Bug #30678

Active Directory Service Failing II

Added by Michael Schefczyk over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
No priority
Assignee:
John Hixson
Category:
Services
Target version:
Seen in:
Severity:
Low Medium
Reason for Closing:
Not Applicable
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz, 65385MB Memory

ChangeLog Required:
No

Description

Dear All,

I find the issue & bug reported by Fraser Glynn (https://forums.freenas.org/index.php?threads/active-directory-service-keeps-failing.59797/#post-423882 and https://redmine.ixsystems.com/issues/27321) extremely real and I would be glad if I could determine where the user configuration error for which the previous ticket was closed might be located and how it can be resolved.

I have a SOHO LAN with 5 Domain Controllers, 2 x Windows Server 2012 R2 plus 3 x Windows Server 2016. Clients are Windows 10, Windows Server 2016, and Debian Stretch. I have been using two Freenas servers in the linux backend of our systems for a long time. I replaced two more user-facing Qnap servers with Freenas last month and the trouble started with SMB.

I see frequent directory recoveries. Almost always after root GUI logon, for example. Then, one often sees a blank password (instead of dots) in the directory GUI config and "Enable" unchecked. Then wbinfo -u does not work. Otherwise, SMB almost always works when a client computer is started fresh and fails sometime thereafter, even though wbinfo -u may be populated.

Kerberos Realms contains lists of all DCs in my network under KDC, Admin Server and Password Server. Is that OK? Getting tickets (kinit/klist) is never a problem.

Domain name is lastname.local. It has been that for years and it has been working with Qnap SMB for years.

I did try many combinations of settings, but it is plainly impossible to enumerate all combinations. Hence, where the documentation is not really rich, questions do remain. N.B. I did read a lot about samba, considering it as an alternative DC, until noticing that compatibility when using it as a DC basically ends at Windows Server 2008 R2 (plus Server 2012 as experimental).

Open questions on settings under directory:
- How many recovery attempts set to 0 - OK?
- Enable Monitoring is on. Keeping it off does not seem to be a sufficient workaround.
- Encryption Mode set to off. Is there best practice documentation available on encryption?
- Is it OK to leave user/group base, site name, domain controller and global catalog server empty, if Kerberos Realms contains everything? Otherwise one would have to pick one single DC, correct? I did try a single DC but it did not work better.
- AD and DNS timeout left at 60 - OK?
- Idmap backend rid at default - OK?
- Winbind NSS Info rfc2307 - OK?
- SASL wrapping seal - OK?

Is the NetBIOS Alias a significant setting under directory and/or service?

Open questions on settings under service:
- Charsets CP437 and UTF-8 OK?
- Allow Empty Password significant?
- NTLMv1 auth significant?
- Idmap Range significant?

I would like to use Kerberos Keytabs but the description in section 9.5 of the documentation does not work with my DCs.

I can send logs like log.nmbd, log.smbd, log.wb, log-winbindd from /var/log/samba4/ plus anything else which may be required. However, at verbose/debug logging levels, there is just a heavy load of information. I did not find the needle in the haystack, yet.

Are workarounds required, like mounting NFS on a Windows server and sharing from there, or is a solution possible?

Regards,

Michael


Related issues

Related to FreeNAS - Bug #33453: Fix unnecessary AD restarts caused by enabling service monitor (Done)

History

#1 Updated by Dru Lavigne over 2 years ago

  • Private changed from No to Yes
  • Reason for Blocked set to Need additional information

Michael: please attach a debug to this ticket (System -> Advanced -> Save Debug). The dev will need that to figure out what the issue is.

#2 Updated by Michael Schefczyk over 2 years ago

  • File debug-NAS1S10-20180326161450.tgz added

#3 Updated by Dru Lavigne over 2 years ago

  • Assignee changed from Release Council to Timur Bakeyev
  • Target version set to 11.2-RC2
  • Reason for Blocked deleted (Need additional information)

#4 Updated by Timur Bakeyev over 2 years ago

  • Severity set to Low Medium

#5 Updated by John Hixson over 2 years ago

  • Assignee changed from Timur Bakeyev to John Hixson

#6 Updated by John Hixson over 2 years ago

  • Status changed from Unscreened to Screened

#7 Updated by John Hixson over 2 years ago

  • Status changed from Screened to In Progress

Hi Michael,

Can you disable the AD monitoring and reboot and run with that configuration for a while and let me know if you see the same problems?

#8 Updated by Michael Schefczyk over 2 years ago

Hi John,

In the meantime, I did get the reliability to improve significantly to a high - just slightly below optimum - level.

AD monitoring is still on. The key seems to have been to disable unix extensions under directory as well as service. In addition, I did set 10 recovery attempts. I also did change SASL wrapping from seal to sign.

Is there anything else I should try?

How should I set the system when multiple DCs are present? At the moment, I did specify just one. This is problematic as SMB does not really work when rebooting that specific DC. Even short interruptions of DC connectivity seem to be significant. Am I safe to enter a list of DCs?

Regards,

Michael

#9 Updated by Dru Lavigne over 2 years ago

  • Related to Bug #33453: Fix unnecessary AD restarts caused by enabling service monitor added

#10 Updated by John Hixson over 2 years ago

  • Category changed from OS to Services

#11 Updated by Dru Lavigne over 2 years ago

  • Target version changed from 11.2-RC2 to 11.2-BETA3

#12 Updated by John Hixson over 2 years ago

  • Target version changed from 11.2-BETA3 to 11.2-U2

Since we have made several changes to the AD monitoring code, I'm punting this.

Michael, when we release BETA2, please give it a try since I believe you shouldn't have any more problems at that point.

As for the problem with having multiple DCs, that is something we will be looking at and target for 11.3.

#13 Updated by Dru Lavigne over 2 years ago

  • File deleted (debug-NAS1S10-20180326161450.tgz)

#14 Updated by Dru Lavigne over 2 years ago

  • Target version changed from 11.2-U2 to N/A
  • Private changed from Yes to No
  • Reason for Closing set to Not Applicable

Michael: I'll close this out for now. If you still experience this after updating to 11.2, attach a new debug to this ticket.

#15 Updated by Dru Lavigne over 2 years ago

  • Status changed from In Progress to Closed
