ahaenggli/AzureAD-LDAP-wrapper

Synology SAMBA stopped authenticating after a reboot

Closed this issue · 3 comments

quog commented

Hi
We have a Synology NAS running DSM 7.2.1-690257 Update 5 with the latest docker release of the LDAP wrapper. After a reboot of the NAS (to implement ActiveBackup Agent, but that should be unrelated) all users' credentials to SMB shares stopped working.

The credentials were good - the same user could log in to DSM (and therefore re-cache the credential if that was the issue). There were no errors in the wrapper debug logs.

The Synology /var/log/samba/smbd.log had

../../source3/auth/token_util.c:565: [2024/06/21 09:12:46.621240, all 0, pid=27755] add_local_groups
  add_local_groups: SID S-1-12-1-3288932778-1154570832-1460653469-268603384 -> getpwuid(9557117) failed, is nsswitch configured?
../../source3/auth/token_util.c:403: [2024/06/21 09:12:46.621276, all 3, pid=27755] create_local_nt_token_from_info3
  Failed to add local groups
../../source3/smbd/smb2_server.c:3970: [2024/06/21 09:12:46.621307, smb2 3, pid=27755] smbd_smb2_request_error_ex
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:156
../../source3/smbd/server_exit.c:247: [2024/06/21 09:12:46.623782, all 3, pid=27755] exit_server_common

Key settings in the wrapper are

LDAP_ALLOWCACHEDLOGIN  true
LDAP_SAMBANTPWD_MAXIMUM -1

"Enable UID/GID shifting" is on in DSM LDAP settings.

Permissions are done via AzureAD groups if that matters. Any ideas would be appreciated.

Thanks,
Damian
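The smbd.log excerpt above shows the failure chain Samba walks through when a SID can be resolved but the UID it maps to is unknown to the NSS stack: add_local_groups reports getpwuid failing, create_local_nt_token_from_info3 then fails to add local groups, and the SMB2 session setup ends in NT_STATUS_LOGON_FAILURE. The following is an added example (not code from the issue or from the AzureAD-LDAP-wrapper project) that parses lines of this shape, ties the unmapped SID/UID to the logon failure for the same smbd pid, and offers a local cross-check of whether the UID resolves. It assumes only the log line layout visible in the post; the sample text is the post's own excerpt, and the function and field names are mine.

```python
import re

# Sample input: the smbd.log lines quoted in the issue, embedded here so the
# example runs offline.
SAMPLE_LOG = """\
../../source3/auth/token_util.c:565: [2024/06/21 09:12:46.621240, all 0, pid=27755] add_local_groups
  add_local_groups: SID S-1-12-1-3288932778-1154570832-1460653469-268603384 -> getpwuid(9557117) failed, is nsswitch configured?
../../source3/auth/token_util.c:403: [2024/06/21 09:12:46.621276, all 3, pid=27755] create_local_nt_token_from_info3
  Failed to add local groups
../../source3/smbd/smb2_server.c:3970: [2024/06/21 09:12:46.621307, smb2 3, pid=27755] smbd_smb2_request_error_ex
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:156
../../source3/smbd/server_exit.c:247: [2024/06/21 09:12:46.623782, all 3, pid=27755] exit_server_common
"""

# Header line: "<file>:<line>: [<timestamp>, <class> <level>, pid=<pid>] <function>"
HEADER_RE = re.compile(
    r"^\S+:\d+: \[(?P<ts>[^,]+), (?P<cls>\S+) (?P<level>\d+), pid=(?P<pid>\d+)\] (?P<func>\S+)$"
)
# Detail line produced when the SID maps to a UID that NSS cannot resolve.
GETPWUID_RE = re.compile(r"SID (?P<sid>S-[\d-]+) -> getpwuid\((?P<uid>\d+)\) failed")
# Detail line carrying the NT status of the failed session setup.
STATUS_RE = re.compile(r"status\[(?P<status>NT_STATUS_\w+)\]")


def parse_smbd_log(text):
    """Group smbd debug output into entries: one header plus its indented detail lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"ts": m["ts"], "pid": int(m["pid"]),
                            "func": m["func"], "details": []})
        elif entries and line.startswith(" "):
            entries[-1]["details"].append(line.strip())
    return entries


def find_unmapped_uid_logon_failures(text):
    """Return one record per smbd pid where a SID->UID lookup failed and the
    same pid then rejected the session with an NT_STATUS_* error.

    Pairing on pid matters: smbd forks per client, so interleaved output from
    other sessions must not be attributed to this failure.
    """
    pending = {}   # pid -> record of the getpwuid failure awaiting its status line
    findings = []
    for entry in parse_smbd_log(text):
        for detail in entry["details"]:
            m = GETPWUID_RE.search(detail)
            if m:
                pending[entry["pid"]] = {"pid": entry["pid"], "ts": entry["ts"],
                                         "sid": m["sid"], "uid": int(m["uid"])}
                continue
            s = STATUS_RE.search(detail)
            if s and entry["pid"] in pending:
                rec = pending.pop(entry["pid"])
                rec["status"] = s["status"]
                findings.append(rec)
    return findings


def uid_resolves(uid):
    """Local cross-check: does NSS on this host know the UID Samba complained about?
    On a box where the cache has gone stale this returns False for the logged uid."""
    try:
        import pwd
        pwd.getpwuid(uid)
        return True
    except (ImportError, KeyError):
        return False


if __name__ == "__main__":
    for f in find_unmapped_uid_logon_failures(SAMPLE_LOG):
        print(f"{f['ts']} pid={f['pid']} {f['sid']} -> uid {f['uid']} "
              f"unresolvable, session result {f['status']}, "
              f"resolves locally now: {uid_resolves(f['uid'])}")
```

Run against a full smbd.log after a reboot, a non-empty result from find_unmapped_uid_logon_failures is the signature of this cache/NSS mapping problem rather than a wrong password, and uid_resolves reports whether refreshing the cache has actually restored the mapping.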

@quog I have found that after a reboot I need to press the Refresh Cache under SMB settings in order to get the login / credentials working again.


In one setup, I have not set the "Enable UID/GID shifting". I sometimes have to "refresh" the group permission there, after which it works again.

quog commented

@ahaenggli I see you have just closed this issue, but I wanted to leave feedback. We removed and rejoined the LDAP on the Synology without the UID/GID shifting but with the latest version. Currently testing with one real user and so far so good - will be rolling out further next week.