[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed May 11 15:52:47 UTC 2016


I have a Synology NAS array appliance. It is linux based and uses 
samba for file sharing. Normally the config is done via a gui 
interface but you can ssh to the array. The domain controllers are 
running Samba 3.6.x in classic domain mode. I have member servers 
running 3.6.x and 4.3.8. No problem.


I recently updated the Synology "OS." The current version of samba is 
Version 4.1.20. I don't know what the previous version was. After 
the upgrade the NAS could not rejoin the domain.


From the command line "net rpc join" failed with a SIG error. The new 
version of samba defaulted to requiring client and server signing. This 
was easily fixed by updating the NAS smb.conf with



     client signing=disabled
     client ipc signing=disabled

     server signing=disabled



The following also seemed legit

     client signing=default
     client ipc signing=default

     server signing=default



If I deleted and recreated the machine account on the DC I could rejoin 
the domain.  However testing the join fails.



     root@mynas:/# net rpc join -U "MYDOMAIN\Administrator"
     Joined domain MYDOMAIN.

     root@mynas:/# net rpc testjoin
     dcerpc_netr_LogonGetCapabilities_r_recv failed with NT_STATUS_INVALID_PARAMETER
     cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed with error NT_STATUS_INVALID_PARAMETER
     net_rpc_join_ok: failed to open schannel session on netlogon pipe to server MYPDC for domain MYDOMAIN. Error was NT_STATUS_INVALID_PARAMETER
     Join to domain 'MYDOMAIN' is not valid: NT_STATUS_INVALID_PARAMETER
     root@mynas:/#



The \\netlogon share on the PDC is open to guest access.


log files on the PDC show

   192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user smb_nobody (uid=90001, gid=90001) (pid 19408)

...

[2016/05/11 11:46:22.733380,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
   init_sam_from_ldap: Entry found for user: MYNAS$
[2016/05/11 11:46:22.738212,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
   init_group_from_ldap: Entry found for group: 515

...

[2016/05/11 11:46:22.741400,  3] rpc_server/srv_pipe.c:339(check_bind_req)
   check_bind_req for \netlogon
[2016/05/11 11:46:22.741423,  3] rpc_server/srv_pipe.c:346(check_bind_req)
   check_bind_req: \PIPE\netlogon -> \PIPE\netlogon
[2016/05/11 11:46:22.741482,  3] ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb)
   schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/MYNAS
[2016/05/11 11:46:22.741539,  3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
   free_pipe_context: destroying talloc pool of size 23
[2016/05/11 11:46:22.743059,  3] smbd/process.c:1609(process_smb)
   Transaction 9 of length 328 (0 toread)
[2016/05/11 11:46:22.743106,  3] smbd/process.c:1414(switch_message)
   switch message SMBtrans (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.743133,  3] smbd/ipc.c:560(handle_trans)
   trans <\PIPE\> data=240 params=0 setup=2
[2016/05/11 11:46:22.743164,  3] smbd/ipc.c:511(named_pipe)
   named pipe command on <> name
[2016/05/11 11:46:22.743187,  3] smbd/ipc.c:475(api_fd_reply)
   Got API command 0x26 on pipe "netlogon" (pnum 281f)
[2016/05/11 11:46:22.743235,  3] rpc_server/srv_pipe.c:1626(api_rpcTNP)
   api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES
[2016/05/11 11:46:22.743307,  3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
   free_pipe_context: destroying talloc pool of size 23
[2016/05/11 11:46:22.744850,  3] smbd/process.c:1609(process_smb)
   Transaction 10 of length 45 (0 toread)
[2016/05/11 11:46:22.744896,  3] smbd/process.c:1414(switch_message)
   switch message SMBclose (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.744929,  3] smbd/reply.c:4860(reply_close)
   close fd=-1 fnum=10271 (numopen=2)
[2016/05/11 11:46:22.746251,  3] smbd/process.c:1609(process_smb)
   Transaction 11 of length 45 (0 toread)
[2016/05/11 11:46:22.746298,  3] smbd/process.c:1414(switch_message)
   switch message SMBclose (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.746322,  3] smbd/reply.c:4860(reply_close)
   close fd=-1 fnum=10270 (numopen=1)
[2016/05/11 11:46:22.746790,  3] smbd/process.c:1609(process_smb)
   Transaction 12 of length 39 (0 toread)
[2016/05/11 11:46:22.746841,  3] smbd/process.c:1414(switch_message)
   switch message SMBtdis (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.746879,  3] smbd/service.c:1378(close_cnum)
   192.168.3.216 (192.168.3.216) closed connection to service IPC$
[2016/05/11 11:46:22.746906,  3] smbd/connection.c:35(yield_connection)
   Yielding connection to IPC$
[2016/05/11 11:46:22.747527,  3] smbd/server_exit.c:181(exit_server_common)
   Server exit (failed to receive smb request)



So the NAS is authenticating to the domain controller.




On the PDC (Samba 3.6.x), testparm -v shows

             min protocol = CORE
             max protocol = NT1

On the NAS, testparm -v shows


     server min protocol = CORE
     client min protocol = CORE
     server max protocol = NT1
     client max protocol = SMB3
     client ipc signing = No

(I have had problems with SMB2 even though samba 3.6.x, Win 7 and Win 2008 
should support it.)


On my working samba 4.x system (on fedora core 23), testparm -v shows


     server min protocol = LANMAN1
     min protocol = LANMAN1
     client min protocol = CORE
     client ipc max protocol = default
     client ipc min protocol = default
     client ipc signing = default




Appreciate any advice.


Thanks
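The workaround in the post trades away SMB signing to get the join working, and the testparm output shows both machines still allowing SMB1 dialects (CORE, NT1). The following is an added example, not code from the post or from the Samba project: a small audit script that parses an smb.conf, flags explicit `disabled`-style values for the three signing options quoted above, and flags any `min protocol` setting that admits an SMB1 dialect. `default` is left alone since it keeps Samba's negotiated behaviour. The embedded smb.conf is a constructed sample built from the settings quoted in the post; the function names and the treatment of `no`/`false`/`off` as synonyms for `disabled` are this example's own assumptions.

```python
"""Hypothetical smb.conf audit: flag disabled SMB signing and SMB1 minimum protocols."""
import re

# Signing options as named in smb.conf, and the values treated here as "signing off".
SIGNING_OPTIONS = ("client signing", "client ipc signing", "server signing")
WEAK_SIGNING_VALUES = {"disabled", "no", "false", "off"}

# Minimum-protocol options; any of these dialects means SMB1 is still negotiable.
MIN_PROTOCOL_OPTIONS = ("min protocol", "server min protocol", "client min protocol")
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Constructed sample mirroring the post's workaround (not a real deployment file).
SAMPLE_SMB_CONF = """
[global]
   workgroup = MYDOMAIN
   security = domain
   ; signing workaround copied from the failing-join scenario
   client signing=disabled
   client ipc signing=disabled
   server signing = default
   min protocol = CORE
   client max protocol = SMB3

[data]
   path = /volume1/data
   read only = no
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised key: value}}.

    Keys are lower-cased with internal whitespace collapsed, so
    'Client  Signing' and 'client signing' are the same option.
    Lines starting with '#' or ';' are comments; options before any
    [section] header are treated as [global].
    """
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # not a key = value line; ignore
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return a list of (option, value, reason) findings for the [global] section."""
    global_opts = parse_smb_conf(text).get("global", {})
    findings = []
    for opt in SIGNING_OPTIONS:
        value = global_opts.get(opt)
        if value is not None and value.lower() in WEAK_SIGNING_VALUES:
            findings.append((opt, value, "SMB signing explicitly turned off"))
    for opt in MIN_PROTOCOL_OPTIONS:
        value = global_opts.get(opt)
        if value is not None and value.upper() in SMB1_DIALECTS:
            findings.append((opt, value, "SMB1 dialect still negotiable"))
    return findings


if __name__ == "__main__":
    for option, value, reason in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"{option} = {value}: {reason}")
```

Run against the sample, the script reports the two signing options set to `disabled` and the `min protocol = CORE` line, while `server signing = default` and the SMB3 client maximum pass. Pointing `audit_smb_conf` at the real file (`open('/etc/samba/smb.conf').read()`) gives a quick check after an upgrade-driven config edit like the one in the post.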






