Bug #7400

Active Directory Failed to join domain

Added by Stephen Benson over 5 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Nice to have
Assignee:
John Hixson
Category:
OS
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

I have 9.2.7 running fine in my environment. Loaded 9.3 Stable and lost connectivity to my domain. Saw several bugs on this issue, so I updated to the latest stable version and tried again. I can ping the domain server. Added Windows shares and enabled CIFS. I can see the server and view the share via Windows, but can't authenticate. Trying to load the Active Directory service fails to start. I'm in mixed 2003/2008 mode and changed the GP info accordingly with no help. I followed the troubleshooting info and can see the SRV records for the domain controllers. I tried the manual commands at the bottom and receive the error below.

FreeNAS-9.3-STABLE-201412312006

Welcome to FreeNAS
[root@freenas] ~# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;"
[root@freenas] ~# echo $?
0
[root@freenas] ~# service ix-kerberos start
[root@freenas] ~# service ix-nsswitch start
[root@freenas] ~# service ix-kinit start
[root@freenas] ~# service ix-kinit status
[root@freenas] ~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued           Expires          Principal
Jan 5 15:24:57 Jan 6 01:24:57
[root@freenas] ~# python /usr/local/www/freenasUI/middleware/notifier.py start cifs
True
[root@freenas] ~# service ix-activedirectory start
False
Failed to leave domain: Unable to fetch domain sid: are we joined?
winbindd not running? (check /var/run/samba/winbindd.pid).
smbd not running? (check /var/run/samba/smbd.pid).
nmbd not running? (check /var/run/samba/nmbd.pid).
[root@freenas] ~# service ix-activedirectory status
[root@freenas] ~# echo $?
1
[root@freenas] ~# python /usr/local/www/freenasUI/middleware/notifier.py restart cifs
False
[root@freenas] ~# service ix-pam start
[root@freenas] ~# service ix-cache start &
[1] 10338

Any help on this situation would be appreciated.

History

#1 Updated by Jordan Hubbard over 5 years ago

  • Category set to 36
  • Assignee set to John Hixson
  • Target version set to Unspecified

#2 Updated by John Hixson over 5 years ago

  • Status changed from Unscreened to Screened

#3 Updated by Stephen Benson over 5 years ago

I did some more searching and found errors on my DC the same as in bug report #7080. 9.2.1.7 still works fine for joining ad with minimal config on the freenas side, no changes on AD side. There must be something on my 9.3 configuration settings not sending signed LDAP info. I have tried all 3 SASL wrapping as well.

#4 Updated by John Hixson over 5 years ago

  • Status changed from Screened to 15

Can you try to enable AD from the UI, then attach /var/log/messages and /var/log/debug.log to this ticket please?

#5 Updated by Stephen Benson over 5 years ago

  • File debug.log added
  • File messages added

Attached are log files you requested.

#6 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

Attached are log files you requested.

It's failing at ix-activedirectory. Can you modify /etc/ix.rc.d/ix-activedirectory to have "set -x" at the top? (right after #!/bin/sh). Afterwards, run this from the command line:

sh /etc/directoryservice/ActiveDirectory/ctl start

Post the results to this ticket.

#7 Updated by Stephen Benson over 5 years ago

  • File test.log added

Attached is the file with the output from above command.

#8 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

Attached is the file with the output from above command.

The join is timing out. Can you bump up the timeout values in your AD config? Try setting them at 60 and let me know if that fixes this.

#9 Updated by Stephen Benson over 5 years ago

  • File test.log added

Looks like same result with 60 sec. timeout.

#10 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

Looks like same result with 60 sec. timeout.

The file you've attached is still set to 10 seconds. Can you verify that both 'AD timeout' and 'DNS timeout' in your Active Directory configuration are set to 60?

#11 Updated by John Hixson over 5 years ago

John Hixson wrote:

Stephen Benson wrote:

Looks like same result with 60 sec. timeout.

The file you've attached is still set to 10 seconds. Can you verify that both 'AD timeout' and 'DNS timeout' in your Active Directory configuration are set to 60?

And just in case, crank these up to 60, then click 'Save' but without 'enable' being clicked. Once it saves, then try and click 'enable' and 'save'.

#12 Updated by Stephen Benson over 5 years ago

  • File test.log added

According to the gui it shows 60 for each. Here's the output again.

#13 Updated by Stephen Benson over 5 years ago

I have left site name blank in the advanced settings, could these be looking for a site name? I have a home domain setup using default-first-site-name in AD Sites and Services. Also don't have a Kerberos Keytab set in advanced. Just checking other configs, in 9.2.1.7 I use the basic setup and everything clicks just fine.

#14 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

I have left site name blank in the advanced settings, could these be looking for a site name? I have a home domain setup using default-first-site-name in AD Sites and Services. Also don't have a Kerberos Keytab set in advanced. Just checking other configs, in 9.2.1.7 I use the basic setup and everything clicks just fine.

What the file shows is still 10 seconds. Can you run this from the command line and post the output to this ticket please?

sqlite3 /data/freenas-v1.db "select ad_timeout, ad_dns_timeout from directoryservice_activedirectory;"

#15 Updated by Stephen Benson over 5 years ago

Comes back 60|60

#16 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

Comes back 60|60

Can you attach /etc/directoryservice/ActiveDirectory/config to this ticket?

#17 Updated by Stephen Benson over 5 years ago

Config is empty - 0B when opened in notepad.

#18 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

Config is empty - 0B when opened in notepad.

Do this from the command line:

adtool get config_file

Post output to this ticket please.

#19 Updated by Stephen Benson over 5 years ago

ad_bindname=tsradmin
ad_domainname=benson-family.local
ad_netbiosname=BENSON-FAMILY
ad_basedn=DC=benson-family,DC=local
ad_binddn=
ad_site=
ad_dcname=tsr-dc8r2.benson-family.local
ad_dchost=tsr-dc8r2.benson-family.local
ad_dcport=389
ad_gcname=tsr-dc8r2.benson-family.local
ad_gchost=tsr-dc8r2.benson-family.local
ad_gcport=3268
ad_krbname=tsr-dc8r2.benson-family.local:88
ad_krbhost=tsr-dc8r2.benson-family.local
ad_krbport=88
ad_kpwdname=tsr-dc8r2.benson-family.local:464
ad_kpwdhost=tsr-dc8r2.benson-family.local
ad_kpwdport=464
ad_krb_realm=BENSON-FAMILY.LOCAL
ad_krb_kdc=tsr-dc8r2.benson-family.local
ad_krb_admin_server=tsr-dc8r2.benson-family.local
ad_krb_kpasswd_server=tsr-dc8r2.benson-family.local
ad_keytab_name=
ad_keytab_principal=
ad_keytab_file=
ad_timeout=60
ad_dns_timeout=60
ad_ssl=off
ad_unix_extensions=0

#20 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

ad_bindname=tsradmin
ad_domainname=benson-family.local
ad_netbiosname=BENSON-FAMILY
ad_basedn=DC=benson-family,DC=local
ad_binddn=
ad_site=
ad_dcname=tsr-dc8r2.benson-family.local
ad_dchost=tsr-dc8r2.benson-family.local
ad_dcport=389
ad_gcname=tsr-dc8r2.benson-family.local
ad_gchost=tsr-dc8r2.benson-family.local
ad_gcport=3268
ad_krbname=tsr-dc8r2.benson-family.local:88
ad_krbhost=tsr-dc8r2.benson-family.local
ad_krbport=88
ad_kpwdname=tsr-dc8r2.benson-family.local:464
ad_kpwdhost=tsr-dc8r2.benson-family.local
ad_kpwdport=464
ad_krb_realm=BENSON-FAMILY.LOCAL
ad_krb_kdc=tsr-dc8r2.benson-family.local
ad_krb_admin_server=tsr-dc8r2.benson-family.local
ad_krb_kpasswd_server=tsr-dc8r2.benson-family.local
ad_keytab_name=
ad_keytab_principal=
ad_keytab_file=
ad_timeout=60
ad_dns_timeout=60
ad_ssl=off
ad_unix_extensions=0

Okay. Everything looks good. Can you do this:

rm -f /etc/directoryservice/ActiveDirectory/config
sh /etc/directoryservice/ActiveDirectory/ctl stop
sh /etc/directoryservice/ActiveDirectory/ctl start

Post the results here.
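The exchange from #14 through #20 comes down to comparing what freenas-v1.db holds with what the generated config reports. As an added example (not FreeNAS code), the following Python parses the key=value output of `adtool get config_file` and the `ad_timeout|ad_dns_timeout` row that `sqlite3` prints, then flags empty join-relevant fields, a realm/domain mismatch, or a timeout that disagrees with the database; the sample input is constructed from the values posted in this ticket, with the timeouts left at 10 to show the mismatch case.

```python
"""Sanity-check FreeNAS 9.3 `adtool get config_file` output against the
timeouts stored in freenas-v1.db (added example, not FreeNAS code)."""

# Constructed sample modelled on the adtool output posted in this ticket,
# but with the timeouts left at the 10-second default.
SAMPLE_CONFIG = """\
ad_domainname=benson-family.local
ad_netbiosname=BENSON-FAMILY
ad_dcname=tsr-dc8r2.benson-family.local
ad_dchost=tsr-dc8r2.benson-family.local
ad_dcport=389
ad_krb_realm=BENSON-FAMILY.LOCAL
ad_krb_kdc=tsr-dc8r2.benson-family.local
ad_timeout=10
ad_dns_timeout=10
"""
# Constructed sample of the sqlite3 row: "select ad_timeout, ad_dns_timeout ..."
SAMPLE_DB_ROW = "60|60"

REQUIRED = ("ad_domainname", "ad_netbiosname", "ad_dcname", "ad_dchost",
            "ad_dcport", "ad_krb_realm", "ad_krb_kdc")

def parse_config(text):
    """Parse key=value lines into a dict; empty values are kept as ''."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def parse_db_row(row):
    """Turn sqlite3's 'ad_timeout|ad_dns_timeout' row into two ints."""
    ad_to, dns_to = row.strip().split("|")
    return int(ad_to), int(dns_to)

def check_config(cfg, db_timeouts):
    """Return findings as strings; an empty list means the config looks sane."""
    findings = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append("missing or empty: " + key)
    if cfg.get("ad_krb_realm") != cfg.get("ad_domainname", "").upper():
        findings.append("ad_krb_realm does not match upper-cased ad_domainname")
    for key, db_value in zip(("ad_timeout", "ad_dns_timeout"), db_timeouts):
        if not cfg.get(key, "").isdigit():
            findings.append(key + " is not a positive integer")
        elif int(cfg[key]) != db_value:
            findings.append("%s: config %s but database %d (stale config?)"
                            % (key, cfg[key], db_value))
    return findings
```

On a live box the two inputs would come from `adtool get config_file` and the `sqlite3` query shown in #14; an empty findings list for the values posted in #19 is the expected result once both timeouts read 60.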

#21 Updated by Stephen Benson over 5 years ago

  • File start.log added
  • File stop.log added

Attached logs for each command

#22 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

Attached logs for each command

Even at 60 seconds, it's timing out. More commands for you to run ;-)

sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1"
service ix-kerberos start
service ix-nsswitch start
service ix-kinit start
klist # you should have a kerberos ticket granting ticket

/usr/local/bin/net -k ads join benson-family.local -S tsr-dc8r2.benson-family.local -p 389
echo $? # this should be 0

I'm curious what the net ads join does. That appears to be where things are failing here.

#23 Updated by Stephen Benson over 5 years ago

[root@freenas] /# service ix-kerberos start
[root@freenas] /# service ix-nsswitch start
[root@freenas] /# service ix-kinit start
[root@freenas] /# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued           Expires          Principal
Jan 7 22:36:40 Jan 8 08:36:40
[root@freenas] /# /usr/local/bin/net -k ads join benson-family.local -S tsr-dc8r2.benson-family.local -p 389
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
[root@freenas] /#

#24 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

[root@freenas] /# service ix-kerberos start
[root@freenas] /# service ix-nsswitch start
[root@freenas] /# service ix-kinit start
[root@freenas] /# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued Expires Principal
Jan 7 22:36:40 Jan 8 08:36:40
[root@freenas] /# /usr/local/bin/net -k ads join benson-family.local -S tsr-dc8r2.benson-family.local -p 389
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
[root@freenas] /#

I goofed. Run these commands again:
sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1"
service ix-kerberos start
service ix-nsswitch start
service ix-kinit start
klist # you should have a kerberos ticket granting ticket

service ix-pre-samba start

/usr/local/bin/net -k ads join benson-family.local -S tsr-dc8r2.benson-family.local -p 389
echo $? # this should be 0

#25 Updated by Stephen Benson over 5 years ago

Worked this time.
.
[root@freenas] /# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1"
[root@freenas] /# service ix-kerberos start
[root@freenas] /# service ix-nsswitch start
[root@freenas] /# service ix-kinit start
[root@freenas] /# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued           Expires          Principal
Jan 7 22:36:40 Jan 8 08:36:40
[root@freenas] /# service ix-pre-samba start
[root@freenas] /# /usr/local/bin/net k ads join benson-family.local -S tsr-dc8r2.benson-family.local -p 389
Using short domain name -
BENSON-FAMILY
Joined 'FREENAS' to dns domain 'benson-family.local'
[root@freenas] /# echo $?
0
[root@freenas] /#

#26 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

Worked this time.
.
[root@freenas] /# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1"
[root@freenas] /# service ix-kerberos start
[root@freenas] /# service ix-nsswitch start
[root@freenas] /# service ix-kinit start
[root@freenas] /# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued Expires Principal
Jan 7 22:36:40 Jan 8 08:36:40
[root@freenas] /# service ix-pre-samba start
[root@freenas] /# /usr/local/bin/net k ads join benson-family.local -S tsr-dc8r2.benson-family.local -p 389
Using short domain name -
BENSON-FAMILY
Joined 'FREENAS' to dns domain 'benson-family.local'
[root@freenas] /# echo $?
0
[root@freenas] /#

If it's working from the command line, it should be working from the UI. Can you try from the UI now? Before doing so, run this from the command line:

sh /etc/directoryservice/ActiveDirectory/ctl stop

Let me know if it works from the UI

#27 Updated by Stephen Benson over 5 years ago

Thanks John. Worked from UI as well. wbinfo -u gets usernames fine as well. All go now.

Did you find anything specific that was to blame or was it user error on my side?

I am on a test VM doing this bug fixing and I'm looking at upgrading my home server, but want to make sure it will work before I do. I tried 9.3 Stable on that server last week, as I had a drive issue, but had same problem joining.

Thanks again.

#28 Updated by John Hixson over 5 years ago

Stephen Benson wrote:

Thanks John. Worked from UI as well. wbinfo -u gets usernames fine as well. All go now.

Did you find anything specific that was to blame or was it user error on my side?

The only thing that I saw was the join timing out. Once you bumped up the timeout to 60 seconds, it makes everything work ;-)

I am on a test VM doing this bug fixing and I'm looking at upgrading my home server, but want to make sure it will work before I do. I tried 9.3 Stable on that server last week, as I had a drive issue, but had same problem joining.

What problems? Was it the same issue? Have you tried to bump up the timeouts to 60 seconds on that as well?

Thanks again.

#29 Updated by Stephen Benson over 5 years ago

Yes, I had the same issue on my production machine, reverted back to 9.2.1.7 on that. I will start a fresh VM and try again to duplicate with timeouts at 10 using basic UI settings. If it fails to start I will bump up timeouts and see if it fixes it.

Thanks again for the time.

#30 Updated by John Hixson over 5 years ago

  • Status changed from 15 to Resolved

Stephen Benson wrote:

Yes, I had the same issue on my production machine, reverted back to 9.2.1.7 on that. I will start a fresh VM and try again to duplicate with timeouts at 10 using basic UI settings. If it fails to start I will bump up timeouts and see if it fixes it.

Thanks again for the time.

No problem. Since this was a timeout issue, I'm closing this ticket out. If you have any new issues please open a new ticket ;-).

#31 Updated by Kris Moore about 4 years ago

  • Target version changed from Unspecified to N/A

#32 Updated by Dru Lavigne almost 3 years ago

  • File deleted (messages)

#33 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug.log)

#34 Updated by Dru Lavigne almost 3 years ago

  • File deleted (test.log)

#35 Updated by Dru Lavigne almost 3 years ago

  • File deleted (test.log)

#36 Updated by Dru Lavigne almost 3 years ago

  • File deleted (test.log)

#37 Updated by Dru Lavigne almost 3 years ago

  • File deleted (stop.log)

#38 Updated by Dru Lavigne almost 3 years ago

  • File deleted (start.log)