Gaiseric Vandal
2016-May-11 15:52 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
I have a Synology NAS array appliance. It is linux based and uses samba for file sharing. Normally the config is done via a gui interface but you can ssh to the array. The domain controllers are running Samba 3.6.x in classic domain mode. I have member servers running 3.6.x and 4.3.8. no problem. I recently updated the Synology "OS." The current version of samba is Version 4.1.20. I don't know what the previous version was. After the upgrade the NAS could not rejoin the domain. From the command line "net rpc join" failed with a SIG errror. The new version of samba defaulted to requiring client and server signing. This was easily fixed by updating the NAS smb.conf with client signing=disabled client ipc signing=disabled server signing=disabled The following also seemed legit client signing=default client ipc signing=default server signing=default If I deleted and recreated the machine account on the DC I could rejoin the domain. However testing the join fails. root at mynas:/# net rpc join -U "MYDOMAIN\Administrator" Joined domain MYDOMAIN. root at mynas:/#net rpc testjoin dcerpc_netr_LogonGetCapabilities_r_recv failed with NT_STATUS_INVALID_PARAMETER cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed with error NT_STATUS_INVALID_PARAMETER net_rpc_join_ok: failed to open schannel session on netlogon pipe to server MYPDC for domain MYDOMAIN. Error was NT_STATUS_INVALID_PARAMETER Join to domain 'MYDOMAIN' is not valid: NT_STATUS_INVALID_PARAMETER root at mynas:/# The \\netlogon share on the PDC is open to guest access. log files on the PDC show 192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user smb_nobody (uid=90001, gid=90001) (pid 19408) ... [2016/05/11 11:46:22.733380, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: MYNAS$ [2016/05/11 11:46:22.738212, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 515 ... [2016/05/11 11:46:22.741400, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \netlogon [2016/05/11 11:46:22.741423, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\netlogon -> \PIPE\netlogon [2016/05/11 11:46:22.741482, 3] ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb) schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/MYNAS [2016/05/11 11:46:22.741539, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 23 [2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb) Transaction 9 of length 328 (0 toread) [2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message) switch message SMBtrans (pid 19408) conn 0x88830a8 [2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=240 params=0 setup=2 [2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "netlogon" (pnum 281f) [2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP) api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES [2016/05/11 11:46:22.743307, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 23 [2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb) Transaction 10 of length 45 (0 toread) [2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message) switch message SMBclose (pid 19408) conn 0x88830a8 [2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close) close fd=-1 fnum=10271 (numopen=2) [2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb) Transaction 11 of length 45 (0 toread) [2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message) switch message SMBclose (pid 19408) conn 0x88830a8 [2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close) close fd=-1 fnum=10270 (numopen=1) [2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb) Transaction 12 of length 39 (0 toread) [2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message) switch message SMBtdis (pid 19408) conn 0x88830a8 [2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum) 192.168.3.216 (192.168.3.216) closed connection to service IPC$ [2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection) Yielding connection to IPC$ [2016/05/11 11:46:22.747527, 3] smbd/server_exit.c:181(exit_server_common) Server exit (failed to receive smb request) So the NAS is authenticating to the domain controller. On the PDC (Samba 3.6.x) , testparm -v shows min protocol = CORE max protocol = NT1 On the NAS , testparm -v shows server min protocol = CORE client min protocol = CORE server max protocol = NT1 client max protocol = SMB3 client ipc signing = No (I have had problems with SMB2 even tho samba 3.6.x , Win 7 and Win 2008 shd support it.) On my working samba 4.x system (on fedora core 23), testparm -v shows server min protocol = LANMAN1 min protocol = LANMAN1 client min protocol = CORE client ipc max protocol = default client ipc min protocol = default client ipc signing = default Appreciate any advice. Thanks
henri transfert
2016-May-12 06:26 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
