1 <chapter id="Browsing-Quick">
4 <pubdate>July 5, 1998</pubdate>
5 <pubdate>Updated: March 15, 2003</pubdate>
8 <title>Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</title>
11 This document should be read in conjunction with Browsing and may
12 be taken as the fast track guide to implementing browsing across subnets
13 and / or across workgroups (or domains). WINS is the best tool for resolution
14 of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling
15 except by way of name to address mapping.
19 MS Windows 2000 and later can be configured to operate with NO NetBIOS
20 over TCP/IP. Samba-3 and later also supports this mode of operation.
25 <title>Discussion</title>
28 Firstly, all MS Windows networking is based on SMB (Server Message
29 Block) based messaging. SMB messaging may be implemented using NetBIOS or
30 without NetBIOS. Samba implements NetBIOS by encapsulating it over TCP/IP.
31 MS Windows products can do likewise. NetBIOS based networking uses broadcast
32 messaging to affect browse list management. When running NetBIOS over
33 TCP/IP this uses UDP based messaging. UDP messages can be broadcast or unicast.
37 Normally, only unicast UDP messaging can be forwarded by routers. The
38 "remote announce" parameter to smb.conf helps to project browse announcements
39 to remote network segments via unicast UDP. Similarly, the "remote browse sync"
40 parameter of smb.conf implements browse list collation using unicast UDP.
44 Secondly, in those networks where Samba is the only SMB server technology
45 wherever possible nmbd should be configured on one (1) machine as the WINS
46 server. This makes it easy to manage the browsing environment. If each network
47 segment is configured with it's own Samba WINS server, then the only way to
48 get cross segment browsing to work is by using the "remote announce" and
49 the "remote browse sync" parameters to your smb.conf file.
53 If only one WINS server is used for an entire multi-segment network then
54 the use of the "remote announce" and the "remote browse sync" parameters
55 should NOT be necessary.
59 As of Samba-3 WINS replication is being worked on. The bulk of the code has
60 been committed, but it still needs maturation.
64 Right now samba WINS does not support MS-WINS replication. This means that
65 when setting up Samba as a WINS server there must only be one nmbd configured
66 as a WINS server on the network. Some sites have used multiple Samba WINS
67 servers for redundancy (one server per subnet) and then used "remote browse
68 sync" and "remote announce" to affect browse list collation across all
69 segments. Note that this means clients will only resolve local names,
70 and must be configured to use DNS to resolve names on other subnets in
71 order to resolve the IP addresses of the servers they can see on other
72 subnets. This setup is not recommended, but is mentioned as a practical
73 consideration (ie: an 'if all else fails' scenario).
77 Lastly, take note that browse lists are a collection of unreliable broadcast
78 messages that are repeated at intervals of not more than 15 minutes. This means
79 that it will take time to establish a browse list and it can take up to 45
80 minutes to stabilise, particularly across network segments.
86 <title>How browsing functions and how to deploy stable and
87 dependable browsing using Samba</title>
91 As stated above, MS Windows machines register their NetBIOS names
92 (i.e.: the machine name for each service type in operation) on start
93 up. Also, as stated above, the exact method by which this name registration
94 takes place is determined by whether or not the MS Windows client/server
95 has been given a WINS server address, whether or not LMHOSTS lookup
96 is enabled, or if DNS for NetBIOS name resolution is enabled, etc.
100 In the case where there is no WINS server all name registrations as
101 well as name lookups are done by UDP broadcast. This isolates name
102 resolution to the local subnet, unless LMHOSTS is used to list all
103 names and IP addresses. In such situations Samba provides a means by
104 which the samba server name may be forcibly injected into the browse
105 list of a remote MS Windows network (using the "remote announce" parameter).
109 Where a WINS server is used, the MS Windows client will use UDP
110 unicast to register with the WINS server. Such packets can be routed
111 and thus WINS allows name resolution to function across routed networks.
115 During the startup process an election will take place to create a
116 local master browser if one does not already exist. On each NetBIOS network
117 one machine will be elected to function as the domain master browser. This
118 domain browsing has nothing to do with MS security domain control.
