[Samba] clients not connecting to samba shares

Gary Dale gary at extremeground.com
Tue Apr 11 12:36:12 UTC 2023


On 2023-04-11 04:15, Rowland Penny via samba wrote:
>
>
> On 11/04/2023 00:19, Gary Dale via samba wrote:
>> On 2023-04-05 09:56, Gary Dale via samba wrote:
>>> On 2023-04-04 19:36, Gary Dale via samba wrote:
>>>> On 2023-04-02 02:49, Rowland Penny via samba wrote:
>>>>>
>>>>>
>>>>> On 02/04/2023 04:54, Gary Dale via samba wrote:
>>>>>
>>>>>> I could, but that seems like overkill. A complete second 
>>>>>> (virtually identical) system to administer and update just to 
>>>>>> hive off the authentication task.
>>>>>>
>>>>>
>>>>> To be honest, I would run two DCs just for authentication and 
>>>>> other Samba machines as Unix domain members.
>>>>>
>>>>> However, I cannot force you to do anything, all I can do is advise 
>>>>> you of best practices, neither Samba nor Microsoft recommend using 
>>>>> a DC for anything other than authentication.
>>>>>
>>>>> Rowland
>>>>>
>>>> I've set up a Debian/Stable VM with the backports in a minimal 
>>>> install. Then I added an ssh server and connected to it (so I can 
>>>> cut & paste to the Konsole session), and did the Debian 
>>>> distribution-specific installation.
>
> What 'Debian distribution-specific' installation did you follow ?
The one linked to in the AD DC wiki.
>
>>>> I removed the installer's smb.conf and ran the interactive 
>>>> provisioning.  TheLibrarian is already a
>>>>
>>>> I then figured I'd try the Create a reverse zone but that failed:
>>>>
>>>> # samba-tool dns zonecreate  DC1 1.168.192.in-addr.arpa -U 
>>>> Administrator
>>>> Failed to connect host 192.168.1.13 on port 135 - 
>>>> NT_STATUS_CONNECTION_REFUSED
>>>> Failed to connect host 192.168.1.13 (DC1) on port 135 - 
>>>> NT_STATUS_CONNECTION_REFUSED.
>>>> ERROR: Connecting to DNS RPC server DC1 failed with (3221226038, 
>>>> 'The transport-connection attempt was refused by the remote system.')
>>>>
>>>> The message shows that the DC1 name resolved properly. I'm not 
>>>> aware of anything blocking port 135 - this is a clean install to a 
>>>> new VM. Any ideas on what's going on?
>>>>
>>> Never mind. I redid the entire process and got it to work this time.
>>>
>> So now I've got a separate DC and file server working - except that 
>> the domain controller seems hard to contact. I keep getting error 
>> messages such as "The specified domain either does not exist or 
>> cannot be contacted". This is when I'm trying to do things in Windows 
>> - and apart from being able to connect to a Samba share as 
>> Administrator (but not see the files), I can't do anything.
>>
>> I'm looking around in the DNS backend for why.
>>
>>> # samba-tool dns zonelist DC1 -U administrator
>>> Password for [HOME\administrator]:
>>>  4 zone(s) found
>>>
>>>  pszZoneName                 : 1.168.192,in-addr.rapa
>>>  Flags                       : DNS_RPC_ZONE_DSINTEGRATED 
>>> DNS_RPC_ZONE_UPDATE_SECURE
>>>  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>  Version                     : 50
>>>  dwDpFlags                   : DNS_DP_AUTOCREATED 
>>> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>>  pszDpFqdn                   : DomainDnsZones.home.rahim-dale.org
>>>
>>>  pszZoneName                 : 1.168.192.in-addr.arpa
>>>  Flags                       : DNS_RPC_ZONE_DSINTEGRATED 
>>> DNS_RPC_ZONE_UPDATE_SECURE
>>>  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>>>  Version                     : 50
>>>  dwDpFlags                   : DNS_DP_AUTOCREATED 
>>> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>>  pszDpFqdn                   : DomainDnsZones.home.rahim-dale.org
>>>
>>
>
> Do you actually have two reverse zones, one called 
> '1.168.192,in-addr.rapa' and another called '1.168.192.in-addr.arpa' ?
>
> If you do, I would remove '1.168.192,in-addr.rapa'
>
> Rowland
>
OK. Now it passes the DNS test (again):

> # host -t SRV _ldap._tcp.home.rahim-dale.org
> _ldap._tcp.home.rahim-dale.org has SRV record 0 100 389 
> dc1.home.rahim-dale.org.
and
> # host -t A dc1.home.rahim-dale.org
> dc1.home.rahim-dale.org has address 192.168.1.13
>
But when I use my Windows 10 VM (logged in as HOME\Administrator) to run 
Active Directory Users and Computers I get a pop-up saying "Naming 
information cannot be located for the following reason: The server is 
not operational." It goes on to suggest something about a service pack & 
Windows 2000 in relation to the tools....

I also have to manually change to the DC1 domain controller to access 
the domain accounts.

However once I get past that, I seem to be able to manipulate the domain 
accounts.

Unfortunately I still can't access the shares. I can connect and 
disconnect but I can't actually see the files. I get an error message 
when I connect that says "Windows cannot access 
\\TheLibrarian\Archives\  You do not have permission to access 
\\TheLibrarian\Archives\. Contact your network administrator to request 
access."

The share permissions are:

> drwxrwx---+ 39 root HOME\domain admins 4096 Nov 23 16:32 archives
>
while the file permissions are (sample):

> # ls -l /home/shares/archives/
> total 480
>
....

> drwxrwx---+  12 garydale HOME\domain admins  4096 Nov  2  2021  2021
> drwxrwx---+  15 garydale HOME\domain admins  4096 Nov 27 11:10  2022
> drwxrwx---+  10 garydale HOME\domain admins  4096 Feb 25 15:30  2023
This is the same whether I am logged in as the Domain Administrator or 
myself (also in the Domain Admins group).

Any ideas?
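
An added example, not part of the original post or of Samba itself: a check for the condition pointed out in the thread, a mistyped reverse zone sitting in the directory next to the correct one. It reads `samba-tool dns zonelist` output on stdin; the sample input is constructed, and its two forward zone names are assumptions because the post shows only two of the four zones.

```shell
#!/bin/sh
# Added example: flag suspicious zone names in `samba-tool dns zonelist` output.

# Constructed sample. The two reverse-zone names are the ones quoted in the
# thread; the two forward zones are assumed, since the post does not show them.
sample_zonelist() {
cat <<'EOF'
  4 zone(s) found

  pszZoneName                 : 1.168.192,in-addr.rapa
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY

  pszZoneName                 : 1.168.192.in-addr.arpa
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY

  pszZoneName                 : home.rahim-dale.org
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY

  pszZoneName                 : _msdcs.home.rahim-dale.org
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
EOF
}

# Reads zonelist output on stdin; prints "<zone><TAB><reason>" for each name
# that cannot be a usable zone. Prints nothing when every name looks sane.
suspect_zones() {
    awk '/pszZoneName/ {
        z = $0
        sub(/^[^:]*:[ \t]*/, "", z)      # drop the "pszZoneName :" prefix
        sub(/[ \t\r]+$/, "", z)          # drop trailing whitespace / CR
        reason = ""
        # Rule 1: labels hold only letters, digits, "-" and "_" (for _msdcs),
        # separated by single dots.
        # Rule 2 (heuristic): a name starting with a numeric label is meant to
        # be a reverse zone and must sit under in-addr.arpa or ip6.arpa.
        if (z !~ /^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.?$/) {
            reason = "invalid character or empty label"
        } else if (z ~ /^[0-9]+\./ && z !~ /\.(in-addr|ip6)\.arpa\.?$/) {
            reason = "numeric labels but not under in-addr.arpa/ip6.arpa"
        }
        if (reason != "") print z "\t" reason
    }'
}

sample_zonelist | suspect_zones
```

On a DC the same function can be fed live output, for example `samba-tool dns zonelist DC1 -U administrator | suspect_zones`.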

