samba - Mar 2020 - Samba as DC member UDP ports used

Hello,

I have a customer that complains that Samba (as DC member) uses UDP 
during? AD authentication when clients mount a share.
I have run a test and traced network packet and it seems UDP is used by 
the CLDAP (Samba server is 10.50.50.35, AD is 10.50.50.85)

Frame 1: 133 bytes on wire (1064 bits), 133 bytes captured (1064 bits) 
on interface vmxnet3s0, id 0
Ethernet II, Src: 00:0c:29:92:02:dd, Dst: 00:0c:29:b0:43:a7
Internet Protocol Version 4, *Src: 10.50.50.35, Dst: 10.50.50.85*
*User Datagram Protocol*,*Src Port: 60549, Dst Port: 389*
 ??? Source Port: 60549
 ??? Destination Port: 389
 ??? Length: 99
 ??? Checksum: 0x7950 [unverified]
 ??? [Checksum Status: Unverified]
 ??? [Stream index: 0]
 ??? [Timestamps]
*Connectionless Lightweight Directory Access Protocol*
 ??? LDAPMessage searchRequest(10556) "<ROOT>" baseObject
 ??????? messageID: 10556
 ??????? protocolOp: searchRequest (3)
 ??????????? searchRequest
 ??????????????? baseObject:
 ??????????????? scope: baseObject (0)
 ??????????????? derefAliases: neverDerefAliases (0)
 ??????????????? sizeLimit: 0
 ??????????????? timeLimit: 0
 ??????????????? typesOnly: False
 ??????????????? Filter: 
(&(&(NtVer=0x00000006)(DnsDomain=HF3.LOCAL))(AAC=00:00:00:00))
 ??????????????????? filter: and (0)
 ??????????????????????? and: 
(&(&(NtVer=0x00000006)(DnsDomain=HF3.LOCAL))(AAC=00:00:00:00))
 ??????????????? attributes: 1 item
 ??????????????????? AttributeDescription: NetLogon

I searched in the smb.conf man page and I can change the CLDAP port used 
but it seems I can't force to use TCP.
Is there a way to force Samba to use TCP instead of UDP?
If it's not possible could you please shortly explain why Samba is using 
UDP port.

Regards
Andrea

On 05/03/2020 09:57, Andrea Cucciarre' via samba
wrote:
> Hello,
>
> I have a customer that complains that Samba (as DC member) uses UDP 
> during? AD authentication when clients mount a share.
> I have run a test and traced network packet and it seems UDP is used 
> by the CLDAP (Samba server is 10.50.50.35, AD is 10.50.50.85)
>
> Is there a way to force Samba to use TCP instead of UDP?
Not that I am aware of.
> If it's not possible could you please shortly explain why Samba is 
> using UDP port.
Probably because this is what Microsoft uses.

Rowland

On Thu, 2020-03-05 at 10:12 +0000, Rowland penny via samba
wrote:
> On 05/03/2020 09:57, Andrea Cucciarre' via samba wrote:
> > Hello,
> > 
> > I have a customer that complains that Samba (as DC member) uses
> > UDP 
> > during  AD authentication when clients mount a share.
> > I have run a test and traced network packet and it seems UDP is
> > used 
> > by the CLDAP (Samba server is 10.50.50.35, AD is 10.50.50.85)
> > 
> > Is there a way to force Samba to use TCP instead of UDP?
> 
> Not that I am aware of.
> > If it's not possible could you please shortly explain why Samba is
> > using UDP port.
> 
> Probably because this is what Microsoft uses.
Correct, this is for Domain Controller discovery.  UDP is used to find
close, responsive directories to make further connections to.

It is not recommended, but forcing a particular DC with 
'password server = ' might by bypass this location step.

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba