NetBIOS name resolution from FreeBSD?

[Bruco]

So, I'm banging my head against this and the answer may be simple, but I'm not stumbling into it.

I have a FreeBSD 6.3 box that does some monitoring, arpwatch, ntop, etc. at work.

I'd like this box to be able to resolve NetBIOS names - we have a number of thin clients and other devices that do not register with DNS. From a Windows machine with NetBIOS over TCP/IP enable I'm able to ping these things by name. I want to be able to do the same with the FreeBSD box.

I assume I need nmbd for this. So I installed samba. I'm running nmbd by itself right now, as I don't need any file shares or anything. I let it run overnight, in fact. And still, I can't ping any nodes by NetBIOS name.

Here's what I believe is the relevant section of smb.conf:

Code:

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#	Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one	WINS Server on the network. The default is NO.
;   wins proxy = no

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
   dns proxy = no

Now, I do have WINS in the environment. So I tried pointing the WINS server setting to a Windows DC running WINS. Then I waited 20 minutes... and still nothing. No pinging of NetBIOS names.

I CAN, however, ping the FreeBSD box by name from Windows clients! But... that's not what I need, unfortunately.

So, what am I missing? Am I incorrect in my understanding of Windows networking? Does nmbd not provide the functionality I'm looking for? Am I likely just missing a simple configuration piece?

(By the way, if this should have gone into ports and packages, please move, and I apologize.)

[J65nko]

For many years, even before Windows networking exisited, resolving symbolic names to their numerical IP address is done according to settings in the "/etc/resolv.conf" file.

This file only handles settings for the Domain Namy System (DNS) and is used in the C resolver library. Programs like ping are use this library whenever they have to resolve a symbolic name into an IP address. NETBIOS name lookups are not handled by that library at all.

A younger addition to name resolutions is the "/etc/nsswitch.conf" file. The name stands for NameServerSwitch.conf. It allows more ways to resolve names, e.g. NIS. Unfortunately for you NETBIOS is not one of them

You can do NETBIOS lookups from the command line:

Code:

$ nmblookup hercules
querying hercules on 192.168.222.255
192.168.222.20 hercules<00>

You would have to write a small script to extract the found IP address and then pass it to ping.

[Bruco]

Thanks for the education! It's rather depressing though - I was hoping to get arpwatch to be able to resolve NetBIOS names. When devices are plugged into the network I get an email with the IP and MAC of course, and then if I'm suspicious I can track down the physical port they are plugged into. If the name is in DNS it's part of the email, but if not there's no name listed. Sometimes a name would help me realize more quickly what the device might be!

Yeah, yeah, I know, I can just do a nmblookup myself when I get an email from arpwatch - but what fun is that?

Maybe I can script it somehow...

[J65nko]

Can you paste a sample of an email sent out by arpwatch? That way we can give a helping hand to script it

[phoenix]

Alternatively, there's the draconian approach of disabling dynamic IP allocation on the network. IOW, nothing get an IP until you manually enter the MAC address into the DHCP config.

We moved to this to get a better grip on what's allowed on our networks. No more "bring device from home, plug into network, and away you go".

But, that's not always applicable to every network layout/setup.

[Bruco]

This is what one of the emails from arpwatch looks like. In this example the device plugged in was an HP thin client. Those do broadcast a NetBIOS name, but do not register in DNS:

Code:

            hostname: <unknown>
          ip address: 192.168.3.8
    ethernet address: 0:f:20:d9:5b:23
     ethernet vendor: Hewlett Packard
           timestamp: Monday, March 2, 2009 15:42:03 -0500

If a name exists in DNS, arpwatch will include it in that email. Not if it's just a NetBIOS name, though. If I could cram that nmblookup into what arpwatch does somehow it would probably do the trick!

(And yes, you are probably noticing that weird MAC address - I think arpwatch has problems with 0 as the first character in each set. Not a big deal.)

phoenix - Yeah, you are right. And I could do MAC filtering on my Cisco switches too. But I don't think they want me to be that exclusive... yet. So for the time being I can content myself with knowing whenever a new device plugs into the network!