Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running time

All questions pertaining to Windows Active Directory Service can go here
Forum rules
1) This is a user forum for Synology users to share experience/help out each other: if you need direct assistance from the Synology technical support team, please use the following form:
https://myds.synology.com/support/suppo ... p?lang=enu
2) To avoid putting users' DiskStation at risk, please don't paste links to any patches provided by our Support team as we will systematically remove them. Our Support team will provide the correct patch for your DiskStation model.
GMD
I'm New!
I'm New!
Posts: 4
Joined: Wed Mar 08, 2017 7:16 am

Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running time

Postby GMD » Wed Mar 08, 2017 8:25 am

Already created “Synology Support Ticket: #1022038”

We have various problems with the connection to Active Directory after the update to DSM 6.1-15047.
Now we updated our DS1515+ to DSM 6.1-15047 Update 1...
Problems persists...

We observed missing AD Groups some time after 1-5h running time, after a reboot.
It is very curios, after a reboot the DS1515+ seems to work normal for a while.

The displayed groups are correctly for a while.
But after a while the AD groups and users changes to UNIX Groups and UNIX Users.

See:
Image

This causes errors with our software that uses the network shared folders.

Maybe the problem is not new, I found this. It is similar.
https://forum.synology.com/enu/viewtopic.php?t=42557

Synology please fix the problem ASAP.
DS1515+ is a certified product for Windows Server 2012r2.
This essential function seems be broken since the update.
We use the DS1515+ in our company and it disturbs now the production processes.


I have tried clearing the SMB cache, re-joining the domain, verifying the AD server.
The "Domain Status Check" mostly pass all steps on join the AD, and some tests fails on later following checks.
Rodeus
I'm New!
I'm New!
Posts: 2
Joined: Wed Mar 08, 2017 10:23 pm

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby Rodeus » Wed Mar 08, 2017 11:58 pm

Hi,
Thanks google for indexing this post within 2 hours of it's creation...

Ok so we have the same kind of error, our User Share's can no longer be written by our AD Users.
SBS2011 Standard, using a DS1812+ (DSM 6.1-15047 Update 1)

Public share still can be written, but when there are AD Groups or Ad Users involved the restriction is always not able to write.
Image

We have a Main User folder, (that users can traverse) and then each user has it's own personal folder (created by the AD properties, at the account creation)
Then the script map's our user shares and voila. But since the update, it's no longer working.

We have attempted to reset rights, change owner, create new group, new user, ... No way to write in these user folders.
Even Domain Admin can't

Synology Support please act fast this is a major bug for your corporate users !!
We manage about 17 NAS although our client locations... Thankfully have only updated one site.

Thanks,
MD
Rodeus
I'm New!
I'm New!
Posts: 2
Joined: Wed Mar 08, 2017 10:23 pm

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby Rodeus » Fri Mar 17, 2017 5:13 pm

Since there seems to be no reply or solution for this problem, I did opened a Synology support ticket #1030715
vfr800
I'm New!
I'm New!
Posts: 1
Joined: Mon Mar 20, 2017 9:19 pm

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby vfr800 » Mon Mar 20, 2017 9:41 pm

Hi

I'm having similar issues with 6.1. "No data" is listed under domain users/groups when I try to add a domain permission to a share.

Liam
orttauq
I'm New!
I'm New!
Posts: 5
Joined: Thu Sep 19, 2013 6:49 pm

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby orttauq » Mon Mar 20, 2017 10:39 pm

We are having this issue too and it is impacting operations now. Our backup applications can't authenticate to write files. We tried to create and use local user accounts to get around this but they fail too with "failed to load user data"

Control Panel | Domain/LDAP page gives a time out error after 4-5 hours after a reboot
Control Panel | User page gives "failed to load user data"

We are lucky at this point the our local admin account still works as well as our iSCSI LUN connections.
orttauq
I'm New!
I'm New!
Posts: 5
Joined: Thu Sep 19, 2013 6:49 pm

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby orttauq » Tue Mar 21, 2017 12:25 am

Opened case with Synology Support re: this issue. Also talked to Support and got no real long term solution other than "reboot it"
chriskel
I'm New!
I'm New!
Posts: 1
Joined: Fri Mar 24, 2017 3:55 am

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby chriskel » Fri Mar 24, 2017 4:01 am

Just updated to the latest version along with Update 1 and now have AD connections as well. Adding new AD users to directories is no longer possible and those assigned writes via AD can no longer access their directories. Can we get some help here? :oops: :oops:
User avatar
jjb2
Enlightened
Enlightened
Posts: 445
Joined: Fri Feb 21, 2014 1:19 pm

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby jjb2 » Fri Mar 24, 2017 12:49 pm

