Bombadil
2022-May-03 10:37 UTC
[Samba] Need help for SMBv2-connection with windows clients
On Sunday, 01.05.2022 at 16:46 +0100, Rowland Penny via samba wrote:
> On Sun, 2022-05-01 at 17:21 +0200, Bombadil via samba wrote:
> > On Saturday, 30.04.2022 at 18:22 +0100, Rowland Penny via samba wrote:
> > > On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > > > I have problems getting my Windows 10 client(s) to connect to my
> > > > Samba server using SMBv2 or higher, but no problems with SMBv1 (NT1)
> > > > protocol. I guess this has to do with my AD domain being put on top
> > > > of my private domain (see configuration below).
> > > >
> > > > I already checked that client and server are communicating, so it
> > > > does not seem to be primarily a simple DNS issue.
> > > >
> > > > My setup:
> > > > Domain: example.com
> > > > AD-Domain (realm): samdom.example.com
> > > > Network 10.0.2.0/24
> > > >
> > > > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > > > dc.samdom.example.com (10.0.2.15)
> > > >
> > > > Windows 10 client: wincli.example.com and wincli.samdom.example.com
> > > > (10.0.2.53)
> > > >
> > > > example.com is resolved by a dnsmasq server, which forwards all
> > > > requests for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in
> > > > dnsmasq.conf:
> > > > server=/samdom.example.com/10.0.2.15
> > > > rebind-domain-ok=/samdom.example.com/
> > >
> > > It looks like all your clients are in the 'example.com' DNS domain (and
> > > hence in the 'EXAMPLE.COM' realm) and the DC is in the
> > > 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM' realm).
> > > If this is the case, then it isn't going to work.
> > >
> > > Using a subdomain of a registered domain is best practice, so you are
> > > okay there, but your DC must be authoritative for the subdomain and
> > > your clients must be members of the subdomain. Whilst you can use an
> > > external DNS server on your network, all requests for AD records must
> > > be forwarded to the DC(s) and no AD records can be stored on the
> > > forwarding dns server (except for 'cached' records).
> > >
> > > I suggest you rethink your setup.
> > >
> > > Rowland
> > >
> >
> > Thank you for your quick response!
> >
> > Actually I tried to set them both simply into the example.com DNS
> > domain or the samdom.example.com DNS domain, but this does not solve
> > the problem. I also changed the DNS server on both machines to the
> > DC DNS server (10.0.2.15), i.e., the reply is now certainly
> > authoritative, but still no success.
> >
> > Is it possible that SMBv2 also performs a reverse lookup? That would
> > currently result in the example.com domain, since no PTR entries are
> > in the DC DNS server and then the requests are forwarded to the
> > dnsmasq server.
> >
> > Helmut
>
> The DC should also be authoritative for the reverse zone. Unless the
> dnsmasq server is just as a 'cache' server and/or a dhcp server, I
> don't see the point in it. You will not be the first person (and
> probably not the last) to attempt to use an external dns server to
> control a Samba AD domain, none have worked correctly yet.
>
> Just create the reverse records in AD and nowhere else (except in a
> dns caching server, which will be created automatically).
>
> Rowland
>

I configured "dc1" and "wincli" now to be in NS-domain samdom.example.com
and "dc1" is only the NS-server (so the dnsmasq server does not interfere):

On dc1:
'host -t A dc1':
    dc1.samdom.example.com has address 10.0.2.15
'host -t A gimli':
    gimli.samdom.example.com has address 10.0.2.96

'dig dc1.samdom.example.com':
; <<>> DiG 9.16.27 <<>> dc1.samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;dc1.samdom.example.com.        IN      A

;; ANSWER SECTION:
dc1.samdom.example.com. 900     IN      A       10.0.2.15

;; AUTHORITY SECTION:
samdom.example.com.     3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 25 900 600 86400 3600

;; Query time: 5 msec
;; SERVER: 10.0.2.15#53(10.0.2.15)
;; WHEN: Tue May 03 12:14:03 CEST 2022
;; MSG SIZE  rcvd: 108

'dig -x 10.0.2.15'
; <<>> DiG 9.16.27 <<>> -x 10.0.2.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62014
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;15.2.0.10.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
15.2.0.10.in-addr.arpa. 900     IN      PTR     dc1.samdom.example.com.

;; AUTHORITY SECTION:
2.0.10.in-addr.arpa.    3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 6 900 600 86400 3600

;; Query time: 5 msec
;; SERVER: 10.0.2.15#53(10.0.2.15)
;; WHEN: Tue May 03 12:15:40 CEST 2022
;; MSG SIZE  rcvd: 128

The outputs for "wincli" are analogous. I also checked on "wincli" the
NS-lookups with nslookup and got the same results. Thus, both machines
are in the same domain, reverse lookup is working, and the NS answers
are authoritative.

When I switch off SMBv1 on "wincli" and "dc1" I still get "RPC server
is not available"!

For testing I removed "wincli" from the AD-domain, and tried to join it
again using just SMBv2. But then I am getting the error that "A device
attached to the system is not functioning". Whatever this means.
As soon as I enable SMBv1 again, I can join the domain without
problems...

Helmut
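Added example, not part of the thread: a small Python checker for the two DNS properties Rowland insists on (the answer carries the 'aa' flag, i.e. it comes from a zone the DC is authoritative for, and it is served by the DC itself) plus the A/PTR consistency Helmut was asked to establish. The input is constructed from the two dig transcripts posted above, cut down to the lines the parser reads; the parser assumes dig's default output layout.

```python
import re

# Constructed input: the two dig transcripts from the thread, cut down to header flags, answers and SERVER line.
FORWARD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
dc1.samdom.example.com.\t900\tIN\tA\t10.0.2.15
;; SERVER: 10.0.2.15#53(10.0.2.15)
"""
REVERSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62014
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
15.2.0.10.in-addr.arpa.\t900\tIN\tPTR\tdc1.samdom.example.com.
;; SERVER: 10.0.2.15#53(10.0.2.15)
"""

def parse_dig(text):
    """Pull the header flags, the answering server and the answer RRs out of dig output."""
    flags = set(re.search(r";; flags: ([^;]*);", text).group(1).split())
    server = re.search(r";; SERVER: ([\d.]+)#", text).group(1)
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif not line.strip() or line.startswith(";"):
            in_answer = False  # a blank line or the next section ends the answers
        elif in_answer:
            name, _ttl, _cls, rtype, rdata = line.split()
            answers.append((name, rtype, rdata))
    return {"flags": flags, "server": server, "answers": answers}

def check_dc_dns(forward_txt, reverse_txt, dc_ip):
    """Return a list of problems; empty means both answers came from the DC,
    carry the 'aa' (authoritative answer) flag and the A/PTR pair agrees."""
    fwd, rev = parse_dig(forward_txt), parse_dig(reverse_txt)
    problems = []
    for label, r in (("forward", fwd), ("reverse", rev)):
        if "aa" not in r["flags"]:
            problems.append(f"{label}: not authoritative (forwarded or cached answer)")
        if r["server"] != dc_ip:
            problems.append(f"{label}: answered by {r['server']}, not the DC {dc_ip}")
    a_names = {n for n, t, d in fwd["answers"] if t == "A" and d == dc_ip}
    ptr_targets = {d for _, t, d in rev["answers"] if t == "PTR"}
    if not a_names:
        problems.append(f"forward: no A record resolving to {dc_ip}")
    if not a_names & ptr_targets:
        problems.append("reverse: PTR does not point back to the forward name")
    return problems
```

Run it against the DC's address for each host you care about; an answer relayed by dnsmasq shows up as "not authoritative" because the forwarder strips the 'aa' flag.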
Rowland Penny
2022-May-03 12:11 UTC
[Samba] Need help for SMBv2-connection with windows clients
On Tue, 2022-05-03 at 12:37 +0200, Bombadil via samba wrote:
> On Sunday, 01.05.2022 at 16:46 +0100, Rowland Penny via samba wrote:
> > On Sun, 2022-05-01 at 17:21 +0200, Bombadil via samba wrote:
> > > On Saturday, 30.04.2022 at 18:22 +0100, Rowland Penny via samba wrote:
> > > > On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > > > > I have problems getting my Windows 10 client(s) to connect to my
> > > > > Samba server using SMBv2 or higher, but no problems with SMBv1 (NT1)
> > > > > protocol. I guess this has to do with my AD domain being put on top
> > > > > of my private domain (see configuration below).
> > > > >
> > > > > I already checked that client and server are communicating, so it
> > > > > does not seem to be primarily a simple DNS issue.
> > > > >
> > > > > My setup:
> > > > > Domain: example.com
> > > > > AD-Domain (realm): samdom.example.com
> > > > > Network 10.0.2.0/24
> > > > >
> > > > > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > > > > dc.samdom.example.com (10.0.2.15)
> > > > >
> > > > > Windows 10 client: wincli.example.com and wincli.samdom.example.com
> > > > > (10.0.2.53)
> > > > >
> > > > > example.com is resolved by a dnsmasq server, which forwards all
> > > > > requests for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in
> > > > > dnsmasq.conf:
> > > > > server=/samdom.example.com/10.0.2.15
> > > > > rebind-domain-ok=/samdom.example.com/
> > > >
> > > > It looks like all your clients are in the 'example.com' DNS domain (and
> > > > hence in the 'EXAMPLE.COM' realm) and the DC is in the
> > > > 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM' realm).
> > > > If this is the case, then it isn't going to work.
> > > >
> > > > Using a subdomain of a registered domain is best practice, so you are
> > > > okay there, but your DC must be authoritative for the subdomain and
> > > > your clients must be members of the subdomain. Whilst you can use an
> > > > external DNS server on your network, all requests for AD records must
> > > > be forwarded to the DC(s) and no AD records can be stored on the
> > > > forwarding dns server (except for 'cached' records).
> > > >
> > > > I suggest you rethink your setup.
> > > >
> > > > Rowland
> > > >
> > >
> > > Thank you for your quick response!
> > >
> > > Actually I tried to set them both simply into the example.com DNS
> > > domain or the samdom.example.com DNS domain, but this does not solve
> > > the problem. I also changed the DNS server on both machines to the
> > > DC DNS server (10.0.2.15), i.e., the reply is now certainly
> > > authoritative, but still no success.
> > >
> > > Is it possible that SMBv2 also performs a reverse lookup? That would
> > > currently result in the example.com domain, since no PTR entries are
> > > in the DC DNS server and then the requests are forwarded to the
> > > dnsmasq server.
> > >
> > > Helmut
> >
> > The DC should also be authoritative for the reverse zone. Unless the
> > dnsmasq server is just as a 'cache' server and/or a dhcp server, I
> > don't see the point in it. You will not be the first person (and
> > probably not the last) to attempt to use an external dns server to
> > control a Samba AD domain, none have worked correctly yet.
> >
> > Just create the reverse records in AD and nowhere else (except in a
> > dns caching server, which will be created automatically).
> >
> > Rowland
> >
>
> I configured "dc1" and "wincli" now to be in NS-domain samdom.example.com
> and "dc1" is only the NS-server (so the dnsmasq server does not interfere):
>
> On dc1:
> 'host -t A dc1':
>     dc1.samdom.example.com has address 10.0.2.15
> 'host -t A gimli':
>     gimli.samdom.example.com has address 10.0.2.96
>
> 'dig dc1.samdom.example.com':
> ; <<>> DiG 9.16.27 <<>> dc1.samdom.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;dc1.samdom.example.com.        IN      A
>
> ;; ANSWER SECTION:
> dc1.samdom.example.com. 900     IN      A       10.0.2.15
>
> ;; AUTHORITY SECTION:
> samdom.example.com.     3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 25 900 600 86400 3600
>
> ;; Query time: 5 msec
> ;; SERVER: 10.0.2.15#53(10.0.2.15)
> ;; WHEN: Tue May 03 12:14:03 CEST 2022
> ;; MSG SIZE  rcvd: 108
>
> 'dig -x 10.0.2.15'
> ; <<>> DiG 9.16.27 <<>> -x 10.0.2.15
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62014
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;15.2.0.10.in-addr.arpa.                IN      PTR
>
> ;; ANSWER SECTION:
> 15.2.0.10.in-addr.arpa. 900     IN      PTR     dc1.samdom.example.com.
>
> ;; AUTHORITY SECTION:
> 2.0.10.in-addr.arpa.    3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 6 900 600 86400 3600
>
> ;; Query time: 5 msec
> ;; SERVER: 10.0.2.15#53(10.0.2.15)
> ;; WHEN: Tue May 03 12:15:40 CEST 2022
> ;; MSG SIZE  rcvd: 128
>
> The outputs for "wincli" are analogous. I also checked on "wincli" the
> NS-lookups with nslookup and got the same results. Thus, both machines
> are in the same domain, reverse lookup is working, and the NS answers
> are authoritative.
>
> When I switch off SMBv1 on "wincli" and "dc1" I still get "RPC server
> is not available"!
>
> For testing I removed "wincli" from the AD-domain, and tried to join it
> again using just SMBv2. But then I am getting the error that "A device
> attached to the system is not functioning". Whatever this means.
> As soon as I enable SMBv1 again, I can join the domain without
> problems...
>
> Helmut

I have reviewed this thread and several things got masked by the totally
incorrect dns setup.

You cannot turn off the RPC server by setting '* min protocol' on a DC,
it is a service run from the 'server services' line and you do not have
that line, so the defaults are used, one of which is 'rpc'.

You also have numerous lines in your smb.conf that are either defaults or
have no place in a DC smb.conf, e.g. 'wins support'.

Is a firewall running and blocking the ports that a DC requires?

Rowland