TS-459U won't connect to AD

McReady
New here
Posts: 3
Joined: Tue Aug 17, 2010 8:33 pm

TS-459U won't connect to AD

Post by McReady »

Hello everyone,

Since this morning, my TS-459U (Current firmware version: 3.2.6 Build 0423T) is no longer willing to connect to/join our AD (SBS 2008).

General setup:
Network: 192.168.1.0/24
DNS & AD-Server: SERVER1-0 192.168.1.1
NAS: 192.168.1.7

Settings1 on MS Networking:
X AD-Dom. member
Domain NetBIOS Name: MCM
AD Server Name: SERVER1-0
Domain: mcm.local
User: mcmadmin
PW: guess ;)

Result:

Microsoft network settings failed. Please check the DNS server, domain name, and user name and password for logging in the domain.

======== DEBUG START =======
/usr/local/samba/bin/net time set -S SERVER1-0.mcm.local
[command] echo ******** | /usr/bin/kinit "mcmadmin@mcm.LOCAL"
Password for mcmadmin@mcm.LOCAL:
Specify WORKGROUP = mcm
[command] /usr/local/samba/bin/net ads join -S SERVER1-0 -U "mcmadmin%********" -s /etc/config/smb.conf
[2010/08/17 14:42:57, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
Failed to join domain: failed to connect to AD: Strong(er) authentication required
[command] /usr/local/samba/bin/net ads join -S SERVER1-0.mcm.local -U "mcmadmin%********" -s /etc/config/smb.conf
[2010/08/17 14:42:58, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
Failed to join domain: failed to connect to AD: Strong(er) authentication required
[command] /usr/local/samba/bin/net ads join -U "mcmadmin%********" -s /etc/config/smb.conf
[2010/08/17 14:42:58, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
Failed to join domain: failed to connect to AD:

(I can't say what's displayed from here because it is cut)

Settings2 on MS Networking:
X AD-Dom. member
Domain NetBIOS Name: MCM
AD Server Name: 192.168.1.1
Domain: mcm.local
User: mcmadmin
PW: guess ;)

Result:

Microsoft Networking configured failed. Cannot resolve domain, please check DNS server, AD Server Name and Domain.

======== DEBUG START =======
/usr/local/samba/bin/net time set -S 192.168.1.1.mcm.local
Sync time with domain name fail, try to sync time with IP
/usr/local/samba/bin/net time set -S
[command] echo ******** | /usr/bin/kinit "mcmadmin@mcm.LOCAL"
kinit(v5): Cannot resolve network address for KDC in realm mcm.LOCAL while getting initial credentials
[command] echo ******** | /usr/bin/kinit "mcmadmin@mcm.LOCAL"

The only change that I know of is that I installed KB982214 last night:
http://support.microsoft.com/?scid=kb%3 ... 4&x=19&y=9

An update to FW 3.3.1 is not possible: Update failed. Please check the firmware version.

All other stuff like FTP, SSH, webmanagement is running.
I can connect with SSH to the TS and ping the AD server using the IP or the server name, so network and name resolution seem to work.

[/bin] # ping server1-0
PING server1-0 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=128 time=0.1 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=128 time=0.1 ms
^C
--- server1-0 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms

Any ideas what's wrong?
McReady
New here
Posts: 3
Joined: Tue Aug 17, 2010 8:33 pm

Re: TS-459U won't connect to AD

Post by McReady »

OK, after a second download, the firmware upgrade has finished.
Current firmware version: 3.3.1 Build 0720T

Same procedure, new error message:

Microsoft network settings failed. Please check the DNS server, domain name, and user name and password for logging in the domain.

======== DEBUG START =======

Well ... debug start = debug end.

I've checked the DNS server (it's running and the right IP is entered in "Network") and the rest, too. :-(

While trying to get into the AD, the computer account is also created by the TS-459U in
mcm.local/MyBusiness/Computers/SBSComputers/nas.
So the login information is correct, otherwise I wouldn't have write access to the AD.

I've also manually added a DNS entry incl. reverse mapping, but that didn't make a difference.

Any ideas?
QNAPJauss
QNAP Staff
Posts: 499
Joined: Fri Oct 02, 2009 12:18 pm
Location: Taipei, TAIWAN

Re: TS-459U won't connect to AD

Post by QNAPJauss »

Hi,

The "empty" debug message is a bug that will be fixed in 3.3.2 firmware.

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required

It is often caused when LDAP signing is required in your Active Directory (maybe enabled by the update you installed).
In the Default Domain Controllers Policy, in Security settings, Local policies, Security options, check if you enabled:
Domain controller: LDAP server signing requirements --> to Require signing.

If yes, you need to connect to the NAS by SSH, edit the file /etc/smb.conf, and add this line after [global]:

client ldap sasl wrapping = sign

If you need help, tech support can connect remotely and do it for you.

BR,
Jauss
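
The smb.conf change described in the reply above, as an added example (not QNAP's or any poster's own code): a shell function that puts `client ldap sasl wrapping = sign` directly after `[global]` idempotently, replacing an older value instead of leaving two conflicting lines. The function names and the sample file are constructed for illustration; pass whichever smb.conf your join command actually reads (the debug output earlier in the thread shows `-s /etc/config/smb.conf`).

```shell
#!/bin/sh
# Added example: set "client ldap sasl wrapping = sign" under [global].
# Function names are hypothetical; the smb.conf path is supplied by the caller.
ensure_ldap_signing() {
    conf="$1"; tmp="$conf.tmp.$$"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    awk '
        function emit() { print "client ldap sasl wrapping = sign"; added = 1 }
        /^[ \t]*\[/ {                       # any section header
            in_global = (tolower($0) ~ /^[ \t]*\[[ \t]*global[ \t]*\]/)
            print
            if (in_global && !added) emit() # the line goes right after [global]
            next
        }
        # Drop older values inside [global]; commented-out lines are kept.
        in_global && tolower($0) ~ /^[ \t]*client[ \t]+ldap[ \t]+sasl[ \t]+wrapping[ \t]*=/ { next }
        { print }
        END { if (!added) { print "[global]"; emit() } }   # file had no [global]
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$conf" "$tmp"; then          # already correct: leave file untouched
        rm -f "$tmp"; return 0
    fi
    # Keep a backup and write in place so ownership, mode and symlinks survive.
    cp "$conf" "$conf.bak" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Print the effective [global] value (last one wins), or an empty line if unset.
ldap_wrapping_value() {
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[[ \t]*global[ \t]*\]/); next }
        in_global && tolower($0) ~ /^[ \t]*client[ \t]+ldap[ \t]+sasl[ \t]+wrapping[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
        }
        END { print v }
    ' "$1"
}

# Constructed sample file (not from the thread): option present but set to "plain".
demo=$(mktemp)
printf '[Global]\nworkgroup = MCM\nclient ldap sasl wrapping = plain\n[share]\npath = /share\n' > "$demo"
ensure_ldap_signing "$demo" && echo "effective value: $(ldap_wrapping_value "$demo")"
rm -f "$demo" "$demo.bak"
```

Running `ldap_wrapping_value` on its own before a join attempt shows whether the client will request signed LDAP binds at all.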
McReady
New here
Posts: 3
Joined: Tue Aug 17, 2010 8:33 pm

Re: TS-459U won't connect to AD

Post by McReady »

Hi!

I've installed 3.3.2, added the line in smb.conf, restarted and ... it works! :)
Thank you!
bl4ckr4ptor
First post
Posts: 1
Joined: Thu Oct 06, 2011 11:45 pm

Re: TS-459U won't connect to AD

Post by bl4ckr4ptor »

Hello all,

I had the same issue, so thanks for your help.

PS: Please, can somebody update the online tutorial? I mean it will be very useful for other QNAP users too!

Regards,

Blacki
HP DL380G3: 16GB RAM; 4 x 72GB 15k HDDs
HP DL120: 12GB RAM; 2 x 136GB 15k HDDs
QNAP 559 Pro II: 1GB RAM; 4 x 2TB Hitachi on RAID 5 (1 x 2TB Hot Spare)
QNAP 419U: 512MB RAM; 3 x 2TB Hitachi on RAID 0
QNAP 219P+: 512 MB RAM; 2 x 2TB Hitachi on RAID 1
mchaggis
New here
Posts: 2
Joined: Thu Jun 14, 2012 7:54 pm

Re: TS-459U won't connect to AD

Post by mchaggis »

Hi all,

My 459 would connect to AD but would not pull down a list of users.

The issue turned out to be a GPO.

Computer Config > Windows Settings > Security Settings > Local Policies > Security Options

Set Domain Controller: LDAP server signing requirements to NONE.

I can now list domain users.