AD Authentication stops working until reboot

[bradray]

We setup a QNAP TS-431 on a customer's network to act at a file archive location. The wizard didn't work to join it to the AD, but the manual settings did. Everything is setup just how we want it to work.

The only problem is that after a couple of days, the end users start getting prompted for credentials when mapping their drive letter through the login script. Also, from the server that we usually use to administer the network if we open up:
\\[IPDADDRESS]
OR
\\[DEVICENAME]

We are immediately prompted for login credentials. It should automatically use our AD credentials but doesn't for some reason. If I reboot the QNAP, it starts working immediately (without prompting credentials).

Please advise. I didn't see anything addressing this specifically in the forums, but there is another post about how someone has 2 QNAPS and one of them is setup to be a DC. They also mentionned that things work fine for a few days and then stop working until a reboot (or in their case they said changing the SMB level also temporarily resolves the issue).

Please advise.

[wjason]

Having the exact same issue with a TS-453U (Latest OS as of a week ago)

AD auth stops working after a few days. Reboot fixes temporarily. Turning ACLs on or off does not fix. Deleting computer account for the NAS and re-joining the domain does not fix issue either.

Submitted a ticket but no reply after a few days. Would really love to hear something on this issue.

[johnripper]

Please always state your QTS version. Anything else is sensless otherwise.

Gesendet von meinem SM-G920F mit Tapatalk

[oreymann]

Same with my TS-569L with QTS 4.2.1 build 20160601

[Milenko]

Hi.

I can add a little bit more info to the problem. I have that issue with a TS-453Pro QTS 4.2.1 July 2016
The TS-453A worked fine until i migrated the customers 2008R2 DC to W2012R2 10 days ago. Now from time to time it will act like bradray describes it, but only for some users. Other AD-users can still use the NAS in that state. I found out that you can temporarily fix the problem restarting the smb/samba service ( ssh into the nas and call /etc/init.d/smb.sh restart ). A colleague of mine (same problem but with a TS-231+) says you dont have to restart smb, but only winbind with "/etc/init.d/winbind restart" but i didnt verify that.
Since im using the nas as a depot for my backups i can easily workaround by using local auth./ local users, but in the long run id like that problem fixed too.

[johnripper]

Looks like a fix is comming: viewtopic.php?f=142&t=124491

[bassiedude]

Same issue here. Had troubles with the NAS from the start. Joined the domain successfully using manual mode, although it used a different domain controller than I specified which I find very weird. It now uses a domain controller in germany instead of our own DC located in The Netherlands. Other QNAP NAS devices we have use our local DC. After that, I was unable to add domain users to a share via the web interface. Domain users are not listed in the shared folder section when trying to set permissions on a folder. Domain groups are shown by the way. When trying to view domain users in the users section it would take some minutes and then one page of domain users was displayed. When trying to go to the second page it would take forever and nothing would work. We have around 30.000 AD users. Eventually I learned how to add users by editing smb.conf. This worked perfectly. Although quite a hassle of course. But okay. Now a week later, I try to access the NAS and it asks for credentials. And when providing them it does not work. When using the IP address instead of the nodename of the NAS I manage to go to the root showing all shares. But still it is asking for credentials when trying to open one of these shared folders. Restarting the samba service fixed the problem instantly.

This is simply a disaster. Is a solution for this problem coming? By the way, like a miracle, all of a suddent when viewing domain users in the user section all are listed and it works fast. I can assign folders to them there. But when going to the folder section and then trying to set permissions, the domain user list is still empty. How come?

We have a TVS-871 with firmware 4.2.1

[kuste]

Had the same problem as well. But only with TS-420. TS-412 worked like a charm.

Have a look at your system time. It seems, that the update overwrites the NTP-settings. My system time jumped up to 30 minutes into future and back. (The system log was not chronolical anymore, that is why I recognized it).
After enabling NTP-settings again and synching every hour the problem didn't occur anymore.
It is a know issue, that the AD authentication does not work, if the the time between client and server lacks too much.
Maybe it will help you.

[bassiedude]

Thank you for the hint. Indeed, although I enabled the system to use the internet time service it was changed back to manual mode. Time however was in sync with actual time, so I'm not sure this was causing the problem. It is running okay for four days now, hopefully it will stay like that. Thanks again!

[cpjones131]

Have the same issue on a TVS-871 16 GB Firmware version 4.2.2 Build 20160901. Find the issue appears mostly early in the morning when notching has accessed the drive in a few hours. Qnap is connected to a 2012 R2 DC, DNS is pointing to the DNS. What i find is the first user gets prompted to connect to the drive and when I view the User account in Qnap Domain Users I notice the "Description" for that user is blank. All other users will look fine. Usually if I reset the password to the user in a few minutes the issue resolves itself. That's the only way I've been able to resolve the issue.

[hagrun]

Same. I rely heavily on the domain integration.

I used mine to run my lab which I occasionally demo out of for my customers. When I have to stop what I'm doing to reboot my NAS, which takes a while, it hurts my credibility. This issue is a complete deal breaker for me and I will not recommend these products to anyone. QNAP needs to step up their testing, and get this resolved since it is OS wide.



4.2.2 Build 20160823

[primey2000]

Could it be anything to do with the domain/forest functional level? I dont remember having any issues on Windows 2008 but I think my problems started raising the function levels to 2012 R2. Im about to raise to 2016 so lets see what else breaks

[soosp]

We have same issue with a TS-EC880U unit joined a Wondows 2008R2 AD. The Windows ACL Support are set. I had problems set permissions via AD groups. Only grant permissions to users worked. After I set and tested all setting I had to reboot the unit. After reboot granted rights do not work. It seems that there is no proper idmap settings in the internal samba software of the NAS.

[stefano.pederzani]

It can not be neither a functional level issue nor a time issue, otherwise you had problem immediately, not after days.
I am not an expert of AD, but it seems like samba (samba suite, likely winbind) loses sync with the server about the token.
The authentication token is released by the DC to a user. It has an expiring time.
I agree to those who say it is a bug.
If a patch does not solve the problem, in your shoes I would try a workaround, like saving the password when the connection to the share asks for it.

Not always problems can be fixed. Sometimes you have to find a remedy.

[cotefr]

I have the same issue with a TS-231+ and firmware 4.2.2. The shortest interval before needing to reboot was 3h, the longest interval was 3 days. Unfortunately, saving the password as proposed doesn't work, because you can't connect even by entering to correct credential. The only solution is to reboot the NAS and everything starts working fine again.