[Samba] Synology NAS loses connection to Samba AD

Alexander Harm alexander.harm at apfelq.com
Wed Mar 25 10:36:13 UTC 2020


Samba DC:

# Global parameters
[global]
    log level = 1 auth_audit:3
    netbios name = KA-H9-DC01
    realm = DS.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = EXAMPLE

    dns forwarder = 10.0.1.100 10.0.1.110

    ntlm auth = mschapv2-and-ntlmv2-only

    tls enabled = yes
    tls keyfile = tls/ka-h9-dc01.key
    tls certfile = tls/ka-h9-dc01.crt
    tls cafile = tls/ds-ca.pem

[netlogon]
    path = /var/lib/samba/sysvol/ds.EXAMPLE.COM/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

NAS:

[global]
    printcap name=cups
    winbind enum groups=yes
    include=/var/tmp/nginx/smb.netbios.aliases.conf
    admin users=@EXAMPLE\Domain Admins,@EXAMPLE\Enterprise Admins
    encrypt passwords=yes
    min protocol=NT1
    security=ads
    local master=no
    realm=DS.EXAMPLE.COM
    syno sync dctime=no
    passdb backend=smbpasswd
    ldap timeout=60
    printing=cups
    max protocol=SMB3
    winbind enum users=yes
    load printers=yes
    workgroup=EXAMPLE

and in a second file:

[global]
    follow symlinks=no
    create mask=
    log level=0
    wide links=no
    rpc_server:mdssvc=external
    prev domain=EXAMPLE
    server signing=no
    msdfs root=no
    vfs objects=
    advanced_domain_option=yes
    reset on zero vc=no
    directory mask=
    syno catia=no
    veto files=
    smb2 leases=no
    btrfs clone=no
    winbind expand groups=1
    rpc_daemon:mdssd=fork
    syno wildcard search=no
    enable nt4 enum=no
    allow insecure widelinks=no
    enable veto files=no
    disable shadow copy=no



On 25. March 2020 at 11:27:22, Rowland penny via samba (samba at lists.samba.org) wrote:

On 25/03/2020 10:01, Alexander Harm via samba wrote:  
> We have two Samba DCs and a couple of Synology NAS connected/bound to the Samba AD. On a regular basis the Synology NAS (I believe Samba 4.4.16) loses its connection to the AD, outputting the error message that the domain cannot be found. In the logs of the NAS I can only find the error message “synowin: domain_test_join.c:59 net ads test join fail”.  
Well, that would seem to suggest that the NAS isn't joined to the domain  
> In the logs of the DC I notice that from one second to the other the connection seems to fail:  
>  
> [2020/03/18 00:51:45.001044, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:51:45.001031 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.0.1.100:51352] became [EXAMPLE][FILESERVER$] [S-1-5-21-1451753080-565542361-3466525082-2103]. local host [NULL]  
> [2020/03/18 00:53:49.362120, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:53:49.362103 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:10.0.1.100:51393] mapped to [EXAMPLE][FILESERVER$]. local host [NULL]  
>  
> Can anyone explain to me what happens and how to fix this?  

It does look like your NAS isn't joined to the domain, this would  
explain 'NT_STATUS_WRONG_PASSWORD'  

Can you post the smb.conf from the DC and, if possible, from the NAS.  

Rowland  
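
Added example, not part of the original thread: a Python sketch that scans Samba auth_audit entries in the human-readable format quoted above and reports machine accounts whose Kerberos pre-authentication goes from NT_STATUS_OK to NT_STATUS_WRONG_PASSWORD. The sample entries are constructed, modelled on the excerpt in the post; the `jdoe` entry and the helper `_entry` are hypothetical.

```python
import re

# Human-readable auth_audit entry as quoted in the post. The header and the
# "Auth:" message may share one line or be split across two lines.
AUTH_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]"
    r"\s*\S+\(log_authentication_event_human_readable\)\s*"
    r"Auth: \[(?P<service>[^\]]*)\] user \[[^\]]*\]\[(?P<user>[^\]]*)\]"
    r".*?status \[(?P<status>NT_STATUS_\w+)\]"
    r".*?remote host \[(?P<remote>[^\]]*)\]",
    re.DOTALL,
)

def machine_auth_flips(text):
    """Return (account, last_ok, first_failure, remote_host) for every machine
    account whose status goes from NT_STATUS_OK to NT_STATUS_WRONG_PASSWORD.
    Assumes the log text is in chronological order."""
    last_ok, flips = {}, []
    for m in AUTH_RE.finditer(text):
        account = m.group("user").split("@", 1)[0]
        if not account.endswith("$"):  # keep machine accounts only
            continue
        status = m.group("status")
        if status == "NT_STATUS_OK":
            last_ok[account] = m.group("ts")
        elif status == "NT_STATUS_WRONG_PASSWORD" and account in last_ok:
            flips.append((account, last_ok.pop(account), m.group("ts"), m.group("remote")))
    return flips

def _entry(ts, user, status, port):
    # Hypothetical helper: builds one constructed entry in the quoted format.
    return (f"[{ts}, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)\n"
            f"  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][{user}] "
            f"at [Wed, 18 Mar 2020 CET] with [aes256-cts-hmac-sha1-96] status [{status}] "
            f"workstation [(null)] remote host [ipv4:10.0.1.100:{port}]\n")

# Constructed sample: two machine-account entries modelled on the post, plus
# one user-account failure that must be ignored.
SAMPLE = (
    _entry("2020/03/18 00:51:45.001044", "FILESERVER$@DS.EXAMPLE.COM", "NT_STATUS_OK", 51352)
    + _entry("2020/03/18 00:52:10.000000", "jdoe@DS.EXAMPLE.COM", "NT_STATUS_WRONG_PASSWORD", 51360)
    + _entry("2020/03/18 00:53:49.362120", "FILESERVER$@DS.EXAMPLE.COM", "NT_STATUS_WRONG_PASSWORD", 51393)
)

if __name__ == "__main__":
    for account, ok, bad, remote in machine_auth_flips(SAMPLE):
        print(f"{account}: last OK {ok}, first WRONG_PASSWORD {bad} from {remote}")
```
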


