Bug #10202

Cannot connect to Active Directory

Added by Alain Aubord over 5 years ago. Updated about 3 years ago.

Status:
Closed: User Config Issue
Priority:
No priority
Assignee:
John Hixson
Category:
OS
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Dear Madam, Dear Sir,
I have installed the Univention Corporate Server (basically an enhanced Debian Linux,
see http://www.univention.de) with IMAP and Active Directory.

I have then tried to connect the FreeNAS to the AD server without success.
With a laptop PC running Windows 7, I succeeded immediately without any problem.

I have followed your instruction located at
http://doc.freenas.org/9.3/freenas_directoryservice.html#if-the-system-will-not-join-the-domain
but the commands failed:
service ix-activedirectory start
service ix-activedirectory status
echo $?

Until now the freenas was configured to use locally defined accounts (which still exist).
The freenas name is "FREENAS2".

Have you any ideas on what is wrong?

Thank you a lot for your help,

Yours sincerely,

soluf

--------------------------------------------transcript of the commands----------------------

FreeBSD 9.3-RELEASE-p8 (FREENAS.amd64) #0 r275790+153f322: Thu Feb  5 14:47:50 PST 2015

    FreeNAS (c) 2009-2015, The FreeNAS Development Team
    All rights reserved.
    FreeNAS is released under the modified BSD license.

    For more information, documentation, help or support, go here:
     http://freenas.org
Welcome to FreeNAS2
[root@freenas2] ~# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;" 
[root@freenas2] ~# echo $?
0
[root@freenas2] ~# service ix-kerberos start
[root@freenas2] ~# service ix-nsswitch start
[root@freenas2] ~# service ix-kinit start
[root@freenas2] ~# service ix-kinit status
[root@freenas2] ~# echo $?
0
[root@freenas2] ~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: soluconf@SOLUPROD.INTRANET

  Issued           Expires          Principal
Jun 15 15:49:06  Jun 16 01:49:06  krbtgt/SOLUPROD.INTRANET@SOLUPROD.INTRANET
[root@freenas2] ~# python /usr/local/www/freenasUI/middleware/notifier.py start cifs
True
[root@freenas2] ~# service ix-activedirectory start
Failed to join domain: failed to connect to AD: Cannot read password
False
Deleted account for 'FREENAS2' in realm 'SOLUPROD.INTRANET'
winbindd not running? (check /var/run/samba/winbindd.pid).
smbd not running? (check /var/run/samba/smbd.pid).
nmbd not running? (check /var/run/samba/nmbd.pid).
Importing account for alain...ok
Importing account for nicolas...ok
Importing account for dotbase...ok

Granted SeTakeOwnershipPrivilege to FREENAS2\nicolas
Granted SeBackupPrivilege to FREENAS2\nicolas
Granted SeRestorePrivilege to FREENAS2\nicolas

Granted SeTakeOwnershipPrivilege to FREENAS2\dotbase
Granted SeBackupPrivilege to FREENAS2\dotbase
Granted SeRestorePrivilege to FREENAS2\dotbase

Granted SeTakeOwnershipPrivilege to FREENAS2\alain
Granted SeBackupPrivilege to FREENAS2\alain
Granted SeRestorePrivilege to FREENAS2\alain

[root@freenas2] ~# service ix-activedirectory status
[root@freenas2] ~# echo $?
1
[root@freenas2] ~# 

History

#1 Updated by John Hixson over 5 years ago

  • Target version set to Unspecified

Please go to system->advanced->"save debug" and attach to this ticket. Also, please specify the correct version of FreeNAS when opening tickets.

#2 Updated by John Hixson over 5 years ago

  • Status changed from Unscreened to 15

#3 Updated by Alain Aubord over 5 years ago

  • File debug-freenas2-20150616103844.tgz added

Hi,
Here is the result of the command "uname -a" which should give a good idea of OS version.

FreeBSD freenas2.soluprod.intranet 9.3-RELEASE-p8 FreeBSD 9.3-RELEASE-p8 #0 r275790+153f322: Thu Feb 5 14:47:50 PST 2015 :/tank/home/jkh/build/93/FN/objs/os-base/amd64/fusion/jkh/93/FN/FreeBSD/src/sys/FREENAS.amd64 amd64

and attached the debug logs.

best regards,

soluf

#4 Updated by John Hixson over 5 years ago

soluf,

Can you go into the advanced configuration for AD and set the timeout and dns timeout values to be 60 and see if that makes a difference here?

#5 Updated by Alain Aubord over 5 years ago

Unfortunately, the result seems to be worse, since
I get a return code of 1 after the command "service ix-kinit status".
------------------------------------------------------------------------
solu-mac002:~ alainaubord$ ssh -l root freenas2
root@freenas2's password:
Last login: Tue Jun 16 10:33:31 2015 from 192.168.16.66
FreeBSD 9.3-RELEASE-p8 (FREENAS.amd64) #0 r275790+153f322: Thu Feb 5 14:47:50 PST 2015

FreeNAS (c) 2009-2015, The FreeNAS Development Team
All rights reserved.
FreeNAS is released under the modified BSD license.
For more information, documentation, help or support, go here:
http://freenas.org
Welcome to FreeNAS2
[root@freenas2] ~# nslookup www.ibm.com
Server: 192.168.16.3
Address: 192.168.16.3#53

Non-authoritative answer:
www.ibm.com canonical name = www.ibm.com.cs186.net.
www.ibm.com.cs186.net canonical name = global.ibm.com.edgekey.net.
global.ibm.com.edgekey.net canonical name = global.ibm.com.edgekey.net.globalredir.akadns.net.
global.ibm.com.edgekey.net.globalredir.akadns.net canonical name = e2898.x.akamaiedge.net.
Name: e2898.x.akamaiedge.net
Address: 172.229.187.219

[root@freenas2] ~# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;"
[root@freenas2] ~# echo $?
0
[root@freenas2] ~# service ix-kerberos start
[root@freenas2] ~# service ix-nsswitch start
[root@freenas2] ~# service ix-kinit start
[root@freenas2] ~# service ix-kinit status
[root@freenas2] ~# echo $?
1
[root@freenas2] ~#


the kerberos ticket has expired:
[root@freenas2] ~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued           Expires        Principal
Jun 16 10:36:50 >>>Expired<<<

#6 Updated by Alain Aubord over 5 years ago

Hi,

In fact, after a reboot the situation is much better.

From the command line (after connecting on freenas with ssh),
I can pass with success the commands "wbinfo -u", "wbinfo -g" and
"wbinfo -t".

Unfortunately, I don't get the correct answer for the group ID and user ID
(when I use the command "getent"). What I get is (for one group):
SOLUPROD\toto:*:21166:21165:toto:/home/SOLUPROD/toto:/bin/sh

But since I have the Unix extensions on the server and the group "toto" on SOLUPROD
has the gid 8020, I should get that number instead of the number
21166 (which is probably related to Windows protocols).

The second problem is that the groups are not displayed in the Web interface.
When displaying users and groups in the Web interface, I get only the local
groups and users.

Do you have any ideas on both of these problems?

Thanks for your help.

#7 Updated by Alain Aubord over 5 years ago

Hi,
I have tried to change the values "Idmap Backend" and
"Winbind NSS Info" to set the value "rfc2307" (which I think
is to have the Unix schema in AD), but the result is surprising:
the command "getent" no longer displays the users and groups
from the AD directory, only the local users and groups.

If, instead, I leave the default "rid" for "Idmap Backend"
and nothing (-------) for "Winbind NSS Info", the command
"getent" displays global users and groups but with the
wrong uid and gid.

Kind regards

#8 Updated by John Hixson over 5 years ago

Alain Aubord wrote:

Hi,
I have tried to change the values "Idmap Backend" and
"Winbind NSS Info" to set the value "rfc2307" (which I think
is to have the Unix schema in AD), but the result is surprising:
the command "getent" no longer displays the users and groups
from the AD directory, only the local users and groups.

If, instead, I leave the default "rid" for "Idmap Backend"
and nothing (-------) for "Winbind NSS Info", the command
"getent" displays global users and groups but with the
wrong uid and gid.

Kind regards

Yes. You probably have your idmap backend set to 'rid' and not 'ad'. It is also clear from the debug you've attached that you are running a very old version of FreeNAS. I highly recommend you go to system->update and update your system. Many bugs have since been fixed.

#9 Updated by Jordan Hubbard over 5 years ago

  • Status changed from 15 to Closed: User Config Issue

#10 Updated by Alain Aubord over 5 years ago

  • File debug-freenas2-20150618105552.tgz added

Hi,
I have installed the latest version of the FreeNAS OS but I still have problems with
the configuration of the Active Directory:
1) I can't see the AD groups and users in the WEB interface
2) I can't get the AD groups and passwords with the command "getent passwd/group"
(at least when I set "IDmap Backend" to "AD")
3) I can't use the user name from the shell (i.e. "chown 'SOLUPROD\toto' /tmp/test")
when I set "IDmap Backend" to "AD"

If I set "IDmap Backend" to "Rid", the problems of points 2 and 3 are solved but
the one from point 1 remains.
I have attached to this mail a debug log done after the upgrade of the FreeNAS OS.
How is it possible to display the users and groups with the command "wbinfo"? "wbinfo -u" works in
all cases (when "IDmap backend" has the value "AD" or "Rid") but
"wbinfo --user-info='SOLUPROD\toto'" works only when "IDmap backend" has the value "rid".
Any ideas would be greatly appreciated.
Thanks for your help.
Kind regards
soluf
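The behaviour reported in #6, #7 and #10 (ids such as 21166/21165 under the "rid" backend, AD accounts vanishing from getent under the "ad" backend) follows from how the two winbind idmap backends derive Unix ids. The Python below is an added model of that, not code from FreeNAS, Samba or this ticket: the domain SID, the accounts, their attributes and the 20000 range start are constructed sample data (the range start is an assumption chosen so the sample reproduces the ticket's getent line; the ticket does not state the configured range). It shows that idmap_rid computes ids arithmetically from the RID and ignores the uidNumber/gidNumber stored in AD, while idmap_ad returns nothing for an object that lacks those attributes, so such accounts do not appear in getent at all. That missing-attribute case is one thing worth checking on any account that disappears after switching to "ad".

```python
"""Model of the two winbind idmap backends this ticket switches between.

Added illustration, not code from FreeNAS or Samba. Every SID, account,
attribute value and range below is constructed sample data.
"""

# Assumed 'rid' backend range. The low id of 20000 is an assumption made
# here so the sample reproduces the ticket's 21166/21165 line; the ticket
# itself does not state the configured range.
RID_RANGE_LOW = 20000
RID_RANGE_HIGH = 90000000
BASE_RID = 0

# Constructed domain SID and directory records. 'toto' carries the RFC2307
# attributes (uidNumber/gidNumber) the 'ad' backend reads; 'svc-backup'
# deliberately has none, which is the edge case that makes an account
# vanish from getent under the 'ad' backend.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
DIRECTORY = {
    f"{DOMAIN_SID}-1166": {
        "name": "toto", "primaryGroupRid": 1165,
        "uidNumber": 8020, "gidNumber": 8020,
    },
    f"{DOMAIN_SID}-1165": {
        "name": "svc-backup", "primaryGroupRid": 513,
        "uidNumber": None, "gidNumber": None,
    },
}


def rid_of(sid):
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def idmap_rid(sid):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID (Samba's documented formula).

    Deterministic and needs nothing from the directory, which is why getent
    keeps working with this backend but shows ids unrelated to the Unix
    attributes stored in AD."""
    unix_id = rid_of(sid) - BASE_RID + RID_RANGE_LOW
    if not RID_RANGE_LOW <= unix_id <= RID_RANGE_HIGH:
        return None  # outside the configured range: not mapped
    return unix_id


def idmap_ad(sid, directory, attr):
    """idmap_ad: read uidNumber/gidNumber from the object; no attribute, no mapping.

    The gid is taken from the user's own gidNumber, as the rfc2307 NSS info
    does; this model does not resolve the primary group object separately."""
    record = directory.get(sid)
    if record is None or record[attr] is None:
        return None
    return record[attr]


def getent_passwd(backend, directory, domain="SOLUPROD"):
    """Lines winbind would hand to NSS for `getent passwd` under each backend."""
    lines = []
    for sid, rec in directory.items():
        if backend == "rid":
            uid = idmap_rid(sid)
            gid = idmap_rid(f"{DOMAIN_SID}-{rec['primaryGroupRid']}")
        elif backend == "ad":
            uid = idmap_ad(sid, directory, "uidNumber")
            gid = idmap_ad(sid, directory, "gidNumber")
        else:
            raise ValueError(f"unknown idmap backend: {backend}")
        if uid is None or gid is None:
            continue  # unmapped entries simply do not appear in getent output
        name = rec["name"]
        lines.append(
            f"{domain}\\{name}:*:{uid}:{gid}:{name}:/home/{domain}/{name}:/bin/sh"
        )
    return lines


def rid_from_getent_line(line):
    """Recover the RID behind a uid that the 'rid' backend produced.

    Handy when checking whether an unexpected uid is a RID offset rather
    than a value stored in AD."""
    uid = int(line.split(":")[2])
    return uid - RID_RANGE_LOW + BASE_RID


if __name__ == "__main__":
    for backend in ("rid", "ad"):
        print(f"--- idmap backend = {backend} ---")
        for line in getent_passwd(backend, DIRECTORY):
            print(line)
```

Running it prints both accounts under "rid" (toto as 21166:21165, matching the ticket's line under the assumed range) and only toto under "ad", with the 8020 ids the ticket expected; svc-backup is absent because it has no uidNumber/gidNumber to map.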

#11 Updated by Kris Moore about 3 years ago

  • Target version changed from Unspecified to N/A

#12 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug-freenas2-20150616103844.tgz)

#13 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug-freenas2-20150618105552.tgz)
