We have to Samba DCs and a couple of Synology NAS connected/bound to the Samba AD. On regular basis the Synology NAS (I believe Samba 4.4.16) looses its connection to the AD outputting the error message, that the domain cannot be found. In the logs of the NAS I can only find the error message ?synowin: domain_test_join.c:59 net ads test join fail?. In the logs of the DC I notice that from one second to the other the connection seems to fail: [2020/03/18 00:51:45.001044, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:51:45.001031 CET] with [aes256-cts-hmac-sha1?96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.0.1.100:51352] became [EXAMPLE][FILESERVER$] [S?1?5?21?1451753080?565542361?3466525082?2103]. local host [NULL][2020/03/18 00:53:49.362120, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:53:49.362103 CET] with [aes256-cts-hmac-sha1?96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:10.0.1.100:51393] mapped to [EXAMPLE][FILESERVER$]. local host [NULL] Can anyone explain to me what happens and how to fix this? Thanks a lot, Alexander
Am 3/25/20 um 11:01 AM schrieb Alexander Harm via samba:> Can anyone explain to me what happens and how to fix this?talk to Synology. Their NAS is *massively* modified compared to vanilla Samba, so this needs someone familiar with their modifications and systems. -slow -- Ralph Boehme, Samba Team https://samba.org/ Samba Developer, SerNet GmbH https://sernet.de/en/samba/ GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20200325/9ad89fb7/signature.sig>
On 25/03/2020 10:01, Alexander Harm via samba wrote:> We have to Samba DCs and a couple of Synology NAS connected/bound to the Samba AD. On regular basis the Synology NAS (I believe Samba 4.4.16) looses its connection to the AD outputting the error message, that the domain cannot be found. In the logs of the NAS I can only find the error message ?synowin: domain_test_join.c:59 net ads test join fail?.Well, that would seem to suggest that the NAS isn't joined to the domain> In the logs of the DC I notice that from one second to the other the connection seems to fail: > > [2020/03/18 00:51:45.001044, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:51:45.001031 CET] with [aes256-cts-hmac-sha1?96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.0.1.100:51352] became [EXAMPLE][FILESERVER$] [S?1?5?21?1451753080?565542361?3466525082?2103]. local host [NULL][2020/03/18 00:53:49.362120, 2] ../../auth/auth_log.c:653(log_authentication_event_human_readable) Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:53:49.362103 CET] with [aes256-cts-hmac-sha1?96] status [NT_STATUS_WRONG_PASSWORD] workstation [(null)] remote host [ipv4:10.0.1.100:51393] mapped to [EXAMPLE][FILESERVER$]. local host [NULL] > > Can anyone explain to me what happens and how to fix this?It does look like your NAS isn't joined to the domain, this would explain 'NT_STATUS_WRONG_PASSWORD' Can you post the smb.conf from the DC and, if possible, from the NAS. Rowland
Samba DC:
# Global parameters
[global]
log level = 1 auth_audit:3
netbios name = KA-H9-DC01
realm = DS.EXAMPLE.COM
server role = active directory domain controller
workgroup = EXAMPLE
dns forwarder = 10.0.1.100 10.0.1.110
ntlm auth = mschapv2-and-ntlmv2-only
tls enabled = yes
tls keyfile = tls/ka-h9-dc01.key
tls certfile = tls/ka-h9-dc01.crt
tls cafile = tls/ds-ca.pem
[netlogon]
path = /var/lib/samba/sysvol/ds.EXAMPLE.COM/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
NAS
[global]
printcap name=cups
winbind enum groups=yes
include=/var/tmp/nginx/smb.netbios.aliases.conf
admin users=@EXAMPLE\Domain Admins, at EXAMPLE\Enterprise Admins
encrypt passwords=yes
min protocol=NT1
security=ads
local master=no
realm=DS.EXAMPLE.COM
syno sync dctime=no
passdb backend=smbpasswd
ldap timeout=60
printing=cups
max protocol=SMB3
winbind enum users=yes
load printers=yes
workgroup=EXAMPLE
and in a second file
[global]
follow symlinks=no
create mask log level=0
wide links=no
rpc_server:mdssvc=external
prev domain=EXAMPLE
server signing=no
msdfs root=no
vfs objects advanced_domain_option=yes
reset on zero vc=no
directory mask syno catia=no
veto files smb2 leases=no
btrfs clone=no
winbind expand groups=1
rpc_daemon:mdssd=fork
syno wildcard search=no
enable nt4 enum=no
allow insecure widelinks=no
enable veto files=no
disable shadow copy=no
On 25. March 2020 at 11:27:22, Rowland penny via samba (samba at
lists.samba.org) wrote:
On 25/03/2020 10:01, Alexander Harm via samba wrote: > We have to Samba DCs and a couple of Synology NAS connected/bound to the
Samba AD. On regular basis the Synology NAS (I believe Samba 4.4.16) looses its
connection to the AD outputting the error message, that the domain cannot be
found. In the logs of the NAS I can only find the error message ?synowin:
domain_test_join.c:59 net ads test join fail?.
Well, that would seem to suggest that the NAS isn't joined to the domain
> In the logs of the DC I notice that from one second to the other the
connection seems to fail:
>
> [2020/03/18 00:51:45.001044, 3]
../../auth/auth_log.c:653(log_authentication_event_human_readable) Auth:
[Kerberos KDC,ENC-TS Pre-authentication] user
[(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:51:45.001031 CET]
with [aes256-cts-hmac-sha1?96] status [NT_STATUS_OK] workstation [(null)] remote
host [ipv4:10.0.1.100:51352] became [EXAMPLE][FILESERVER$]
[S?1?5?21?1451753080?565542361?3466525082?2103]. local host [NULL][2020/03/18
00:53:49.362120, 2]
../../auth/auth_log.c:653(log_authentication_event_human_readable) Auth:
[Kerberos KDC,ENC-TS Pre-authentication] user
[(null)][FILESERVER$@DS.EXAMPLE.COM] at [Wed, 18 Mar 2020 00:53:49.362103 CET]
with [aes256-cts-hmac-sha1?96] status [NT_STATUS_WRONG_PASSWORD] workstation
[(null)] remote host [ipv4:10.0.1.100:51393] mapped to [EXAMPLE][FILESERVER$].
local host [NULL]
>
> Can anyone explain to me what happens and how to fix this?
It does look like your NAS isn't joined to the domain, this would
explain 'NT_STATUS_WRONG_PASSWORD'
Can you post the smb.conf from the DC and, if possible, from the NAS.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
On 25/03/2020 10:22, Ralph Boehme via samba wrote:> Am 3/25/20 um 11:01 AM schrieb Alexander Harm via samba: >> Can anyone explain to me what happens and how to fix this? > talk to Synology. Their NAS is *massively* modified compared to vanilla > Samba, so this needs someone familiar with their modifications and systems. > > -slowThanks Ralph, didn't know that, but shouldn't they provide source code somewhere ? Rowland