On 2021-03-02 08:25, Reindl Harald via samba wrote:
> On 02.03.21 at 14:55, K.R. Foley wrote:
>>
>>
>> On 2021-03-02 05:47, Reindl Harald via samba wrote:
>>> On 01.03.21 at 22:41, Roy Eastwood via samba wrote:
>>>> On 01 March 2021 18:08 Gregory Sloop wrote:
>>>>> I haven't followed this thread closely at all - but how about
>>>>> simply really limiting the players.
>>>>> Reduce the network to just the DCs and client that's supposed to
>>>>> join the domain those DCs hold.
>>>>>
>>>>> Unplug everything else from the network.
>>>>>
>>>> Yes I agree; In an earlier post the OP mentioned that the clients
>>>> and the server were on separate subnets connected by VPN; if so I
>>>> would connect a Windows 10 client directly to the same subnet as
>>>> the DC and see if a join works OK. If it does it would implicate
>>>> the VPN etc is blocking SMB2/3 protocols.
>>>
>>> broadcast stuff typically doesn't make it over VPN and frankly i
>>> find it somehow perverse to *start* a new setup with the one and
>>> only client on a VPN instead of building up the network step-by-step
>>>
>>> adding additional layers from the beginning is always a terrible idea
>>> unless you have much luck and everything works fine out-of-the-box
>>>
>>
>> Initially I started testing with two VMs on the same private network,
>> a Windows client and a Linux VM running Samba 4.11.1. These VMs
>> were/are not physically isolated, but they are on a separate subnet
>> with no routing to/from any other subnet. I have to work in this
>> environment because they are not physical PCs. I got this working, but
>> it is possible that they might have been communicating via SMB1. I
>> then brought up an AWS instance because that is where the initial
>> Samba server will reside (that is why there are different subnets and
>> the VPN). Configured everything, but with 4.11.13. In the meantime the
>> Windows VM has been updated. Now it won't support SMB1 and now my
>> problems start.
>>
>> Last night, I went back to my initial test VM for the Samba server.
>> The two VMs are on a separate subnet with no routing to/from any other
>> network and the same problem persists. I get the exact same errors.
>> The client still thinks that the server is trying to use SMB1.
>>
>> Again there is no routing between this subnet and any other subnet.
>> However, the VMs are not physically isolated. This is not really
>> possible in the current environment. There is an older Samba NT4 PDC
>> on the same ESXI with the test VMs, but there is no IP routing and
>> also the domain names are different. Is it possible that this is
>> causing a problem?
>
> why would it not be possible in a virtualized environment to
> physically isolate things?
>
> nothing easier than that by just placing them on a virtual vswitch with
> no physical NIC assigned and for operational tasks just use the vm
> console like you would sit in front of a physical machine

I will take a closer look tonight, but what I read about creating a
vswitch indicated that the two VMs must reside on the same ESXi host,
which they do not. Therefore, I did not try this.
kr