[Samba] Need help for SMBv2-connection with windows clients

Bombadil bombadil_00 at web.de
Tue May 3 10:37:02 UTC 2022


Am Sonntag, dem 01.05.2022 um 16:46 +0100 schrieb Rowland Penny via
samba:
> On Sun, 2022-05-01 at 17:21 +0200, Bombadil via samba wrote:
> > Am Samstag, dem 30.04.2022 um 18:22 +0100 schrieb Rowland Penny via
> > samba:
> > > On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > > > I have problems getting my Windows 10 client(s) to connect to my
> > > > Samba server using SMBv2 or higher, but no problems with the SMBv1
> > > > (NT1) protocol. I guess this has to do with my AD domain being put
> > > > on top of my private domain (see configuration below).
> > > > 
> > > > I already checked that client and server are communicating, so it
> > > > does not seem to be primarily a simple DNS issue.
> > > > 
> > > > My setup:
> > > > Domain: example.com
> > > > AD-Domain(realm): samdom.example.com
> > > > Network 10.0.2.0/24
> > > > 
> > > > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > > > dc.samdom.example.com (10.0.2.15)
> > > > 
> > > > Windows 10 client: wincli.example.com and
> > > > wincli.samdom.example.com
> > > > (10.0.2.53)
> > > > 
> > > > example.com is resolved by a dnsmasq server, which forwards all
> > > > requests for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in
> > > > dnsmasq.conf:
> > > > server=/samdom.example.com/10.0.2.15
> > > > rebind-domain-ok=/samdom.example.com/
> > > 
> > > It looks like all your clients are in the 'example.com' DNS domain
> > > (and hence in the 'EXAMPLE.COM' realm) and the DC is in the
> > > 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM'
> > > realm). If this is the case, then it isn't going to work.
> > > 
> > > Using a subdomain of a registered domain is best practice, so you
> > > are okay there, but your DC must be authoritative for the subdomain
> > > and your clients must be members of the subdomain. Whilst you can
> > > use an external DNS server on your network, all requests for AD
> > > records must be forwarded to the DC(s) and no AD records can be
> > > stored on the forwarding DNS server (except for 'cached' records).
> > > 
> > > I suggest you rethink your setup.
> > > 
> > > Rowland
> > > 
> > > 
> > Thank you for your quick response!
> > 
> > Actually I tried to set them both simply into the example.com DNS
> > domain or the samdom.example.com DNS domain, but this does not solve
> > the problem. I also changed the DNS server on both machines to the
> > DC DNS server (10.0.2.15), i.e., the reply is now certainly
> > authoritative, but still no success.
> > 
> > Is it possible that SMBv2 also performs a reverse lookup? That would
> > currently result in the example.com domain, since no PTR entries are
> > in the DC DNS server and then the requests are forwarded to the
> > dnsmasq server.
> > 
> >   Helmut
> 
> The DC should also be authoritative for the reverse zone. Unless the
> dnsmasq server is just as a 'cache' server and/or a dhcp server, I
> don't see the point in it. You will not be the first person (and
> probably not the last) to attempt to use an external dns server to
> control a Samba AD domain, none have worked correctly yet.
> 
> Just create the reverse records in AD and nowhere else (except in a
> DNS caching server, which will be created automatically).
> 
> Rowland
> 
> 
I have now configured "dc1" and "wincli" to be in the NS domain
samdom.example.com, and "dc1" is the only NS server (so the dnsmasq
server does not interfere):

On dc1:
  'host -t A dc1':
    dc1.samdom.example.com has address 10.0.2.15
  'host -t A gimli':
    gimli.samdom.example.com has address 10.0.2.96

  'dig dc1.samdom.example.com':
; <<>> DiG 9.16.27 <<>> dc1.samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dc1.samdom.example.com.   IN      A

;; ANSWER SECTION:
dc1.samdom.example.com. 900 IN     A       10.0.2.15

;; AUTHORITY SECTION:
samdom.example.com.     3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 25 900 600 86400 3600

;; Query time: 5 msec
;; SERVER: 10.0.2.15#53(10.0.2.15)
;; WHEN: Tue May 03 12:14:03 CEST 2022
;; MSG SIZE  rcvd: 108

  'dig -x 10.0.2.15'
; <<>> DiG 9.16.27 <<>> -x 10.0.2.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62014
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;15.2.0.10.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
15.2.0.10.in-addr.arpa. 900     IN      PTR     dc1.samdom.example.com.

;; AUTHORITY SECTION:
2.0.10.in-addr.arpa.    3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 6 900 600 86400 3600

;; Query time: 5 msec
;; SERVER: 10.0.2.15#53(10.0.2.15)
;; WHEN: Tue May 03 12:15:40 CEST 2022
;; MSG SIZE  rcvd: 128

The outputs for "wincli" are analogous. I also checked the NS lookups on
"wincli" with nslookup and got the same results. Thus, both machines
are in the same domain, reverse lookup is working, and the NS answers
are authoritative.

When I switch off SMBv1 on "wincli" and "dc1" I still get "RPC server
is not available"!

For testing I removed "wincli" from the AD-domain, and tried to join it
again using just SMBv2. But then I am getting the error that "A device
attached to the system is not functioning". Whatever this means.
As soon as I enable SMBv1 again, I can join the domain without
problems...

  Helmut
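A small check, added here as an example (not code from the thread or from Samba), that applies the criteria Rowland gives above to dig output: the answer must be authoritative (the 'aa' flag, i.e. served by the DC itself rather than forwarded by dnsmasq), the host must lie inside the AD DNS domain, and its A and PTR records must point at each other. The two sample outputs are constructed, trimmed copies of the dig runs in the message; `parse_dig` and `check_ad_host` are hypothetical helper names.

```python
import re
# Constructed samples: trimmed copies of the two dig runs shown in the thread above.
FORWARD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
dc1.samdom.example.com. 900 IN     A       10.0.2.15
"""
REVERSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62014
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
15.2.0.10.in-addr.arpa. 900     IN      PTR     dc1.samdom.example.com.
"""

def parse_dig(text):
    """Return (status, flags, answers) from dig's text output; answers are
    (name, type, rdata) tuples from the ANSWER section, trailing dots stripped."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([^;]*);", text).group(1).split())
    section = text.partition(";; ANSWER SECTION:\n")[2].split("\n\n", 1)[0]  # empty on NXDOMAIN
    answers = []
    for line in section.splitlines():
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        answers.append((name.rstrip("."), rtype, rdata.strip().rstrip(".")))
    return status, flags, answers

def check_ad_host(fwd_text, rev_text, fqdn, ad_domain):
    """List DNS problems for a host (empty = OK): answers must be authoritative ('aa',
    i.e. from the DC, not forwarded), host in the AD domain, A and PTR consistent."""
    problems = []
    if not fqdn.endswith("." + ad_domain):
        problems.append(f"{fqdn} is not inside the AD DNS domain {ad_domain}")
    answers = {}
    for label, text in (("forward", fwd_text), ("reverse", rev_text)):
        status, flags, answers[label] = parse_dig(text)
        if status != "NOERROR":
            problems.append(f"{label} lookup failed with status {status}")
        if "aa" not in flags:
            problems.append(f"{label} answer is not authoritative (no 'aa' flag)")
    addrs = {rd for n, t, rd in answers["forward"] if t == "A" and n == fqdn}
    for name, _t, rdata in [a for a in answers["reverse"] if a[1] == "PTR"]:
        ip = ".".join(reversed(name.replace(".in-addr.arpa", "").split(".")))
        if ip not in addrs:
            problems.append(f"PTR for {ip} matches no A record of {fqdn}")
        if rdata != fqdn:
            problems.append(f"PTR for {ip} points to {rdata}, not {fqdn}")
    return problems
```

Run the same check against `dig` and `dig -x` output for each DC and member; an answer without 'aa' means the query was served by a forwarder or cache rather than the DC.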