Add alert to indicate when AD is out of sync with NTP
Joining an AD when there is a clock skew will prevent AD from functioning. In past releases the webui would normally inform the user that an error occurred, and the enabled box would remain unchecked. As of our internal TN 9.10.1-U1 the user will not be informed there was an error, and the enabled box gets checked. However, going to the console and running net ads join will show it is not working due to skew.
[root@fn910u2] ~# net ads join -S dc01.ad01.tn.ixsystems.com -U Administrator
Enter Administrator's password:
gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Failed to join domain: failed to connect to AD: An internal error occurred.
#5 Updated by Anonymous over 4 years ago
Upon first glance I am not sure why it is letting this through, nor does there appear to be a good place in the existing scripts to catch it. Do you by chance recall which versions did warn the user about clock skew being too great, so I can figure out what changed?
#6 Updated by Joe Maloney over 4 years ago
- File debug-freenas-20161127211051.tgz added
I want to say the release prior to TrueNAS-9.10.1-U1 should not exhibit the issue. Here is an attached debug from a failed join where NTP was in sync, and klist and kinit worked. The webui at this time still showed connected when wbinfo -t showed errors. So it seems to occur even when clock skew is not an issue. I am not sure where else to look yet in this case. Below is the output of ntpq, wbinfo -t, and the /var/log/log.winbindd contents.
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.20.20.122    188.8.131.52     3 u   52  128  377    0.573  -33.632   7.308
[root@freenas] /var/log/samba4# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret
[2016/11/27 20:26:27.904801, 1] ../source3/lib/tdb_validate.c:480(tdb_validate_and_backup)
  tdb '/var/db/samba4/winbindd_cache.tdb' is valid
[2016/11/27 20:26:27.910618, 1] ../source3/lib/tdb_validate.c:490(tdb_validate_and_backup)
  Created backup '/var/db/samba4/winbindd_cache.tdb.bak' of tdb '/var/db/samba4/winbindd_cache.tdb'
[2016/11/27 20:26:27.913799, 0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
  Could not fetch our SID - did we join?
[2016/11/27 20:26:27.913834, 0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
  unable to initialize domain list
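The ticket asks for an alert, and the description plus comment #6 together show the two inputs such a check has to look at: the NTP offset against the Kerberos 5-minute skew tolerance, and the failure strings that net ads join, wbinfo -t and log.winbindd print when the join did not actually take. The following is an added example of that check, written here for illustration; it is not FreeNAS/TrueNAS middleware code. It assumes the caller has already captured the text of `ntpq -p` and of the samba diagnostics, and it only does string matching on them. The sample inputs are constructed from the outputs quoted above in this ticket.

```python
"""Added example (not FreeNAS/TrueNAS code): decide whether an AD health alert
should be raised from `ntpq -p` output and samba/winbind diagnostics."""
import re
from dataclasses import dataclass
from typing import List

# MIT and Heimdal Kerberos refuse tickets when client and KDC clocks differ by
# more than 5 minutes by default; that is the "Clock skew too great" error.
KERBEROS_MAX_SKEW_MS = 5 * 60 * 1000

# One `ntpq -p` peer line: tally, remote, refid, st, t, when, poll, reach,
# delay, offset, jitter. delay/offset/jitter are milliseconds, reach is an
# octal shift register of the last 8 polls. The header and '====' separator
# lines do not match and are skipped.
PEER_RE = re.compile(
    r"^(?P<tally>[*+\-#xo. ])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?\d+(?:\.\d+)?)\s+(?P<offset>-?\d+(?:\.\d+)?)\s+"
    r"(?P<jitter>\d+(?:\.\d+)?)\s*$"
)


@dataclass
class NtpPeer:
    remote: str
    tally: str        # '*' = system peer ntpd is synced to, '+' = candidate, ' ' = unused
    reach: int        # last 8 poll results as a bitmask; 0o377 means all succeeded
    offset_ms: float  # signed offset of the local clock against this peer


def parse_ntpq(text: str) -> List[NtpPeer]:
    """Parse the peer lines of `ntpq -p` output into NtpPeer records."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append(NtpPeer(m["remote"], m["tally"], int(m["reach"], 8), float(m["offset"])))
    return peers


# Failure strings printed by the samba tooling (as seen in this ticket), paired
# with the alert text to raise when they appear.
DIAG_SIGNATURES = (
    ("Clock skew too great",
     "AD: Kerberos rejected the bind because of clock skew; check NTP on this host and the DC"),
    ("WBC_ERR_WINBIND_NOT_AVAILABLE",
     "AD: winbindd is not running or not answering (wbinfo -t failed)"),
    ("Could not fetch our SID - did we join?",
     "AD: winbindd has no domain SID; the domain join did not complete"),
)


def ad_alerts(ntpq_output: str, diag_output: str) -> List[str]:
    """Return alert strings; an empty list means time and join state look healthy."""
    alerts = []
    peers = parse_ntpq(ntpq_output)
    sys_peer = next((p for p in peers if p.tally == "*"), None)
    if sys_peer is None:
        alerts.append("NTP: not synchronized to any peer; Kerberos time checks cannot be trusted")
    else:
        if abs(sys_peer.offset_ms) > KERBEROS_MAX_SKEW_MS:
            alerts.append(f"NTP: offset {sys_peer.offset_ms:+.1f} ms to {sys_peer.remote} "
                          f"exceeds the Kerberos 5 minute tolerance")
        if sys_peer.reach != 0o377:
            alerts.append(f"NTP: peer {sys_peer.remote} missed recent polls (reach {sys_peer.reach:o})")
    for needle, message in DIAG_SIGNATURES:
        if needle in diag_output and message not in alerts:
            alerts.append(message)
    return alerts


# Constructed sample input, assembled from the outputs quoted in this ticket.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.20.20.122    188.8.131.52     3 u   52  128  377    0.573  -33.632   7.308
"""
SAMPLE_JOIN = """\
gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Failed to join domain: failed to connect to AD: An internal error occurred.
"""
SAMPLE_WBINFO = """\
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/11/27 20:26:27.913799, 0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
  Could not fetch our SID - did we join?
"""

if __name__ == "__main__":
    for alert in ad_alerts(SAMPLE_NTPQ, SAMPLE_JOIN + SAMPLE_WBINFO):
        print(alert)
```

Run against the ticket's own output, the NTP side is quiet (an offset of -33.632 ms is far inside the tolerance, and reach 377 means every recent poll succeeded), while the samba strings still produce three AD alerts. That matches Joe's observation in #6 that the join can be broken even when the clock is fine, which is why the check keys on the winbind state and not only on NTP.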
#27 Updated by John Hixson almost 4 years ago
- Assignee changed from Timur Bakeyev to John Hixson
Snatching this one back. I already did the legwork for a fix for reporting this. Timur, this isn't quite your ntp alerting here. I wrote a sysctl module and have included buffers for things like this, and I plan to use that for propagating this error to the UI. I'm sorry I've slept on it, I just have so many other things I'm working on ;-)
#30 Updated by Dru Lavigne over 3 years ago
- Category changed from OS to GUI (new)
- Assignee changed from John Hixson to Anonymous
- Target version changed from 11.1-U1 to 11.2-BETA1
This should be for the new UI. Erin, please ping John if your team needs anything in the backend to get this to work in the UI.
#33 Updated by Dru Lavigne over 3 years ago
- Subject changed from WebUI is not reporting correctly when AD cannot start due to skew to Add alert to indicate when AD is out of sync with NTP
- Category changed from GUI (new) to OS
- Status changed from Screened to Not Started
- Assignee changed from Anonymous to Timur Bakeyev