Bombadil
2022-May-01 15:21 UTC
[Samba] Need help for SMBv2-connection with windows clients
On Saturday, 30.04.2022 at 18:22 +0100, Rowland Penny via samba wrote:
> On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > I have problems getting my Windows 10 client(s) to connect to my Samba
> > server using SMBv2 or higher, but no problems with the SMBv1 (NT1)
> > protocol. I guess this has to do with my AD domain being put on top
> > of my private domain (see configuration below).
> >
> > I already checked that client and server are communicating, so it does
> > not seem to be primarily a simple DNS issue.
> >
> > My setup:
> > Domain: example.com
> > AD-Domain (realm): samdom.example.com
> > Network 10.0.2.0/24
> >
> > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > dc.samdom.example.com (10.0.2.15)
> >
> > Windows 10 client: wincli.example.com and wincli.samdom.example.com
> > (10.0.2.53)
> >
> > example.com is resolved by a dnsmasq server, which forwards all requests
> > for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in dnsmasq.conf:
> > server=/samdom.example.com/10.0.2.15
> > rebind-domain-ok=/samdom.example.com/
>
> It looks like all your clients are in the 'example.com' DNS domain (and
> hence in the 'EXAMPLE.COM' realm) and the DC is in the
> 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM' realm).
> If this is the case, then it isn't going to work.
>
> Using a subdomain of a registered domain is best practice, so you are
> okay there, but your DC must be authoritative for the subdomain and
> your clients must be members of the subdomain. Whilst you can use an
> external DNS server on your network, all requests for AD records must
> be forwarded to the DC(s) and no AD records can be stored on the
> forwarding DNS server (except for 'cached' records).
>
> I suggest you rethink your setup.
>
> Rowland
>

Thank you for your quick response!

Actually I tried to set them both simply into the example.com DNS domain
or the samdom.example.com DNS domain, but this does not solve the problem.
I also changed the DNS server on both machines to the DC DNS server
(10.0.2.15), i.e., the reply is now certainly authoritative, but still no
success.

Is it possible that SMBv2 also performs a reverse lookup? That would
currently result in the example.com domain, since no PTR entries are in
the DC DNS server and then the requests are forwarded to the dnsmasq
server.

Helmut
Rowland Penny
2022-May-01 15:46 UTC
[Samba] Need help for SMBv2-connection with windows clients
On Sun, 2022-05-01 at 17:21 +0200, Bombadil via samba wrote:
> On Saturday, 30.04.2022 at 18:22 +0100, Rowland Penny via samba wrote:
> > On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > > I have problems getting my Windows 10 client(s) to connect to my Samba
> > > server using SMBv2 or higher, but no problems with the SMBv1 (NT1)
> > > protocol. I guess this has to do with my AD domain being put on top
> > > of my private domain (see configuration below).
> > >
> > > I already checked that client and server are communicating, so it does
> > > not seem to be primarily a simple DNS issue.
> > >
> > > My setup:
> > > Domain: example.com
> > > AD-Domain (realm): samdom.example.com
> > > Network 10.0.2.0/24
> > >
> > > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > > dc.samdom.example.com (10.0.2.15)
> > >
> > > Windows 10 client: wincli.example.com and wincli.samdom.example.com
> > > (10.0.2.53)
> > >
> > > example.com is resolved by a dnsmasq server, which forwards all requests
> > > for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in dnsmasq.conf:
> > > server=/samdom.example.com/10.0.2.15
> > > rebind-domain-ok=/samdom.example.com/
> >
> > It looks like all your clients are in the 'example.com' DNS domain (and
> > hence in the 'EXAMPLE.COM' realm) and the DC is in the
> > 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM' realm).
> > If this is the case, then it isn't going to work.
> >
> > Using a subdomain of a registered domain is best practice, so you are
> > okay there, but your DC must be authoritative for the subdomain and
> > your clients must be members of the subdomain. Whilst you can use an
> > external DNS server on your network, all requests for AD records must
> > be forwarded to the DC(s) and no AD records can be stored on the
> > forwarding DNS server (except for 'cached' records).
> >
> > I suggest you rethink your setup.
> >
> > Rowland
> >
>
> Thank you for your quick response!
>
> Actually I tried to set them both simply into the example.com DNS domain
> or the samdom.example.com DNS domain, but this does not solve the problem.
> I also changed the DNS server on both machines to the DC DNS server
> (10.0.2.15), i.e., the reply is now certainly authoritative, but still no
> success.
>
> Is it possible that SMBv2 also performs a reverse lookup? That would
> currently result in the example.com domain, since no PTR entries are in
> the DC DNS server and then the requests are forwarded to the dnsmasq
> server.
>
> Helmut

The DC should also be authoritative for the reverse zone. Unless the
dnsmasq server is just a 'cache' server and/or a DHCP server, I don't see
the point in it.

You will not be the first person (and probably not the last) to attempt to
use an external DNS server to control a Samba AD domain; none have worked
correctly yet.

Just create the reverse records in AD and nowhere else (except in a DNS
caching server, where they will be created automatically).

Rowland
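The arrangement Rowland describes (the DC authoritative for the reverse zone, dnsmasq doing nothing but forwarding both AD zones to it), as an added example that is not part of the thread and not Samba project code. Host names, addresses and the two dnsmasq lines are the ones given in the thread; the `administrator` account name and the `HOSTS` list are assumptions. The script derives the `in-addr.arpa` zone name and PTR labels for octet-aligned prefixes generally, not only the /24 in the thread, prints the dnsmasq lines and the `samba-tool dns` commands by default, and executes the commands only when run with `--apply` on a host that has `samba-tool` and can reach the DC.

```shell
#!/bin/sh
# Added example, not from the thread: make the Samba DC authoritative for the
# reverse zone of 10.0.2.0/24 and let dnsmasq only forward both AD zones to it.
# Host names, addresses and the dnsmasq lines are the ones given in the thread;
# ADMIN_USER and the HOSTS list are assumptions.

DC_HOST="dc.samdom.example.com"
DC_IP="10.0.2.15"
NETWORK="10.0.2.0/24"
ADMIN_USER="administrator"   # assumed AD account passed to samba-tool -U
# fqdn=ip pairs that need PTR records (both hosts appear in the thread)
HOSTS="dc.samdom.example.com=10.0.2.15 wincli.samdom.example.com=10.0.2.53"

# reverse_zone 10.0.2.0/24 -> 2.0.10.in-addr.arpa. Only octet-aligned prefixes
# (/8, /16, /24) map onto a single in-addr.arpa zone; anything else is rejected.
reverse_zone() {
    case $1 in */*) ;; *) return 1 ;; esac
    net=${1%/*}; bits=${1#*/}
    octets=$((bits / 8))
    [ $((octets * 8)) -eq "$bits" ] && [ "$octets" -ge 1 ] && [ "$octets" -le 3 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $net; IFS=$old_ifs
    case $octets in
        1) echo "$1.in-addr.arpa" ;;
        2) echo "$2.$1.in-addr.arpa" ;;
        3) echo "$3.$2.$1.in-addr.arpa" ;;
    esac
}

# ptr_label 10.0.2.15 10.0.2.0/24 -> 15: the host octets, reversed, relative to
# the zone that reverse_zone derives for the same network.
ptr_label() {
    host=$1; bits=${2#*/}
    old_ifs=$IFS; IFS=.; set -- $host; IFS=$old_ifs
    case $((bits / 8)) in
        1) echo "$4.$3.$2" ;;
        2) echo "$4.$3" ;;
        3) echo "$4" ;;
        *) return 1 ;;
    esac
}

# dnsmasq.conf lines: the forward-zone lines quoted in the thread plus one that
# hands the reverse zone to the DC, so dnsmasq never answers AD queries itself.
dnsmasq_forward_lines() {
    zone=$(reverse_zone "$NETWORK") || return 1
    printf 'server=/samdom.example.com/%s\n' "$DC_IP"
    printf 'rebind-domain-ok=/samdom.example.com/\n'
    printf 'server=/%s/%s\n' "$zone" "$DC_IP"
}

# Dry run by default (commands are printed); --apply executes them and needs
# samba-tool installed plus credentials for ADMIN_USER.
RUN=echo
if [ "${1:-}" = "--apply" ]; then RUN=; fi

# Create the reverse zone in AD and one PTR record per host in HOSTS.
create_reverse_zone() {
    zone=$(reverse_zone "$NETWORK") || return 1
    $RUN samba-tool dns zonecreate "$DC_HOST" "$zone" -U "$ADMIN_USER"
    for entry in $HOSTS; do
        fqdn=${entry%=*}; ip=${entry#*=}
        label=$(ptr_label "$ip" "$NETWORK") || return 1
        $RUN samba-tool dns add "$DC_HOST" "$zone" "$label" PTR "$fqdn" -U "$ADMIN_USER"
    done
}

echo "# dnsmasq.conf additions on the forwarding resolver:"
dnsmasq_forward_lines
echo "# commands against the DC:"
create_reverse_zone
```

After applying, a reverse lookup for 10.0.2.15 sent to the DC itself (rather than to dnsmasq) should return `dc.samdom.example.com`; if it still comes back from the `example.com` side, the client is not using the DC as its resolver.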