Open Daniel-dev22 opened 3 weeks ago
Hey there @hacf-fr, @quentame, @mib1185, mind taking a look at this issue as it has been labeled with an integration (synology_dsm) you are listed as a code owner for? Thanks!
(message by CodeOwnersMention)
synology_dsm documentation synology_dsm source (message by IssueLinks)
after analyzing the logs, I think the Adaptive Multi-Factor Authentication (Adaptive MFA) kicks in :thinking: Please check if you've adaptive MFA enabled, if yes disable it and test again, thx
Interesting I never thought of that.
I just disabled it but it still fails to setup a new integration.
mehhh :confused: the login process is as follows:
- when adding the nas to HA, first trying to login with username and password
- if 2fa is enabled, we will get a {'error': {'code': 403, 'errors': {'token': '***', 'types': [{'type': 'otp'}]}}, 'success': False} back from the nas
- now we ask for the OTP and try to login again with user+password and the OTP
- when successful, we get back the device_id and store it in HA (similar to "remember device" checkbox on login screen)
- if everything succeeds, we are done with setting up the Synology DSM integration in HA
- now we are starting the Synology DSM integration in HA
- we try to login with username, password and provide the device_id, which should identify HA as known/remembered device, those skip 2fa and accept user+password as login

in your case the last step fails, since your NAS again returns with {'error': {'code': 403, 'errors': {'token': '***', 'types': [{'type': 'otp'}]}}, 'success': False}, which means your NAS does not trust the device_id anymore or the source ip 192.168.15.1

is 192.168.15.1 the IP of your HA instance?
I was checking the logs of trusted devices and ips and I didn't see anything as blocked.
I'm using traefik on DSM so all traffic goes through traefik which it's docker bridge network gateway IP is 192.168.15.1. Because traefik is using the host gateway to talk to dsm that's why it's showing up as the source being the bridge gateway ip.
What I can do is turn the traefik access log on and get additional insights potentially into the requests being made to Synology/from home assistant and replies.
Explaining the workflow was helpful as now I can try to do more digging to see where this is falling apart.
This setup worked before with traefik with the same nas. At some point it stopped, after an update or restart, not sure, so I deleted the integration thinking it would help to re-add but it didn't.
Interestingly it also doesn't work even if I have home assistant go direct to Synology IP and bypass traefik. So that's why I never went down the troubleshooting hole on the traefik side. I made sure not to check verify cert and I got the same 2fa error going direct to Synologyip:5001
I'm using traefik on DSM so all traffic goes through traefik which it's docker bridge network gateway IP is 192.168.15.1. Because traefik is using the host gateway to talk to dsm that's why it's showing up as the source being the bridge gateway ip.
this sounds to be an advanced network configuration, which not only touches layer 3/4, but also up to layer 6 :thinking:
did you add 192.168.15.1 to the list of trusted proxies in the nas?
Interestingly it also doesn't work even if I have home assistant go direct to Synology IP and bypass traefik.
did you delete the integration in HA first, so the stored device_id gets removed from HA?
I made sure not to check verify cert and I got the same 2fa error going direct to Synologyip:5001
please provide new debug logs with this scenario (direct connection between HA and the nas)
It is in the list of trusted proxies and yes I deleted the Ha integration completely.
Here's the logs of direct to Synology from home assistant.
Info | Connection | 08/17/2024 09:40:44 am | homeassistant | User [homeassistant] from [192.168.4.62] has successfully passed the first authentication of 2FA via [password]
Info | Connection | 08/17/2024 09:40:42 am | homeassistant | User [homeassistant] from [192.168.4.62] signed in to [DSM] successfully via [password].
Info | Connection | 08/17/2024 09:40:40 am | homeassistant | User [homeassistant] from [192.168.4.62] has successfully passed the first authentication of 2FA via [password]
Info | Connection | 08/17/2024 09:40:10 am | homeassistant | User [homeassistant] from [192.168.4.62] has successfully passed the first authentication of 2FA via [password]
Info | Connection | 08/17/2024 09:40:08 am | homeassistant | User [homeassistant] from [192.168.4.62] signed in to [DSM] successfully via [password].
