[Samba] Windows 10 cannot connect without SMB1

[K.R. Foley]

On 2021-03-02 08:25, Reindl Harald via samba wrote:
> Am 02.03.21 um 14:55 schrieb K.R. Foley:
>> 
>> 
>> On 2021-03-02 05:47, Reindl Harald via samba wrote:
>>> Am 01.03.21 um 22:41 schrieb Roy Eastwood via samba:
>>>> On 01 March 2021 18:08 Gregory Sloop wrote:
>>>>> I haven't followed this thread closely at all - but how about 
>>>>> simply really
>>>> limiting
>>>>> the players.
>>>>> Reduce the network to just the DC's and client that's supposed to 
>>>>> join the
>>>>> domain those DC's hold.
>>>>> 
>>>>> Unplug everything else from the network.
>>>>> 
>>>> Yes I agree;  In an earlier post the OP mentioned that the clients 
>>>> and the
>>>> server were on separate subnets connected by VPN;   if so I would 
>>>> connect a
>>>> Windows 10 client directly to the same subnet as the DC and see if a 
>>>> join works
>>>> OK. If it does it would implicate the VPN etc is blocking SMB2/3 
>>>> protocols.
>>> 
>>> broad cast stuff typically don't make it over VPN and frankly i find
>>> it somehow pervert to *start* a new setup with the one and only 
>>> client
>>> on a VPN instead build up the network step-by-step
>>> 
>>> adding additional layers from the begin is always a terrible idea
>>> unless you have much luck and everything works fine out-of-the-box
>>> 
>> 
>> Initially I started testing with two VMs on the same private network, 
>> a Windows client and a Linux VM running Samba 4.11.1. These VMs 
>> were/are not physically isolated, but they are on a separate subnet 
>> with no routing to/from any other subnet. I have to work in this 
>> environment because they are not physical PCs. I got this working, but 
>> it is possible that they might have been communicating via SMB1. I 
>> then brought up an AWS instance because that is where the initial 
>> Samba server will reside (that is why there are different subnets and 
>> the VPN). Configured everything, but with 4.11.13. In the meantime the 
>> Windows VM has been updated. Now it won't support SMB1 and now my 
>> problems start.
>> 
>> Last night, I went back to my initial test VM for the Samba server. 
>> The two VMs are on a separate subnet with no routing to/from any other 
>> network and the same problem persists. I get the exact same errors. 
>> The client still thinks that the server is trying to use SMB1.
>> 
>> Again there is no routing between this subnet and any other subnet. 
>> However, the VMs are not physically isolated. This is not really 
>> possible in the current environment. There is an older Samba NT4 PDC 
>> on the same ESXI with the test VMs, but there is no IP routing and 
>> also the domain names are different. Is it possible that this is 
>> causing a problem?
> 
> why would it not be possible in a virtualized environment to
> physically isolate things?
> 
> nothing easier than that by just place them on a virtual vswitch with
> no physical NIC assigend and for operational tasks just use the vm
> console like you would sit in front of a physical machine

I will take a closer look tonight, but what I read about creating a 
vswitch indicated that the two VMs must reside on the same ESXi host, 
which they do not. Therefore, I did not try this.

kr