[Samba] Need help for SMBv2-connection with windows clients

Bombadil bombadil_00 at web.de
Sat Apr 30 16:14:58 UTC 2022


I have problems getting my Windows 10 client(s) to connect to my Samba
server using SMBv2 or higher, but no problems with the SMBv1 (NT1)
protocol. I guess this has to do with my AD domain being put on top
of my private domain (see configuration below).

I already checked that client and server are communicating, so it does
not seem to be primarily a simple DNS issue.

My setup:
Domain: example.com
AD-Domain(realm): samdom.example.com
Network 10.0.2.0/24

Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
dc.samdom.example.com (10.0.2.15)

Windows 10 client: wincli.example.com and wincli.samdom.example.com
(10.0.2.53)

example.com is resolved by a dnsmasq server, which forwards all requests
for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in dnsmasq.conf:
server=/samdom.example.com/10.0.2.15
rebind-domain-ok=/samdom.example.com/

I had to add the following entries to dnsmasq.conf to get 'net rpc
info' working:
srv-host=_ldap._tcp.pdc._msdcs.samdom,dc.samdom.example.com,389,0,100
srv-host=_ldap._tcp.gc._msdcs.samdom,dc.samdom.example.com,3268,0,100
srv-host=_ldap._tcp.dc._msdcs.samdom,dc.samdom.example.com,389,0,100
srv-host=_kerberos._tcp.dc._msdcs.samdom,dc.samdom.example.com,88,0,100

Reverse lookups of IP addresses usually yield .example.com names
(without the samdom), since they are performed by the dnsmasq server,
but I also added (for testing)
ptr-record=15.2.0.10.in-addr.arpa.,dc.samdom.example.com
in dnsmasq.conf so that the reverse lookup for the Samba AD resolves to the
AD domain (although this does not seem to be required).

wincli also uses the time-server of dc, so both are in sync.

Two setups:
NT1)
  dc.example.com:
   server min protocol = NT1
   server max protocol = NT1

  wincli.example.com:
   sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
   sc.exe config mrxsmb10 start= auto

SMB2)
 dc.example.com:
  server min protocol = SMB2_02
  server max protocol = SMB3

 wincli.example.com:
  sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
  sc.exe config mrxsmb10 start= disabled

wincli.example.com has joined the domain in setup NT1, and it is
possible to access the AD with the group policy on wincli. When I now
change to setup SMB2 and try to access the AD, I get "The RPC server is
not available" (or something analogous in German).

I tested whether the RPC server is operating in the SMB2 setup from a Linux
machine using "net rpc info -U Administrator", getting this output:
</grreplace_placeholder_do_not_emit>
Password for [samdom\Administrator]:
Domain Name: samdom
Domain SID: S-?-?-?-*
Sequence number: 1
Num users: 27
Num domain groups: 13
Num local groups: 5

So the RPC server seems to be running. And from Linux clients I have no
problems when using the SMB2 setup.

wincli and dc also seem to communicate in the SMB2 setup, since tcpdump
shows me an SMBnegprot (REQUEST) from wincli and dc answering with an
SMB-over-TCP packet (I guess it's encrypted).

Does anybody have an idea what the problem could be?

Here's more of my smb.conf (10.0.2.2 is the dnsmasq server):
        dns forwarder = 10.0.2.2
        netbios name = DC
        realm = SAMDOM.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        kdc:user ticket lifetime = 48
        kdc:renewal lifetime = 120
#               server min protocol = SMB2_02
#               server max protocol = SMB3
# this stops rpc server, but without windows clients don't work
        client min protocol = NT1
        server min protocol = NT1
        server max protocol = NT1
        disable netbios = no
        prefork children = 2
        allow dns updates = nonsecure
        nsupdate command = /usr/local/bin/nsupdate -g
        ntp signd socket directory = /var/db/samba4/ntp_signd
        server signing = desired
        client signing = desired
        smb encrypt = enabled
        wins support = yes
        name resolve order = wins lmhosts bcast
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind separator = +
        winbind nss info = rfc2307
        template homedir = /home/%U
        template shell = /bin/tcsh
        idmap_ldb:use rfc2307 = yes
        idmap config * : range = 500-550
        map acl inherit = yes
        xattr_tdb:file = /var/db/samba4/xattr.tdb
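As an added example (not part of the post or of Samba), a Python checker that parses an smb.conf fragment like the one above and reports which side, server or client, still admits SMB1 once the Windows clients are moved to mrxsmb20 only. The dialect ordering, the SMB2/SMB3 aliases and the defaults used for absent options are assumptions taken from smb.conf(5) for a Samba 4.13 build.

```python
"""Added example (not code from the post): parse an smb.conf fragment and
report which SMB dialects each side still admits, flagging SMB1 (NT1)."""
# Samba dialect names, oldest first; 'SMB2'/'SMB3' are aliases for the newest
# dialect of that generation (assumed here, per smb.conf(5)).
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
DEFAULTS = {"min": "SMB2_02", "max": "SMB3_11"}  # assumed Samba 4.13 defaults
# The protocol lines copied from the smb.conf in the post (NT1 setup).
POSTED_NT1 = """
        client min protocol = NT1
        server min protocol = NT1
        server max protocol = NT1
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lowercased, '#'/';' lines skipped."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # normalise internal spacing
            conf.setdefault(section, {})[key] = value.strip()
    return conf

def dialect_rank(name):
    """Index into DIALECTS after alias expansion; ValueError if unknown."""
    name = name.upper()
    return DIALECTS.index(ALIASES.get(name, name))

def protocol_range(conf, side):
    """Effective (min, max) dialect names for side 'server' or 'client'."""
    g = conf.get("global", {})
    lo, hi = (g.get(f"{side} {b} protocol", DEFAULTS[b]) for b in ("min", "max"))
    return DIALECTS[dialect_rank(lo)], DIALECTS[dialect_rank(hi)]

def smb1_findings(conf):
    """One finding per side whose minimum dialect is NT1 or older."""
    findings = []
    for side in ("server", "client"):
        lo, hi = protocol_range(conf, side)
        if dialect_rank(lo) <= dialect_rank("NT1"):
            findings.append(f"{side}: min protocol {lo} still admits SMB1 (max {hi})")
    return findings
```

Running `smb1_findings(parse_smb_conf(open("/usr/local/etc/smb4.conf").read()))` on the posted NT1 setup reports both sides; with the commented-out SMB2_02/SMB3 lines active instead, it reports nothing.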