Rowland Penny
2022-May-03 12:11 UTC
[Samba] Need help for SMBv2-connection with windows clients
On Tue, 2022-05-03 at 12:37 +0200, Bombadil via samba wrote:
> On Sunday, 01.05.2022 at 16:46 +0100, Rowland Penny via samba wrote:
> > On Sun, 2022-05-01 at 17:21 +0200, Bombadil via samba wrote:
> > > On Saturday, 30.04.2022 at 18:22 +0100, Rowland Penny via samba wrote:
> > > > On Sat, 2022-04-30 at 18:14 +0200, Bombadil via samba wrote:
> > > > > I have problems getting my Windows 10 client(s) to connect to my
> > > > > Samba server using SMBv2 or higher, but no problems with the SMBv1
> > > > > (NT1) protocol. I guess this has to do with my AD domain being put
> > > > > on top of my private domain (see configuration below).
> > > > >
> > > > > I already checked that client and server are communicating, so it
> > > > > does not seem to be primarily a simple DNS issue.
> > > > >
> > > > > My setup:
> > > > > Domain: example.com
> > > > > AD-Domain (realm): samdom.example.com
> > > > > Network: 10.0.2.0/24
> > > > >
> > > > > Samba AD with FreeBSD 13.0, samba-4.13.17: dc.example.com and
> > > > > dc.samdom.example.com (10.0.2.15)
> > > > >
> > > > > Windows 10 client: wincli.example.com and wincli.samdom.example.com
> > > > > (10.0.2.53)
> > > > >
> > > > > example.com is resolved by a dnsmasq server, which forwards all
> > > > > requests for 'samdom.example.com' to 10.0.2.15 (dc), i.e. in
> > > > > dnsmasq.conf:
> > > > > server=/samdom.example.com/10.0.2.15
> > > > > rebind-domain-ok=/samdom.example.com/
> > > >
> > > > It looks like all your clients are in the 'example.com' DNS domain
> > > > (and hence in the 'EXAMPLE.COM' realm) and the DC is in the
> > > > 'samdom.example.com' DNS domain (and in the 'SAMDOM.EXAMPLE.COM'
> > > > realm). If this is the case, then it isn't going to work.
> > > >
> > > > Using a subdomain of a registered domain is best practice, so you
> > > > are okay there, but your DC must be authoritative for the subdomain
> > > > and your clients must be members of the subdomain. Whilst you can
> > > > use an external DNS server on your network, all requests for AD
> > > > records must be forwarded to the DC(s) and no AD records can be
> > > > stored on the forwarding dns server (except for 'cached' records).
> > > >
> > > > I suggest you rethink your setup.
> > > >
> > > > Rowland
> > >
> > > Thank you for your quick response!
> > >
> > > Actually I tried to set them both simply into the example.com DNS
> > > domain or the samdom.example.com DNS domain, but this does not solve
> > > the problem. I also changed the DNS server on both machines to the DC
> > > DNS server (10.0.2.15), i.e., the reply is now certainly
> > > authoritative, but still no success.
> > >
> > > Is it possible that SMBv2 also performs a reverse lookup? That would
> > > currently result in the example.com domain, since no PTR entries are
> > > in the DC DNS server and then the requests are forwarded to the
> > > dnsmasq server.
> > >
> > > Helmut
> >
> > The DC should also be authoritative for the reverse zone. Unless the
> > dnsmasq server is just a 'cache' server and/or a dhcp server, I don't
> > see the point in it. You will not be the first person (and probably not
> > the last) to attempt to use an external dns server to control a Samba
> > AD domain; none have worked correctly yet.
> >
> > Just create the reverse records in AD and nowhere else (except in a dns
> > caching server, which will be created automatically).
> >
> > Rowland
>
> I configured "dc1" and "wincli" now to be in the NS domain
> samdom.example.com and "dc1" is the only NS server (so the dnsmasq server
> does not interfere):
>
> On dc1:
> 'host -t A dc1':
> dc1.samdom.example.com has address 10.0.2.15
> 'host -t A gimli':
> gimli.samdom.example.com has address 10.0.2.96
>
> 'dig dc1.samdom.example.com':
> ; <<>> DiG 9.16.27 <<>> dc1.samdom.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;dc1.samdom.example.com.        IN      A
>
> ;; ANSWER SECTION:
> dc1.samdom.example.com. 900     IN      A       10.0.2.15
>
> ;; AUTHORITY SECTION:
> samdom.example.com.     3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 25 900 600 86400 3600
>
> ;; Query time: 5 msec
> ;; SERVER: 10.0.2.15#53(10.0.2.15)
> ;; WHEN: Tue May 03 12:14:03 CEST 2022
> ;; MSG SIZE  rcvd: 108
>
> 'dig -x 10.0.2.15':
> ; <<>> DiG 9.16.27 <<>> -x 10.0.2.15
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62014
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;15.2.0.10.in-addr.arpa.        IN      PTR
>
> ;; ANSWER SECTION:
> 15.2.0.10.in-addr.arpa. 900     IN      PTR     dc1.samdom.example.com.
>
> ;; AUTHORITY SECTION:
> 2.0.10.in-addr.arpa.    3600    IN      SOA     dc1.samdom.example.com. hostmaster.samdom.example.com. 6 900 600 86400 3600
>
> ;; Query time: 5 msec
> ;; SERVER: 10.0.2.15#53(10.0.2.15)
> ;; WHEN: Tue May 03 12:15:40 CEST 2022
> ;; MSG SIZE  rcvd: 128
>
> The outputs for "wincli" are analogous. I also checked the NS lookups on
> "wincli" with nslookup and got the same results. Thus, both machines are
> in the same domain, reverse lookup is working, and the NS answers are
> authoritative.
>
> When I switch off SMBv1 on "wincli" and "dc1" I still get "RPC server is
> not available"!
>
> For testing I removed "wincli" from the AD domain, and tried to join it
> again using just SMBv2. But then I am getting the error that "A device
> attached to the system is not functioning". Whatever this means.
> As soon as I enable SMBv1 again, I can join the domain without
> problems...
>
> Helmut

I have reviewed this thread and several things got masked by the totally
incorrect dns setup.

You cannot turn off the RPC server by setting '* min protocol' on a DC; it
is a service run from the 'server services' line and you do not have that
line, so the defaults are used, one of which is 'rpc'.

You also have numerous lines in your smb.conf that are either defaults or
have no place in a DC smb.conf, e.g. 'wins support'.

Is a firewall running and blocking the ports that a DC requires?

Rowland
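The check Rowland's advice implies, written out as an added example (not code from the thread or from Samba): it asks the DC directly for the forward name, the reverse zone and the SRV records AD clients look up, and accepts only answers that carry the authoritative flag ('aa') and come from the DC itself rather than a forwarder or cache. The DC address, host name and realm are taken from the thread; the SRV record names are the standard AD ones and are an assumption of this script, as are the constructed sample answers used for the offline self-test.

```shell
#!/bin/sh
# Added example, not from the thread: ask the DC directly for the forward
# name, the reverse (PTR) zone and the SRV records AD clients rely on, and
# accept only authoritative answers ('aa' flag) served by the DC itself.
# Values assumed from the thread: DC 10.0.2.15, realm samdom.example.com.
DC_IP="${DC_IP:-10.0.2.15}"
REALM="${REALM:-samdom.example.com}"
# dig_is_authoritative: read one dig output on stdin; succeed only if the
# status is NOERROR, the flags contain 'aa', at least one answer record
# came back, and the answering server is the DC (not a forwarder/cache).
dig_is_authoritative() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'status: NOERROR' || return 1
    printf '%s\n' "$out" | grep '^;; flags:' | grep -qw 'aa' || return 1
    printf '%s\n' "$out" | grep -q 'ANSWER: 0,' && return 1
    printf '%s\n' "$out" | grep -q "^;; SERVER: ${DC_IP}#53" || return 1
    return 0
}
# reverse_name: 10.0.2.15 -> 15.2.0.10.in-addr.arpa
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa" }'
}
# check_record TYPE NAME: query the DC with dig and report one line.
check_record() {
    if dig @"$DC_IP" "$2" "$1" | dig_is_authoritative; then
        echo "OK   $1 $2"
    else
        echo "FAIL $1 $2 (no authoritative answer from $DC_IP)"; return 1
    fi
}
# run_checks: the live check; run on the DC or on a client that uses it.
run_checks() {
    rc=0
    check_record A   "dc1.${REALM}" || rc=1
    check_record PTR "$(reverse_name "$DC_IP")" || rc=1
    check_record SRV "_ldap._tcp.${REALM}" || rc=1
    check_record SRV "_kerberos._tcp.${REALM}" || rc=1
    check_record SRV "_ldap._tcp.dc._msdcs.${REALM}" || rc=1
    return $rc
}
# Constructed samples for an offline self-test: the thread's PTR answer
# (aa set, served by the DC) versus a non-authoritative forwarded answer.
SAMPLE_PTR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62014
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; SERVER: 10.0.2.15#53(10.0.2.15)'
SAMPLE_CACHED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 10.0.2.2#53(10.0.2.2)'
if [ "${1:-}" = "--live" ]; then run_checks; fi
```

Run it with `--live` on the DC and again on a client; a FAIL on the PTR or SRV lines means those records are being answered by something other than the DC, which is exactly the situation Rowland describes.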
Bombadil
2022-May-03 16:03 UTC
[Samba] Need help for SMBv2-connection with windows clients
On Tuesday, 03.05.2022 at 13:11 +0100, Rowland Penny via samba wrote:
> I have reviewed this thread and several things got masked by the totally
> incorrect dns setup.
>
> You cannot turn off the RPC server by setting '* min protocol' on a DC; it
> is a service run from the 'server services' line and you do not have that
> line, so the defaults are used, one of which is 'rpc'.
>
> You also have numerous lines in your smb.conf that are either defaults or
> have no place in a DC smb.conf, e.g. 'wins support'.
>
> Is a firewall running and blocking the ports that a DC requires?
>
> Rowland

Maybe a misunderstanding: I never claimed to have switched off the RPC
server. Windows clients are complaining that they are not finding the RPC
server. From Linux clients 'net rpc info' gives proper results. That there
are some unusual or default options set in smb.conf is partly because of
my desperate attempt to figure out what is going wrong.

I removed now the following lines:
disable netbios = no
allow dns updates = nonsecure
nsupdate command = /usr/local/bin/nsupdate -g
wins support = yes
name resolve order = wins lmhosts bcast
dns forwarder = 10.0.2.2
(the latter just for testing, to assure that the NS on dc1 is not
communicating with the dnsmasq NS.)

But this does not change anything in the attempt to communicate from a
Windows client to the Samba AD with SMBv2. And that there is some
communication I can see with tcpdump on 'dc1', where there is always an
SMBnegprot request from 'wincli' to 'dc1' and then some potentially
encrypted answer from dc1. But apparently at some point the communication
stops prematurely.

Any clues what can be wrong in the dns setup, when hostname lookups and
reverse lookups give the results as expected?

Helmut