Bug #7918

Problem on Active Directory

Added by Tobias Müllauer over 5 years ago. Updated about 4 years ago.

Status:
Closed: Behaves correctly
Priority:
Nice to have
Assignee:
John Hixson
Category:
OS
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

[root@freenas ~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued           Expires          Principal                                   
Feb 10 20:52:50 Feb 11 06:52:50
[root@freenas ~]# service ix-sssd start
[root@freenas ~]# service sssd start
Will not 'start' sssd because sssd_enable is NO.
[root@freenas ~]# python /usr/local/www/freenasUI/middleware/notifier.py start cifs
False
[root@freenas ~]# service ix-activedirectory start
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
False
Failed to leave domain: Machine is a Domain Controller
samba not running? (check /var/run/samba4/samba.pid).

SEEN IN ;; Current Train: FreeNAS-9.3-Nightlies (Installed OS)

History

#1 Updated by John Hixson over 5 years ago

  • Status changed from Unscreened to Screened
  • Priority changed from Important to Nice to have
  • Target version set to Unspecified

What is the problem? This doesn't state any problem here. You are trying to start SSSD and ix-activedirectory. Why? Can you elaborate on what problem(s) are occurring? While you're at it, can you go to System->Advanced->"Save Debug" and attach it to this ticket?

#2 Updated by Tobias Müllauer over 5 years ago

When I try to join the domain from a Windows client I get this.

---
Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "toit.local":

The query was for the SRV record for _ldap._tcp.dc._msdcs.toit.local

The following domain controllers were identified by the query:
freenas.toit.local

However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.

#3 Updated by Tobias Müllauer over 5 years ago

  • File debug-freenas-20150210211854.tgz added

Here is the debug file.

#4 Updated by Tobias Müllauer over 5 years ago

Why I did this bug report..

The site says so: http://doc.freenas.org/9.3/freenas_directoryservice.html

If the system will not join the active directory domain, try running the following commands in the order listed. If any of the commands fail or result in a traceback, create a bug report at bugs.freenas.org that includes the commands in the order which they were run and the exact wording of the error message or traceback.

#5 Updated by John Hixson over 5 years ago

  • Status changed from Screened to 15

From the looks of things, you have configured your system to be a domain controller. What are you trying to do? I see signs of trying to configure it as a member server in an Active Directory, but your getent output tells me you've configured it as a domain controller. Which do you want? I'm still not even clear on what the problem is.

#6 Updated by Tobias Müllauer over 5 years ago

Sorry, I am not so familiar with this, and kind of confused about the settings.

I only want FreeNAS to be a domain on its own, so my client can connect to the FreeNAS Active Directory.

So you mean that I don't use the services when I do this? The services are only for joining FreeNAS to an AD?

The problem is that I can't make a Windows client join the AD on FreeNAS.
I got the message you see above.

#7 Updated by John Hixson over 5 years ago

Tobias Müllauer wrote:

Sorry, I am not so familiar with this, and kind of confused about the settings.

I only want FreeNAS to be a domain on its own, so my client can connect to the FreeNAS Active Directory.

So you mean that I don't use the services when I do this? The services are only for joining FreeNAS to an AD?

The problem is that I can't make a Windows client join the AD on FreeNAS.
I got the message you see above.

Do you have DNS on your windows client(s) configured to use FreeNAS as the DNS server?

#8 Updated by Tobias Müllauer over 5 years ago

Yes and now..

Now I am working on pfSense and BIND to get it to work.

When I try using FreeNAS as a DNS server it doesn't work for anything. All hostnames and websites go down.

#9 Updated by Tobias Müllauer over 5 years ago

UPDATE:

Now it's working to have the FreeNAS IP as the DNS on the clients.

But I can't join the domain. I can get into the shares, but no joining the domain.

Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "toit.local":

The query was for the SRV record for _ldap._tcp.dc._msdcs.toit.local

The following domain controllers were identified by the query:
freenas.toit.local

However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.

#10 Updated by Tobias Müllauer over 5 years ago

C:\Users\mullcom>nslookup
10.in-addr.arpa
primary name server = localhost
responsible mail addr = backbone.telia.net
serial = 1
refresh = 3600 (1 hour)
retry = 900 (15 mins)
expire = 3600000 (41 days 16 hours)
default TTL = 3600 (1 hour)
(root) ? unknown type 41 ?
Default Server: UnKnown
Address: 10.90.110.6

set type=all
_kerberos._tcp.toit.local

Server: UnKnown
Address: 10.90.110.6

_kerberos._tcp.toit.local SRV service location:
priority = 0
weight = 100
port = 88
svr hostname = freenas.toit.local

exit

C:\Users\mullcom>ping toit.local

Pinging toit.local [10.90.110.6] with 32 bytes of data:
Reply from 10.90.110.6: bytes=32 time=1ms TTL=63
Reply from 10.90.110.6: bytes=32 time=1ms TTL=63

Ping statistics for 10.90.110.6:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

#11 Updated by Tobias Müllauer over 5 years ago

Command: wbinfo -t

checking the trust secret for domain TOIT via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

#12 Updated by Tobias Müllauer over 5 years ago

host -t srv _kerberos._tcp.toit.local
_kerberos._tcp.toit.local has SRV record 0 100 88 freenas.toit.local.

I don't get it? What is the problem?
Please, I have tried really hard here to join the domain and get it working. Something must be in trouble, but what?

#13 Updated by Tobias Müllauer over 5 years ago

net ads testjoin
Failed to open /var/db/samba4/private/secrets.tdb
Join to domain is not valid: Access denied

#14 Updated by John Hixson over 5 years ago

Tobias Müllauer wrote:

net ads testjoin
Failed to open /var/db/samba4/private/secrets.tdb
Join to domain is not valid: Access denied

Do you have jails running on the box by chance? Can you provide the output of netstat -na|grep LISTEN?

#15 Updated by John Hixson over 5 years ago

Still waiting to hear back from Tobias on this.

#16 Updated by John Hixson over 5 years ago

Tobias? Is this still an issue?

#17 Updated by Tobias Müllauer over 5 years ago

Sorry for the late reply, much to do at work.

tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.9042 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN
tcp4 0 0 10.90.110.6.80 *.* LISTEN
tcp4 0 0 *.139 *.* LISTEN
tcp4 0 0 *.445 *.* LISTEN
tcp6 0 0 *.139 *.* LISTEN
tcp6 0 0 *.445 *.* LISTEN
tcp4 0 0 *.3269 *.* LISTEN
tcp4 0 0 *.3268 *.* LISTEN
tcp4 0 0 *.636 *.* LISTEN
tcp4 0 0 *.389 *.* LISTEN
tcp6 0 0 *.3269 *.* LISTEN
tcp6 0 0 *.3268 *.* LISTEN
tcp6 0 0 *.636 *.* LISTEN
tcp6 0 0 *.389 *.* LISTEN
tcp4 0 0 *.135 *.* LISTEN
tcp6 0 0 *.135 *.* LISTEN
tcp4 0 0 *.1024 *.* LISTEN
tcp6 0 0 *.1024 *.* LISTEN
tcp4 0 0 *.53 *.* LISTEN
tcp6 0 0 *.53 *.* LISTEN
tcp4 0 0 *.464 *.* LISTEN
tcp4 0 0 *.88 *.* LISTEN
tcp6 0 0 *.464 *.* LISTEN
tcp6 0 0 *.88 *.* LISTEN
tcp4 0 0 10.90.110.6.869 *.* LISTEN
tcp4 0 0 127.0.0.1.713 *.* LISTEN
tcp6 0 0 ::1.813 *.* LISTEN
tcp4 0 0 10.90.110.6.697 *.* LISTEN
tcp4 0 0 127.0.0.1.697 *.* LISTEN
tcp6 0 0 ::1.697 *.* LISTEN
tcp4 0 0 10.90.110.6.2049 *.* LISTEN
tcp4 0 0 10.90.110.6.840 *.* LISTEN
tcp4 0 0 127.0.0.1.840 *.* LISTEN
tcp6 0 0 ::1.840 *.* LISTEN
tcp4 0 0 10.90.110.6.111 *.* LISTEN
tcp4 0 0 127.0.0.1.111 *.* LISTEN
tcp6 0 0 ::1.111 *.* LISTEN
tcp4 0 0 10.90.110.6.3260 *.* LISTEN
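The check being done by eye on the netstat listing above (is every port an AD DC must serve actually bound, and on an address clients can reach rather than only loopback?) can be automated. This is an added example, not code from the ticket or from FreeNAS; the port set is an assumption taken from the standard AD DC service list, and the sample input is a constructed subset of the listing in this thread.

```python
import re
# Constructed sample: a subset of the `netstat -na | grep LISTEN` lines posted in this thread.
SAMPLE_NETSTAT = """\
tcp4 0 0 10.90.110.6.80 *.* LISTEN
tcp4 0 0 *.139 *.* LISTEN
tcp4 0 0 *.445 *.* LISTEN
tcp4 0 0 *.3269 *.* LISTEN
tcp4 0 0 *.3268 *.* LISTEN
tcp4 0 0 *.636 *.* LISTEN
tcp4 0 0 *.389 *.* LISTEN
tcp4 0 0 *.135 *.* LISTEN
tcp4 0 0 *.53 *.* LISTEN
tcp4 0 0 *.464 *.* LISTEN
tcp4 0 0 *.88 *.* LISTEN
"""

# TCP ports an AD domain controller must expose to clients (standard AD service set; assumption).
AD_DC_TCP_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
                   139: "NetBIOS session", 389: "LDAP", 445: "SMB",
                   464: "kpasswd", 636: "LDAPS", 3268: "GC", 3269: "GC SSL"}

# One FreeBSD netstat TCP line: proto recv-q send-q local-address foreign-address state
LINE_RE = re.compile(r"^(tcp4|tcp6)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+LISTEN$")

def parse_listeners(text):
    """Return (proto, address, port) tuples; FreeBSD joins address and port with a dot."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, _, port = m.group(2).rpartition(".")
            out.append((m.group(1), addr, int(port)))
    return out

def audit_dc_ports(text):
    """Classify each expected DC port as reachable, loopback-only, or missing."""
    by_port = {}
    for _, addr, port in parse_listeners(text):
        by_port.setdefault(port, set()).add(addr)
    result = {"reachable": [], "loopback_only": [], "missing": []}
    for port in sorted(AD_DC_TCP_PORTS):
        addrs = by_port.get(port, set())
        if not addrs:
            result["missing"].append(port)
        elif addrs <= {"127.0.0.1", "::1"}:  # bound, but clients cannot reach it
            result["loopback_only"].append(port)
        else:
            result["reachable"].append(port)
    return result
```

A non-empty "missing" or "loopback_only" list is one concrete explanation for the Windows "no domain controllers could be contacted" message even when the SRV record resolves.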

#18 Updated by Tobias Müllauer over 5 years ago

And I have now started up a Samba domain instead, because FreeNAS didn't work as a standalone AD DC.

Now that I have a Samba AD DC I want to make FreeNAS a secondary.

#19 Updated by John Hixson over 5 years ago

Tobias Müllauer wrote:

And I have now started up a Samba domain instead, because FreeNAS didn't work as a standalone AD DC.

Now that I have a Samba AD DC I want to make FreeNAS a secondary.

So it is working for you? Currently making FreeNAS a secondary DC is not supported.

#20 Updated by John Hixson over 5 years ago

  • Status changed from 15 to Closed: Behaves correctly

Seeing as it is working for you I'm closing this out. As stated before, FreeNAS currently cannot be a secondary DC. In the future that might change.

#21 Updated by Kris Moore about 4 years ago

  • Target version changed from Unspecified to N/A

#22 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug-freenas-20150210211854.tgz)
