Gaiseric Vandal
2016-May-11 15:52 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
I have a Synology NAS array appliance. It is linux based and uses
samba for file sharing. Normally the config is done via a gui
interface but you can ssh to the array. The domain controllers are
running Samba 3.6.x in classic domain mode. I have member servers
running 3.6.x and 4.3.8. no problem.
I recently updated the Synology "OS." The current version of samba is
Version 4.1.20. I don't know what the previous version was. After
the upgrade the NAS could not rejoin the domain.
From the command line "net rpc join" failed with a SIG errror. The
new
version of samba defaulted to requiring client and server signing. This
was easily fixed by updating the NAS smb.conf with
client signing=disabled
client ipc signing=disabled
server signing=disabled
The following also seemed legit
client signing=default
client ipc signing=default
server signing=default
If I deleted and recreated the machine account on the DC I could rejoin
the domain. However testing the join fails.
root at mynas:/# net rpc join -U
"MYDOMAIN\Administrator"
Joined domain MYDOMAIN.
root at mynas:/#net rpc testjoin
dcerpc_netr_LogonGetCapabilities_r_recv failed with
NT_STATUS_INVALID_PARAMETER
cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind
failed with error NT_STATUS_INVALID_PARAMETER
net_rpc_join_ok: failed to open schannel session on
netlogon pipe to server MYPDC for domain MYDOMAIN. Error was
NT_STATUS_INVALID_PARAMETER
Join to domain 'MYDOMAIN' is not valid:
NT_STATUS_INVALID_PARAMETER
root at mynas:/#
The \\netlogon share on the PDC is open to guest access.
log files on the PDC show
192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user
smb_nobody (uid=90001, gid=90001) (pid 19408)
...
[2016/05/11 11:46:22.733380, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: MYNAS$
[2016/05/11 11:46:22.738212, 2]
passdb/pdb_ldap.c:2427(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 515
...
[2016/05/11 11:46:22.741400, 3] rpc_server/srv_pipe.c:339(check_bind_req)
check_bind_req for \netlogon
[2016/05/11 11:46:22.741423, 3] rpc_server/srv_pipe.c:346(check_bind_req)
check_bind_req: \PIPE\netlogon -> \PIPE\netlogon
[2016/05/11 11:46:22.741482, 3]
../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb)
schannel_fetch_session_key_tdb: restored schannel info key
SECRETS/SCHANNEL/MYNAS
[2016/05/11 11:46:22.741539, 3]
rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
free_pipe_context: destroying talloc pool of size 23
[2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb)
Transaction 9 of length 328 (0 toread)
[2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message)
switch message SMBtrans (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans)
trans <\PIPE\> data=240 params=0 setup=2
[2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe)
named pipe command on <> name
[2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply)
Got API command 0x26 on pipe "netlogon" (pnum 281f)
[2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP)
api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES
[2016/05/11 11:46:22.743307, 3]
rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
free_pipe_context: destroying talloc pool of size 23
[2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb)
Transaction 10 of length 45 (0 toread)
[2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message)
switch message SMBclose (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close)
close fd=-1 fnum=10271 (numopen=2)
[2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb)
Transaction 11 of length 45 (0 toread)
[2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message)
switch message SMBclose (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close)
close fd=-1 fnum=10270 (numopen=1)
[2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb)
Transaction 12 of length 39 (0 toread)
[2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message)
switch message SMBtdis (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum)
192.168.3.216 (192.168.3.216) closed connection to service IPC$
[2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection)
Yielding connection to IPC$
[2016/05/11 11:46:22.747527, 3] smbd/server_exit.c:181(exit_server_common)
Server exit (failed to receive smb request)
So the NAS is authenticating to the domain controller.
On the PDC (Samba 3.6.x) , testparm -v shows
min protocol = CORE
max protocol = NT1
On the NAS , testparm -v shows
server min protocol = CORE
client min protocol = CORE
server max protocol = NT1
client max protocol = SMB3
client ipc signing = No
(I have had problems with SMB2 even tho samba 3.6.x , Win 7 and Win 2008
shd support it.)