Hi, I am not sure it's the same issue, but I had a similar problem when upgrading from DSM 5.x to 6.0 : error after domain join : "Connection failed. Please check your network settings" . With the help of the (very efficient) Synology support, we solved the problem by uninstalling an old Cluster HA DSM package that was installed on the NAS but not used. Just in case it could help. Henri 2016-05-11 19:52 GMT+04:00 Gaiseric Vandal <gaiseric.vandal at gmail.com>:> I have a Synology NAS array appliance. It is linux based and uses samba > for file sharing. Normally the config is done via a gui interface but you > can ssh to the array. The domain controllers are running Samba 3.6.x in > classic domain mode. I have member servers running 3.6.x and 4.3.8. no > problem. > > > I recently updated the Synology "OS." The current version of samba is > Version 4.1.20. I don't know what the previous version was. After the > upgrade the NAS could not rejoin the domain. > > > From the command line "net rpc join" failed with a SIG errror. The new > version of samba defaulted to requiring client and server signing. This > was easily fixed by updating the NAS smb.conf with > > > > client signing=disabled > client ipc signing=disabled > > server signing=disabled > > > > The following also seemed legit > > client signing=default > client ipc signing=default > > server signing=default > > > > If I deleted and recreated the machine account on the DC I could rejoin > the domain. However testing the join fails. > > > > root at mynas:/# net rpc join -U "MYDOMAIN\Administrator" > Joined domain MYDOMAIN. > > > > root at mynas:/#net rpc testjoin > dcerpc_netr_LogonGetCapabilities_r_recv failed with > NT_STATUS_INVALID_PARAMETER > cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed > with error NT_STATUS_INVALID_PARAMETER > net_rpc_join_ok: failed to open schannel session on netlogon > pipe to server MYPDC for domain MYDOMAIN. Error was > NT_STATUS_INVALID_PARAMETER > Join to domain 'MYDOMAIN' is not valid: > NT_STATUS_INVALID_PARAMETER > root at mynas:/# > > > > The \\netlogon share on the PDC is open to guest access. > > > log files on the PDC show > > 192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user > smb_nobody (uid=90001, gid=90001) (pid 19408) > > ... > > [2016/05/11 11:46:22.733380, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) > init_sam_from_ldap: Entry found for user: MYNAS$ > [2016/05/11 11:46:22.738212, 2] > passdb/pdb_ldap.c:2427(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 515 > > ... > > [2016/05/11 11:46:22.741400, 3] rpc_server/srv_pipe.c:339(check_bind_req) > check_bind_req for \netlogon > [2016/05/11 11:46:22.741423, 3] rpc_server/srv_pipe.c:346(check_bind_req) > check_bind_req: \PIPE\netlogon -> \PIPE\netlogon > [2016/05/11 11:46:22.741482, 3] > ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb) > schannel_fetch_session_key_tdb: restored schannel info key > SECRETS/SCHANNEL/MYNAS > [2016/05/11 11:46:22.741539, 3] > rpc_server/srv_pipe_hnd.c:121(free_pipe_context) > free_pipe_context: destroying talloc pool of size 23 > [2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb) > Transaction 9 of length 328 (0 toread) > [2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message) > switch message SMBtrans (pid 19408) conn 0x88830a8 > [2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans) > trans <\PIPE\> data=240 params=0 setup=2 > [2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe) > named pipe command on <> name > [2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply) > Got API command 0x26 on pipe "netlogon" (pnum 281f) > [2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP) > api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES > [2016/05/11 11:46:22.743307, 3] > rpc_server/srv_pipe_hnd.c:121(free_pipe_context) > free_pipe_context: destroying talloc pool of size 23 > [2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb) > Transaction 10 of length 45 (0 toread) > [2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message) > switch message SMBclose (pid 19408) conn 0x88830a8 > [2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close) > close fd=-1 fnum=10271 (numopen=2) > [2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb) > Transaction 11 of length 45 (0 toread) > [2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message) > switch message SMBclose (pid 19408) conn 0x88830a8 > [2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close) > close fd=-1 fnum=10270 (numopen=1) > [2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb) > Transaction 12 of length 39 (0 toread) > [2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message) > switch message SMBtdis (pid 19408) conn 0x88830a8 > [2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum) > 192.168.3.216 (192.168.3.216) closed connection to service IPC$ > [2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection) > Yielding connection to IPC$ > [2016/05/11 11:46:22.747527, 3] smbd/server_exit.c:181(exit_server_common) > Server exit (failed to receive smb request) > > > > So the NAS is authenticating to the domain controller. > > > > > On the PDC (Samba 3.6.x) , testparm -v shows > > min protocol = CORE > max protocol = NT1 > > On the NAS , testparm -v shows > > > server min protocol = CORE > client min protocol = CORE > server max protocol = NT1 > client max protocol = SMB3 > client ipc signing = No > > (I have had problems with SMB2 even tho samba 3.6.x , Win 7 and Win 2008 > shd support it.) > > > On my working samba 4.x system (on fedora core 23), testparm -v shows > > > server min protocol = LANMAN1 > min protocol = LANMAN1 > client min protocol = CORE > client ipc max protocol = default > client ipc min protocol = default > client ipc signing = default > > > > > Appreciate any advice. > > > Thanks > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Gaiseric Vandal
