[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri May 27 16:30:59 UTC 2016


I rolled my appliance back to DSM 6 (no updates) which resolved the
issue. The BADLOCK update was applied in DSM 6u1.

On 05/12/16 02:26, henri transfert wrote:
> Hi,
>
> I am not sure it's the same issue, but I had a similar problem when
> upgrading from DSM 5.x to 6.0: error after domain join: "Connection
> failed. Please check your network settings".
>
> With the help of the (very efficient) Synology support, we solved the
> problem by uninstalling an old Cluster HA DSM package that was installed on
> the NAS but not used.
>
> Just in case it could help.
>
> Henri
>
>
> 2016-05-11 19:52 GMT+04:00 Gaiseric Vandal <gaiseric.vandal at gmail.com>:
>
>> I have a Synology NAS array appliance. It is Linux-based and uses samba
>> for file sharing. Normally the config is done via a GUI interface but you
>> can ssh to the array. The domain controllers are running Samba 3.6.x in
>> classic domain mode. I have member servers running 3.6.x and 4.3.8. No
>> problem.
>>
>>
>> I recently updated the Synology "OS." The current version of samba is
>> Version 4.1.20. I don't know what the previous version was. After the
>> upgrade the NAS could not rejoin the domain.
>>
>>
>> From the command line "net rpc join" failed with a SIG error. The new
>> version of samba defaulted to requiring client and server signing. This
>> was easily fixed by updating the NAS smb.conf with
>>
>>
>>
>>      client signing=disabled
>>      client ipc signing=disabled
>>
>>      server signing=disabled
>>
>>
>>
>> The following also seemed legit
>>
>>      client signing=default
>>      client ipc signing=default
>>
>>      server signing=default
>>
>>
>>
>> If I deleted and recreated the machine account on the DC I could rejoin
>> the domain. However, testing the join fails.
>>
>>
>>
>>               root at mynas:/# net rpc join -U "MYDOMAIN\Administrator"
>>              Joined domain MYDOMAIN.
>>
>>
>>
>>              root at mynas:/#net rpc testjoin
>>              dcerpc_netr_LogonGetCapabilities_r_recv failed with
>> NT_STATUS_INVALID_PARAMETER
>>              cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed
>> with error NT_STATUS_INVALID_PARAMETER
>>              net_rpc_join_ok: failed to open schannel session on netlogon
>> pipe to server MYPDC for domain MYDOMAIN. Error was
>> NT_STATUS_INVALID_PARAMETER
>>              Join to domain 'MYDOMAIN' is not valid:
>> NT_STATUS_INVALID_PARAMETER
>>              root at mynas:/#
>>
>>
>>
>> The \\netlogon share on the PDC is open to guest access.
>>
>>
>> log files on the PDC show
>>
>>    192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user
>> smb_nobody (uid=90001, gid=90001) (pid 19408)
>>
>> ...
>>
>> [2016/05/11 11:46:22.733380,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
>>    init_sam_from_ldap: Entry found for user: MYNAS$
>> [2016/05/11 11:46:22.738212,  2]
>> passdb/pdb_ldap.c:2427(init_group_from_ldap)
>>    init_group_from_ldap: Entry found for group: 515
>>
>> ...
>>
>> [2016/05/11 11:46:22.741400,  3] rpc_server/srv_pipe.c:339(check_bind_req)
>>    check_bind_req for \netlogon
>> [2016/05/11 11:46:22.741423,  3] rpc_server/srv_pipe.c:346(check_bind_req)
>>    check_bind_req: \PIPE\netlogon -> \PIPE\netlogon
>> [2016/05/11 11:46:22.741482,  3]
>> ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb)
>>    schannel_fetch_session_key_tdb: restored schannel info key
>> SECRETS/SCHANNEL/MYNAS
>> [2016/05/11 11:46:22.741539,  3]
>> rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
>>    free_pipe_context: destroying talloc pool of size 23
>> [2016/05/11 11:46:22.743059,  3] smbd/process.c:1609(process_smb)
>>    Transaction 9 of length 328 (0 toread)
>> [2016/05/11 11:46:22.743106,  3] smbd/process.c:1414(switch_message)
>>    switch message SMBtrans (pid 19408) conn 0x88830a8
>> [2016/05/11 11:46:22.743133,  3] smbd/ipc.c:560(handle_trans)
>>    trans <\PIPE\> data=240 params=0 setup=2
>> [2016/05/11 11:46:22.743164,  3] smbd/ipc.c:511(named_pipe)
>>    named pipe command on <> name
>> [2016/05/11 11:46:22.743187,  3] smbd/ipc.c:475(api_fd_reply)
>>    Got API command 0x26 on pipe "netlogon" (pnum 281f)
>> [2016/05/11 11:46:22.743235,  3] rpc_server/srv_pipe.c:1626(api_rpcTNP)
>>    api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES
>> [2016/05/11 11:46:22.743307,  3]
>> rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
>>    free_pipe_context: destroying talloc pool of size 23
>> [2016/05/11 11:46:22.744850,  3] smbd/process.c:1609(process_smb)
>>    Transaction 10 of length 45 (0 toread)
>> [2016/05/11 11:46:22.744896,  3] smbd/process.c:1414(switch_message)
>>    switch message SMBclose (pid 19408) conn 0x88830a8
>> [2016/05/11 11:46:22.744929,  3] smbd/reply.c:4860(reply_close)
>>    close fd=-1 fnum=10271 (numopen=2)
>> [2016/05/11 11:46:22.746251,  3] smbd/process.c:1609(process_smb)
>>    Transaction 11 of length 45 (0 toread)
>> [2016/05/11 11:46:22.746298,  3] smbd/process.c:1414(switch_message)
>>    switch message SMBclose (pid 19408) conn 0x88830a8
>> [2016/05/11 11:46:22.746322,  3] smbd/reply.c:4860(reply_close)
>>    close fd=-1 fnum=10270 (numopen=1)
>> [2016/05/11 11:46:22.746790,  3] smbd/process.c:1609(process_smb)
>>    Transaction 12 of length 39 (0 toread)
>> [2016/05/11 11:46:22.746841,  3] smbd/process.c:1414(switch_message)
>>    switch message SMBtdis (pid 19408) conn 0x88830a8
>> [2016/05/11 11:46:22.746879,  3] smbd/service.c:1378(close_cnum)
>>    192.168.3.216 (192.168.3.216) closed connection to service IPC$
>> [2016/05/11 11:46:22.746906,  3] smbd/connection.c:35(yield_connection)
>>    Yielding connection to IPC$
>> [2016/05/11 11:46:22.747527,  3] smbd/server_exit.c:181(exit_server_common)
>>    Server exit (failed to receive smb request)
>>
>>
>>
>> So the NAS is authenticating to the domain controller.
>>
>>
>>
>>
>> On the PDC (Samba 3.6.x), testparm -v shows
>>
>>              min protocol = CORE
>>              max protocol = NT1
>>
>> On the NAS, testparm -v shows
>>
>>
>>       server min protocol = CORE
>>      client min protocol = CORE
>>      server max protocol = NT1
>>      client max protocol = SMB3
>>      client ipc signing = No
>>
>> (I have had problems with SMB2 even though samba 3.6.x, Win 7 and Win 2008
>> should support it.)
>>
>>
>> On my working samba 4.x system (on fedora core 23), testparm -v shows
>>
>>
>>      server min protocol = LANMAN1
>>      min protocol = LANMAN1
>>      client min protocol = CORE
>>      client ipc max protocol = default
>>      client ipc min protocol = default
>>      client ipc signing = default
>>
>>
>>
>>
>> Appreciate any advice.
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>>
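
The host-by-host testparm -v comparison in the quoted message, as an added example that is not part of the original posts: it parses the output, lists the settings that turn signing off or keep a host on SMB1-era dialects, and shows which parameters differ between two hosts. The sample text is constructed from the values quoted above; the OFF spellings and the dialect ordering are assumptions about how Samba reads these values.

```python
import re

SIGNING = ("client signing", "client ipc signing", "server signing")
OFF = {"no", "false", "0", "off", "disabled"}  # assumed equivalent spellings of "disabled"
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1", "SMB2", "SMB3"]  # oldest first

# Constructed samples, built from the testparm -v values quoted in the thread.
NAS = """
    server min protocol = CORE
    client min protocol = CORE
    server max protocol = NT1
    client max protocol = SMB3
    client ipc signing = No
"""
FEDORA = """
    server min protocol = LANMAN1
    min protocol = LANMAN1
    client min protocol = CORE
    client ipc max protocol = default
    client ipc min protocol = default
    client ipc signing = default
"""

def parse(text):
    """Return {parameter: value} from 'name = value' lines; names are lower-cased."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=#;\[]+?)\s*=\s*(.*?)\s*$", line)
        if m:
            out[" ".join(m.group(1).lower().split())] = m.group(2)
    return out

def findings(params):
    """List settings that switch signing off or keep the host on SMB1-era dialects."""
    found = []
    for key, val in sorted(params.items()):
        if key in SIGNING and val.lower() in OFF:
            found.append(f"{key}: signing off ({val})")
        elif key.endswith("max protocol") and val.upper() in DIALECTS[:5]:
            found.append(f"{key}: capped at {val}, no SMB2 or later")
        elif key.endswith("min protocol") and val.upper() in DIALECTS[:4]:
            found.append(f"{key}: accepts pre-NT1 dialect {val}")
    return found

def differing(a, b):
    """Parameters present in both outputs whose values differ, as (a, b) pairs."""
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k].lower() != b[k].lower()}

if __name__ == "__main__":
    nas, fedora = parse(NAS), parse(FEDORA)
    print(findings(nas), differing(nas, fedora), sep="\n")
```

Feeding it real `testparm -v` output from each host, rather than the constructed samples, gives the same comparison without reading the full parameter dump by eye.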



