NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Active Directory issues after 6.5 upgrade
So after the the 6.5 update on our ReadyNAS 516 we are experiencing some weird issues with active directory permission to the NAS. Some users can get right on while other users it just keeps prompting for a username and password. When they type in there credentials it just asks them again. While still some other users get an error that says "A device attached to the system is not funtioning".
I did an OS reinstall to see if that would help and it didn't.
Hi,
Try to load the latest RC Beta Firmware 6.5.1 and see if it resolves your AD issues. If you're hesitant, continue to work with our support team.
Kind regards,
BrianL
NETGEAR
21 Replies
Replies have been turned off for this discussion
Hi,
I am facing exactly the same issue with a RN312.
It seems I'm facing similar problems, but I have no user able to enter into the shared drives and continuously ask for credentials.
Doing some test, I've locally (ssh session in the ReadyNAS 314) simulated the connection by using smbclient and I was able to log in with no problem using remote AD authentication (password Ok, Session Ok) and enter into the shared folder BUT unable to do any action like 'ls', as it raises "NT_STATUS_ACCESS_DENIED". I've raised the log level but no significative message that can give me any clue of "who" is denying me access to list or do any action with the folder. In any case I've tried changing permissions to 777 and so, but the same result. It should be something related to smbd, nmbd or winbind...may be.
Now I'm doing a full backup in a secondary storage USB disk and I will try to restore config backup I did when upgrading to 6.5.
So we have two domain controllers. One is Microsoft Server 2012 and the other is a 2003 server. No matter which I point to I still get the same issues. So I decided to test something.
We have a Samba4 test domain controller on an Ubuntu server. I pointed the NAS authentication to that active directory and there were no issues. The computers that were on that test domain were all able to connect to the NAS with no problems. But as soon as I connect back to either of the Microsoft domain controllers the problems return.
Hi fwdnetad,
Were the groups and users properly imported or remained after the Firmware update? Also, send me a PM together with the device ads log and systemd-journal log.
Kind regards,
BrianL
NETGEAR Community Team
As I couldn't have my users without access to their files I purchased a new server (from the competence) and installed it.
Next week I will do a full recovery of the netgear and probably starting from scratch with fw 6.5 so I should be available for testing.
I'm also having problems with Active Directory on my ReadyNAS 316 after upgrading to the 6.5.0 firmware. I was getting errors saying "Account: Failed to sync ADS account information for the realm." I unfortunately tried to re-enter the Authentication information, now the logs say "System: Authentication settings are updated" but the Authentication page says "Import error" and the Users tab is only displaying admin and none of the domain accounts. The end of the ads.log says:
[16-06-13 11:08:54] 2435 rndb_account.c:2374 error: ******************ADS Import Starts*********************.
[16-06-13 11:08:54] 2435 rndb_ads_utils.c:152 info: ADS CMD::get domain sid: net getdomainsid
[16-06-13 11:08:55] 2435 rndb_ads_utils.c:574 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[16-06-13 11:08:56] 2435 rndb_account.c:1262 info: 131 domain group found
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Users sid=S-1-5-32-545 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Network Configuration Operators sid=S-1-5-32-556 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Incoming Forest Trust Builders sid=S-1-5-32-557 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Performance Monitor Users sid=S-1-5-32-558 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Distributed COM Users sid=S-1-5-32-562 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Windows Authorization Access Group sid=S-1-5-32-560 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Guests sid=S-1-5-32-546 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Remote Desktop Users sid=S-1-5-32-555 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Terminal Server License Servers sid=S-1-5-32-561 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Pre-Windows 2000 Compatible Access sid=S-1-5-32-554 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Cryptographic Operators sid=S-1-5-32-569 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Event Log Readers sid=S-1-5-32-573 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Certificate Service DCOM Access sid=S-1-5-32-574 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=RDS Remote Access Servers sid=S-1-5-32-575 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=RDS Endpoint Servers sid=S-1-5-32-576 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=RDS Management Servers sid=S-1-5-32-577 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Hyper-V Administrators sid=S-1-5-32-578 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Access Control Assistance Operators sid=S-1-5-32-579 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Remote Management Users sid=S-1-5-32-580 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Performance Log Users sid=S-1-5-32-559 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=IIS_IUSRS sid=S-1-5-32-568 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Administrators sid=S-1-5-32-544 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Print Operators sid=S-1-5-32-550 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Replicator sid=S-1-5-32-552 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Backup Operators sid=S-1-5-32-551 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Account Operators sid=S-1-5-32-548 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Server Operators sid=S-1-5-32-549 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1283 info: 100/131 groups imported so far
[16-06-13 11:08:56] 2435 rndb_account.c:1398 info: 131/131 groups imported in 1327ms.
[16-06-13 11:08:56] 2435 rndb_ads_utils.c:574 info: ADS CMD::ldap search open: LANG=C net -P ads search \(\&\(objectClass=user\)\(\!\(sAMAccountType=805306369\)\)\(\!\(sAMAccountType=805306370\)\)\) sAMAccountName objectSid distinguishedName mail primaryGroupID memberOf cn
[16-06-13 11:08:58] 2435 rndb_account.c:963 info: 90 domain user found
[16-06-13 11:08:58] 2435 rndb_account.c:1204 info: 90/90 users imported in 1454ms.
[16-06-13 11:08:58] 2435 rndb_account.c:2262 error: Error. Fail to insert $home_folder/$user/$group/$group_has_user
[16-06-13 11:08:58] 2435 rndb_account.c:2405 error: rndb_ads_account_import() ==> 3 (3158ms)
[16-06-13 11:08:58] 2435 rndb_api.c:956 error: rndb_import_nolock() ==> 3 (3159ms)I am seeing the same as well, exactly as the last post described. FWIW - I am also seeing an enormous amount of DNS query traffic for non existant domains:
_kerberos-master._udp
_kerberos-master._tcp
lb._dns-sd._udp
It looks like the upgrade may have broken something specific to Kerberos for ADS authentication?
John
I currently have a thread open that describe issues similar to what's been experienced here. The issue was the dreaded "Import error", but that has since been resolved by having a Netgear engineer remote in and reset some "stuff".
I'm also having a second issue with my other RN 2120 related to my users' inability to access their Home folders (i.e., login prompts followed by "access denied" messages). Looking at the folder permissions, each Home folder has a numeric ID (Unix User, Unix Group) opposed to the domain user account name. These IDs likely reflect the correct user in Unix, but Windows does not know how to interpret them, thus the permissions issues. I have e-mailed my logs (ATTN to mdgm) and am awaiting feedback. In the meantime, manually setting the permissions has gotten me by for now, but that pretty much defeats the purpose of joining the NAS to the domain. At this point, it simply saved me time creating individual user folders.
- Chris
Hi,
Try to load the latest RC Beta Firmware 6.5.1 and see if it resolves your AD issues. If you're hesitant, continue to work with our support team.
Kind regards,
BrianL
NETGEAR
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
