Bombadil
2022-Apr-30 16:14 UTC
[Samba] Need help for SMBv2-connection with windows clients
I have problems getting my Windows 10 client(s) to connect to my Samba
server using SMBv2 or higher, but no problems with the SMBv1 (NT1)
protocol. I guess this has to do with my AD domain being put on top
of my private domain (see configuration below).

I already checked that client and server are communicating, so it does
not seem to be primarily a simple DNS issue.
My setup:
Domain: example.com
AD-Domain(realm): samdom.example.com
Network 10.0.2.0/24
Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
dc.samdom.example.com (10.0.2.15)
Windows 10 client: wincli.example.com and wincli.samdom.example.com
(10.0.2.53)
example.com is resolved by a dnsmasq server, which forwards all requests
for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in dnsmasq.conf:
server=/samdom.example.com/10.0.2.15
rebind-domain-ok=/samdom.example.com/
I had to add the following entries to dnsmasq.conf to get 'net rpc
info' working:
srv-host=_ldap._tcp.pdc._msdcs.samdom,dc.samdom.example.com,389,0,100
srv-host=_ldap._tcp.gc._msdcs.samdom,dc.samdom.example.com,3268,0,100
srv-host=_ldap._tcp.dc._msdcs.samdom,dc.samdom.example.com,389,0,100
srv-host=_kerberos._tcp.dc._msdcs.samdom,dc.samdom.example.com,88,0,100
Reverse lookups of IP addresses usually yield .example.com names
(without the samdom), since they are performed by the dnsmasq server,
but I also added (for testing)
ptr-record=15.2.0.10.in-addr.arpa.,dc.samdom.example.com
in dnsmasq.conf so that the reverse lookup of the Samba AD yields the
AD domain name (although this does not seem to be required).
wincli also uses the time-server of dc, so both are in sync.
Two setups:
NT1)
dc.example.com:
server min protocol = NT1
server max protocol = NT1
wincli.example.com:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto
SMB2)
dc.example.com:
server min protocol = SMB2_02
server max protocol = SMB3
wincli.example.com:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
wincli.example.com joined the domain in setup NT1, and it is
possible to access the AD with the group policy on wincli. When I now
change to setup SMB2 and try to access the AD I get "The RPC server is
not available" (or something analogous in German).
I tested whether the RPC server is operating in the SMB2 setup from a Linux
machine using "net rpc info -U Administrator" and got this output:
Password for [samdom\Administrator]:
Domain Name: samdom
Domain SID: S-?-?-?-*
Sequence number: 1
Num users: 27
Num domain groups: 13
Num local groups: 5
So the RPC server seems to be running. And from Linux clients I have no
problems when using the SMB2 setup.
wincli and dc also seem to communicate in the SMB2 setup, since tcpdump
shows me an SMB negprot (REQUEST) from wincli and dc answering with an
SMB-over-TCP packet (I guess it's encrypted).
Does anybody have an idea what the problem could be?
Here's more of my smb.conf (10.0.2.2 is the dnsmasq server):
dns forwarder = 10.0.2.2
netbios name = DC
realm = SAMDOM.EXAMPLE.COM
server role = active directory domain controller
workgroup = SAMDOM
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
kdc:user ticket lifetime = 48
kdc:renewal lifetime = 120
# server min protocol = SMB2_02
# server max protocol = SMB3
# this stops rpc server, but without windows clients don't work
client min protocol = NT1
server min protocol = NT1
server max protocol = NT1
disable netbios = no
prefork children = 2
allow dns updates = nonsecure
nsupdate command = /usr/local/bin/nsupdate -g
ntp signd socket directory = /var/db/samba4/ntp_signd
server signing = desired
client signing = desired
smb encrypt = enabled
wins support = yes
name resolve order = wins lmhosts bcast
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind separator = +
winbind nss info = rfc2307
template homedir = /home/%U
template shell = /bin/tcsh
idmap_ldb:use rfc2307 = yes
idmap config * : range = 500-550
map acl inherit = yes
xattr_tdb:file = /var/db/samba4/xattr.tdb
Rowland Penny
2022-Apr-30 17:22 UTC
[Samba] Need help for SMBv2-connection with windows clients
On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> I have problems getting my Windows 10 client(s) to connect to my Samba
> server using SMBv2 or higher, but no problems with SMBv1 (NT1)
> protocol. I guess this has to do with my AD domain being put on top
> of my private domain (see configuration below).
>
> I already checked that client and server are communicating, so it does
> not seem to be primarily a simple DNS issue.
>
> My setup:
> Domain: example.com
> AD-Domain(realm): samdom.example.com
> Network 10.0.2.0/24
>
> Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> dc.samdom.example.com (10.0.2.15)
>
> Windows 10 client: wincli.example.com and wincli.samdom.example.com
> (10.0.2.53)
>
> example.com is resolved by a dnsmasq server, which forwards all requests
> for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in dnsmasq.conf:
> server=/samdom.example.com/10.0.2.15
> rebind-domain-ok=/samdom.example.com/

It looks like all your clients are in the 'example.com' DNS domain (and
hence in the 'EXAMPLE.COM' realm) and the DC is in the
'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM' realm).
If this is the case, then it isn't going to work.

Using a subdomain of a registered domain is best practice, so you are
okay there, but your DC must be authoritative for the subdomain and
your clients must be members of the subdomain. Whilst you can use an
external DNS server on your network, all requests for AD records must
be forwarded to the DC(s) and no AD records can be stored on the
forwarding DNS server (except for 'cached' records).

I suggest you rethink your setup.

Rowland
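Added check, not code from the thread or from Samba: a small Python audit of a dnsmasq.conf fragment against the three rules in the reply above (the realm's zone forwarded to the DC, no AD records stored on the forwarder, every domain member inside the AD subdomain). The conf excerpt and the client name are constructed from values quoted in this thread.

```python
"""Audit a dnsmasq.conf fragment against the AD DNS rules from the reply."""
from typing import List

REALM = "samdom.example.com"   # AD realm / DNS zone from the thread
DC_IP = "10.0.2.15"            # the Samba DC
# Constructed dnsmasq.conf excerpt, assembled from lines quoted in the thread.
SAMPLE_CONF = """\
server=/samdom.example.com/10.0.2.15
rebind-domain-ok=/samdom.example.com/
srv-host=_ldap._tcp.pdc._msdcs.samdom,dc.samdom.example.com,389,0,100
host-record=dc.example.com,10.0.2.15
"""


def in_zone(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it (trailing dots ignored)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def check_dnsmasq(conf: str, realm: str, dc_ip: str, clients: List[str]) -> List[str]:
    """Return findings; an empty list means the fragment follows the rules."""
    findings: List[str] = []
    forwarded = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        if key == "server":
            # server=/zone/ip is the one acceptable way to hand the realm to the DC
            parts = val.split("/")
            if len(parts) == 3 and in_zone(realm, parts[1]) and parts[2] == dc_ip:
                forwarded = True
        elif key in ("srv-host", "host-record"):
            name = val.split(",")[0]
            # A name under the realm, or carrying the AD-only _msdcs label, is an AD record
            if in_zone(name, realm) or "_msdcs" in name.lower().split("."):
                findings.append(f"{key}={name}: AD record stored on the forwarder, not the DC")
    if not forwarded:
        findings.append(f"missing server=/{realm}/{dc_ip}: realm is not forwarded to the DC")
    for host in clients:
        if not in_zone(host, realm):
            findings.append(f"client {host} is not a member of the AD subdomain {realm}")
    return findings


if __name__ == "__main__":
    for finding in check_dnsmasq(SAMPLE_CONF, REALM, DC_IP, ["wincli.example.com"]):
        print("FINDING:", finding)
```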
Bombadil
2022-May-01 15:21 UTC
[Samba] Need help for SMBv2-connection with windows clients
On Saturday, 30.04.2022 at 18:22 +0100, Rowland Penny via samba wrote:
> On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > I have problems getting my Windows 10 client(s) to connect to my Samba
> > server using SMBv2 or higher, but no problems with SMBv1 (NT1)
> > protocol. I guess this has to do with my AD domain being put on top
> > of my private domain (see configuration below).
> >
> > I already checked that client and server are communicating, so it does
> > not seem to be primarily a simple DNS issue.
> >
> > My setup:
> > Domain: example.com
> > AD-Domain(realm): samdom.example.com
> > Network 10.0.2.0/24
> >
> > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > dc.samdom.example.com (10.0.2.15)
> >
> > Windows 10 client: wincli.example.com and wincli.samdom.example.com
> > (10.0.2.53)
> >
> > example.com is resolved by a dnsmasq server, which forwards all requests
> > for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in dnsmasq.conf:
> > server=/samdom.example.com/10.0.2.15
> > rebind-domain-ok=/samdom.example.com/
>
> It looks like all your clients are in the 'example.com' DNS domain (and
> hence in the 'EXAMPLE.COM' realm) and the DC is in the
> 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM' realm).
> If this is the case, then it isn't going to work.
>
> Using a subdomain of a registered domain is best practice, so you are
> okay there, but your DC must be authoritative for the subdomain and
> your clients must be members of the subdomain. Whilst you can use an
> external DNS server on your network, all requests for AD records must
> be forwarded to the DC(s) and no AD records can be stored on the
> forwarding DNS server (except for 'cached' records).
>
> I suggest you rethink your setup.
>
> Rowland

Thank you for your quick response!

Actually I tried to put them both simply into the example.com DNS
domain or the samdom.example.com DNS domain, but this does not solve
the problem.

I also changed the DNS server on both machines to the DC DNS server
(10.0.2.15), i.e., the reply is now certainly authoritative, but still
no success.

Is it possible that SMBv2 also performs a reverse lookup? That would
currently result in the example.com domain, since no PTR entries are in
the DC DNS server and the requests are then forwarded to the dnsmasq
server.

Helmut