QNAP NAS with Samba Active Directory

While I have found most things to just work, the Samba migration has yet to yield the desired results. I am presently stuck with being able to see users and groups but being unable to use them. Joining the domain was done with no apparent errors.

Using SSH I am able to run some commands and make changes.

> net getlocalsid 
SID for domain QNAP-ARTS is: S-1-5-21-3054616549-595454195-1147709163
> net getdomainsid
SID for local machine QNAP-ARTS is: S-1-5-21-3054616549-595454195-1147709163
SID for domain SAMDOM is: S-1-5-21-1705055176-644220441-5522801
> smbclient -L upinsmoke

WARNING: The "null passwords" option is deprecated
Enter admin's password:
session setup failed: NT_STATUS_LOGON_FAILURE

No surprise as “admin” is a local user on the QNAP.

> smbclient -L upinsmoke -UAdministrator

WARNING: The "null passwords" option is deprecated
Enter Administrator's password:
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.9.2-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
profiles Disk
userhome Disk
IPC$ IPC IPC Service (Samba 4.9.2-Debian)
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.9.2-Debian]
Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP UPINSMOKE

I did find out that QNAP is using a modified version of Samba 4.4.16. I say “modified” as they have backported various fixes according to their release notes. These fixes are not available for the 4.4 series since it reached End-Of-Life on 2017-Sep-21.

When running wbinfo -u and wbinfo -g I get the expected results. However, getent passwd and getent group still only show the local accounts and groups. When using LDAP I was shown all domain users and groups as well as the local users and groups.

I see the following in the winbind-imap log file when running the getent command:

[2019/01/03 10:48:43.776162, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:304(check_domain_online_handler)
check_domain_online_handler: called for domain SAMDOM (online = False)
[2019/01/03 10:48:43.782606, 5, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:160(msg_try_to_go_online)
msg_try_to_go_online: received for domain SAMDOM.
[2019/01/03 10:48:43.782702, 3, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:2136(connection_ok)
connection_ok: Connection to upinsmoke.samdom.example.net for domain SAMDOM is not connected
[2019/01/03 10:48:43.782797, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1935(cm_open_connection)
cm_open_connection: dcname is 'upinsmoke.samdom.example.net' for domain SAMDOM
[2019/01/03 10:48:43.782902, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:43.785833, 3] ../source3/libads/ldap.c:618(ads_connect)
Successfully contacted LDAP server 192.168.0.24
[2019/01/03 10:48:43.785943, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:43.786031, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:43.786381, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:43.786486, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:43.786595, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to 192.168.0.24 at port 445
[2019/01/03 10:48:43.789481, 3] ../source3/libads/ldap.c:618(ads_connect)
Successfully contacted LDAP server 192.168.0.24
[2019/01/03 10:48:43.789551, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1441(dcip_to_name)
dcip_to_name: flags = 0x3fd
[2019/01/03 10:48:43.789640, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:43.789726, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:43.790078, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1014(cm_prepare_connection)
cm_prepare_connection: connecting to DC upinsmoke.samdom.example.net for domain SAMDOM
[2019/01/03 10:48:43.814686, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2019/01/03 10:48:43.814913, 5, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1111(cm_prepare_connection)
connecting to upinsmoke.samdom.example.net from QNAP-ARTS with kerberos principal [QNAP-ARTS$@SAMDOM.EXAMPLE.NET] and realm [SAMDOM.EXAMPLE.NET]
[2019/01/03 10:48:43.814971, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=96)
[2019/01/03 10:48:43.815034, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
[2019/01/03 10:48:43.815075, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178@please_ignore
[2019/01/03 10:48:43.815103, 3] ../source3/libsmb/cliconnect.c:1742(cli_session_setup_get_principal)
cli_session_setup_spnego: using target hostname not SPNEGO principal
[2019/01/03 10:48:43.815131, 3] ../source3/libsmb/cliconnect.c:1757(cli_session_setup_get_principal)
cli_session_setup_spnego: guessed server principal=cifs/upinsmoke.samdom.example.net@SAMDOM.EXAMPLE.NET
[2019/01/03 10:48:43.994528, 3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
SPNEGO login failed: Indicates the SID structure is not valid.
[2019/01/03 10:48:43.994602, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1130(cm_prepare_connection)
Failed to use kerberos connecting to upinsmoke.samdom.example.net from QNAP-ARTS with kerberos principal [QNAP-ARTS$@SAMDOM.EXAMPLE.NET]
[2019/01/03 10:48:43.994636, 5, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1139(cm_prepare_connection)
connecting to upinsmoke.samdom.example.net from QNAP-ARTS using NTLMSSP with username [SAMDOM][QNAP-ARTS$]
[2019/01/03 10:48:43.994682, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=96)
[2019/01/03 10:48:43.994745, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
[2019/01/03 10:48:43.994786, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178@please_ignore
[2019/01/03 10:48:43.997872, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
Got challenge flags:
[2019/01/03 10:48:43.997911, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
[2019/01/03 10:48:43.998114, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2019/01/03 10:48:43.998151, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2019/01/03 10:48:43.998178, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2019/01/03 10:48:43.998202, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2019/01/03 10:48:44.003867, 3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
SPNEGO login failed: Indicates the SID structure is not valid.
[2019/01/03 10:48:44.003924, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1156(cm_prepare_connection)
Failed to use NTLMSSP connecting to upinsmoke.samdom.example.net from QNAP-ARTS with username [SAMDOM][QNAP-ARTS$]
[2019/01/03 10:48:44.003957, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1184(cm_prepare_connection)
authenticated session setup to upinsmoke.samdom.example.net using SAMDOM\QNAP-ARTS$ failed with NT_STATUS_INVALID_SID
[2019/01/03 10:48:44.050369, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1318(cm_prepare_connection)
Failed to prepare SMB connection to upinsmoke.samdom.example.net: NT_STATUS_INVALID_SID
[2019/01/03 10:48:44.050587, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1935(cm_open_connection)
cm_open_connection: dcname is 'upinsmoke.samdom.example.net' for domain SAMDOM
[2019/01/03 10:48:44.050718, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.053159, 3] ../source3/libads/ldap.c:618(ads_connect)
Successfully contacted LDAP server 192.168.0.24
[2019/01/03 10:48:44.053265, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.053352, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.053698, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.053826, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.053952, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to 192.168.0.24 at port 445
[2019/01/03 10:48:44.056770, 3] ../source3/libads/ldap.c:618(ads_connect)
Successfully contacted LDAP server 192.168.0.24
[2019/01/03 10:48:44.056826, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1441(dcip_to_name)
dcip_to_name: flags = 0x3fd
[2019/01/03 10:48:44.056914, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.057001, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.057348, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1014(cm_prepare_connection)
cm_prepare_connection: connecting to DC upinsmoke.samdom.example.net for domain SAMDOM
[2019/01/03 10:48:44.108321, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2019/01/03 10:48:44.108546, 5, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1111(cm_prepare_connection)
connecting to upinsmoke.samdom.example.net from QNAP-ARTS with kerberos principal [QNAP-ARTS$@SAMDOM.EXAMPLE.NET] and realm [SAMDOM.EXAMPLE.NET]
[2019/01/03 10:48:44.108604, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=96)
[2019/01/03 10:48:44.108668, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
[2019/01/03 10:48:44.108709, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178@please_ignore
[2019/01/03 10:48:44.108752, 3] ../source3/libsmb/cliconnect.c:1742(cli_session_setup_get_principal)
cli_session_setup_spnego: using target hostname not SPNEGO principal
[2019/01/03 10:48:44.108781, 3] ../source3/libsmb/cliconnect.c:1757(cli_session_setup_get_principal)
cli_session_setup_spnego: guessed server principal=cifs/upinsmoke.samdom.example.net@SAMDOM.EXAMPLE.NET
[2019/01/03 10:48:44.213871, 3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
SPNEGO login failed: Indicates the SID structure is not valid.
[2019/01/03 10:48:44.213941, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1130(cm_prepare_connection)
Failed to use kerberos connecting to upinsmoke.samdom.example.net from QNAP-ARTS with kerberos principal [QNAP-ARTS$@SAMDOM.EXAMPLE.NET]
[2019/01/03 10:48:44.213974, 5, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1139(cm_prepare_connection)
connecting to upinsmoke.samdom.example.net from QNAP-ARTS using NTLMSSP with username [SAMDOM][QNAP-ARTS$]
[2019/01/03 10:48:44.214019, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=96)
[2019/01/03 10:48:44.214083, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
[2019/01/03 10:48:44.214124, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178@please_ignore
[2019/01/03 10:48:44.216751, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
Got challenge flags:
[2019/01/03 10:48:44.216789, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
[2019/01/03 10:48:44.216996, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2019/01/03 10:48:44.217023, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2019/01/03 10:48:44.217050, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2019/01/03 10:48:44.217075, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2019/01/03 10:48:44.221351, 3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
SPNEGO login failed: Indicates the SID structure is not valid.
[2019/01/03 10:48:44.221395, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1156(cm_prepare_connection)
Failed to use NTLMSSP connecting to upinsmoke.samdom.example.net from QNAP-ARTS with username [SAMDOM][QNAP-ARTS$]
[2019/01/03 10:48:44.221428, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1184(cm_prepare_connection)
authenticated session setup to upinsmoke.samdom.example.net using SAMDOM\QNAP-ARTS$ failed with NT_STATUS_INVALID_SID
[2019/01/03 10:48:44.221559, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1318(cm_prepare_connection)
Failed to prepare SMB connection to upinsmoke.samdom.example.net: NT_STATUS_INVALID_SID
[2019/01/03 10:48:44.221727, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1935(cm_open_connection)
cm_open_connection: dcname is 'upinsmoke.samdom.example.net' for domain SAMDOM
[2019/01/03 10:48:44.221848, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.225960, 3] ../source3/libads/ldap.c:618(ads_connect)
Successfully contacted LDAP server 192.168.0.24
[2019/01/03 10:48:44.226065, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.226179, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.226494, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.226593, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.226745, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to 192.168.0.24 at port 445
[2019/01/03 10:48:44.229456, 3] ../source3/libads/ldap.c:618(ads_connect)
Successfully contacted LDAP server 192.168.0.24
[2019/01/03 10:48:44.229511, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1441(dcip_to_name)
dcip_to_name: flags = 0x3fd
[2019/01/03 10:48:44.229599, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.229686, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
get_dc_list: preferred server list: ", UPINSMOKE.samdom.example.net"
[2019/01/03 10:48:44.230020, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1014(cm_prepare_connection)
cm_prepare_connection: connecting to DC upinsmoke.samdom.example.net for domain SAMDOM
[2019/01/03 10:48:44.267876, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2019/01/03 10:48:44.268100, 5, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1111(cm_prepare_connection)
connecting to upinsmoke.samdom.example.net from QNAP-ARTS with kerberos principal [QNAP-ARTS$@SAMDOM.EXAMPLE.NET] and realm [SAMDOM.EXAMPLE.NET]
[2019/01/03 10:48:44.268179, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=96)
[2019/01/03 10:48:44.268244, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
[2019/01/03 10:48:44.268284, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178@please_ignore
[2019/01/03 10:48:44.268312, 3] ../source3/libsmb/cliconnect.c:1742(cli_session_setup_get_principal)
cli_session_setup_spnego: using target hostname not SPNEGO principal
[2019/01/03 10:48:44.268341, 3] ../source3/libsmb/cliconnect.c:1757(cli_session_setup_get_principal)
cli_session_setup_spnego: guessed server principal=cifs/upinsmoke.samdom.example.net@SAMDOM.EXAMPLE.NET
[2019/01/03 10:48:44.374073, 3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
SPNEGO login failed: Indicates the SID structure is not valid.
[2019/01/03 10:48:44.374157, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1130(cm_prepare_connection)
Failed to use kerberos connecting to upinsmoke.samdom.example.net from QNAP-ARTS with kerberos principal [QNAP-ARTS$@SAMDOM.EXAMPLE.NET]
[2019/01/03 10:48:44.374194, 5, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1139(cm_prepare_connection)
connecting to upinsmoke.samdom.example.net from QNAP-ARTS using NTLMSSP with username [SAMDOM][QNAP-ARTS$]
[2019/01/03 10:48:44.374239, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=96)
[2019/01/03 10:48:44.374303, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
[2019/01/03 10:48:44.374343, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178@please_ignore
[2019/01/03 10:48:44.377797, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
Got challenge flags:
[2019/01/03 10:48:44.377835, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62898215
[2019/01/03 10:48:44.378036, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
NTLMSSP: Set final flags:
[2019/01/03 10:48:44.378063, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2019/01/03 10:48:44.378090, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2019/01/03 10:48:44.378114, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2019/01/03 10:48:44.382475, 3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
SPNEGO login failed: Indicates the SID structure is not valid.
[2019/01/03 10:48:44.382540, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1156(cm_prepare_connection)
Failed to use NTLMSSP connecting to upinsmoke.samdom.example.net from QNAP-ARTS with username [SAMDOM][QNAP-ARTS$]
[2019/01/03 10:48:44.382573, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1184(cm_prepare_connection)
authenticated session setup to upinsmoke.samdom.example.net using SAMDOM\QNAP-ARTS$ failed with NT_STATUS_INVALID_SID
[2019/01/03 10:48:44.382707, 1, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1318(cm_prepare_connection)
Failed to prepare SMB connection to upinsmoke.samdom.example.net: NT_STATUS_INVALID_SID
[2019/01/03 10:48:44.382885, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:398(set_domain_offline)
set_domain_offline: called for domain SAMDOM
[2019/01/03 10:48:44.382919, 10, pid=13285, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:442(set_domain_offline)
set_domain_offline: added event handler for domain SAMDOM
[/var/log/samba] #

This morning I restarted the samba-ad-dc and now I see the “offline” entries in the log file that were not there before.

Some of my manual changes are being reset every time I restart the samba services. The deprecated option “null passwords” is being forced to “yes” by QNAP among others.

After several days of frustration I finally got it working.

Turns out to be an “error” in the AD-DC configuration that seemed fine but ended up causing issues. The issue was RPC failing on the server. It was not until I came upon the right error message that Google led me to the needed bug report with a discussion that was very close to my issue.

Removing the offending lines from the smb.conf on my AD-DC and restarting the samba-ad-dc service made the QNAP behave properly. The offending entries were:

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 100000-179999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 1000-99999
idmap config SAMDOM:unix_nss_info = yes

Once those entries were removed, getent passwd on the QNAP worked as expected and returned all known users.
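
A check for the configuration problem described above, as an added example that is not part of the original post: it lists the active "idmap config" parameters in an smb.conf whose [global] section sets "server role = active directory domain controller", and reports nothing for a domain member, where such lines belong. The function names and the sample file are constructed for illustration (the idmap lines in it are the ones quoted above), and the check assumes the role is declared explicitly in smb.conf.

```shell
#!/bin/sh
# Added example: flag "idmap config" parameters in the smb.conf of a Samba AD DC.

# find_dc_idmap_lines FILE
#   Prints "LINENO: text" for each active "idmap config" parameter in [global]
#   when that section declares the AD DC server role.
#   Returns 1 if any were found, 0 if none, 2 if FILE cannot be read.
find_dc_idmap_lines() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        {
            line = trim($0)
            if (line == "" || line ~ /^[#;]/) next        # blank line or comment
            if (line ~ /^\[.*\]$/) { section = tolower(line); next }
            if (section != "[global]") next
            eq = index(line, "=")
            if (eq == 0) next
            key = tolower(substr(line, 1, eq - 1))
            val = tolower(trim(substr(line, eq + 1)))
            gsub(/[ \t]+/, "", key)    # whitespace in parameter names is irrelevant
            if (key == "serverrole" && val == "active directory domain controller")
                is_dc = 1
            if (key ~ /^idmapconfig/)
                hits[++n] = NR ": " line
        }
        END {
            # Only report when the file really is a DC configuration.
            if (is_dc && n > 0) {
                for (i = 1; i <= n; i++) print hits[i]
                exit 1
            }
        }
    ' "$conf"
}

# write_sample_dc_conf FILE
#   Writes a constructed DC smb.conf; the idmap lines are those from the post.
write_sample_dc_conf() {
    cat > "$1" <<'EOF'
[global]
    netbios name = UPINSMOKE
    realm = SAMDOM.EXAMPLE.NET
    workgroup = SAMDOM
    server role = active directory domain controller
    # idmap config for the SAMDOM domain
    idmap config * : backend = tdb
    idmap config * : range = 100000-179999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 1000-99999
    idmap config SAMDOM:unix_nss_info = yes

[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.net/scripts
    read only = No
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp)
write_sample_dc_conf "$tmp"
find_dc_idmap_lines "$tmp" || echo "idmap config lines present in an AD DC smb.conf"
rm -f "$tmp"
```
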

I now have to go and test the use of these users and groups in the permissions assignments as that is where things failed before as well. Then I’ll have to “clean up” my custom work on the QNAP.