I believe update 2 released the other day has fixes for AD issues listed in its release notes. You might want to search the forums for the link and check it. Of course it could create other problems if you apply it but if you are so inclined and are desperate for a fix it's something to consider.
RS810+ RS810RP+ RS812+ RS812RP+ RS814+ RS814RP+ RS815+ RS815RP+ RS2212+ RS2212RP+ RS2416+ RS2416+ RS3614XS RS3614RPXS RS3617XS RS3617XS+ RS4017XS+, | DSM4 DSM5, DSM6 | Raid 1, Raid 5, Raid 6, Raid 10, Raid 50 | CMS, HA, HYPER Backup, iScsi, Mail Server, Mail Station, SSD, VPN, Web Hosting | Petabytes of storage with 2TB, 3TB, 4TB, 5TB, 6TB, 8TB, 10TB disks | RT1900ac, RT2600ac |
GMD
I'm New!
I'm New!
Posts: 4
Joined: Wed Mar 08, 2017 7:16 am

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby GMD » Mon Mar 27, 2017 7:36 am

Version: 6.1-15047-2 NOT FIXES our actual problems.
The same problem after the weekend....

"SMB-Cache löschen" / "Flusch SMB Cache" from the SMB settings menu fixes the Users and Groups for a while again...

My older DS215J is connected to the same AD and working without any problems!

See:
Image

and

Image
GMD
I'm New!
I'm New!
Posts: 4
Joined: Wed Mar 08, 2017 7:16 am

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby GMD » Mon Mar 27, 2017 7:46 am

jjb2 wrote:I believe update 2 released the other day has fixes for AD issues listed in its release notes. You might want to search the forums for the link and check it. Of course it could create other problems if you apply it but if you are so inclined and are desperate for a fix it's something to consider.


Did you mean a new not released version?

Or the already released?

Version: 6.1-15047-2

(2017/03/22)
Fixed Issues
Fixed an issue where a high-availability cluster might unexpectedly switch over when the active server is busy.
Fixed an issue where SHA alternatively displays the message of availability/unavailability due to false alarm.
Fixed an issue where DSM cannot be joined into Windows AD domains after upgrading to version 6.1.
Fixed an issue where domain users cannot be edited on DSM after enabling Windows AD services.
Fixed an issue where LDAP users could fail to access files via the SMB protocol.
Fixed the compatibility issue of VMware with some file LUNs created on DSM 6.0 Beta.
Fixed an issue where an encrypted shared folder cannot be decrypted when the encryption key is set to maximum length.
Enhanced the stability of the iSCSI service.
Fixed an issue where Auto Block might fail to block addresses when the Allow List is set as an IP range.
Fixed an incorrect volume display on some models where RAID Groups are supported and SHR has been enabled.
Fixed an issue where Microsoft Office and Adobe documents cannot be opened on Windows after being accessed on macOS via the AFP protocol.
Improved the write performance of fragmented Btrfs volumes.
Added Seagate IronWolf Health Management (IHM) support on Broadwell-DE models.
Fixed the compatibility issue of WD WD8001FFWX with the DX1215 expansion unit.
User avatar
jjb2
Enlightened
Enlightened
Posts: 445
Joined: Fri Feb 21, 2014 1:19 pm

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby jjb2 » Mon Mar 27, 2017 11:32 am

The already released Update 2 - there isn't another I am aware of "yet"



GMD wrote:
jjb2 wrote:I believe update 2 released the other day has fixes for AD issues listed in its release notes. You might want to search the forums for the link and check it. Of course it could create other problems if you apply it but if you are so inclined and are desperate for a fix it's something to consider.


Did you mean a new not released version?

Or the already released?

Version: 6.1-15047-2

(2017/03/22)
Fixed Issues
Fixed an issue where a high-availability cluster might unexpectedly switch over when the active server is busy.
Fixed an issue where SHA alternatively displays the message of availability/unavailability due to false alarm.
Fixed an issue where DSM cannot be joined into Windows AD domains after upgrading to version 6.1.
Fixed an issue where domain users cannot be edited on DSM after enabling Windows AD services.
Fixed an issue where LDAP users could fail to access files via the SMB protocol.
Fixed the compatibility issue of VMware with some file LUNs created on DSM 6.0 Beta.
Fixed an issue where an encrypted shared folder cannot be decrypted when the encryption key is set to maximum length.
Enhanced the stability of the iSCSI service.
Fixed an issue where Auto Block might fail to block addresses when the Allow List is set as an IP range.
Fixed an incorrect volume display on some models where RAID Groups are supported and SHR has been enabled.
Fixed an issue where Microsoft Office and Adobe documents cannot be opened on Windows after being accessed on macOS via the AFP protocol.
Improved the write performance of fragmented Btrfs volumes.
Added Seagate IronWolf Health Management (IHM) support on Broadwell-DE models.
Fixed the compatibility issue of WD WD8001FFWX with the DX1215 expansion unit.
RS810+ RS810RP+ RS812+ RS812RP+ RS814+ RS814RP+ RS815+ RS815RP+ RS2212+ RS2212RP+ RS2416+ RS2416+ RS3614XS RS3614RPXS RS3617XS RS3617XS+ RS4017XS+, | DSM4 DSM5, DSM6 | Raid 1, Raid 5, Raid 6, Raid 10, Raid 50 | CMS, HA, HYPER Backup, iScsi, Mail Server, Mail Station, SSD, VPN, Web Hosting | Petabytes of storage with 2TB, 3TB, 4TB, 5TB, 6TB, 8TB, 10TB disks | RT1900ac, RT2600ac |
Lemahasta
I'm New!
I'm New!
Posts: 3
Joined: Mon Mar 27, 2017 4:44 pm

