[Samba] Need help for SMBv2-connection with windows clients

Rowland Penny rpenny at samba.org
Tue May 3 12:11:51 UTC 2022


On Tue, 2022-05-03 at 12:37 +0200, Bombadil via samba wrote:
> Am Sonntag, dem 01.05.2022 um 16:46 +0100 schrieb Rowland Penny via
> samba:
> > On Sun, 2022-05-01 at 17:21 +0200, Bombadil via samba wrote:
> > > Am Samstag, dem 30.04.2022 um 18:22 +0100 schrieb Rowland Penny
> > > via
> > > samba:
> > > > On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > > > > I have problems getting my Windows 10 client(s) to connect to my
> > > > > Samba-server using SMBv2 or higher, but no problems with SMBv1 (NT1)
> > > > > protocol. I guess this has to do with my AD domain being put on top
> > > > > of my private domain (see configuration below).
> > > > > 
> > > > > I already checked that client and server are communicating, so it
> > > > > does not seem to be primarily a simple DNS issue.
> > > > > 
> > > > > My setup:
> > > > > Domain: example.com
> > > > > AD-Domain(realm): samdom.example.com
> > > > > Network 10.0.2.0/24
> > > > > 
> > > > > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > > > > dc.samdom.example.com (10.0.2.15)
> > > > > 
> > > > > Windows 10 client: wincli.example.com and
> > > > > wincli.samdom.example.com
> > > > > (10.0.2.53)
> > > > > 
> > > > > example.com is resolved by a dnsmasq-server, which forwards all
> > > > > requests for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in
> > > > > dnsmasq.conf:
> > > > > server=/samdom.example.com/10.0.2.15
> > > > > rebind-domain-ok=/samdom.example.com/
> > > > 
> > > > It looks like all your clients are in the 'example.com' DNS domain
> > > > (and hence in the 'EXAMPLE.COM' realm) and the DC is in the
> > > > 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM'
> > > > realm). If this is the case, then it isn't going to work.
> > > > 
> > > > Using a subdomain of a registered domain is best practice, so you
> > > > are okay there, but your DC must be authoritative for the subdomain
> > > > and your clients must be members of the subdomain. Whilst you can
> > > > use an external DNS server on your network, all requests for AD
> > > > records must be forwarded to the DC(s) and no AD records can be
> > > > stored on the forwarding dns server (except for 'cached' records).
> > > > 
> > > > I suggest you rethink your setup.
> > > > 
> > > > Rowland
> > > > 
> > > > 
> > > Thank you for your quick response!
> > > 
> > > Actually I tried to set them both simply into the example.com
> > > DNS-domain or the samdom.example.com DNS domain, but this does not
> > > solve the problem. I also changed the DNS server on both machines to
> > > the DC-DNS server (10.0.2.15), i.e., the reply is now certainly
> > > authoritative, but still no success.
> > > 
> > > Is it possible that SMBv2 also performs a reverse lookup? That would
> > > currently result in the example.com-domain, since no PTR-entries are
> > > in the DC-DNS server and then the requests are forwarded to the
> > > dnsmasq-server.
> > > 
> > >   Helmut
> > 
> > The DC should also be authoritative for the reverse zone. Unless the
> > dnsmasq server is just a 'cache' server and/or a dhcp server, I don't
> > see the point in it. You will not be the first person (and probably
> > not the last) to attempt to use an external dns server to control a
> > Samba AD domain; none have worked correctly yet.
> > 
> > Just create the reverse records in AD and nowhere else (except in a
> > dns caching server, which will be created automatically).
> > 
> > Rowland
> > 
> > 
> I configured "dc1" and "wincli" now to be in NS-domain
> samdom.example.com and "dc1" is only the NS-server (so the dnsmasq
> server does not interfere):
> 
> On dc1:
>   'host -t A dc1':
>     dc1.samdom.example.com has address 10.0.2.15
>   'host -t A gimli':
>     gimli.samdom.example.com has address 10.0.2.96
> 
>   'dig dc1.samdom.example.com':
> ; <<>> DiG 9.16.27 <<>> dc1.samdom.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1,
> ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;dc1.samdom.example.com.   IN      A
> 
> ;; ANSWER SECTION:
> dc1.samdom.example.com. 900 IN     A       10.0.2.15
> 
> ;; AUTHORITY SECTION:
> samdom.example.com.      3600    IN      SOA    
> dc1.samdom.example.com. hostmaster.samdom.example.com. 25 900 600
> 86400
> 3600
> 
> ;; Query time: 5 msec
> ;; SERVER: 10.0.2.15#53(10.0.2.15)
> ;; WHEN: Tue May 03 12:14:03 CEST 2022
> ;; MSG SIZE  rcvd: 108
> 
>   'dig -x 10.0.2.15'
> ; <<>> DiG 9.16.27 <<>> -x 10.0.2.15
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62014
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1,
> ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;15.2.0.10.in-addr.arpa.                IN      PTR
> 
> ;; ANSWER SECTION:
> 15.2.0.10.in-addr.arpa. 900     IN      PTR    
> dc1.samdom.example.com.
> 
> ;; AUTHORITY SECTION:
> 2.0.10.in-addr.arpa.    3600    IN      SOA    
> dc1.samdom.example.com.
> hostmaster.samdom.example.com. 6 900 600 86400 3600
> 
> ;; Query time: 5 msec
> ;; SERVER: 10.0.2.15#53(10.0.2.15)
> ;; WHEN: Tue May 03 12:15:40 CEST 2022
> ;; MSG SIZE  rcvd: 128
> 
> The outputs for "wincli" are analogous. I also checked on "wincli" the
> NS-lookups with nslookup and got the same results. Thus, both machines
> are in the same domain, reverse lookup is working, and the NS answers
> are authoritative.
> 
> When I switch off SMBv1 on "wincli" and "dc1" I still get "RPC server
> is not available"!
> 
> For testing I removed "wincli" from the AD-domain, and tried to join it
> again using just SMBv2. But then I am getting the error that "A device
> attached to the system is not functioning". Whatever this means.
> As soon as I enable SMBv1 again, I can join the domain without
> problems...
> 
>   Helmut

I have reviewed this thread and several things got masked by the
totally incorrect dns setup.

You cannot turn off the RPC server by setting '* min protocol' on a DC,
it is a service run from the 'server services' line and you do not have
that line, so the defaults are used, one of which is 'rpc'.

You also have numerous lines in your smb.conf that are either defaults
or have no place in a DC smb.conf, e.g. 'wins support'.

Is a firewall running and blocking the ports that a DC requires?

Rowland
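As an added illustration (not part of the thread or of Samba), a small Python checker that parses dig output in the style quoted above and flags the two properties Rowland insists on: the reply carries the 'aa' (authoritative) flag, and the zone's SOA names the DC as primary. Both sample outputs are constructed; the reverse one deliberately lacks 'aa', as a reply from a caching forwarder such as dnsmasq would.

```python
import re

# Constructed sample dig output, modelled on the style quoted in the thread.
# Forward lookup answered by the DC itself: note the 'aa' flag and the SOA.
FORWARD_OUTPUT = """\
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
dc1.samdom.example.com. 900 IN  A   10.0.2.15
;; AUTHORITY SECTION:
samdom.example.com. 3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. 25 900 600 86400 3600
"""
# Reverse lookup as a caching forwarder (e.g. dnsmasq) would answer it: no 'aa' flag.
REVERSE_OUTPUT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
15.2.0.10.in-addr.arpa. 900 IN  PTR dc1.samdom.example.com.
"""
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Extract the header flags and the resource records of each section."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        if (m := re.match(r";; flags:([^;]*);", line)):
            flags = set(m.group(1).split())
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            current = line[3:].replace(" SECTION:", "")
            sections[current] = []
        elif current and (m := RR_RE.match(line)):
            name, _ttl, rtype, rdata = m.groups()
            sections[current].append((name.rstrip(".").lower(), rtype, rdata.strip()))
    return flags, sections

def check_answer(text, qname, qtype, expected_rdata, dc_fqdn):
    """Return the list of problems found; an empty list means the DC answered as it should."""
    flags, sections = parse_dig(text)
    problems = []
    if "aa" not in flags:
        problems.append("no 'aa' flag: a cache or forwarder answered, not the DC")
    hits = [r for n, t, r in sections.get("ANSWER", []) if n == qname.lower() and t == qtype]
    if not hits:
        problems.append(f"no {qtype} record for {qname} in the ANSWER section")
    elif hits[0].rstrip(".").lower() != expected_rdata.rstrip(".").lower():
        problems.append(f"{qtype} for {qname} is {hits[0]}, expected {expected_rdata}")
    soa = [r for _, t, r in sections.get("AUTHORITY", []) if t == "SOA"]
    if soa and soa[0].split()[0].rstrip(".").lower() != dc_fqdn.lower():
        problems.append(f"zone SOA primary is {soa[0].split()[0]}, not the DC {dc_fqdn}")
    return problems
```

Run the real `dig` against the DC for both the A record and the `-x` reverse lookup of every DC and client, pipe each output through `check_answer`, and a non-empty list tells you which host is still being answered by something other than AD.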