Cannot join QNAP to Domain

eitan · February 6, 2019, 3:09pm

Hi All,

I am trying to join my QNAP TS221 to my nethserver Domain with no success.
I was able to joint it once into the domain, but later the QNAP disks died and it was reinstalled.
nethserver is updated to the latest version:
System version: NethServer release 7.6.1810 (final)
Kernel release: 3.10.0-862.14.4.el7.x86_64
my domain account is:
NetBIOS domain name: mydomain
LDAP server: 192.168.10.31
LDAP server name: nsdc-dc.ad.mydomain.local
Realm: AD.mydomain.LOCAL
Bind Path: dc=AD,dc=mydomain,dc=LOCAL
LDAP port: 389
Server time: Wed, 06 Feb 2019 15:48:47 IST
KDC server: 192.168.10.31
Server time offset: 0
Last machine account password change: Mon, 06 Aug 2018 09:35:04 IDT

Join is OK

whenCreated: 20180806063503.0Z
name: DC
objectSid: S-1-5-21-1364839592-55747391-1094092716-1104
accountExpires: 9223372036854775807
sAMAccountName: DC$
pwdLastSet: 131780109042605860
dNSHostName: dc.mydomain.local
servicePrincipalName: HOST/DC
servicePrincipalName: HOST/dc.mydomain.local
whenChanged: 20190203074515.0Z
lastLogon: 131939338671395610
distinguishedName: CN=DC,CN=Computers,DC=ad,DC=mydomain,DC=local

When I try to connect the QNAP to the domain, it has a quick configuration wizard that helped me join the domain in the past.

When I run it now, it will ask for, the following:
Full DNS doamin name: I put: nsdc-dc.ad.mydomain.local
NEBIOS domain name: I put MYDOMAIN
Primary DNS server: 192.168.10.31
ThirdScreen

on the next stage it will show me the Domain server it found: nsdc-dc.ad.mydomain.local,
ForthScreen

I will add it to the the list, give an administrator user/password and click Join,

After a while, I will get a summarize screen that says it will join the domain: nsdc-dc.nsdc-dc.ad.mydomain.local

here I can see the problem, twice nsdc-dc.??
in the QNAP log I get the error:
[Security mode] Failed to join domain. Cannot resolve domain. Check DNS server, AD servewr name and Domain.
What do I need to do to fix this?
Thanks
Eitan

saitobenkei · February 6, 2019, 3:15pm

Do you have tried with

Full DNS Domain name: mydomain.local
DNS: the Nethserver IP (not the DC Container)

only?

eitan · February 6, 2019, 3:20pm

Hi,

Tried it with all options, only the option nsdc-dc.ad.mydomain.local will give me the server name to select as the domain to join.

federico.ballarini · February 6, 2019, 3:31pm

Is the software up to date?

Also you can try enabling SMB v1 and Join domain: then disable it.

flatspin · February 6, 2019, 3:45pm

3 hints I think I can give:

Your full domain fqdn ist “ad.mydomain.tld” without nsdc-dc. It’s the domain fqdn, not the server fqdn.
What happens if you try to use the IP instead?
Administator Username is “administrator” with it’s password.
AFAIK this comes from MS-compatibility.

Nothing to de with this, but your machine seems not to be fully udated:
kernel 862.14 is one/two steps behind. subscrition kernel is 957.1, normal repo is 957.5

fausp · February 6, 2019, 11:27pm

I did this a few weeks ago on a TS-863U-RP… Please try it with:

Full DNS domain name: ad.mydomain.local

NS was the DHCP and DNS-server for the NAS…

eitan · February 7, 2019, 7:20am

When I try using ad.mydomain.local I do not get a domain to connect to:

flatspin · February 7, 2019, 7:26am

Can you ping this domain? If not, there’s a problem with DNS resolution.
Set the DNS to your NS, not to the nsdc.
If I read it corectly, the 192.168.10.31 is the nsdc.

saitobenkei · February 7, 2019, 7:28am

I tried yesterday with a QNAP TS-459Pro+ and a Nethservice NG 7.6 (both fully updated).

