Discussion:
[Samba] Synology NAS Samba Upgrade breaks "Classic" domain membership
Gaiseric Vandal
2016-05-11 15:52:47 UTC
I have a Synology NAS array appliance. It is linux based and uses
samba for file sharing. Normally the config is done via a gui
interface but you can ssh to the array. The domain controllers are
running Samba 3.6.x in classic domain mode. I have member servers
running 3.6.x and 4.3.8. no problem.


I recently updated the Synology "OS." The current version of samba is
Version 4.1.20. I don't know what the previous version was. After
the upgrade the NAS could not rejoin the domain.


From the command line "net rpc join" failed with a SIG error. The new
version of samba defaulted to requiring client and server signing. This
was easily fixed by updating the NAS smb.conf with



client signing=disabled
client ipc signing=disabled

server signing=disabled



The following also seemed legit

client signing=default
client ipc signing=default

server signing=default



If I deleted and recreated the machine account on the DC I could rejoin
the domain. However testing the join fails.



***@mynas:/# net rpc join -U "MYDOMAIN\Administrator"
Joined domain MYDOMAIN.



***@mynas:/#net rpc testjoin
dcerpc_netr_LogonGetCapabilities_r_recv failed with
NT_STATUS_INVALID_PARAMETER
cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind
failed with error NT_STATUS_INVALID_PARAMETER
net_rpc_join_ok: failed to open schannel session on
netlogon pipe to server MYPDC for domain MYDOMAIN. Error was
NT_STATUS_INVALID_PARAMETER
Join to domain 'MYDOMAIN' is not valid:
NT_STATUS_INVALID_PARAMETER
***@mynas:/#



The \\netlogon share on the PDC is open to guest access.


log files on the PDC show

192.168.x.x (192.168.x.x ) connect to service IPC$ initially as user
smb_nobody (uid=90001, gid=90001) (pid 19408)

...

[2016/05/11 11:46:22.733380, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: MYNAS$
[2016/05/11 11:46:22.738212, 2]
passdb/pdb_ldap.c:2427(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 515

...

[2016/05/11 11:46:22.741400, 3] rpc_server/srv_pipe.c:339(check_bind_req)
check_bind_req for \netlogon
[2016/05/11 11:46:22.741423, 3] rpc_server/srv_pipe.c:346(check_bind_req)
check_bind_req: \PIPE\netlogon -> \PIPE\netlogon
[2016/05/11 11:46:22.741482, 3]
../libcli/auth/schannel_state_tdb.c:179(schannel_fetch_session_key_tdb)
schannel_fetch_session_key_tdb: restored schannel info key
SECRETS/SCHANNEL/MYNAS
[2016/05/11 11:46:22.741539, 3]
rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
free_pipe_context: destroying talloc pool of size 23
[2016/05/11 11:46:22.743059, 3] smbd/process.c:1609(process_smb)
Transaction 9 of length 328 (0 toread)
[2016/05/11 11:46:22.743106, 3] smbd/process.c:1414(switch_message)
switch message SMBtrans (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.743133, 3] smbd/ipc.c:560(handle_trans)
trans <\PIPE\> data=240 params=0 setup=2
[2016/05/11 11:46:22.743164, 3] smbd/ipc.c:511(named_pipe)
named pipe command on <> name
[2016/05/11 11:46:22.743187, 3] smbd/ipc.c:475(api_fd_reply)
Got API command 0x26 on pipe "netlogon" (pnum 281f)
[2016/05/11 11:46:22.743235, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP)
api_rpcTNP: rpc command: NETR_LOGONGETCAPABILITIES
[2016/05/11 11:46:22.743307, 3]
rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
free_pipe_context: destroying talloc pool of size 23
[2016/05/11 11:46:22.744850, 3] smbd/process.c:1609(process_smb)
Transaction 10 of length 45 (0 toread)
[2016/05/11 11:46:22.744896, 3] smbd/process.c:1414(switch_message)
switch message SMBclose (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.744929, 3] smbd/reply.c:4860(reply_close)
close fd=-1 fnum=10271 (numopen=2)
[2016/05/11 11:46:22.746251, 3] smbd/process.c:1609(process_smb)
Transaction 11 of length 45 (0 toread)
[2016/05/11 11:46:22.746298, 3] smbd/process.c:1414(switch_message)
switch message SMBclose (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.746322, 3] smbd/reply.c:4860(reply_close)
close fd=-1 fnum=10270 (numopen=1)
[2016/05/11 11:46:22.746790, 3] smbd/process.c:1609(process_smb)
Transaction 12 of length 39 (0 toread)
[2016/05/11 11:46:22.746841, 3] smbd/process.c:1414(switch_message)
switch message SMBtdis (pid 19408) conn 0x88830a8
[2016/05/11 11:46:22.746879, 3] smbd/service.c:1378(close_cnum)
192.168.3.216 (192.168.3.216) closed connection to service IPC$
[2016/05/11 11:46:22.746906, 3] smbd/connection.c:35(yield_connection)
Yielding connection to IPC$
[2016/05/11 11:46:22.747527, 3] smbd/server_exit.c:181(exit_server_common)
Server exit (failed to receive smb request)



So the NAS is authenticating to the domain controller.




On the PDC (Samba 3.6.x) , testparm -v shows

min protocol = CORE
max protocol = NT1

On the NAS , testparm -v shows


server min protocol = CORE
client min protocol = CORE
server max protocol = NT1
client max protocol = SMB3
client ipc signing = No

(I have had problems with SMB2 even though samba 3.6.x, Win 7 and Win 2008
should support it.)


On my working samba 4.x system (on fedora core 23), testparm -v shows


server min protocol = LANMAN1
min protocol = LANMAN1
client min protocol = CORE
client ipc max protocol = default
client ipc min protocol = default
client ipc signing = default




Appreciate any advice.


Thanks
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
henri transfert
2016-05-12 06:26:22 UTC
Hi,

I am not sure it's the same issue, but I had a similar problem when
upgrading from DSM 5.x to 6.0 : error after domain join : "Connection
failed. Please check your network settings" .

With the help of the (very efficient) Synology support, we solved the
problem by uninstalling an old Cluster HA DSM package that was installed on
the NAS but not used.

Just in case it could help.

Henri
Gaiseric Vandal
2016-05-13 13:11:51 UTC
I don't see any cluster packages listed under the web gui interface. Is
this one of the packages that can only be managed via the command line
ipkg command, which is not installed by default?

thanks
Gaiseric Vandal
2016-05-16 18:36:18 UTC
On both the synology (samba 4.1.20) and PDC (samba 3.6.25) testparm showed

client schannel = Auto
server schannel = Auto


I don't know if the server even supports schannel. Maybe it
doesn't and all the clients successfully negotiated not to use it. On
the synology, I set

client schannel = no


This fixed my domain membership issue. Although possibly weakening
security on the synology? Or possibly revealing a problem with
schannel on my PDC. I realize both versions of Samba are end-of-life.
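
An added example (not written by any poster in this thread): a small Python audit that parses smb.conf or `testparm -v` style text and flags the settings this thread changed to get the join working, so the weakened state is visible afterwards. The sample configs are constructed from values quoted above; the rule list and the set of "off" spellings are assumptions of this example.

```python
import re

# Spellings this example treats as "off" (assumption: covers the usual
# boolean/enum forms, including the "disabled" and "No" seen in the thread).
OFF = {"no", "false", "0", "off", "disabled"}
# SMB1-family dialect names used by the protocol parameters.
SMB1 = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def is_off(value):
    return value in OFF


def is_smb1(value):
    return value in SMB1


# (parameter, predicate on the lowercased value, why it matters)
# "default" and "auto" are not flagged: their effect depends on the build
# and on what the peer offers, which this static check cannot see.
RULES = [
    ("client signing", is_off, "SMB client traffic is not integrity-protected"),
    ("client ipc signing", is_off, "IPC$/DCERPC client traffic is not signed"),
    ("server signing", is_off, "server never signs SMB responses"),
    ("client schannel", is_off, "netlogon secure channel not used as a client"),
    ("server schannel", is_off, "netlogon secure channel not offered to clients"),
    ("server max protocol", is_smb1, "server is capped at an SMB1 dialect"),
    ("max protocol", is_smb1, "server is capped at an SMB1 dialect"),
    ("client max protocol", is_smb1, "client is capped at an SMB1 dialect"),
]


def parse_global(text):
    """Return {parameter: value} for the [global] section (or unsectioned text)."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Parameter names are case-insensitive; collapse runs of whitespace.
        params[" ".join(key.lower().split())] = value.strip()
    return params


def audit(text):
    """Return a list of (parameter, value, reason) for every weakened setting."""
    params = parse_global(text)
    findings = []
    for name, is_bad, reason in RULES:
        value = params.get(name)
        if value is not None and is_bad(value.lower()):
            findings.append((name, value, reason))
    return findings


# Constructed sample: the NAS settings described in the thread.
NAS_CONF = """
[global]
client signing=disabled
client ipc signing=disabled
server signing=disabled
client schannel = no
server schannel = Auto
server max protocol = NT1
client max protocol = SMB3
"""

# Constructed sample: the same parameters with protection enforced.
HARDENED_CONF = """
[global]
client signing = mandatory
client ipc signing = mandatory
server signing = mandatory
client schannel = yes
server schannel = yes
server max protocol = SMB3
"""

if __name__ == "__main__":
    for name, value, reason in audit(NAS_CONF):
        print(f"{name} = {value}: {reason}")
```
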
Gaiseric Vandal
2016-05-17 20:16:00 UTC
I stand corrected.

On the NAS, "net rpc testjoin" validates the domain. However, I cannot
connect to shares on the NAS as a network user. Smbclient shows the
following:

-> smbclient -L \\mynas -U myname

Enter myname's password:

session setup failed: NT_STATUS_DOWNGRADE_DETECTED

->





The synology documentation does indicate recent patches were to fix
badlock. Presuming synology back ported the patch to an older
version or recompiled to mitigate.


mynas:/$ smbd -V
Version 4.1.20
Synology Build 7321, May 4 2016 11:48:15
mynas:/$
Gaiseric Vandal
2016-05-27 16:30:59 UTC
I rolled my appliance back to DSM 6 (no updates) which resolved the
issue. The BADLOCK update was applied in DSM 6u1.