2016-May-13 13:11 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
I don't see any cluster packages listed under the web gui interface. Is this one of the packages that can only be managed via the command line ipkg command, which is not installed by default? thanks On 05/12/16 02:26, henri transfert wrote:> Hi, > > I am not sure it's the same issue, but I had a similar problem when > upgrading from DSM 5.x to 6.0 : error after domain join : "Connection > failed. Please check your network settings" . > > With the help of the (very efficient) Synology support, we solved the > problem by uninstalling an old Cluster HA DSM package that was installed on > the NAS but not used. > > Just in case it could help. > > Henri > > > 2016-05-11 19:52 GMT+04:00 Gaiseric Vandal <gaiseric.vandal at gmail.com>: > >> I have a Synology NAS array appliance. It is linux based and uses samba >> for file sharing. Normally the config is done via a gui interface but you >> can ssh to the array. The domain controllers are running Samba 3.6.x in >> classic domain mode. I have member servers running 3.6.x and 4.3.8. no >> problem. >> >> >> I recently updated the Synology "OS." The current version of samba is >> Version 4.1.20. I don't know what the previous version was. After the >> upgrade the NAS could not rejoin the domain. >> >> >> From the command line "net rpc join" failed with a SIG errror. The new >> version of samba defaulted to requiring client and server signing. This >> was easily fixed by updating the NAS smb.conf with >> >> >> >> client signing=disabled >> client ipc signing=disabled >> >> server signing=disabled >> >> >> >> The following also seemed legit >> >> client signing=default >> client ipc signing=default >> >> server signing=default >> >> >> >> If I deleted and recreated the machine account on the DC I could rejoin >> the domain. However testing the join fails. >> >> >> >> root at mynas:/# net rpc join -U "MYDOMAIN\Administrator" >> Joined domain MYDOMAIN. >> >> >> >> root at mynas:/#net rpc testjoin >> dcerpc_netr_LogonGetCapabilities_r_recv failed with >> NT_STATUS_INVALID_PARAMETER >> cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed >> with error NT_STATUS_INVALID_PARAMETER >> net_rpc_join_ok: failed to open schannel session on netlogon >> pipe to server MYPDC for domain MYDOMAIN. Error was >> NT_STATUS_INVALID_PARAMETER >> Join to domain 'MYDOMAIN' is not valid: >> NT_STATUS_INVALID_PARAMETER >> root at mynas:/# >> >> >> >> The \\netlogon share on the PDC is open to guest access. >> >> >> log files on the PDC show >> >> 192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user >> smb_nobody (uid=90001, gid=90001) (pid 19408) >> >> ... >> >> [2016/05/11 11:46:22.733380, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) >> init_sam_from_ldap: Entry found for user: MYNAS$ >> [2016/05/11 11:46:22.738212, 2] >> passdb/pdb_ldap.c:2427(init_group_from_ldap) >> init_group_from_ldap: Entry found for group: 515 >> >> ... >> >> [2016/05/11 11:46:22.741400, 3] rpc_server/srv_pipe.c:339(check_bind_req) >> check_bind_req for \netlogon >> [2016/05/11 11:46:22.741423, 3] rpc_server/srv_pipe.c:346(check_bind_req) >> check_bind_req: \PIPE\netlogon -> \PIPE\netlogon >> [2016/05/11 11:46:22.741482, 3] >> ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb) >> schannel_fetch_session_key_tdb: restored schannel info key >> SECRETS/SCHANNEL/MYNAS >> [2016/05/11 11:46:22.741539, 3] >> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) >> free_pipe_context: destroying talloc pool of size 23 >> [2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb) >> Transaction 9 of length 328 (0 toread) >> [2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message) >> switch message SMBtrans (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans) >> trans <\PIPE\> data=240 params=0 setup=2 >> [2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe) >> named pipe command on <> name >> [2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply) >> Got API command 0x26 on pipe "netlogon" (pnum 281f) >> [2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP) >> api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES >> [2016/05/11 11:46:22.743307, 3] >> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) >> free_pipe_context: destroying talloc pool of size 23 >> [2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb) >> Transaction 