[Samba] clients not connecting to samba shares
Gary Dale
gary at extremeground.com
Mon Apr 10 23:19:19 UTC 2023
On 2023-04-05 09:56, Gary Dale via samba wrote:
> On 2023-04-04 19:36, Gary Dale via samba wrote:
>> On 2023-04-02 02:49, Rowland Penny via samba wrote:
>>>
>>>
>>> On 02/04/2023 04:54, Gary Dale via samba wrote:
>>>
>>>> I could, but that seems like overkill. A complete second (virtually
>>>> identical) system to administer and update just to hive off the
>>>> authentication task.
>>>>
>>>
>>> To be honest, I would run two DCs just for authentication and other
>>> Samba machines as Unix domain members.
>>>
>>> However, I cannot force you to do anything; all I can do is advise
>>> you of best practices. Neither Samba nor Microsoft recommends using a
>>> DC for anything other than authentication.
>>>
>>> Rowland
>>>
>> I've set up a Debian/Stable VM with the backports in a minimal
>> install. Then I added an ssh server and connected to it (so I can cut
>> & paste to the Konsole session), and did the Debian
>> distribution-specific installation. I removed the installer's
>> smb.conf and ran the interactive provisioning. TheLibrarian is
>> already a
>>
>> I then figured I'd try the Create a reverse zone but that failed:
>>
>> # samba-tool dns zonecreate DC1 1.168.192.in-addr.arpa -U Administrator
>> Failed to connect host 192.168.1.13 on port 135 -
>> NT_STATUS_CONNECTION_REFUSED
>> Failed to connect host 192.168.1.13 (DC1) on port 135 -
>> NT_STATUS_CONNECTION_REFUSED.
>> ERROR: Connecting to DNS RPC server DC1 failed with (3221226038, 'The
>> transport-connection attempt was refused by the remote system.')
>>
>> The message shows that the DC1 name resolved properly. I'm not aware
>> of anything blocking port 135 - this is a clean install to a new VM.
>> Any ideas on what's going on?
>>
> Never mind. I redid the entire process and got it to work this time.
>
So now I've got a separate DC and file server working - except that the
domain controller seems hard to contact. I keep getting error messages
such as "The specified domain either does not exist or cannot be
contacted". This is when I'm trying to do things in Windows - and apart
from being able to connect to a Samba share as Administrator (but not
see the files), I can't do anything.
I'm looking around in the DNS backend for why.
> # samba-tool dns zonelist DC1 -U administrator
> Password for [HOME\administrator]:
> 4 zone(s) found
>
> pszZoneName : 1.168.192,in-addr.rapa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.home.rahim-dale.org
>
> pszZoneName : 1.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.home.rahim-dale.org
>
> pszZoneName : home.rahim-dale.org
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.home.rahim-dale.org
>
> pszZoneName : _msdcs.home.rahim-dale.org
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.home.rahim-dale.org
> # samba-tool dns zonelist DC1 --secondary -U administrator
> Password for [HOME\administrator]:
> 0 zone(s) found
> # samba-tool dns zoneinfo DC1 home.rahim-dale.org -U administrator
> Password for [HOME\administrator]:
> pszZoneName : home.rahim-dale.org
> dwZoneType : DNS_ZONE_TYPE_PRIMARY
> fReverse : FALSE
> fAllowUpdate : DNS_ZONE_UPDATE_SECURE
> fPaused : FALSE
> fShutdown : FALSE
> fAutoCreated : FALSE
> fUseDatabase : TRUE
> pszDataFile : None
> aipMasters : []
> fSecureSecondaries : DNS_ZONE_SECSECURE_NO_XFER
> fNotifyLevel : DNS_ZONE_NOTIFY_LIST_ONLY
> aipSecondaries : []
> aipNotify : []
> fUseWins : FALSE
> fUseNbstat : FALSE
> fAging : FALSE
> dwNoRefreshInterval : 168
> dwRefreshInterval : 168
> dwAvailForScavengeTime : 0
> aipScavengeServers : []
> dwRpcStructureVersion : 0x2
> dwForwarderTimeout : 0
> fForwarderSlave : 0
> aipLocalMasters : []
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.home.rahim-dale.org
> pwszZoneDn :
> DC=home.rahim-dale.org,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=rahim-dale,DC=org
> dwLastSuccessfulSoaCheck : 0
> dwLastSuccessfulXfr : 0
> fQueuedForBackgroundLoad : FALSE
> fBackgroundLoadInProgress : FALSE
> fReadOnlyZone : FALSE
> dwLastXfrAttempt : 0
> dwLastXfrResult : 0
>
> # samba-tool dns query DC1 home.rahim-dale.org @ ALL -U administrator
> Password for [HOME\administrator]:
> Name=, Records=3, Children=0
> SOA: serial=131, refresh=900, retry=600, expire=86400, minttl=3600,
> ns=dc1.home.rahim-dale.org., email=hostmaster.
> home.rahim-dale.org. (flags=600000f0, serial=131, ttl=3600)
> NS: dc1.home.rahim-dale.org. (flags=600000f0, serial=1, ttl=900)
> A: 192.168.1.13 (flags=600000f0, serial=1, ttl=900)
> Name=_msdcs, Records=0, Children=0
> Name=_sites, Records=0, Children=1
> Name=_tcp, Records=0, Children=4
> Name=_udp, Records=0, Children=2
> Name=dc1, Records=4, Children=0
> A: 192.168.1.13 (flags=f0, serial=1, ttl=900)
> SRV: dc1.home.rahim-dale.org. (8080, 0, 100) (flags=f0, serial=129,
> ttl=900)
> SRV: dc1.home.rahim-dale.org. (389, 0, 100) (flags=f0, serial=130,
> ttl=900)
> SRV: home.rahim-dale.org. (389, 0, 100) (flags=f0, serial=131,
> ttl=900)
> Name=DomainDnsZones, Records=0, Children=2
> Name=ForestDnsZones, Records=0, Children=2
> Name=thelibrarian, Records=1, Children=0
> A: 192.168.1.14 (flags=f0, serial=110, ttl=3600)
>
The various A and SRV records in the query segment are (probably) from
me trying (clumsily) to add the correct record into the backend via
samba-tool. I think the serial=130 and 131 should have been close, but I
still get:
> # host -t SRV _ldap,_tcp.home.rahim-dale-org
> _ldap,_tcp.home.rahim-dale-org has no SRV record
>
when I run the DNS test in the AD DC setup wiki.
> # cat /etc/resolv.conf
> search home.rahim-dale.org
> nameserver 192.168.1.13
>
> cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.1.13 DC1.home.rahim-dale.org DC1
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
Having the dc1 listed in the Windows hosts file and as a SRV in the
lmhosts file doesn't seem to have helped either.
Any ideas on what is going wrong or how I can fix it?
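
A syntax check for the zone names and the SRV lookup name involved in the DC locator test, as an added example that is not part of the original post or of Samba. It flags characters that are not valid in DNS labels, reverse zones that do not end in `.in-addr.arpa`, and SRV names that do not fall under the domain; the sample input is constructed from the names in the quoted output above, and the function names are hypothetical.

```python
import re

# Constructed sample: the domain and zone names as listed in the thread's
# quoted `samba-tool dns zonelist` output.
DOMAIN = "home.rahim-dale.org"
ZONELIST = """\
pszZoneName : 1.168.192,in-addr.rapa
pszZoneName : 1.168.192.in-addr.arpa
pszZoneName : home.rahim-dale.org
pszZoneName : _msdcs.home.rahim-dale.org
"""

# Letters, digits, hyphen and (for AD service labels) underscore; no edge hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")

def bad_labels(name):
    """Problems with individual labels of a DNS name."""
    return [f"invalid label {l!r}" for l in name.rstrip(".").split(".")
            if not LABEL.match(l)]

def check_zone(zone, domain):
    """Syntax and placement problems for one zone name."""
    problems = bad_labels(zone)
    z = zone.rstrip(".").lower()
    if z.split(".")[0].isdigit():          # numeric first label: reverse zone
        if not z.endswith(".in-addr.arpa"):
            problems.append("reverse zone does not end in .in-addr.arpa")
    elif z != domain and not z.endswith("." + domain):
        problems.append(f"not inside {domain}")
    return problems

def check_srv_name(name, domain):
    """Problems with a name used for a DC locator SRV lookup."""
    problems = bad_labels(name)
    m = re.match(r"^_[a-z0-9-]+\._(tcp|udp)\.(.+)$", name.rstrip(".").lower())
    if not m:
        problems.append("not of the form _service._proto.<domain>")
    elif m.group(2) != domain:
        problems.append(f"suffix {m.group(2)!r} is not {domain!r}")
    return problems

def audit_zones(zonelist_text, domain):
    """Map each problematic zone in zonelist output to its problems."""
    zones = re.findall(r"pszZoneName\s*:\s*(\S+)", zonelist_text)
    return {z: p for z in zones if (p := check_zone(z, domain))}

if __name__ == "__main__":
    print(audit_zones(ZONELIST, DOMAIN))
    for q in ("_ldap,_tcp.home.rahim-dale-org", "_ldap._tcp.home.rahim-dale.org"):
        print(q, check_srv_name(q, DOMAIN))
```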