<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Zod.hu &#187; vpn</title>
	<atom:link href="http://zod.hu/tag/vpn/feed" rel="self" type="application/rss+xml" />
	<link>http://zod.hu</link>
	<description>Phase one: Linux, phase two: , phase three: profit!</description>
	<lastBuildDate>Wed, 11 Nov 2009 04:16:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Connecting Samba servers through OpenVPN</title>
		<link>http://zod.hu/2009/04/connecting-samba-servers-through-openvpn.html</link>
		<comments>http://zod.hu/2009/04/connecting-samba-servers-through-openvpn.html#comments</comments>
		<pubDate>Thu, 23 Apr 2009 11:26:03 +0000</pubDate>
		<dc:creator>Zod</dc:creator>
				<category><![CDATA[Config]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[multiple subnets]]></category>
		<category><![CDATA[openvpn]]></category>
		<category><![CDATA[samba]]></category>
		<category><![CDATA[vpn]]></category>
		<category><![CDATA[windows networking]]></category>

		<guid isPermaLink="false">http://zod.hu/?p=42</guid>
		<description><![CDATA[Connecting two different subnets on different locations with linux firewalls is easy. I did it with OpenVPN because it&#8217;s easy to setup, secure and &#8220;just works&#8221;. Everything worked fine. Email server on one subnet was reachable from the other, the samba server was available with \\ip style address. I thought that was all, work done&#8230; [...]]]></description>
			<content:encoded><![CDATA[<p>Connecting two subnets at different locations through Linux firewalls is easy. I did it with OpenVPN because it&#8217;s easy to set up, secure and &#8220;just works&#8221;.</p>
<p>Everything worked fine. The email server on one subnet was reachable from the other, and the Samba server could be reached by a \\ip-style address. I thought that was all, work done&#8230;</p>
<p>Not quite.<br />
<span id="more-42"></span><br />
We had domain logons with roaming profiles before the subnet split, and we wanted that to keep working.</p>
<p>Before I go into the problems and solutions, let&#8217;s take a look at our simplified network.<br />
The two firewalls are connected over ADSL (ppp0), and the OpenVPN tunnel runs across that link.<br />
Subnet1 is 192.168.1.0/24; its server has the IP 192.168.1.254 and a tun0 interface with 10.8.0.1.<br />
Subnet2 is 192.168.2.0/24; its server has the IP 192.168.2.254 and a tun0 interface with 10.8.0.6.<br />
Because we have a limited number of servers, both firewalls are also the Samba servers. (The setup is the same if you have internal Samba servers; just change the IP addresses.)</p>
<p>Subnet2 has the domain controller for DOMAIN1.</p>
<p>The server on Subnet1 is called SERVER2 and the one on Subnet2 is called SERVER. Sorry about that: the naming is swapped in our setup and I don&#8217;t want to tamper with the included logs.</p>
<p><b>Configuration</b></p>
<p>We need a WINS server on our network. Let SERVER (192.168.2.254) be it:</p>
<p>smb.conf on SERVER:</p>
<pre>
netbios name = SERVER
workgroup = DOMAIN1
os level = 128
preferred master = Yes
domain master = Yes
local master = Yes

wins support = Yes
wins proxy = Yes

# If you want domain logons just turn on the relevant options
</pre>
<p>smb.conf on SERVER2</p>
<pre>
netbios name = SERVER2
workgroup = DOMAIN1
os level = 64
preferred master = Yes
domain master = No
local master = Yes

wins support = No
wins proxy = No
wins server = 192.168.2.254
</pre>
<p>It is important to turn on wins support = Yes on only one server for the whole network (both subnets together); every other server points at it with wins server.</p>
<p>Ok now we have name resolution for NetBIOS names set up.</p>
<p>If you run DHCP on your subnets, put the following in dhcpd.conf so your clients learn about the WINS server. The second option is optional: node type 8 (h-node) makes clients resolve NetBIOS names through the WINS server first and fall back to broadcast.</p>
<pre>
option netbios-name-servers 192.168.2.254;
option netbios-node-type 8;
</pre>
<p><b>Problem 1</b></p>
<p>This one is quite important and hard to notice.<br />
If you have</p>
<pre>
interfaces = 127.0.0.0/8 eth1 ...
bind interfaces only = yes
</pre>
<p>Comment it out now! With this setting, no matter how hard you try to add tun0 (or the tun0 IP range) to interfaces, nmbd will refuse to use the interface because it has no broadcast capability. Traffic between the two servers goes through the tunnel with the tun0 address as source, and with bind interfaces only = yes nmbd discards packets whose source address does not belong to one of the listed interfaces, so it rejects the other server&#8217;s traffic.</p>
<p>Note that with bind interfaces only off, smbd and nmbd accept connections on every interface, including ppp0. Make sure the firewall on both boxes drops UDP 137/138 and TCP 139/445 arriving from the Internet side and only admits them from the LAN and the tunnel.</p>
<p>The relevant log file entries are not too informative:</p>
<p>On the WINS server:</p>
<pre>
[2009/04/22 16:53:16,  3, pid=26633, effective(0, 0), real(0, 0)] nmbd/nmbd_winsserver.c:wins_multihomed_register_query_fail(1491)
  wins_multihomed_register_query_fail: Registering machine at IP 192.168.1.254 failed to answer query successfully for name SERVER2&lt;20&gt;.
</pre>
<p>On the other server:</p>
<pre>
[2009/04/22 16:53:26, 0, pid=30630, effective(0, 0), real(0, 0)] nmbd/nmbd_namelistdb.c:standard_fail_register(305)
  standard_fail_register: Failed to register/refresh name SERVER2&lt;03&gt; on subnet UNICAST_SUBNET
[2009/04/22 16:53:26, 0, pid=30630, effective(0, 0), real(0, 0)] nmbd/nmbd_nameregister.c:register_name_response(130)
  register_name_response: WINS server at IP 192.168.2.254 rejected our name registration of SERVER2&lt;00&gt; IP 192.168.1.254 with error code 5.
</pre>
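<p>The log lines above are terse, but they do carry the facts that matter: which host WINS challenged, which name it was registering, and the error code it got back. The following script is an added example, not code from the original post or from Samba. It pairs each nmbd header line with the message line that follows it, matches the three failure messages quoted above, and attaches a hint; the hint text is this example&#8217;s interpretation, and the sample log is constructed from the post&#8217;s own lines.</p>

```python
"""Pull WINS name-registration failures out of nmbd log lines.

Added example (not code from the original post).  nmbd writes a bracketed
header line followed by an indented message line; this parser pairs the
two, matches the failure messages the post quotes, and attaches a hint.
The hint text is this example's interpretation, not Samba's.
"""
import re
from typing import Dict, List

# "[2009/04/22 16:53:16,  3, pid=26633, ...] nmbd/file.c:function(line)"
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)[^\]]*\]\s*(?P<where>\S+)")

# (function name in the message, message pattern, hint for the operator)
PATTERNS = [
    ("wins_multihomed_register_query_fail",
     re.compile(r"Registering machine at IP (?P<ip>\S+) failed to answer "
                r"query successfully for name (?P<name>\S+?)\.?$"),
     "WINS challenged {ip} for {name} and got no reply: nmbd on {ip} is not "
     "accepting queries that arrive over the VPN (check 'bind interfaces only')"),
    ("register_name_response",
     re.compile(r"WINS server at IP (?P<wins>\S+) rejected our name registration "
                r"of (?P<name>\S+) IP (?P<ip>\S+) with error code (?P<code>\d+)"),
     "WINS {wins} rejected {name} for {ip} (error code {code})"),
    ("standard_fail_register",
     re.compile(r"Failed to register/refresh name (?P<name>\S+) on subnet (?P<subnet>\S+)"),
     "registration of {name} failed on {subnet}"),
]


def parse_nmbd_log(text: str) -> List[Dict[str, str]]:
    """Pair each header line with the message line that follows it."""
    events: List[Dict[str, str]] = []
    header = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER.match(raw)
        if m:
            header = m.groupdict()
            continue
        if header is None:          # stray message line, nothing to attach it to
            continue
        func, _, body = raw.strip().partition(":")
        events.append({**header, "func": func.strip(), "msg": body.strip()})
        header = None
    return events


def wins_failures(text: str) -> List[Dict[str, str]]:
    """Return the registration failures found in the log, with hints."""
    findings: List[Dict[str, str]] = []
    for ev in parse_nmbd_log(text):
        for func, pattern, hint in PATTERNS:
            if ev["func"] != func:
                continue
            m = pattern.search(ev["msg"])
            if m:
                fields = m.groupdict()
                findings.append({"ts": ev["ts"], "where": ev["where"], "func": func,
                                 **fields, "hint": hint.format(**fields)})
    return findings


# Constructed sample: the post's log lines from both servers, in order.
SAMPLE_LOG = """\
[2009/04/22 16:53:16,  3, pid=26633, effective(0, 0), real(0, 0)] nmbd/nmbd_winsserver.c:wins_multihomed_register_query_fail(1491)
  wins_multihomed_register_query_fail: Registering machine at IP 192.168.1.254 failed to answer query successfully for name SERVER2<20>.
[2009/04/22 16:53:26, 0, pid=30630, effective(0, 0), real(0, 0)] nmbd/nmbd_namelistdb.c:standard_fail_register(305)
  standard_fail_register: Failed to register/refresh name SERVER2<03> on subnet UNICAST_SUBNET
[2009/04/22 16:53:26, 0, pid=30630, effective(0, 0), real(0, 0)] nmbd/nmbd_nameregister.c:register_name_response(130)
  register_name_response: WINS server at IP 192.168.2.254 rejected our name registration of SERVER2<00> IP 192.168.1.254 with error code 5.
"""

if __name__ == "__main__":
    for f in wins_failures(SAMPLE_LOG):
        print(f["ts"], f["func"], "->", f["hint"])
```

<p>Run it over the nmbd log of both servers (log level 3 is needed for the WINS-side message); the first finding, the failed challenge from the WINS server to 192.168.1.254, is the one that points at the interface binding rather than at WINS itself.</p>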
<p><b>Problem 2</b></p>
<p>On each subnet only the hosts on that subnet show up in the clients&#8217; browse lists, because browse lists are built from broadcasts that do not cross the tunnel. We have to force the other server to sync its browse list with the WINS server, which is done by adding the following to the WINS server&#8217;s config.</p>
<pre>
# This forces samba to announce itself to 192.168.1.254 (our local master browser on the other subnet)
# and also on the broadcast address, just to be sure it reaches the clients.
remote announce = 192.168.1.254 192.168.1.255

# This forces the lmb 192.168.1.254 to sync its browse list with us.
remote browse sync = 192.168.1.254
</pre>
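<p>The Configuration section, Problem 1 and Problem 2 together amount to a handful of rules about the two smb.conf files. The script below is an added example, not code from the original post or from Samba: it parses the fragments and checks that there is exactly one WINS server and one domain master, that the other server points its wins server at it, that bind interfaces only is not switched on anywhere, and that the WINS server announces to and syncs with the other subnet&#8217;s local master browser. The host names and addresses are the post&#8217;s own; the check function and its messages are this example&#8217;s.</p>

```python
"""Check smb.conf fragments against the rules this post arrives at.

Added example, not code from the original post or from Samba.  Host names
and addresses are the post's; the check function is this example's.
"""
import re
from typing import Dict, List, Tuple

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'key = value' lines and
    '#'/';' comments.  Parameter names are lower-cased with whitespace
    collapsed, as Samba compares them; lines before any [section] are [global]."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, val = line.partition("=")
        if sep:
            sections[current][" ".join(key.lower().split())] = val.strip()
    return sections


def truthy(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def check_site(hosts: Dict[str, Tuple[str, str]]) -> List[str]:
    """hosts maps NetBIOS name -> (LAN address, smb.conf text).
    Returns findings; an empty list means the post's rules all hold."""
    g = {name: parse_smb_conf(conf)["global"] for name, (_, conf) in hosts.items()}
    ip = {name: addr for name, (addr, _) in hosts.items()}
    findings: List[str] = []

    wins = [n for n, p in g.items() if truthy(p.get("wins support", "no"))]
    if len(wins) != 1:
        findings.append(f"expected exactly one 'wins support = yes', found {wins or 'none'}")
    if len({p.get("workgroup", "").upper() for p in g.values()}) != 1:
        findings.append("hosts disagree on 'workgroup'")
    masters = [n for n, p in g.items() if truthy(p.get("domain master", "no"))]
    if len(masters) != 1:
        findings.append(f"expected exactly one 'domain master = yes', found {masters or 'none'}")

    for name, p in g.items():
        # Problem 1: with 'bind interfaces only = yes' nmbd drops packets whose
        # source is not on a listed (broadcast-capable) interface, i.e. tun0.
        if truthy(p.get("bind interfaces only", "no")):
            findings.append(f"{name}: 'bind interfaces only = yes' makes nmbd reject traffic arriving over tun0")
        if len(wins) == 1 and name != wins[0] and p.get("wins server") != ip[wins[0]]:
            findings.append(f"{name}: 'wins server' should be {ip[wins[0]]}, is {p.get('wins server')!r}")

    # Problem 2: the WINS server must announce to, and pull the browse list
    # from, the local master browser on each other subnet.
    if len(wins) == 1:
        p = g[wins[0]]
        announce = set(IPV4.findall(p.get("remote announce", "")))
        sync = set(IPV4.findall(p.get("remote browse sync", "")))
        for name, addr in ip.items():
            if name != wins[0] and addr not in announce:
                findings.append(f"{wins[0]}: 'remote announce' lacks {addr} ({name})")
            if name != wins[0] and addr not in sync:
                findings.append(f"{wins[0]}: 'remote browse sync' lacks {addr} ({name})")
    return findings


# The post's final configuration, reproduced here as constructed input.
SERVER_CONF = """
[global]
netbios name = SERVER
workgroup = DOMAIN1
os level = 128
preferred master = Yes
domain master = Yes
local master = Yes
wins support = Yes
wins proxy = Yes
remote announce = 192.168.1.254 192.168.1.255
remote browse sync = 192.168.1.254
"""
SERVER2_CONF = """
netbios name = SERVER2
workgroup = DOMAIN1
os level = 64
preferred master = Yes
domain master = No
local master = Yes
wins support = No
wins proxy = No
wins server = 192.168.2.254
"""
SITE = {"SERVER": ("192.168.2.254", SERVER_CONF),
        "SERVER2": ("192.168.1.254", SERVER2_CONF)}

if __name__ == "__main__":
    for line in check_site(SITE) or ["ok: configuration follows the post's rules"]:
        print(line)
```

<p>Feed it the [global] sections of every Samba server on both sides of the tunnel; the bind interfaces only check is the one that catches Problem 1 before the nmbd logs do.</p>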
<p><b>Problem 3</b></p>
<p>As I said before, we have domain logons enabled. Without the changes above, joining the domain was easy (just like with a single subnet), but the clients were unable to log on to the domain. The error came at login time, after selecting the domain and entering the user name and password, and said something like &#8220;Domain DOMAIN1 not available&#8221;. No details, no errors. Sometimes I was able to log in but the client machine was unable to mount the network drives from the server. After digging into the problem it boiled down to NetBIOS name resolution, so the changes above seem to solve this issue as well.</p>
<p>Now we are done :)</p>
<p><b>Final thoughts</b></p>
<p>MS networking is complicated and unreliable. I really hate it. Broadcasting, elections, resolution-order changes&#8230;<br />
So do not ever trust it! Browsing the network was never easy either, and I don&#8217;t think it ever will be.</p>
<p>Oh, and as of Samba 3.2.3, XP clients don&#8217;t seem to need the RequireSignOrSeal registry hack any more; however, in Local Security Policy you should disable &#8220;Domain member: Digitally encrypt or sign secure channel data (always)&#8221;. Bear in mind that this relaxes the signing and sealing of the NETLOGON secure channel between the client and the domain controller, so it is a trade-off rather than a free fix.</p>
]]></content:encoded>
			<wfw:commentRss>http://zod.hu/2009/04/connecting-samba-servers-through-openvpn.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

