ahaenggli / AzureAD-LDAP-wrapper

LDAP-Wrapper for 'microsoft 365' work or school accounts/users (former 'office 365' - via Entra ID, former AzureAD without AADDS)
https://ahaenggli.github.io/AzureAD-LDAP-wrapper/
MIT License

I have the same issue - users can log into the DSM web interface without issue but cannot access any SMB shares. #19

Closed ahaenggli closed 2 years ago

ahaenggli commented 2 years ago

I have the same issue - users can log into the DSM web interface without issue but cannot access any SMB shares. Running DSM 7.1-42661 Update 1, groups all synced up and can log into the web interface no problems but SMB authentication isn't working.

DSM7 var is set to true/ports correctly set. User has access to SMB application. User has access to fileshare/can access it via the DSM web interface. DEBUG is on, but don't see anything in the logs to indicate any kind of SMB activity.

I have no idea, what can I change to get SMB working.

Originally posted by @gili98 in https://github.com/ahaenggli/AzureAD-LDAP-wrapper/issues/12#issuecomment-1140298195

ahaenggli commented 2 years ago

I have no idea either @gili98 :/ Does SMB work with a regular local User?

gili98 commented 2 years ago

Yes with local users - SMB worked without problems

ahaenggli commented 2 years ago

Maybe there is something in the samba log. Can you try this to get more information?

I hope there is something helpful in it.

gili98 commented 2 years ago

Thank you for the manual. I did not find an entry with the user I wanted to connect. I cannot share the log file with anyone because of the usernames and passwords. Is there another way to share the file privately?

ahaenggli commented 2 years ago

Passwords shouldn't be in the log file. At least I never saw one in mine... Could you share here just the day (the last few lines in the file) when you collected the debug logs? You can replace the usernames/domains with [name] and passwords - if any - with [secret].

gili98 commented 2 years ago

OK, here is the log file [edit: a bit shortened]:

../../auth/ntlmssp/ntlmssp_server.c:556: [2022/06/02 21:18:45.122155, auth 3, pid=27083] ntlmssp_server_preauth
  Got user=[XXXXX@outlook.com] domain=[MicrosoftAccount] workstation=[PC7] len1=24 len2=254
../../lib/param/loadparm.c:1895: [2022/06/02 21:18:45.123137, all 1, pid=27083] lpcfg_do_global_parameter
  WARNING: The "ldap ssl ads" option is deprecated
../../source3/param/loadparm.c:757: [2022/06/02 21:18:45.123277, syno 3, pid=27083] SynoLoadCustomizeConfs
  Cannot opendir for custom conf
../../source3/param/loadparm.c:3610: [2022/06/02 21:18:45.123316, all 3, pid=27083] lp_do_section
  Processing section "[global]"
../../source3/param/loadparm.c:3165: [2022/06/02 21:18:45.123399, all 2, pid=27083] lp_include
  Can't find include file /var/tmp/nginx/smb.netbios.aliases.conf
../../source3/param/loadparm.c:3627: [2022/06/02 21:18:45.124076, all 2, pid=27083] lp_do_section
  Processing section "[backup]"
../../source3/param/loadparm.c:3627: [2022/06/02 21:18:45.124507, all 2, pid=27083] lp_do_section
  Processing section "[docker]"
../../source3/param/loadparm.c:757: [2022/06/02 21:18:45.130026, syno 3, pid=27083] SynoLoadCustomizeConfs
  Cannot opendir for custom conf
../../source3/auth/auth.c:189: [2022/06/02 21:18:45.130114, auth 3, pid=27083] auth_check_ntlm_password
  check_ntlm_password:  Checking password for unmapped user [MicrosoftAccount]\[XXXXX@outlook.com]@[PC7] with the new password interface
../../source3/auth/auth.c:192: [2022/06/02 21:18:45.130137, auth 3, pid=27083] auth_check_ntlm_password
  check_ntlm_password:  mapped user is: [MicrosoftAccount]\[XXXXX@outlook.com]@[PC7]
../../source3/passdb/pdb_interface.c:341: [2022/06/02 21:18:45.135177, syno 3, pid=27083] pdb_getsampwnam
  getsampwnam account XXXXX@outlook.com fail NT_STATUS_NO_SUCH_USER
../../source3/auth/check_samsec.c:458: [2022/06/02 21:18:45.135281, auth 3, pid=27083] check_sam_security
  check_sam_security: Couldn't find user 'XXXXX@outlook.com' in passdb.
../../source3/auth/auth.c:361: [2022/06/02 21:18:45.135305, auth 2, pid=27083] auth_check_ntlm_password
  check_ntlm_password:  Authentication for user [XXXXX@outlook.com] -> [XXXXX@outlook.com] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
../../auth/auth_log.c:812: [2022/06/02 21:18:45.135355, auth_audit 2, pid=27083] log_authentication_event_human_readable
  Auth: [SMB2,(null)] user [MicrosoftAccount]\[XXXXX@outlook.com] at [Thu, 02 Jun 2022 21:18:45.135331 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [PC7] remote host [ipv4:172.16.30.7:50259] mapped to [MicrosoftAccount]\[XXXXX@outlook.com]. local host [ipv4:172.16.99.99:445]
  {"timestamp":"2022-06-02T21:18:45.135414+0200","type":"Authentication","Authentication":{"version":{"major":1,"minor":1},"eventId":4625,"logonType":3,"status":"NT_STATUS_NO_SUCH_USER","localAddress":"ipv4:172.16.99.99:445","remoteAddress":"ipv4:172.16.30.7:50259","serviceDescription":"SMB2","authDescription":null,"clientDomain":"MicrosoftAccount","clientAccount":"XXXXX@outlook.com","workstation":"PC7","becameAccount":null,"becameDomain":null,"becameSid":null,"mappedAccount":"XXXXX@outlook.com","mappedDomain":"MicrosoftAccount","netlogonComputer":null,"netlogonTrustAccount":null,"netlogonNegotiateFlags":"0x00000000","netlogonSecureChannelType":0,"netlogonTrustAccountSid":null,"passwordType":"NTLMv2","duration":18667}}
../../source3/auth/auth_ntlmssp.c:218: [2022/06/02 21:18:45.135495, syno 0, pid=27083] auth3_check_password
  The LDAP suffix it not the same as system bind, [[name]] / [outlook.com]
../../source3/auth/auth_util.c:2482: [2022/06/02 21:18:45.135518, auth 3, pid=27083] do_map_to_guest_server_info
  No such user XXXXX@outlook.com [MicrosoftAccount] - using guest account
../../source3/smbd/smb2_server.c:2796: [2022/06/02 21:18:45.135729, syno 3, pid=27083] smbd_smb2_request_dispatch
  SMB2: cmd=SMB2_OP_SESSSETUP [NT_STATUS_OK]
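
The log above contains the whole story in three lines: the passdb lookup fails with NT_STATUS_NO_SUCH_USER, Samba notes that the LDAP suffix differs from the system bind, and the failed user is then silently mapped to the guest account, so the SMB2 session setup returns NT_STATUS_OK and the client only sees a share it cannot read. The following triage script is an added example (not part of this issue thread or the AzureAD-LDAP-wrapper project) that parses those lines: it picks up the JSON audit record Samba emits per authentication attempt, pairs it with the guest fallback and the suffix warning, and reports each failed logon that was downgraded to guest. The embedded sample is a trimmed, constructed copy of the masked log lines posted above; the regexes are written against that wording and are an assumption for other Samba builds.

```python
"""Triage Samba debug/audit log lines for SMB logons that fell back to guest."""
import json
import re

# Constructed sample: trimmed copies of the masked log lines from this issue.
SAMPLE_LOG = r"""
../../source3/passdb/pdb_interface.c:341: [2022/06/02 21:18:45.135177, syno 3, pid=27083] pdb_getsampwnam
  getsampwnam account XXXXX@outlook.com fail NT_STATUS_NO_SUCH_USER
../../auth/auth_log.c:812: [2022/06/02 21:18:45.135355, auth_audit 2, pid=27083] log_authentication_event_human_readable
  Auth: [SMB2,(null)] user [MicrosoftAccount]\[XXXXX@outlook.com] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [PC7] remote host [ipv4:172.16.30.7:50259]
  {"timestamp":"2022-06-02T21:18:45.135414+0200","type":"Authentication","Authentication":{"version":{"major":1,"minor":1},"eventId":4625,"logonType":3,"status":"NT_STATUS_NO_SUCH_USER","localAddress":"ipv4:172.16.99.99:445","remoteAddress":"ipv4:172.16.30.7:50259","serviceDescription":"SMB2","authDescription":null,"clientDomain":"MicrosoftAccount","clientAccount":"XXXXX@outlook.com","workstation":"PC7","becameAccount":null,"becameDomain":null,"becameSid":null,"mappedAccount":"XXXXX@outlook.com","mappedDomain":"MicrosoftAccount","netlogonComputer":null,"netlogonTrustAccount":null,"netlogonNegotiateFlags":"0x00000000","netlogonSecureChannelType":0,"netlogonTrustAccountSid":null,"passwordType":"NTLMv2","duration":18667}}
../../source3/auth/auth_ntlmssp.c:218: [2022/06/02 21:18:45.135495, syno 0, pid=27083] auth3_check_password
  The LDAP suffix it not the same as system bind, [[name]] / [outlook.com]
../../source3/auth/auth_util.c:2482: [2022/06/02 21:18:45.135518, auth 3, pid=27083] do_map_to_guest_server_info
  No such user XXXXX@outlook.com [MicrosoftAccount] - using guest account
../../source3/smbd/smb2_server.c:2796: [2022/06/02 21:18:45.135729, syno 3, pid=27083] smbd_smb2_request_dispatch
  SMB2: cmd=SMB2_OP_SESSSETUP [NT_STATUS_OK]
"""

# One JSON audit record per authentication attempt (Samba's auth_audit log).
AUDIT_RE = re.compile(r'^\s*(\{"timestamp".*\})\s*$')
# The guest downgrade that turns a failed lookup into an "OK" session setup.
GUEST_RE = re.compile(r"No such user (\S+) \[([^\]]*)\] - using guest account")
# The Synology-specific suffix warning, e.g. "[[name]] / [outlook.com]".
SUFFIX_RE = re.compile(r"system bind, (\[.*?\]) / (\[.*?\])")


def parse_auth_events(log_text):
    """Return one dict per Authentication audit record, timestamp included."""
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        rec = json.loads(m.group(1))
        if rec.get("type") == "Authentication":
            events.append(dict(rec["Authentication"], timestamp=rec["timestamp"]))
    return events


def find_guest_fallbacks(log_text):
    """(account, domain) pairs whose failed lookup was mapped to guest."""
    return [(m.group(1), m.group(2)) for m in GUEST_RE.finditer(log_text)]


def find_suffix_mismatch(log_text):
    """(bind suffix, account domain) from the suffix warning, or None."""
    m = SUFFIX_RE.search(log_text)
    if not m:
        return None
    return m.group(1).strip("[]"), m.group(2).strip("[]")


def triage(log_text):
    """Human-readable findings: failed logons, guest downgrades, suffix mismatch."""
    findings = []
    guests = dict(find_guest_fallbacks(log_text))
    for ev in parse_auth_events(log_text):
        if ev["status"] == "NT_STATUS_OK":
            continue
        note = (f"{ev['clientDomain']}\\{ev['clientAccount']} from {ev['remoteAddress']} "
                f"via {ev['serviceDescription']}/{ev['passwordType']}: {ev['status']}")
        if ev["clientAccount"] in guests:
            # Session setup still reports NT_STATUS_OK, so the client sees no
            # logon error, only an unreadable share.
            note += " (downgraded to guest; share access denied without a logon error)"
        findings.append(note)
    mismatch = find_suffix_mismatch(log_text)
    if mismatch:
        findings.append(f"LDAP suffix mismatch: bind suffix {mismatch[0]!r} "
                        f"vs account domain {mismatch[1]!r}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a real `log.smbd` and look for the guest-downgrade note: it is the signature of the situation in this thread, where DSM lets the user in but SMB quietly serves a guest session.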

ahaenggli commented 2 years ago

Wow, that's more entries than expected. Those successful [outlook.com] entries are a bit irritating. Microsoft doesn't support those personal accounts in the ROPC flow...

Are you perhaps also running the Synology Directory Service or the Synology LDAP server? It somehow doesn't look like the Docker container is being used by samba.

gili98 commented 2 years ago

The Outlook.com connection is from a PC that wants to connect to the SMB share via GPO. It only runs the Domain/LDAP service, connected to the Docker: [screenshot]

ahaenggli commented 2 years ago

Oh, German. That makes the conversation easier xD Could you check in Package Center whether one of these packages is still installed after all? [screenshot] Even if the Domain/LDAP connection points at the Docker container, those two packages override certain Samba settings. Merely stopping them would not reset the settings; only uninstalling them does.

Just to be sure: did you make the Domain/LDAP connection with a user from the environment variable, not with one that really exists? Otherwise I'm slowly running out of ideas...

gili98 commented 2 years ago

Definitely easier :-) No, the two packages are not installed: [screenshot]

On point two: good question, honestly I don't remember. Can you see the username in a log?

ahaenggli commented 2 years ago

Unfortunately I don't know the logs that well. But you can re-set the user from your environment variable for the connection (Edit > Rejoin LDAP): [screenshot]

gili98 commented 2 years ago

I have now redone the connection with the username and password, so it is definitely not an existing user. I think I used an existing one before. Access still doesn't work, though. Interestingly, I can't find any entry in the log file for the two e-mail addresses that want to access the SMB share.

ahaenggli commented 2 years ago

So, last attempt, after that I unfortunately have to give up...

gili98 commented 2 years ago

I have now found the error. You have to log in once via DSM with the new LDAP user, then SMB share access works too. I got the idea because you wrote to log in via DSM first. Then it suddenly worked with the user.

ahaenggli commented 2 years ago

Great, glad it works now! I'll add a bit to the documentation. Hopefully that will make it easier for others.