Rowland Penny
2022-May-01 15:46 UTC
[Samba] Need help for SMBv2-connection with windows clients
On Sun, 2022-05-01 at 17:21 +0200, Bombadil via samba wrote:
> On Saturday, 30.04.2022 at 18:22 +0100, Rowland Penny via samba wrote:
> > On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > > I have problems getting my Windows 10 client(s) to connect to my
> > > Samba-server using SMBv2 or higher, but no problems with SMBv1 (NT1)
> > > protocol. I guess this has to do with my AD domain being put on top
> > > of my private domain (see configuration below).
> > >
> > > I already checked that client and server are communicating, so it
> > > does not seem to be primarily a simple DNS issue.
> > >
> > > My setup:
> > > Domain: example.com
> > > AD-Domain(realm): samdom.example.com
> > > Network 10.0.2.0/24
> > >
> > > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > > dc.samdom.example.com (10.0.2.15)
> > >
> > > Windows 10 client: wincli.example.com and wincli.samdom.example.com
> > > (10.0.2.53)
> > >
> > > example.com is resolved by a dnsmasq-server, which forwards all
> > > requests for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in dnsmasq.conf:
> > > server=/samdom.example.com/10.0.2.15
> > > rebind-domain-ok=/samdom.example.com/
> >
> > It looks like all your clients are in the 'example.com' DNS domain (and
> > hence in the 'EXAMPLE.COM' realm) and the DC is in the
> > 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM' realm).
> > If this is the case, then it isn't going to work.
> >
> > Using a subdomain of a registered domain is best practice, so you are
> > okay there, but your DC must be authoritative for the subdomain and
> > your clients must be members of the subdomain. Whilst you can use an
> > external DNS server on your network, all requests for AD records must
> > be forwarded to the DC(s) and no AD records can be stored on the
> > forwarding dns server (except for 'cached' records).
> >
> > I suggest you rethink your setup.
> >
> > Rowland
> >
>
> Thank you for your quick response!
>
> Actually I tried to set them both simply into the example.com DNS-domain
> or the samdom.example.com DNS domain, but this does not solve the
> problem. I also changed the DNS server on both machines to the DC-DNS
> server (10.0.2.15), i.e., the reply is now certainly authoritative, but
> still no success.
>
> Is it possible that SMBv2 also performs a reverse lookup? That would
> currently result in the example.com-domain, since no PTR-entries are in
> the DC-DNS server and then the requests are forwarded to the
> dnsmasq-server.
>
> Helmut

The DC should also be authoritative for the reverse zone. Unless the
dnsmasq server is just a 'cache' server and/or a dhcp server, I don't see
the point in it. You will not be the first person (and probably not the
last) to attempt to use an external dns server to control a Samba AD
domain, none have worked correctly yet.

Just create the reverse records in AD and nowhere else (except in a dns
caching server, which will be created automatically).

Rowland
Bombadil
2022-May-03 10:37 UTC
[Samba] Need help for SMBv2-connection with windows clients
On Sunday, 01.05.2022 at 16:46 +0100, Rowland Penny via samba wrote:
> On Sun, 2022-05-01 at 17:21 +0200, Bombadil via samba wrote:
> > On Saturday, 30.04.2022 at 18:22 +0100, Rowland Penny via samba wrote:
> > > On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > > > I have problems getting my Windows 10 client(s) to connect to my
> > > > Samba-server using SMBv2 or higher, but no problems with SMBv1 (NT1)
> > > > protocol. I guess this has to do with my AD domain being put on top
> > > > of my private domain (see configuration below).
> > > >
> > > > I already checked that client and server are communicating, so it
> > > > does not seem to be primarily a simple DNS issue.
> > > >
> > > > My setup:
> > > > Domain: example.com
> > > > AD-Domain(realm): samdom.example.com
> > > > Network 10.0.2.0/24
> > > >
> > > > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > > > dc.samdom.example.com (10.0.2.15)
> > > >
> > > > Windows 10 client: wincli.example.com and wincli.samdom.example.com
> > > > (10.0.2.53)
> > > >
> > > > example.com is resolved by a dnsmasq-server, which forwards all
> > > > requests for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in dnsmasq.conf:
> > > > server=/samdom.example.com/10.0.2.15
> > > > rebind-domain-ok=/samdom.example.com/
> > >
> > > It looks like all your clients are in the 'example.com' DNS domain (and
> > > hence in the 'EXAMPLE.COM' realm) and the DC is in the
> > > 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM' realm).
> > > If this is the case, then it isn't going to work.
> > >
> > > Using a subdomain of a registered domain is best practice, so you are
> > > okay there, but your DC must be authoritative for the subdomain and
> > > your clients must be members of the subdomain. Whilst you can use an
> > > external DNS server on your network, all requests for AD records must
> > > be forwarded to the DC(s) and no AD records can be stored on the
> > > forwarding dns server (except for 'cached' records).
> > >
> > > I suggest you rethink your setup.
> > >
> > > Rowland
> > >
> >
> > Thank you for your quick response!
> >
> > Actually I tried to set them both simply into the example.com DNS-domain
> > or the samdom.example.com DNS domain, but this does not solve the
> > problem. I also changed the DNS server on both machines to the DC-DNS
> > server (10.0.2.15), i.e., the reply is now certainly authoritative, but
> > still no success.
> >
> > Is it possible that SMBv2 also performs a reverse lookup? That would
> > currently result in the example.com-domain, since no PTR-entries are in
> > the DC-DNS server and then the requests are forwarded to the
> > dnsmasq-server.
> >
> > Helmut
>
> The DC should also be authoritative for the reverse zone. Unless the
> dnsmasq server is just a 'cache' server and/or a dhcp server, I don't see
> the point in it. You will not be the first person (and probably not the
> last) to attempt to use an external dns server to control a Samba AD
> domain, none have worked correctly yet.
>
> Just create the reverse records in AD and nowhere else (except in a dns
> caching server, which will be created automatically).
>
> Rowland
>

I configured "dc1" and "wincli" now to be in NS-domain samdom.example.com
and "dc1" is only the NS-server (so the dnsmasq server does not interfere):

On dc1:

'host -t A dc1':
    dc1.samdom.example.com has address 10.0.2.15

'host -t A gimli':
    gimli.samdom.example.com has address 10.0.2.96

'dig dc1.samdom.example.com':

; <<>> DiG 9.16.27 <<>> dc1.samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dc1.samdom.example.com.        IN      A

;; ANSWER SECTION:
dc1.samdom.example.com. 900     IN      A       10.0.2.15

;; AUTHORITY SECTION:
samdom.example.com.     3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 25 900 600 86400 3600

;; Query time: 5 msec
;; SERVER: 10.0.2.15#53(10.0.2.15)
;; WHEN: Tue May 03 12:14:03 CEST 2022
;; MSG SIZE  rcvd: 108

'dig -x 10.0.2.15':

; <<>> DiG 9.16.27 <<>> -x 10.0.2.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62014
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;15.2.0.10.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
15.2.0.10.in-addr.arpa. 900     IN      PTR     dc1.samdom.example.com.

;; AUTHORITY SECTION:
2.0.10.in-addr.arpa.    3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 6 900 600 86400 3600

;; Query time: 5 msec
;; SERVER: 10.0.2.15#53(10.0.2.15)
;; WHEN: Tue May 03 12:15:40 CEST 2022
;; MSG SIZE  rcvd: 128

The outputs for "wincli" are analogous. I also checked on "wincli" the
NS-lookups with nslookup and got the same results. Thus, both machines
are in the same domain, reverse lookup is working, and the NS answers are
authoritative.

When I switch off SMBv1 on "wincli" and "dc1" I still get "RPC server is
not available"!

For testing I removed "wincli" from the AD-domain, and tried to join it
again using just SMBv2. But then I am getting the error that "A device
attached to the system is not functioning". Whatever this means. As soon
as I enable SMBv1 again, I can join the domain without problems...

Helmut
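A sanity check over the dig outputs Helmut posted, added here as an example and not code from the thread or from Samba: it parses dig text and verifies what Rowland asks for, that the forward and reverse answers carry the `aa` flag, that each zone's SOA primary is the DC itself, and that the A and PTR records agree. The sample inputs are the thread's two answers trimmed to those sections; the function and field names are my own.

```python
# Constructed sample input: the two dig answers posted in the thread, trimmed
# to the sections the parser reads (flags line, ANSWER and AUTHORITY sections).
DIG_FORWARD = """\
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
dc1.samdom.example.com. 900 IN A 10.0.2.15
;; AUTHORITY SECTION:
samdom.example.com. 3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. 25 900 600 86400 3600
"""
DIG_REVERSE = """\
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
15.2.0.10.in-addr.arpa. 900 IN PTR dc1.samdom.example.com.
;; AUTHORITY SECTION:
2.0.10.in-addr.arpa. 3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. 6 900 600 86400 3600
"""

def parse_dig(text):
    """Return (flags, records); records are (section, owner, rtype, rdata) tuples."""
    flags, records, section = set(), [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; flags:"):  # ';; flags: qr aa rd ra ad; QUERY: ...'
            flags = set(line.split("flags:", 1)[1].split(";", 1)[0].split())
        elif line.endswith("SECTION:"):  # ';; ANSWER SECTION:' -> 'answer'
            section = line.strip("; ").split()[0].lower()
        elif line and not line.startswith(";") and section:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((section, owner.rstrip("."), rtype, rdata))
    return flags, records

def check_ad_dns(forward, reverse, dc_fqdn, dc_ip):
    """List what is wrong with the DC's DNS answers; empty means all checks passed."""
    problems = []
    parsed = {"forward": parse_dig(forward), "reverse": parse_dig(reverse)}
    for label, (flags, records) in parsed.items():
        if "aa" not in flags:  # a forwarded or cached reply is not authoritative
            problems.append(f"{label}: answer is not authoritative (no 'aa' flag)")
        soa = [r[3].split()[0].rstrip(".") for r in records if r[0] == "authority" and r[2] == "SOA"]
        if soa != [dc_fqdn]:  # the zone's primary server must be the DC itself
            problems.append(f"{label}: zone SOA primary {soa} is not {dc_fqdn}")
    a = [r[3] for r in parsed["forward"][1] if r[0] == "answer" and r[2] == "A" and r[1] == dc_fqdn]
    if a != [dc_ip]:
        problems.append(f"forward: expected A {dc_ip} for {dc_fqdn}, got {a}")
    ptr = [r[3].rstrip(".") for r in parsed["reverse"][1] if r[0] == "answer" and r[2] == "PTR"]
    if ptr != [dc_fqdn]:  # the missing PTR records suspected earlier in the thread
        problems.append(f"reverse: expected PTR {dc_fqdn} for {dc_ip}, got {ptr}")
    return problems
```

Feed it the raw output of `dig <dc fqdn>` and `dig -x <dc ip>` against the DC; a reply relayed through dnsmasq shows up as the missing `aa` flag, and an absent reverse zone as the PTR mismatch.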