Bug #27898

Active Directory integration broken if domain name contains more than 2 domain name parts like "sub.domain.etx"

Added by Peter NESWAL over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
No priority
Assignee:
Timur Bakeyev
Category:
OS
Target version:
Seen in:
Severity:
New
Reason for Closing:
User Configuration Error
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

MB:
Supermicro H8SCM-F
MEM:
32GB ECC
CPU:
Opteron 4334
NET:
2x Intel 82574L 1GBE (onboard)
2x Mellanox Connect X-2 10GBE
BOOT Device:
1 x HW Raid 1 (2x64GB SSD) on SATA
SSD:
4 x 240GB NVME/PCIe x4
HDD:
10x 2TB WD Gold
SAS Controller:
1x LSI 9211-4i (Firmware: IT/P20)
SAS Expander:
1x RES2SV240NC

ChangeLog Required:
No

Description

If the Active Directory domain is not "domain.ext" but something like "sub.domain.ext", domain integration is broken.

Note: No problem joining with FreeNAS-9.10.2-U6; the same config works without problems!

Trying to join "sub.domain.ext":

It seems that, at least partly, during the configuration/join process only "domain.ext" is recognized but not "sub.domain.ext".
Errors when trying to join a member server:

Jan 22 14:15:23 fvi-sst-10001 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Jan 22 14:15:24 fvi-sst-10001 ActiveDirectory: /usr/sbin/service ix-hostname quietstart
Jan 22 14:15:24 fvi-sst-10001 ActiveDirectory: /usr/sbin/service ix-kerberos quietstart default SUB.DOMAIN.EXT
Jan 22 14:15:25 fvi-sst-10001 ActiveDirectory: /usr/sbin/service ix-nsswitch quietstart
Jan 22 14:15:26 fvi-sst-10001 ActiveDirectory: /usr/sbin/service ix-ldap quietstart
Jan 22 14:15:26 fvi-sst-10001 ActiveDirectory: /usr/sbin/service ix-kinit quietstart
Jan 22 14:15:28 fvi-sst-10001 ActiveDirectory: /usr/sbin/service ix-kinit status
Jan 22 14:15:28 fvi-sst-10001 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Jan 22 14:15:34 fvi-sst-10001 ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
Jan 22 14:15:36 fvi-sst-10001 ActiveDirectory: /usr/sbin/service ix-activedirectory status
Jan 22 14:15:38 fvi-sst-10001 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Jan 22 14:15:39 fvi-sst-10001 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Jan 22 14:15:45 fvi-sst-10001 ActiveDirectory: /usr/sbin/service ix-pam quietstart
Jan 22 14:15:47 fvi-sst-10001 ActiveDirectory: /usr/sbin/service ix-cache quietstart &
Jan 22 14:15:51 fvi-sst-10001 /cachetool.py: [common.freenasusers:335] Directory Users could not be retrieved: {'desc': 'Referral', 'info': 'Referral:\nldap://domain.ext/DC=domain,DC=ext'}
Traceback (most recent call last):
  File "/usr/local/www/freenasUI/common/freenasusers.py", line 332, in __init__
    self.__users = dir(**kwargs)
  File "/usr/local/www/freenasUI/common/freenasldap.py", line 2594, in __init__
    self.__get_users()
  File "/usr/local/www/freenasUI/common/freenasldap.py", line 2697, in __get_users
    ad_users = self.get_users()
  File "/usr/local/www/freenasUI/common/freenasldap.py", line 2187, in get_users
    self.dchandle, self.basedn, scope, filter, self.attributes
  File "/usr/local/www/freenasUI/common/freenasldap.py", line 1848, in _search
    clientctrls, timeout, sizelimit
  File "/usr/local/www/freenasUI/common/freenasldap.py", line 428, in _search
    id, resp_ctrl_classes=paged_ctrls
  File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.
Jan 22 14:15:51 fvi-sst-10001 /cachetool.py: py", line 714, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 721, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 294, in _ldap_call
    result = func(*args,**kwargs)
ldap.REFERRAL: {'desc': 'Referral', 'info': 'Referral:\nldap://domain.ext/DC=domain,DC=ext'}
Jan 22 14:15:51 fvi-sst-10001 /cachetool.py: [common.freenasusers:217] Directory Groups could not be retrieved: {'desc': 'Referral', 'info': 'Referral:\nldap://domain.ext/DC=domain,DC=ext'}

After the join the UI shows "enabled" and klist shows a valid Kerberos ticket, but calling "wbinfo" returns errors:

[root@fvi-sst-10001 ~]# wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users
[root@fvi-sst-10001 ~]# wbinfo -g
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
Error looking up domain groups

History

#1 Updated by Dru Lavigne over 2 years ago

  • Assignee changed from Release Council to Timur Bakeyev
  • Target version set to 11.2-BETA1
  • Private changed from No to Yes
  • Seen in changed from 11.1-U1 to 11.1-U1

Peter: please attach a debug to this ticket: System -> Advanced -> Save Debug.

#2 Updated by Peter NESWAL over 2 years ago

  • File debug-fvi-sst-10001-20180122210950.tgz added

#3 Updated by Dru Lavigne over 2 years ago

  • Status changed from Unscreened to Not Started

#4 Updated by Timur Bakeyev over 2 years ago

  • Status changed from Not Started to Closed
  • Target version changed from 11.2-BETA1 to N/A
  • Reason for Closing set to User Configuration Error

Hi, Peter!

Luckily, FN works fine with multiple levels of domain names, so your problem lies somewhere else.

The error message you see is the result of the presence of a referral to another resource in the LDAP output, and FN is configured not to follow referrals. You MAY try to enable following them by adding the line FREENAS_LDAP_REFERRALS=1 at the very end of the file /etc/directoryservice/rc.LDAP and check whether that error disappears.

But all that shouldn't be relevant to the problem with joining your domain. In the smb4.conf I see:

    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
...
    idmap config 1V-ITMS: backend = rid
    idmap config 1V-ITMS: range = 90000001-100000000
...
    log level = 1
    idmap config 1V-ROOT: backend = rid
    idmap config 1V-ROOT: range = 50000-59999

That's a broken configuration and is not supposed to work. I'm wondering how you could even start the Samba service with such a config set, as it won't let you start the service:

# testparm -vs > /dev/null
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[one]" 
Loaded services file OK.
ERROR: The idmap range for the domain * (tdb) overlaps with the range of 1V-ITMS (rid)!

Server role: ROLE_DOMAIN_MEMBER

The bad news here is that your SID mappings are entirely broken now and the best thing you can do is to start from scratch.

You can consult the #26479 ticket for the right sequence of resetting IDMAPs.

So, keep in mind: you can't have overlapping IDMAP ranges for any of the backends. Also, it seems that you are manually adding yet another IDMAP range for the 1V-ROOT domain; such a configuration is not supported by FN. If you really need to do something like this, I'd advise you to use the autorid backend instead for all the domains. See: http://samba.org.ru/samba/docs/man/manpages/idmap_autorid.8.html

But again, that's officially not supported.
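The overlap rule stated in the comment above (no two idmap backends may share any part of their ID range) is exactly what testparm enforces. The following is an added example, not FreeNAS or Samba code: it parses the `idmap config <domain>: <key> = <value>` lines out of an smb.conf-style text and reports every pair of domains whose ranges overlap, using the same error wording testparm printed in this ticket. The sample config is constructed from the snippet quoted in the comment (with a `[global]` header assumed); the "fixed" variant is likewise a constructed illustration of non-overlapping ranges, not a recommended production layout.

```python
"""Detect overlapping Samba idmap ranges in an smb.conf-style text.

Added illustration only: not FreeNAS middleware code and not Samba's
own testparm. It reproduces one of testparm's checks so a config can be
sanity-checked before winbind ever starts.
"""
import re
from typing import Dict, List, Tuple

# Matches lines such as "    idmap config 1V-ITMS: range = 50000-59999".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)

# Constructed sample built from the ranges quoted in the ticket.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = 1V-ITMS
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    idmap config 1V-ITMS: backend = rid
    idmap config 1V-ITMS: range = 90000001-100000000
    log level = 1
    idmap config 1V-ROOT: backend = rid
    idmap config 1V-ROOT: range = 50000-59999
"""

# Constructed counter-example: the same domains with disjoint ranges.
FIXED_SMB_CONF = """\
[global]
    workgroup = 1V-ITMS
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    idmap config 1V-ITMS: backend = rid
    idmap config 1V-ITMS: range = 100000001-110000000
    idmap config 1V-ROOT: backend = rid
    idmap config 1V-ROOT: range = 50000-59999
"""


def parse_idmap(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Collect per-domain idmap settings: {"1V-ITMS": {"backend": "rid", "range": "..."}}."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower()] = val
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Turn "50000-59999" into (50000, 59999), rejecting an inverted range."""
    lo, hi = (int(part) for part in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"invalid idmap range {text!r}: low end is above high end")
    return lo, hi


def check_smb_conf(conf_text: str) -> List[str]:
    """Return one error string per problem found; an empty list means the ranges are sane."""
    errors: List[str] = []
    ranges: Dict[str, Tuple[Tuple[int, int], str]] = {}
    for dom, cfg in parse_idmap(conf_text).items():
        if "range" not in cfg:
            errors.append(f"idmap config {dom}: no range configured")
            continue
        ranges[dom] = (parse_range(cfg["range"]), cfg.get("backend", "?"))

    # Two closed intervals overlap when each one starts no later than the other ends.
    names = sorted(ranges)
    for i, a in enumerate(names):
        (alo, ahi), abackend = ranges[a]
        for b in names[i + 1:]:
            (blo, bhi), bbackend = ranges[b]
            if alo <= bhi and blo <= ahi:
                errors.append(
                    f"The idmap range for the domain {a} ({abackend}) "
                    f"overlaps with the range of {b} ({bbackend})!"
                )
    return errors


if __name__ == "__main__":
    for label, conf in (("ticket config", SAMPLE_SMB_CONF), ("disjoint config", FIXED_SMB_CONF)):
        problems = check_smb_conf(conf)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  ERROR:", problem)
```

Run against the ticket's ranges the checker flags the `*` (tdb) / `1V-ITMS` (rid) pair, which is the line testparm printed above; the disjoint variant passes. The pairwise loop is deliberate: overlap is a property of every pair of backends, so a fresh domain stanza added by hand (as with `1V-ROOT` here) is checked against the default `*` range as well as the primary domain.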

#5 Updated by Dru Lavigne over 2 years ago

  • File deleted (debug-fvi-sst-10001-20180122210950.tgz)

#6 Updated by Dru Lavigne over 2 years ago

  • Private changed from Yes to No
