samba - Jul 2023 - Synology shares not accessible...

Hi Vincent,

in my case access via hostname doesn't work. That seems to be a Kerberos 
problem, as access via IP works. IP access uses NTLM authentication.

With SMB-Service 4.15.9-0619 (was the Beta) it worked, with the released 
version 4.15.9-0632 not anymore.

If you change one library in the released version to the one from Beta 
(libidmap-samba4.so) then the released version works again.

They claim it's because of one SID which can't be dissolved by winbind: 
S-1-18-1. As I wrote in my last mail, this SID don't exist under 2008R2 
and earlier.

I'm afraid you have to read the hole trail to get all informations.

So do you use IP addresses or hostnames for access?

Regards
Ingo
https://github.com/WAdama

vincent at cojot.name schrieb am 07.07.2023 um 02:42:
>
> Hi Ingo,
> Sorry for the late reply but I just gave it a test tonight and 
> everything worked fine for me:
> - Domain Controllers run RHEL8.8 + samba 4.17.8
> - DSM 7.1.1 VM and DSM 7.2 physical box (DS3622xs)
> I can give rights to domain groups in the Syno UI for shares hosted on 
> the Syno and things work just fine. Of course both DSM units (VM + 
> 3617xs) are joined to my AD domain using the Synology UI.
>
> What problem were you experiencing?
>
> Vincent
>
>
> On Thu, 13 Apr 2023, Ingo Asche via samba wrote:
>
>> Hi,
>>
>> to all of you which are using Synology NAS systems.
>>
>> With SMB-Service 4.15.9-0631 no longer shares are accessible via 
>> domain group rights from a Samba 4.17.7 domain.
>>
>> It seems the same error described in the following mail trails:
>> "No longer access to shares after upgrade to 4.17.3"
>> "File server joined to a samba domain accessed by windows 10-11 
>> clients, works via ip no via dns name"
>>
>> I've already openend a ticket with Synology.
>>
>> So be careful before updating the SMB-Service, maybe test it first on 
>> a not so important system.
>>
>> Regard
>> Ingo
>>
>> -- 
>> Regards
>> Ingo
>> https://github.com/WAdama
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:? https://lists.samba.org/mailman/options/samba
>>

Hi all,

good news...

Synology fixed the problem at least for DSM 7.2 with SMB-Service 
4.13.15-0795.

I quote the answer from them:

"/Our developer team re-considered and fixed the problem at DSM 7.2 0795 
in the end./

/This is the reason why he saw the problem fixed in the latest version. 
Again, we remained our standpoint (same problem, same issue)/

/to this problem, but we find a way to fix it for Samba 4.17. Thanks for 
you and User's time for cooperation. /"

I hope this will last. But we will see...

Regards
Ingo
https://github.com/WAdama

Ingo Asche via samba schrieb am 07.07.2023 um 08:49:
> Hi Vincent,
>
> in my case access via hostname doesn't work. That seems to be a 
> Kerberos problem, as access via IP works. IP access uses NTLM 
> authentication.
>
> With SMB-Service 4.15.9-0619 (was the Beta) it worked, with the 
> released version 4.15.9-0632 not anymore.
>
> If you change one library in the released version to the one from Beta 
> (libidmap-samba4.so) then the released version works again.
>
> They claim it's because of one SID which can't be dissolved by 
> winbind: S-1-18-1. As I wrote in my last mail, this SID don't exist 
> under 2008R2 and earlier.
>
> I'm afraid you have to read the hole trail to get all informations.
>
> So do you use IP addresses or hostnames for access?
>
> Regards
> Ingo
> https://github.com/WAdama
>
> vincent at cojot.name schrieb am 07.07.2023 um 02:42:
>>
>> Hi Ingo,
>> Sorry for the late reply but I just gave it a test tonight and 
>> everything worked fine for me:
>> - Domain Controllers run RHEL8.8 + samba 4.17.8
>> - DSM 7.1.1 VM and DSM 7.2 physical box (DS3622xs)
>> I can give rights to domain groups in the Syno UI for shares hosted 
>> on the Syno and things work just fine. Of course both DSM units (VM + 
>> 3617xs) are joined to my AD domain using the Synology UI.
>>
>> What problem were you experiencing?
>>
>> Vincent
>>
>>
>> On Thu, 13 Apr 2023, Ingo Asche via samba wrote:
>>
>>> Hi,
>>>
>>> to all of you which are using Synology NAS systems.
>>>
>>> With SMB-Service 4.15.9-0631 no longer shares are accessible via 
>>> domain group rights from a Samba 4.17.7 domain.
>>>
>>> It seems the same error described in the following mail trails:
>>> "No longer access to shares after upgrade to 4.17.3"
>>> "File server joined to a samba domain accessed by windows
10-11
>>> clients, works via ip no via dns name"
>>>
>>> I've already openend a ticket with Synology.
>>>
>>> So be careful before updating the SMB-Service, maybe test it first 
>>> on a not so important system.
>>>
>>> Regard
>>> Ingo
>>>
>>> -- 
>>> Regards
>>> Ingo
>>> https://github.com/WAdama
>>>
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>
>