New Member

NSS 6000 AD Users and Groups Missing

I have an NSS6000 that refuses to import AD users and groups for some reason.  It is joined to the domain but no domain users or groups show up.  The users did show up at one point prior to the firmware update.

To troubleshoot I have verified that the time is set properly (it uses the DC as NTP) and updated the firmware.  I have set the DC by IP everywhere so that a name resolution issue can be eliminated.

Any help with this issue is greatly appreciated.


Re: NSS 6000 AD Users and Groups Missing

Hi,

How many AD users/groups are we talking about here? How large is the AD?

Please confirm that the f/w upgrade mentioned is the one we recently posted (1-2 weeks ago), 1.16.

Also, can you confirm if you are using Server 2003 or Server 2008?

Steve and team

Cisco Employee

Re: NSS 6000 AD Users and Groups Missing

To troubleshoot I have verified that the time is set properly (it uses the DC as NTP) and updated the firmware.  I have set the DC by IP everywhere so that a name resolution issue can be eliminated.

Other useful information would be logs. You can take a quick look at your "CIFS" log on the NSS and look for key words like "did we join?" and "logon server". If you copy and paste the CIFS log from the browser to wordpad or MS Word, it should help in finding those key words more easily.

Then on your DC go to event viewer and look at "Security" events for "Failed Authentication" errors. Those little events really assist in telling us what is going on (well most of the time).

As a personal rule I only specify the DNS server by IP address in required IP fields, never the "Domain Controller". This is so I can make sure that we are resolving DNS.

Along with your above stated steps, did you also make sure that your Search Domain under "DNS/WINS" is set to your FQDN? There are two big players when dealing with ADS: one is Time (for Kerberos) and the other is DNS. Since most ADS implementations are set for "AD" integrated zones, DNS is the glue for that engine.

The more info you can post the better, but check these things and let us know what you find, along with what Steve posted. For now do not try to disjoin and rejoin the NSS, as it is obviously broken (permission-wise, that is). If you must, join the NSS to a workgroup, delete the AD computer account and try again, but not before you verify the above settings.

New Member

Re: NSS 6000 AD Users and Groups Missing

Sorry for the late reply.  I was unaware of the 1.16 firmware and decided to install it and attempt to configure again.  The issue has persisted though, so here's what I've got.

AD can't be over 100 users.  We're pretty small so I did not enable support for large active directories.  We are running with Server 2003.  The CIFS log shows several messages of note.  I've tried to remove duplication from the log.

Dec 2 10:26:20 NAS0018f805294d nmbd[13620]: [2009/12/02 10:26:20, 0] nmbd/nmbd.c:main(711)

Dec 2 10:26:20 NAS0018f805294d nmbd[13620]: Netbios nameserver version 3.0.28a started.

Dec 2 10:26:20 NAS0018f805294d nmbd[13620]: Copyright Andrew Tridgell and the Samba Team 1992-2008

Dec 2 10:26:21 NAS0018f805294d winbindd[13623]: [2009/12/02 10:26:21, 1] nsswitch/winbindd.c:main(990)

Dec 2 10:26:21 NAS0018f805294d winbindd[13623]: winbindd version 3.0.28a started.

Dec 2 10:26:21 NAS0018f805294d winbindd[13623]: Copyright Andrew Tridgell and the Samba Team 1992-2008

Dec 2 10:26:21 NAS0018f805294d winbindd[13624]: [2009/12/02 10:26:21, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2222)

Dec 2 10:26:21 NAS0018f805294d winbindd[13624]: initialize_winbindd_cache: clearing cache and re-creating with version number 1

Dec 2 10:26:50 NAS0018f805294d winbindd[13624]: [2009/12/02 10:26:50, 1] nsswitch/idmap.c:idmap_init(377)

Dec 2 10:26:50 NAS0018f805294d winbindd[13624]: Initializing idmap domains

Dec 2 10:27:45 NAS0018f805294d nmbd[13946]: [2009/12/02 10:27:45, 0] nmbd/nmbd.c:main(711)

Dec 2 10:27:45 NAS0018f805294d nmbd[13946]: Netbios nameserver version 3.0.28a started.

Dec 2 10:27:45 NAS0018f805294d nmbd[13946]: Copyright Andrew Tridgell and the Samba Team 1992-2008

Dec 2 10:27:45 NAS0018f805294d winbindd[13949]: [2009/12/02 10:27:45, 1] nsswitch/winbindd.c:main(990)

Dec 2 10:27:45 NAS0018f805294d winbindd[13949]: winbindd version 3.0.28a started.

Dec 2 10:27:45 NAS0018f805294d winbindd[13949]: Copyright Andrew Tridgell and the Samba Team 1992-2008

Dec 2 10:27:45 NAS0018f805294d winbindd[13950]: [2009/12/02 10:27:45, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2222)

Dec 2 10:27:45 NAS0018f805294d winbindd[13950]: initialize_winbindd_cache: clearing cache and re-creating with version number 1

Dec 2 10:27:45 NAS0018f805294d winbindd[13950]: [2009/12/02 10:27:45, 0] nsswitch/winbindd_util.c:init_domain_list(505)

Dec 2 10:27:45 NAS0018f805294d winbindd[13950]: Could not fetch our SID - did we join?