119 Instead, the domain master browser serves the role of contacting each local
120 master browser (found by asking WINS or from LMHOSTS) and exchanging browse
121 list contents. This way every master browser will eventually obtain a complete
122 list of all machines that are on the network. Every 11-15 minutes an election
123 is held to determine which machine will be the master browser. By the nature of
124 the election criteria used, the machine with the highest uptime, or the
125 most senior protocol version, or other criteria, will win the election
126 as domain master browser.
130 Clients wishing to browse the network make use of this list, but also depend
131 on the availability of correct name resolution to the respective IP
136 Any configuration that breaks name resolution and/or browsing intrinsics
137 will annoy users because they will have to put up with protracted
138 inability to use the network services.
142 Samba supports a feature that allows forced synchonisation
143 of browse lists across routed networks using the "remote
144 browse sync" parameter in the smb.conf file. This causes Samba
145 to contact the local master browser on a remote network and
146 to request browse list synchronisation. This effectively bridges
147 two networks that are separated by routers. The two remote
148 networks may use either broadcast based name resolution or WINS
149 based name resolution, but it should be noted that the "remote
150 browse sync" parameter provides browse list synchronisation - and
151 that is distinct from name to address resolution, in other
152 words, for cross subnet browsing to function correctly it is
153 essential that a name to address resolution mechanism be provided.
154 This mechanism could be via DNS, <filename>/etc/hosts</filename>,
161 <title>Use of the "Remote Announce" parameter</title>
163 The "remote announce" parameter of smb.conf can be used to forcibly ensure
164 that all the NetBIOS names on a network get announced to a remote network.
165 The syntax of the "remote announce" parameter is:
167 remote announce = a.b.c.d [e.f.g.h] ...
171 remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...
176 <varlistentry><term>a.b.c.d and e.f.g.h</term>
177 <listitem><para>is either the LMB (Local Master Browser) IP address
178 or the broadcst address of the remote network.
179 ie: the LMB is at 192.168.1.10, or the address
180 could be given as 192.168.1.255 where the netmask
181 is assumed to be 24 bits (255.255.255.0).
182 When the remote announcement is made to the broadcast
183 address of the remote network every host will receive
184 our announcements. This is noisy and therefore
185 undesirable but may be necessary if we do NOT know
186 the IP address of the remote LMB.</para></listitem>
190 <term>WORKGROUP</term>
191 <listitem><para>is optional and can be either our own workgroup
192 or that of the remote network. If you use the
193 workgroup name of the remote network then our
194 NetBIOS machine names will end up looking like
195 they belong to that workgroup, this may cause
196 name resolution problems and should be avoided.
205 <title>Use of the "Remote Browse Sync" parameter</title>
208 The "remote browse sync" parameter of smb.conf is used to announce to
209 another LMB that it must synchronise it's NetBIOS name list with our
210 Samba LMB. It works ONLY if the Samba server that has this option is
211 simultaneously the LMB on it's network segment.
215 The syntax of the "remote browse sync" parameter is:
218 remote browse sync = a.b.c.d
221 where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.
227 <title>Use of WINS</title>
230 Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly
231 recommended. Every NetBIOS machine registers it's name together with a
232 name_type value for each of of several types of service it has available.
233 eg: It registers it's name directly as a unique (the type 0x03) name.
234 It also registers it's name if it is running the lanmanager compatible
235 server service (used to make shares and printers available to other users)
236 by registering the server (the type 0x20) name.
240 All NetBIOS names are up to 15 characters in length. The name_type variable
241 is added to the end of the name - thus creating a 16 character name. Any
242 name that is shorter than 15 characters is padded with spaces to the 15th
243 character. ie: All NetBIOS names are 16 characters long (including the
244 name_type information).
248 WINS can store these 16 character names as they get registered. A client
249 that wants to log onto the network can ask the WINS server for a list
250 of all names that have registered the NetLogon service name_type. This saves
251 broadcast traffic and greatly expedites logon processing. Since broadcast
252 name resolution can not be used across network segments this type of
253 information can only be provided via WINS _or_ via statically configured
254 "lmhosts" files that must reside on all clients in the absence of WINS.
