Domain name not being passed with Samba login

Questions about using Windows AD service.
bluisana
New here
Posts: 7
Joined: Thu Aug 13, 2009 9:58 am

Domain name not being passed with Samba login

Post by bluisana »

I have a TS-531P NAS successfully connected to a Windows 2012 domain controller. As of yesterday all domain users' credentials were properly being passed to the NAS and allowing file access. Last night something happened which broke AD authentication. I tried to reconnect domain authentication in the Control Panel --> Domain Security --> Active Directory authentication (Domain member). I was able to do this without a problem and I can see domain users in the users and shared folder settings of the NAS. I tried to remove all previous domain users and then add them back to the shared folders manually. This worked without any problems but domain users still aren't able to get their files using IP address, name or FQN. The one strange thing I noticed in the system connection logs is that now all users are not showing up with their domain prefix before their login name. Yesterday the logs had all login user names displaying like "domainname\username". Today the same users are showing in the log as just username. Does anyone know how to resolve this to make Samba calls receive the domainname and allow domain user access again?
bluisana
New here
Posts: 7
Joined: Thu Aug 13, 2009 9:58 am

Re: Domain name not being passed with Samba login

Post by bluisana »

I never did get to the bottom of this and tech support took over 24 hours to respond to the help request. This was being used at a business and they couldn't wait that long to get to their data. I also couldn't just open up all of the file shares to everyone because there was sensitive financial data on it.

I ended up backing up all of the data, doing a factory restore and drive format, and setting up the entire NAS from scratch.
rwurttem
New here
Posts: 9
Joined: Wed Jul 08, 2015 3:03 am

Re: Domain name not being passed with Samba login

Post by rwurttem »

Interesting... your post just led me to a temporary fix until QNAP fixes the issue. When the QNAP prompted me for my credentials, I typed:

myusername@mydomain.com (com, net, local... whatever you use.)
mypassword

It worked!! Something is definitely wrong with the QNAP.

/RajW
rwurttem
New here
Posts: 9
Joined: Wed Jul 08, 2015 3:03 am

Re: Domain name not being passed with Samba login

Post by rwurttem »

I think I fixed it... QNAP should validate. I ssh'd into the QNAP and adjusted a few things:

1) Edit the /etc/config/krb5.conf file

```ini
[libdefaults]
 default_realm = MYDOMAIN.COM

[realms]
 MYDOMAIN.COM = {
  kdc = SERVER01.MYDOMAIN.COM
  kdc = SERVER02.MYDOMAIN.COM
  # I added this
  default_domain = MYDOMAIN.COM
 }

# Took off the 's'... They had "[domain_realms]"
[domain_realm]
 # Adjusted these two lines
 .MYDOMAIN.COM = MYDOMAIN.COM
 MYDOMAIN.COM = MYDOMAIN.COM
```

2) Edit the /etc/config/smb.conf file. Added this line under [global]

```ini
winbind use default domain = yes
```

Now my QNAP is behaving as expected.

/RajW
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Domain name not being passed with Samba login

Post by Don »

Please open a ticket with QNAP and pass along this info.
rwurttem
New here
Posts: 9
Joined: Wed Jul 08, 2015 3:03 am

Re: Domain name not being passed with Samba login

Post by rwurttem »

Never mind... It's still messed up. I'm going to reinitialize the QNAP and get it back to defaults and start fresh in the morning.

/RajW
rwurttem
New here
Posts: 9
Joined: Wed Jul 08, 2015 3:03 am

Re: Domain name not being passed with Samba login

Post by rwurttem »

Update... I've been testing in a new environment (a.k.a. no users yet) and in my testing I've been using the IP address of the server instead of the DNS name.

- When I use the IP address, i.e. \\10.1.100.20\Group, I get prompted for a password / Using 'username@mydomain.com' is the only way to be granted access
- When I use the server's name, i.e. \\servername\Group, everything works fine and I don't get prompted for a password

I'm guessing it's a Kerberos thing maybe? I wasn't expecting the above behavior since a true Windows file server would be fine with the IP or the name.

NOTE: I did still have to edit the krb5.conf file. This is my current krb5.conf file; the "[domain_realms]" in the QNAP-created original is invalid:

```ini
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false

[realms]
 MYDOMAIN.COM = {
  admin_server = server01.mydomain.com
  default_domain = MYDOMAIN.COM
  kdc = server01.mydomain.com
  kdc = server02.mydomain.com
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
```

/RajW
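
A check for the krb5.conf problems raised in this thread (a misspelled section header such as "[domain_realms]", and mappings that point at a realm not defined under [realms]), written as an added example that is not from the posters or from QNAP. The function name `lint_krb5` and the sample file are constructed for illustration, and the inline-comment check assumes MIT-style parsing, where only a line that starts with `#` or `;` is a comment.

```python
import re

# Section names documented for MIT krb5.conf; extend for your build if needed.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults", "plugins"}

def lint_krb5(text):
    """Return (line_number, message) findings for the text of a krb5.conf."""
    findings, realms, mappings, section, depth = [], set(), [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1)
            if section not in KNOWN_SECTIONS:
                findings.append((no, f"[{section}] is not a documented section name"))
            continue
        if line == "}":
            depth -= 1
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if "#" in value:  # assumption: MIT-style parsing, no inline comments
            findings.append((no, "'#' after a value becomes part of the value"))
        if value == "{":
            depth += 1
            if section == "realms" and depth == 1:
                realms.add(key)  # realm names are the top-level keys of [realms]
        elif section == "domain_realm":
            mappings.append((no, key, value))
    for no, host, realm in mappings:
        if realm not in realms:
            findings.append((no, f"{host} maps to undefined realm {realm}"))
    return findings

# Constructed sample reproducing the two problems mentioned in the thread.
BROKEN = """[libdefaults]
 default_realm = MYDOMAIN.COM
[realms]
 MYDOMAIN.COM = {
  default_domain = MYDOMAIN.COM # I Added this
 }
[domain_realms]
 .mydomain.com = MYDOMAIN.COM
"""
for no, msg in lint_krb5(BROKEN):
    print(f"line {no}: {msg}")
```

On the NAS itself, the text to check would be the contents of /etc/config/krb5.conf, the file edited in the posts above.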