Rowland Penny
2024-Jan-03 19:40 UTC
[Samba] {Device Timeout} The I/O operation specified in %hs was not completed before the timeout period expired
On Wed, 3 Jan 2024 15:24:02 -0300
Elias Pereira <empbilly at gmail.com> wrote:

> > I am not sure what you are trying to say, but your pfsense device
> > shouldn't come into your AD domain dns.
>
> I mean that between the DCs, pfsense won't block them because they're
> on the same vlan.
>
> > Your AD clients (and this includes the DCs) should look to AD to
> > find each other and anything outside the AD dns domain should be
> > forwarded to a dns server outside the AD domain.
>
> And yes, the configuration of the DCs is as you described. The clients
> receive the DCs' IPs as DNS via pfsense DHCP and bind9 forwards what
> doesn't belong to the DCs to our authoritative DNS.
>
> root@dc2:~# netstat -plaunt | egrep "ntp|bind|named|samba|?mbd"
> https://pastebin.com/raw/NbECKVB8 (output from command netstat)
>
> Regarding the command above, I think the ports are OK?
>
> Can you test the command below on one of your DCs?
>
> nmap -p 53,88,123,135,137,138,139,389,445,464,636,3268,3269 -sV <DC IP>

nmap -p 53,88,123,135,137,138,139,389,445,464,636,3268,3269 -sV 192.168.1.2
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-03 19:35 GMT
Nmap scan report for rpidc1.samdom.example.com (192.168.1.2)
Host is up (0.011s latency).

PORT     STATE  SERVICE      VERSION
53/tcp   open   domain       (generic dns response: NOTIMP)
88/tcp   open   kerberos-sec (server time: 2024-01-03 19:35:40Z)
123/tcp  closed ntp
135/tcp  open   msrpc        Microsoft Windows RPC
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
139/tcp  open   netbios-ssn  Samba smbd 4.6.2
389/tcp  open   ldap         (Anonymous bind OK)
445/tcp  open   netbios-ssn  Samba smbd 4.6.2
464/tcp  open   kpasswd5?
636/tcp  open   ssl/ldap     (Anonymous bind OK)
3268/tcp open   ldap         (Anonymous bind OK)
3269/tcp open   ssl/ldap     (Anonymous bind OK)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.97 seconds
Elias Pereira
2024-Jan-03 20:09 UTC
[Samba] {Device Timeout} The I/O operation specified in %hs was not completed before the timeout period expired
Sorry, but I didn't realize that in the command I didn't specify to check for udp.

root@dc2:~# nmap --min-parallelism 100 -p 53,88,135,139,389,445,464,636,3268,3269,49152-65535 200.132.218.160 *(dc3)*
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-03 17:02 -03
Nmap scan report for DC3 (200.132.218.160)
Host is up (0.00015s latency).
Not shown: 16381 closed tcp ports (reset)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
MAC Address: BE:79:98:04:F5:84 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

root@dc2:~# nmap --min-parallelism 100 -p 53,88,123,137,138,389,464 -sU 200.132.218.160 *(dc3)*
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-03 17:03 -03
Nmap scan report for DC3 (200.132.218.160)
Host is up (0.0011s latency).

PORT    STATE         SERVICE
53/udp  open          domain
88/udp  open|filtered kerberos-sec
123/udp open          ntp
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
389/udp open          ldap
464/udp open|filtered kpasswd5
MAC Address: BE:79:98:04:F5:84 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds

> Is a firewall running and if so, are all the
> required ports open ?

Okay. All the necessary ports are open.

Is dns configured correctly ?

root@dc2:~# cat /etc/resolv.conf
search campus.sertao.ifrs.edu.br
nameserver 200.132.218.163 (*own IP*)

root@dc3:~# cat /etc/resolv.conf
search campus.sertao.ifrs.edu.br
nameserver 200.132.218.160 (*own IP*)

Based on this, what could be causing the "timeout" in the replica command?
--
Elias Pereira
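Added example (not part of either message): a Python check over the UDP scan output posted above that separates ports nmap confirmed as open from ports it reported as `open|filtered`, the state nmap uses when it received no reply and cannot tell an open port from a dropped probe. The required-port sets are taken from the nmap commands in this thread and are an assumption, not an official Samba list.

```python
import re

# Ports taken from the nmap commands in this thread (assumption, not an official list).
REQUIRED = {
    "tcp": {53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269},
    "udp": {53, 88, 123, 137, 138, 389, 464},
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text):
    """Return {(port, proto): state} from nmap's normal text output."""
    states = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            states[(int(m.group(1)), m.group(2))] = m.group(3)
    return states

def classify(states, proto):
    """Split the required ports for one protocol into three buckets."""
    result = {"confirmed": [], "inconclusive": [], "unreachable": []}
    for port in sorted(REQUIRED[proto]):
        state = states.get((port, proto), "missing")
        if state == "open":
            result["confirmed"].append(port)
        elif state == "open|filtered":
            # No reply at all: the probe may have been dropped on the way.
            result["inconclusive"].append(port)
        else:
            result["unreachable"].append((port, state))
    return result

# UDP scan output as posted in the message above.
UDP_SCAN = """\
PORT    STATE         SERVICE
53/udp  open          domain
88/udp  open|filtered kerberos-sec
123/udp open          ntp
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
389/udp open          ldap
464/udp open|filtered kpasswd5
"""

if __name__ == "__main__":
    for bucket, ports in classify(parse_nmap(UDP_SCAN), "udp").items():
        print(f"{bucket}: {ports}")
```

Ports that land in the inconclusive bucket need a protocol-level test from the other DC (for example a real Kerberos or kpasswd request) before they can be counted as reachable.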