472153 viruses. Don’t get me wrong it IS a great tool for slowly evolving or fixed viruses, like mass mailing viruses and older ones, but currently not fast enough for the spyware war. On my first attempts with the live antivir solution it missed a lot newer threats and variants.

So I started to look for another solution. Well “linux and viruses” wasn’t the best search term, but in the end I found a very promising site: Viruspool.net. This site is exactly what I’ve been looking for. It lists unix command line scanners with a percentage of accuracy, ease of install, price and such information. Although it is a bit outdated, but still a good reference point.

Obviously I aimed at the highest accuracy, but because I wanted only to testdrive the products simple availability was important too.

To make a long story short I ended up with the BitDefender product (evaluation version is available after filling a simple form) and they currently run a beta test program for the unix version. They sent me an email about it, so I think I can include the link here http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Beta/

Today it has 2 336 009 signatures, and a lot of it is malware related.

So after creating the live cd I booted the machine with it and simply did this:

#Update the definitions
bdscan --update
# Mounted the windows partition (in read only mode at first)
mount -o ro /dev/sda1 /mnt
cd /mnt
bdscan --no-list path/to/check

This gave me the list of infected files, but did not change anything on the machine in question.
(On this particular machine, a lot of expected dll-s and .tmp files and an unexpected trojan infection in userinit.exe [this caused the owner to ask for help, because it made the desktop disappear on boot... badly written trojan...]).

This was enough for me. Remounted the drive in rw mode, removed the infections by hand and replaced userinit.exe with a clean copy.

But bdscan can also remove/quarantine/repair(!) infections automaticaly. See bdscan --help for details.

Now I’m quite satisfied with the result.

If I’ll have a bit free time I’ll check more of the products even if it’s a bit harder to get them.
The more engines I try the more spyware I’ll catch, and I currently have quite a few machines to check for malware…

After creating the live cd you can remove /opt/BitDefender-scanner/var/bddt.dat this will keep the software in trial mode, but must be run as root to be able to recreate the file.

I hope this helps a bit, and of course every comment is welcome :)