QNAP NAS Community Forum


https://forum.qnap.com/

TS-459U won't connect to AD

https://forum.qnap.com/viewtopic.php?t=33469

Page 1 of 1

TS-459U won't connect to AD

Posted: Tue Aug 17, 2010 8:54 pm
by McReady
Hello everyone,

since this morning, my TS-459U (Current firmware version: 3.2.6 Build 0423T) is not more willing to connect/join our AD (SBS 2008).

Generel setup:
Network: 192.168.1.0/24
DNS & AD-Server: SERVER1-0 192.168.1.1
NAS: 192.168.1.7

Settings1 on MS Networking:
X AD-Dom. member
Domain NetBIOS Name: MCM
AD Server Name: SERVER1-0
Domain: mcm.local
User: mcmadmin
PW: guess ;)

Result:

Code: Select all

Microsoft network settings failed. Please check the DNS server, domain name, and user name and password for logging in the domain.

======== DEBUG START =======
/usr/local/samba/bin/net time set -S SERVER1-0.mcm.local
[command] echo ******** | /usr/bin/kinit "mcmadmin@mcm.LOCAL"
Password for mcmadmin@mcm.LOCAL:
Specify WORKGROUP = mcm
[command] /usr/local/samba/bin/net ads join -S SERVER1-0 -U "mcmadmin%********" -s /etc/config/smb.conf
[2010/08/17 14:42:57, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
Failed to join domain: failed to connect to AD: Strong(er) authentication required
[command] /usr/local/samba/bin/net ads join -S SERVER1-0.mcm.local -U "mcmadmin%********" -s /etc/config/smb.conf
[2010/08/17 14:42:58, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
Failed to join domain: failed to connect to AD: Strong(er) authentication required
[command] /usr/local/samba/bin/net ads join -U "mcmadmin%********" -s /etc/config/smb.conf
[2010/08/17 14:42:58, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
Failed to join domain: failed to connect to AD: 
(I can't say what's displayed from here because it is cut)
Settings2 on MS Networking:
X AD-Dom. member
Domain NetBIOS Name: MCM
AD Server Name: 192.168.1.1
Domain: mcm.local
User: mcmadmin
PW: guess ;)

Result:

Code: Select all

Microsoft Networking configured failed. Cannot resolve domain, please check DNS server, AD Server Name and Domain.

======== DEBUG START =======
/usr/local/samba/bin/net time set -S 192.168.1.1.mcm.local
Sync time with domain name fail, try to sync time with IP
/usr/local/samba/bin/net time set -S
[command] echo ******** | /usr/bin/kinit "mcmadmin@mcm.LOCAL"
kinit(v5): Cannot resolve network address for KDC in realm mcm.LOCAL while getting initial credentials
[command] echo ******** | /usr/bin/kinit "mcmadmin@mcm.LOCAL"
The only change that I know is that I've installed KB982214 yesternday night:
http://support.microsoft.com/?scid=kb%3 ... 4&x=19&y=9

An update to FW 3.3.1 is not possible: Update failed. Please check the firmware version.

All other stuff like FTP, SSH, webmanagement is running.
I can connect with SSH to the TS and ping the AD-server using IP oder the servername, so network and name resolution seems to work.

Code: Select all

[/bin] # ping server1-0
PING server1-0 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=128 time=0.1 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=128 time=0.1 ms
^C
--- server1-0 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms
Any ideas what's wrong?

Re: TS-459U won't connect to AD

Posted: Wed Aug 18, 2010 2:32 am
by McReady
OK, after a second download, the firmware upgrade has finished.
Current firmware version: 3.3.1 Build 0720T

Same procedure, new error message:

Code: Select all

Microsoft network settings failed. Please check the DNS server, domain name, and user name and password for logging in the domain.

======== DEBUG START =======
Well ... debug start = debug end.

I've checked the DNS server (it's running and the right IP is entered in "Network" and the rest, too. :-(

While trying to get into the AD, the computer-account is also created by the TS-459U in
mcm.local/MyBusiness/Computers/SBSComputers/nas.
So the login information is correct, otherwise I don't have writing access on the AD.

I've also manually added an DNS-entry incl. reverse-mapping, but that didn't made a change.

Any ideas?

Re: TS-459U won't connect to AD

Posted: Mon Aug 23, 2010 12:01 pm
by QNAPJauss
Hi,

The "empty" debug message is a bug that will be fixed in 3.3.2 firmware.
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
It is often cause when LDAP signing is required in your active directory (Maybe enabled by the update you installed).
In the Default Domain Controllers Policy, in Security seetings, Local policies, security option, check if you enabled :
Domain controller : LDAP server signing requirements --> to Require signing.

If yes, you need to connect to the NAS by SSH, edit the file /etc/smb.conf, and add the line after the [global] :

Code: Select all

client ldap sasl wrapping = sign
If you need help, tech support can connect remotely and do it for you.

BR,
Jauss

Re: TS-459U won't connect to AD

Posted: Mon Sep 13, 2010 4:55 pm
by McReady
Hi!

I've installed 3.3.2, added the line in smb.conf, restarted and ... it works! :)
Thank you!

Re: TS-459U won't connect to AD

Posted: Thu Oct 06, 2011 11:55 pm
by bl4ckr4ptor
Hello all,

I had the same issue, so thanks for your help.

PS: Please, can somebody update the online tutorial? I mean it will be very useful for other qnap users too!

Regards,

Blacki

Re: TS-459U won't connect to AD

Posted: Thu Jun 14, 2012 9:04 pm
by mchaggis
Hi all,

My 459 would connect to AD but would not pull down a list of users.

The issue turned out to be a GPO.

Computer Config > Windows Settings > Security Settings > Local Policies > Security Options

Set Domain Controller: LDAP server signing requirements to NONE.

I can now list domain users.
All times are UTC+08:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited