[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue May 17 20:16:00 UTC 2016
I stand corrected.
On the NAS, "net rpc testjoin" validates the domain. However, I cannot
connect to shares on the NAS as a network user. Smbclient shows the
following:
-> smbclient -L \\mynas -U myname
Enter myname's password:
session setup failed: NT_STATUS_DOWNGRADE_DETECTED
->
The Synology documentation does indicate recent patches were to fix
Badlock. Presuming Synology backported the patch to an older
version or recompiled to mitigate.
mynas:/$ smbd -V
Version 4.1.20
Synology Build 7321, May 4 2016 11:48:15
mynas:/$
On 05/16/16 14:36, Gaiseric Vandal wrote:
> On both the synology (samba 4.1.20) and PDC (samba 3.6.25) testparm
> showed
>
> client schannel = Auto
> server schannel = Auto
>
>
> I don't know if the server even supports schannel. Maybe it
> doesn't and all the clients successfully negotiated not to use it.
> On the synology, I set
>
> client schannel = no
>
>
> This fixed my domain membership issue. Although possibly weakening
> security on the Synology? Or possibly revealing a problem with
> schannel on my PDC. I realize both versions of Samba are end-of-life.
>
>
> On 05/12/16 02:26, henri transfert wrote:
>> Hi,
>>
>> I am not sure it's the same issue, but I had a similar problem when
>> upgrading from DSM 5.x to 6.0 : error after domain join : "Connection
>> failed. Please check your network settings" .
>>
>> With the help of the (very efficient) Synology support, we solved the
>> problem by uninstalling an old Cluster HA DSM package that was
>> installed on
>> the NAS but not used.
>>
>> Just in case it could help.
>>
>> Henri
>>
>>
>> 2016-05-11 19:52 GMT+04:00 Gaiseric Vandal <gaiseric.vandal at gmail.com>:
>>
>>> I have a Synology NAS array appliance. It is Linux based and uses Samba
>>> for file sharing. Normally the config is done via a GUI interface, but you
>>> can ssh to the array. The domain controllers are running Samba 3.6.x in
>>> classic domain mode. I have member servers running 3.6.x and 4.3.8, no
>>> problem.
>>>
>>>
>>> I recently updated the Synology "OS." The current version of Samba is
>>> Version 4.1.20. I don't know what the previous version was. After the
>>> upgrade the NAS could not rejoin the domain.
>>>
>>>
>>> From the command line "net rpc join" failed with a SIG error. The new
>>> version of Samba defaulted to requiring client and server signing. This
>>> was easily fixed by updating the NAS smb.conf with
>>>
>>>
>>>
>>> client signing=disabled
>>> client ipc signing=disabled
>>>
>>> server signing=disabled
>>>
>>>
>>>
>>> The following also seemed legit
>>>
>>> client signing=default
>>> client ipc signing=default
>>>
>>> server signing=default
>>>
>>>
>>>
>>> If I deleted and recreated the machine account on the DC I could rejoin
>>> the domain. However testing the join fails.
>>>
>>>
>>>
>>> root@mynas:/# net rpc join -U "MYDOMAIN\Administrator"
>>> Joined domain MYDOMAIN.
>>>
>>>
>>>
>>> root@mynas:/# net rpc testjoin
>>> dcerpc_netr_LogonGetCapabilities_r_recv failed with NT_STATUS_INVALID_PARAMETER
>>> cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed
>>> with error NT_STATUS_INVALID_PARAMETER
>>> net_rpc_join_ok: failed to open schannel session on netlogon
>>> pipe to server MYPDC for domain MYDOMAIN. Error was NT_STATUS_INVALID_PARAMETER
>>> Join to domain 'MYDOMAIN' is not valid: NT_STATUS_INVALID_PARAMETER
>>> root@mynas:/#
>>>
>>>
>>>
>>> The \\netlogon share on the PDC is open to guest access.
>>>
>>>
>>> log files on the PDC show
>>>
>>> 192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user
>>> smb_nobody (uid=90001, gid=90001) (pid 19408)
>>>
>>> ...
>>>
>>> [2016/05/11 11:46:22.733380, 2]
>>> passdb/pdb_ldap.c:553(init_sam_from_ldap)
>>> init_sam_from_ldap: Entry found for user: MYNAS$
>>> [2016/05/11 11:46:22.738212, 2]
>>> passdb/pdb_ldap.c:2427(init_group_from_ldap)
>>> init_group_from_ldap: Entry found for group: 515
>>>
>>> ...
>>>
>>> [2016/05/11 11:46:22.741400, 3]
>>> rpc_server/srv_pipe.c:339(check_bind_req)
>>> check_bind_req for \netlogon
>>> [2016/05/11 11:46:22.741423, 3]
>>> rpc_server/srv_pipe.c:346(check_bind_req)
>>> check_bind_req: \PIPE\netlogon -> \PIPE\netlogon
>>> [2016/05/11 11:46:22.741482, 3]
>>> ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb)
>>> schannel_fetch_session_key_tdb: restored schannel info key
>>> SECRETS/SCHANNEL/MYNAS
>>> [2016/05/11 11:46:22.741539, 3]
>>> rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
>>> free_pipe_context: destroying talloc pool of size 23
>>> [2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb)
>>> Transaction 9 of length 328 (0 toread)
>>> [2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message)
>>> switch message SMBtrans (pid 19408) conn 0x88830a8
>>> [2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans)
>>> trans <\PIPE\> data=240 params=0 setup=2
>>> [2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe)
>>> named pipe command on <> name
>>> [2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply)
>>> Got API command 0x26 on pipe "netlogon" (pnum 281f)
>>> [2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP)
>>> api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES
>>> [2016/05/11 11:46:22.743307, 3]
>>> rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
>>> free_pipe_context: destroying talloc pool of size 23
>>> [2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb)
>>> Transaction 10 of length 45 (0 toread)
>>> [2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message)
>>> switch message SMBclose (pid 19408) conn 0x88830a8
>>> [2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close)
>>> close fd=-1 fnum=10271 (numopen=2)
>>> [2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb)
>>> Transaction 11 of length 45 (0 toread)
>>> [2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message)
>>> switch message SMBclose (pid 19408) conn 0x88830a8
>>> [2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close)
>>> close fd=-1 fnum=10270 (numopen=1)
>>> [2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb)
>>> Transaction 12 of length 39 (0 toread)
>>> [2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message)
>>> switch message SMBtdis (pid 19408) conn 0x88830a8
>>> [2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum)
>>> 192.168.3.216 (192.168.3.216) closed connection to service IPC$
>>> [2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection)
>>> Yielding connection to IPC$
>>> [2016/05/11 11:46:22.747527, 3]
>>> smbd/server_exit.c:181(exit_server_common)
>>> Server exit (failed to receive smb request)
>>>
>>>
>>>
>>> So the NAS is authenticating to the domain controller.
>>>
>>>
>>>
>>>
>>> On the PDC (Samba 3.6.x) , testparm -v shows
>>>
>>> min protocol = CORE
>>> max protocol = NT1
>>>
>>> On the NAS , testparm -v shows
>>>
>>>
>>> server min protocol = CORE
>>> client min protocol = CORE
>>> server max protocol = NT1
>>> client max protocol = SMB3
>>> client ipc signing = No
>>>
>>> (I have had problems with SMB2 even though Samba 3.6.x, Win 7 and Win 2008
>>> should support it.)
>>>
>>>
>>> On my working samba 4.x system (on fedora core 23), testparm -v shows
>>>
>>>
>>> server min protocol = LANMAN1
>>> min protocol = LANMAN1
>>> client min protocol = CORE
>>> client ipc max protocol = default
>>> client ipc min protocol = default
>>> client ipc signing = default
>>>
>>>
>>>
>>>
>>> Appreciate any advice.
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>
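Added example, not part of the thread and not Synology's or the Samba project's code. The thread gets the join working by turning off schannel, SMB signing and (by leaving the defaults) any SMB1 floor, which is exactly what the newer client's NT_STATUS_DOWNGRADE_DETECTED check is there to refuse. The POSIX sh script below reads an smb.conf (or the output of `testparm -s`) and reports each parameter whose value weakens the netlogon/SMB trust: `client schannel`/`server schannel` set to no, any of the signing parameters set to disabled, and min/max protocol values that keep the server on SMB1 dialects. The parameter names are Samba's documented smb.conf keys; the two sample configs are constructed, the weak one mirroring the values quoted above, and the helper names (`audit_smb_conf`, `weak_count`) are this example's own.

```shell
#!/bin/sh
# Audit an smb.conf for the trust-weakening settings discussed in the thread.
# Constructed sample 1: the NAS as configured to make the join succeed.
SAMPLE_WEAK=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = domain
   ; values quoted in the thread
   client schannel = no
   client signing = disabled
   client ipc signing = disabled
   server signing = disabled
   server min protocol = CORE
   client min protocol = CORE
   server max protocol = NT1
   client max protocol = SMB3
EOF

# Constructed sample 2: the same member with the defaults put back and SMB1 off.
SAMPLE_HARDENED=$(mktemp)
cat > "$SAMPLE_HARDENED" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = domain
   client schannel = yes
   server schannel = yes
   client signing = mandatory
   server signing = mandatory
   server min protocol = SMB2_02
   client min protocol = SMB2_02
EOF
trap 'rm -f "$SAMPLE_WEAK" "$SAMPLE_HARDENED"' EXIT

# audit_smb_conf FILE: print one "WEAK:" line per risky parameter/value pair.
audit_smb_conf() {
    while IFS= read -r line; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        # skip blanks, comments and section headers
        case "$trimmed" in ''|'#'*|';'*|'['*) continue ;; esac
        # key = text before '=', value = text after it, both lower-cased
        key=$(printf '%s' "$trimmed" | sed 's/[[:space:]]*=.*$//' | tr 'A-Z' 'a-z')
        val=$(printf '%s' "$trimmed" | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        case "$key" in
            'client schannel'|'server schannel')
                if [ "$val" = no ]; then
                    echo "WEAK: $key = $val (netlogon secure channel disabled)"
                fi ;;
            'client signing'|'client ipc signing'|'server signing')
                case "$val" in
                    disabled|no|off|false)
                        echo "WEAK: $key = $val (SMB signing disabled)" ;;
                esac ;;
            'min protocol'|'server min protocol'|'client min protocol'|'client ipc min protocol')
                case "$val" in
                    core|coreplus|lanman1|lanman2|nt1)
                        echo "WEAK: $key = $val (SMB1 dialects still accepted)" ;;
                esac ;;
            'max protocol'|'server max protocol'|'client max protocol'|'client ipc max protocol')
                case "$val" in
                    core|coreplus|lanman1|lanman2|nt1)
                        echo "WEAK: $key = $val (capped at SMB1, no SMB2/3 signing or encryption)" ;;
                esac ;;
        esac
    done < "$1"
    return 0
}

# weak_count FILE: number of findings, for use in scripts and checks.
weak_count() {
    audit_smb_conf "$1" | wc -l | tr -d ' '
}

echo "== constructed weak config =="
audit_smb_conf "$SAMPLE_WEAK"
echo "findings: $(weak_count "$SAMPLE_WEAK")"
echo "== constructed hardened config =="
audit_smb_conf "$SAMPLE_HARDENED"
echo "findings: $(weak_count "$SAMPLE_HARDENED")"
```

Run it against a live box with `testparm -s 2>/dev/null > /tmp/smb.expanded && sh audit.sh` after pointing the audit at that file; `testparm -s` expands the effective globals, so a `client schannel = no` hidden in an included file still shows up. On the weak sample the script reports seven findings (four schannel/signing lines, two SMB1 floors, one SMB1 ceiling) and none on the hardened one.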