[Samba] Windows clients connecting to SMB share differently over IP than DNS

Gavin Greenwalt im.thatoneguy at gmail.com
Thu Apr 8 16:27:32 UTC 2021


I have received confirmation that this is a bug with Synology's
implementation and they've narrowed it down to apparently they are for some
reason querying Domain Computers and Domain Controllers for permissions not
just the user.  The temporary workaround is to add Domain Computers and
Domain Controllers explicitly to the share's permissions list.

- Gavin

On Mon, Apr 5, 2021 at 1:15 PM Gavin Greenwalt <im.thatoneguy at gmail.com>
wrote:

> > Not being a synology user, what does that actually mean ? Does it mean
> that it is impossible to upgrade Samba ?
>
> Yes, since Synology handles all of the config through their DSM web
> interface for domain joins and shares they have their own fork of 4.4 with
> security patches and features backported.  I spun up an old 2017 Ubuntu VM
> with Samba 4.4.5.  Recreated my Synology smb.conf file as closely as I
> could and tested that.  Performance was excellent. Looks like it's
> something specific to Synology's Samba backpatched fork combined with krb5
> and I will follow up with them.  Also why the config files don't have
> explicit includes since I imagine that's hard coded into their
> distribution.  I assume idmap is similarly being handled through their
> fork's domain join system. (And likely causing the problems it would seem)
>
> > the 'winbind enum' lines could be slowing things down.
>
> Would you still have support for Domain users\groups as folder
> permissions?
>
> > you have an include file
> called smb.netbios.aliases.conf, (you need SMBv1 for netbios), so what
> is in it ?
>
> Looks like it doesn't even exist.
>
> Ok, it looks pretty clearly like whatever the issue is, is completely
> isolated to whatever proprietary sauce Synology is doing with the Synology
> DSM 6.x distribution.  I feel competent defending Samba's innocence.
>
> Thank you for the expert insights!  I'll try removing the winbind enums
> after escalating my Synology support tickets so that they can't blame it on
> me for making non-UI configuration changes.  And of course if I learn
> anything that's applicable to vanilla Samba I'll report back what I learn
> from Synology's support team.
>
> - Gavin
>
>
> On Thu, Apr 1, 2021 at 11:36 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
>> On 01/04/2021 18:51, Gavin Greenwalt wrote:
>> > >It might help if the OP did two things:
>> > >Upgrade Samba, 4.4.16 is very old and EOL.
>> > >Post their smb.conf, at the moment we have no idea how they are
>> running Samba.
>> > >
>> > >Rowland
>> >
>> > Unfortunately I'm locked into 4.4 because that's what Synology is using
>> in DSM.
>>
>>
>> Not being a synology user, what does that actually mean ? Does it mean
>> that it is impossible to upgrade Samba ?
>>
>> >    But my next step will be to spin up a fresh VM of Ubuntu and compare
>> a clean installation of 4.4.16 to see if Synology DSM is somehow
>> introducing the slowdown.
>> I would also try a supported version of Samba.
>> >
>> > smb.conf (sanitized) >
>> > [global]
>> >          printcap name=cups
>> >          winbind enum groups=yes
>>
>>
>> the 'winbind enum' lines could be slowing things down.
>>
>> >          include=/var/tmp/nginx/smb.netbios.aliases.conf
>>
>>
>> Interesting, you have SMBv1 turned off, but you have an include file
>> called smb.netbios.aliases.conf, (you need SMBv1 for netbios), so what
>> is in it ?
>>
>> >          password server=3.3.3.100
>>
>> You should allow Samba to find the best password server
>>
>> >          encrypt passwords=yes
>> >          admin users=@DOM\Domain Admins,@DOM\Enterprise Admins
>> >          min protocol=SMB2_10
>> >          security=ads
>> >          local master=no
>> >          realm=DOMAIN.COM
>> >          syno sync dctime=yes
>> >          passdb backend=smbpasswd
>>
>>
>> Samba was telling people to not use smbpasswd as the passdb backend way back
>> in the 3.x.x days, so why is your Synology device still using it ?
>>
>>
>> >          ldap timeout=60
>> >          printing=cups
>> >          max protocol=SMB3
>> >          winbind enum users=yes
>> >          load printers=yes
>> >          workgroup=DOM
>> >
>> > smbinfo.conf >
>> > [global]
>> >      rpc_server:mdssvc=external
>> >      prev domain=DOM
>> >      server signing=yes
>> >      veto files=
>> >      advanced_domain_option=yes
>> >      smb2 leases=yes
>> >      btrfs clone=no
>> >      winbind expand groups=1
>> >      register nic=bond1
>> >      rpc_daemon:mdssd=fork
>> >      enable nt4 enum=no
>> >      allow insecure widelinks=no
>> >      disable shadow copy=no
>> >
>> > smb.share.conf >
>> > [Share]
>> >          recycle bin admin only=yes
>> >          ftp disable modify=no
>> >          ftp disable download=no
>> >          write list=nobody,nobody
>> >          browseable=yes
>> >          mediaindex=no
>> >          hide unreadable=no
>> >          win share=yes
>> >          enable recycle bin=yes
>> >          invalid users=nobody,nobody
>> >          read list=nobody,nobody
>> >          ftp disable list=no
>> >          edit synoacl=yes
>> >          valid users=nobody,nobody
>> >          writeable=yes
>> >          guest ok=yes
>> >          path=/volume1/Share
>> >          skip smb perm=yes
>> >          comment="Share Directory"
>> >
>> What are 'smbinfo.conf' and 'smb.share.conf' , there doesn't seem to be
>> an 'include' for them.
>>
>> Now the big one, what is doing the ID mapping ? I do not see any 'idmap
>> config' or even any 'idmap uid' & 'idmap gid' lines.
>>
>> Rowland
>>
>>
>>
>
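The smb.conf points Rowland raises in the quoted review (winbind enumeration, a pinned password server, the smbpasswd passdb backend, and no visible idmap lines with security=ads), collected into one check. This is an added example, not part of the original thread and not Samba or Synology code; the function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: a subset of the [global] section quoted in the thread.
SAMPLE = """\
[global]
    winbind enum groups=yes
    password server=3.3.3.100
    security=ads
    passdb backend=smbpasswd
    winbind enum users=yes
"""

def parse_global(text):
    """Return {parameter: value} for [global]; names lower-cased, whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def review(params):
    """Return the findings from the thread that apply to these parameters."""
    findings = []
    truthy = {"yes", "true", "1", "on"}
    for key in ("winbind enum users", "winbind enum groups"):
        if params.get(key, "no").lower() in truthy:
            findings.append(f"{key} is enabled; enumeration may slow things down")
    if "password server" in params:
        findings.append("password server is pinned; let Samba locate a DC itself")
    if params.get("passdb backend", "").lower().startswith("smbpasswd"):
        findings.append("passdb backend is smbpasswd, flagged in the thread")
    if params.get("security", "").lower() == "ads" and not any(
            k.startswith("idmap ") for k in params):
        findings.append("security=ads but no idmap config / idmap uid / idmap gid")
    return findings

if __name__ == "__main__":
    for finding in review(parse_global(SAMPLE)):
        print("-", finding)
```

The check only sees the text it is given, so settings a vendor build compiles in or pulls from files without an explicit include will not show up.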

