Installing DSM 7.3.2-86009 caused ActiveDirectory sync issues

NAS
DS220+, DS224+, DS225+, DS720 , RS3618XS, SA3400, SA3410
We installed 7.3.2-86009 on our NAS devices and at first it all seemed OK. Running smoothly, no problems in sight.
After about an hour we started getting messages that Active Directory users were unable to log in using their credentials.
We checked and were unable to log in ourselves and had to resort to the local admin account to gain access.
Manually syncing the domain helped, but after an hour it came back. Our automatic sync was set to once every hour and we changed that to 12 hours.
Which seems, for now, to help somewhat.

But then I stumbled upon this Reddit page describing my situation.


View: https://www.reddit.com/r/synology/comments/1o5mje3/update_to_dsm_73_introduced_ad_domain_issues/

Anybody else notice odd syncing problems with AD after installing 7.3.2-86009?
 
So I did some more testing (I am going to need a LOT of coffee in a few hours).

Turns out that part of our network switches etc. have had an update. Aruba sdbranch switches had an update, to be exact.
Funny thing is that all the NAS devices that are now having this weird sync problem are connected to older switches not yet swapped out for new Aruba sdbranch ones.

When a NAS is connected to an older switch the following happens. You log in with your AD credentials. The NAS seems to let you in but without any rights. You cannot select any menu or options. Once you log in with the local admin account and do a full AD sync, your AD credentials work again and rights are restored.

Our HA cluster also had that same problem. But it turned out the Active server was in a datacentre with older switches and the Passive server is in a datacentre where they had recently installed new switches.

I switched the HA cluster over to the Passive server and for now it seems login has been working like it should.
 
No luck yet. Seems we are alone in this OU sync problem. We've been unlucky thus far to find a source of this problem but it is clear that it started after installing 7.3 latest version.

Setting the auto sync to 3, 6 or 12 hours did not work.

Removed a not so important server from the domain and manually removed its entry in AD and then re-added it to see if that does anything.

Nobody else is experiencing this weird domain users/group login problem?
 
Well, it turns out that NAS devices are failing on new switches and older types. So that cannot be it.

We narrowed it down, so far, to it having something to do with the new OU selection you get when joining a domain.
NAS devices already part of a domain are syncing with the domain but then the local AD copy gets stale or broken and domain users cannot log in. Manually resyncing fixes that but only for a while.

The earlier mentioned NAS that was removed from AD and then added again is still running but there's no telling for how long. So far so good. If this turns out to be the solution I am not looking forward to re-adding 70 NAS devices.
 
We have apparently a bit of a weird problem. So weird I'm in a meeting with Synology tomorrow.

Meanwhile I cobbled together a script which can be run from Task Scheduler as a User-defined script.
It automagically determines domain and domain controller and then starts a manual AD sync.

#!/bin/bash

# --- CONFIGURATION ---
DRY_RUN=false
LOG_DIR="/volume1/AdminData/AdSyncLogs"
TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
LOG_FILE="$LOG_DIR/AD_Sync_HA_$TIMESTAMP.log"

# Verified Paths
SMB_PATH="/usr/local/packages/@appstore/SMBService/usr/bin"
WBINFO="$SMB_PATH/wbinfo"
NET="$SMB_PATH/net"
SYNOWIN="/usr/syno/sbin/synowin"

mkdir -p "$LOG_DIR"
START_TIME=$(date +%s)

# 1. TRUST-BASED DISCOVERY
# Pulls the live netlogon status: domain[NAME] dc connection to "SERVER"
TRUST_DATA=$($WBINFO -P 2>&1)

# Extract info using sed
DOMAIN_NAME=$(echo "$TRUST_DATA" | sed -n 's/.*domain\[\([^]]*\)\].*/\1/p')
CURRENT_DC=$(echo "$TRUST_DATA" | sed -n 's/.*connection to "\([^"]*\)".*/\1/p')

# Fallbacks if extraction fails
[ -z "$DOMAIN_NAME" ] && DOMAIN_NAME="Unknown"
[ -z "$CURRENT_DC" ] && CURRENT_DC="Disconnected/Searching"

# --- 2. LOGGING HEADER ---
{
echo "DSM 7.3 Active Directory Sync - High Availability"
echo "Detected Domain: $DOMAIN_NAME"
echo "Detected DC: $CURRENT_DC"
echo "Mode: $( [ "$DRY_RUN" = true ] && echo "DRY RUN" || echo "LIVE" )"
echo "-------------------------------------------"
} > "$LOG_FILE"

# --- 3. EXECUTION ---
if [ "$DRY_RUN" = true ]; then
    echo "MODE: DRY RUN - No changes applied." >> "$LOG_FILE"
    EXIT_CODE=0
else
    # Verify Trust
    echo "Verifying Domain Trust..." >> "$LOG_FILE"
    echo "$TRUST_DATA" >> "$LOG_FILE"

    # Flush Samba Cache
    echo "Flushing Samba Cache..." >> "$LOG_FILE"
    $NET cache flush >> "$LOG_FILE" 2>&1

    # Trigger DSM UI Update
    echo "Triggering DSM UI Update..." >> "$LOG_FILE"
    if [ -f "$SYNOWIN" ]; then
        $SYNOWIN --update >> "$LOG_FILE" 2>&1
        EXIT_CODE=$?
    else
        echo "ERROR: $SYNOWIN not found." >> "$LOG_FILE"
        EXIT_CODE=1
    fi
fi

# --- 4. OBJECT TOTALS ---
{
echo "-------------------------------------------"
echo "AD OBJECT TOTALS:"
echo "Total Domain Users: $(timeout 15s $WBINFO -u | wc -l)"
echo "Total Domain Groups: $(timeout 15s $WBINFO -g | wc -l)"
} >> "$LOG_FILE"

# --- 5. CLEANUP & SUMMARY ---
END_TIME=$(date +%s)
ELAPSED=$((END_TIME - START_TIME))
find "$LOG_DIR" -name "AD_Sync_*.log" -mtime +7 -delete >> "$LOG_FILE" 2>&1

{
echo "-------------------------------------------"
echo "Total Sync Time: $ELAPSED seconds"
echo "RESULT: Sync Finished at $(date)"
} >> "$LOG_FILE"

exit $EXIT_CODE
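
The discovery step of the script above, written as separately testable functions and run over constructed `wbinfo -P`-style lines, including the case where the DC connection failed. This is an added example, not part of the original post; the function names and sample lines are assumptions.

```shell
#!/bin/bash
# Added example (not the poster's code): parse NETLOGON status text and
# classify it, so a scheduled job can log a failed trust check explicitly.

# Constructed sample output, following the format named in the script's
# comment: domain[NAME] dc connection to "SERVER"
SAMPLE_OK='checking the NETLOGON for domain[EXAMPLE] dc connection to "dc01.example.test" succeeded'
SAMPLE_FAIL='checking the NETLOGON for domain[EXAMPLE] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND'
SAMPLE_JUNK='wbinfo: command not found'

# Print the domain name found between "domain[" and "]" (empty if absent).
netlogon_domain() {
    printf '%s\n' "$1" | sed -n 's/.*domain\[\([^]]*\)\].*/\1/p' | head -n 1
}

# Print the DC name found in: connection to "..." (empty if absent or blank).
netlogon_dc() {
    printf '%s\n' "$1" | sed -n 's/.*connection to "\([^"]*\)".*/\1/p' | head -n 1
}

# Classify the output as: ok | failed | unparsed
netlogon_state() {
    if [ -z "$(netlogon_domain "$1")" ]; then
        echo "unparsed"        # not a NETLOGON status line at all
    elif [ -n "$(netlogon_dc "$1")" ] && printf '%s\n' "$1" | grep -q 'succeeded$'; then
        echo "ok"              # domain and DC present, check succeeded
    else
        echo "failed"          # domain known, but no DC or check failed
    fi
}

# Stand-alone demo over the constructed samples.
for s in "$SAMPLE_OK" "$SAMPLE_FAIL" "$SAMPLE_JUNK"; do
    echo "state=$(netlogon_state "$s") domain=$(netlogon_domain "$s") dc=$(netlogon_dc "$s")"
done
```

On a NAS the argument would be the captured output of `wbinfo -P 2>&1`, as in the script's `TRUST_DATA` variable.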
 
Hi Hein,

I have the same behavior on a recently updated NAS to 7.3.2.
Did you have a solution?

Regards.
 
Yes. I got a custom smb package from Synology which fixes the problem for domain users.
I'll attach the package here. Please use at your own risk. Test it first before deploying!

The fix will be added into DSM 7.3.3.
 
Hi Hein,

What is the version of the SMB packages Synology support gave to you?
 
It has 4.15.13-3045 as the installed version number.
 
