Active Directory Broken After Updating to Scale

broyuken (Cadet, joined Dec 20, 2023, 4 messages):
EDIT: I reinstalled TrueNAS from scratch, imported my pools and AD worked fine. Not sure what the issue was, but I worked around it.

I upgraded my TrueNAS CORE to SCALE 23.10.1 the other day and now my SMB shares no longer work. I went into the Active Directory section and it shows AD and LDAP are both disabled. I try to re-enable it, but the username/password boxes do not show. How can I clear out the old AD settings to try to get this working once again?

I ran a bunch of commands I saw from previous posts but they didn't seem to match up and solve my issue.

Code:
root@broynas[~]# dig

; <<>> DiG 9.18.12-1-Debian <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37899
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       86399   IN      NS      a.root-servers.net.
.                       86399   IN      NS      b.root-servers.net.
.                       86399   IN      NS      c.root-servers.net.
.                       86399   IN      NS      d.root-servers.net.
.                       86399   IN      NS      e.root-servers.net.
.                       86399   IN      NS      f.root-servers.net.
.                       86399   IN      NS      g.root-servers.net.
.                       86399   IN      NS      h.root-servers.net.
.                       86399   IN      NS      i.root-servers.net.
.                       86399   IN      NS      j.root-servers.net.
.                       86399   IN      NS      k.root-servers.net.
.                       86399   IN      NS      l.root-servers.net.
.                       86399   IN      NS      m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     86399   IN      A       198.41.0.4

;; Query time: 11 msec
;; SERVER: 10.0.86.203#53(10.0.86.203) (UDP)
;; WHEN: Wed Dec 20 16:35:04 EST 2023
;; MSG SIZE  rcvd: 268

root@broynas[~]# host -t srv dc1.broyuken.com
dc1.broyuken.com has no SRV record
root@broynas[~]# host -t srv _ldap._tcp.broyuken.com
_ldap._tcp.broyuken.com has SRV record 0 100 389 dc1.broyuken.com.
_ldap._tcp.broyuken.com has SRV record 0 100 389 dc2.broyuken.com.
root@broynas[~]# 2023 Dec 20 16:56:50 broynas Device: /dev/sdd [SAT], 624 Currently unreadable (pending) sectors
2023 Dec 20 16:56:50 broynas Device: /dev/sdd [SAT], 624 Offline uncorrectable sectors
2023 Dec 20 16:56:51 broynas Device: /dev/sdd [SAT], 624 Currently unreadable (pending) sectors
2023 Dec 20 16:56:51 broynas Device: /dev/sdd [SAT], 624 Offline uncorrectable sectors

root@broynas[~]#
root@broynas[~]#
root@broynas[~]# midclt call kerberos.realm.query
[]
root@broynas[~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
root@broynas[~]# ktutil list
ktutil:
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
ktutil:  exit
root@broynas[~]# midclt call kerberos.keytab.query '[]' '{"count":true}'
0
root@broynas[~]#


I also tried running a command I found here on the forum which ended up erroring for me.
Code:
root@broynas[~]# midclt call activedirectory.update '{"kerberos_principal": "", "enable": false}'
'bindpw'
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 201, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1342, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/service/config_service.py", line 83, in update
    rv = await self.middleware._call(
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1342, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 44, in nf
    res = await f(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 177, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 586, in do_update
    elif not new['enable'] and new['bindpw']:
                               ~~~^^^^^^^^^^
KeyError: 'bindpw'

root@broynas[~]#

thehoney4you (Cadet, joined Sep 5, 2022, 3 messages):
So I'm not the only one.
My fix: I deleted the server's account in AD (did not need to do this).
Under Network, make sure your name servers are your AD computer.
Then go to:
Credentials -> Directory Services -> Advanced Settings "Show".
Under Kerberos Realms, delete your domain entry.
Under Kerberos Keytab, delete AD_MACHINE_ACCOUNT.

broyuken (Cadet, joined Dec 20, 2023, 4 messages):
I tried that but my keytab is empty. The password option just won't show up no matter what I try.

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):
There's a bug that impacts people using an incomplete payload via the shell middleware client (will be fixed in 23.10.2).

If you disable AD via webui, you should be able to re-input administrator account credentials and re-join AD. This will create a new kerberos keytab and reset AD machine account password for our computer object. We no longer under any circumstances store the AD bind password in our database (this behavior was generally deprecated in TrueNAS 12).
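An added illustration (my own code, not TrueNAS middleware code) of the partial-payload bug described above: the "before" function validates the raw payload the way the traceback's `new['bindpw']` check does, while the merged version lays the payload over the stored config and treats the transient credential as optional. The config keys and values are constructed for the example.

```python
# Illustrative code, not TrueNAS's: a partial payload sent to a config-style
# "update" call raises KeyError unless it is merged with the stored config.
from copy import deepcopy

# Constructed stand-in for the persisted AD config. No bind password is stored;
# 'bindpw' only ever arrives transiently in a payload, so it may be absent.
STORED_CONFIG = {
    "domainname": "example.test",
    "bindname": "",
    "kerberos_principal": "EXAMPLE-NAS$@EXAMPLE.TEST",
    "enable": True,
}

def update_unmerged(stored, payload):
    """'Before' behaviour: validates the raw payload by itself, so any key the
    caller omitted is simply missing (same shape as the traceback's check)."""
    new = dict(payload)
    if not new["enable"] and new["bindpw"]:      # KeyError if 'bindpw' omitted
        raise ValueError("bind password is not used when disabling")
    return new

def update_merged(stored, payload):
    """Hardened: lay the partial payload over the stored config, treat the
    credential as absent unless supplied, and never write it back."""
    new = deepcopy(stored)
    new.update(payload)
    bindpw = new.pop("bindpw", "")               # transient, not persisted
    if not new["enable"] and bindpw:
        raise ValueError("bind password is not used when disabling")
    if new["enable"] and not (new["kerberos_principal"] or bindpw):
        raise ValueError("enabling needs a keytab principal or bind credentials")
    return new

def outcome(fn, stored, payload):
    """Run an update and return either the resulting config or the error class
    name, so the two behaviours can be compared side by side."""
    try:
        return fn(stored, payload)
    except (KeyError, ValueError) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    disable = {"kerberos_principal": "", "enable": False}   # the thread's payload
    print(outcome(update_unmerged, STORED_CONFIG, disable))  # KeyError
    print(outcome(update_merged, STORED_CONFIG, disable))    # merged, disabled
```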

broyuken (Cadet, joined Dec 20, 2023, 4 messages):
It is disabled, and I can't re-input the credentials because the AD configuration screen doesn't have a spot for credentials.

thehoney4you (Cadet, joined Sep 5, 2022, 3 messages):
OK, so on mine:
Stop the SMB service.
Kerberos Realms: delete your domain entry.
Kerberos Keytab: delete AD_MACHINE_ACCOUNT.

broyuken (Cadet, joined Dec 20, 2023, 4 messages):
Yeah, I don't have any of those to remove, so my issue must be something different. AD was working prior to upgrading from CORE to SCALE.

Can we please move this post from the archives to the Cobia section? I don't know how this ended up in the archives section.