SMB 2.0 / 3.0 doesn't work

Windows Access Rights Management
koos147
Starting out
Posts: 43
Joined: Fri Oct 30, 2009 7:23 pm

SMB 2.0 / 3.0 doesn't work

Post by koos147 »

Good afternoon,

As per the current urgent recommendations, we disabled all SMB 1.0 support.
Currently we are not able to access network shares on the QNAP anymore.

I found some posts about a setting in network services > windows > advanced. However, there is no such option on my NAS.
I use multiple models with firmware from 4.2.2 to 4.2.5.

Hope someone can point me in the right direction.

Mark
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: SMB 2.0 / 3.0 doesn't work

Post by schumaku »

Answered about every other week...

The tutorial is applicable to the newer and current NAS models with the so-called CAT2 feature set only.

The control has not made it to the UI of the CAT1 systems; you need to call the readily available smb[N|NN]enable, and check the current settings using smb2status from the NAS shell:

Up to QTS 4.2.x, SMB 2.1 is the max available:

[~] # smb21enable
...

QTS 4.3.x will bring SMB up to the 3.0 subset available in SAMBA 4.4 to all QNAP Marvell Kirkwood NAS.

[~] # smb3enable
...

Check status:

[~] # smb2status

smbd (samba daemon) Version 4.4.9
smbd (samba daemon) is running.
max protocol SMB 3.0 enabled.

[~] # smb<TAB>
smb21enable smb2disable smb2enable smb2status smb3enable smbtools

Enjoy!

-Kurt.
koos147
Starting out
Posts: 43
Joined: Fri Oct 30, 2009 7:23 pm

Re: SMB 2.0 / 3.0 doesn't work

Post by koos147 »

Good afternoon Kurt,

Thanks for the quick response.
I did this and was directly able to open a share.
After this I noticed that the system was no longer able to communicate with the domain controller.
Also getting errors from the NTP, which is not able to update.

With kinit I can authenticate as expected.
Do you have any idea?

Kind regards
Mark
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: SMB 2.0 / 3.0 doesn't work

Post by schumaku »

Hi Mark,

Probably somebody played with other security settings for SMB on the Windows ADDC side, i.e. mandatory SMB signing, mandatory SMB encryption, ...?

-Kurt
koos147
Starting out
Posts: 43
Joined: Fri Oct 30, 2009 7:23 pm

Re: SMB 2.0 / 3.0 doesn't work

Post by koos147 »

Hi Kurt,

Actually we have multiple completely separated networks, so I think it is a small chance someone has changed something in SMB signing.

This evening I spent some more time troubleshooting.
Let's start with the easy way.
Go to domain security > quick config wizard.
Fill in the first page.
On the second page it actually shows all domain controllers (so at least something is working).
Select a random domain controller (for now the closest one, but I tried them all).
Fill in the admin credentials and click join.

The error is below (after some find/replace):

Code:

Microsoft network settings failed. Please check the DNS server, domain name, and user name and password for logging in the domain.

======== DEBUG START =======

/usr/local/samba/bin/net time set -S SomeDC.contoso-Comp.local

Sync time with domain name fail, try to sync time with IP

Cannot find SomeDC.contoso-Comp.local's IP

[command] echo ******** | /usr/bin/kinit "administrator@contoso-Comp.LOCAL"

Password for administrator@contoso-Comp.LOCAL: 

Specify WORKGROUP = contoso

[command] /usr/local/samba/bin/net ads join -S SomeDC -U "administrator%********" -s /etc/config/smb.conf

Failed to join domain: failed to lookup DC info for domain 'contoso-Comp.LOCAL' over rpc: NT_STATUS_CONNECTION_RESET

[command] /usr/local/samba/bin/net ads join -S SomeDC.contoso-Comp.local -U "administrator%********" -s /etc/config/smb.conf

Failed to join domain: failed to lookup DC info for domain 'contoso-Comp.LOCAL' over rpc: NT_STATUS_CONNECTION_RESET

[command] /usr/local/samba/bin/net ads join -U "administrator%********" -s /etc/config/smb.conf

Failed to join domain: failed to lookup DC info for domain 'contoso-Comp.LOCAL' over rpc: NT_STATUS_CONNECTION_RESET

[command] /usr/local/samba/bin/net rpc join -S SomeDC -U "administrator%********" -s /etc/config/smb.conf

Connection failed: NT_STATUS_CONNECTION_RESET

Could not connect to server SomeDC

Connection failed: NT_STATUS_CONNECTION_RESET

[command] /usr/local/samba/bin/net rpc join -S SomeDC.contoso-Comp.local -U "administrator%********" -s /etc/config/smb.conf

Connection failed: NT_STATUS_CONNECTION_RESET

Could not connect to server SomeDC.contoso-Comp.local

Connection failed: NT_STATUS_CONNECTION_RESET

[command] /usr/local/samba/bin/net rpc join -U "administrator%********" -s /etc/config/smb.conf

Connection failed: NT_STATUS_CONNECTION_RESET

Could not connect to server SomeDC

Connection failed: NT_STATUS_CONNECTION_RESET

As you can see, Kerberos is working fine; after a kinit there is no error.

Also checked the NTP part, which according to the debug output isn't using the NTP protocol but using SMB (which explains why the problems started after changing the SMB protocol).

Code:

/usr/local/samba/bin/net time set -S somedc.contoso-comp.local -d 10
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
params.c:pm_process() - Processing configuration file "/etc/config/smb.conf"
Processing section "[global]"
doing parameter passdb backend = smbpasswd
doing parameter workgroup = 
doing parameter security = USER
doing parameter server string = QNAP-1
doing parameter encrypt passwords = Yes
doing parameter username level = 0
doing parameter map to guest = Bad User
doing parameter null passwords = yes
WARNING: The "null passwords" option is deprecated
doing parameter max log size = 10
doing parameter socket options = TCP_NODELAY SO_KEEPALIVE
doing parameter os level = 20
doing parameter preferred master = no
doing parameter dns proxy = No
doing parameter smb passwd file = /etc/config/smbpasswd
doing parameter username map = /etc/config/smbusers
doing parameter guest account = guest
doing parameter directory mask = 0777
doing parameter create mask = 0777
doing parameter oplocks = yes
doing parameter locking = yes
doing parameter disable spoolss = yes
doing parameter load printers = no
doing parameter display charset = UTF8
doing parameter force directory security mode = 0000
doing parameter veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/.@__qini/.Qsync/.@upload_cache/.qsync/.qsync_sn/.@qsys/.digest/
doing parameter delete veto files = yes
doing parameter map archive = no
doing parameter map system = no
doing parameter map hidden = no
doing parameter map read only = no
doing parameter deadtime = 10
doing parameter use sendfile = yes
doing parameter unix extensions = no
doing parameter store dos attributes = yes
doing parameter client ntlmv2 auth = yes
doing parameter dos filetime resolution = no
doing parameter inherit acls = yes
doing parameter wide links = yes
doing parameter min receivefile size = 8192
doing parameter case sensitive = auto
doing parameter domain master = auto
doing parameter local master = yes
doing parameter dos charset = ISO8859-1
doing parameter wins support = no
doing parameter force unknown acl user = yes
doing parameter template homedir = /share/homes/DOMAIN=%D/%U
doing parameter domain logons = no
doing parameter enhance acl v1 = yes
doing parameter remove everyone = yes
doing parameter kernel oplocks = no
doing parameter mangled names = no
doing parameter printcap cache time = 0
doing parameter conn log = no
doing parameter max protocol = SMB2_10
doing parameter pid directory = /var/lock
pm_process() returned Yes
lp_servicenumber: couldn't find samba_default_home
set_server_role: role = ROLE_STANDALONE
Netbios name list:-
my_netbios_names[0]="QNAP-1"
added interface eth0 ip=10.1.1.15 bcast=10.1.3.255 netmask=255.255.252.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Opening cache file at /usr/local/samba/var/locks/gencache.tdb
Opening cache file at /usr/local/samba/var/locks/gencache_notrans.tdb
sitename_fetch: No stored sitename for 
internal_resolve_name: looking up somedc.contoso-comp.local#20 (sitename (null))
Adding cache entry with key = NBT/somedc.contoso-comp.LOCAL#20 and timeout = Thu Jan  1 01:00:00 1970
 (-1494966743 seconds in the past)
no entry for somedc.contoso-comp.local#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name somedc.contoso-comp.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name somedc.contoso-comp.local<0x20>
startlmhosts: Can't open lmhosts file /etc/config/lmhosts. Error was No such file or directory
resolve_wins: Attempting wins lookup for name somedc.contoso-comp.local<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name somedc.contoso-comp.local<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for somedc.contoso-comp.local#20: 10.1.1.5
Adding cache entry with key = NBT/somedc.contoso-comp.LOCAL#20 and timeout = Tue May 16 22:43:23 2017
 (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 10.1.1.5:0 
Running timed event "tevent_req_timedout" 0x9c26518
Connecting to 10.1.1.5 at port 445
Socket options:
SO_KEEPALIVE = 1
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 23080
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
TCP_QUICKACK = 1
Protocol negotiation failed: NT_STATUS_CONNECTION_RESET
return code = -1

For this specific QNAP there is currently no option to revert the change.
(Since there is no sensitive data on the NAS, we enabled guest access for the shares.)

For the other QNAPs the authentication is not working. However, we don't want to run the wizard, since the QNAP will remove all existing share permissions after a failed join attempt (really annoying bug, but that is off-topic).

Hope someone can point me in the right direction to get this solved.

Regards
Mark
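
An added example (not part of Mark's post and not QNAP tooling): a small Python parser for `net ... -d 10` output like the log above. It separates the server-side and client-side protocol and signing parameters that smb.conf actually sets and records any negotiation failure. The sample log is constructed from a few of the lines above; the key lists are standard Samba smb.conf parameter names.

```python
import re

# Constructed sample: a few lines in the format of the `net ... -d 10` output above.
SAMPLE_LOG = """\
doing parameter security = USER
doing parameter null passwords = yes
doing parameter client ntlmv2 auth = yes
doing parameter max protocol = SMB2_10
Connecting to 10.1.1.5 at port 445
Protocol negotiation failed: NT_STATUS_CONNECTION_RESET
"""

# smb.conf parameters that bound the SMB dialect or signing, per side.
SERVER_KEYS = ("max protocol", "server max protocol", "min protocol",
               "server min protocol", "server signing")
CLIENT_KEYS = ("client max protocol", "client min protocol", "client signing")

PARAM_RE = re.compile(r"^doing parameter\s+(.+?)\s*=\s*(.*)$")
FAIL_RE = re.compile(r"^Protocol negotiation failed:\s*(NT_STATUS_\w+)")
CONNECT_RE = re.compile(r"^Connecting to (\S+) at port (\d+)")


def analyze(log_text):
    """Summarise protocol-related smb.conf settings and negotiation failures."""
    params, failures, target = {}, [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := PARAM_RE.match(line):
            params[m.group(1).lower()] = m.group(2).strip()
        elif m := CONNECT_RE.match(line):
            target = (m.group(1), int(m.group(2)))  # last connection attempt
        elif m := FAIL_RE.match(line):
            failures.append((target, m.group(1)))
    return {
        "server": {k: params[k] for k in SERVER_KEYS if k in params},
        "client": {k: params[k] for k in CLIENT_KEYS if k in params},
        "client_unset": [k for k in CLIENT_KEYS if k not in params],
        "failures": failures,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("server-side settings:", report["server"])
    print("client-side settings:", report["client"] or "none set")
    print("left at built-in default:", ", ".join(report["client_unset"]))
    for target, status in report["failures"]:
        print(f"negotiation with {target} failed: {status}")
```

Run against the full log above, the only protocol setting it finds is `max protocol = SMB2_10`; no client-side protocol or signing parameter is set, so the `net` client runs with the built-in defaults of the installed Samba version.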
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: SMB 2.0 / 3.0 doesn't work

Post by schumaku »

Hi Mark,

Just one to start with ... almost on the way to some days off, sorry... Does the NAS have multiple DNS servers configured, i.e. some ADDC-DNS, and some on the router or on a public DNS - where some can't resolve your .local domain - neither for contoso-Comp.local (which must return a list of IP addresses for the ADDC, or all the ADDC in your forest) nor for the designated SomeDC.contoso-Comp.local?

-Kurt
nthkmf
Starting out
Posts: 18
Joined: Wed Aug 26, 2015 11:32 am
Location: Vietnam

Re: SMB 2.0 / 3.0 doesn't work

Post by nthkmf »

schumaku wrote: Answered about every other week...

The tutorial is applicable to the newer and current NAS models with the so-called CAT2 feature set only.

The control has not made it to the UI of the CAT1 systems; you need to call the readily available smb[N|NN]enable, and check the current settings using smb2status from the NAS shell:

Up to QTS 4.2.x, SMB 2.1 is the max available:

[~] # smb21enable
...

QTS 4.3.x will bring SMB up to the 3.0 subset available in SAMBA 4.4 to all QNAP Marvell Kirkwood NAS.

[~] # smb3enable
...

Check status:

[~] # smb2status

smbd (samba daemon) Version 4.4.9
smbd (samba daemon) is running.
max protocol SMB 3.0 enabled.

[~] # smb<TAB>
smb21enable smb2disable smb2enable smb2status smb3enable smbtools

Enjoy!

-Kurt.
This thread works for me.
I've 2 Windows Server 2012 R2 - with SMB1.0 disabled - and I cannot access my QNAP, so I followed this and it works.
Thank you very much! <3

Regards,
Hoc Nguyen from Vietnam.
koos147
Starting out
Posts: 43
Joined: Fri Oct 30, 2009 7:23 pm

Re: SMB 2.0 / 3.0 doesn't work

Post by koos147 »

schumaku wrote: Hi Mark,

Just one to start with ... almost on the way to some days off, sorry... Does the NAS have multiple DNS servers configured, i.e. some ADDC-DNS, and some on the router or on a public DNS - where some can't resolve your .local domain - neither for contoso-Comp.local (which must return a list of IP addresses for the ADDC, or all the ADDC in your forest) nor for the designated SomeDC.contoso-Comp.local?

-Kurt
Hi Kurt,

The DNS servers are both domain controllers. I can ping the domain and the servers without any problem. Nothing changed on this side.
Otherwise the kinit shouldn't work either. If you have more ideas, please let me know.

@nthkmf
Is the QNAP domain joined?
I can access the QNAP with local user accounts or guest access without problems.


Regards
Mark
mahanes75@gmail.com
First post
Posts: 1
Joined: Mon May 22, 2017 8:42 pm

Re: SMB 2.0 / 3.0 doesn't work

Post by mahanes75@gmail.com »

I am having the same issue that I can't see the shares on my QNAP running 4.3.3.
koos147
Starting out
Posts: 43
Joined: Fri Oct 30, 2009 7:23 pm

Re: SMB 2.0 / 3.0 doesn't work

Post by koos147 »

mahanes75@gmail.com wrote: I am having the same issue that I can't see the shares on my QNAP running 4.3.3.
By running the commands from Kurt your shares will re-appear.
However, the QNAP will no longer join a Windows Server 2012 R2 domain.

I currently have worked around this for one of the NAS systems. I was able to join this to a Windows Server 2008 domain controller.

However, for the other NASes there is still no solution.
Tattoofreak
New here
Posts: 4
Joined: Fri Aug 18, 2017 3:57 am

Re: SMB 2.0 / 3.0 doesn't work

Post by Tattoofreak »

koos147 wrote: however the qnap will no longer join to a Windows server 2012 R2 domain.
Any news about this?
koos147
Starting out
Posts: 43
Joined: Fri Oct 30, 2009 7:23 pm

Re: SMB 2.0 / 3.0 doesn't work

Post by koos147 »

Hey,

A very short time after my message QNAP released another firmware.
So on my side everything is working exactly as it should now.

So please update your NAS and try it again.

Kind regards
Mark