Bug #8232

Can't get Directory Services working since upgrade to 9.3 STABLE-201502270750

Added by Michael Preissner over 5 years ago. Updated about 4 years ago.

Status: Closed: Behaves correctly
Priority: Nice to have
Assignee: John Hixson
Category: OS
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

First had problems upgrading to 201502270750. Upgrade seemed to fail via UI, but after reboot, system is now reporting itself as 201502270750.

Directory Services will now not work (joining Active Directory as member). I am assuming it is related to the requirement to use SSL/TLS, but there is no certificate to choose for the connection (I'm using an external CA, and have already created/imported a cert for the FreeNAS itself which is currently being used for the HTTPS server). If I understand the previous topics on AD under 9.3, I'm guessing that the idmap backend also needs to change now from AD to rfc2307? And I should probably re-enable UNIX extensions?

What is the correct way to set up directory services for AD membership now that some of the AD bugs have supposedly been worked out?

Oh yeah...also seeing this error repeatedly in my /var/log/messages: "init: can't exec getty '/usr/local/sbin/zfsd' for port /dev/zfsd: No such file or directory"

History

#1 Updated by Peter Voigt over 5 years ago

I am having exactly the same problem after upgrade to FreeNAS-9.3-STABLE-201502270607. And it's mentioned by others in the forum: https://forums.freenas.org/index.php?threads/weird-log-entry-in-messages.27961/#post-181150

Regards,
Peter

#2 Updated by Erik Koennecke over 5 years ago

"init: can't exec getty '/usr/local/sbin/zfsd' for port /dev/zfsd: No such file or directory"

Same error here, spams the logs. Could this error be filed as a separate bug?

#3 Updated by Michael Preissner over 5 years ago

I'll go ahead and open a bug for this. It hits the log every 30 seconds.

#4 Updated by Dr K K over 5 years ago

For the record, I don't have this error. If it is useful to compare some of these users' configs and/or settings to mine, let me know.

#5 Updated by Michael Preissner over 5 years ago

Which error? The directory services problem? Or the "init: can't exec getty..." error (bug 8233)?

#6 Updated by Jordan Hubbard over 5 years ago

  • Category set to 36
  • Assignee set to John Hixson
  • Target version set to Unspecified

#7 Updated by Jordan Hubbard over 5 years ago

Yeah, the ttys problem is #8223 and I just rolled a fix for that. This is something different.

#8 Updated by John Hixson over 5 years ago

  • Status changed from Unscreened to 15

Michael Preissner wrote:

> First had problems upgrading to 201502270750. Upgrade seemed to fail via UI, but after reboot, system is now reporting itself as 201502270750.
>
> Directory Services will now not work (joining Active Directory as member). I am assuming it is related to the requirement to use SSL/TLS, but there is no certificate to choose for the connection (I'm using an external CA, and have already created/imported a cert for the FreeNAS itself which is currently being used for the HTTPS server). If I understand the previous topics on AD under 9.3, I'm guessing that the idmap backend also needs to change now from AD to rfc2307? And I should probably re-enable UNIX extensions?

I need more info here. SSL and TLS are not required for AD to work. Are you trying to get FreeNAS to join your AD where SSL or TLS are in place? If so, what certificate are you using? As for the idmap backend, if you have unix attributes, you can use the ad idmap backend. If not, you can use the rid backend. Can you give me more details on what you're trying to accomplish and what is going wrong? Please go to system->advanced->"save debug" and attach the output to this ticket as well.

> What is the correct way to set up directory services for AD membership now that some of the AD bugs have supposedly been worked out?
>
> Oh yeah...also seeing this error repeatedly in my /var/log/messages: "init: can't exec getty '/usr/local/sbin/zfsd' for port /dev/zfsd: No such file or directory"

#9 Updated by Michael Preissner over 5 years ago

  • File debug-store-20150227174447.tgz added

I configured my FreeNAS using the options specified in bug 7387 and everything was working under 9.3-STABLE-201502070132. My AD integration continued to work up through 201502232343. Since upgrading to 201502270750, and now on 201502271818, my AD integration is broken. I have not been using SSL/TLS yet, but I intend to in the near future - though no certificate shows up in the "Certificate" drop down. My Idmap is "ad" and my Winbind NSS is rfc2307. I have UNIX extensions enabled on my AD (which is a standalone server running CentOS 7 with Samba 4.1.17).

#10 Updated by John Hixson over 5 years ago

Your config looks fine and nothing is sticking out that is obvious. Can you try bumping up the "dns timeout" and "ad timeout" values to 60 in your AD UI and see if that makes any difference?

#11 Updated by Michael Preissner over 5 years ago

No difference at all. I receive the "Service failed to start" error through the UI about 10 seconds into the process.

Everything worked up through 201502242343, and my domain servers haven't changed in a while. Unless you guys made some changes to the AD integration that would significantly affect the time needed to start services, changing the timeouts wouldn't have any effect.

Is there any way to generate more verbose logs for you guys to look at? I already have verbose logging enabled on the directory services page...

#12 Updated by Michael Preissner over 5 years ago

FYI, reverting back to the 201502232343 boot environment allows AD integration to work again.

#13 Updated by John Hixson over 5 years ago

Okay. Are you available for a teamviewer session? I'd like to get to the bottom of this.

#14 Updated by Michael Preissner over 5 years ago

I can be available tonight around 8 PM Eastern, or I can carve some time out of my day tomorrow starting around 11 AM Eastern. Let me know what works best and I can get you my TeamViewer info.

#15 Updated by John Hixson over 5 years ago

Michael Preissner wrote:

> I can be available tonight around 8 PM Eastern, or I can carve some time out of my day tomorrow starting around 11 AM Eastern. Let me know what works best and I can get you my TeamViewer info.

Are you available right now?

#16 Updated by Michael Preissner over 5 years ago

Yes. Can you email me direct and I'll send you my teamviewer info?

#17 Updated by John Hixson over 5 years ago

Michael Preissner wrote:

> Yes. Can you email me direct and I'll send you my teamviewer info?

#18 Updated by John Hixson over 5 years ago

  • Status changed from 15 to Closed: Behaves correctly

I got a hold of Michael and we did a teamviewer session. The problem turned out to be clock skew which in turn was pissing off Kerberos. We got it fixed and all is well now.
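Added example, not part of the ticket or of FreeNAS: a check for the condition named in the resolution above, measuring the local clock's offset from a time server with one SNTP exchange and comparing it with the Kerberos default tolerance of 5 minutes. The function names are hypothetical, the sample reply is constructed, and it assumes the domain controller (or the time source it follows) answers NTP on UDP port 123 and that the realm keeps the default tolerance.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KRB5_MAX_SKEW = 300           # Kerberos default tolerance in seconds (assumed unchanged)


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (two 32-bit words) to Unix time."""
    return seconds - NTP_UNIX_DELTA + fraction / 2**32


def clock_offset(reply, t1, t4):
    """Offset of the server from the local clock; positive means the server is ahead."""
    # t1 = local send time, t4 = local receive time, both in Unix seconds
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    mode, stratum = reply[0] & 0x07, reply[1]
    if mode != 4 or stratum == 0:
        raise ValueError("unusable reply (mode=%d stratum=%d)" % (mode, stratum))
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2 = ntp_to_unix(rx_s, rx_f)   # server receive time
    t3 = ntp_to_unix(tx_s, tx_f)   # server transmit time
    return ((t2 - t1) + (t3 - t4)) / 2


def kerberos_skew_ok(offset, limit=KRB5_MAX_SKEW):
    """True when the measured offset is inside the Kerberos tolerance."""
    return abs(offset) <= limit


def query(server, timeout=5.0):
    """Send one SNTP client request (version 3, mode 3) and return the offset."""
    request = b"\x1b" + 47 * b"\x00"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)


def constructed_reply(server_time):
    """Constructed sample reply: LI=0, VN=3, mode=4, stratum=2."""
    secs = int(server_time) + NTP_UNIX_DELTA
    return struct.pack("!BB30x4I", 0x1C, 2, secs, 0, secs, 0)
```

On a live system, `kerberos_skew_ok(query(server))` with the domain controller's address as `server` returns False when the skew alone is enough to make Kerberos reject the join.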

#19 Updated by Kris Moore about 4 years ago

  • Target version changed from Unspecified to N/A

#20 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug-store-20150227174447.tgz)
