[Samba] Very strange behaviour of the NAS

Lars Hanke debian at lhanke.de
Mon Jan 26 11:37:00 MST 2015 

Recently I suddenly lose all permissions both for SMB and NFS4 on my 
Synology NAS.And similarly after poking some time in muddy waters, it 
suddenly works again. The NAS runs Samba 3.6.9.

What I found, when the permissions were gone:

1. id user still working, didn't work last time so I assume a caching 
issue here

2. wbinfo -u same as above. This time still worked, last time only 
reported local accounts

3. wbinfo -t
checking the trust secret for domain AD via RPC calls failed
error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

4. net ads testjoin
kerberos_kinit_password URDABORN$@AD.MICROSULT.DE failed: Client not 
found in Kerberos database
kerberos_kinit_password URDABORN$@AD.MICROSULT.DE failed: Client not 
found in Kerberos database
Join to domain is not valid: Improperly formed account name

5. kinit Administrator
Password for Administrator at AD.MICROSULT.DE:
Warning: Your password will expire in 2 hours on Mon Jan 26 21:38:17 2015

Oops, so I changed the password using a different client, which was OK 
during that time. After I tried on that client:

6. kinit -c tmp.tkt Administrator
Password for Administrator at AD.MICROSULT.DE:
Warning: Your password will expire in 41 days on Mon Mar  9 19:07:20 2015

Alright, this was to expect. Back on the NAS even after restarting Samba:

7. kinit Administrator
Password for Administrator at AD.MICROSULT.DE:
Warning: Your password will expire in 2 hours on Mon Jan 26 21:38:17 2015

Oops - well, close eyes and continue. We have a valid password for 
another 2 hours ...:(


8. net ads leave -U Administrator
Enter Administrator's password:
Failed to leave domain: failed to leave realm: No such file or directory

Which directory is ittalking about? So we try to join, since it might 
take over the account.

9. net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- AD
Joined 'URDABORN' to realm 'ad.microsult.de'
DNS Update for urdaborn.ad.microsult.de failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!

Well, checked the DNS that it still serves forward and reverse mapping 
of the NAS and it does. The NAS unfortunately neither has hst nor dig.

10. kinit Administrator
Password for Administrator at AD.MICROSULT.DE:
Warning: Your password will expire in 2 hours on Mon Jan 26 21:38:17 2015

11. net ads testjoin
Join is OK

12. wbinfo -t
checking the trust secret for domain AD via RPC calls succeeded

Okay,write this question to the list ...

13. kinit Administrator
Password for Administrator at AD.MICROSULT.DE:
Warning: Your password will expire in 41 days on Mon Mar  9 19:07:20 2015

This log is somewhat shortened. I iterated the commands shown here and 
several restarts of samba. 8.-13. are exactly how I typed.

This is not solved, since something quite similar happened yesterday. I 
may have fixed it by joining the domain using the DSM GUI. If this now 
happens every day or each lifetime of a ticket, I'm in deep trouble. 
Moreover the NAS worked flawlessly for a couple of months until 
yesterday. I'm not aware of any recent changes before yesterday.

Any ideas how to circle the issue?

Thanks,
  - lars.

More information about the samba mailing list