On my working samba 4.x system (on fedora core 23), testparm -v shows
server min protocol = LANMAN1
min protocol = LANMAN1
client min protocol = CORE
client ipc max protocol = default
client ipc min protocol = default
client ipc signing = default
Appreciate any advice.
Thanks
henri transfert
2016-May-12 06:26 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
Hi, I am not sure it's the same issue, but I had a similar problem when upgrading from DSM 5.x to 6.0 : error after domain join : "Connection failed. Please check your network settings" . With the help of the (very efficient) Synology support, we solved the problem by uninstalling an old Cluster HA DSM package that was installed on the NAS but not used. Just in case it could help. Henri 2016-05-11 19:52 GMT+04:00 Gaiseric Vandal <gaiseric.vandal at gmail.com>:> I have a Synology NAS array appliance. It is linux based and uses samba > for file sharing. Normally the config is done via a gui interface but you > can ssh to the array. The domain controllers are running Samba 3.6.x in > classic domain mode. I have member servers running 3.6.x and 4.3.8. no > problem. > > > I recently updated the Synology "OS." The current version of samba is > Version 4.1.20. I don't know what the previous version was. After the > upgrade the NAS could not rejoin the domain. > > > From the command line "net rpc join" failed with a SIG errror. The new > version of samba defaulted to requiring client and server signing. This > was easily fixed by updating the NAS smb.conf with > > > > client signing=disabled > client ipc signing=disabled > > server signing=disabled > > > > The following also seemed legit > > client signing=default > client ipc signing=default > > server signing=default > > > > If I deleted and recreated the machine account on the DC I could rejoin > the domain. However testing the join fails. > > > > root at mynas:/# net rpc join -U "MYDOMAIN\Administrator" > Joined domain MYDOMAIN. > > > > root at mynas:/#net rpc testjoin > dcerpc_netr_LogonGetCapabilities_r_recv failed with > NT_STATUS_INVALID_PARAMETER > cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed > with error NT_STATUS_INVALID_PARAMETER > net_rpc_join_ok: failed to open schannel session on netlogon > pipe to server MYPDC for domain MYDOMAIN. Error was > NT_STATUS_INVALID_PARAMETER > Join to domain 'MYDOMAIN' is not valid: > NT_STATUS_INVALID_PARAMETER > root at mynas:/# > > > > The \\netlogon share on the PDC is open to guest access. > > > log files on the PDC show > > 192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user > smb_nobody (uid=90001, gid=90001) (pid 19408) > > ... > > [2016/05/11 11:46:22.733380, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) > init_sam_from_ldap: Entry found for user: MYNAS$ > [2016/05/11 11:46:22.738212, 2] > passdb/pdb_ldap.c:2427(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 515 > > ... > > [2016/05/11 11:46:22.741400, 3] rpc_server/srv_pipe.c:339(check_bind_req) > check_bind_req for \netlogon > [2016/05/11 11:46:22.741423, 3] rpc_server/srv_pipe.c:346(check_bind_req) > check_bind_req: \PIPE\netlogon -> \PIPE\netlogon > [2016/05/11 11:46:22.741482, 3] > ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb) > schannel_fetch_session_key_tdb: restored schannel info key > SECRETS/SCHANNEL/MYNAS > [2016/05/11 11:46:22.741539, 3] > rpc_server/srv_pipe_hnd.c:121(free_pipe_context) > free_pipe_context: destroying talloc pool of size 23 > [2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb) > Transaction 9 of length 328 (0 toread) > [2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message) > switch message SMBtrans (pid 19408) conn 0x88830a8 > [2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans) > trans <\PIPE\> data=240 params=0 setup=2 > [2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe) > named pipe command on <> name > [2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply) > Got API command 0x26 on pipe "netlogon" (pnum 281f) > [2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP) > api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES > [2016/05/11 11:46:22.743307, 3] > rpc_server/srv_pipe_hnd.c:121(free_pipe_context) > free_pipe_context: destroying talloc pool of size 23 > [2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb) > Transaction 10 of length 45 (0 toread) > [2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message) > switch message SMBclose (pid 19408) conn 0x88830a8 > [2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close) > close fd=-1 fnum=10271 (numopen=2) > [2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb) > Transaction 11 of length 45 (0 toread) > [2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message) > switch message SMBclose (pid 19408) conn 0x88830a8 > [2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close) > close fd=-1 fnum=10270 (numopen=1) > [2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb) > Transaction 12 of length 39 (0 toread) > [2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message) > switch message SMBtdis (pid 19408) conn 0x88830a8 > [2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum) > 192.168.3.216 (192.168.3.216) closed connection to service IPC$ > [2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection) > Yielding connection to IPC$ > [2016/05/11 11:46:22.747527, 3] smbd/server_exit.c:181(exit_server_common) > Server exit (failed to receive smb request) > > > > So the NAS is authenticating to the domain controller. > > > > > On the PDC (Samba 3.6.x) , testparm -v shows > > min protocol = CORE > max protocol = NT1 > > On the NAS , testparm -v shows > > > server min protocol = CORE > client min protocol = CORE > server max protocol = NT1 > client max protocol = SMB3 > client ipc signing = No > > (I have had problems with SMB2 even tho samba 3.6.x , Win 7 and Win 2008 > shd support it.) > > > On my working samba 4.x system (on fedora core 23), testparm -v shows > > > server min protocol = LANMAN1 > min protocol = LANMAN1 > client min protocol = CORE > client ipc max protocol = default > client ipc min protocol = default > client ipc signing = default > > > > > Appreciate any advice. > > > Thanks > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Gaiseric Vandal
2016-May-13 13:11 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
I don't see any cluster packages listed under the web gui interface. Is this one of the packages that can only be managed via the command line ipkg command, which is not installed by default? thanks On 05/12/16 02:26, henri transfert wrote:> Hi, > > I am not sure it's the same issue, but I had a similar problem when > upgrading from DSM 5.x to 6.0 : error after domain join : "Connection > failed. Please check your network settings" . > > With the help of the (very efficient) Synology support, we solved the > problem by uninstalling an old Cluster HA DSM package that was installed on > the NAS but not used. > > Just in case it could help. > > Henri > > > 2016-05-11 19:52 GMT+04:00 Gaiseric Vandal <gaiseric.vandal at gmail.com>: > >> I have a Synology NAS array appliance. It is linux based and uses samba >> for file sharing. Normally the config is done via a gui interface but you >> can ssh to the array. The domain controllers are running Samba 3.6.x in >> classic domain mode. I have member servers running 3.6.x and 4.3.8. no >> problem. >> >> >> I recently updated the Synology "OS." The current version of samba is >> Version 4.1.20. I don't know what the previous version was. After the >> upgrade the NAS could not rejoin the domain. >> >> >> From the command line "net rpc join" failed with a SIG errror. The new >> version of samba defaulted to requiring client and server signing. This >> was easily fixed by updating the NAS smb.conf with >> >> >> >> client signing=disabled >> client ipc signing=disabled >> >> server signing=disabled >> >> >> >> The following also seemed legit >> >> client signing=default >> client ipc signing=default >> >> server signing=default >> >> >> >> If I deleted and recreated the machine account on the DC I could rejoin >> the domain. However testing the join fails. >> >> >> >> root at mynas:/# net rpc join -U "MYDOMAIN\Administrator" >> Joined domain MYDOMAIN. >> >> >> >> root at mynas:/#net rpc testjoin >> dcerpc_netr_LogonGetCapabilities_r_recv failed with >> NT_STATUS_INVALID_PARAMETER >> cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed >> with error NT_STATUS_INVALID_PARAMETER >> net_rpc_join_ok: failed to open schannel session on netlogon >> pipe to server MYPDC for domain MYDOMAIN. Error was >> NT_STATUS_INVALID_PARAMETER >> Join to domain 'MYDOMAIN' is not valid: >> NT_STATUS_INVALID_PARAMETER >> root at mynas:/# >> >> >> >> The \\netlogon share on the PDC is open to guest access. >> >> >> log files on the PDC show >> >> 192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user >> smb_nobody (uid=90001, gid=90001) (pid 