Bug #72745

Fix error messages during boot that are caused by checking the "Unix Extensions" checkbox in AD

Added by John Clendenen almost 3 years ago. Updated over 2 years ago.

Status: Done
Priority: No priority
Assignee: Andrew Walker
Category: Services
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

tldr: My FreeNAS server is bound to AD and I get an sssd error during boot. I am using ad backend, so shouldn't need sssd.

generate_sssd_conf.py throws AttributeError: 'dict' object has no attribute 'netbiosname'

A possible fix is here: https://forums.freenas.org/index.php?threads/ad-join-with-subdomains-not-working.58087/

Can this fix be implemented or sssd disabled, since I am not using it? Also, if you guys can give us some idea of where we are with sssd support, I am unclear as to whether it is supported/recommended in FreeNAS.


I am working on binding FreeNAS to a Samba4 AD DC. I have it working using ad idmap backend, but am getting an sssd error during boot.

Traceback (most recent call last):
  File "/usr/local/libexec/nas/generate_sssd_conf.py", line 907, in <module>
    main()
  File "/usr/local/libexec/nas/generate_sssd_conf.py", line 899, in main
    add_activedirectory_section(client, sc)
  File "/usr/local/libexec/nas/generate_sssd_conf.py", line 744, in add_activedirectory_section
    ad_cookie = ad.netbiosname
AttributeError: 'dict' object has no attribute 'netbiosname'
/etc/rc: WARNING: /usr/local/etc/sssd/sssd.conf is not readable.
/etc/rc: WARNING: failed precmd routine for sssd

I didn't realize sssd was even in FreeNAS, so I looked into it and I can't figure out if this is a relic of FreeIPA support in Corral or if it's something that's being actively maintained.

This ticket seems to indicate that it is abandoned:

https://redmine.ixsystems.com/issues/9812

This ticket seems to indicate that it is backlogged:

https://redmine.ixsystems.com/issues/23485

This ticket seems to indicate that it might be on the radar for 11.3:

https://redmine.ixsystems.com/issues/39167

It is briefly mentioned in the docs:

https://www.ixsystems.com/documentation/freenas/11.2/directoryservices.html?highlight=sssd


Anyway, for this particular error:

AttributeError: 'dict' object has no attribute 'netbiosname'

I found a possible solution in the forum here:

https://forums.freenas.org/index.php?threads/ad-join-with-subdomains-not-working.58087/

Code:
--- /usr/local/libexec/nas/generate_sssd_conf.py.orig   2017-12-01 23:24:25.427771685 +0100
+++ /usr/local/libexec/nas/generate_sssd_conf.py        2017-12-01 23:44:18.678151850 +0100
@@ -741,7 +741,7 @@
     ad = client.call('notifier.directoryservice', 'AD')
     use_ad_provider = False

-    ad_cookie = ad.netbiosname
+    ad_cookie = ad['netbiosname']
     ad_domain = 'domain/%s' % ad_cookie

     ad_section = None
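
Review bot: `ad['netbiosname']` at line 744 raises KeyError when the key is absent from the dict returned by `client.call('notifier.directoryservice', 'AD')`, so the script would still die with a traceback in the sssd precmd at boot, only with a different exception. Consider `ad.get('netbiosname')` and returning early from add_activedirectory_section, without adding an AD domain section, when the value is empty, since `ad_cookie` is interpolated straight into `'domain/%s'`.
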
@@ -779,7 +779,7 @@

     __, hostname, __ = os.uname()[0:3]

-    if ad.keytab_file and ad.keytab_principal:
+    if ad['keytab_file'] and ad['keytab_principal']:
         use_ad_provider = True

     if use_ad_provider:
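
Review bot: the keytab test at line 782 indexes two fields that are only checked for truthiness, which suggests they can be unset; if either key is missing from the dict, the `if` raises KeyError instead of leaving `use_ad_provider` False. `if ad.get('keytab_file') and ad.get('keytab_principal'):` keeps the falsy-means-no-keytab behaviour this branch relies on.
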
@@ -791,7 +791,7 @@
                 d[key] = 'ad'

         ad_section.ad_hostname = hostname
-        ad_section.ad_domain = ad.domainname
+        ad_section.ad_domain = ad['domainname']
         ad_section.ldap_id_mapping = False

     for d in ad_defaults:
@@ -827,12 +827,12 @@
 #        ad_section.krb5_canonicalize = 'false'

     else:
-        ad_section.ldap_uri = "ldap://%s" % ad.dchost
-        ad_section.ldap_search_base = ad.basedn
+        ad_section.ldap_uri = "ldap://%s" % ad['dchost']
+        ad_section.ldap_search_base = ad['basedn']

-        ad_section.ldap_default_bind_dn = ad.binddn
+        ad_section.ldap_default_bind_dn = ad['binddn']
         ad_section.ldap_default_authtok_type = 'password'
-        ad_section.ldap_default_authtok = ad.bindpw
+        ad_section.ldap_default_authtok = ad['bindpw']

     sc[ad_domain] = ad_section
     sc['sssd'].add_domain(ad_cookie)
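
Review bot: the else branch (no keytab) still builds `"ldap://%s" % ad['dchost']` and sets `ldap_default_authtok_type = 'password'` with `ad['bindpw']`, so the bind account's password is written in clear text into the generated sssd.conf and paired with a plain `ldap://` URI. This is not introduced by the patch, but it is worth addressing while these lines are being touched: use an `ldaps://` URI or require StartTLS for the bind, and make sure the generated file is readable by root only.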

They were asked to post a ticket about it, but if they did, I didn't find it (apologies if I overlooked it).


Related issues

Related to FreeNAS - Bug #72984: Fix SSSD ldb error (Done)

History

#1 Updated by John Clendenen almost 3 years ago

I have discovered that the `UNIX extensions` checkbox in the directory services gui is what was triggering sssd to initialize during boot. I may be mistaken here because most of my experience is with linux/bsd/samba and not Windows Server, but it was my experience that the terminology 'unix extensions' in AD indicated rfc 2307 and not sssd (in fact, I believe it's being deprecated). Initially, I did find it odd that it was an option additional to rfc2307, but after reading the guid description:

Only set if the AD server is explicitly configured to map permissions for UNIX users. Setting provides persistent UIDs and GUIDs. Leave unset to map users and groups to the UID or GUID range configured in Samba.

I was more reassured that it referred to rfc2307.

Anyway, after disabling it, I no longer get the sssd error on boot. However, I am still curious about future sssd support.

#2 Updated by Dru Lavigne almost 3 years ago

#3 Updated by Dru Lavigne almost 3 years ago

  • Assignee changed from Release Council to Andrew Walker

#4 Updated by William Grzybowski almost 3 years ago

  • Target version changed from Backlog to 11.2-U3

#5 Updated by Andrew Walker almost 3 years ago

Fixing the tracebacks for U3. This feature should actually not be used. If the AD domain has RFC2307 extensions, then an appropriate winbind idmap backend should be selected (i.e. "ad" or "rfc2307").

#6 Updated by Bug Clerk almost 3 years ago

  • Status changed from Unscreened to In Progress

#8 Updated by Dru Lavigne almost 3 years ago

  • Subject changed from SSSD Error During Boot to Fix error messages during boot that are caused by checking the "Unix Extensions" checkbox in AD

#10 Updated by Dru Lavigne over 2 years ago

  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#11 Updated by Zackary Welch over 2 years ago

  • Status changed from Ready for Testing to Passed Testing
  • Needs QA changed from Yes to No

Confirmed fixed in 11.2-U3.

#12 Updated by Bonnie Follweiler over 2 years ago

Assigned to Zackary

#13 Updated by Dru Lavigne over 2 years ago

  • Status changed from Passed Testing to Done
