Bug #24444

Filter out non-domain results for Active Directory

Added by Stefan Rubner almost 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
No priority
Assignee:
John Hixson
Category:
OS
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

We've been successfully running FreeNAS 11.0RC3, but after upgrading to RC4 we're unable to use AD authentication against our Univention Corporate Server 4.2 anymore. The errors we're seeing are always like this:

Jun 9 18:25:59 freenas ActiveDirectory: /usr/sbin/service ix-cache quietstart &
Jun 9 18:26:00 freenas /cachetool.py: [common.freenasusers:354] Directory Users could not be retrieved: 'nETBIOSName'
Traceback (most recent call last):
File "/usr/local/www/freenasUI/common/freenasusers.py", line 351, in __init__
self.__users = dir(**kwargs)
File "/usr/local/www/freenasUI/common/freenasldap.py", line 2586, in __init__
n = d['nETBIOSName']
KeyError: 'nETBIOSName'
Jun 9 18:26:01 freenas /cachetool.py: [common.freenasusers:232] Directory Groups could not be retrieved: 'nETBIOSName'

From looking at the code path I assume that d[] isn't initialised properly when being called from ix-cache.
If more input is needed I'll gladly provide whatever you need.

Associated revisions

Revision 8ed78268 (diff)
Added by John Hixson almost 4 years ago

Only grab domain NC's Ticket: #24444

Revision 3a1ed896 (diff)
Added by John Hixson almost 4 years ago

Only grab domain NC's Ticket: #24444 (cherry picked from commit 8ed78268707701dad96df5f32a176c913d5d34e2)

Revision 841ddf79 (diff)
Added by John Hixson almost 4 years ago

Only grab domain NC's Ticket: #24444

History

#1 Updated by John Hixson almost 4 years ago

  • Status changed from Unscreened to Screened
  • Target version set to 11.0-U1

#2 Updated by John Hixson almost 4 years ago

  • Status changed from Screened to 15

I recently introduced some Berkeley DB changes that might have caused this. Is rebooting out of the question? If so, how about nuking your cache path (/var/tmp/.cache) and re-enabling the AD service? That should clear up any issues if that is indeed the problem.

#3 Updated by Stefan Rubner almost 4 years ago

I already tried rebooting. Will try nuking the cache path and see what happens.

#4 Updated by Stefan Rubner almost 4 years ago

Here's what I did:
  • Disabled AD
  • Nuked /var/tmp/.cache
  • Re-enabled AD

Unfortunately the result stays the same. Funny thing is that when I run "wbinfo -u" or "wbinfo -g" on the command line I see all users and groups just fine.

#5 Updated by John Hixson almost 4 years ago

Yeah, this code path is just for the cache (users/groups in the UI). It shouldn't affect the way the system sees the users and groups. It does however need to be fixed.

#6 Updated by John Hixson almost 4 years ago

Can you attach a debug please? system->advanced->save debug

#7 Updated by Stefan Rubner almost 4 years ago

  • File debug-freenas-20170611172353.tgz added

Sure.

#8 Updated by John Hixson almost 4 years ago

I'd like to take a look at your system, would that be possible? I usually use teamviewer or SSH. Whatever works for you.

#9 Updated by Sam Hoffman almost 4 years ago

I'm having the same problem, AD will work with RC4 but it eventually fails. RC3 works great. I'm currently on RC3 after reverting back.

#10 Updated by John Hixson almost 4 years ago

Sam Hoffman wrote:

I'm having the same problem, AD will work with RC4 but it eventually fails. RC3 works great. I'm currently on RC3 after reverting back.

If you are having this exact problem, I would be interested in looking at your system as well. The sooner I can look at someone's system having this issue, the sooner I can fix it ;-)

#11 Updated by Stefan Rubner almost 4 years ago

Sorry, was out of town for a bit. Let me know what would be the best time for you.

#12 Updated by John Hixson almost 4 years ago

Stefan Rubner wrote:

Sorry, was out of town for a bit. Let me know what would be the best time for you.

I'm fairly flexible. If you can give me a time slot when you are available, I can pick something out of that ;-)

#13 Updated by Stefan Rubner almost 4 years ago

Life interfered again. I could be available daily from 14:00 to 15:00 MEST or later in the evening starting from 21:00 MEST.

#14 Updated by John Hixson almost 4 years ago

Stefan Rubner wrote:

Life interfered again. I could be available daily from 14:00 to 15:00 MEST or later in the evening starting from 21:00 MEST.

How does 21:00 MEST tomorrow sound?

#15 Updated by Stefan Rubner almost 4 years ago

Sounds good to me. So that'll be 21:00 MEST today.

#16 Updated by Vaibhav Chauhan almost 4 years ago

  • Target version changed from 11.0-U1 to 11.0-U2

#17 Updated by Stefan Rubner almost 4 years ago

Just for completeness: Upgraded to 11.0 Release, problem persists.

#18 Updated by John Hixson almost 4 years ago

Stefan Rubner wrote:

Just for completeness: Upgraded to 11.0 Release, problem persists.

Looks like we missed each other. Let's try to schedule something this week. If you are available today, email me john at ixsystems dot com. Otherwise, how does Tuesday, June 27 @ 21:00 MEST sound?

#19 Updated by Stefan Rubner almost 4 years ago

@Sam Hoffmann: Did you get your problem resolved? I'm back at RC3 now as well.

#20 Updated by John Hixson almost 4 years ago

Stefan Rubner wrote:

@Sam Hoffmann: Did you get your problem resolved? I'm back at RC3 now as well.

Stefan, email sent. We need to schedule a time so that I can look at your system.

#21 Updated by Sam Hoffman almost 4 years ago

Stefan Rubner wrote:

@Sam Hoffmann: Did you get your problem resolved? I'm back at RC3 now as well.

Sorry, been away from my desk for a while. I just upgraded to 11.0 release and it hasn't disconnected from the domain yet. I'll let you know if it does.

#22 Updated by John Hixson almost 4 years ago

Spent a few hours on this with Stefan. The particular AD he is using is something based on Samba 4. I noticed several weird objects in the results from the get_domains() function. I wrote some code to filter out non domain results and it works now.
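As an added illustration of the filtering described in the comment above (example code written here, not the project's get_domains() or the change in revision 8ed78268): a constructed set of crossRef entries such as a search under CN=Partitions can return from a Samba 4 based DC, the fragile lookup that raises the KeyError seen in the description, and a filter that keeps only domain naming contexts. The entry layout, the sample DNs and the FLAG_CR_NTDS_DOMAIN systemFlags check are assumptions about a generic AD-style schema.

```python
import logging

log = logging.getLogger("ad_domains")

# crossRef systemFlags bit that marks a domain naming context
# (FLAG_CR_NTDS_DOMAIN in the AD schema); assumption: the DC sets it as AD does.
FLAG_CR_NTDS_DOMAIN = 0x2

# Constructed sample of what a search under CN=Partitions can return from a
# Samba 4 based DC, shaped like python-ldap (dn, attrs) tuples. Only the first
# entry is a domain; the rest are the kind of objects that lack nETBIOSName.
SAMPLE_PARTITIONS = [
    ("CN=SAMDOM-LOCAL,CN=Partitions,CN=Configuration,DC=samdom,DC=local",
     {"objectClass": [b"top", b"crossRef"], "nETBIOSName": [b"SAMDOM-LOCAL"],
      "nCName": [b"DC=samdom,DC=local"], "systemFlags": [b"3"]}),
    ("CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=samdom,DC=local",
     {"objectClass": [b"top", b"crossRef"], "systemFlags": [b"1"],
      "nCName": [b"CN=Configuration,DC=samdom,DC=local"]}),
    ("CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=samdom,DC=local",
     {"objectClass": [b"top", b"crossRef"], "systemFlags": [b"1"],
      "nCName": [b"CN=Schema,CN=Configuration,DC=samdom,DC=local"]}),
    ("CN=DomainDnsZones,CN=Partitions,CN=Configuration,DC=samdom,DC=local",
     {"objectClass": [b"top", b"crossRef"], "systemFlags": [b"5"],
      "nCName": [b"DC=DomainDnsZones,DC=samdom,DC=local"]}),
    # a search-continuation reference, which python-ldap returns with dn None
    (None, ["ldap://other.example/DC=other,DC=example"]),
]


def netbios_names_unfiltered(results):
    """The fragile pattern behind the traceback: assumes every entry is a domain."""
    return [d["nETBIOSName"][0].decode() for _dn, d in results]

def domain_ncs(results):
    """Keep only crossRef entries that describe a domain naming context."""
    domains = []
    for dn, attrs in results:
        if dn is None or not isinstance(attrs, dict):
            continue  # referral or malformed entry, not a partition
        if b"crossRef" not in attrs.get("objectClass", []):
            continue
        flags = int(attrs.get("systemFlags", [b"0"])[0])
        has_keys = all(k in attrs for k in ("nETBIOSName", "nCName"))
        if not flags & FLAG_CR_NTDS_DOMAIN or not has_keys:
            log.debug("skipping non-domain partition %s", dn)
            continue
        domains.append({"dn": dn, "netbios": attrs["nETBIOSName"][0].decode(),
                        "nc": attrs["nCName"][0].decode()})
    return domains
```

The unfiltered lookup fails on the second sample entry with the same KeyError: 'nETBIOSName' as the log in the description, while domain_ncs() returns just the SAMDOM-LOCAL partition.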

#23 Updated by John Hixson almost 4 years ago

  • Status changed from 15 to Needs Developer Review
  • Assignee changed from John Hixson to Vaibhav Chauhan
  • Target version changed from 11.0-U2 to 11.0-U1

#24 Updated by Kris Moore almost 4 years ago

  • Assignee changed from Vaibhav Chauhan to Timur Bakeyev

#25 Updated by Vaibhav Chauhan almost 4 years ago

  • Target version changed from 11.0-U1 to 11.0-U2

This is retargeted to U2 as QA will not be able to verify whether the fix works before the planned U1 release. Please review the code regardless.

#26 Updated by Timur Bakeyev almost 4 years ago

  • Status changed from Needs Developer Review to Reviewed
  • Assignee changed from Timur Bakeyev to Vaibhav Chauhan
  • Target version changed from 11.0-U2 to 11.0-U1
  • Private changed from No to Yes

#27 Updated by Timur Bakeyev almost 4 years ago

  • Target version changed from 11.0-U1 to 11.0-U2

Dunno how it got reverted from U2 to U1...

#28 Updated by Kris Moore almost 4 years ago

  • Status changed from Reviewed to Reviewed by Developer

#29 Updated by Vaibhav Chauhan almost 4 years ago

  • Target version changed from 11.0-U2 to 11.0-U3

#30 Updated by Vaibhav Chauhan over 3 years ago

Please publish your changes in a PR which will be merged against the stable branch; also please let us know here when you have the PR ready.

#31 Updated by Vaibhav Chauhan over 3 years ago

  • Status changed from Reviewed by Developer to 47

#32 Updated by Dru Lavigne over 3 years ago

  • File deleted (debug-freenas-20170611172353.tgz)

#33 Updated by Dru Lavigne over 3 years ago

  • Private changed from Yes to No

#34 Updated by Vaibhav Chauhan over 3 years ago

  • Assignee changed from Vaibhav Chauhan to Joe Maloney

#35 Updated by Dru Lavigne over 3 years ago

  • Subject changed from 11.0 RC4 Upgrade - Active Directory: Directory Users could not be retrieved: 'nETBIOSName' to Filter out non-domain results for Active Directory

#36 Updated by Joe Maloney over 3 years ago

  • Status changed from 47 to Ready For Release
  • Needs QA changed from Yes to No
  • QA Status Test Passes added
  • QA Status deleted (Not Tested)

Univention DC Master 4.2-1.

Bind with TLS off using:

ucr set samba/ldap/server/require/strong/auth='no'

root@bonniemini:/var/db/samba4 # wbinfo -u
SAMDOM-LOCAL\administrator
SAMDOM-LOCAL\dns-ucs-8701
SAMDOM-LOCAL\join-backup
SAMDOM-LOCAL\join-slave
SAMDOM-LOCAL\krbtgt
SAMDOM-LOCAL\guest

Bind with TLS on by copying contents of CA certificate into a new CA certificate within FreeNAS:

cat /etc/univention/ssl/ucsCA/CAcert.pem
root@bonniemini:/var/db/samba4 # python /usr/local/www/freenasUI/middleware/notifier.py start cifs
True
root@bonniemini:/var/db/samba4 # service ix-activedirectory start
'dict' object has no attribute 'certfile'
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 163, in call_method
    result = self.middleware.call_method(self, message)
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 580, in call_method
    return self._call(message['method'], methodobj, params, app=app)
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 568, in _call
    return methodobj(*args)
  File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/etc.py", line 101, in generate
    rendered = renderer.render(path)
  File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/etc.py", line 18, in render
    return tmpl.render(middleware=self.service.middleware)
  File "/usr/local/lib/python3.6/site-packages/mako/template.py", line 462, in render
    return runtime._render(self, self.callable_, args, data)
  File "/usr/local/lib/python3.6/site-packages/mako/runtime.py", line 838, in _render
    **_kwargs_for_callable(callable_, data))
  File "/usr/local/lib/python3.6/site-packages/mako/runtime.py", line 873, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "/usr/local/lib/python3.6/site-packages/mako/runtime.py", line 899, in _exec_template
    callable_(context, *args, **kwargs)
  File "_usr_local_lib_python3_6_site_packages_middlewared_etc_files_local_openldap_ldap_conf", line 52, in render_body
AttributeError: 'dict' object has no attribute 'certfile'

Unknown parameter encountered: "allow_sasl_over_tls" 
Ignoring unknown parameter "allow_sasl_over_tls" 
Unknown parameter encountered: "allow_sasl_over_tls" 
Ignoring unknown parameter "allow_sasl_over_tls" 
Join to domain is not valid: NT code 0xfffffff6
Unknown parameter encountered: "allow_sasl_over_tls" 
Ignoring unknown parameter "allow_sasl_over_tls" 
Unknown parameter encountered: "allow_sasl_over_tls" 
Ignoring unknown parameter "allow_sasl_over_tls" 
Failed to join domain: failed to connect to AD: Cannot read password
False

This is most likely due to #24212 which has https://github.com/freenas/freenas/pull/298 yet to be merged.

Marking this fix as ready since it does the right thing now otherwise.

#37 Updated by Vaibhav Chauhan over 3 years ago

  • Status changed from Ready For Release to Resolved

#38 Updated by Joe Maloney over 3 years ago

  • Assignee changed from Joe Maloney to John Hixson
