Active Directory Users/permissions gone after upgrade to 9.3

[Nicholas Bento]

Hi There,
I just upgraded my NAS to version 9.3, and now all my active directory users and groups have disappeared, and the permissions for them are gone on my storage. I have ran wbinfo -t, wbinfo -g, and wbinfo -u from shell and they return the correct results, however when looking in the UI the users are nowhere to be found.
Any help is greatly appreciated, thanks!

 

[amwg16]

I have the same exact issue!!!


Sent from my iPhone using Tapatalk

 

[Nicholas Bento]

Glad I'm not the only one, thought I was losing my mind!

Also another tidbit, when I navigate to the mount in shell and do an ls -al on it, looks like it shows the UID of 10200, which I assume was my Administrator that I had assigned from AD, but it seems it is somehow no longer mapped to it in FreeNAS.

Also, running the commands getent passwd and getent group also do not show my domain users or groups either. Maybe the problem is occurring with nsswitch?

And also spotted this in the console:
Dec 10 09:19:53 Zenon winbindd[4333]: STATUS=daemon 'winbindd' finished starting up and ready to serve connectionsads reopen failed after error No such object

 

[dlavigne]

As you find bugs, please report them at bugs.freenas.org. If they are related to a forum thread, put the bug number in the thread so other users can follow the bug's progress and any workarounds.

 

[Nicholas Bento]

well I've at least got myself up and running. I went into the Active Directory options and changed the Idmap backend to rid, and now when i do getent passwd and getent group I see all my domain users and groups. I then had to navigate to my mounts and reassign the permissions to the appropriate users and groups using chown -R. I can now navigate my shares as before. Note that all the windows permissions I had assigned are wrecked; Once I was able to grant my domain admin privilege to the directories, I had to go back in through windows and re-create the permissions.

 

[dlavigne]

Thanks for the update!

 

[Nicholas Bento]

Sure, would you like me to open up a bug ticket with this information?

 

[dlavigne]

You could, though I'm not sure if it is a bug or not. Which idmap backend to use is specific to the domain's configuration. rid is the default for AD, though there was a bug where it wasn't for a few weeks so you may have been bitten by that. It is nasty having to recreate all of the perms, just not sure which part failed to cause that.

 

[amwg16]

All my shares were locked out. Switching to rid allowed me to check permissions and confirm that they had indeed been reset. Downgraded back to 9.2.1.9 and my shares and permissions were back in tact. GUI also showed my existing AD users & groups. I think I'll sit on that for a while, until it's fixed.


Sent from my iPhone using Tapatalk

 

[depasseg]

Looks like this: https://bugs.freenas.org/issues/7079

 

[cfa]

I too am suffering from this bug. Changing the IDMAP setting in Advanced settings under Active Directory to 'rid' does not help. In fact it makes the problem worse. Running wbinfo -u results in no results

I switched the setting back to 'ad' ... since it stands to reason that an acronym like 'ad' in a section named 'Active Directory' would be appropriate. Now running wbinfo -u gives me the 600+ results I expect from our company domain server.

I've been watching the debug.log during the process. It properly connects but there are some troubling results in there. Here is a snippet:

Dec 26 12:07:38 cfaNAS cachetool.py: [common.freenasldap:177] FreeNAS_LDAP_Directory[ERROR]: An LDAP Exception occured
Dec 26 12:07:38 cfaNAS cachetool.py: [common.freenasldap:184] FreeNAS_LDAP_Directory[ERROR]: desc: 'Size limit exceeded'

...
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\Domain Computers'
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\Domain Users'
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\Domain Guests'
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\Group Policy Creator Owners'
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\Cert Publishers'
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\RAS and IAS Servers'
....
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\info'
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\payroll'
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\development'
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\parentproject'
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\ticketsales'
Dec 26 12:07:44 cfaNAS cachetool.py: [common.freenasldap:2615] Error on getgrnam: 'getgrnam(): name not found: MYDOMAIN\\donate'

Could these errors be related to the problem with my domain accounts not appearing the security lists ??

 

[dlavigne]

Don't just change the idmap backend (as the default will work) unless your environment meets the requirements for that backend. See Table 9.1b at http://doc.freenas.org/9.3/freenas_directoryservice.html#active-directory for the requirements of each backend.