I was unable to join QNAP to the domain too.

DNS: ip.of.my.nethserver
Full DNS domain name: ad.mydomain.tld (but I have tested mydomain.tld and nsdc-master.ad.mydomain.tld)
user: root (but I have tested root@domain.tld administrator administrator@mydomain.tld)

eitan · February 7, 2019, 7:59am

Hi,

Yes I can Ping the domain:
**nsdc-dc.ad.mydomain.local
_ad.mydomain.local__** - both replay with 192.168.10.31
dc.mydomain.local , that is the NS server name, replay with 192.168.10.30

flatspin · February 7, 2019, 8:08am

Do you ping from qnap or NS?
The DNS server should be the 192.168.10.30, this is your NS-instance.
Above I saw the DNS set to 192.168.10.31, this is the IP of the nsdc-container.

davidep · February 7, 2019, 8:20am

In NethServer administrator is disabled by default.

@eitan You should have set the password for admin instead and use his credentials, or any other member of the Domain Admins group to join the domain.

And NetBIOS domain name: TELEM (…or whatever)

They should both work! If the DHCP server is NethServer i’d go with .30 (or keep the default from DHCP), otherwise .31.

@eitan, your secondary DNS 0.0.0.0 is suspect. I’d clear the input fields just to be sure it’s not a bug of the qnap.

To check if the domain is reachable, from a QNAP shell run

$ host ad.telem.local
$ ping ad.telem.local

AD has always an “A” record for the domain name itself that resolves to all DCs IP addresses.

flatspin · February 7, 2019, 8:32am

Just tried. You’re right, they work both.

eitan · February 7, 2019, 8:37am

@ federico.ballarini
How do I go about enabling (and disabling)SMB v1?

eitan · February 7, 2019, 8:41am

@ flatspin Ralf Jeckel
I can ping it from any machine in that network

davidep · February 7, 2019, 8:45am

…weird but why is it mixed case? Please try to enter the domain name exactly as it was printed by Samba…

Kerberos is case sensitive, DNS not. Windows is usually case insensitive, Linux not.

robb · February 7, 2019, 8:49am

It has been mentioned, but after you activated Samba4 AD accountprovider, you have to enable administrator and admin accounts by giving them a password.
When you join the domain, use either one of them. Root is a local account of the server and has no rights adding users or machines to the domain.

eitan · February 7, 2019, 8:52am

@ davidep
No problem pinging ad.telem.local

eitan · February 7, 2019, 9:01am

@robb
I do not think it is a user issue, more of a DNS issue.
first, only the FQDN nsdc-dc.ad.mydomain.local will give me the option to select a domina to join to: https://community.nethserver.org/uploads/db8506/original/2X/4/416c438a210e8d940a5789a30b3c5e2a4700511c.gif
after that, in the final “domain connection” screen, I get the bad domain name of: nsdc-dc.nsdc-dc.ad.mydomain.local
https://community.nethserver.org/uploads/db8506/original/2X/5/530fb7d661ddb85776ebbe3c545f7062797f633a.gif
Any other DNS name , ad.mydomain.local or dc.mydomain.local will fail to give a domain to connect to
https://community.nethserver.org/uploads/db8506/original/2X/9/9862ddd1b1b9373c94933489c9b9757d7b1f5ab0.gif

robb · February 7, 2019, 9:05am

That is expected behaviour because ad.mydomain.local is the name of your domain, not your AD domain controller and dc.mydomain.local does not exist since your domain is ad.mydomain.local. NethServer is dc.ad.mydomain.local and the NSDC container where Samba4 AD resides is nsdc-dc.ad.mydomain.local.

If you think it is a DNS problem, make sure your clients use NS as DNS server to resolve ip addresses on your local LAN. If you think NS can’t resolve an IP address automagically, just add the IP address in NethServer DNS.