What OS are the server and the Windows clients?

The VPN tunnel, are you lowering MTU sizes? Something like:

-A FORWARD -m policy --pol ipsec --dir in -s 192.168.0.0/24 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

On the client PCs, have you checked the Windows firewall, and are you allowing the remote subnets?

The Samba server on the remote site: check if replication is correct.
Are the "remote" zones configured in the AD DC's DNS?

Try adding
option edns0
to resolv.conf

A few more things to check out.

I also suggest, on a PC local and remote, run:
ipconfig /all
and check out the primary DNS suffix and the search suffixes.

So far, lunch time..

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Andreas Habel via samba
> Sent: Friday 30 August 2019 11:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] no DNS functionality on second subnet
>
> > -----Original Message-----
> > From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via samba
> > Sent: Friday 30 August 2019 11:17
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] no DNS functionality on second subnet
> >
> > > On 29/08/2019 13:50, Andreas Habel via samba wrote:
> > >
> > > Hi,
> > >
> > > we have successfully installed our samba4 AD domain with AD DC, smb file server and Windows/Linux clients in the same subnet.
> > >
> > > Now we try to add a couple of Windows PCs to the domain that are located in a different subnet. As soon as the AD DC is added as the DNS server on the Windows clients it is no longer possible to resolve ip addresses. In other words, for those PCs DNS is not working.
> > >
> > > We added
> > > - the new clients to our DNS using samba-tool dns add
> > > - a new reverse lookup zone for the new subnet and filled it using samba-tool dns add
> > > - a new subnet in RSAT Active Directory Sites and Services
> > >
> > > Routing seems to be OK - we can run telnet <IP of AD DC> 53 from one of the "new" Windows clients and a connection will be established. However, analyses from wireshark/tshark show that on DNS requests there is never an answer from our AD DC.
> > >
> > > It seems that we are missing something here - any help would be appreciated.
> > >
> > > Andreas
> > >
> > > On Thursday 29 August 2019 16:33, Rowland penny via samba wrote:
> > >
> > > Does 'telnet <DC short hostname> 53' work ?
> > >
> > > Rowland
> > >
> > > On 30/08/2019 07:00, Andreas Habel via samba wrote:
> > >
> > > No, neither short name nor FQDN work:
> > >
> > > C:\Users\Administrator>telnet smbdc 53
> > > Connecting To smbdc...Could not open connection to the host, on port 53: Connect failed
> > >
> > > C:\Users\Administrator>telnet smbdc.ier.ux.uis.no 53
> > > Connecting To smbdc.ier.ux.uis.no...Could not open connection to the host, on port 53: Connect failed
> > >
> > > Andreas
> > >
> > > On Friday 30 August 2019 09:57, Rowland penny via samba wrote:
> > >
> > > Then you have DNS problems, is a firewall running blocking port 53 ?
> > >
> > > Do dns lookup commands on the client work ?
> > >
> > > On 30/08/2019 09:42, Andreas Habel via samba wrote:
> > >
> > > No, all kinds of lookups (to the DC, internal or external hosts) fail with a timeout. This applies to clients on the "new" subnet. Lookups work on clients that are on the same subnet as the DC.
> > >
> > > Andreas
> >
> > This sounds more and more like a dns problem, are the clients set to use the DC as their nameserver ?
>
> Yes
>
> > Until you get basic dns commands working, AD will not work.
> >
> > Are you using a router ?
>
> Yes -- all ip traffic to and from the DC is allowed.
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Ah, you gave the solution yourself..

> client on "different" subnet:
>
> Host Name . . . . . . . . . . . . : pitter35
> Primary Dns Suffix  . . . . . . . :                 <<< you're missing ..
> DNS Suffix Search List. . . . . . : ier.ux.uis.no

> client on same subnet as DC:
>
> Host Name . . . . . . . . . . . . : geoah
> Primary Dns Suffix  . . . . . . . : ier.ux.uis.no
> DNS Suffix Search List. . . . . . : ier.ux.uis.no
>                                     ux.uis.no

Add the Primary Dns Suffix for the other domain.
Then try again.

Greetz,

Louis

> -----Original Message-----
> From: Andreas Habel [mailto:andreas.habel at uis.no]
> Sent: Friday 30 August 2019 13:51
> To: L.P.H. van Belle
> Subject: RE: [Samba] no DNS functionality on second subnet
>
> > -----Original Message-----
> > From: samba <samba-bounces at lists.samba.org> On Behalf Of L.P.H. van Belle via samba
> > Sent: Friday 30 August 2019 12:20
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] no DNS functionality on second subnet
> >
> > What OS are the server and the Windows clients?
>
> DC: Ubuntu 18.04 with samba 4.7.6-Ubuntu
> Client: W10 1903
>
> > The VPN tunnel, are you lowering MTU sizes? Something like:
> > -A FORWARD -m policy --pol ipsec --dir in -s 192.168.0.0/24 -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
>
> There is no VPN tunnel.
>
> > On the client PCs, have you checked the Windows firewall, and are you allowing the remote subnets?
>
> The Windows firewall on the client is currently switched off.
>
> > The Samba server on the remote site: check if replication is correct.
> > Are the "remote" zones configured in the AD DC's DNS?
>
> The A records of the clients from the new subnet are in the same zone as the A records of the clients that are in the DC's subnet. A new reverse lookup zone has been created for the reverse records.
>
> > Try adding
> > option edns0
> > to resolv.conf
>
> It's already there.
>
> > A few more things to check out.
> >
> > I also suggest, on a PC local and remote, run:
> > ipconfig /all
> > and check out the primary DNS suffix and the search suffixes.
>
> client on "different" subnet:
>
> Host Name . . . . . . . . . . . . : pitter35
> Primary Dns Suffix  . . . . . . . :
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : ier.ux.uis.no
>
> client on same subnet as DC:
>
> Host Name . . . . . . . . . . . . : geoah
> Primary Dns Suffix  . . . . . . . : ier.ux.uis.no
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : ier.ux.uis.no
>                                     ux.uis.no
On 30/08/2019 12:59, L.P.H. van Belle via samba wrote:
> Ah, you gave the solution yourself..
>
>> client on "different" subnet:
>>
>> Host Name . . . . . . . . . . . . : pitter35
>> Primary Dns Suffix  . . . . . . . :                 <<< you're missing ..
>> DNS Suffix Search List. . . . . . : ier.ux.uis.no
>
>> client on same subnet as DC:
>>
>> Host Name . . . . . . . . . . . . : geoah
>> Primary Dns Suffix  . . . . . . . : ier.ux.uis.no
>> DNS Suffix Search List. . . . . . : ier.ux.uis.no
>>                                     ux.uis.no
>
> Add the Primary Dns Suffix for the other domain.
> Then try again.
>
> Greetz,
>
> Louis

It looks like the OP sent the above directly to Louis and not to the list, and it backs up what I said: this is a dns problem ;-)

Rowland
> It looks like the OP sent the above directly to Louis and not to the
> list, and it backs up what I said: this is a dns problem ;-)

Ah, I did not notice that it was sent directly.

A small bit of extra info, how/why/what.

The Primary DNS suffix is used by your workstation as the search suffix when you connect to a server.
The connection DNS suffix can be used if the computer also needs to be registered in another DNS zone.
( connection DNS suffix : DHCP option 15 )

Handy to know.

Greetz,

Louis
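The thread stops at the suffix suggestion, but the observation that never gets pinned down is the tshark one: the DC receives the client's DNS requests and never answers, while a TCP connect to port 53 from the same client succeeds. The script below is an added example, not code from this thread or from the Samba project. It sends the same query (the DC's own A record, and the _ldap._tcp.dc._msdcs.<domain> SRV record a Windows client uses to locate a DC) to the DC over both UDP and TCP and reports which transport gets an answer, which separates "UDP/53 is dropped or left unanswered on this path" from "nothing answers on 53 at all". The DC address 192.0.2.10 is a placeholder (the thread never gives it), smbdc and ier.ux.uis.no are the names from the thread, and the SRV name follows the standard AD layout.

```python
"""Probe an AD DC's DNS over UDP and TCP with the same query.

Added example for the Samba list thread above; it is not code from the
thread or from the Samba project.  Assumptions: DC_ADDR is a placeholder
(the thread never gives the DC's address); smbdc and ier.ux.uis.no are
the names from the thread; the SRV name follows the standard AD layout.
"""
import socket
import struct

DC_ADDR = "192.0.2.10"          # placeholder, replace with the DC's real address
DOMAIN = "ier.ux.uis.no"
QTYPE = {"A": 1, "SRV": 33}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype="A", txid=0x1234):
    """Wire-format DNS query (RFC 1035 s4.1): header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(data):
    """Decode the 12-byte header: enough to tell 'answered' from 'silent' and read RCODE."""
    if len(data) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(data))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid,
            "is_response": bool(flags & 0x8000),        # QR bit
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "questions": qd, "answers": an, "authority": ns, "additional": ar}


def query_udp(server, name, qtype="A", timeout=3.0):
    """Plain UDP query; returns None when the server never answers (the thread's symptom)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_header(data)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP connection before answering")
        buf += chunk
    return buf


def query_tcp(server, name, qtype="A", timeout=3.0):
    """Same query over TCP: two-byte length prefix, then the message (RFC 1035 s4.2.2)."""
    q = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_header(data)


def classify(udp, tcp):
    """One-line diagnosis from the two results (a dict means an answer came back)."""
    udp_ok = isinstance(udp, dict) and udp["is_response"]
    tcp_ok = isinstance(tcp, dict) and tcp["is_response"]
    if udp_ok and tcp_ok:
        return "answered on UDP and TCP: reachability is fine, check the name and zone (RCODE)"
    if tcp_ok:
        return "TCP answered, UDP did not: UDP/53 is dropped or left unanswered on this path"
    if udp_ok:
        return "UDP answered, TCP did not: TCP/53 is filtered (large answers will fail)"
    return "no answer on either transport: nothing is answering on 53 at this address"


def probe(server, domain):
    """Query the DC's own A record and the DC-locator SRV record over both transports."""
    report = {}
    for name, qtype in (("smbdc." + domain, "A"), ("_ldap._tcp.dc._msdcs." + domain, "SRV")):
        results = {}
        for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
            try:
                results[transport] = fn(server, name, qtype)
            except OSError as exc:            # refused, reset, ICMP unreachable, ...
                results[transport] = "error: %s" % exc
        results["diagnosis"] = classify(results["udp"], results["tcp"])
        report[(name, qtype)] = results
    return report


if __name__ == "__main__":
    for (name, qtype), r in probe(DC_ADDR, DOMAIN).items():
        print("%s %s" % (qtype, name))
        for t in ("udp", "tcp"):
            print("  %s: %s" % (t, "no answer (timeout)" if r[t] is None else r[t]))
        print("  =>", r["diagnosis"])
```

Run it from a client on the remote subnet with the DC's real address in DC_ADDR. A UDP timeout next to a working TCP answer points at something on the path between the subnets that drops UDP/53 (or fragments bigger than the path MTU, which is what Louis's MTU question was getting at); timeouts on both while a bare TCP connect to the port still succeeds points at the server side, for example the DC answering on one address only (Samba's interfaces and bind interfaces only settings) rather than at the client's suffix configuration.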