Info | Connection | 08/17/2024 09:40:05 am | homeassistant | User [homeassistant] from [192.168.4.62] has successfully passed the first authentication of 2FA via [password]
Log file from ha Synology 2fa log direct ip.txt
The log of the nas says, login successful:
Info | Connection | 08/17/2024 09:40:10 am | homeassistant | User [homeassistant] from [192.168.4.62] has successfully passed the first authentication of 2FA via [password]
but the nas responds with "otp needed"
2024-08-17 09:40:09.894 DEBUG (MainThread) [synology_dsm.synology_dsm] API: SYNO.API.Auth
2024-08-17 09:40:09.894 DEBUG (MainThread) [synology_dsm.synology_dsm] Request Method: GET
2024-08-17 09:40:10.243 DEBUG (MainThread) [synology_dsm.synology_dsm] Request url: https://192.168.4.197:5001/webapi/entry.cgi?account=*********&passwd=*********&enable_device_token=yes&device_name=ubuntu&device_id=*********&api=SYNO.API.Auth&version=7&method=login
2024-08-17 09:40:10.243 DEBUG (MainThread) [synology_dsm.synology_dsm] Response status_code: 200
2024-08-17 09:40:10.243 DEBUG (MainThread) [synology_dsm.synology_dsm] Response headers: {'Date': 'Sat, 17 Aug 2024 13:40:10 GMT', 'Content-Type': 'application/json; charset="UTF-8"', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=20', 'Vary': 'Accept-Encoding', 'X-Content-Type-Options': 'nosniff', 'X-XSS-Protection': '1; mode=block', 'Cache-Control': 'max-age=0, no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Encoding': 'gzip'}
2024-08-17 09:40:10.245 DEBUG (MainThread) [synology_dsm.synology_dsm] Successful returned data
2024-08-17 09:40:10.245 DEBUG (MainThread) [synology_dsm.synology_dsm] RESPONSE: {'error': {'code': 403, 'errors': {'token': '*****', 'types': [{'type': 'otp'}]}}, 'success': False}
i don't have any explanation for this and for now i'm on the track, that there is something wrong with the nas itself. But i'm not a Synology support engineer, so i don't know how to analyse this deeper on the nas
This setup worked before with traefik with the same nas. At some point it stopped, after an update or restart, not sure, so I deleted the integration thinking it would help to re-add but it didn't.
maybe an update of the nas or some component of it causes this issue or any other 3rd party installed app on the nas.
You can try to install another HA instance with an older version and check if the issue is still there. But as long as we do not know, what was the last working HA core version, i'm unable to check for differences in the code. As far as I can say for now, the code in HA works as expected, but the nas seems to not trust the device_id
Thank you for the quick responses. I'm going to keep digging and potentially open a Synology ticket. I do recall in previous issues with Synology people had the same 2fa error and unfortunately their solution that worked for them was disabling 2fa for the user which isn't ideal so I will keep digging and post any updates here.
Thanks again!
i've removed the needs-more-information tag, so this issue keeps open longer and added the "problem in device" to mark it properly for now
@mib1185
I'm wondering if it's not Synology that's the issue here.
I used this command I saw used in a previous 2fa Synology issue in this repo and it was successful. Logs on Synology looked the same with the way it logs successful login. So this works but not the integration? What does the integration do that's different?
curl 'https://synology.domain.com/webapi/entry.cgi?api=SYNO.API.Auth&version=7&method=login&account=homeassistant&passwd=<password>&otp_code=<otp>&enable_device_token=yes&device_name=postman&format=sid'
{"data":{"account":"homeassistant","device_id":"hMEGQkK2ewXVqTTYsVRiJybrqcIxOHHrhQnupxvRFunzCj9aMJusSVSm01CHZvlY0gBOgGMVXYBF0DN8RDkZ5A","ik_message":"","is_portal_port":false,"sid":"s13AHMIcChWHH4GAahKOx2J4xk-KlMP1NSil-6S_BzIdepaXc5gCNuQuiu__zXppZzi8MYrgDHQ_fOXO-VtFl0","synotoken":"--------"},"success":true}
with
curl 'https://synology.domain.com/webapi/entry.cgi?api=SYNO.API.Auth&version=7&method=login&account=homeassistant&passwd=<password>&otp_code=<otp>&enable_device_token=yes&device_name=postman&format=sid'
you're using the OTP to pass the 2fa, which would mean to enter a valid OTP each time you restart HA or the Synology integration - to avoid this, we use the returned device_id (same as you would check the "remember device" on login via UI) so the nas will remember HA as a trusted device and with providing the device_id during login (e.g. restart HA) the 2fa is fulfilled
I think all the API calls are in the debug logs? I'll try to call them 1 by 1 and see if I get anything different compared to ha.
I realized this was the issue all along.
On the security page.
Allow users on web browsers to skip 2-factor authentication by trusting devices
Once I enabled that it worked. Could be good to note for the next time someone runs into this lol.
Where did you find this option? Maybe we can add a note to our docs and point to some official synology documentation 🤔
The option is here.
control panel -> security and under login settings right above trusted proxies.
could you show me a screenshot or better a link to official Synology docs about this? Or at the best do you mind to add a proper note to the synology_dsm documentation? 🙂
The problem
The Synology DSM integration fails to setup a new integration entry with
Failed to set up: reason: Two-step authentication required for account: homeassistant
It was thought that this would fix it however it didn't unfortunately for me. https://github.com/home-assistant/core/issues/110848#issuecomment-2286382116
I have tried restarting ha, and also checked the Synology logs and saw that all attempts were successful by the homeassistant user.
Synology information
Model: DS220+
Software version: DSM 7.2.1-69057 Update 5
Synology logs
Attached is the logs from Synology integration and synology_dsm library. synology 2fa logs.txt
What version of Home Assistant Core has the issue?
2024.8.2
What was the last working version of Home Assistant Core?
No response
What type of installation are you running?
Home Assistant Container
Integration causing the issue
synology_dsm