Elias Pereira
2024-Jan-03  17:42 UTC
[Samba] {Device Timeout} The I/O operation specified in %hs was not completed before the timeout period expired
> > and not between your DCs.

You're right. If it's on the same network/vlan, it doesn't go through the gateway/firewall.

On Wed, Jan 3, 2024 at 2:37 PM Elias Pereira <empbilly at gmail.com> wrote:
> Yes and you need more than those ports, see here:
>
> Yes, I checked the link before testing the ports. The only ones I left out in
> the first test, were the 49152-65535 range.
>
> root at dc2:~# netstat -plaunt | egrep "ntp|bind|named|samba|?mbd"
> https://pastebin.com/raw/NbECKVB8
>
>> Where does pfsense come into this ? From my understanding, pfsense is a
>> firewall/router device and should be between your DCs and the internet
>> and not between your DCs.
>
> By default, pfsense starts blocking everything and we have to allow/open what
> we really need.
>
> On Wed, Jan 3, 2024 at 1:54 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Wed, 3 Jan 2024 13:30:48 -0300
>> Elias Pereira <empbilly at gmail.com> wrote:
>>
>> > > Is dns configured correctly ?
>> >
>> > root at dc2:~# cat /etc/resolv.conf
>> > search campus.sertao.ifrs.edu.br
>> > nameserver 200.xxx.xxx.163 (*own IP*)
>> >
>> > root at dc3:~# cat /etc/resolv.conf
>> > search campus.sertao.ifrs.edu.br
>> > nameserver 200.xxx.xxx.160 (*own IP*)
>> >
>> > > Is a firewall running and if so, are all the
>> > > required ports open ?
>> >
>> > We use pfsense and there's a rule allow everything between the DCs.
>> > Anyway, I checked the logs while I was running the replicate command,
>> > and nothing appeared in the logs.
>> >
>> > but strangely, some ports are closed... O.o
>> >
>> > PORT STATE SERVICE VERSION
>> > 53/tcp open domain (unknown banner: non3)
>> > 88/tcp open kerberos-sec (server time: 2024-01-03 16:19:09Z)
>> > *123/tcp closed ntp*
>> > 135/tcp open msrpc Microsoft Windows RPC
>> > *137/tcp closed netbios-ns*
>> > *138/tcp closed netbios-dgm*
>> > 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: CAMPUS)
>> > 389/tcp open ldap (Anonymous bind OK)
>> > 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: CAMPUS)
>> > 464/tcp open kpasswd5?
>> > 636/tcp open ssl/ldap (Anonymous bind OK)
>> > 3268/tcp open ldap (Anonymous bind OK)
>> > 3269/tcp open ssl/ldap (Anonymous bind OK)
>> >
>> > Do closed ports affect replication?
>>
>> Yes and you need more than those ports, see here:
>>
>> https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
>>
>> Where does pfsense come into this ? From my understanding, pfsense is a
>> firewall/router device and should be between your DCs and the internet
>> and not between your DCs.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> --
> Elias Pereira

--
Elias Pereira
Rowland Penny
2024-Jan-03  17:57 UTC
[Samba] {Device Timeout} The I/O operation specified in %hs was not completed before the timeout period expired
On Wed, 3 Jan 2024 14:42:54 -0300
Elias Pereira <empbilly at gmail.com> wrote:

> > > > and not between your DCs.
>
> You're right. If it's on the same network/vlan, it doesn't go through
> the gateway/firewall.
>

I am not sure what you are trying to say, but your pfsense device shouldn't come into your AD domain dns. Your AD clients (and this includes the DCs) should look to AD to find each other and anything outside the AD dns domain should be forwarded to a dns server outside the AD domain. If you are going to use a firewall, it should be a software type running on each DC/AD client.

Rowland
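The TCP-only scan Elias posted and Rowland's pointer to the port-usage page are what this added example checks; it is not code from the thread or from the Samba project. It assumes the port/protocol table on the linked wiki page (reproduced here from memory, so verify it against the page for your Samba version) and runs over a constructed scan in the shape of the one in the thread, reporting which required ports are open, blocked, or never probed, and which "closed" results belong to UDP-only services that a TCP scan cannot see.

```python
import re
# Ports one DC needs on another DC, per the Samba wiki "Samba AD DC Port Usage" page
# linked in the thread (assumed current; check that page for your Samba version).
REQUIRED = {
    "53/tcp": "DNS", "53/udp": "DNS", "88/tcp": "Kerberos", "88/udp": "Kerberos",
    "123/udp": "NTP", "135/tcp": "RPC endpoint mapper", "139/tcp": "NetBIOS session",
    "137/udp": "NetBIOS name service", "138/udp": "NetBIOS datagram",
    "389/tcp": "LDAP", "389/udp": "CLDAP", "445/tcp": "SMB",
    "464/tcp": "kpasswd", "464/udp": "kpasswd", "636/tcp": "LDAPS",
    "3268/tcp": "Global catalog", "3269/tcp": "Global catalog (TLS)",
}
# Matches "123/tcp closed ntp", with or without the "*" markers seen in the thread.
SCAN_LINE = re.compile(r"^\*?(\d+)/(tcp|udp)\s+(open|closed|filtered)\b")

def parse_scan(text):
    """Return {'port/proto': state} from nmap-style 'PORT STATE SERVICE' lines."""
    states = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            states[f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return states

def audit(states):
    """Sort required ports into open/blocked/unchecked; flag closed ports no service needs."""
    report = {"open": [], "blocked": [], "unchecked": [], "ignorable": []}
    for key in REQUIRED:
        state = states.get(key)
        bucket = "unchecked" if state is None else ("open" if state == "open" else "blocked")
        report[bucket].append(key)
    # e.g. 123/tcp closed: NTP only speaks UDP, so this tells you nothing about 123/udp
    report["ignorable"] = [k for k, s in states.items() if s != "open" and k not in REQUIRED]
    if not any(k.endswith("/tcp") and 49152 <= int(k.split("/")[0]) <= 65535 for k in states):
        report["unchecked"].append("49152-65535/tcp")  # dynamic RPC range never probed
    return report

# Constructed sample in the shape of the TCP-only scan quoted in the thread.
SAMPLE_SCAN = """\
53/tcp open domain
88/tcp open kerberos-sec
*123/tcp closed ntp*
135/tcp open msrpc
*137/tcp closed netbios-ns*
*138/tcp closed netbios-dgm*
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open netbios-ssn
464/tcp open kpasswd5?
636/tcp open ssl/ldap
3268/tcp open ldap
3269/tcp open ssl/ldap
"""
```

Running `audit(parse_scan(SAMPLE_SCAN))` on the sample shows nothing blocked, the three "closed" TCP ports as ignorable, and every UDP port plus the dynamic RPC range as unchecked, which is why a TCP-only scan cannot answer "do closed ports affect replication?".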