Dec 2 10:27:45 NAS0018f805294d winbindd[13950]: [2009/12/02 10:27:45, 0] nsswitch/winbindd.c:main(1091)

Dec 2 10:27:45 NAS0018f805294d winbindd[13950]: unable to initalize domain list

Dec 2 10:28:03 NAS0018f805294d nmbd[14041]: [2009/12/02 10:28:03, 0] nmbd/nmbd.c:main(711)

Dec 2 10:28:03 NAS0018f805294d nmbd[14041]: Netbios nameserver version 3.0.28a started.

Dec 2 10:28:03 NAS0018f805294d nmbd[14041]: Copyright Andrew Tridgell and the Samba Team 1992-2008

Dec 2 10:28:03 NAS0018f805294d winbindd[14044]: [2009/12/02 10:28:03, 1] nsswitch/winbindd.c:main(990)

Dec 2 10:28:03 NAS0018f805294d winbindd[14044]: winbindd version 3.0.28a started.

Dec 2 10:28:03 NAS0018f805294d winbindd[14044]: Copyright Andrew Tridgell and the Samba Team 1992-2008

Dec 2 10:28:03 NAS0018f805294d winbindd[14045]: [2009/12/02 10:28:03, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2222)

Dec 2 10:28:03 NAS0018f805294d winbindd[14045]: initialize_winbindd_cache: clearing cache and re-creating with version number 1

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: [2009/12/02 10:28:58, 1] nsswitch/winbindd_ads.c:query_user_list(209)

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: Not a user account? atype=0x30000000

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: [2009/12/02 10:28:58, 1] nsswitch/winbindd_ads.c:query_user_list(209)


Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: [2009/12/02 10:28:58, 1] nsswitch/idmap.c:idmap_init(377)

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: Initializing idmap domains

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: [2009/12/02 10:28:58, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: error getting user id for sid S-1-5-21-12604286-625437779-553267192-1346

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: [2009/12/02 10:28:58, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: could not lookup domain user postmaster

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: [2009/12/02 10:28:58, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: error getting user id for sid S-1-5-21-12604286-625437779-553267192-1236

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: [2009/12/02 10:28:58, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: could not lookup domain user TsInternetUser

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: [2009/12/02 10:28:58, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: error getting user id for sid S-1-5-21-12604286-625437779-553267192-501

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: [2009/12/02 10:28:58, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)


The DC security log shows:

Pre-authentication failed:

User Name: gwnas01$

User ID: DOMAIN\gwnas01$

Service Name: krbtgt/DOMAIN.COM

Pre-Authentication Type: 0x0

Failure Code: 0x19

Client Address: 10.1.1.13

I appreciate the assistance.

Cisco Employee

Re: NSS 6000 AD Users and Groups Missing

          ...................................................

Dec 2 10:27:45 NAS0018f805294d winbindd[13950]: Could not fetch our SID - did we join?

          ...................................................

Dec 2 10:27:45 NAS0018f805294d winbindd[13950]: [2009/12/02 10:27:45, 0] nsswitch/winbindd.c:main(1091)

Dec 2 10:27:45 NAS0018f805294d winbindd[13950]: unable to initalize domain list

          ...................................................

Dec 2 10:26:50 NAS0018f805294d winbindd[13624]: Initializing idmap domains

          ...................................................

Dec 2 10:28:58 NAS0018f805294d winbindd[14045]: error getting user id for sid S-1-5-21-12604286-625437779-553267192-501

---------------------------------------------------------------------

The big problem I see is the last line above. Either you tried to rejoin the NSS without deleting the old AD computer account, or it tried to use its existing AD computer account but was not able to map the SID to the account. Either way those accounts (you may have multiple at this point) need to be removed.

Make sure you follow the steps below and post again, and please include both sets of logs as I describe.

A couple of key things to note:

  1. Make sure you always run the firmware update twice back to back. This will ensure that all code from the previous FW is completely removed. Also, it is important to follow the screen prompts after the FW update is complete, which includes clearing all cookies and browser cache.
  2. Before you attempt to rejoin, delete the existing AD computer account (if multiple, remove them).
  3. Rename the NSS while joined to WORKGROUP and "Update"; do this before you attempt to re-join.
  4. Ensure that you are able to resolve DNS from everywhere.
  5. Create a DHCP reservation for the NSS and place the NSS into DHCP mode. The point of this is to ensure that an "A" record and a "PTR" record (if DNS is configured to create one) are correctly made in DNS.
  6. Ensure that you have the correct DNS information stated on the NSS, including time, Home Directory Location, and Search Domain.
  7. Once the above is complete, download all logs and save them.
  8. Delete all logs (after you have downloaded them).
  9. Rejoin, but use the Primary DC (if you have a forest or multiple DCs) hostname, NOT the IP address.
  10. Ensure the user account for Domain authentication is a "Domain Administrator" account.
  11. If join is OK, take a look at CIFS logs again and ensure that the join is reflected.
  12. Look at your DC's event logs "Security" and look for errors.
  13. Download all logs, rename file to "__.tar.gz"
  14. Post results.

