× NETGEAR will be terminating ReadyCLOUD service by July 1st, 2023. For more details click here.
Orbi WiFi 7 RBE973
Reply

Re: Active Directory issues after 6.5 upgrade

fwdnetad
Aspirant

Active Directory issues after 6.5 upgrade

So after the the 6.5 update on our ReadyNAS 516 we are experiencing some weird issues with active directory permission to the NAS.  Some users can get right on while other users it just keeps prompting for a username and password.   When they type in there credentials it just asks them again.  While still some other users get an error that says "A device attached to the system is not funtioning".

 

I did an OS reinstall to see if that would help and it didn't.

Model: RN51600|ReadyNAS 516 6-Bay
Message 1 of 22

Accepted Solutions
BrianL2
NETGEAR Employee Retired

Re: Active Directory issues after 6.5 upgrade

Hi,

 

Try to load the latest RC Beta Firmware 6.5.1 and see if it resolves your AD issues. If you're hesitant, continue to work with our support team.

 

 

Kind regards,

 

BrianL
NETGEAR

 

 

 

View solution in original post

Message 16 of 22

All Replies
PascalN
Aspirant

Re: Active Directory issues after 6.5 upgrade

Hi,

I am facing exactly the same issue with a RN312.

 

Message 2 of 22
BrianL2
NETGEAR Employee Retired

Re: Active Directory issues after 6.5 upgrade

Hi fwdnetad & PascalN,

 

Kindly contact our support team through phone, chat or e-mail to report this AD issue after the update.

 

 

Kind regards,

 

BrianL
NETGEAR Community Team

Message 3 of 22
esbiete
Aspirant

Re: Active Directory issues after 6.5 upgrade

It seems I'm facing similar problems, but I have no user able to enter into the shared drives and continuously ask for credentials.

 

Doing some test, I've locally (ssh session in the ReadyNAS 314) simulated the connection by using smbclient and I was able to log in with no problem using remote AD authentication (password Ok, Session Ok) and enter into the shared folder BUT unable to do any action like 'ls', as it raises "NT_STATUS_ACCESS_DENIED". I've raised the log level but no significative message that can give me any clue of "who" is denying me access to list or do any action with the folder. In any case I've tried changing permissions to 777 and so, but the same result. It should be something related to smbd, nmbd or winbind...may be. 

 

Now I'm doing a full backup in a secondary storage USB disk and I will try to restore config backup I did when upgrading to 6.5.

Message 4 of 22
fwdnetad
Aspirant

Re: Active Directory issues after 6.5 upgrade

Brian,

 

I couldn't find a way to contact support without paying for support.

Message 5 of 22
fwdnetad
Aspirant

Re: Active Directory issues after 6.5 upgrade

So we have two domain controllers.  One is Microsoft Server 2012 and the other is a 2003 server.  No matter which I point to I still get the same issues.  So I decided to test something.

 

We have a Samba4 test domain controller on an Ubuntu server.  I pointed the NAS authentication to that active directory and there were no issues.  The computers that were on that test domain were all able to connect to the NAS with no problems. But as soon as I connect back to either of the Microsoft domain controllers the problems return.

Message 6 of 22
BrianL2
NETGEAR Employee Retired

Re: Active Directory issues after 6.5 upgrade

Hi fwdnetad,

 

Were the groups and users properly imported or remained after the Firmware update? Also, send me a PM together with the device ads log and systemd-journal log.

 

 

Kind regards,

 

BrianL
NETGEAR Community Team 

Message 7 of 22
fwdnetad
Aspirant

Re: Active Directory issues after 6.5 upgrade

I will send that PM to you tomorrow when I get back in the office.

 

I tried enabling the "do not cache accounts locally" option and I was then able to access the shared with any user.  Though using this method the permissions on the folders are messed up.  If I look at the security tab in the folder properties all the usernames now read "32982 (Unix User\32982)".  Of course the number is differnet with each user.

Message 8 of 22
BrianL2
NETGEAR Employee Retired

Re: Active Directory issues after 6.5 upgrade

Hi fwdnetad,

 

Alright, I'll wait for it. Just don't make any changes after you extract the logs.

