[Samba] Need help for SMBv2-connection with windows clients

Rowland Penny rpenny at samba.org
Sun May 1 15:46:11 UTC 2022


On Sun, 2022-05-01 at 17:21 +0200, Bombadil via samba wrote:
> On Saturday, 30.04.2022 at 18:22 +0100, Rowland Penny via samba wrote:
> > On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > > I have problems getting my Windows 10 client(s) to connect to my
> > > Samba-server using SMBv2 or higher, but no problems with SMBv1 (NT1)
> > > protocol. I guess this has to do with my AD domain being put on top
> > > of my private domain (see configuration below).
> > > 
> > > I already checked that client and server are communicating, so it
> > > does not seem to be primarily a simple DNS issue.
> > > 
> > > My setup:
> > > Domain: example.com
> > > AD-Domain(realm): samdom.example.com
> > > Network 10.0.2.0/24
> > > 
> > > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > > dc.samdom.example.com (10.0.2.15)
> > > 
> > > Windows 10 client: wincli.example.com and
> > > wincli.samdom.example.com
> > > (10.0.2.53)
> > > 
> > > example.com is resolved by a dnsmasq-server, which forwards all
> > > requests for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in
> > > dnsmasq.conf:
> > > server=/samdom.example.com/10.0.2.15
> > > rebind-domain-ok=/samdom.example.com/
> > 
> > It looks like all your clients are in the 'example.com' DNS domain
> > (and hence in the 'EXAMPLE.COM' realm) and the DC is in the
> > 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM'
> > realm). If this is the case, then it isn't going to work.
> > 
> > Using a subdomain of a registered domain is best practice, so you
> > are okay there, but your DC must be authoritative for the subdomain
> > and your clients must be members of the subdomain. Whilst you can
> > use an external DNS server on your network, all requests for AD
> > records must be forwarded to the DC(s) and no AD records can be
> > stored on the forwarding DNS server (except for 'cached' records).
> > 
> > I suggest you rethink your setup.
> > 
> > Rowland
> > 
> > 
> Thank you for your quick response!
> 
> Actually I tried to set them both simply into the example.com
> DNS-domain or the samdom.example.com DNS domain, but this does not
> solve the problem. I also changed the DNS server on both machines to
> the DC-DNS server (10.0.2.15), i.e., the reply is now certainly
> authoritative, but still no success.
> 
> Is it possible that SMBv2 also performs a reverse lookup? That would
> currently result in the example.com-domain, since no PTR-entries are
> in the DC-DNS server and then the requests are forwarded to the
> dnsmasq-server.
> 
>   Helmut

The DC should also be authoritative for the reverse zone. Unless the
dnsmasq server is just used as a 'cache' server and/or a DHCP server, I
don't see the point in it. You will not be the first person (and
probably not the last) to attempt to use an external DNS server to
control a Samba AD domain; none have worked correctly yet.

Just create the reverse records in AD and nowhere else (except in a DNS
caching server, where they will be created automatically).

Rowland
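What Rowland describes, as an added example that is not part of the thread and not Samba's own documentation: the reverse zone for the 10.0.2.0/24 subnet and the client's PTR record are created in AD with samba-tool (so the DC is authoritative for reverse lookups too), dnsmasq is told to forward the reverse zone to the DC alongside the forward zone it already forwards, and a check confirms that the DC itself answers the SRV and PTR records a domain member needs. Host names, addresses and the realm mirror the setup quoted above; the helper functions, the use of the Administrator account, the requirement for `dig` on the DC, and the `RUN_AGAINST_DC` guard are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): put the reverse
# zone for the AD subnet into AD DNS on the Samba DC, forward it from
# dnsmasq, and verify that the DC answers the records clients depend on.
# Values mirror the setup quoted in the thread.
DC_HOST="dc.samdom.example.com"
DC_IP="10.0.2.15"
REALM="samdom.example.com"
CLIENT_HOST="wincli"
CLIENT_IP="10.0.2.53"

# Reverse zone name for a /24 network, e.g. 10.0.2.0 -> 2.0.10.in-addr.arpa
reverse_zone_for() {
    # $1: network address of a /24 (e.g. 10.0.2.0)
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# The PTR record name inside that zone is the host's last octet.
ptr_label_for() {
    # $1: host IP (e.g. 10.0.2.53) -> 53
    echo "$1" | awk -F. '{ print $4 }'
}

# dnsmasq lines so that BOTH the AD realm and the reverse zone reach the DC
# (the thread already has the first one; the second is what was missing).
dnsmasq_forward_lines() {
    # $1: network address of the /24 the clients live in
    zone=$(reverse_zone_for "$1")
    printf 'server=/%s/%s\n' "$REALM" "$DC_IP"
    printf 'server=/%s/%s\n' "$zone" "$DC_IP"
}

# Create the reverse zone and one PTR record in AD DNS. samba-tool prompts
# for the password of the account given with -U (assumed: Administrator).
create_reverse_records() {
    # $1: network (10.0.2.0)  $2: host IP (10.0.2.53)  $3: short host name
    zone=$(reverse_zone_for "$1")     # e.g. 2.0.10.in-addr.arpa
    label=$(ptr_label_for "$2")       # e.g. 53
    samba-tool dns zonecreate "$DC_HOST" "$zone" -U Administrator
    samba-tool dns add "$DC_HOST" "$zone" "$label" PTR "$3.$REALM" -U Administrator
}

# Ask the DC directly (not dnsmasq) for the records a domain member needs:
# the LDAP and Kerberos SRV records and the client's PTR. Needs dig.
check_ad_dns() {
    dig @"$DC_IP" +short "_ldap._tcp.dc._msdcs.$REALM" SRV | grep -q . \
        || { echo "DC does not answer the _ldap._tcp.dc._msdcs SRV record"; return 1; }
    dig @"$DC_IP" +short "_kerberos._tcp.$REALM" SRV | grep -q . \
        || { echo "DC does not answer the _kerberos._tcp SRV record"; return 1; }
    dig @"$DC_IP" +short -x "$CLIENT_IP" | grep -q "$CLIENT_HOST.$REALM" \
        || { echo "DC does not answer the PTR record for $CLIENT_IP"; return 1; }
    echo "DC at $DC_IP answers SRV and PTR records for $REALM"
}

# The commands that need a live DC only run when explicitly requested.
if command -v samba-tool >/dev/null 2>&1 && [ "${RUN_AGAINST_DC:-no}" = yes ]; then
    create_reverse_records 10.0.2.0 "$CLIENT_IP" "$CLIENT_HOST"
    check_ad_dns
fi
```

Run it on the DC with `RUN_AGAINST_DC=yes` after appending the two `server=` lines from `dnsmasq_forward_lines 10.0.2.0` to dnsmasq.conf (the `rebind-domain-ok` line is only needed for answers that carry private addresses, which PTR answers do not). If `check_ad_dns` fails on the SRV lookups, the DC's own DNS is the problem and no forwarder setting will fix it; if only the PTR lookup fails, the reverse zone is still being answered from somewhere other than AD.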