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby Lemahasta » Mon Mar 27, 2017 5:13 pm

I'd like to contribute to this thread a bit. At my company we are faced with exact same issue. Synology RS815rp+ is joined into AD (actually run purely by Samba 4.5.3 DC's). It was working well for almost a year, but after upgarde to 6.1 update 2 (I read about bugs with AD in 6.1 release so I waited until some of them were - supposedly - fixed) I have exact same error.

The error is in my opinion related to winbind and the way synology does domain idmapping. I've setup classic samba 4 file servers as domain members, and crucial bit to get it working properly with AD is how idmapping is done. Samba documentation shows a few ways, I've been doing it usually using backend = ad and setting a UID range from wchich users are to be treated as "domain" instead of local.

Behaviour of synology in 6.1 is as follows: at first (after reboot for example) everything seems fine, when browsing security settings on files or folders I see domain-user SID's and they're properly translated into domain usernames or group names. Of course in web-interface I see all domain users and groups. But when users (it's pretty random - every 20 or 30 or even 40 minutes) access shares synology shows error in log and is unable to correctly identify domain user and instead creates it as own local, switching SID. This in turn corrupts file permissions and windows client are unable to use them in certain scenarios, like roaming profiles, which require logging user to be the "owner" of the folder.

What I know so far:
winbindd works in a way correctly:
wbinfo -u correctly gets domain user list
wbinfo -n <domain username> CORRECTLY returns domain SID

in /var/log/samba there is "log.winbindd-idmap" file which every random time interval writes new error, that didn't appear earlier and IMO it's directly connected to the issue. It seems that winbind is unable to write somewhere (wrong permissions, or file path or whatever) and creates this bug:

../source3/winbindd/winbindd_dual.c:107: [2017/03/26 19:48:11.881104, winbind 0, pid=3929] child_write_response
Could not write result
../source3/winbindd/winbindd_dual.c:107: [2017/03/26 20:06:24.143303, winbind 0, pid=24276] child_write_response
Could not write result
../source3/winbindd/winbindd_dual.c:107: [2017/03/26 20:06:24.582678, winbind 0, pid=24470] child_write_response
Could not write result
../source3/winbindd/winbindd_dual.c:107: [2017/03/26 20:06:28.428570, winbind 0, pid=24487] child_write_response
Could not write result
../source3/winbindd/winbindd_dual.c:107: [2017/03/26 20:17:40.141930, winbind 0, pid=24601] child_write_response
Could not write result

this error appears in semi-random intervals and is connected with users accessing shares. That is with absolutely 0 samba activity nothing happens, as soon as users Begin to use file shares, log starts to fill up with entries such as those above.

What else is obviously related:
id <domain username> it returns UID numb.er pretty, and same num.ber is used in folder/permisions as local SID when synology ecnounters bug for this user.

Everything points to error with idmapping.

It's very, very annoying having to deal with such issues - since I can't simply downgrade, I had to move everything from synology to new samba 4 fileserver - waste of time. Now i';m gonna simply reset to factory, install 6.0 and wait until this issue will be fixed. Also I created a ticket, but no answer so far, though I guess they need to take their time.
q16marvin
I'm New!
I'm New!
Posts: 4
Joined: Wed Mar 22, 2017 9:00 am

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby q16marvin » Thu Mar 30, 2017 10:13 am

We have exaktly the same Problem...

Our Users have Problems to load there windows roaming profiles...

we see the same errors:

Code: Select all

../source3/winbindd/winbindd_dual.c:107: [2017/03/30 08:26:30.310881, winbind 0, pid=10360] child_write_response
  Could not write result
../source3/winbindd/winbindd_dual.c:107: [2017/03/30 08:33:13.834910, winbind 0, pid=10363] child_write_response
  Could not write result
../source3/winbindd/winbindd_dual.c:107: [2017/03/30 09:50:21.187565, winbind 0, pid=25131] child_write_response
  Could not write result
Lemahasta
I'm New!
I'm New!
Posts: 3
Joined: Mon Mar 27, 2017 4:44 pm

Re: Active Directory Bugs after update to DSM 6.1-15047 Update 1, AD Groups missing or not correct after some running ti

Postby Lemahasta » Fri Mar 31, 2017 1:31 pm

As an update:
I opened ticket with this issue and after sending some logs and explaining when the issue occurs I got today reply that they managed to reproduce error and are working on fix for this issue. So I guess it'll get fixed sooner than later.

Return to “Windows AD Domain”

Who is online

Users browsing this forum: No registered users and 2 guests