[Samba] Synology NAS looses connection to Samba AD
Alexander Harm
alexander.harm at apfelq.com
Wed Mar 25 10:36:13 UTC 2020
Samba DC:
# Global parameters
[global]
log level = 1 auth_audit:3
netbios name = KA-H9-DC01
realm = DS.EXAMPLE.COM
server role = active directory domain controller
workgroup = EXAMPLE
dns forwarder = 10.0.1.100 10.0.1.110
ntlm auth = mschapv2-and-ntlmv2-only
tls enabled = yes
tls keyfile = tls/ka-h9-dc01.key
tls certfile = tls/ka-h9-dc01.crt
tls cafile = tls/ds-ca.pem
[netlogon]
path = /var/lib/samba/sysvol/ds.EXAMPLE.COM/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
NAS
[global]
printcap name=cups
winbind enum groups=yes
include=/var/tmp/nginx/smb.netbios.aliases.conf
admin users=@EXAMPLE\Domain Admins, at EXAMPLE\Enterprise Admins
encrypt passwords=yes
min protocol=NT1
security=ads
local master=no
realm=DS.EXAMPLE.COM
syno sync dctime=no
passdb backend=smbpasswd
ldap timeout=60
printing=cups
max protocol=SMB3
winbind enum users=yes
load printers=yes
workgroup=EXAMPLE
and in a second file
[global]
follow symlinks=no
create mask=
log level=0
wide links=no
rpc_server:mdssvc=external
prev domain=EXAMPLE
server signing=no
msdfs root=no
vfs objects=
advanced_domain_option=yes
reset on zero vc=no
directory mask=
syno catia=no
veto files=
smb2 leases=no
btrfs clone=no
winbind expand groups=1
rpc_daemon:mdssd=fork
syno wildcard search=no
enable nt4 enum=no
allow insecure widelinks=no
enable veto files=no
disable shadow copy=no
On 25. March 2020 at 11:27:22, Rowland penny via samba (samba at lists.samba.org) wrote:
On 25/03/2020 10:01, Alexander Harm via samba wrote:
> We have to Samba DCs and a couple of Synology NAS connected/bound to the Samba AD. On regular basis the Synology NAS (I believe Samba 4.4.16) looses its connection to the AD outputting the error message, that the domain cannot be found. In the logs of the NAS I can only find the error message “synowin: domain_test_join.c:59 net ads test join fail”.
Well, that would seem to suggest that the NAS isn't joined to the domain
> In the logs of the DC I notice that from one second to the other the connection seems to fail:
>
> [2020/03/18 00:51:45.001044, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:51:45.001031 CET] with [aes256-cts-hmac-sha1–96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.0.1.100:51352] became [EXAMPLE][FILESERVER$] [S–1–5–21–1451753080–565542361–3466525082–2103]. local host [NULL][2020/03/18 00:53:49.362120, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:53:49.362103 CET] with [aes256-cts-hmac-sha1–96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:10.0.1.100:51393] mapped to [EXAMPLE][FILESERVER$]. local host [NULL]
>
> Can anyone explain to me what happens and how to fix this?
It does look like your NAS isn't joined to the domain, this would
explain 'NT_STATUS_WRONG_PASSWORD'
Can you post the smb.conf from the DC and, if possible, from the NAS.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list