Bug #26552

FreeNAS as domain controller - cannot add group policy objects

Added by Patrick M. Hausen almost 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Nice to have
Assignee: Timur Bakeyev
Category: OS
Target version:
Seen in:
Severity:
Reason for Closing: Duplicate Issue
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration: VMware Fusion, 8 GB installation disk, 8 GB RAM, 2x 20 GB data disks
ChangeLog Required: No

Description

1. New installation of FreeNAS 11.0U4 followed by an update to 11.1RC1 - the problem is identical in 11.0U4
2. Create domain controller as in the attached screenshot.
3. Trying to use the group policy management tool from Windows RSAT gives a cryptic error message without detail ("invalid parameter")
4. Some more detail as available from the command line:

root@freenas:~ # net ads info
LDAP server: 192.168.2.149
LDAP server name: freenas.test.lan
Realm: TEST.LAN
Bind Path: dc=TEST,dc=LAN
LDAP port: 389
Server time: Wed, 08 Nov 2017 15:15:43 CET
KDC server: 192.168.2.149
Server time offset: 0
Last machine account password change: Wed, 08 Nov 2017 15:10:09 CET

root@freenas:~ #  samba-tool gpo create Test-Object -U Administrator
Password for [TEST\Administrator]:
ERROR(runtime): uncaught exception - (-1073741811, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 1000, in run
    conn.set_acl(sharepath, fs_sd, sio)

Kind regards,
Patrick

DC.png (110 KB) Patrick M. Hausen, 11/08/2017 06:23 AM

Related issues

Is duplicate of FreeNAS - Bug #28932: Set correct parameters for domain controller role (Done)

History

#2 Updated by Bonnie Follweiler almost 3 years ago

  • Assignee changed from Release Council to William Grzybowski

#3 Updated by William Grzybowski almost 3 years ago

  • Assignee changed from William Grzybowski to John Hixson

#4 Updated by Dru Lavigne almost 3 years ago

  • Target version set to 11.1

#5 Updated by John Hixson almost 3 years ago

  • Status changed from Unscreened to Screened
  • Target version changed from 11.1 to 11.1-U1

#6 Updated by Ben Gadd almost 3 years ago

  • Assignee changed from John Hixson to Andrew Walker

#7 Updated by Dru Lavigne almost 3 years ago

  • Status changed from Screened to 15

Patrick: is this still an issue in 11.1? If so, please attach a debug from the 11.1 system.

#8 Updated by Patrick M. Hausen almost 3 years ago

  • File debug-freenas-20171219083256.tgz added

Fresh installation of 11.1 RELEASE:

[root@freenas ~]#  samba-tool gpo create Test-Object -U Administrator
Password for [TEST\Administrator]:
ERROR(runtime): uncaught exception - (-1073741811, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 1000, in run
    conn.set_acl(sharepath, fs_sd, sio)
[root@freenas ~]# ^C
[root@freenas ~]#

What precisely did you change that made you expect the problem to be fixed?

Kind regards,
Patrick

#9 Updated by Dru Lavigne almost 3 years ago

  • Status changed from 15 to Investigation
  • Assignee changed from Andrew Walker to John Hixson
  • Private changed from No to Yes

#10 Updated by Patrick M. Hausen over 2 years ago

Hi Dru and colleagues,

what I found with some search engine abuse seems like Samba fundamentally does not work with respect to group policies if the sysvol is on ZFS.
So I see two courses of action:
  • fix it in Samba and upstream the changes
  • work around the problem by using a UFS-formatted md device for the sysvol

I'm not involved in actual FreeNAS development, so this is of course entirely up to you. But the second option does look like a pretty ugly hack to me ;)

Kind regards,
Patrick

#11 Updated by Kris Moore over 2 years ago

  • Target version changed from 11.1-U1 to 11.2-BETA1

#12 Updated by Dru Lavigne over 2 years ago

  • Status changed from Investigation to Not Started

#13 Updated by Kris Moore over 2 years ago

  • Assignee changed from John Hixson to Timur Bakeyev
  • Priority changed from No priority to Nice to have
  • Target version changed from 11.2-BETA1 to 11.2-U2

#14 Updated by Timur Bakeyev over 2 years ago

  • Status changed from Not Started to Blocked
  • Reason for Blocked set to Need additional information

Need to verify current state of ACLs on SysVol and recent GPO patches.

#15 Updated by Patrick M. Hausen over 2 years ago

Any ETA for this? My wife's not-for-profit organisation bought a server for their office which has been sitting idle on the shelf since August 2017 due to this bug. It is a Windows-only environment, and the plan was to use FreeNAS as the DC, with server-based profiles and server-based home directories for all users - not going to work without group policies :(

Patrick

#16 Updated by Timur Bakeyev over 2 years ago

Hi, Patrick!

Sorry for the delay with this matter. There are issues both with xattr handling, on which I'm working now, and with GPO objects in Samba, patches for which are now being discussed on the Samba ML for inclusion into Samba 4.8. I can't give you definite dates right now, but I hope to finish at least the xattr stuff this week, and then it'll be clearer what is still missing.

#17 Updated by Patrick M. Hausen over 2 years ago

Thanks for the update! :)

#18 Updated by Andrew Walker over 2 years ago

Patrick M. Hausen wrote:

Thanks for the update! :)

Hi Patrick,
I just posted a patched generate_smb4_conf.py file in a separate bug ticket related to Samba DCs. https://redmine.ixsystems.com/issues/28932

The file resides on your system under /usr/local/libexec/nas/generate_smb4_conf.py

If you feel comfortable with it, try replacing that file on a test system, then provision a domain and try to edit group policies.

#19 Updated by Dru Lavigne over 2 years ago

  • Related to Bug #28932: Set correct parameters for domain controller role added

#20 Updated by Dru Lavigne over 2 years ago

  • File deleted (debug-freenas-20171219083256.tgz)

#21 Updated by Dru Lavigne over 2 years ago

  • Related to deleted (Bug #28932: Set correct parameters for domain controller role)

#22 Updated by Dru Lavigne over 2 years ago

  • Is duplicate of Bug #28932: Set correct parameters for domain controller role added

#23 Updated by Dru Lavigne over 2 years ago

  • Status changed from Blocked to Closed
  • Target version changed from 11.2-U2 to N/A
  • Private changed from Yes to No
  • Reason for Closing set to Duplicate Issue
  • Reason for Blocked deleted (Need additional information)

Patrick: closing this one out as the patch in the duplicate ticket should resolve this. If you get a chance to test it before release, please leave a comment in this ticket.
