We have two Samba DCs and a couple of Synology NAS connected/bound to the Samba AD. On a regular basis the Synology NAS (I believe Samba 4.4.16) loses its connection to the AD, outputting the error message that the domain cannot be found. In the logs of the NAS I can only find the error message "synowin: domain_test_join.c:59 net ads test join fail". In the logs of the DC I notice that from one second to the other the connection seems to fail:

[2020/03/18 00:51:45.001044, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:51:45.001031 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.0.1.100:51352] became [EXAMPLE][FILESERVER$] [S-1-5-21-1451753080-565542361-3466525082-2103]. local host [NULL]
[2020/03/18 00:53:49.362120, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:53:49.362103 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:10.0.1.100:51393] mapped to [EXAMPLE][FILESERVER$]. local host [NULL]

Can anyone explain to me what happens and how to fix this?

Thanks a lot,
Alexander
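Added example, not part of the original post and not Samba or Synology code: a small Python parser for the auth_audit lines quoted above that reports when a machine account goes from NT_STATUS_OK to a failure status. The function names are made up for this illustration, the sample input is the two lines from the post trimmed to the fields used, and the time zone label is ignored.

```python
import re
from datetime import datetime

# Sample input: the two audit records from the post, trimmed to the fields
# the parser uses (the log header lines and the SID are left out).
SAMPLE_LOG = """\
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:51:45.001031 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.0.1.100:51352] became [EXAMPLE][FILESERVER$]
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:53:49.362103 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:10.0.1.100:51393] mapped to [EXAMPLE][FILESERVER$]
"""

AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]*)\] user \[[^\]]*\]\[(?P<user>[^\]]*)\] "
    r"at \[\w+, (?P<ts>\d+ \w+ \d+ [\d:.]+) \w+\] with \[(?P<enctype>[^\]]*)\] "
    r"status \[(?P<status>\w+)\].*?remote host \[(?P<remote>[^\]]*)\]"
)

def parse_auth_events(text):
    """Yield one dict per authentication audit record found in text."""
    for m in AUTH_RE.finditer(text):
        ev = m.groupdict()
        # The zone label (CET) is dropped; all records come from the same DC.
        ev["ts"] = datetime.strptime(ev["ts"], "%d %b %Y %H:%M:%S.%f")
        yield ev

def machine_account_flips(text):
    """Return (account, last_ok_event, first_failed_event) for each machine
    account (name ending in $) whose status goes from NT_STATUS_OK to a failure."""
    last_ok, flips = {}, []
    for ev in sorted(parse_auth_events(text), key=lambda e: e["ts"]):
        account = ev["user"].split("@")[0]
        if not account.endswith("$"):
            continue  # only computer accounts are of interest here
        if ev["status"] == "NT_STATUS_OK":
            last_ok[account] = ev
        elif account in last_ok:
            # First failure after a success: this narrows the time window in
            # which the machine password or keytab stopped matching.
            flips.append((account, last_ok.pop(account), ev))
    return flips

if __name__ == "__main__":
    for account, ok, bad in machine_account_flips(SAMPLE_LOG):
        print(f"{account}: last OK {ok['ts']} from {ok['remote']}, "
              f"then {bad['status']} at {bad['ts']} from {bad['remote']}")
```

Run against the full DC log, the window between the last success and the first failure can be compared with what the NAS was doing at that time.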
On 3/25/20 at 11:01 AM, Alexander Harm via samba wrote:
> Can anyone explain to me what happens and how to fix this?

Talk to Synology. Their NAS is *massively* modified compared to vanilla Samba, so this needs someone familiar with their modifications and systems.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
On 25/03/2020 10:01, Alexander Harm via samba wrote:
> We have two Samba DCs and a couple of Synology NAS connected/bound to the Samba AD. On a regular basis the Synology NAS (I believe Samba 4.4.16) loses its connection to the AD, outputting the error message that the domain cannot be found. In the logs of the NAS I can only find the error message "synowin: domain_test_join.c:59 net ads test join fail".

Well, that would seem to suggest that the NAS isn't joined to the domain.

> In the logs of the DC I notice that from one second to the other the connection seems to fail:
>
> [2020/03/18 00:51:45.001044, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:51:45.001031 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.0.1.100:51352] became [EXAMPLE][FILESERVER$] [S-1-5-21-1451753080-565542361-3466525082-2103]. local host [NULL]
> [2020/03/18 00:53:49.362120, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
>   Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:53:49.362103 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:10.0.1.100:51393] mapped to [EXAMPLE][FILESERVER$]. local host [NULL]
>
> Can anyone explain to me what happens and how to fix this?

It does look like your NAS isn't joined to the domain, this would explain 'NT_STATUS_WRONG_PASSWORD'.

Can you post the smb.conf from the DC and, if possible, from the NAS?

Rowland
Samba DC:

# Global parameters
[global]
    log level = 1 auth_audit:3
    netbios name = KA-H9-DC01
    realm = DS.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = EXAMPLE
    dns forwarder = 10.0.1.100 10.0.1.110
    ntlm auth = mschapv2-and-ntlmv2-only
    tls enabled = yes
    tls keyfile = tls/ka-h9-dc01.key
    tls certfile = tls/ka-h9-dc01.crt
    tls cafile = tls/ds-ca.pem

[netlogon]
    path = /var/lib/samba/sysvol/ds.EXAMPLE.COM/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

NAS:

[global]
    printcap name=cups
    winbind enum groups=yes
    include=/var/tmp/nginx/smb.netbios.aliases.conf
    admin users=@EXAMPLE\Domain Admins,@EXAMPLE\Enterprise Admins
    encrypt passwords=yes
    min protocol=NT1
    security=ads
    local master=no
    realm=DS.EXAMPLE.COM
    syno sync dctime=no
    passdb backend=smbpasswd
    ldap timeout=60
    printing=cups
    max protocol=SMB3
    winbind enum users=yes
    load printers=yes
    workgroup=EXAMPLE

and in a second file:

[global]
    follow symlinks=no
    create mask
    log level=0
    wide links=no
    rpc_server:mdssvc=external
    prev domain=EXAMPLE
    server signing=no
    msdfs root=no
    vfs objects
    advanced_domain_option=yes
    reset on zero vc=no
    directory mask
    syno catia=no
    veto files
    smb2 leases=no
    btrfs clone=no
    winbind expand groups=1
    rpc_daemon:mdssd=fork
    syno wildcard search=no
    enable nt4 enum=no
    allow insecure widelinks=no
    enable veto files=no
    disable shadow copy=no
On 25/03/2020 10:22, Ralph Boehme via samba wrote:
> On 3/25/20 at 11:01 AM, Alexander Harm via samba wrote:
>> Can anyone explain to me what happens and how to fix this?
> talk to Synology. Their NAS is *massively* modified compared to vanilla
> Samba, so this needs someone familiar with their modifications and systems.
>
> -slow

Thanks Ralph, didn't know that, but shouldn't they provide source code somewhere?

Rowland