19408) >> >> ... >> >> [2016/05/11 11:46:22.733380, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) >> init_sam_from_ldap: Entry found for user: MYNAS$ >> [2016/05/11 11:46:22.738212, 2] >> passdb/pdb_ldap.c:2427(init_group_from_ldap) >> init_group_from_ldap: Entry found for group: 515 >> >> ... >> >> [2016/05/11 11:46:22.741400, 3] rpc_server/srv_pipe.c:339(check_bind_req) >> check_bind_req for \netlogon >> [2016/05/11 11:46:22.741423, 3] rpc_server/srv_pipe.c:346(check_bind_req) >> check_bind_req: \PIPE\netlogon -> \PIPE\netlogon >> [2016/05/11 11:46:22.741482, 3] >> ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb) >> schannel_fetch_session_key_tdb: restored schannel info key >> SECRETS/SCHANNEL/MYNAS >> [2016/05/11 11:46:22.741539, 3] >> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) >> free_pipe_context: destroying talloc pool of size 23 >> [2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb) >> Transaction 9 of length 328 (0 toread) >> [2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message) >> switch message SMBtrans (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans) >> trans <\PIPE\> data=240 params=0 setup=2 >> [2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe) >> named pipe command on <> name >> [2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply) >> Got API command 0x26 on pipe "netlogon" (pnum 281f) >> [2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP) >> api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES >> [2016/05/11 11:46:22.743307, 3] >> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) >> free_pipe_context: destroying talloc pool of size 23 >> [2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb) >> Transaction 10 of length 45 (0 toread) >> [2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message) >> switch message SMBclose (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close) >> close fd=-1 fnum=10271 (numopen=2) >> [2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb) >> Transaction 11 of length 45 (0 toread) >> [2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message) >> switch message SMBclose (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close) >> close fd=-1 fnum=10270 (numopen=1) >> [2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb) >> Transaction 12 of length 39 (0 toread) >> [2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message) >> switch message SMBtdis (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum) >> 192.168.3.216 (192.168.3.216) closed connection to service IPC$ >> [2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection) >> Yielding connection to IPC$ >> [2016/05/11 11:46:22.747527, 3] smbd/server_exit.c:181(exit_server_common) >> Server exit (failed to receive smb request) >> >> >> >> So the NAS is authenticating to the domain controller. >> >> >> >> >> On the PDC (Samba 3.6.x) , testparm -v shows >> >> min protocol = CORE >> max protocol = NT1 >> >> On the NAS , testparm -v shows >> >> >> server min protocol = CORE >> client min protocol = CORE >> server max protocol = NT1 >> client max protocol = SMB3 >> client ipc signing = No >> >> (I have had problems with SMB2 even tho samba 3.6.x , Win 7 and Win 2008 >> shd support it.) >> >> >> On my working samba 4.x system (on fedora core 23), testparm -v shows >> >> >> server min protocol = LANMAN1 >> min protocol = LANMAN1 >> client min protocol = CORE >> client ipc max protocol = default >> client ipc min protocol = default >> client ipc signing = default >> >> >> >> >> Appreciate any advice. >> >> >> Thanks >> >> >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>
Gaiseric Vandal
2016-May-16 18:36 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
On both the synology (samba 4.1.20) and PDC (samba 3.6.25) testparm showed
client schannel = Auto
server schannel = Auto
I don't know if the server even supports schannel. Maybe it
doesn't any all the clients successfully negotiated not to use it. On
the synology, I set
client schannel = no
This fixed my domain membership issue. Although possibly weakening
security on the synology? Or possibly revealing a probably with
schannel on my PDC. I realize both versions of Samba are end-of-life.
On 05/12/16 02:26, henri transfert wrote:> Hi,
>
> I am not sure it's the same issue, but I had a similar problem when
> upgrading from DSM 5.x to 6.0 : error after domain join : "Connection
> failed. Please check your network settings" .