 

 

Kind regards,

 

BrianL
NETGEAR Community Team

Message 9 of 22
fwdnetad
Aspirant

Re: Active Directory issues after 6.5 upgrade

I already sent it to the email address with ATTN: BrianL in the subject.

Message 10 of 22
esbiete
Aspirant

Re: Active Directory issues after 6.5 upgrade

As I couldn't have my users without access to their files I purchased a new server (from the competence) and installed it.

 

Next week I will do a full recovery of the netgear and probably starting from scratch with fw 6.5 so I should be available for testing.

Message 11 of 22
BrianL2
NETGEAR Employee Retired

Re: Active Directory issues after 6.5 upgrade

Hi fwdnetad,

 

I will look into it and get back to you as soon as possible.

 

@esbiete Just let us know what happens by updating this thread.

 

 

Kind regards,

 

BrianL
NETGEAR Community Team

Message 12 of 22
Scirocco16V
Guide

Re: Active Directory issues after 6.5 upgrade

I'm also having problems with Active Directory on my ReadyNAS 316 after upgrading to the 6.5.0 firmware. I was getting errors saying "Account: Failed to sync ADS account information for the realm." I unfortunately tried to re-enter the Authentication information, now the logs say "System: Authentication settings are updated" but the Authentication page says "Import error" and the Users tab is only displaying admin and none of the domain accounts. The end of the ads.log says:

 

[16-06-13 11:08:54] 2435 rndb_account.c:2374 error: ******************ADS Import Starts*********************.
[16-06-13 11:08:54] 2435 rndb_ads_utils.c:152 info: ADS CMD::get domain sid: net getdomainsid
[16-06-13 11:08:55] 2435 rndb_ads_utils.c:574 info: ADS CMD::ldap search open: LANG=C net -P ads search \(objectClass=group\) sAMAccountName objectSid distinguishedName
[16-06-13 11:08:56] 2435 rndb_account.c:1262 info: 131 domain group found
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Users sid=S-1-5-32-545 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Network Configuration Operators sid=S-1-5-32-556 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Incoming Forest Trust Builders sid=S-1-5-32-557 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Performance Monitor Users sid=S-1-5-32-558 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Distributed COM Users sid=S-1-5-32-562 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Windows Authorization Access Group sid=S-1-5-32-560 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Guests sid=S-1-5-32-546 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Remote Desktop Users sid=S-1-5-32-555 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Terminal Server License Servers sid=S-1-5-32-561 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Pre-Windows 2000 Compatible Access sid=S-1-5-32-554 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Cryptographic Operators sid=S-1-5-32-569 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Event Log Readers sid=S-1-5-32-573 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Certificate Service DCOM Access sid=S-1-5-32-574 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=RDS Remote Access Servers sid=S-1-5-32-575 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=RDS Endpoint Servers sid=S-1-5-32-576 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=RDS Management Servers sid=S-1-5-32-577 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Hyper-V Administrators sid=S-1-5-32-578 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Access Control Assistance Operators sid=S-1-5-32-579 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Remote Management Users sid=S-1-5-32-580 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Performance Log Users sid=S-1-5-32-559 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=IIS_IUSRS sid=S-1-5-32-568 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Administrators sid=S-1-5-32-544 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Print Operators sid=S-1-5-32-550 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Replicator sid=S-1-5-32-552 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Backup Operators sid=S-1-5-32-551 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Account Operators sid=S-1-5-32-548 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1299 debug: sAMAccountName=Server Operators sid=S-1-5-32-549 is not domain object. domain sid is ...
[16-06-13 11:08:56] 2435 rndb_account.c:1283 info: 100/131 groups imported so far
[16-06-13 11:08:56] 2435 rndb_account.c:1398 info: 131/131 groups imported in 1327ms.
[16-06-13 11:08:56] 2435 rndb_ads_utils.c:574 info: ADS CMD::ldap search open: LANG=C net -P ads search \(\&\(objectClass=user\)\(\!\(sAMAccountType=805306369\)\)\(\!\(sAMAccountType=805306370\)\)\) sAMAccountName objectSid distinguishedName mail primaryGroupID memberOf cn
[16-06-13 11:08:58] 2435 rndb_account.c:963 info: 90 domain user found
[16-06-13 11:08:58] 2435 rndb_account.c:1204 info: 90/90 users imported in 1454ms.
[16-06-13 11:08:58] 2435 rndb_account.c:2262 error: Error. Fail to insert $home_folder/$user/$group/$group_has_user
[16-06-13 11:08:58] 2435 rndb_account.c:2405 error: rndb_ads_account_import() ==> 3 (3158ms)
[16-06-13 11:08:58] 2435 rndb_api.c:956 error: rndb_import_nolock() ==> 3 (3159ms)

