TeraStation Pro Accessed Over Multiple Domains

[aberlake]

   

Hi,

 

Had a dig through the forum on this but can't find any other references to this. We currently run three different W2K3 domains, Dom1 is the forest root, Dom2 and Dom3 are separate domains but within the Dom1 forest. We have a Terastation Pro  TS-RHTGL/R5 which is a member of Dom1 and is AD synchronised. Within Dom1 there is a univeral group that contains the names of users from Dom2 and Dom3 that should have access rights to a share on the TeraStation. However whenever one of these users attempts to access the TeraStation they get thrown a login screen, but they never get to authenticate as no matter what login is used it refuses to allow access. Users from Dom1 have no problems. anyone ever come across anything like this before? Should I be able to make this work? Any suggestions gratefully accepted. Running FW 1.26 if it makes any difference.

 

Richard

[Nox]

   How did you setup the access rights?  Are the users from DOM2 and DOM3 a member of any groups in DOM1?  Do those groups have access to the Terastation?

[aberlake]

   

Thanks for the reply

 

Dom1 (the domain the TS is a member of and synch's with) contains a group that has the access rights associated with it. It's a universal group that allows users from other domains in same forest to be granted rights via that group and users from Dom2 and Dom3 are in that group. Anyone in that group from Dom1 works as expected but users from Dom2 and Dom3 are refused access. Use the same scenario on CentOS and Win2k3 shares with no issues, but TeraStation isn't happy.

 

Richard

[Nox]

   

Can you confirm you are not using Groups within Groups?

 

Example a user being a member of a group in DOM2, and that group being a member of a group in DOM1?

[aberlake]

   

Hi Nox,

 

Yes I can confirm that it is single user accounts from Dom2 and Dom3 that are in the Dom1 group that controls access to the TS.

 

Good idea though :smileyhappy:

 

Thanks again

 

Richard

[aberlake]

   Forgot to say that the group in Dom1 definitely has correct rights for TS share :-) Users that belong to Dom1 work fine.

[Nox]

   

It sounds like the authentication token being passed to the NAS either contains only the user account information, or contains the wrong domain information, both of which would cause the NAS to not know who they were and prompt for credentials.

 

If you setup a dummy user account in DOM1, grant that dummy account access rights to the share, then try to hit the NAS as a person in DOM2 or DOM3, can you then provide alternate credentials and get into the share point?

[Nox]

   

Another thing to try is see if you can map a drive letter either through windows map network drive, or by command line:

 

net use z: \\nas\share /user:username@domain2.com password /persistent:yes

 

Maybe this will give your users the pre-authentication that the NAS is looking for?