>
> With the help of the (very efficient) Synology support, we solved the
> problem by uninstalling an old Cluster HA DSM package that was installed on
> the NAS but not used.
>
> Just in case it could help.
>
> Henri
>
>
> 2016-05-11 19:52 GMT+04:00 Gaiseric Vandal <gaiseric.vandal at
gmail.com>:
>
>> I have a Synology NAS array appliance. It is linux based and uses
samba
>> for file sharing. Normally the config is done via a gui interface but
you
>> can ssh to the array. The domain controllers are running Samba 3.6.x
in
>> classic domain mode. I have member servers running 3.6.x and 4.3.8.
no
>> problem.
>>
>>
>> I recently updated the Synology "OS." The current version of
samba is
>> Version 4.1.20. I don't know what the previous version was.
After the
>> upgrade the NAS could not rejoin the domain.
>>
>>
>> From the command line "net rpc join" failed with a SIG
errror. The new
>> version of samba defaulted to requiring client and server signing.
This
>> was easily fixed by updating the NAS smb.conf with
>>
>>
>>
>> client signing=disabled
>> client ipc signing=disabled
>>
>> server signing=disabled
>>
>>
>>
>> The following also seemed legit
>>
>> client signing=default
>> client ipc signing=default
>>
>> server signing=default
>>
>>
>>
>> If I deleted and recreated the machine account on the DC I could rejoin
>> the domain. However testing the join fails.
>>
>>
>>
>> root at mynas:/# net rpc join -U
"MYDOMAIN\Administrator"
>> Joined domain MYDOMAIN.
>>
>>
>>
>> root at mynas:/#net rpc testjoin
>> dcerpc_netr_LogonGetCapabilities_r_recv failed with
>> NT_STATUS_INVALID_PARAMETER
>> cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind
failed
>> with error NT_STATUS_INVALID_PARAMETER
>> net_rpc_join_ok: failed to open schannel session on
netlogon
>> pipe to server MYPDC for domain MYDOMAIN. Error was
>> NT_STATUS_INVALID_PARAMETER
>> Join to domain 'MYDOMAIN' is not valid:
>> NT_STATUS_INVALID_PARAMETER
>> root at mynas:/#
>>
>>
>>
>> The \\netlogon share on the PDC is open to guest access.
>>
>>
>> log files on the PDC show
>>
>> 192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user
>> smb_nobody (uid=90001, gid=90001) (pid 19408)
>>
>> ...
>>
>> [2016/05/11 11:46:22.733380, 2]
passdb/pdb_ldap.c:553(init_sam_from_ldap)
>> init_sam_from_ldap: Entry found for user: MYNAS$
>> [2016/05/11 11:46:22.738212, 2]
>> passdb/pdb_ldap.c:2427(init_group_from_ldap)
>> init_group_from_ldap: Entry found for group: 515
>>
>> ...
>>
>> [2016/05/11 11:46:22.741400, 3]
rpc_server/srv_pipe.c:339(check_bind_req)
>> check_bind_req for \netlogon
>> [2016/05/11 11:46:22.741423, 3]
rpc_server/srv_pipe.c:346(check_bind_req)
>> check_bind_req: \PIPE\netlogon -> \PIPE\netlogon
>> [2016/05/11 11:46:22.741482, 3]
>> ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb)
>> schannel_fetch_session_key_tdb: restored schannel info key
>> SECRETS/SCHANNEL/MYNAS
>> [2016/05/11 11:46:22.741539, 3]
>> rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
>> free_pipe_context: destroying talloc pool of size 23
>> [2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb)
>> Transaction 9 of length 328 (0 toread)
>> [2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message)
>> switch message SMBtrans (pid 19408) conn 0x88830a8
>> [2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans)
>> trans <\PIPE\> data=240 params=0 setup=2
>> [2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe)
>> named pipe command on <> name
>> [2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply)
>> Got API command 0x26 on pipe "netlogon" (pnum 281f)
>> [2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP)
>> api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES
>> [2016/05/11 11:46:22.743307, 3]
>> rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
>> free_pipe_context: destroying talloc pool of size 23
>> [2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb)
>> Transaction 10 of length 45 (0 toread)
>> [2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message)
>> switch message SMBclose (pid 19408) conn 0x88830a8
>> [2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close)
>> close fd=-1 fnum=10271 (numopen=2)
>> [2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb)
>> Transaction 11 of length 45 (0 toread)
>> [2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message)
>> switch message SMBclose (pid 19408) conn 0x88830a8
>> [2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close)
>> close fd=-1 fnum=10270 (numopen=1)
>> [2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb)
>> Transaction 12 of length 39 (0 toread)
>> [2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message)
>> switch message SMBtdis (pid 19408) conn 0x88830a8
>> [2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum)
>> 192.168.3.216 (192.168.3.216) closed connection to service IPC$
>> [2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection)
>> Yielding connection to IPC$
>> [2016/05/11 11:46:22.747527, 3]
smbd/server_exit.c:181(exit_server_common)
>> Server exit (failed to receive smb request)
>>
>>
>>
>> So the NAS is authenticating to the domain controller.
