JohnStrack
Feb 28, 2013 (Aspirant)
ReadyNAS 2100 connection problem
I have a ReadyNAS 2100 set up with Active Directory in our domain security. This morning, about half of the building started complaining that they were being asked to log in when connecting to the de...
kossboss
Feb 28, 2013 (Guide)
Welcome to WINDOWS Domain and squirrelly Samba Behavior - this is and always will be a heated subject on why these authentication bugs happen, partly because of the complexity of Domains. This is actually not at all an issue on the NAS. There are two layers of permissions on the NAS when joined to the domain:
1. NAS Linux ACLs (THESE SHOULD BE ALL ACCESS ALWAYS)
2. NT Permissions from Domain (These are the ones you need to play with, and they are complex enough, that's why you want Linux ACLs to be all access)
Now one thing you can do to fix a config issue is - Make the Linux ACLs all access. The NT permissions are best handled by Windows Microsoft support but we can give you some tips. Let me cover number 1 first - just to rule out the NAS and make sure that layer 1 is working properly.
#########################################################################################
How to make NAS Linux ACLs - all access - don't worry, this will not mess with any of your domain settings
#########################################################################################
Also avail on my site: www.kossboss.com --> READYNAS Reset Permissions
How to reset permissions on a Readynas:
===================================
- gets access to all files. If you were in domain mode and your files are locked this will unlock them, and don't worry, when you go back to domain mode all your files will regain their permissions as they were before. This is just for quick access to your files if they are locked some weird way
1) on the left side go to security tab and security mode link/tab (the one where you change from work group to domain mode etc.)
2) change to user mode
3) hit okay or accept
4) on the left side go to SERVICES TAB -> STANDARD FILE PROTOCOLS link/tab
5) disable/uncheck CIFS
6) hit APPLY button at the bottom
7) enable/check CIFS
8) hit APPLY button at the bottom
9) on the left side go to Shares tab -> share listing link/tab
10) click on a share (example "backup") (the CIFS icon, the right most, looks like a notepad paper with a pencil to it)
11) you will be in the CIFS tab once you click that. Change the settings to:
* default access: read/write
===SHARE ACCESS RESTRICTIONS SECTION:===
* uncheck and blank out everything up to the allow guest access. (blank out meaning just erase everything in the text boxes)
* enable/check guest access.
===SHARE DISPLAY OPTION SECTION:===
* uncheck "hide this share...".
* disable recycle bin.
===ADVANCED CIFS PERMISSIONS SECTION:===
* check all (there are two options to check "automatically set permissions..." & "do not allow acl changes ...")
* in that same advanced cifs permissions section select all the drop down menus to say read/write.
===OPPORTUNISTIC LOCKING SECTION:===
* disable "enable oplocks".
* hit APPLY button at the bottom
12) go to the top of the CIFS page that you're in and select the ADVANCED OPTIONS tab (you should still be in the settings for whatever share you selected, so the "backup" share for example, you're just in a different sub-tab now), and in there just fill this out like so, make sure everything is lowercase like mine:
===ADVANCED SHARE PERMISSION:===
13) Do the appropriate 13a, 13b, or 13c step depending on your security settings. 13a works generally. b is for user-mode and c is for domain mode
13a) Just a general setting to try
* Share Folder Owner: nobody
* Share Folder Group: nogroup
13b) If you're in User/Volume Security Mode
* Share Folder Owner: admin
* Share Folder Group: nogroup
13c) If you're in Domain Security Mode
* Share Folder Owner: administrator
* Share Folder Group: nogroup <-- or leave it as blank only works in this domain mode
14) Continue with these below it
* Share Folder Owner rights: should be greyed out but select read/write if you can
* Share Folder Group rights: read/write
* Share Folder Everyone rights: read/write
* check "set ownership and permission..." (this will actually reset the permissions and then when you hit apply at the end of the step it will uncheck itself, don't worry that it unchecked itself, it does that so that you can do that again)
* check the second one that says "grant rename..."
===ADVANCED SHARE UTILITIES:===
* Shift share content timestamps by: 0 minutes
* hit APPLY button at the bottom
* NOTE: IF THAT DIDN'T WORK, RETRY 13A, 13B or 13C DEPENDING ON THE NETWORK SECURITY SETTING AND HIT APPLY
15) that's it, just repeat steps 10 thru 12 for each share
####################################
Layer 2 Windows NT Things you can do
####################################
Best solution: call MS, as their experts are experts on all the quirks
However, here is what I do
cmd->net use /delete *
hit y and enter
Log in to NAS
use the following username and password
username: netbios-name-of-domain\username
username: domain-name.com\username
username: username
username: [email protected]
username: ip-address-of-active-directory-server\username
username: username@ip-address-of-active-directory-server
examples of above in same order
netgear\somedude
netgear.com\somedude
somedude
[email protected]
10.11.12.13\somedude
[email protected]
The password will be the same.
Another thing you can try is to force Windows to use more different types of authentication through the NAS (the NAS proxies the authentication thru Kerberos to the domain):
-Start > Run > secpol.msc
-Expand the Local Settings tree then select Security Settings
-Local and right click on the Network Security: LAN Manager authentication level
-Change the authentication level from “NTLMv2 only” to “LM and NTLM, NTLMv2 if security is negotiated”
-Go into Registry editor (cmd-regedit)
-Look up HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters
-Change RequiredSecuritySignature to 0
MAKE SURE TO BACKUP YOUR REGISTRY BEFORE YOU DO THIS
I usually get this to work by trying the different combinations of username
Also one more thing
Windows File Sharing Connections prefer fewer layers
==ANOTHER TIP1:==
* Note actually sometimes \\ip\ or \\ip\share works better than using domain name. If this is the case check Time settings on NAS and point em to your NTP server (your DC usually)
==ANOTHER TIP2:==
* When you do \\Ip\Share or \\domainname\share
* It uses more layers
* When you connect to your share like this - by mapping a drive - it uses less layers and works better:
"net use"
# net use \\123.456.789.00 password /user:username
# net use h: \\server\share /user:username
Also for username try the different combinations I listed above if those don't work
Told ya it's complex and thus squirrelly
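Added example, not part of kossboss's post: a PowerShell snapshot of the two Windows client settings the post changes, taken before touching them, in line with the post's advice to back up the registry first. The backup folder name is an assumption; run it from an elevated prompt.

```powershell
# Added example (not from the post). $BackupDir is an assumed location.
$BackupDir = Join-Path $env:USERPROFILE 'smb-auth-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Keys behind the two settings the post changes. The secpol.msc policy
# "Network security: LAN Manager authentication level" is stored as
# LmCompatibilityLevel under Control\Lsa.
$Keys = @{
    Lsa         = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
    Workstation = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

# 1) Export both keys so the original values can be restored with "reg import".
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($name in $Keys.Keys) {
    $file = Join-Path $BackupDir "$name-$stamp.reg"
    reg.exe export $Keys[$name] $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Export failed for $($Keys[$name])" }
}

# 2) Read the current values; $null means the value is not set.
function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path "Registry::$Key" -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Policy text for LmCompatibilityLevel 0..5 (index = level).
$LmLevels = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)
$lm = Get-RegValue $Keys.Lsa 'LmCompatibilityLevel'
# The post writes RequiredSecuritySignature; the value name Windows uses is RequireSecuritySignature.
$require = Get-RegValue $Keys.Workstation 'RequireSecuritySignature'

[pscustomobject]@{
    LmCompatibilityLevel     = $lm
    LmLevelMeaning           = if ($null -ne $lm) { $LmLevels[$lm] } else { 'not set (OS default applies)' }
    RequireSecuritySignature = $require
    BackupDir                = $BackupDir
} | Format-List

# 3) Flag the weakened states so they are not left in place after troubleshooting.
if ($null -ne $lm -and $lm -lt 3) { Write-Warning 'Client will send LM or NTLMv1 responses.' }
if ($require -eq 0) { Write-Warning 'SMB client signing is not required.' }
```

Running it again after troubleshooting shows whether the machine was returned to its original values; `reg import` on the exported files restores them.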