258 WINS also serves the purpose of forcing browse list synchronisation by all
259 LMB's. LMB's must synchronise their browse list with the DMB (domain master
260 browser) and WINS helps the LMB to identify it's DMB. By definition this
261 will work only within a single workgroup. Note that the domain master browser
262 has NOTHING to do with what is referred to as an MS Windows NT Domain. The
263 later is a reference to a security environment while the DMB refers to the
264 master controller for browse list information only.
268 Use of WINS will work correctly only if EVERY client TCP/IP protocol stack
269 has been configured to use the WINS server/s. Any client that has not been
270 configured to use the WINS server will continue to use only broadcast based
271 name registration so that WINS may NEVER get to know about it. In any case,
272 machines that have not registered with a WINS server will fail name to address
273 lookup attempts by other clients and will therefore cause workstation access
278 To configure Samba as a WINS server just add "wins support = yes" to the
279 smb.conf file [globals] section.
283 To configure Samba to register with a WINS server just add
284 "wins server = a.b.c.d" to your smb.conf file [globals] section.
288 <emphasis>DO NOT EVER</emphasis> use both "wins support = yes" together
289 with "wins server = a.b.c.d" particularly not using it's own IP address.
290 Specifying both will cause nmbd to refuse to start!
296 <title>Do NOT use more than one (1) protocol on MS Windows machines</title>
299 A very common cause of browsing problems results from installing more than
300 one protocol on an MS Windows machine.
304 Every NetBIOS machine takes part in a process of electing the LMB (and DMB)
305 every 15 minutes. A set of election criteria is used to determine the order
306 of precidence for winning this election process. A machine running Samba or
307 Windows NT will be biased so that the most suitable machine will predictably
308 win and thus retain it's role.
312 The election process is "fought out" so to speak over every NetBIOS network
313 interface. In the case of a Windows 9x machine that has both TCP/IP and IPX
314 installed and has NetBIOS enabled over both protocols the election will be
315 decided over both protocols. As often happens, if the Windows 9x machine is
316 the only one with both protocols then the LMB may be won on the NetBIOS
317 interface over the IPX protocol. Samba will then lose the LMB role as Windows
318 9x will insist it knows who the LMB is. Samba will then cease to function
319 as an LMB and thus browse list operation on all TCP/IP only machines will
324 Windows 95, 98, 98se, Me are referred to generically as Windows 9x.
325 The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly
326 referred to as the WinNT family, but it should be recognised that 2000 and
327 XP/2003 introduce new protocol extensions that cause them to behave
328 differently from MS Windows NT4. Generally, where a server does NOT support
329 the newer or extended protocol, these will fall back to the NT4 protocols.
333 The safest rule of all to follow it this - USE ONLY ONE PROTOCOL!
339 <title>Name Resolution Order</title>
342 Resolution of NetBIOS names to IP addresses can take place using a number
343 of methods. The only ones that can provide NetBIOS name_type information
347 <member>WINS: the best tool!</member>
348 <member>LMHOSTS: is static and hard to maintain.</member>
349 <member>Broadcast: uses UDP and can not resolve names across remote segments.</member>
353 Alternative means of name resolution includes:</para>
355 <member>/etc/hosts: is static, hard to maintain, and lacks name_type info</member>
356 <member>DNS: is a good choice but lacks essential name_type info.</member>
360 Many sites want to restrict DNS lookups and want to avoid broadcast name
361 resolution traffic. The "name resolve order" parameter is of great help here.
362 The syntax of the "name resolve order" parameter is:
364 name resolve order = wins lmhosts bcast host
368 name resolve order = wins lmhosts (eliminates bcast and host)
372 name resolve order = host lmhost wins bcast
374 where "host" refers the the native methods used by the Unix system
375 to implement the gethostbyname() function call. This is normally
376 controlled by <filename>/etc/host.conf</filename>, <filename>/etc/nsswitch.conf</filename> and <filename>/etc/resolv.conf</filename>.
git.samba.org / kai / samba.git / blob