Model: RN31661D|ReadyNAS 316 6-Bay
Message 13 of 22
jjmb
Aspirant

Re: Active Directory issues after 6.5 upgrade

I am seeing the same as well, exactly as the last post described.  FWIW - I am also seeing an enormous amount of DNS query traffic for non existant domains:

 

_kerberos-master._udp

_kerberos-master._tcp

lb._dns-sd._udp

 

It looks like the upgrade may have broken something specific to Kerberos for ADS authentication?

 

John

Message 14 of 22
CRPearce
Aspirant

Re: Active Directory issues after 6.5 upgrade

I currently have a thread open that describe issues similar to what's been experienced here.  The issue was the dreaded "Import error", but that has since been resolved by having a Netgear engineer remote in and reset some "stuff".

 

https://community.netgear.com/t5/ReadyNAS-in-Business/RN-2120-Active-Directory-quot-Import-Error-quo...

 

I'm also having a second issue with my other RN 2120 related to my users' inability to access their Home folders (i.e., login prompts followed by "access denied" messages).  Looking at the folder permissions, each Home folder has a numeric ID (Unix User, Unix Group) opposed to the domain user account name.  These IDs likely reflect the correct user in Unix, but Windows does not know how to interpret them, thus the permissions issues.  I have e-mailed my logs (ATTN to mdgm) and am awaiting feedback.  In the meantime, manually setting the permissions has gotten me by for now, but that pretty much defeats the purpose of joining the NAS to the domain.  At this point, it simply saved me time creating individual user folders.

 

- Chris

Message 15 of 22
BrianL2
NETGEAR Employee Retired

Re: Active Directory issues after 6.5 upgrade

Hi,

 

Try to load the latest RC Beta Firmware 6.5.1 and see if it resolves your AD issues. If you're hesitant, continue to work with our support team.

 

 

Kind regards,

 

BrianL
NETGEAR

 

 

 

Message 16 of 22
fwdnetad
Aspirant

Re: Active Directory issues after 6.5 upgrade

This worked.

Message 17 of 22
esbiete
Aspirant

Re: Active Directory issues after 6.5 upgrade

Message 18 of 22
Scirocco16V
Guide

Re: Active Directory issues after 6.5 upgrade

Worked for me. Problems seem to be fixed.

Model: RN31661D|ReadyNAS 316 6-Bay
Message 19 of 22
jjmb
Aspirant

Re: Active Directory issues after 6.5 upgrade

User accounts now load, DNS query volume is nearly back to normal.  However, Time Machine backups for the user accounts are still not working.  My system was setup to allow per user Time Machine.

Message 20 of 22
BrianL2
NETGEAR Employee Retired

Re: Active Directory issues after 6.5 upgrade

Hi fwdnetad, jjmb & Scirocco16V,

 

Thanks for your positive feedback. Continue to monitor and report if there will be further issues.

 

@esbiete I suggest that you report your issue to our support team so it can be escalated to one of our Tier 3 Engineers.

 

@jjmb Create a new thread about your Time Machine problem.

 

 

Kind regards,

 

BrianL
NETGEAR Community Team

Message 21 of 22
jjmb
Aspirant

Re: Active Directory issues after 6.5 upgrade

Message 22 of 22
Top Contributors
Discussion stats
  • 21 replies
  • 9995 views
  • 2 kudos
  • 7 in conversation
Announcements