Sébastien Le Ray
2015-Jul-12 16:41 UTC
[Samba] Strange issue with share access on domain controllers
Hi list,

I've a strange issue with Windows 7 (also occurs on 8.1) when accessing shares on domain controllers. If I use IP address or in-domain FQDN (server.domain.name), all is right. If I use another DNS entry pointing to the same IP, share access fails with following message (translated from French):

    \\somehost.somsuffix\someshare is not accessible. […] Invalid parameter

Issue occurs on both sysvol, netlogon and custom shares (yes evil not the point)

Log does not seem to contain anything relevant, last line before failure is

    [CLIENT IP] (ipv4:[Client IP]:49296) connect to service [share] initially as user [DOMAIN\User] (uid=[uid], gid=[main gid]) (pid 15374)

Issue occurs on all tested machines, with different account names, on (at least) two different DCs. Access is fine from smbclient no matter if I use IP, domain FQDN or alternate FQDN.

smb.conf snipped (sysvol & netlogon are default provisioned ones)

    [global]
        workgroup = SOMEDOM
        realm = somedom.fdqdn
        netbios name = SOMEDC
        server string = AD DC SOMEDC
        server role = active directory domain controller

        idmap_ldb:use rfc2307 = yes

        interfaces = someIP/24
        bind interfaces only = Yes

        template shell = /bin/false
        template homedir = /data/homes/%ACCOUNTNAME%

        dns forwarder = 127.0.0.1

Regards,

Sébastien
Zerwes, Klaus
2015-Jul-13 13:53 UTC
[Samba] Strange issue with share access on domain controllers
set

    netbios aliases =

in the global section of smb.conf

Good luck

Klaus

Klaus Zerwes
Rosa Luxemburg Stiftung | IT-Auslandskoordinator
Franz-Mehring-Platz 1 | 10243 Berlin

Tel. +49 30 44310-555 | Fax +49 30 44310-182
zerwes at rosalux.de | www.rosalux.de
Sébastien Le Ray
2015-Jul-13 14:23 UTC
[Samba] Strange issue with share access on domain controllers
Hi,

No change

According to netbios aliases documentation, it only modifies NETBIOS announce, but I'm using DNS to access the host (and it is correctly resolved since smbclient access works, shares list works on Windows)

Regards

On 13/07/2015 15:53, Zerwes, Klaus wrote:
> set
>
> netbios aliases
>
> in the global section of smb.conf
>
> Good luck
>
> Klaus
Rowland Penny
2015-Jul-13 14:51 UTC
[Samba] Strange issue with share access on domain controllers
On 12/07/15 17:41, Sébastien Le Ray wrote:
> dns forwarder = 127.0.0.1

Why is the DC forwarding unknown DNS addresses to itself?

Rowland
L.P.H. van Belle
2015-Jul-13 14:53 UTC
[Samba] Strange issue with share access on domain controllers
Make sure you use the new GPO policies.
Looks like the problem "[Samba] Windows 10 in Samba 3 domain: netlogon share access denied"

It's not only for Windows 10, also 7 and 8.x

Solution: GPEDIT.MSC -> Computer -> Administrative templates -> Network -> Network Provider -> Hardened UNC Paths

Added

\\foo.lan\netlogon and Value: RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0

also added this for \\dc1\... and \\dc1.e2c.lan\... works :)
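The Hardened UNC Paths value strings quoted in the message above can be reviewed mechanically. The following is an added example, not part of the original post or of any Samba or Windows tooling: it parses such strings and lists the entries that explicitly set a protection to 0. The function names, the case-insensitive matching and all sample entries except the first are assumptions made for illustration.

```python
import re

# Protections a Hardened UNC Paths value can require (names as quoted in the post).
FLAGS = ("RequireMutualAuthentication", "RequireIntegrity", "RequirePrivacy")

def parse_value(value):
    """Parse 'Name=0,Name=1' into {flag: bool}; reject unknown or malformed items."""
    settings = {}
    for item in filter(None, (p.strip() for p in value.split(","))):
        name, sep, raw = item.partition("=")
        name, raw = name.strip(), raw.strip()
        # Assumption: flag names are matched case-insensitively.
        canonical = next((f for f in FLAGS if f.lower() == name.lower()), None)
        if not sep or canonical is None or raw not in ("0", "1"):
            raise ValueError(f"unrecognised setting: {item!r}")
        settings[canonical] = raw == "1"
    return settings

def audit(entries):
    """Return [(unc_path, [flags explicitly set to 0])], sorted by path.
    `entries` maps a UNC path to its value string."""
    findings = []
    for path, value in entries.items():
        settings = parse_value(value)
        disabled = [f for f in FLAGS if settings.get(f) is False]
        if disabled:
            findings.append((path, disabled))
    return sorted(findings)

def covers_dc_share(path):
    r"""True if the entry targets a NETLOGON or SYSVOL share, e.g. \\*\NETLOGON."""
    m = re.fullmatch(r"\\\\([^\\]+)\\([^\\]+)", path.strip())
    return bool(m) and m.group(2).lower() in ("netlogon", "sysvol")

# Constructed sample: the first entry mirrors the value quoted in the post,
# the other two are invented for contrast.
SAMPLE = {
    r"\\foo.lan\netlogon": "RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0",
    r"\\*\SYSVOL": "RequireMutualAuthentication=1, RequireIntegrity=1",
    r"\\*\NETLOGON": "requiremutualauthentication=1,RequireIntegrity=0",
}

if __name__ == "__main__":
    for path, disabled in audit(SAMPLE):
        scope = "DC share" if covers_dc_share(path) else "other share"
        print(f"{path} ({scope}): set to 0 -> {', '.join(disabled)}")
```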
Rowland Penny
2015-Jul-13 15:02 UTC
[Samba] Strange issue with share access on domain controllers
On 13/07/15 15:57, Sébastien Le Ray wrote:
> On 13/07/2015 16:51, Rowland Penny wrote:
>> On 12/07/15 17:41, Sébastien Le Ray wrote:
>>> dns forwarder = 127.0.0.1
>>
>> Why is the DC forwarding unknown DNS addresses to itself ?
>
> It isn't 127.0.0.1 is not part of the interfaces directive :-)

OK then, what is running on 127.0.0.1:53 ??

Rowland
Sébastien Le Ray
2015-Jul-13 15:11 UTC
[Samba] Strange issue with share access on domain controllers
On 13/07/2015 17:02, Rowland Penny wrote:
> On 13/07/15 15:57, Sébastien Le Ray wrote:
>> On 13/07/2015 16:51, Rowland Penny wrote:
>>> On 12/07/15 17:41, Sébastien Le Ray wrote:
>>>> dns forwarder = 127.0.0.1
>>> Why is the DC forwarding unknown DNS addresses to itself ?
>> It isn't 127.0.0.1 is not part of the interfaces directive :-)
>
> OK then, what is running on 127.0.0.1:53 ??

Bind as a slave + recursive resolver
Sébastien Le Ray
2015-Jul-13 15:52 UTC
[Samba] Strange issue with share access on domain controllers
Nice try but it is an AD one ;-)

Seems that the netbios aliases did the trick. Maybe manpage should be updated since reading it does suggest (to me at least) that it is only related to netbios announces (broadcasting when no DNS is available), but also seems to be involved in share access.

Regards

On 13/07/2015 16:53, L.P.H. van Belle wrote:
> Make sure you use the new GPO policies.
> Looks like the problem "[Samba] Windows 10 in Samba 3 domain: netlogon share access denied"
>
> Its not only for windows 10, also 7 and 8.x
>
> Solution: GPEDIT.MSC -> Computer -> Administrative templates -> Network
> -> Networkprovider -> Hardened UNC Paths
>
> Added
>
> \\foo.lan\netlogon and Value:
> RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0
>
> also added this for \\dc1\... and \\dc1.e2c.lan\... works :)