
Bug #56751

Validate AD config file before trying to configure Kerberos

Added by Ocular Insanity about 2 years ago. Updated almost 2 years ago.

Status:
Done
Priority:
No priority
Assignee:
Andrew Walker
Category:
Services
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Hi

As per the documentation https://doc.freenas.org/11.2/directoryservice.html#if-the-system-will-not-join-the-domain I am lodging this bug around the service ix-kerberos not starting.

root@tank:~ #  host -t srv _ldap._tcp.domain
_ldap._tcp.domain has SRV record 0 100 389 dc02.domain.
_ldap._tcp.domain has SRV record 0 100 389 dc03.domain.
_ldap._tcp.domain has SRV record 0 100 389 dc01.domain.
root@tank:~ # sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;" 
root@tank:~ # echo $?
0
root@tank:~ # service ix-kerberos start
ERROR: {'desc': "Can't contact LDAP server", 'errno': 57, 'info': 'Socket is not connected'}

Traceback (most recent call last):
  File "/usr/local/libexec/nas/generate_krb5_conf.py", line 549, in <module>
    main()
  File "/usr/local/libexec/nas/generate_krb5_conf.py", line 480, in main
    timeout=fs().directoryservice.kerberos.timeout.start))
  File "/usr/local/lib/python3.6/site-packages/middlewared/client/client.py", line 447, in call
    raise CallTimeout("Call timeout")
middlewared.client.client.CallTimeout: Call timeout

I am suspecting this is more of a troubleshooting issue than a bug... but I'm following the documentation.


Related issues

Copied to FreeNAS - Bug #58788: Validate AD config file before trying to configure Kerberos (Done)

History

#1 Updated by Dru Lavigne about 2 years ago

  • Private changed from No to Yes
  • Reason for Blocked set to Need additional information from Author

Ocular: please attach a debug (System -> Advanced -> Save debug) to this ticket.

#2 Updated by Ocular Insanity about 2 years ago

  • File debug.tgz added

Please see attached as requested.

#3 Updated by Dru Lavigne about 2 years ago

  • Category changed from Middleware to Services
  • Assignee changed from Release Council to William Grzybowski
  • Reason for Blocked deleted (Need additional information from Author)

#4 Updated by William Grzybowski about 2 years ago

  • Assignee changed from William Grzybowski to Andrew Walker

Andrew, I see many DNS errors in the logs, can you verify if there is something left on our side here, please?

#5 Updated by Ocular Insanity about 2 years ago

If this helps, I ended up rebuilding my domain (it's small, not a huge effort) from scratch and it still has the same errors.
As far as DNS goes, the primary DNS set in the Global Config is pointing to two of the AD DCs.

#6 Updated by Andrew Walker about 2 years ago

Can you please try the following:

rm /etc/directoryservice/ActiveDirectory/config
service ix-kerberos start

#7 Updated by Bug Clerk about 2 years ago

  • Status changed from Unscreened to In Progress

#8 Updated by Ocular Insanity about 2 years ago

  • File debug (1).tgz added

Same issue.
Debug log attached.

#9 Updated by Andrew Walker about 2 years ago

Okay, now I see the following in your output:

Nov 13 15:30:01 anita /adtool: [common.freenasldap:1165] FreeNAS_ActiveDirectory_Base.get_SRV_records: looking up SRV records for _ldap._tcp.dc._msdcs.kaos.erebusnyx.net
Nov 13 15:31:16 anita /adtool: [common.freenasldap:1165] FreeNAS_ActiveDirectory_Base.get_SRV_records: looking up SRV records for _kerberos._tcp.kaos.erebusnyx.net
Nov 13 15:32:31 anita /adtool: [common.freenasldap:1165] FreeNAS_ActiveDirectory_Base.get_SRV_records: looking up SRV records for _kpasswd._tcp.kaos.erebusnyx.net
Nov 13 15:33:46 anita /adtool: [common.freenasldap:132] FreeNAS_LDAP_Directory.__init__: enter
Nov 13 15:33:46 anita /adtool: [common.frenascache:307] FreeNAS_LDAP_QueryCache.__init__: enter
Nov 13 15:33:46 anita /adtool: [common.frenascache:89] FreeNAS_BaseCache._init__: enter
Nov 13 15:33:46 anita /adtool: [common.frenascache:110] FreeNAS_BaseCache._init__: cachedir = /var/tmp/.cache/.query
Nov 13 15:33:46 anita /adtool: [common.frenascache:113] FreeNAS_BaseCache._init__: cachefile = /var/tmp/.cache/.query/.cache.db
Nov 13 15:33:46 anita /adtool: [common.frenascache:115] FreeNAS_BaseCache._init__: leave
Nov 13 15:33:46 anita /adtool: [common.frenascache:315] FreeNAS_LDAP_QueryCache.__init__: leave
Nov 13 15:33:46 anita /adtool: [common.freenasldap:178] FreeNAS_LDAP_Directory.__init__: host = claudia.kaos.erebusnyx.net, port = 389, binddn = administrator@KAOS.EREBUSNYX.NET, basedn = None, ssl = off
Nov 13 15:33:46 anita /adtool: [common.freenasldap:180] FreeNAS_LDAP_Directory.__init__: leave
Nov 13 15:33:46 anita /adtool: [common.freenasldap:278] FreeNAS_LDAP_Directory.open: enter
Nov 13 15:33:46 anita /adtool: [common.freenasldap:285] FreeNAS_LDAP_Directory.open: uri = ldap://claudia.kaos.erebusnyx.net:389
Nov 13 15:33:46 anita /adtool: [common.freenasldap:288] FreeNAS_LDAP_Directory.open: initialized
Nov 13 15:33:46 anita /adtool: [common.freenasldap:328] FreeNAS_LDAP_Directory.open: trying to bind
Nov 13 15:33:46 anita /adtool: [common.freenasldap:233] FreeNAS_LDAP_Directory.open: (authenticated bind) trying to bind to claudia.kaos.erebusnyx.net:389
Nov 13 15:35:01 anita /adtool: [common.freenasldap:336] FreeNAS_LDAP_Directory.open: could not bind to claudia.kaos.erebusnyx.net:389 ({'desc': "Can't contact LDAP server", 'errno': 57, 'info': 'Socket is not connected'})

We look up SRV records for ldap servers for _ldap._tcp.dc._msdcs.kaos.erebusnyx.net and get a response from DNS for the host claudia.kaos.erebusnyx.net. We then fail to bind to that host, and so we're still failing to generate a config file. Unfortunately, this is a required step for getting a kerberos ticket.

I recommend closely reviewing your DNS configuration, and looking for anything that might be preventing us from performing LDAP queries on the DCs in question.

#10 Updated by Ocular Insanity about 2 years ago

FreeNAS has the following set in the global config for networking:

Nameserver1: 10.254.254.66
Nameserver2: 10.254.254.67

claudia.kaos.erebusnyx.net, which is a DC, has the IP address 10.254.254.66. raina.kaos.erebusnyx.net has the IP 10.254.254.67. Both are Global Catalogs and both are running MS DNS.

And as I wrote this and looked into my Global Config, I saw I had entries in the host name database... sigh.

Thank you. That was the issue. Thank you for your time and I apologise for wasting it.

I appreciate it.
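The failure described in #9 and the root cause found in #10 (a static host name database entry taking precedence over DNS for a DC name) can be caught before Kerberos configuration is attempted. The following pre-flight check is an added example, not FreeNAS code: it parses `host -t srv` output and an /etc/hosts-style table and reports DC names whose static address disagrees with DNS. The sample data is constructed; the stale address 10.254.254.9 is hypothetical.

```python
"""Added example, not FreeNAS code: pre-flight check for the failure in this ticket.

The resolver consults /etc/hosts before DNS, so a stale static entry for a DC name
sends the LDAP bind (and therefore Kerberos config generation) to the wrong address
even though the SRV lookup itself succeeds. Sample data below is constructed; the
stale 10.254.254.9 address is hypothetical.
"""

def parse_hosts(text):
    """Parse /etc/hosts-style text into {hostname(lower): ip}; comments are ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table

def parse_srv_answers(lines):
    """Parse `host -t srv` output into (priority, weight, port, target) tuples."""
    records = []
    marker = " has SRV record "
    for line in lines:
        if marker not in line:
            continue
        prio, weight, port, target = line.split(marker, 1)[1].split()[:4]
        records.append((int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return sorted(records)  # lowest priority first, the order a client would try them

def shadowed_dcs(srv_records, hosts_table, dns_answers):
    """Return (target, static_ip, dns_ip) for DCs whose hosts entry disagrees with DNS."""
    problems = []
    for _, _, _, target in srv_records:
        static_ip, dns_ip = hosts_table.get(target), dns_answers.get(target)
        if static_ip and dns_ip and static_ip != dns_ip:
            problems.append((target, static_ip, dns_ip))
    return problems

# Constructed sample resembling the ticket: DNS is right, /etc/hosts has a stale line.
SAMPLE_HOSTS = """127.0.0.1 localhost
10.254.254.9 claudia.kaos.erebusnyx.net claudia  # stale (hypothetical) address
"""
SAMPLE_SRV = [
    "_ldap._tcp.dc._msdcs.kaos.erebusnyx.net has SRV record 0 100 389 claudia.kaos.erebusnyx.net.",
    "_ldap._tcp.dc._msdcs.kaos.erebusnyx.net has SRV record 0 100 389 raina.kaos.erebusnyx.net.",
]
SAMPLE_DNS = {"claudia.kaos.erebusnyx.net": "10.254.254.66",
              "raina.kaos.erebusnyx.net": "10.254.254.67"}

def preflight(srv_lines=SAMPLE_SRV, hosts_text=SAMPLE_HOSTS, dns_answers=SAMPLE_DNS):
    """Run the check; an empty list means it is safe to proceed to Kerberos config."""
    return shadowed_dcs(parse_srv_answers(srv_lines), parse_hosts(hosts_text), dns_answers)
```

On a live system the `dns_answers` mapping would come from a direct query against the configured nameservers rather than `gethostbyname`, which would itself be answered by the shadowing hosts entry.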

#11 Updated by Ocular Insanity about 2 years ago

Forgot to add this - you can close this one out.

#12 Updated by Andrew Walker about 2 years ago

Ocular Insanity wrote:

Forgot to add this - you can close this one out.

No worries. Regardless, it was actually good that you posted this bug report because I found a way to reproduce your issue without the hosts entry.

#13 Updated by Dru Lavigne about 2 years ago

  • File deleted (debug.tgz)

#14 Updated by Dru Lavigne about 2 years ago

  • File deleted (debug (1).tgz)

#15 Updated by Dru Lavigne about 2 years ago

  • Target version changed from Backlog to TrueNAS 11.1-U6.2
  • Private changed from Yes to No

#16 Updated by Dru Lavigne about 2 years ago

#17 Updated by Dru Lavigne about 2 years ago

  • Subject changed from service ix-kerberos will not start to Validate AD config file before trying to configure Kerberos
  • Needs Doc changed from Yes to No

#18 Updated by Bug Clerk about 2 years ago

  • Status changed from In Progress to Ready for Testing

#19 Updated by Dru Lavigne about 2 years ago

  • Copied to Bug #58788: Validate AD config file before trying to configure Kerberos added

#20 Updated by Dru Lavigne about 2 years ago

  • Target version changed from TrueNAS 11.1-U6.2 to 11.1-U7

#21 Updated by Bug Clerk about 2 years ago

  • Status changed from Ready for Testing to In Progress

#22 Updated by Bug Clerk about 2 years ago

  • Status changed from In Progress to Ready for Testing

#23 Updated by Bug Clerk about 2 years ago

  • Target version changed from 11.1-U7 to 11.3

#24 Updated by Dru Lavigne about 2 years ago

  • Target version changed from 11.3 to 11.1-U7

#29 Updated by Bonnie Follweiler almost 2 years ago

  • Status changed from Ready for Testing to Passed Testing

Test Passed in FreeNAS-11.1-U7-INTERNAL6

#30 Updated by Dru Lavigne almost 2 years ago

  • Status changed from Passed Testing to Done
  • Needs QA changed from Yes to No
  • Needs Merging changed from Yes to No
