Elias Pereira
2024-Jan-03 18:24 UTC
[Samba] {Device Timeout} The I/O operation specified in %hs was not completed before the timeout period expired
> I am not sure what you are trying to say, but your pfsense device
> shouldn't come into your AD domain dns.

I mean that between the DCs, pfsense won't block them because they're on the same vlan.

> Your AD clients (and this
> includes the DCs) should look to AD to find each other and anything
> outside the AD dns domain should be forwarded to a dns server outside
> the AD domain.

And yes, the configuration of the DCs is as you described. The clients receive the DCs' IPs as DNS via pfsense DHCP and bind9 forwards what doesn't belong to the DCs to our authoritative DNS.

root at dc2:~# netstat -plaunt | egrep "ntp|bind|named|samba|?mbd"
https://pastebin.com/raw/NbECKVB8 (output from command netstat)

Regarding the command above, I think the ports are OK?

Can you test the command below on one of your DCs?

nmap -p 53,88,123,135,137,138,139,389,445,464,636,3268,3269 -sV <DC IP>

On Wed, Jan 3, 2024 at 2:57 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 3 Jan 2024 14:42:54 -0300
> Elias Pereira <empbilly at gmail.com> wrote:
>
> > > and not between your DCs.
> >
> > You're right. If it's on the same network/vlan, it doesn't go through
> > the gateway/firewall.
> >
>
> I am not sure what you are trying to say, but your pfsense device
> shouldn't come into your AD domain dns. Your AD clients (and this
> includes the DCs) should look to AD to find each other and anything
> outside the AD dns domain should be forwarded to a dns server outside
> the AD domain. If you are going to use a firewall, it should be a
> software type running on each DC/AD client.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
Elias Pereira
Rowland Penny
2024-Jan-03 19:40 UTC
[Samba] {Device Timeout} The I/O operation specified in %hs was not completed before the timeout period expired
On Wed, 3 Jan 2024 15:24:02 -0300
Elias Pereira <empbilly at gmail.com> wrote:

> > I am not sure what you are trying to say, but your pfsense device
> > shouldn't come into your AD domain dns.
>
> I mean that between the DCs, pfsense won't block them because they're
> on the same vlan.
>
> > Your AD clients (and this
> > includes the DCs) should look to AD to find each other and anything
> > outside the AD dns domain should be forwarded to a dns server
> > outside the AD domain.
>
> And yes, the configuration of the DCs is as you described. The clients
> receive the DCs' IPs as DNS via pfsense DHCP and bind9 forwards what
> doesn't belong to the DCs to our authoritative DNS.
>
> root at dc2:~# netstat -plaunt | egrep "ntp|bind|named|samba|?mbd"
> https://pastebin.com/raw/NbECKVB8 (output from command netstat)
>
> Regarding the command above, I think the ports are OK?
>
> Can you test the command below on one of your DCs?
>
> nmap -p 53,88,123,135,137,138,139,389,445,464,636,3268,3269 -sV <DC IP>
>

nmap -p 53,88,123,135,137,138,139,389,445,464,636,3268,3269 -sV 192.168.1.2

Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-03 19:35 GMT
Nmap scan report for rpidc1.samdom.example.com (192.168.1.2)
Host is up (0.011s latency).

PORT     STATE  SERVICE      VERSION
53/tcp   open   domain       (generic dns response: NOTIMP)
88/tcp   open   kerberos-sec (server time: 2024-01-03 19:35:40Z)
123/tcp  closed ntp
135/tcp  open   msrpc        Microsoft Windows RPC
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
139/tcp  open   netbios-ssn  Samba smbd 4.6.2
389/tcp  open   ldap         (Anonymous bind OK)
445/tcp  open   netbios-ssn  Samba smbd 4.6.2
464/tcp  open   kpasswd5?
636/tcp  open   ssl/ldap     (Anonymous bind OK)
3268/tcp open   ldap         (Anonymous bind OK)
3269/tcp open   ssl/ldap     (Anonymous bind OK)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=7.93%I=7%D=1/3%Time=6595B711%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x80\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03")%r(DNSStatusRequestTCP,E,"\0\x0c\0\0\x90\x04\0\0\
SF:0\0\0\0\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port88-TCP:V=7.93%I=7%D=1/3%Time=6595B711%P=x86_64-pc-linux-gnu%r(Kerbe
SF:ros,68,"\0\0\0d~b0`\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11\x18
SF:\x0f20240103193540Z\xa5\x05\x02\x03\x07H}\xa6\x03\x02\x01\x06\xa9\x04\x
SF:1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01\0\xa1\x0e0\x0c\x1b\x06krbtgt\x1b\
SF:x02NM\xab\x16\x1b\x14No\x20client\x20in\x20request");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.97 seconds
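The thread compares a DC's listening ports against the list in the nmap command by eye. The script below is an added example, not code from the thread or from the Samba project: it parses nmap -sV output for those same ports and reports which expected AD DC services are not listening. The expected-port table and its TCP/UDP annotations are this example's own assumptions (the nmap command in the thread probes TCP only, so UDP-only services such as NTP and the NetBIOS name/datagram services are expected to show as closed there), and the sample scan text is copied from the output posted above.

```python
"""Compare an nmap -sV scan of a Samba AD DC against the expected service list.

Added example (not from the thread). The EXPECTED table is this example's own
assumption about which transport each AD service listens on.
"""
import re

# Ports from the nmap command in the thread, with the transport each service
# normally uses. "nmap -p" without a "U:" prefix scans TCP only, so UDP-only
# services are expected to report "closed" in a TCP scan; run "-sU" to check them.
EXPECTED = {
    53:   ("DNS",                     {"tcp", "udp"}),
    88:   ("Kerberos",                {"tcp", "udp"}),
    123:  ("NTP",                     {"udp"}),
    135:  ("MS-RPC endpoint mapper",  {"tcp"}),
    137:  ("NetBIOS name service",    {"udp"}),
    138:  ("NetBIOS datagram",        {"udp"}),
    139:  ("NetBIOS session",         {"tcp"}),
    389:  ("LDAP",                    {"tcp", "udp"}),
    445:  ("SMB",                     {"tcp"}),
    464:  ("kpasswd",                 {"tcp", "udp"}),
    636:  ("LDAPS",                   {"tcp"}),
    3268: ("Global Catalog",          {"tcp"}),
    3269: ("Global Catalog over TLS", {"tcp"}),
}

# Port table copied from the scan posted in the thread; the header line is nmap's own.
SAMPLE_SCAN = """\
PORT     STATE  SERVICE      VERSION
53/tcp   open   domain       (generic dns response: NOTIMP)
88/tcp   open   kerberos-sec (server time: 2024-01-03 19:35:40Z)
123/tcp  closed ntp
135/tcp  open   msrpc        Microsoft Windows RPC
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
139/tcp  open   netbios-ssn  Samba smbd 4.6.2
389/tcp  open   ldap         (Anonymous bind OK)
445/tcp  open   netbios-ssn  Samba smbd 4.6.2
464/tcp  open   kpasswd5?
636/tcp  open   ssl/ldap     (Anonymous bind OK)
3268/tcp open   ldap         (Anonymous bind OK)
3269/tcp open   ssl/ldap     (Anonymous bind OK)
"""

# One nmap port line: "<port>/<proto> <state> <service> [version]".
# The state group also accepts UDP results such as "open|filtered".
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+([a-z|]+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return {(port, proto): (state, service, version)} for every port line."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            results[(int(port), proto)] = (state, service, version.strip())
    return results


def assess(text):
    """Classify each scanned expected port.

    OK           service expected on this transport and listening
    OK-UDP-ONLY  TCP probe of a UDP-only service; "closed" here is normal
    MISSING      service expected on this transport but not listening
    UNEXPECTED   listening on a transport the service does not normally use
    """
    results = parse_nmap(text)
    findings = []
    for port, (name, transports) in sorted(EXPECTED.items()):
        for proto in ("tcp", "udp"):
            if (port, proto) not in results:
                continue  # this port/transport was not probed
            listening = results[(port, proto)][0].startswith("open")
            if proto in transports:
                verdict = "OK" if listening else "MISSING"
            else:
                verdict = "UNEXPECTED" if listening else "OK-UDP-ONLY"
            findings.append((verdict, port, proto, name))
    return findings


def missing_services(text):
    """Expected services that the scan shows are not listening."""
    return [(p, proto, name) for v, p, proto, name in assess(text) if v == "MISSING"]


def summarize(text):
    """Count of findings per verdict, with every verdict present."""
    counts = {"OK": 0, "OK-UDP-ONLY": 0, "MISSING": 0, "UNEXPECTED": 0}
    for verdict, *_ in assess(text):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for verdict, port, proto, name in assess(SAMPLE_SCAN):
        print(f"{verdict:12} {port}/{proto:<4} {name}")
    print(summarize(SAMPLE_SCAN))
```

Against the scan posted above this reports no missing service: the three closed ports (123, 137, 138) are UDP services probed over TCP, which the check classifies as OK-UDP-ONLY rather than as a problem. Feeding it a scan where 88/tcp reads closed returns Kerberos under MISSING, which is the kind of gap the thread's question about the ports is trying to rule out.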