On 2021-03-02 05:47, Reindl Harald via samba wrote:
> On 01.03.21 at 22:41, Roy Eastwood via samba wrote:
>> On 01 March 2021 18:08 Gregory Sloop wrote:
>>> I haven't followed this thread closely at all - but how about simply really limiting
>>> the players.
>>> Reduce the network to just the DC's and client that's supposed to join the
>>> domain those DC's hold.
>>>
>>> Unplug everything else from the network.
>>>
>> Yes I agree; In an earlier post the OP mentioned that the clients and the
>> server were on separate subnets connected by VPN; if so I would connect a
>> Windows 10 client directly to the same subnet as the DC and see if a join works
>> OK. If it does it would implicate the VPN etc is blocking SMB2/3 protocols.
>
> broad cast stuff typically don't make it over VPN and frankly i find
> it somehow pervert to *start* a new setup with the one and only client
> on a VPN instead build up the network step-by-step
>
> adding additional layers from the begin is always a terrible idea
> unless you have much luck and everything works fine out-of-the-box
>

Initially I started testing with two VMs on the same private network, a Windows client and a Linux VM running Samba 4.11.1. These VMs were/are not physically isolated, but they are on a separate subnet with no routing to/from any other subnet. I have to work in this environment because they are not physical PCs. I got this working, but it is possible that they might have been communicating via SMB1. I then brought up an AWS instance because that is where the initial Samba server will reside (that is why there are different subnets and the VPN). Configured everything, but with 4.11.13. In the meantime the Windows VM has been updated. Now it won't support SMB1 and now my problems start.

Last night, I went back to my initial test VM for the Samba server. The two VMs are on a separate subnet with no routing to/from any other network and the same problem persists. I get the exact same errors. The client still thinks that the server is trying to use SMB1.

Again there is no routing between this subnet and any other subnet. However, the VMs are not physically isolated. This is not really possible in the current environment. There is an older Samba NT4 PDC on the same ESXI with the test VMs, but there is no IP routing and also the domain names are different. Is it possible that this is causing a problem?

Thanks.

kr

On 02.03.21 at 14:55, K.R. Foley wrote:
>
> On 2021-03-02 05:47, Reindl Harald via samba wrote:
>> On 01.03.21 at 22:41, Roy Eastwood via samba wrote:
>>> On 01 March 2021 18:08 Gregory Sloop wrote:
>>>> I haven't followed this thread closely at all - but how about simply really limiting
>>>> the players.
>>>> Reduce the network to just the DC's and client that's supposed to join the
>>>> domain those DC's hold.
>>>>
>>>> Unplug everything else from the network.
>>>>
>>> Yes I agree; In an earlier post the OP mentioned that the clients and the
>>> server were on separate subnets connected by VPN; if so I would connect a
>>> Windows 10 client directly to the same subnet as the DC and see if a join works
>>> OK. If it does it would implicate the VPN etc is blocking SMB2/3 protocols.
>>
>> broad cast stuff typically don't make it over VPN and frankly i find
>> it somehow pervert to *start* a new setup with the one and only client
>> on a VPN instead build up the network step-by-step
>>
>> adding additional layers from the begin is always a terrible idea
>> unless you have much luck and everything works fine out-of-the-box
>>
>
> Initially I started testing with two VMs on the same private network, a
> Windows client and a Linux VM running Samba 4.11.1. These VMs were/are
> not physically isolated, but they are on a separate subnet with no
> routing to/from any other subnet. I have to work in this environment
> because they are not physical PCs. I got this working, but it is
> possible that they might have been communicating via SMB1. I then
> brought up an AWS instance because that is where the initial Samba
> server will reside (that is why there are different subnets and the
> VPN). Configured everything, but with 4.11.13. In the meantime the
> Windows VM has been updated. Now it won't support SMB1 and now my
> problems start.
>
> Last night, I went back to my initial test VM for the Samba server. The
> two VMs are on a separate subnet with no routing to/from any other
> network and the same problem persists. I get the exact same errors. The
> client still thinks that the server is trying to use SMB1.
>
> Again there is no routing between this subnet and any other subnet.
> However, the VMs are not physically isolated. This is not really
> possible in the current environment. There is an older Samba NT4 PDC on
> the same ESXI with the test VMs, but there is no IP routing and also the
> domain names are different. Is it possible that this is causing a problem?

why would it not be possible in a virtualized environment to physically isolate things?

nothing easier than that by just placing them on a virtual vswitch with no physical NIC assigned and for operational tasks just use the vm console like you would sit in front of a physical machine

On 02/03/2021 13:55, K.R. Foley via samba wrote:
>
> Initially I started testing with two VMs on the same private network,
> a Windows client and a Linux VM running Samba 4.11.1. These VMs
> were/are not physically isolated, but they are on a separate subnet
> with no routing to/from any other subnet. I have to work in this
> environment because they are not physical PCs. I got this working, but
> it is possible that they might have been communicating via SMB1. I
> then brought up an AWS instance because that is where the initial
> Samba server will reside (that is why there are different subnets and
> the VPN). Configured everything, but with 4.11.13. In the meantime the
> Windows VM has been updated. Now it won't support SMB1 and now my
> problems start.
>
> Last night, I went back to my initial test VM for the Samba server.
> The two VMs are on a separate subnet with no routing to/from any other
> network and the same problem persists. I get the exact same errors.
> The client still thinks that the server is trying to use SMB1.
>
> Again there is no routing between this subnet and any other subnet.
> However, the VMs are not physically isolated. This is not really
> possible in the current environment. There is an older Samba NT4 PDC
> on the same ESXI with the test VMs, but there is no IP routing and
> also the domain names are different. Is it possible that this is
> causing a problem?
>

OK, I have downloaded the latest Win10 ISO, installed it in a VM and it joined my Samba 4.13.2 AD domain.

I am now of the opinion that it is something in your setup that is causing this and I think it may be your PDC which relies on two things: SMBv1 and netbios. Netbios does not use dns, so this may be replying to the Win10 search for a DC.

Rowland
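
One way to settle the SMB1-versus-SMB2/3 question raised in this thread is to look at the first reply captured on TCP/445 and read its protocol ID and dialect. The following is an added example, not code from any poster or from the Samba project; the function names are hypothetical and the sample frames are constructed.

```python
import struct

# DialectRevision values an SMB2 NEGOTIATE response can carry (MS-SMB2).
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1", 0x02FF: "SMB2 wildcard"}

def classify_negotiate_reply(payload: bytes) -> str:
    """Classify one TCP/445 payload: 4-byte transport header + SMB message."""
    if len(payload) < 9 or payload[0] != 0x00:
        return "not an SMB session message"
    length = int.from_bytes(payload[1:4], "big")
    msg = payload[4:4 + length]
    if len(msg) != length:
        return "truncated capture"
    if msg[:4] == b"\xffSMB":
        # SMB1 header: command byte at offset 4, 0x72 is SMB_COM_NEGOTIATE.
        return "SMB1 negotiate" if msg[4] == 0x72 else "SMB1 (other command)"
    if msg[:4] == b"\xfeSMB":
        if len(msg) < 70:
            return "truncated SMB2 message"
        command, = struct.unpack_from("<H", msg, 12)
        flags, = struct.unpack_from("<I", msg, 16)
        if command != 0 or not flags & 0x1:  # NEGOTIATE, server-to-client bit
            return "SMB2 (not a negotiate response)"
        dialect, = struct.unpack_from("<H", msg, 68)  # 64-byte header + 4
        return SMB2_DIALECTS.get(dialect, f"SMB2 unknown dialect 0x{dialect:04x}")
    return "unknown protocol id"

def _frame(msg: bytes) -> bytes:
    # Direct-TCP transport header: zero byte + 3-byte big-endian length.
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def sample_smb2_reply(dialect: int) -> bytes:
    """Constructed sample: SMB2 header plus the fixed negotiate response body."""
    hdr = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1, 0x1,
                      0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHH", 65, 0x01, dialect) + b"\0" * 59
    return _frame(hdr + body)

def sample_smb1_reply() -> bytes:
    """Constructed sample: 32-byte SMB1 header for a negotiate reply, empty body."""
    hdr = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", 0x72, 0, 0x80, 0, 0,
                      b"\0" * 8, 0, 0, 0, 0, 0)
    return _frame(hdr + b"\x00\x00\x00")

if __name__ == "__main__":
    for name, frame in (("modern server", sample_smb2_reply(0x0311)),
                        ("SMB1-only responder", sample_smb1_reply())):
        print(f"{name}: {classify_negotiate_reply(frame)}")
```

Feeding it the first server-to-client payload from a capture of the failing join shows whether the reply came from an SMB1-only responder or from a server offering SMB2/3.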