NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

McLukic's avatar
McLukic
Star
Jun 22, 2016
Solved

RN 104 / OS 6.5 : AD group membership not synced for some users

Dear Communitiy members,   I started having an issue (or I just began noticing it, more realistically) regarding how changes in AD memberships are synchronised in the ReadyNas.   Of course AD mod...
Windows Domain and Active Directory
  • McLukic's avatar
    McLukic
    Jun 27, 2016

    Dear all,

     

    I am a bit disappointed that noone offered a structured solution for this issue.

     

    It seems that I was able to fix it myself. Here is what I did (please note that I lost the permissions on my shares ; this is not an issue since we know precisely what to set and how but otherwise it could have been a real problem) :

    (Some steps are maybe totally useless but I list them anyway) 

     

    • Set Authentication back to "local" 
    • Reboot device
    • Once the device is restarted, SSH to it and  :
      systemctl stop winbind
systemctl stop smb

net cache flush
rm -f /var/lib/samba/*.tdb
rm -rf /var/cache/samba/*

systemctl start smb
systemctl start winbind
    • Reboot the device
    • Once the device is restarted, in the Web Admin page, set Authentication to ADS again (with the standard options, i.e. "do not cache ADS accounts" NOT ticked
    • Restart the device

     

    --> Changes in group memberships reflected in the outputs of for instance "id -Gn <username>" within 5 minutes

    --> AD syncs launched from the Web Admin page do not yield errors anymore, new groups and users are visible and usable in the UI (to set permissions etc...), and objects removed from the AD are also deleted

     

    So, after months of despair, the 6.5.1 update finally seems to solve the AD issues and we can finally plan to use the device in production.

     

    It's great that at my company we can wait 6 months or one year to implement projects we were supposed to finish within one week, it allowed us to wait "a bit" until a proper firmware is released !

     

     

McLukic's avatar
McLukic
Star
Jun 23, 2016

Hi,

 

Thank you for this information. Great that the 6.5.1 update is out, I did install it but it does not solve the problem.

 

In fact for some of the user accounts which had the issue, their group membership was immediately updated.

 

However now, there are still users for which the problem persists.

 

To be more precise,

 

- The ADS account refresh yields an error every other time (that is really it : one error, then the next try is a success). In one case the ads.log shows following lines :

 

[16-06-23 10:04:33] 2753 rndb_account.c:2264 error: Error. Fail to insert $home_folder/$user/$group/$group_has_user: Internal DB error. (2245:19:UNIQUE constraint failed: $group_has_user.user_id, $group_has_user.group_id)
[16-06-23 10:04:33] 2753 rndb_account.c:2407 error: rndb_ads_account_import() ==> 3 (8614ms)
[16-06-23 10:04:33] 2753 rndb_api.c:956 error: rndb_import_nolock() ==> 3 (8617ms)

In the case of a "2nd attempt" there is nothing unusual in ads.log.

 

 

- Some "user account" infos are not correctly updated : When I issue following command on some users

 

id -Gn <username>

the group memberships stay the same and are never updated (I tried for several users, including some for which there wasn't any issue before).

 

 

 

I'm at a loss as to what could be the problem and how to have the sync function correctly...

 

Thanks to anyone would could help me !

 

McLukic's avatar
McLukic
Star
Jun 27, 2016

Dear all,

 

I am a bit disappointed that noone offered a structured solution for this issue.

 

It seems that I was able to fix it myself. Here is what I did (please note that I lost the permissions on my shares ; this is not an issue since we know precisely what to set and how but otherwise it could have been a real problem) :

(Some steps are maybe totally useless but I list them anyway) 

 

  • Set Authentication back to "local" 
  • Reboot device
  • Once the device is restarted, SSH to it and  :
    systemctl stop winbind
systemctl stop smb

net cache flush
rm -f /var/lib/samba/*.tdb
rm -rf /var/cache/samba/*

systemctl start smb
systemctl start winbind
  • Reboot the device
  • Once the device is restarted, in the Web Admin page, set Authentication to ADS again (with the standard options, i.e. "do not cache ADS accounts" NOT ticked
  • Restart the device

 

--> Changes in group memberships reflected in the outputs of for instance "id -Gn <username>" within 5 minutes

--> AD syncs launched from the Web Admin page do not yield errors anymore, new groups and users are visible and usable in the UI (to set permissions etc...), and objects removed from the AD are also deleted

 

So, after months of despair, the 6.5.1 update finally seems to solve the AD issues and we can finally plan to use the device in production.

 

It's great that at my company we can wait 6 months or one year to implement projects we were supposed to finish within one week, it allowed us to wait "a bit" until a proper firmware is released !

 

 

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More