TS-459U won't connect to AD

Questions about using Windows AD service.

TS-459U won't connect to AD

Postby McReady » Tue Aug 17, 2010 8:54 pm

Hello everyone,

since this morning, my TS-459U (Current firmware version: 3.2.6 Build 0423T) is not more willing to connect/join our AD (SBS 2008).

Generel setup:
Network: 192.168.1.0/24
DNS & AD-Server: SERVER1-0 192.168.1.1
NAS: 192.168.1.7

Settings1 on MS Networking:
X AD-Dom. member
Domain NetBIOS Name: MCM
AD Server Name: SERVER1-0
Domain: mcm.local
User: mcmadmin
PW: guess ;)

Result:
Code: Select all
Microsoft network settings failed. Please check the DNS server, domain name, and user name and password for logging in the domain.

======== DEBUG START =======
/usr/local/samba/bin/net time set -S SERVER1-0.mcm.local
[command] echo ******** | /usr/bin/kinit "mcmadmin@mcm.LOCAL"
Password for mcmadmin@mcm.LOCAL:
Specify WORKGROUP = mcm
[command] /usr/local/samba/bin/net ads join -S SERVER1-0 -U "mcmadmin%********" -s /etc/config/smb.conf
[2010/08/17 14:42:57, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
Failed to join domain: failed to connect to AD: Strong(er) authentication required
[command] /usr/local/samba/bin/net ads join -S SERVER1-0.mcm.local -U "mcmadmin%********" -s /etc/config/smb.conf
[2010/08/17 14:42:58, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
Failed to join domain: failed to connect to AD: Strong(er) authentication required
[command] /usr/local/samba/bin/net ads join -U "mcmadmin%********" -s /etc/config/smb.conf
[2010/08/17 14:42:58, 0] libads/sasl.c:ads_sasl_spnego_bind(819)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
Failed to join domain: failed to connect to AD:
(I can't say what's displayed from here because it is cut)


Settings2 on MS Networking:
X AD-Dom. member
Domain NetBIOS Name: MCM
AD Server Name: 192.168.1.1
Domain: mcm.local
User: mcmadmin
PW: guess ;)

Result:
Code: Select all
Microsoft Networking configured failed. Cannot resolve domain, please check DNS server, AD Server Name and Domain.

======== DEBUG START =======
/usr/local/samba/bin/net time set -S 192.168.1.1.mcm.local
Sync time with domain name fail, try to sync time with IP
/usr/local/samba/bin/net time set -S
[command] echo ******** | /usr/bin/kinit "mcmadmin@mcm.LOCAL"
kinit(v5): Cannot resolve network address for KDC in realm mcm.LOCAL while getting initial credentials
[command] echo ******** | /usr/bin/kinit "mcmadmin@mcm.LOCAL"


The only change that I know is that I've installed KB982214 yesternday night:
http://support.microsoft.com/?scid=kb%3 ... 4&x=19&y=9

An update to FW 3.3.1 is not possible: Update failed. Please check the firmware version.

All other stuff like FTP, SSH, webmanagement is running.
I can connect with SSH to the TS and ping the AD-server using IP oder the servername, so network and name resolution seems to work.
Code: Select all
[/bin] # ping server1-0
PING server1-0 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=128 time=0.1 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=128 time=0.1 ms
^C
--- server1-0 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.1 ms


Any ideas what's wrong?
McReady
New here
 
Posts: 3
Joined: Tue Aug 17, 2010 8:33 pm
NAS Model: TS-559 Pro

Re: TS-459U won't connect to AD

Postby McReady » Wed Aug 18, 2010 2:32 am

OK, after a second download, the firmware upgrade has finished.
Current firmware version: 3.3.1 Build 0720T

Same procedure, new error message:

Code: Select all
Microsoft network settings failed. Please check the DNS server, domain name, and user name and password for logging in the domain.

======== DEBUG START =======


Well ... debug start = debug end.

I've checked the DNS server (it's running and the right IP is entered in "Network" and the rest, too. :-(

While trying to get into the AD, the computer-account is also created by the TS-459U in
mcm.local/MyBusiness/Computers/SBSComputers/nas.
So the login information is correct, otherwise I don't have writing access on the AD.

I've also manually added an DNS-entry incl. reverse-mapping, but that didn't made a change.

Any ideas?
McReady
New here
 
Posts: 3
Joined: Tue Aug 17, 2010 8:33 pm
NAS Model: TS-559 Pro

Re: TS-459U won't connect to AD

Postby QNAPJauss » Mon Aug 23, 2010 12:01 pm

Hi,

The "empty" debug message is a bug that will be fixed in 3.3.2 firmware.

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required


It is often cause when LDAP signing is required in your active directory (Maybe enabled by the update you installed).
In the Default Domain Controllers Policy, in Security seetings, Local policies, security option, check if you enabled :
Domain controller : LDAP server signing requirements --> to Require signing.

If yes, you need to connect to the NAS by SSH, edit the file /etc/smb.conf, and add the line after the [global] :
Code: Select all
client ldap sasl wrapping = sign


If you need help, tech support can connect remotely and do it for you.

BR,
Jauss
QNAPJauss
QNAP Staff
 
Posts: 496
Joined: Fri Oct 02, 2009 12:18 pm
Location: Taipei, TAIWAN
NAS Model: Not Selected

Re: TS-459U won't connect to AD

Postby McReady » Mon Sep 13, 2010 4:55 pm

Hi!

I've installed 3.3.2, added the line in smb.conf, restarted and ... it works! :)
Thank you!
McReady
New here
 
Posts: 3
Joined: Tue Aug 17, 2010 8:33 pm
NAS Model: TS-559 Pro

Re: TS-459U won't connect to AD

Postby bl4ckr4ptor » Thu Oct 06, 2011 11:55 pm

Hello all,

I had the same issue, so thanks for your help.

PS: Please, can somebody update the online tutorial? I mean it will be very useful for other qnap users too!

Regards,

Blacki
HP DL380G3: 16GB RAM; 4 x 72GB 15k HDDs
HP DL120: 12GB RAM; 2 x 136GB 15k HDDs
QNAP 559 Pro II: 1GB RAM; 4 x 2TB Hitachi on RAID 5 (1 x 2TB Hot Spare)
QNAP 419U: 512MB RAM; 3 x 2TB Hitachi on RAID 0
QNAP 219P+: 512 MB RAM; 2 x 2TB Hitachi on RAID 1
bl4ckr4ptor
First post
 
Posts: 1
Joined: Thu Oct 06, 2011 11:45 pm
NAS Model: TS-459 Pro+

Re: TS-459U won't connect to AD

Postby mchaggis » Thu Jun 14, 2012 9:04 pm

Hi all,

My 459 would connect to AD but would not pull down a list of users.

The issue turned out to be a GPO.

Computer Config > Windows Settings > Security Settings > Local Policies > Security Options

Set Domain Controller: LDAP server signing requirements to NONE.

I can now list domain users.
mchaggis
New here
 
Posts: 2
Joined: Thu Jun 14, 2012 7:54 pm
NAS Model: TS-859U-RP+


Return to Windows Domain & Active Directory

Who is online

Users browsing this forum: safetysci and 1 guest