>>
>>
>>
>>
>> On the PDC (Samba 3.6.x) , testparm -v shows
>>
>> min protocol = CORE
>> max protocol = NT1
>>
>> On the NAS , testparm -v shows
>>
>>
>> server min protocol = CORE
>> client min protocol = CORE
>> server max protocol = NT1
>> client max protocol = SMB3
>> client ipc signing = No
>>
>> (I have had problems with SMB2 even tho samba 3.6.x , Win 7 and Win
2008
>> shd support it.)
>>
>>
>> On my working samba 4.x system (on fedora core 23), testparm -v shows
>>
>>
>> server min protocol = LANMAN1
>> min protocol = LANMAN1
>> client min protocol = CORE
>> client ipc max protocol = default
>> client ipc min protocol = default
>> client ipc signing = default
>>
>>
>>
>>
>> Appreciate any advice.
>>
>>
>> Thanks
>>
>>
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
Gaiseric Vandal
2016-May-27 16:30 UTC
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
I rolled my appliance back to DSM 6 (no updates) which resolved the issue. The BADLOCK update was applied in DSM 6u1. On 05/12/16 02:26, henri transfert wrote:> Hi, > > I am not sure it's the same issue, but I had a similar problem when > upgrading from DSM 5.x to 6.0 : error after domain join : "Connection > failed. Please check your network settings" . > > With the help of the (very efficient) Synology support, we solved the > problem by uninstalling an old Cluster HA DSM package that was installed on > the NAS but not used. > > Just in case it could help. > > Henri > > > 2016-05-11 19:52 GMT+04:00 Gaiseric Vandal <gaiseric.vandal at gmail.com>: > >> I have a Synology NAS array appliance. It is linux based and uses samba >> for file sharing. Normally the config is done via a gui interface but you >> can ssh to the array. The domain controllers are running Samba 3.6.x in >> classic domain mode. I have member servers running 3.6.x and 4.3.8. no >> problem. >> >> >> I recently updated the Synology "OS." The current version of samba is >> Version 4.1.20. I don't know what the previous version was. After the >> upgrade the NAS could not rejoin the domain. >> >> >> From the command line "net rpc join" failed with a SIG errror. The new >> version of samba defaulted to requiring client and server signing. This >> was easily fixed by updating the NAS smb.conf with >> >> >> >> client signing=disabled >> client ipc signing=disabled >> >> server signing=disabled >> >> >> >> The following also seemed legit >> >> client signing=default >> client ipc signing=default >> >> server signing=default >> >> >> >> If I deleted and recreated the machine account on the DC I could rejoin >> the domain. However testing the join fails. >> >> >> >> root at mynas:/# net rpc join -U "MYDOMAIN\Administrator" >> Joined domain MYDOMAIN. >> >> >> >> root at mynas:/#net rpc testjoin >> dcerpc_netr_LogonGetCapabilities_r_recv failed with >> NT_STATUS_INVALID_PARAMETER >> cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed >> with error NT_STATUS_INVALID_PARAMETER >> net_rpc_join_ok: failed to open schannel session on netlogon >> pipe to server MYPDC for domain MYDOMAIN. Error was >> NT_STATUS_INVALID_PARAMETER >> Join to domain 'MYDOMAIN' is not valid: >> NT_STATUS_INVALID_PARAMETER >> root at mynas:/# >> >> >> >> The \\netlogon share on the PDC is open to guest access. >> >> >> log files on the PDC show >> >> 192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user >> smb_nobody (uid=90001, gid=90001) (pid 19408) >> >> ... >> >> [2016/05/11 11:46:22.733380, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) >> init_sam_from_ldap: Entry found for user: MYNAS$ >> [2016/05/11 11:46:22.738212, 2] >> passdb/pdb_ldap.c:2427(init_group_from_ldap) >> init_group_from_ldap: Entry found for group: 515 >> >> ... >> >> [2016/05/11 11:46:22.741400, 3] rpc_server/srv_pipe.c:339(check_bind_req) >> check_bind_req for \netlogon >> [2016/05/11 11:46:22.741423, 3] rpc_server/srv_pipe.c:346(check_bind_req) >> check_bind_req: \PIPE\netlogon -> \PIPE\netlogon >> [2016/05/11 11:46:22.741482, 3] >> ../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb) >> schannel_fetch_session_key_tdb: restored schannel info key >> SECRETS/SCHANNEL/MYNAS >> [2016/05/11 11:46:22.741539, 3] >> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) >> free_pipe_context: destroying talloc pool of size 23 >> [2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb) >> Transaction 9 of length 328 (0 toread) >> [2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message) >> switch message SMBtrans (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans) >> trans <\PIPE\> data=240 params=0 setup=2 >> [2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe) >> named pipe command on <> name >> [2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply) >> Got API command 0x26 on pipe "netlogon" (pnum 281f) >> [2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP) >> api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES >> [2016/05/11 11:46:22.743307, 3] >> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) >> free_pipe_context: destroying talloc pool of size 23 >> [2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb) >> Transaction 10 of length 45 (0 toread) >> [2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message) >> switch message SMBclose (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close) >> close fd=-1 fnum=10271 (numopen=2) >> [2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb) >> Transaction 11 of length 45 (0 toread) >> [2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message) >> switch message SMBclose (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close) >> close fd=-1 fnum=10270 (numopen=1) >> [2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb) >> Transaction 12 of length 39 (0 toread) >> [2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message) >> switch message SMBtdis (pid 19408) conn 0x88830a8 >> [2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum) >> 192.168.3.216 (192.168.3.216) closed connection to service IPC$ >> [2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection) >> Yielding connection to IPC$ >> [2016/05/11 11:46:22.747527, 3] smbd/server_exit.c:181(exit_server_common) >> Server exit (failed to receive smb request) >> >> >> >> So the NAS is authenticating to the domain controller. >> >> >> >> >> On the PDC (Samba 3.6.x) , testparm -v shows >> >> min protocol = CORE >> max protocol = NT1 >> >> On the NAS , testparm -v shows >> >> >> server min protocol = CORE >> client min protocol = CORE >> server max protocol = NT1 >> client max protocol = SMB3 >> client ipc signing = No >> >> (I have had problems with SMB2 even tho samba 3.6.x , Win 7 and Win 2008 >> shd support it.) >> >> >> On my working samba 4.x system (on fedora core 23), testparm -v shows >> >> >> server min protocol = LANMAN1 >> min protocol = LANMAN1 >> client min protocol = CORE >> client ipc max protocol = default >> client ipc min protocol = default >> client ipc signing = default >> >> >> >> >> Appreciate any advice. >> >> >> Thanks >> >> >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>
Reasonably Related Threads
- Synology NAS Samba Upgrade breaks "Classic" domain membership
- Synology NAS Samba Upgrade breaks "Classic" domain membership
- Fwd: samba 3.6.24 domain member as printserver in win2008/2012 domain: Access denied
- Problem printing from one user only
- Can't add machines to domain after Debian-Update