samba - Mar 2021 - Windows 10 cannot connect without SMB1

On 2021-03-02 10:12, Rowland penny via samba wrote:
> On 02/03/2021 13:55, K.R. Foley via samba wrote:
>> 
>> Initially I started testing with two VMs on the same private network, 
>> a Windows client and a Linux VM running Samba 4.11.1. These VMs 
>> were/are not physically isolated, but they are on a separate subnet 
>> with no routing to/from any other subnet. I have to work in this 
>> environment because they are not physical PCs. I got this working, but 
>> it is possible that they might have been communicating via SMB1. I 
>> then brought up an AWS instance because that is where the initial 
>> Samba server will reside (that is why there are different subnets and 
>> the VPN). Configured everything, but with 4.11.13. In the meantime the 
>> Windows VM has been updated. Now it won't support SMB1 and now my 
>> problems start.
>> 
>> Last night, I went back to my initial test VM for the Samba server. 
>> The two VMs are on a separate subnet with no routing to/from any other 
>> network and the same problem persists. I get the exact same errors. 
>> The client still thinks that the server is trying to use SMB1.
>> 
>> Again there is no routing between this subnet and any other subnet. 
>> However, the VMs are not physically isolated. This is not really 
>> possible in the current environment. There is an older Samba NT4 PDC 
>> on the same ESXI with the test VMs, but there is no IP routing and 
>> also the domain names are different. Is it possible that this is 
>> causing a problem?
>> 
> 
> OK, I have downloaded the latest Win10 ISO, installed it in a VM and
> it joined my Samba 4.13.2 AD domain. I am now of the opinion that it
> is something in your setup that is causing this and I think it may be
> your PDC which relies on two things. SMBv1 and netbios. Netbios does
> not use dns, so this may be replying to the Win10 search for a DC.
> 
> Rowland
> 
Thanks. This evening I am going to try isolating the VMs completely. If 
I am unable to isolate them completely, I may just turn off the PDC 
momentarily to test. I will report back with my results.

kr

On 2021-03-02 10:32, K.R. Foley via samba wrote:
> On 2021-03-02 10:12, Rowland penny via samba wrote:
>> On 02/03/2021 13:55, K.R. Foley via samba wrote:
>>> 
>>> Initially I started testing with two VMs on the same private
network,
>>> a Windows client and a Linux VM running Samba 4.11.1. These VMs 
>>> were/are not physically isolated, but they are on a separate subnet
>>> with no routing to/from any other subnet. I have to work in this 
>>> environment because they are not physical PCs. I got this working, 
>>> but it is possible that they might have been communicating via
SMB1.
>>> I then brought up an AWS instance because that is where the initial
>>> Samba server will reside (that is why there are different subnets
and
>>> the VPN). Configured everything, but with 4.11.13. In the meantime 
>>> the Windows VM has been updated. Now it won't support SMB1 and
now my
>>> problems start.
>>> 
>>> Last night, I went back to my initial test VM for the Samba server.
>>> The two VMs are on a separate subnet with no routing to/from any 
>>> other network and the same problem persists. I get the exact same 
>>> errors. The client still thinks that the server is trying to use 
>>> SMB1.
>>> 
>>> Again there is no routing between this subnet and any other subnet.
>>> However, the VMs are not physically isolated. This is not really 
>>> possible in the current environment. There is an older Samba NT4
PDC
>>> on the same ESXI with the test VMs, but there is no IP routing and 
>>> also the domain names are different. Is it possible that this is 
>>> causing a problem?
>>> 
>> 
>> OK, I have downloaded the latest Win10 ISO, installed it in a VM and
>> it joined my Samba 4.13.2 AD domain. I am now of the opinion that it
>> is something in your setup that is causing this and I think it may be
>> your PDC which relies on two things. SMBv1 and netbios. Netbios does
>> not use dns, so this may be replying to the Win10 search for a DC.
>> 
>> Rowland
>> 
> 
> Thanks. This evening I am going to try isolating the VMs completely.
> If I am unable to isolate them completely, I may just turn off the PDC
> momentarily to test. I will report back with my results.
> 
Just a quick update on this. I was able to test with a freshly installed 
Windows 10 VM last night that was not updated to the latest patch and it 
was able to join the AD without issue.

I was not able to isolate the other VM and Samba server last night, but 
should be able to this evening. So, I will isolate them on a vswitch to 
see if the old PDC is in fact causing the join problem with the original 
test VM or if it is something else.

kr