Can't get TS-EC879U joined to SBS 2011 domain (AD)

DazOG
New here
Posts: 4
Joined: Tue Mar 26, 2019 7:49 pm

Can't get TS-EC879U joined to SBS 2011 domain (AD)

Post by DazOG » Tue Mar 26, 2019 9:27 pm

Hi,

Hoping someone can help me, as I'm at my wits' end with this..

We've got a TS-809U running the latest firmware available for it (4.2.6 Build 20181227) which is joined to our Windows SBS 2011 based domain. This works fine, shared folders have domain users & group permissions on them, users can connect to them using Macs and Windows computers. I'll call this MY-NAS1.

I bought another QNAP NAS, a TS-EC879U to replace it. This is running the latest firmware available (4.3.6.0883) and is connected to the same switch on the same network. I'll call this MY-NAS2.

Both NASs have static IP addresses, MY-NAS1 is 10.1.0.45, MY-NAS2 is 10.1.0.40. For the purposes of this thread I'll call the DC (the only one on the network) MY-DC, and the domain mycompany.local. There is one DNS server (the SBS server/DC) - 10.1.0.10.

When I try and connect MY-NAS2 to our domain, using exactly the same details as MY-NAS1, both the Quick Configuration Wizard and Manual Configuration options sit there on "Processing" for an extended period of time (I'd guess 3 minutes or so) before that window disappears and leaves me to click Finish. At no point does it say that the NAS has been successfully joined to the domain in green lettering, as shown in this QNAP help video - https://youtu.be/KFvAGWVRqMs?t=164

After I have tried and failed to join MY-NAS2 to the domain, I CAN see domain users and groups, and assign domain users and groups to any shared folder I create, so it would appear to be joined in some form or another. But I CANNOT access any share using domain credentials, only a local user (e.g. admin).

After Googling and finding various threads about things to look for I SSH'd into both NASs to compare the results from them. Here is some of the output - let me know if any more is required:

[~] # cat /var/log/setup_smb.debug
======== DEBUG START =======
/usr/local/samba/bin/net time set -S MY-DC.my-company.local
[command] echo ******** | /usr/bin/kinit "sysadmin2#MYCOMPANY.LOCAL"
Password for sysadmin2#MY-COMPANY.LOCAL:
Specify WORKGROUP = MY-COMPANY
[command] /usr/local/samba/bin/net ads join -S MY-DC -U "sysadmin2%********" -s /etc/config/smb.conf
Failed to join domain: Failed to set password for machine account (NT_STATUS_IO_TIMEOUT)

[command] /usr/local/samba/bin/net ads join -S MY-DC.my-company.local -U "sysadmin2%********" -s /etc/config/smb.conf
Failed to join domain: Failed to set password for machine account (NT_STATUS_IO_TIMEOUT)

[command] /usr/local/samba/bin/net ads join -U "sysadmin2%********" -s /etc/config/smb.conf
Failed to join domain: Failed to set password for machine account (NT_STATUS_IO_TIMEOUT)

[command] /usr/local/samba/bin/net rpc join -S MY-DC -U "sysadmin2%********" -s /etc/config/smb.conf
Failed to join domain: Failed to set password for machine account (NT_STATUS_IO_TIMEOUT)

[command] /usr/local/samba/bin/net rpc join -S MY-DC.my-company.local -U "sysadmin2%********" -s /etc/config/smb.conf

The above just seems to keep repeating different variations of the above command, never succeeding...

[~] # wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

[~] # smb2status

smbd (samba daemon) Version 4.4.16
smbd (samba daemon) is not running.
max protocol SMB 3 enabled.

/etc/config/krb5.conf:

[libdefaults]
 default_realm = MY-COMPANY.LOCAL

[realms]
 MY-COMPANY.LOCAL = {
  kdc = MY-DC.my-company.local
 }

[domain_realms]
 .MY-DC.my-company.local = MY-COMPANY.LOCAL

/etc/config/smb.conf:

[global]
passdb backend = smbpasswd
workgroup = MY-COMPANY
security = ADS
server string=NAS Server
encrypt passwords = Yes
username level = 0
map to guest = Never
null passwords = yes
max log size = 10
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers = yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.#__thumb/.#__desc/:2e*/.#__qini/.Qsync/.#upload_cache/.qsync/.qsync_sn/.#qsys/.streams/.digest/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
restrict anonymous = 2
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
follow symlinks = yes
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = no
domain logons = no
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = no
conn log = no
kernel oplocks = no
min protocol = LANMAN1
smb2 leases = yes
durable handles = yes
kernel share modes = no
posix locking = no
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
server signing = disabled
aio read size = 1
aio write size = 0
streams_depot:delete_lost = yes
streams_depot:check_valid = no
fruit:nfs_aces = no
fruit:veto_appledouble = no
winbind expand groups = 1
winbind scan trusted domains = no
pid directory = /var/lock
printcap name = /etc/printcap
printing = cups
show add printer wizard = no
vfs objects =  shadow_copy2 catia fruit qnap_macea streams_depot aio_pthread
realm = on-group.local
ldap timeout = 5
password server = MY-DC.my-company.local
pam password change = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 3600
allow trusted domains = yes

[printers]
use client driver = yes
writable = no
browsable = no
printable = yes
guest ok = yes
path = /var/spool/smb

[Web]
comment = System default share
path = /share/CACHEDEV1_DATA/Web
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
timemachine = no
public = yes
invalid users = guest
read list =
write list = admin
valid users = root,admin
inherit permissions = yes
shadow:snapdir = N/A
shadow:basedir = /share/CACHEDEV1_DATA/Web
shadow:sort = desc
shadow:format = #GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
aio read size on sequential = 4097
mangled names = yes
hide unreadable = no
access based share enum = no

[Public]
comment = System default share
path = /share/CACHEDEV1_DATA/Public
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
timemachine = no
public = yes
invalid users = guest
read list = #"everyone"
write list = admin
valid users = root,#"everyone",admin
inherit permissions = yes
shadow:snapdir = N/A
shadow:basedir = /share/CACHEDEV1_DATA/Public
shadow:sort = desc
shadow:format = #GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
strict allocate = yes
streams_depot:check_valid = yes
aio read size on sequential = 4097
mangled names = yes
hide unreadable = no
access based share enum = no

[homes]
comment = System default share
path = /share/CACHEDEV1_DATA/homes
browsable = yes
oplocks = yes
ftp write only = no
recycle bin = yes
recycle bin administrators only = no
qbox = no
timemachine = no
public = yes
invalid users =
read list =
write list = admin
valid users = root,admin
inherit permissions = yes
shadow:snapdir = N/A
shadow:basedir = /share/CACHEDEV1_DATA/homes
shadow:sort = desc
shadow:format = #GMT-%Y.%m.%d-%H:%M:%S
smb encrypt = disabled
mangled names = yes
hide unreadable = no
access based share enum = no

[home]
comment = Home
path = %H
browsable = yes
oplocks = yes
ftp write only = no
inherit permissions = yes
invalid users = guest
writable = yes
read list = "%u"
write list = "%u"
valid users = "%u"
root preexec = /sbin/create_home -u '%q'
shadow:snapdir = /share/CACHEDEV1_DATA/homes/../_.share/homes/.snapshot
shadow:basedir = %H
shadow:sort = desc
shadow:format = #GMT-%Y.%m.%d-%H:%M:%S

/var/log/log.smbd:

[~] # more /var/log/log.smbd
[2019/03/26 09:07:26.956736,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2019/03/26 09:19:05.648049,  0] ../source3/rpc_server/mdssd.c:96(mdssd_sig_term_handler)
  termination signal
[2019/03/26 09:19:19.510651,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2019/03/26 09:20:02.715417,  0] ../source3/rpc_server/mdssd.c:96(mdssd_sig_term_handler)
  termination signal
[2019/03/26 09:20:15.857199,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2019/03/26 11:46:31.504476,  0] ../source3/rpc_server/mdssd.c:96(mdssd_sig_term_handler)
  termination signal
[2019/03/26 11:46:46.552652,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2019/03/26 11:47:01.615189,  0] ../source3/rpc_server/mdssd.c:96(mdssd_sig_term_handler)
  termination signal

/usr/local/samba/var/locks/log.winbindd:

[~] # cat /usr/local/samba/var/locks/log.winbindd
[2019/03/26 12:29:22.012586,  0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/03/26 12:29:28.627609,  0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
  Could not fetch our SID - did we join?
[2019/03/26 12:29:28.627665,  0] ../source3/winbindd/winbindd.c:1409(winbindd_register_handlers)
  unable to initialize domain list
[2019/03/26 12:29:52.805991,  0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/03/26 12:29:59.532790,  0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
  Could not fetch our SID - did we join?
[2019/03/26 12:29:59.532849,  0] ../source3/winbindd/winbindd.c:1409(winbindd_register_handlers)
  unable to initialize domain list
[2019/03/26 12:30:23.601157,  0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/03/26 12:30:29.884083,  0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
  Could not fetch our SID - did we join?
[2019/03/26 12:30:29.884139,  0] ../source3/winbindd/winbindd.c:1409(winbindd_register_handlers)
  unable to initialize domain list
[2019/03/26 12:30:54.857968,  0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/03/26 12:30:59.208947,  0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
  Could not fetch our SID - did we join?
[2019/03/26 12:30:59.209005,  0] ../source3/winbindd/winbindd.c:1409(winbindd_register_handlers)
  unable to initialize domain list
[2019/03/26 12:31:25.664650,  0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/03/26 12:31:28.529282,  0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
  Could not fetch our SID - did we join?
[2019/03/26 12:31:28.529338,  0] ../source3/winbindd/winbindd.c:1409(winbindd_register_handlers)
  unable to initialize domain list
[2019/03/26 12:31:56.465390,  0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/03/26 12:32:00.881805,  0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
  Could not fetch our SID - did we join?
[2019/03/26 12:32:00.881853,  0] ../source3/winbindd/winbindd.c:1409(winbindd_register_handlers)
  unable to initialize domain list
[2019/03/26 12:32:28.344595,  0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/03/26 12:32:30.939968,  0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
  Could not fetch our SID - did we join?
[2019/03/26 12:32:30.940026,  0] ../source3/winbindd/winbindd.c:1409(winbindd_register_handlers)
  unable to initialize domain list
[2019/03/26 12:32:59.153941,  0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/03/26 12:33:00.540330,  0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
  Could not fetch our SID - did we join?
[2019/03/26 12:33:00.540372,  0] ../source3/winbindd/winbindd.c:1409(winbindd_register_handlers)
  unable to initialize domain list
[2019/03/26 12:33:32.547671,  0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[~] #

Some things I have observed:

- winbindd is not running on MY-NAS2, it is running on MY-NAS1.
- /etc/resolv.conf on MY-NAS2 inexplicably has nameserver 127.0.1.1 in it. /etc/resolv.dnsmasq (which doesn't exist on MY-NAS1) has 10.1.0.10 in it and 8.8.8.8.
- On MY-NAS2 I CAN NOT ping MY-DC (reports bad address), but I CAN ping MY-DC.my-company.local. On MY-NAS1 (the one that works) I can ping MY-DC. I have tried different permutations of resolv.conf, including copying the one on MY-NAS1, restarting network services, to no avail.
- There is an AD computer account (called MY-NAS2) created by the NAS trying to join the domain. This exists in the same place as MY-NAS1, at my-company.local/MyBusiness/Computers/SBSComputers.

I am completely lost for ideas on how to fix this. As said previously I have never had to edit any of these configuration files by hand, it has just worked. Any help gratefully received!

EDIT: Can I also just say how stupid it is that the forum doesn't let you use the AT symbol in a post?? It is forbidden apparently ("Contains contacts"). I have replaced every instance of the AT symbol with # above.
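As an added diagnostic (an editor's example, not the poster's output or QNAP's tooling), the script below checks two consistency points this post exposes: the `realm` in the quoted smb.conf (`on-group.local`) does not match the `default_realm` in the quoted krb5.conf (`MY-COMPANY.LOCAL`), and a resolv.conf whose only nameserver is the 127.0.1.1 forwarder, with no search domain, cannot qualify a bare `MY-DC`. The sample texts are constructed from the files quoted above, and the domain name passed to `check_resolv` is an assumption.

```shell
#!/bin/sh
# Added example: consistency checks for a Samba AD join. Not QNAP's or the poster's code.

# Constructed samples modelled on the files quoted above (not the real configs).
SMB_SAMPLE='[global]
workgroup = MY-COMPANY
security = ADS
realm = on-group.local
password server = MY-DC.my-company.local'
KRB5_SAMPLE='[libdefaults]
 default_realm = MY-COMPANY.LOCAL
[realms]
 MY-COMPANY.LOCAL = {
  kdc = MY-DC.my-company.local
 }'
RESOLV_SAMPLE='nameserver 127.0.1.1'

# conf_value KEY: read config text on stdin, print the first "KEY = value" value.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1 | tr -d ' \t\r'
}

# check_realm SMB_TEXT KRB5_TEXT: prints "ok" when both realms agree (case-insensitive).
# kinit uses krb5.conf's default_realm, net ads uses smb.conf's realm; they must match.
check_realm() {
    smb=$(printf '%s\n' "$1" | conf_value realm | tr '[:lower:]' '[:upper:]')
    krb=$(printf '%s\n' "$2" | conf_value default_realm | tr '[:lower:]' '[:upper:]')
    if [ -n "$smb" ] && [ "$smb" = "$krb" ]; then
        echo ok
    else
        echo "mismatch: smb.conf realm '$smb' vs krb5 default_realm '$krb'"
    fi
}

# check_resolv RESOLV_TEXT DOMAIN: prints "ok" when a non-loopback nameserver is
# listed and DOMAIN appears in a search/domain line; otherwise names the gap.
check_resolv() {
    ns=$(printf '%s\n' "$1" | awk '$1 == "nameserver" && $2 !~ /^127\./ { print $2; exit }')
    sd=$(printf '%s\n' "$1" | awk -v d="$2" 'tolower($1) ~ /^(search|domain)$/ {
        for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) { print $i; exit } }')
    if [ -z "$ns" ]; then
        echo "no non-loopback nameserver: only a local forwarder is listed"
    elif [ -z "$sd" ]; then
        echo "no search/domain entry for $2: a bare host name like MY-DC will not resolve"
    else
        echo ok
    fi
}

check_realm "$SMB_SAMPLE" "$KRB5_SAMPLE"
check_resolv "$RESOLV_SAMPLE" my-company.local
```

On the NAS itself, run `check_realm "$(cat /etc/config/smb.conf)" "$(cat /etc/config/krb5.conf)"` and `check_resolv "$(cat /etc/resolv.conf)" my-company.local` against the live files.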

DazOG
New here
Posts: 4
Joined: Tue Mar 26, 2019 7:49 pm

Re: Can't get TS-EC879U joined to SBS 2011 domain (AD)

Post by DazOG » Wed Mar 27, 2019 6:39 am

Hi,

Just to update this thread. I think I have solved the problem. I added another account to the "Domain Admins" group on the DC, and used that with the Quick Configuration Wizard, and got the following in setup_smb.debug:

[~] # cat /var/log/setup_smb.debug
======== DEBUG START =======
/usr/local/samba/bin/net time set -S MY-DC.my-company.local
[command] echo ******** | /usr/bin/kinit "anotheradmin@MY-COMPANY.LOCAL"
Password for anotheradmin@MY-COMPANY.LOCAL:
Specify WORKGROUP = MY-COMPANY
[command] /usr/local/samba/bin/net ads join -S MY-DC -U "anotheradmin%********" -s /etc/config/smb.conf
Using short domain name -- MY-COMPANY
Joined 'MY-NAS2' to dns domain 'my-company.local'

wbinfo -u now returns all of the domain users, and I can access shares.

The solution? The admin user I was using had a question mark and an exclamation mark in the password. I don't know which of these caused the problem, but either/both of them did. Using another domain admin with a regular alphanumeric password worked first time with no other changes.

EDIT: Turns out also that another admin changed the forest and domain functional level from 2003 to 2008R2. So it could've been that instead... grrr.. either way it's fixed now.

DazOG
New here
Posts: 4
Joined: Tue Mar 26, 2019 7:49 pm

Re: Can't get TS-EC879U joined to SBS 2011 domain (AD)

Post by DazOG » Wed Mar 27, 2019 11:16 pm

Looks like I spoke too soon.. the NAS dropped off the domain earlier today and I haven't been able to reconnect it since. It's doing exactly what it did in the first post.

DazOG
New here
Posts: 4
Joined: Tue Mar 26, 2019 7:49 pm

Re: Can't get TS-EC879U joined to SBS 2011 domain (AD)

Post by DazOG » Thu Mar 28, 2019 3:14 am

Can anyone help me with this please?

dolbyman
Guru
Posts: 18981
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Can't get TS-EC879U joined to SBS 2011 domain (AD)

Post by dolbyman » Thu Mar 28, 2019 3:19 am

most of us use QNAP at home, so no AD with QNAP experience

maybe open a ticket with qnap for help