10 of length 45 (0 toread) >> [2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message) >> switch message SMBclose (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close) >> close fd=-1 fnum=10271 (numopen=2) >> [2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb) >> Transaction 11 of length 45 (0 toread) >> [2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message) >> switch message SMBclose (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close) >> close fd=-1 fnum=10270 (numopen=1) >> [2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb) >> Transaction 12 of length 39 (0 toread) >> [2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message) >> switch message SMBtdis (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum) >> 192.168.3.216 (192.168.3.216) closed connection to service IPC$ >> [2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection) >> Yielding connection to IPC$ >> [2016/05/11 11:46:22.747527, 3] smbd/server_exit.c:181(exit_server_common) >> Server exit (failed to receive smb request) >> >> >> >> So the NAS is authenticating to the domain controller. >> >> >> >> >> On the PDC (Samba 3.6.x) , testparm -v shows >> >> min protocol = CORE >> max protocol = NT1 >> >> On the NAS , testparm -v shows >> >> >> server min protocol = CORE >> client min protocol = CORE >> server max protocol = NT1 >> client max protocol = SMB3 >> client ipc signing = No >> >> (I have had problems with SMB2 even tho samba 3.6.x , Win 7 and Win 2008 >> shd support it.) >> >> >> On my working samba 4.x system (on fedora core 23), testparm -v shows >> >> >> server min protocol = LANMAN1 >> min protocol = LANMAN1 >> client min protocol = CORE >> client ipc max protocol = default >> client ipc min protocol = default >> client ipc signing = default >> >> >> >> >> Appreciate any advice. >> >> >> Thanks >> >> >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>
Gaiseric Vandal
2016-May-16 18:36 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
On both the synology (samba 4.1.20) and PDC (samba 3.6.25) testparm showed client schannel = Auto server schannel = Auto I don't know if the server even supports schannel. Maybe it doesn't any all the clients successfully negotiated not to use it. On the synology, I set client schannel = no This fixed my domain membership issue. Although possibly weakening security on the synology? Or possibly revealing a probably with schannel on my PDC. I realize both versions of Samba are end-of-life. On 05/12/16 02:26, henri transfert wrote:> Hi, > > I am not sure it's the same issue, but I had a similar problem when > upgrading from DSM 5.x to 6.0 : error after domain join : "Connection > failed. Please check your network settings" . > > With the help of the (very efficient) Synology support, we solved the > problem by uninstalling an old Cluster HA DSM package that was installed on > the NAS but not used. > > Just in case it could help. > > Henri > > > 2016-05-11 19:52 GMT+04:00 Gaiseric Vandal <gaiseric.vandal at gmail.com>: > >> I have a Synology NAS array appliance. It is linux based and uses samba >> for file sharing. Normally the config is done via a gui interface but you >> can ssh to the array. The domain controllers are running Samba 3.6.x in >> classic domain mode. I have member servers running 3.6.x and 4.3.8. no >> problem. >> >> >> I recently updated the Synology "OS." The current version of samba is >> Version 4.1.20. I don't know what the previous version was. After the >> upgrade the NAS could not rejoin the domain. >> >> >> From the command line "net rpc join" failed with a SIG errror. The new >> version of samba defaulted to requiring client and server signing. This >> was easily fixed by updating the NAS smb.conf with >> >> >> >> client signing=disabled >> client ipc signing=disabled >> >> server signing=disabled >> >> >> >> The following also seemed legit >> >> client signing=default >> client ipc signing=default >> >> server signing=default >> >> >> >> If I deleted and recreated the machine account on the DC I could rejoin >> the domain. However testing the join fails. >> >> >> >> root at mynas:/# net rpc join -U "MYDOMAIN\Administrator" >> Joined domain MYDOMAIN. >> >> >> >> root at mynas:/#net rpc testjoin >> dcerpc_netr_LogonGetCapabilities_r_recv failed with >> NT_STATUS_INVALID_PARAMETER >> cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed >> with error NT_STATUS_INVALID_PARAMETER >> net_rpc_join_ok: failed to open schannel session on netlogon >> pipe to server MYPDC for domain MYDOMAIN. Error was >> NT_STATUS_INVALID_PARAMETER >> Join to domain 'MYDOMAIN' is not valid: >> NT_STATUS_INVALID_PARAMETER >> root at mynas:/# >> >> >> >> The \\netlogon share on the PDC is open to guest access. >> >> >> log files on the PDC show >> >> 192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user >> smb_nobody (uid=90001, gid=90001) (pid 19408) >> >> ... >> >> [2016/05/11 11:46:22.733380, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) >> init_sam_from_ldap: Entry found for user: MYNAS$ >> [2016/05/11 11:46:22.738212, 2] >> passdb/pdb_ldap.c:2427(init_group_from_ldap) >> init_group_from_ldap: Entry found for group: 515 >> >> ... >> >> [2016/05/11 11:46:22.741400, 3] rpc_server/srv_pipe.c:339(check_bind_req) >> check_bind_req for \netlogon >> [2016/05/11 11:46:22.741423, 3] rpc_server/srv_pipe.c:346(check_bind_req) >> check_bind_req: \PIPE\netlogon -> \PIPE\netlogon >> [2016/05/11 11:46:22.741482, 3] >> ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb) >> schannel_fetch_session_key_tdb: restored schannel info key >> SECRETS/SCHANNEL/MYNAS >> [2016/05/11 11:46:22.741539, 3] >> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) >> free_pipe_context: destroying talloc pool of size 23 >> [2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb) >> Transaction 9 of length 328 (0 toread) >> [2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message) >> switch message SMBtrans (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans) >> trans <\PIPE\> data=240 params=0 setup=2 >> [2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe) >> named pipe command on <> name >> [2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply) >> Got API command 0x26 on pipe "netlogon" (pnum 281f) >> [2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP) >> api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES >> [2016/05/11 11:46:22.743307, 3] >> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) >> free_pipe_context: destroying talloc pool of size 23 >> [2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb) >> Transaction 10 of length 45 (0 toread) >> [2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message) >> switch message SMBclose (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close) >> close fd=-1 fnum=10271 (numopen=2) >> [2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb) >> Transaction 11 of length 45 (0 toread) >> [2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message) >> switch message SMBclose (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close) >> close fd=-1 fnum=10270 (numopen=1) >> [2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb) >> Transaction 12 of length 39 (0 toread) >> [2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message) >> switch message SMBtdis (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum) >> 192.168.3.216 (192.168.3.216) closed connection to service IPC$ >> [2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection) >> Yielding connection to IPC$ >> [2016/05/11 11:46:22.747527, 3] smbd/server_exit.c:181(exit_server_common) >> Server exit (failed to receive smb request) >> >> >> >> So the NAS is authenticating to the domain controller. >> >> >> >> >> On the PDC (Samba 3.6.x) , testparm -v shows >> >> min protocol = CORE >> max protocol = NT1 >> >> On the NAS , testparm -v shows >> >> >> server min protocol = CORE >> client min protocol = CORE >> server max protocol = NT1 >> client max protocol = SMB3 >> client ipc signing = No >> >> (I have had problems with SMB2 even tho samba 3.6.x , Win 7 and Win 2008 >> shd support it.) >> >> >> On my working samba 4.x system (on fedora core 23), testparm -v shows >> >> >> server min protocol = LANMAN1 >> min protocol = LANMAN1 >> client min protocol = CORE >> client ipc max protocol = default >> client ipc min protocol = default >> client ipc signing = default >> >> >> >> >> Appreciate any advice. >> >> >> Thanks >> >> >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>
Gaiseric Vandal
2016-May-27 16:30 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
I rolled my appliance back to DSM 6 (no updates) which resolved the issue. The BADLOCK update was applied in DSM 6u1. On 05/12/16 02:26, henri transfert wrote:> Hi, > > I am not sure it's the same issue, but I had a similar problem when > upgrading from DSM 5.x to 6.0 : error after domain join : "Connection > failed. Please check your network settings" . > > With the help of the (very efficient) Synology support, we solved the > problem by uninstalling an old Cluster HA DSM package that was installed on > the NAS but not used. > > Just in case it could help. > > Henri > > > 2016-05-11 19:52 GMT+04:00 Gaiseric Vandal <gaiseric.vandal at gmail.com>: > >> I have a Synology NAS array appliance. It is linux based and uses samba >> for file sharing. Normally the config is done via a gui interface but you >> can ssh to the array. The domain controllers are running Samba 3.6.x in >> classic domain mode. I have member servers running 3.6.x and 4.3.8. no >> problem. >> >> >> I recently updated the Synology "OS." The current version of samba is >> Version 4.1.20. I don't know what the previous version was. After the >> upgrade the NAS could not rejoin the domain. >> >> >> From the command line "net rpc join" failed with a SIG errror. The new >> version of samba defaulted to requiring client and server signing. This >> was easily fixed by updating the NAS smb.conf with >> >> >> >> client signing=disabled >> client ipc signing=disabled >> >> server signing=disabled >> >> >> >> The following also seemed legit >> >> client signing=default >> client ipc signing=default >> >> server signing=default >> >> >> >> If I deleted and recreated the machine account on the DC I could rejoin >> the domain. However testing the join fails. >> >> >> >> root at mynas:/# net rpc join -U "MYDOMAIN\Administrator" >> Joined domain MYDOMAIN. >> >> >> >> root at mynas:/#net rpc testjoin >> dcerpc_netr_LogonGetCapabilities_r_recv failed with >> NT_STATUS_INVALID_PARAMETER >> cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed >> with error NT_STATUS_INVALID_PARAMETER >> net_rpc_join_ok: failed to open schannel session on netlogon >> pipe to server MYPDC for domain MYDOMAIN. Error was >> NT_STATUS_INVALID_PARAMETER >> Join to domain 'MYDOMAIN' is not valid: >> NT_STATUS_INVALID_PARAMETER >> root at mynas:/# >> >> >> >> The \\netlogon share on the PDC is open to guest access. >> >> >> log files on the PDC show >> >> 192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user >> smb_nobody (uid=90001, gid=90001) (pid 19408) >> >> ... >> >> [2016/05/11 11:46:22.733380, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) >> init_sam_from_ldap: Entry found for user: MYNAS$ >> [2016/05/11 11:46:22.738212, 2] >> passdb/pdb_ldap.c:2427(init_group_from_ldap) >> init_group_from_ldap: Entry found for group: 515 >> >> ... >> >> [2016/05/11 11:46:22.741400, 3] rpc_server/srv_pipe.c:339(check_bind_req) >> check_bind_req for \netlogon >> [2016/05/11 11:46:22.741423, 3] rpc_server/srv_pipe.c:346(check_bind_req) >> check_bind_req: \PIPE\netlogon -> \PIPE\netlogon >> [2016/05/11 11:46:22.741482, 3] >> ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb) >> schannel_fetch_session_key_tdb: restored schannel info key >> SECRETS/SCHANNEL/MYNAS >> [2016/05/11 11:46:22.741539, 3] >> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) >> free_pipe_context: destroying talloc pool of size 23 >> [2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb) >> Transaction 9 of length 328 (0 toread) >> [2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message) >> switch message SMBtrans (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans) >> trans <\PIPE\> data=240 params=0 setup=2 >> [2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe) >> named pipe command on <> name >> [2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply) >> Got API command 0x26 on pipe "netlogon" (pnum 281f) >> [2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP) >> api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES >> [2016/05/11 11:46:22.743307, 3] >> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) >> free_pipe_context: destroying talloc pool of size 23 >> [2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb) >> Transaction 10 of length 45 (0 toread) >> [2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message) >> switch message SMBclose (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close) >> close fd=-1 fnum=10271 (numopen=2) >> [2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb) >> Transaction 11 of length 45 (0 toread) >> [2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message) >> switch message SMBclose (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close) >> close fd=-1 fnum=10270 (numopen=1) >> [2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb) >> Transaction 12 of length 39 (0 toread) >> [2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message) >> switch message SMBtdis (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum) >> 192.168.3.216 (192.168.3.216) closed connection to service IPC$ >> [2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection) >> Yielding connection to IPC$ >> [2016/05/11 11:46:22.747527, 3] smbd/server_exit.c:181(exit_server_common) >> Server exit (failed to receive smb request) >> >> >> >> So the NAS is authenticating to the domain controller. >> >> >> >> >> On the PDC (Samba 3.6.x) , testparm -v shows >> >> min protocol = CORE >> max protocol = NT1 >> >> On the NAS , testparm -v shows >> >> >> server min protocol = CORE >> client min protocol = CORE >> server max protocol = NT1 >> client max protocol = SMB3 >> client ipc signing = No >> >> (I have had problems with SMB2 even tho samba 3.6.x , Win 7 and Win 2008 >> shd support it.) >> >> >> On my working samba 4.x system (on fedora core 23), testparm -v shows >> >> >> server min protocol = LANMAN1 >> min protocol = LANMAN1 >> client min protocol = CORE >> client ipc max protocol = default >> client ipc min protocol = default >> client ipc signing = default >> >> >> >> >> Appreciate any advice. >> >> >> Thanks >> >> >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>
Reasonably Related Threads
- Synology NAS Samba Upgrade breaks "Classic" domain membership
- Synology NAS Samba Upgrade breaks "Classic" domain membership
- Fwd: samba 3.6.24 domain member as printserver in win2008/2012 domain: Access denied
- Problem printing from one user only
- Can't add machines to domain after Debian-Update