We will get this thing joined in no time.

New Member

Re: NSS 6000 AD Users and Groups Missing

Thank you for your assistance on this issue.  On step #6 you specify to verify the search domain, but I am unable to locate this setting.  Otherwise, I followed your steps and ended with the same result.  Attached is my log file.

I did initially have issues pinging the device by name and resolved that first.  There is now an A and PTR record on my DNS server for the device.

New Member

Re: NSS 6000 AD Users and Groups Missing

Hi,

   To work with ADS, please make sure the following settings are correct:

1. NTP Time to use with the ADS server (the NTP service is turned ON by default for Server)

   - At GUI: Admin=>Time: Enter all fields with the IP address for the ADS server (check "Automatically (via NTP)" and uncheck "Assign automatically via DHCP")

2. Set the DNS to point to the ADS server

  - At GUI: Network=>DNS/WINS ==> Search Domain= (If you don't know where it is, open Active Directory Users & Computers. You'll see the name as "name.com" and there are many folders under this main component; the icon looks like a share drive.)  Primary DNS Server= ADS Server IP Address.

  - Uncheck both "Assign automatically via DHCP" boxes from this screen

3. Increase the ID range on the NSS to cover the higher range of IDs sent by the ADS server (The ADS server adds UserIDs and GroupIDs sequentially and therefore, in some cases, the UserID and GroupID range from the ADS server is much higher than the NSS's UserID and GroupID range. If this is the case, the NSS will not translate the UserID or GroupID and the user won't be able to see either users or groups).

  - At GUI: Access=>Options ==> Increase the field "Windows Domain Users and Groups ID range" max from 40,000 to 100,000 or much higher (Microsoft UserID and GroupID can go up to 128,000.)

4. Rejoin the ADS server with administrative privileges

Make sure you have saved the data in each step. Please let me know if this is working for you.

- You are correct. You don't need to enable the large ADS server option if there are only 100 users or groups. Ideally this would be enabled when there are more than 3000 users in the company to use with the NSS6000.

- The log you've attached is the bootup log and it is looking fine to me. I just don't see any problem with it.

- As for the log you have with the ID error message, step #3 will fix that error.

Hope that helps.

Good luck!

New Member

Re: NSS 6000 AD Users and Groups Missing

Thanks for all the help.

I followed your instructions.  I verified that NTP was turned on for the DC/ADS server.  The NSS has modified its time to match, so I am certain that this is working.  The DNS search domain was set properly with the AD name and the DC's IP as primary DNS.  I initially increased the User and Group ID range to 100000 but after receiving the same result I pushed it to 128000.  Domain Groups and Users are still not showing properly.

The DC security log still shows the single failure posted above (Failure Code 0x19).  I've attached the NSS log.

If we could even get pass-through authentication functioning, I would be insanely happy.  I would assume that only works Windows to Windows though since I've had no success.

Look forward to anything else to try.

Cisco Employee

Re: NSS 6000 AD Users and Groups Missing

I guess it's that time of the year! For some reason this past week everyone has decided to do the same thing.

This is the problem:

Your FQDN is: gatewayhomes.com

BUT, you changed the NETBIOS name to: GW

Because of the above SAMBA gets confused (kind of) and it has no way to map all your users to itself. This is because it is trying to resolve directly "GW \ " to gatewayhomes.com. It is not that this is invalid, it's that there is no code in samba.conf to reflect the NETBIOS name. It only knows "gatewayhomes.com" and is expecting to see users from that domain "gatewayhomes\".

So, what to do now?!

What I have found is this: if you add support for large ADS domains you will see all your users populate, which is good, but unfortunately we still get stuck with no authentication and no SIDs. Well, if you have a Windows Server 2003 running native or not, we can actually join the NSS as an NTv4 domain. Doing this will allow the NSS to resolve all the users via NETBIOS and all seems good so far. Great, no! Because now we run into a problem with our DC; it wants to use DNS and Kerberos. So I have noticed some random minor issues when attaching to shares. So far, as of the past three days of working on this problem, my lab seems happy, but I am not completely confident all is good. Seems to be though, even though I do get an event error now and then.

If you have a 2008 server as DC, well.... we are out of luck as far as I have been able to figure out.

New Member

Re: NSS 6000 AD Users and Groups Missing

Thank you very much for the help.  Joining as an NT4 domain did fix the issue.  I now have users and groups showing up and I have tested rights successfully.  I really appreciate the persistence in helping me resolve this issue. :)

Cisco Employee

Re: NSS 6000 AD Users and Groups Missing

Awesome, glad to hear that worked out. Please keep us posted if you begin to get random behavior. So far from what I am seeing this should be fine as a permanent solution; I have not seen any problems with the NSS or the DC even after the NSS loses connection to AD for an extended period of time.

Thanks for posting, and Merry Christmas!
