
Bug #13319

Issues with active directory

Added by Gary Williams over 4 years ago. Updated about 4 years ago.

Status: Closed: User Config Issue
Priority: Nice to have
Assignee: John Hixson
Category: OS
Target version:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

So I've got a mixed 2008 R2 / Windows 2012 R2 domain, the forest level is 2008 R2, and I've got two FreeNAS boxes configured the same way. One works and one doesn't.

On the FreeNAS box that doesn't work (FreeNAS-9.3-STABLE-201512121950) I get this:

net ads status -U administrator
Enter administrator's password:
ads_connect: No logon servers

kinit prompts for a password and keeps telling me that my password is wrong. I know it's not because I've triple checked it and used it on other servers.

DNS is correct, I can ping the domain name and both AD servers so I'm a bit confused as to why this FreeNAS box won't talk to AD.

I've triple checked NTP and the time on the box is correct.

I've done a full upgrade and I still have the same issues. This is in the logs:

Jan 24 10:50:30 store05 winbindd[95361]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jan 24 10:50:30 store05 winbindd[95361]: [2016/01/24 10:50:30.589762, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Jan 24 10:50:30 store05 winbindd[95365]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections[95361]: list trusted domains
Jan 24 10:50:30 store05 ActiveDirectory: /usr/sbin/service ix-kinit forcestop
Jan 24 10:50:31 store05 ActiveDirectory: /usr/sbin/service ix-hostname quietstart

The weird thing is that it starts up AD and works for about a minute and then stops.

History

#1 Updated by John Hixson over 4 years ago

  • Status changed from Unscreened to Screened
  • Priority changed from No priority to Nice to have
  • Target version set to 261

Gary Williams wrote:

So I've got a mixed 2008 R2 / Windows 2012 R2 domain, the forest level is 2008 R2, and I've got two FreeNAS boxes configured the same way. One works and one doesn't.

On the FreeNAS box that doesn't work (FreeNAS-9.3-STABLE-201512121950) I get this:

net ads status -U administrator
Enter administrator's password:
ads_connect: No logon servers

kinit prompts for a password and keeps telling me that my password is wrong. I know it's not because I've triple checked it and used it on other servers.

Well,

I can confirm that the reason things aren't working for you is indeed the fact that you are unable to get a Kerberos ticket. If kinit is failing when you do it manually and telling you your password is incorrect, well, it most likely is.

DNS is correct, I can ping the domain name and both AD servers so I'm a bit confused as to why this FreeNAS box won't talk to AD.

I've triple checked NTP and the time on the box is correct.

I've done a full upgrade and I still have the same issues. This is in the logs:

Jan 24 10:50:30 store05 winbindd[95361]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
Jan 24 10:50:30 store05 winbindd[95361]: [2016/01/24 10:50:30.589762, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Jan 24 10:50:30 store05 winbindd[95365]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections[95361]: list trusted domains
Jan 24 10:50:30 store05 ActiveDirectory: /usr/sbin/service ix-kinit forcestop
Jan 24 10:50:31 store05 ActiveDirectory: /usr/sbin/service ix-hostname quietstart

The weird thing is that it starts up AD and works for about a minute and then stops.

#2 Updated by Gary Williams over 4 years ago

John Hixson wrote:

Well,

I can confirm that the reason things aren't working for you is indeed the fact that you are unable to get a Kerberos ticket. If kinit is failing when you do it manually and telling you your password is incorrect, well, it most likely is.

Fair enough, I've done some more testing and I can see that kinit does work but only if I don't specify the domain:

[root@store05] ~# kinit
's Password:
kinit: Password incorrect
[root@store05] ~# kinit administrator
's Password:
[root@store05] ~#

As I said above, it's weird that when I do this via the Active Directory GUI in FreeNAS, it all starts up and actually works for a minute and then it does a force stop. I cannot figure out why it does the stop.

#3 Updated by John Hixson over 4 years ago

Gary Williams wrote:

John Hixson wrote:

Well,

I can confirm that the reason things aren't working for you is indeed the fact that you are unable to get a Kerberos ticket. If kinit is failing when you do it manually and telling you your password is incorrect, well, it most likely is.

Fair enough, I've done some more testing and I can see that kinit does work but only if I don't specify the domain:

[root@store05] ~# kinit
's Password:
kinit: Password incorrect
[root@store05] ~# kinit administrator
's Password:
[root@store05] ~#

As I said above, it's weird that when I do this via the Active Directory GUI in FreeNAS, it all starts up and actually works for a minute and then it does a force stop. I cannot figure out why it does the stop.

I think we need to start at the beginning here since I don't think I understood that this works from the UI. Can you explain your problem again? In detail? As for trying these things from the command line, they won't work like you think they work since most of the environment isn't configured for AD unless it is working. When you enable AD, everything is set up for it. When it fails to work, everything is reverted to a known state, so you can't just go to the command line and try to join your domain with samba since smb4.conf won't be configured for it. As for the difference with the kinit that you see, the capitalization does indeed make a difference, which most likely explains the failure.

#4 Updated by Gary Williams over 4 years ago

I think we need to start at the beginning here since I don't think I understood that this works from the UI. Can you explain your problem again? In detail? As for trying these things from the command line, they won't work like you think they work since most of the environment isn't configured for AD unless it is working. When you enable AD, everything is set up for it. When it fails to work, everything is reverted to a known state, so you can't just go to the command line and try to join your domain with samba since smb4.conf won't be configured for it. As for the difference with the kinit that you see, the capitalization does indeed make a difference, which most likely explains the failure.

Sure.

Simply put, I have a FreeNAS server that is having problems talking to my Active Directory domain controllers. I have everything configured in the FreeNAS GUI. I enter the logon details and the domain account password, tick the box to enable AD, and FreeNAS goes through its whole routine of talking to AD.

I have full syslog data from the FreeNAS box and the domain controller. I can see the traffic from FreeNAS hitting the domain controller and the domain controller replying but I cannot see why FreeNAS doesn't complete the AD process.

The FreeNAS box is called STORE05

On the domain controller I see the request for a Kerberos ticket arrive:

A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name: store05$
    Supplied Realm Name: GDWNET.COM
    User ID: S-1-5-21-2064460077-687277434-1777090905-11403
Service Information:
    Service Name: krbtgt
    Service ID: S-1-5-21-2064460077-687277434-1777090905-502
Network Information:
    Client Address: 10.253.1.152
    Client Port: 61512
Additional Information:
    Ticket Options: 0x40000000
    Result Code: 0x0
    Ticket Encryption Type: 0x12
    Pre-Authentication Type: 2
Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

FreeNAS goes through the whole process and then does this:

store05 ActiveDirectory: /usr/sbin/service ix-activedirectory forcestop

store05 nmbd[43349]: Got SIGTERM: going down...

but I have no idea why, a few seconds later, I see the computer account get disabled on the domain controller.

What I don't see is any smoking gun as to why AD happily starts up and then shuts down.
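The domain controller record quoted above is a Windows Security event 4768 (Kerberos TGT requested) flattened into one line. The example below is added here and is not part of the ticket or of FreeNAS: it parses that flattened "Label: value" layout and decodes the numeric fields using the code tables from RFC 4120 and Microsoft's 4768 documentation, so a reader can tell from the event alone whether the KDC issued the ticket and with which encryption and pre-authentication. The sample input is constructed from the values shown in the comment; the field labels and tables are from the public documentation. Run on the record above, it reports a successful TGT (Result Code 0x0) with AES256 and timestamp pre-authentication, which places the break after Kerberos authentication rather than in it.

```python
"""Decode a flattened Windows Security event 4768 (Kerberos TGT requested)."""
import re

# Constructed sample built from the values in the comment above.
SAMPLE_4768 = (
    "A Kerberos authentication ticket (TGT) was requested. "
    "Account Information: Account Name: store05$ Supplied Realm Name: GDWNET.COM "
    "User ID: S-1-5-21-2064460077-687277434-1777090905-11403 "
    "Service Information: Service Name: krbtgt "
    "Service ID: S-1-5-21-2064460077-687277434-1777090905-502 "
    "Network Information: Client Address: 10.253.1.152 Client Port: 61512 "
    "Additional Information: Ticket Options: 0x40000000 Result Code: 0x0 "
    "Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 "
    "Certificate Information: Certificate Issuer Name: Certificate Serial Number: "
    "Certificate Thumbprint: Certificate information is only provided if a "
    "certificate was used for pre-authentication."
)

# Labels whose values we extract, plus every label or section header that can
# terminate a value (values contain spaces, so we split on known labels only).
FIELDS = [
    "Account Name", "Supplied Realm Name", "User ID", "Service Name", "Service ID",
    "Client Address", "Client Port", "Ticket Options", "Result Code",
    "Ticket Encryption Type", "Pre-Authentication Type",
]
SECTIONS = [
    "Account Information", "Service Information", "Network Information",
    "Additional Information", "Certificate Information", "Certificate Issuer Name",
    "Certificate Serial Number", "Certificate Thumbprint",
]
_FIELD_ALT = "|".join(re.escape(f) for f in FIELDS)
_STOP_ALT = "|".join(re.escape(s) for s in sorted(FIELDS + SECTIONS, key=len, reverse=True))
_FIELD_RE = re.compile(rf"({_FIELD_ALT}):\s*(.*?)\s*(?=(?:{_STOP_ALT}):|\Z)", re.S)

# Code tables (RFC 4120 section 7.5 and the Microsoft 4768 documentation).
RESULT_CODES = {
    0x0: "KDC_ERR_NONE (success)",
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client principal not found)",
    0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN (service principal not found)",
    0xE: "KDC_ERR_ETYPE_NOSUPP (no common encryption type)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, locked or expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (pre-authentication failed; usually a bad password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}
ETYPES = {0x1: "des-cbc-crc", 0x3: "des-cbc-md5", 0x11: "aes128-cts-hmac-sha1-96",
          0x12: "aes256-cts-hmac-sha1-96", 0x17: "rc4-hmac"}
PREAUTH_TYPES = {0: "none", 2: "PA-ENC-TIMESTAMP (password-derived key)",
                 11: "PA-ETYPE-INFO", 15: "PA-PK-AS-REP_OLD", 16: "PA-PK-AS-REQ",
                 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2"}
# KDCOptions bit positions counted from the most significant bit (RFC 4120 5.4.1);
# bits 14 and 15 are the Microsoft constrained-delegation and canonicalize flags.
TICKET_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy", 5: "allow-postdate",
    6: "postdated", 8: "renewable", 14: "constrained-delegation", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok", 28: "enc-tkt-in-skey",
    30: "renew", 31: "validate",
}


def parse_event_4768(text):
    """Return {label: value} for the known labels in a flattened 4768 message."""
    return {m.group(1): m.group(2) for m in _FIELD_RE.finditer(text)}


def decode_ticket_options(options):
    """Name the KDCOptions flags set in the 32-bit Ticket Options value."""
    return [name for bit, name in sorted(TICKET_OPTION_BITS.items())
            if options & (1 << (31 - bit))]


def decode_tgt_request(text):
    """Parse and decode one 4768 record into a human-readable summary dict."""
    f = parse_event_4768(text)
    missing = [k for k in ("Result Code", "Ticket Encryption Type",
                           "Pre-Authentication Type", "Ticket Options") if k not in f]
    if missing:
        raise ValueError(f"4768 record lacks fields: {missing}")
    result = int(f["Result Code"], 16)
    etype = int(f["Ticket Encryption Type"], 16)
    preauth = int(f["Pre-Authentication Type"])
    realm = f.get("Supplied Realm Name", "")
    return {
        "principal": f"{f.get('Account Name', '?')}@{realm}",
        "client": f"{f.get('Client Address', '?')}:{f.get('Client Port', '?')}",
        "success": result == 0,
        "result": RESULT_CODES.get(result, f"unknown result code 0x{result:x}"),
        "etype": ETYPES.get(etype, f"unknown etype 0x{etype:x}"),
        "preauth": PREAUTH_TYPES.get(preauth, f"unknown pre-auth type {preauth}"),
        "options": decode_ticket_options(int(f["Ticket Options"], 16)),
        # Kerberos realm names are case-sensitive; AD realms are upper-case.
        "realm_uppercase": realm == realm.upper(),
    }


if __name__ == "__main__":
    for key, value in decode_tgt_request(SAMPLE_4768).items():
        print(f"{key:16} {value}")
```

A Result Code of 0x0 with Pre-Authentication Type 2 means the KDC accepted the timestamp encrypted under the account's key, so the client's password and clock were both acceptable to the DC at that moment; a 0x18 would indicate a rejected password and a 0x25 a clock skew, which is the check the reporter did with NTP.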

#5 Updated by Gary Williams over 4 years ago

One other comment, just in case it's related to case sensitivity, on the Kerberos realms tab I have typed in the domain name "gdwnet.com" in lower case. This automatically goes uppercase. I have deleted and re-entered it as lowercase and again, it goes uppercase.

#6 Updated by John Hixson over 4 years ago

  • Status changed from Screened to 15

Gary Williams wrote:

One other comment, just in case it's related to case sensitivity, on the Kerberos realms tab I have typed in the domain name "gdwnet.com" in lower case. This automatically goes uppercase. I have deleted and re-entered it as lowercase and again, it goes uppercase.

Can you try deleting the entry altogether? Afterwards, click save again in your AD configuration. It will automagically create the entry. Let me know how that works out for you.

#7 Updated by Gary Williams over 4 years ago

I've tried that, same problem and it recreates the Kerberos realm entry in capitals.

#8 Updated by John Hixson over 4 years ago

Gary Williams wrote:

I've tried that, same problem and it recreates the Kerberos realm entry in capitals.

Hi Gary,

I'd like to troubleshoot this some more. Do you have TeamViewer? Would you be willing to let me look around using it? When would you be available?

#9 Updated by Gary Williams over 4 years ago

John Hixson wrote:

Gary Williams wrote:

I've tried that, same problem and it recreates the Kerberos realm entry in capitals.

Hi Gary,

I'd like to troubleshoot this some more. Do you have TeamViewer? Would you be willing to let me look around using it? When would you be available?

Hi John,

You're more than welcome to; however, I've done some digging on the host and found two hardware issues. One of the sticks of RAM has gone bad and the USB drive FreeNAS is on is showing errors, so the current plan is to replace all the RAM in the box, do a fresh install to a new USB stick, and try AD again from there.

#10 Updated by John Hixson over 4 years ago

  • Status changed from 15 to Closed: User Config Issue

Hi Gary,

This doesn't surprise me ;-) If there are still issues once you have replaced the faulty hardware, please open a new ticket.

#11 Updated by Kris Moore about 4 years ago

  • Target version changed from 261 to N/A

#12 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug-store05-20160124164355..tgz)
