
Bug #18362

Add alert to indicate when AD is out of sync with NTP

Added by Joe Maloney over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Expected
Assignee:
Timur Bakeyev
Category:
OS
Target version:
Seen in:
TrueNAS - TrueNAS-9.10.1-U1
Severity:
New
Reason for Closing:
Duplicate
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No


Description

Joining an AD when there is a clock skew will prevent AD from functioning. In past releases, the webui would normally inform the user that an error occurred, and the enabled box would remain unchecked. As of our internal TN 9.10.1-U1 the user will not be informed there was an error, and the enabled box gets checked. However, going to the console and running net ads join will show it is not working due to skew.

[root@fn910u2] ~# net ads join -S dc01.ad01.tn.ixsystems.com -U Administrator
Enter Administrator's password:
gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
Failed to join domain: failed to connect to AD: An internal error occurred.


Related issues

Related to FreeNAS - Feature #21458: Provide alert if configured NTP server can not be contacted (Done)

Associated revisions

Revision a3cea7dd (diff)
Added by John Hixson almost 36 years ago

kinit: fail fast and hard Ticket: #18362

History

#1 Updated by Anonymous over 4 years ago

  • Status changed from Unscreened to Screened

#2 Updated by Vaibhav Chauhan over 4 years ago

  • Priority changed from No priority to Expected
  • Target version set to TrueNAS-9.10.1-U3

#3 Updated by Kris Moore over 4 years ago

  • Target version changed from TrueNAS-9.10.1-U3 to TrueNAS-9.10.2

#4 Updated by Vaibhav Chauhan over 4 years ago

  • Project changed from TrueNAS to FreeNAS
  • Category changed from 130 to 36
  • Target version deleted (TrueNAS-9.10.2)

#5 Updated by Anonymous over 4 years ago

Upon first glance I am not sure why it is letting this through, nor does there appear to be a good place in the existing scripts to catch it. Do you by chance recall which versions did warn the user about clock skew being too great, so I can figure out what changed?

#6 Updated by Joe Maloney over 4 years ago

  • File debug-freenas-20161127211051.tgz added

I want to say the release prior to TrueNAS-9.10.1-U1 should not exhibit the issue. Here is an attached debug from a failed join where NTP was in sync, klist, and kinit worked. The webui at this time still showed connected when wbinfo -t showed errors. So it seems to occur even when clock skew is not an issue. I am not sure where else to look yet in this case. Below is the output of ntpq, wbinfo -t, and /var/log/log.winbindd contents.

ntpq> peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.20.20.122    104.156.99.226   3 u   52  128  377    0.573  -33.632   7.308

[root@freenas] /var/log/samba4# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret

[2016/11/27 20:26:27.904801, 1] ../source3/lib/tdb_validate.c:480(tdb_validate_and_backup)
tdb '/var/db/samba4/winbindd_cache.tdb' is valid
[2016/11/27 20:26:27.910618, 1] ../source3/lib/tdb_validate.c:490(tdb_validate_and_backup)
Created backup '/var/db/samba4/winbindd_cache.tdb.bak' of tdb '/var/db/samba4/winbindd_cache.tdb'
[2016/11/27 20:26:27.913799, 0] ../source3/winbindd/winbindd_util.c:869(init_domain_list)
Could not fetch our SID - did we join?
[2016/11/27 20:26:27.913834, 0] ../source3/winbindd/winbindd.c:1408(winbindd_register_handlers)
unable to initialize domain list

#7 Updated by Joe Maloney over 4 years ago

The net ads join -S ad01 -U Administrator command also succeeds. Looks like winbind fails, and nmbd gets killed after it tries to run.

#8 Updated by Kris Moore over 4 years ago

  • Target version set to 9.10.2-U1

#9 Updated by John Hixson over 4 years ago

Joe: Put me on a system with this problem so I fix this.

#10 Updated by Anonymous over 4 years ago

  • Assignee changed from Anonymous to John Hixson

I'm going to give this to John if he wants to work on it

#11 Updated by Joe Maloney over 4 years ago

John,
just sent you the IP, and credentials in slack. You can easily reproduce on any by doing something like date to set the time incorrectly. If it's 3:31 just run date 1045 to make the time incorrect, and you will see the problem.

#12 Updated by Joe Maloney over 4 years ago

FYI I just set the time incorrect, tried to join AD, and it's in the broken state now where AD shows connected in the webui.

#13 Updated by John Hixson over 4 years ago

I briefly looked at this last week. From the command line, things work as expected. The UI is not reporting the error properly. This should be pretty easy to figure out. I'm pretty booked this week but will probably be able to find some time next week.

#14 Updated by Kris Moore over 4 years ago

  • Target version changed from 9.10.2-U1 to 9.10.2-U2

#15 Updated by Kris Moore over 4 years ago

  • Target version changed from 9.10.2-U2 to 9.10.3

#16 Updated by Kris Moore about 4 years ago

  • Target version changed from 9.10.3 to 11.0

#18 Updated by Vaibhav Chauhan about 4 years ago

I will branch tonight for FreeNAS-11, can you tell me what's the status of the ticket?

#20 Updated by Kris Moore almost 4 years ago

  • Target version changed from 11.0 to 11.0-U1

Re-targeting for 11.0-U1

#21 Updated by John Hixson almost 4 years ago

  • Target version changed from 11.0-U1 to 11.0

I've done most of the legwork here and this should be pretty easy to do in time. If I can get it into 11.0 I will, if not I'll put back to U1 ;-)

#22 Updated by Kris Moore almost 4 years ago

  • Target version changed from 11.0 to 11.0-U1

#23 Updated by Vaibhav Chauhan almost 4 years ago

  • Target version changed from 11.0-U1 to 11.0-U2

#24 Updated by Vaibhav Chauhan almost 4 years ago

  • Target version changed from 11.0-U2 to 11.0-U3

#25 Updated by Timur Bakeyev almost 4 years ago

John, I'm working on an alerting plug-in that should raise an alert if the box isn't in sync with the configured NTP server.
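As an added illustration of the check such an alert plug-in needs (example code written for this page, not the FreeNAS middleware's own plug-in), the following parses `ntpq -p` peer output of the shape quoted in comment #6 and raises an alert when no peer is reachable, when no sync source has been selected, or when the selected peer's offset exceeds Kerberos' default 300 s skew tolerance; the 300 s constant and the sample output are assumptions constructed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Kerberos' default tolerance for client/KDC clock skew is 300 seconds; beyond
# that, 'net ads join' fails with "Clock skew too great" as shown in this ticket.
MAX_SKEW_SECONDS = 300.0

# Constructed sample in the layout of the 'ntpq -p' output from comment #6.
# ntpq prints delay/offset/jitter in milliseconds and 'reach' in octal.
SAMPLE_NTPQ_PEERS = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.20.20.122    104.156.99.226   3 u   52  128  377    0.573  -33.632   7.308
"""


@dataclass
class NtpPeer:
    tally: str        # '*' system peer, '+' candidate, ' ' unused, 'x' falseticker
    remote: str
    reach: int        # 8-bit reachability register; 0o377 = last 8 polls answered
    offset_ms: float


def parse_ntpq_peers(text: str) -> List[NtpPeer]:
    """Parse 'ntpq -p' billboard lines; the first column character is the tally code."""
    peers: List[NtpPeer] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or "refid" in line:
            continue                      # skip blanks, separator and header rows
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue                      # truncated or unexpected row
        # fields: remote refid st t when poll reach delay offset jitter
        peers.append(NtpPeer(tally, fields[0], int(fields[6], 8), float(fields[8])))
    return peers


def check_time_sync(peers: List[NtpPeer]) -> Optional[str]:
    """Return an alert text, or None when the clock can be trusted for AD/Kerberos."""
    synced = [p for p in peers if p.tally == "*"]
    if not synced:
        if not any(p.reach for p in peers):
            return "NTP: no configured server is reachable; clock cannot be verified for AD"
        return "NTP: no server selected as sync source yet; clock not yet verified for AD"
    peer = synced[0]
    skew = abs(peer.offset_ms) / 1000.0   # convert ntpq milliseconds to seconds
    if skew > MAX_SKEW_SECONDS:
        return (f"NTP: clock skew {skew:.1f}s against {peer.remote} exceeds the "
                f"{MAX_SKEW_SECONDS:.0f}s Kerberos tolerance; AD join will fail")
    return None
```

The check deliberately distinguishes "unreachable" from "not yet selected", since the former is the Feature #21458 case and the latter is normal for a minute or two after ntpd starts.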

#26 Updated by Kris Moore almost 4 years ago

  • Assignee changed from John Hixson to Timur Bakeyev
  • Target version changed from 11.0-U3 to 11.1

#27 Updated by John Hixson almost 4 years ago

  • Assignee changed from Timur Bakeyev to John Hixson

Snatching the one back. I already did legwork for a fix for reporting this. Timur, this isn't quite your ntp alerting here. I wrote a sysctl module and have included buffers for things like this, and I plan to use that for propagating this error to the UI. I'm sorry I've slept on it, I just have so many other things I'm working on ;-)

#28 Updated by Kris Moore over 3 years ago

  • Target version changed from 11.1 to 11.1-U1

#29 Updated by Ben Gadd over 3 years ago

RE Team: Do we need to push this to a later release?

#30 Updated by Dru Lavigne over 3 years ago

  • Category changed from OS to GUI (new)
  • Assignee changed from John Hixson to Anonymous
  • Target version changed from 11.1-U1 to 11.2-BETA1

This should be for the new UI. Erin, please ping John if your team needs anything in the backend to get this to work in the UI.

#31 Updated by Anonymous over 3 years ago

  • Related to Feature #21458: Provide alert if configured NTP server can not be contacted added

#32 Updated by Anonymous over 3 years ago

Timur and I discussed this a little, he is making an alert that should definitely give some indication that the time is off with ntp, as to what else the UI should do we may need to discuss this a little further.

#33 Updated by Dru Lavigne over 3 years ago

  • Subject changed from WebUI is not reporting correctly when AD cannot start due to skew to Add alert to indicate when AD is out of sync with NTP
  • Category changed from GUI (new) to OS
  • Status changed from Screened to Not Started
  • Assignee changed from Anonymous to Timur Bakeyev

#34 Updated by Dru Lavigne over 3 years ago

  • File deleted (debug-freenas-20161127211051.tgz)

#35 Updated by Dru Lavigne over 3 years ago

  • Status changed from Not Started to Closed
  • Target version changed from 11.2-BETA1 to N/A
  • Reason for Closing set to Duplicate
