LS-WTGL Domain Authentication Fails

[CLS]

Hello,

 

 

Issue: I do not have any trouble getting it to connect to active directory, or getting group and user names from active directory. I have had shares created for awhile now and am able to assign users to the control and read groups on the linkstation.

What I can't do is access the share by IP or DNS when using domain authentication. Get access denied everytime. 

When mapping by dns name "It works!" (meaning the nas users can access and read items on the nas)

Model Number : LS-WTGL/R1-V3 

F/W : 3.10

Notes: 

The time is correct.

It is on the same switch as our AD server

Our AD server is our DNS server

The linkstation is on the same subnet and it's DNS ip is the AD server.

Domain Controller OS: Windows Server 2008 R2 Ent.

 

Appreciate any help you can provide. 

 

[CLS]

Bump

[Jotin]

Any 2k8 servers, Windows 7 and Vista professional or higher need to have their NTLM settings changed to "Send LM & NTLM, use NTLMv2 session security if negotiated". This should fix that issue. 

[CLS]

Hi Jotin, 

 

Thanks for your response. Please see the link below which shows some screenshots I took of our Domain Controller. The setting you refer to was enabled prior to my post. I am happy to try anything else you suggest. I really appreciate you giving this a stab. 

 

ScreenShots

 

 

[Jotin]

Are you using a user credentials of a user that has been assigned read/write access to that folder through the buffalo interface? 

[CLS]

Its actually every domain user that has this issue. I am in the group for read/write access. "Domain Users"  - 

 

Just added a screenshot (to the previous link) of a specific folder we are trying to access - shows users and groups.

[CLS]

Happy to try any other suggestions. Thanks to anyone's help. 

 

[Jotin]

I would try flashing the firmware and then restoring the interface. This will probably clear up any configuration error in the interface. 

[CLS]

I called support on Friday and went through these steps. Still with no avail. Honestly I can make suthentication work. 

 

The issue I have now is that the Linkstation cannot be accessed from our vpn or any users not on the domain. So if anyone has a VM on the network but not on the domain they cant even connect to the nas. 

 

Any ideas you can throw at me? 

 

[etaylor]

I have the exact issue. You can join the 2008 R2 domain, you can enumerate users within the buffalo web config, but passthrough authentication doesn't work, nor does putting the credentials every time. I have been through this with several support people, the last time, the tech on the phone admitted that a) the firmware doesn't go through complete testing until several months after release (yes he did say that to me). b)They know that there is a problem and that it might take months to fix it. It took quit a few calls to get this info. I have gone into AD as per the wiki and tried all of the security changes, GPO settings, ect to no avail. Come on Buffalo!

[Jotin]

@ etaylor.... What number did you give when you called in? Did you call the American support line? I can guarantee you that we do test out or units. What firmware are you running on the LS WTGL? 

[sublaner]

Here's something I found testing Windows Server 2008 Domain Authentication for another vendor's NAS. I was having problems with 2008 AD, while everything worked fine with Server 2003 AD.

 

To successfully join the 2k8 domain changed these GP settings affecting the domain controllers, under Windows Settings\Security Settings\Local Policies\Security Options:

-Domain Controller: LDAP server signing requirements - change from Require Signing to NONE (the Server 2003 default, I think)

-Microsoft network server: Digitally sign communications (always) - change from ENABLED to DISABLED (also the default in my old 2k3 domain).

 

Once that was done I had to make the following additional changes affecting clients back to 2k3 defaults so they could actually access the NAS, also under 'Security Options:

-Domain Member: Digitally encrypt or sign secure channel data (always) - change from ENABLED to DISABLED.

-Microsoft Network Client: Digitally sign communications (always) - same change.

 

Had to make a couple more changes to get access in workgroup mode, but that defeats the purpose. None of this helps me much, as our product is a secure network package and the purpose of my search is to find a small NAS that does not need these changes in order to work.

 

Near as I can tell, most of these NAS devices are Linux-something based and use Samba to emulate SMB servers. Probably saves royalties? Have heard that at least Samba 3.4 is needed to (probably) interact well with Server 2k8. Samba 4 is supposed to answer everyone's prayers, but that is still experimantal so don't hold your breath waiting for it from NAS vendors.

 

Had an experience like this years ago, ended up returning the bleeping thing to trade for a Windows Server Storage Edition device.

 

 

 

 

[CLS]

Sublaner, 

 

Incredibly helpful. I will try those items out and follow up. ----  Anyone else please let me know if you have success.