Bug #7181

Unable to join Active Directory

Added by Dave Butwell almost 6 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
No priority
Assignee:
Erin Clark
Category:
OS
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

After configuring the CIFS server and Active Directory settings in the same way as I have on a 9.2.1.7 install I am unable to join or read from AD (member server join not DC). This happens on both a fresh 9.3 install and on an upgrade from 9.2.1.7 where it was working correctly before the upgrade.

Error dumped to console when starting the AD service:

Dec 13 13:17:21 fresh93 winbindd18131: [2014/12/13 13:17:21.707863, 0] ../source3/winbindd/winbindd_util.c:634(init_domain_list)
Dec 13 13:17:21 fresh93 winbindd18131: Could not fetch our SID - did we join?
Dec 13 13:17:21 fresh93 winbindd18131: [2014/12/13 13:17:21.708322, 0] ../source3/winbindd/winbindd.c:1240(winbindd_register_handlers)
Dec 13 13:17:21 fresh93 winbindd18131: unable to initialize domain list

After which the ix and winbind services stop gracefully and an error is displayed that the service could not be started. The standalone CIFS service seems to work fine, just the AD integration and authentication.

Associated revisions

Revision 47e4e182 (diff)
Added by John Hixson almost 6 years ago

Set a default port Ticket: #7181 Ticket: #7034

Revision 78a5ef44 (diff)
Added by John Hixson almost 6 years ago

Set a default port Ticket: #7181 Ticket: #7034

History

#1 Updated by Dave Butwell almost 6 years ago

  • File messages added

#2 Updated by Rickard Olsson almost 6 years ago

I think I have the same issue, although I have managed to get a little further.

[root@freenas] ~# service ix-pre-samba restart
Importing account for root...ok

Granted SeTakeOwnershipPrivilege to FREENAS\root
Granted SeBackupPrivilege to FREENAS\root
Granted SeRestorePrivilege to FREENAS\root

looks like it runs successfully, but it changes the smb4.conf file.

Before:

    idmap config *: backend = rid
    server role = member server
    netbios name = FREENAS
    workgroup = STOCKHOLM
    security = ADS
    realm = stockholm.domain.com

After:

    idmap config *: backend = tdb
    server role = standalone
    netbios name = FREENAS
    workgroup = STOCKHOLM
    security = user

Tested in 9.3 Release, latest nightly and 10 alpha - same behaviour. This used to work in a 9.2.x.

#3 Updated by Jordan Hubbard almost 6 years ago

  • Category set to 36
  • Assignee set to John Hixson
  • Target version set to Unspecified

#4 Updated by John Hixson almost 6 years ago

  • Status changed from Unscreened to Screened

Dave Butwell wrote:

After configuring the CIFS server and Active Directory settings in the same way as I have on a 9.2.1.7 install I am unable to join or read from AD (member server join not DC). This happens on both a fresh 9.3 install and on an upgrade from 9.2.1.7 where it was working correctly before the upgrade.

Error dumped to console when starting the AD service:

Dec 13 13:17:21 fresh93 winbindd18131: [2014/12/13 13:17:21.707863, 0] ../source3/winbindd/winbindd_util.c:634(init_domain_list)
Dec 13 13:17:21 fresh93 winbindd18131: Could not fetch our SID - did we join?
Dec 13 13:17:21 fresh93 winbindd18131: [2014/12/13 13:17:21.708322, 0] ../source3/winbindd/winbindd.c:1240(winbindd_register_handlers)
Dec 13 13:17:21 fresh93 winbindd18131: unable to initialize domain list

After which the ix and winbind services stop gracefully and an error is displayed that the service could not be started. The standalone CIFS service seems to work fine, just the AD integration and authentication.

It's failing when ix-activedirectory runs. I'd be interested in seeing /var/log/debug.log when trying to join as well. After I see that perhaps there will be a better idea of what's going on. Can you attach it please? You can also try joining from the CLI by doing this:

sh /etc/directoryservice/ActiveDirectory/ctl start

Perhaps that will spit out some errors if something is totally wrong.

#5 Updated by Jordan Hubbard almost 6 years ago

  • Status changed from Screened to 15

#6 Updated by Dave Butwell almost 6 years ago

Will try and get this done for you tomorrow - have been ill so no progress to date - sorry.

#7 Updated by Dave Butwell almost 6 years ago

  • File messages added
  • File debug.log added

Messages and debug.log from attempted join via GUI

#8 Updated by Dave Butwell almost 6 years ago

  • File messages added
  • File debug.log added
  • File putty.log added

messages, debug and shell output from 'sh /etc/directoryservice/ActiveDirectory/ctl start'

#9 Updated by John Hixson almost 6 years ago

Dave Butwell wrote:

messages, debug and shell output from 'sh /etc/directoryservice/ActiveDirectory/ctl start'

Looking at your putty.log, the net ads join is failing due to -p having no argument. This means the DC port is missing. Can you attach your /etc/directoryservice/ActiveDirectory/config file to this ticket? If you'd rather not disclose that on the internet, you can send it to my email as well ().

#10 Updated by Dave Butwell almost 6 years ago

  • File config added

config file attached - there is no dc_port specified in it.

The dc listed - dc.loki.local - is actually a DNS record that points to the domain loki.local and so resolves to all dc's. This is to prevent authentication issues where the samba server binds to a named dc and that dc is offline. I have retested with a real dc name in for completeness, but the result is the same - no dc_port in the config file and a failed bind.
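
The defect John and Dave narrow down in comments #9 and #10 is a config file with no dc_port, which produced a `net ads join -p` with nothing after the `-p`. The following is an added example (not FreeNAS code, and not the fix in revisions 47e4e182/78a5ef44) of how a join-command builder can be made safe against that: it parses a constructed key=value config, falls back to an assumed default port when dc_port is absent or empty, validates the value, and never emits an option without its argument. The key names other than dc_port, the 389 default, and the `-S`/`-U` options are assumptions.

```python
# Added example, not FreeNAS's own code. Builds a `net ads join` argv from an
# ActiveDirectory config and guarantees `-p` always carries a port.

# Constructed sample config in key=value form (assumed shape; only the
# dc_port key name comes from the ticket). Note: no dc_port line at all.
SAMPLE_CONFIG_NO_PORT = """\
domainname=loki.local
dc_name=dc.loki.local
bindname=joinuser
"""
SAMPLE_CONFIG_WITH_PORT = SAMPLE_CONFIG_NO_PORT + "dc_port=636\n"

DEFAULT_DC_PORT = 389  # assumption: plain LDAP to the DC


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def dc_port(cfg):
    """Validated DC port; missing or empty dc_port falls back to the default."""
    value = cfg.get("dc_port", "")
    if not value:
        return DEFAULT_DC_PORT
    port = int(value)  # raises ValueError on non-numeric junk
    if not 1 <= port <= 65535:
        raise ValueError("dc_port out of range: %r" % value)
    return port


def build_join_argv(cfg):
    """argv for `net ads join`; every option is emitted with its argument."""
    argv = ["net", "ads", "join", "-p", str(dc_port(cfg))]
    dc = cfg.get("dc_name", "")
    if dc:
        argv += ["-S", dc]   # named DC pins the join to that host
    # no dc_name: omit -S and let Samba locate a DC for the realm itself
    argv += ["-U", cfg["bindname"]]
    return argv
```

Omitting `-S` when no DC is configured is the path that avoids the single-DC dependency Dave describes later in the thread; a pinned `-S dc.loki.local` still ties the join to whatever that name resolves to.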

#11 Updated by John Hixson almost 6 years ago

Dave Butwell wrote:

config file attached - there is no dc_port specified in it.

The dc listed - dc.loki.local - is actually a DNS record that points to the domain loki.local and so resolves to all dc's. This is to prevent authentication issues where the samba server binds to a named dc and that dc is offline. I have retested with a real dc name in for completeness, but the result is the same - no dc_port in the config file and a failed bind.

Can you try the latest update and confirm if it fixes your problem?

#12 Updated by Jordan Hubbard almost 6 years ago

Note: Your Build setting should be FreeNAS-9.3-STABLE-201412301712

#13 Updated by Dave Butwell almost 6 years ago

Jordan - just applied the update and will test in a moment. Just working around a new 'feature' of the latest build - not all DHCP parameters are applied anymore, the gateway and name servers seem to be ignored.

#14 Updated by Dave Butwell almost 6 years ago

  • File debug.log added
  • File messages added

Don't think I am getting much further :( GUI join.

#15 Updated by Dave Butwell almost 6 years ago

  • File config added
  • File debug.log added
  • File messages added
  • File putty.log added

CLI join

#16 Updated by Dave Butwell almost 6 years ago

OK so changing my DC from the DNS alias to a real DC (and a reboot of the NAS) allows for a good join. Just testing how it handles the named DC being offline.

#17 Updated by Dave Butwell almost 6 years ago

As expected (sadly) after a NAS reboot with the named DC down AD integration fails to start - it should go to another DC in the domain.

#18 Updated by Jordan Hubbard almost 6 years ago

  • Status changed from 15 to Unscreened

OK, back to John. Please open a new bug report for the other issues observed regarding DHCP - rolling too many issues into one bug report is a good way of ensuring that at least some of those issues get lost. :( Thanks.

#19 Updated by John Hixson almost 6 years ago

  • Status changed from Unscreened to Screened

#20 Updated by John Hixson almost 6 years ago

  • Status changed from Screened to 15

Dave Butwell wrote:

As expected (sadly) after a NAS reboot with the named DC down AD integration fails to start - it should go to another DC in the domain.

So, just to confirm, if you hard set the DC value, everything works as expected, but if it's left empty, it fails?

#21 Updated by Dave Butwell almost 6 years ago

So I hadn't tried with no DC specified - just testing that now. The join works and authenticates against DC01. I have just shut down that DC and am rebooting the NAS to see if it fails over to the next available DC (DC02).

#22 Updated by Dave Butwell almost 6 years ago

As before - when the DC that it originally joined against is down it fails to use another available DC. This is why I originally had an alias record in DNS (dc.loki.local) which resolved to loki.local causing all of the DCs to be listed in the response. When one failed to respond it simply moves onto the next IP so NAS reboots (effectively a 'fresh' join) and authentication requests can continue provided at least one DC remains up.

In brief a join to the domain name or to a named DC will work correctly (9.3 build released Dec 31) but this creates a dependency on a specific DC being available from then on.

#23 Updated by Dave Butwell almost 6 years ago

Could this now be similar behaviour to that experienced in Bug #7326?

#24 Updated by John Hixson almost 6 years ago

  • Status changed from 15 to Screened
  • Priority changed from Nice to have to No priority
  • Target version changed from Unspecified to 49

#25 Updated by Jordan Hubbard over 4 years ago

  • Assignee changed from John Hixson to Wojciech Kloska

#26 Updated by Jordan Hubbard over 4 years ago

  • Assignee changed from Wojciech Kloska to Erin Clark

#27 Updated by Erin Clark over 4 years ago

Are you still having this problem? Have you tried 9.10 to see if it helps?

#28 Updated by Dave Butwell over 4 years ago

Erin,

Didn't know this was still open. All is good with the world in 9.10. It was actually fixed somewhen in 9.3 but I can't remember when.

Cheers,

Dave

#29 Updated by Erin Clark over 4 years ago

  • Status changed from Screened to Resolved

Well hot dog, closing ticket

#30 Updated by Kris Moore over 3 years ago

  • Target version changed from 49 to N/A

#31 Updated by Dru Lavigne almost 3 years ago

  • File deleted (messages)

#32 Updated by Dru Lavigne almost 3 years ago

  • File deleted (messages)

#33 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug.log)

#34 Updated by Dru Lavigne almost 3 years ago

  • File deleted (messages)

#35 Updated by Dru Lavigne almost 3 years ago

  • File deleted (putty.log)

#36 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug.log)

#37 Updated by Dru Lavigne almost 3 years ago

  • File deleted (config)

#38 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug.log)

#39 Updated by Dru Lavigne almost 3 years ago

  • File deleted (messages)

#40 Updated by Dru Lavigne almost 3 years ago

  • File deleted (config)

#41 Updated by Dru Lavigne almost 3 years ago

  • File deleted (messages)

#42 Updated by Dru Lavigne almost 3 years ago

  • File deleted (putty.log)

#43 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug.log)
