
There is no access to the NAS which is a member of AD from computers not in the domain

uuuserrrr
Aspirant

Hello.

My NAS is a member of an AD domain (2008R2).

I cleared the "allow anonymous access" checkbox, and my domain users on Windows PCs that are in the domain have access without problems.

But I have several Windows and Linux PCs and an MFU (which should save scans to an SMB folder) that are not in the domain. I used a domain user's credentials (like domain\user), but didn't get access to the share.

On Linux I tried several methods (fstab, the file manager, smbclient) to check access, but without success.

smbclient -W domain -U user //nas/test

session setup failed: NT_STATUS_LOGON_FAILURE

How can I access from a computer that is not in the domain?

Model: RN214D41|ReadyNAS 214 Series 4-Bay
Message 1 of 5
StephenB
Guru

Re: There is no access to the NAS which is a member of AD from computers not in the domain

The acceptance of the logon from a computer not in the domain is up to the AD server, not the NAS.  So you might look into the policies there.

 

Message 2 of 5
uuuserrrr
Aspirant

Re: There is no access to the NAS which is a member of AD from computers not in the domain

I can log on to other computers on the network by just entering the domain/username and password of the domain users or administrator.

//nas/test - anonymous access is disabled

smbclient -U username (domain's username) //nas/test
Domain=[DOMAIN] OS=[Windows 6.1 (why?)] Server=[Samba 4.7.0]
tree connect failed: NT_STATUS_ACCESS_DENIED

smbclient -U domain/username //nas/test
session setup failed: NT_STATUS_LOGON_FAILURE

smbclient -U domain/domainadmin //nas/test
session setup failed: NT_STATUS_LOGON_FAILURE

smbclient -U nas/local_nas_admin //nas/test
OK

//nas/test1 - anonymous access is enabled

smbclient -U domain/username //nas/test1
session setup failed: NT_STATUS_LOGON_FAILURE

smbclient -U nas/anyname //nas/test1
OK

smbclient -U anyname //nas/test1
OK

It works with a local account of the NAS, but setting up local accounts is disabled when the NAS is a domain member.

I think the issue may be in the authorization methods permitted for the NAS, but I do not know where and what to change.

I'm afraid to experiment with the Samba configs.

Message 3 of 5
StephenB
Guru

Re: There is no access to the NAS which is a member of AD from computers not in the domain

When you have AD enabled on the NAS, it asks the AD for authentication.  So I don't think this is related to the NAS authentication policies, it would have to be in the domain controller.  Are the other computers you are testing with in the domain?  (which is different from the user account being a domain account).

 

You could also check to see if your smbclient is up to date.  One setting you could check on the NAS is whether SMB encryption is required.  If it is, you might try resetting that to desired or enabled.  Go into the share settings for Test, select Network Access, and then click on the advanced control on the bottom left.  That will show you the encryption setting.

 

Another approach is to enable NFS on the NAS, and use that instead of SMB.  You'd change the mount point to data/test (assuming your volume name is the default name data).

Message 4 of 5
uuuserrrr
Aspirant

Re: There is no access to the NAS which is a member of AD from computers not in the domain

 

When you have AD enabled on the NAS, it asks the AD for authentication. 

It cannot do this. To verify access, it must take the login and hash of the password from the client and send it to AD. I think this mechanism is simply disabled and does not work even if anonymous access is granted. See the message above.
For computers in the domain, there is another mechanism: authentication without sending a password hash, by Kerberos ticket.

On other PCs everything is OK. I can browse domain PCs' shares and system shares (like C$) from my Linux machine simply with a regular file manager (Dolphin in KDE).

I cannot get to //nas/test from any Windows PC that is not in the domain either.

I use smbclient as an example.

I don't know what to change in the AD settings. Everything is at defaults now. Any ideas?

My Kyocera MFU doesn't support NFS. Besides, it's dead and insecure.

SMB encryption is disabled. The share test was made with default settings.

Message 5 of 5
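Added example (not part of any post in this thread): a small shell triage of the smbclient results posted in message 3, separating failures at session setup (authentication, before any share is involved) from failures at tree connect (share access, evaluated after a session exists). The function names and the `user|share|result` sample rows are constructed for illustration from that post; "OK" is the poster's shorthand for a successful connect.

```shell
#!/bin/sh
# Added example: classify smbclient results by the SMB stage that failed.

# classify_smb_result TEXT -> auth | authz | ok | unknown
classify_smb_result() {
    case "$1" in
        *"session setup failed"*) echo auth ;;   # logon rejected, no session created
        *"tree connect failed"*)  echo authz ;;  # session exists, share refused it
        OK)                       echo ok ;;     # shorthand used in the sample rows
        *)                        echo unknown ;;
    esac
}

# nt_status TEXT -> the NT_STATUS_* code in TEXT, or nothing
nt_status() {
    printf '%s\n' "$1" | sed -n 's/.*\(NT_STATUS_[A-Z_]*\).*/\1/p' | head -n 1
}

# Constructed sample: identity|share|result, taken from the results in message 3.
SAMPLE='username|//nas/test|tree connect failed: NT_STATUS_ACCESS_DENIED
domain/username|//nas/test|session setup failed: NT_STATUS_LOGON_FAILURE
domain/domainadmin|//nas/test|session setup failed: NT_STATUS_LOGON_FAILURE
nas/local_nas_admin|//nas/test|OK
domain/username|//nas/test1|session setup failed: NT_STATUS_LOGON_FAILURE
nas/anyname|//nas/test1|OK
anyname|//nas/test1|OK'

# triage ROWS -> one line per attempt: identity, share, stage, NT status
triage() {
    printf '%s\n' "$1" | while IFS='|' read -r user share out; do
        printf '%-22s %-12s %-6s %s\n' "$user" "$share" \
            "$(classify_smb_result "$out")" "$(nt_status "$out")"
    done
}

# count_stage ROWS STAGE [USER_PREFIX] -> number of attempts that ended at STAGE
count_stage() {
    printf '%s\n' "$1" | while IFS='|' read -r user share out; do
        case "$user" in "${3:-}"*) ;; *) continue ;; esac
        if [ "$(classify_smb_result "$out")" = "$2" ]; then echo x; fi
    done | wc -l | tr -d ' '
}

triage "$SAMPLE"
echo "domain-qualified logons rejected at session setup: $(count_stage "$SAMPLE" auth domain/)"
```

On the sample rows every domain-qualified logon stops at session setup on both shares, so share permissions and the anonymous-access setting were never evaluated for those attempts.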