Gaiseric Vandal
2016-May-11  15:52 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
I have a Synology NAS array appliance.   It is linux based and uses 
samba for file sharing.   Normally the config is done via a gui 
interface but you can ssh to the array.   The domain controllers are 
running Samba 3.6.x in classic domain mode.  I have member servers 
running 3.6.x and 4.3.8.  no problem.
I recently updated the Synology "OS."  The current version of samba is
Version 4.1.20.    I don't know what the previous version was.    After 
the upgrade the  NAS could not rejoin the domain.
 From the command line "net rpc join" failed with a SIG error. The new
version of samba defaulted to requiring client and server signing.  This 
was easily fixed by updating the NAS smb.conf with
     client signing=disabled
     client ipc signing=disabled
     server signing=disabled
The following also seemed legit
     client signing=default
     client ipc signing=default
     server signing=default
If I deleted and recreated the machine account on the DC I could rejoin 
the domain.  However testing the join fails.
             root@mynas:/# net rpc join -U "MYDOMAIN\Administrator"
             Joined domain MYDOMAIN.
             root@mynas:/#net rpc testjoin
             dcerpc_netr_LogonGetCapabilities_r_recv failed with NT_STATUS_INVALID_PARAMETER
             cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed with error NT_STATUS_INVALID_PARAMETER
             net_rpc_join_ok: failed to open schannel session on netlogon pipe to server MYPDC for domain MYDOMAIN. Error was NT_STATUS_INVALID_PARAMETER
             Join to domain 'MYDOMAIN' is not valid: NT_STATUS_INVALID_PARAMETER
             root@mynas:/#
The \\netlogon share on the PDC is open to guest access.
log files on the PDC show
   192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user smb_nobody (uid=90001, gid=90001) (pid 19408)
...
[2016/05/11 11:46:22.733380,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
   init_sam_from_ldap: Entry found for user: MYNAS$
[2016/05/11 11:46:22.738212,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
   init_group_from_ldap: Entry found for group: 515
...
[2016/05/11 11:46:22.741400,  3] rpc_server/srv_pipe.c:339(check_bind_req)
   check_bind_req for \netlogon
[2016/05/11 11:46:22.741423,  3] rpc_server/srv_pipe.c:346(check_bind_req)
   check_bind_req: \PIPE\netlogon -> \PIPE\netlogon
[2016/05/11 11:46:22.741482,  3] ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb)
   schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/MYNAS
[2016/05/11 11:46:22.741539,  3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
   free_pipe_context: destroying talloc pool of size 23
[2016/05/11 11:46:22.743059,  3] smbd/process.c:1609(process_smb)
   Transaction 9 of length 328 (0 toread)
[2016/05/11 11:46:22.743106,  3] smbd/process.c:1414(switch_message)
   switch message SMBtrans (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.743133,  3] smbd/ipc.c:560(handle_trans)
   trans <\PIPE\> data=240 params=0 setup=2
[2016/05/11 11:46:22.743164,  3] smbd/ipc.c:511(named_pipe)
   named pipe command on <> name
[2016/05/11 11:46:22.743187,  3] smbd/ipc.c:475(api_fd_reply)
   Got API command 0x26 on pipe "netlogon" (pnum 281f)
[2016/05/11 11:46:22.743235,  3] rpc_server/srv_pipe.c:1626(api_rpcTNP)
   api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES
[2016/05/11 11:46:22.743307,  3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
   free_pipe_context: destroying talloc pool of size 23
[2016/05/11 11:46:22.744850,  3] smbd/process.c:1609(process_smb)
   Transaction 10 of length 45 (0 toread)
[2016/05/11 11:46:22.744896,  3] smbd/process.c:1414(switch_message)
   switch message SMBclose (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.744929,  3] smbd/reply.c:4860(reply_close)
   close fd=-1 fnum=10271 (numopen=2)
[2016/05/11 11:46:22.746251,  3] smbd/process.c:1609(process_smb)
   Transaction 11 of length 45 (0 toread)
[2016/05/11 11:46:22.746298,  3] smbd/process.c:1414(switch_message)
   switch message SMBclose (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.746322,  3] smbd/reply.c:4860(reply_close)
   close fd=-1 fnum=10270 (numopen=1)
[2016/05/11 11:46:22.746790,  3] smbd/process.c:1609(process_smb)
   Transaction 12 of length 39 (0 toread)
[2016/05/11 11:46:22.746841,  3] smbd/process.c:1414(switch_message)
   switch message SMBtdis (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.746879,  3] smbd/service.c:1378(close_cnum)
   192.168.3.216 (192.168.3.216) closed connection to service IPC$
[2016/05/11 11:46:22.746906,  3] smbd/connection.c:35(yield_connection)
   Yielding connection to IPC$
[2016/05/11 11:46:22.747527,  3] smbd/server_exit.c:181(exit_server_common)
   Server exit (failed to receive smb request)
So the NAS is authenticating to the domain controller.
On the PDC (Samba 3.6.x)  , testparm -v shows
             min protocol = CORE
             max protocol = NT1
On the NAS , testparm -v shows
      server min protocol = CORE
     client min protocol = CORE
     server max protocol = NT1
     client max protocol = SMB3
     client ipc signing = No
(I have had problems with SMB2 even though Samba 3.6.x, Win 7 and Win 2008 
should support it.)
On my working samba 4.x system (on fedora core 23), testparm -v shows
     server min protocol = LANMAN1
     min protocol = LANMAN1
     client min protocol = CORE
     client ipc max protocol = default
     client ipc min protocol = default
     client ipc signing = default
Appreciate any advice.
Thanks
henri transfert
2016-May-12  06:26 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
Hi,
I am not sure it's the same issue, but I had a similar problem when upgrading from DSM 5.x to 6.0: error after domain join: "Connection failed. Please check your network settings".
With the help of the (very efficient) Synology support, we solved the problem by uninstalling an old Cluster HA DSM package that was installed on the NAS but not used.
Just in case it could help.
Henri
Gaiseric Vandal
2016-May-13  13:11 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
I don't see any cluster packages listed under the web gui interface. Is this one of the packages that can only be managed via the command line ipkg command, which is not installed by default?
thanks
Gaiseric Vandal
2016-May-16  18:36 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
On both the synology (samba 4.1.20) and PDC (samba 3.6.25)  testparm showed
         client schannel = Auto
         server schannel = Auto
I don't know if the server even supports schannel.  Maybe it 
doesn't and all the clients successfully negotiated not to use it.  On 
the synology, I set
         client schannel = no
This fixed my domain membership issue.  Although possibly weakening 
security on the synology?  Or possibly revealing a problem with 
schannel on my PDC.  I realize both versions of Samba are end-of-life.
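An added example, not part of the original posts and not Samba project code: a small auditor that parses `testparm -sv` style output, flags the signing, schannel and minimum-protocol settings changed or quoted in this thread, and diffs those keys between two hosts the way the poster compared the NAS with the working Fedora member by hand. The function names are hypothetical and both sample outputs are constructed from values mentioned in the thread.

```python
"""Audit testparm-style output for the settings discussed in this thread.

Feed it real output with:  testparm -sv 2>/dev/null
"""
import re

# Spellings Samba accepts for "off" on these parameters, compared lower-case.
OFF_VALUES = {"no", "false", "0", "off", "disabled"}
# Dialects that belong to SMB1; a min protocol in this set still permits SMB1.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

SIGNING_KEYS = ("client signing", "client ipc signing", "server signing")
SCHANNEL_KEYS = ("client schannel", "server schannel")
MIN_PROTO_KEYS = ("client min protocol", "server min protocol")
ALL_KEYS = SIGNING_KEYS + SCHANNEL_KEYS + MIN_PROTO_KEYS

# Constructed sample: the NAS after the workarounds described in the thread.
NAS_AFTER_WORKAROUND = """
[global]
	server min protocol = CORE
	client min protocol = CORE
	server max protocol = NT1
	client max protocol = SMB3
	client signing = disabled
	client ipc signing = No
	server signing = disabled
	client schannel = No
	server schannel = Auto
"""

# Constructed sample: a member server left at its defaults.
FEDORA_WORKING = """
[global]
	min protocol = LANMAN1
	client min protocol = CORE
	client signing = default
	client ipc signing = default
	server signing = default
	client schannel = Auto
	server schannel = Auto
"""


def parse_testparm(text):
    """Return the [global] parameters as a dict with normalized keys.

    Keys are lower-cased with whitespace collapsed, so 'client signing=disabled'
    and 'client  signing = disabled' land on the same key. Share sections and
    testparm's status lines (which contain no '=') are ignored.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section not in (None, "global") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    # 'min protocol' is a synonym for 'server min protocol'.
    if "min protocol" in params:
        params.setdefault("server min protocol", params["min protocol"])
    return params


def audit(params):
    """Return (key, value, reason) tuples for settings that reduce protection."""
    findings = []
    for key in SIGNING_KEYS:
        if params.get(key, "").lower() in OFF_VALUES:
            findings.append((key, params[key], "SMB signing turned off"))
    for key in SCHANNEL_KEYS:
        if params.get(key, "").lower() in OFF_VALUES:
            findings.append((key, params[key], "netlogon secure channel turned off"))
    for key in MIN_PROTO_KEYS:
        if params.get(key, "").upper() in SMB1_DIALECTS:
            findings.append((key, params[key], "SMB1 dialects still accepted"))
    return findings


def diff_hosts(a, b, keys=ALL_KEYS):
    """Return {key: (value_a, value_b)} for keys whose values differ.

    A key missing on one side is reported as None for that side.
    """
    return {
        k: (a.get(k), b.get(k))
        for k in keys
        if (a.get(k) or "").lower() != (b.get(k) or "").lower()
    }


if __name__ == "__main__":
    nas = parse_testparm(NAS_AFTER_WORKAROUND)
    fedora = parse_testparm(FEDORA_WORKING)
    for key, value, reason in audit(nas):
        print(f"NAS: {key} = {value}: {reason}")
    for key, (left, right) in diff_hosts(nas, fedora).items():
        print(f"differs: {key}: NAS={left} Fedora={right}")
```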
Gaiseric Vandal
2016-May-27  16:30 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
I rolled my appliance back to DSM 6 (no updates) which resolved the issue. The BADLOCK update was applied in DSM 6u1.