Post by: belz_investco on May 26, 2009, 07:26:26 PM
I have a LS-WTGL/R1-V3, running firmware 3.09. I followed the steps and set up the computer object in AD as a pre-2000 computer, and went through the steps under Network to attach it to AD. I can see the users and groups when I go into the share to set up permissions. They show up as BEI+GroupName(DOMAIN). When I add a user or a group to the proper access levels, and hit apply, they show up in that access list box as BEI(DOMAIN) only, and no users or users in groups can access the share.
NTP has been set up, and time is with in 5 minutes of the AD server.
What am I missing?
Post by: PCPiranha on May 26, 2009, 10:10:49 PM
Post by: belz_investco on May 27, 2009, 09:28:10 AM
The AD server is a Windows 2008 server, AD is running in 2003 compatibility mode.
Post by: PCPiranha on May 27, 2009, 03:00:00 PM
Well, that's definitely a problem. I'll pass the info up to our corporate office. In the meantime, try the Delegate Authority method:
There is another option to use Domain users. This option does notintegrate the Buffalo to Active Directory, but uses the DelegateAuthority to an external SMB Server option. To do this, selectWorkgroup and put a checkmark in the "Delegate Authority to ExternalSMB Server", "Use Windows Domain Controller as Authentication Server","Automatic User Registration", and "Authentication Shared Folder" andenter the required information. The "Authentication Shared Folder"option will create an open share. Have the domain users that are toaccess the unit login to that share. This will register those users onthe Buffalo. Afterwards, you can set Access Restrictions on the sharesusing those users and remove the "Authentication Shared Folder".
Post by: dannyc on August 05, 2009, 12:47:00 PM
I have the same issue with a TeraStation Pro II. In my case, the domain groups display just as described above, but the users list says it can't be obtained (less than 1000). If I assign a domain group to have read permissions, it does the exact same thing described above (takes out the group name and just leaves the generic domain name).
Since this was originally posted on 2-19-2009, has there been any fix for the problem?
Post by: belz_investco on August 05, 2009, 01:54:37 PM
Post by: Mortigan on August 27, 2009, 04:58:26 PM
Post by: belz_investco on August 27, 2009, 05:03:09 PM
It would appear that Buffalo does not have any interest in fixing the issue. Since I can not even get Support to give me a status update, I will just have to take this to the next level - posting this information on as many Google indexed tech boards as I can find. This way, when prospective purchasers search for information, they will find this issue as well.
Post by: Mortigan on September 02, 2009, 04:39:27 PM
OK, I seem to have solved the issue and worked out some of what was causing the problem, maybe this post will help the rest of you.
I found another post with the same symptoms and in the post the following instructions were provided:
Workgroup and Domain Properties:
- Network Type: "Active Directory"
- Active Directory Domain Name (NetBIOS Name): NETBIOS Legacy Domain name, ex. "DOMAIN"
- Active Directory Domain Name (DNS/Realm Name): Full Domain name, ex. "domain.com"
- Active Directory Domain controller Name: Domain Controller name, ex. "server"
- AD Administrator Name & AD Administrator Password: The user name and password of an account with administration privileges so the Buffalo can properly be added to the network. This information will not be stored.
- WINS Server IP Address: IP address of the WINS server (if not using WINS, enter domain controller's IP address)
I went through all of my setting and found only 1 item that was not exactly as described in these instructions. The Active Directory Domain Name field MUST BE THE NETBIOS DOMAIN NAME. In my configuration I had entered the full domain name, for example under the NETBIOS field, I previously had "DOMAIN.LOCAL" when it should have just been "DOMAIN". The next field should be "DOMAIN.LOCAL" or whatever your full domain name is. Make sure all of the settings are EXACTLY as described in this list and it should stop exhibiting the strange behavior described by several of us above. The reason that this is confusing is that it will seem to work even if you have the full domain name (DOMAIN.LOCAL) in both fields. Even though it seems to work, pulls the AD groups, and you can see the device in AD, it will not work unless you have all fields configured EXACTLY as described.
The final issue that I was having was that even after getting the AD security settings to retain I would still periodically have the security fail when trying to access the security-enabled shares. When I would verify the settings through the web console they would still appear correct. After some troubleshooting I realized that this happens anytime I access the web console using FIREFOX. If I used Internet Explorer all of the settings remained correct and I was able to access the security-enabled shares. As a precaution I would only manage this device with IE from now on.
I hope this set of steps/checks will help the rest of you. While I still think that this issue is too widespread for Buffalo to ignore, I also think that most of the problems could be fixed with some careful examination of each individual configuration.
Post by: JoshC on September 03, 2009, 01:50:36 AM
Also check to see what your NTLM policy is and change it if need to be
1.Go to Start->Programs->Administrative Tools->Active Directory Users and Computers
2. Right click on Domain Name->Properties
3. Click on the group policy tab
4. Highlight Default Domain Policy and click 'Edit'
5. -Go to Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options
-Double-click Network security: LAN manager authentication level
6. -Toggle define this policy setting to be enabled
-Choose Send LM & NTLM - use NTLMv2 session security if negotiated
7. -Open Command Prompt
-Enter 'gpupdate' (Group Policy Update) in the command line to refresh the Group Policies