[Samba] Need help for SMBv2-connection with windows clients
Bombadil
bombadil_00 at web.de
Sat Apr 30 16:14:58 UTC 2022
I have problems getting my Windows 10 client(s) to connect to my Samba
server using SMBv2 or higher, but no problems with the SMBv1 (NT1)
protocol. I guess this has to do with my AD domain being put on top
of my private domain (see configuration below).
I already checked that client and server are communicating, so it does
not seem to be primarily a simple DNS issue.
My setup:
Domain: example.com
AD-Domain(realm): samdom.example.com
Network 10.0.2.0/24
Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
dc.samdom.example.com (10.0.2.15)
Windows 10 client: wincli.example.com and wincli.samdom.example.com
(10.0.2.53)
example.com is resolved by a dnsmasq server, which forwards all requests
for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in dnsmasq.conf:
server=/samdom.example.com/10.0.2.15
rebind-domain-ok=/samdom.example.com/
I had to add the following entries to dnsmasq.conf to get 'net rpc
info' working:
srv-host=_ldap._tcp.pdc._msdcs.samdom,dc.samdom.example.com,389,0,100
srv-host=_ldap._tcp.gc._msdcs.samdom,dc.samdom.example.com,3268,0,100
srv-host=_ldap._tcp.dc._msdcs.samdom,dc.samdom.example.com,389,0,100
srv-host=_kerberos._tcp.dc._msdcs.samdom,dc.samdom.example.com,88,0,100
Reverse lookups of IP addresses usually yield .example.com names
(without the samdom), since they are performed by the dnsmasq server,
but I also added (for testing)
ptr-record=15.2.0.10.in-addr.arpa.,dc.samdom.example.com
in dnsmasq.conf so that the reverse lookup for the Samba AD yields the
AD domain name (although this does not seem to be required).
wincli also uses the time-server of dc, so both are in sync.
Two setups:
NT1)
dc.example.com:
server min protocol = NT1
server max protocol = NT1
wincli.example.com:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto
SMB2)
dc.example.com:
server min protocol = SMB2_02
server max protocol = SMB3
wincli.example.com:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
wincli.example.com has joined the domain in setup NT1, and it is
possible to access the AD with the group policy on wincli. When I now
change to setup SMB2 and try to access the AD, I get "The RPC server is
not available" (or something analogous in German).
I tested whether the RPC server is operating in the SMB2 setup from a Linux
machine using "net rpc info -U Administrator", getting this output:
Password for [samdom\Administrator]:
Domain Name: samdom
Domain SID: S-?-?-?-*
Sequence number: 1
Num users: 27
Num domain groups: 13
Num local groups: 5
So the RPC server seems to be running. And from Linux clients I have no
problems when using the SMB2 setup.
wincli and dc also seem to communicate in the SMB2 setup, since tcpdump
shows me an SMBnegprot (REQUEST) from wincli and dc is answering with an
SMB-over-TCP packet (I guess it's encrypted).
Does anybody have an idea what the problem could be?
Here's more of my smb.conf (10.0.2.2 is the dnsmasq server):
dns forwarder = 10.0.2.2
netbios name = DC
realm = SAMDOM.EXAMPLE.COM
server role = active directory domain controller
workgroup = SAMDOM
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
kdc:user ticket lifetime = 48
kdc:renewal lifetime = 120
# server min protocol = SMB2_02
# server max protocol = SMB3
# this stops rpc server, but without windows clients don't work
client min protocol = NT1
server min protocol = NT1
server max protocol = NT1
disable netbios = no
prefork children = 2
allow dns updates = nonsecure
nsupdate command = /usr/local/bin/nsupdate -g
ntp signd socket directory = /var/db/samba4/ntp_signd
server signing = desired
client signing = desired
smb encrypt = enabled
wins support = yes
name resolve order = wins lmhosts bcast
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind separator = +
winbind nss info = rfc2307
template homedir = /home/%U
template shell = /bin/tcsh
idmap_ldb:use rfc2307 = yes
idmap config * : range = 500-550
map acl inherit = yes
xattr_tdb:file = /var/db/samba4/xattr.tdb
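Added example, not code from the original post or from Samba or dnsmasq: a small Python check that parses the `server=` and `srv-host=` lines of a dnsmasq.conf and reports, for every SRV name a Samba AD DC publishes under its realm, whether dnsmasq forwards the query to the DC, answers it from a static entry, or cannot resolve it, and also lists any srv-host names that do not lie under the realm. The AD_SRV_SERVICES list and all function names are my own; the sample config is constructed from the lines quoted in the post.

```python
import re

# SRV names a Samba AD DC publishes under its realm; domain joins, Kerberos
# and 'net rpc' look these up, so the client's resolver must reach them.
AD_SRV_SERVICES = (
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp",
    "_kpasswd._udp", "_gc._tcp", "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs", "_ldap._tcp.gc._msdcs",
)

def parse_dnsmasq(text):
    """Return ({forwarded zone: upstream ip}, {srv name: (target, port)})."""
    zones, srv = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*server=/([^/]+)/(\S+)", line)
        if m:
            zones[m.group(1).lower().rstrip(".")] = m.group(2)
        m = re.match(r"\s*srv-host=([^,]+),([^,]+),(\d+)", line)
        if m:
            srv[m.group(1).lower().rstrip(".")] = (m.group(2), int(m.group(3)))
    return zones, srv

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def check_realm(text, realm):
    """Map each expected SRV name of `realm` to how dnsmasq answers it
    (forwarded, static srv-host, UNRESOLVED); list srv-host names outside it."""
    zones, srv = parse_dnsmasq(text)
    realm = realm.lower()
    report = {}
    for svc in AD_SRV_SERVICES:
        name = f"{svc}.{realm}"
        if name in srv:
            report[name] = "static srv-host -> %s:%d" % srv[name]
        else:
            fwd = [ip for z, ip in zones.items() if in_zone(name, z)]
            report[name] = f"forwarded -> {fwd[0]}" if fwd else "UNRESOLVED"
    outside = sorted(n for n in srv if not in_zone(n, realm))
    return report, outside

# Constructed sample: the forwarding and SRV lines quoted in the post.
SAMPLE_CONF = """
server=/samdom.example.com/10.0.2.15
srv-host=_ldap._tcp.pdc._msdcs.samdom,dc.samdom.example.com,389,0,100
srv-host=_kerberos._tcp.dc._msdcs.samdom,dc.samdom.example.com,88,0,100
"""

if __name__ == "__main__":
    report, outside = check_realm(SAMPLE_CONF, "samdom.example.com")
    print(*(f"{n:45} {h}" for n, h in report.items()), "outside:", outside, sep="\n")
```

Point the realm argument at your own AD realm and feed it the real dnsmasq.conf; anything reported as UNRESOLVED is a name the Windows client cannot look up through dnsmasq.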