Active Directory with 1000+ users taking forever

Status
Not open for further replies.

Sharath

Dabbler
Joined
Aug 28, 2017
Messages
12
Hi,

We have set up FreeNAS-9.10.2-U4 (27ae72978) and are trying to configure the directory service in FreeNAS with our corporate Active Directory (which has 1000+ users).

When I click on save after configuring the AD service with realm name, domain user and password (with Kerberos realm), it takes forever (I have waited 10+ hours) to load and never shows a success message. However, wbinfo -u, wbinfo -g, wbinfo -t and net ads join -S dcname -U username all give positive output with user and group names. But "getent passwd" and "getent group" show only local users and groups.
Even the "change permission" dialog on the share does not show/suggest AD users as I type.

Below is my messages log, where we can see it gets stuck at "cachetool.py: [common.pipesubr:66] Popen()ing: klist" for a long time and later displays "cachetool.py: [common.freenasusers:346] Directory Users could not be retrieved: {'desc': "Can't contact LDAP server"}".

Code:
Oct 18 09:49:59 BLRCM-FREENAS ActiveDirectory: AD_join_domain: net -k ads join ABCD.NET -S blrdc03.abcd.net -p 389
Oct 18 09:50:03 BLRCM-FREENAS ActiveDirectory: AD_join_domain: Successful
Oct 18 09:50:03 BLRCM-FREENAS ActiveDirectory: /usr/sbin/service ix-activedirectory status
Oct 18 09:50:03 BLRCM-FREENAS ActiveDirectory: activedirectory_status: checking status
Oct 18 09:50:03 BLRCM-FREENAS ActiveDirectory: AD_status_domain: net -k ads status ABCD.NET
Oct 18 09:50:04 BLRCM-FREENAS ActiveDirectory: AD_status_domain: Okay
Oct 18 09:50:04 BLRCM-FREENAS ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Oct 18 04:20:05 BLRCM-FREENAS notifier: Stopping winbindd.
Oct 18 04:20:05 BLRCM-FREENAS notifier: Waiting for PIDS: 76697.
Oct 18 04:20:05 BLRCM-FREENAS notifier: Stopping smbd.
Oct 18 04:20:06 BLRCM-FREENAS notifier: Waiting for PIDS: 76691, 76691.
Oct 18 04:20:06 BLRCM-FREENAS notifier: nmbd not running? (check /var/run/samba/nmbd.pid).
Oct 18 09:50:06 BLRCM-FREENAS ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Oct 18 04:20:08 BLRCM-FREENAS notifier: Performing sanity check on Samba configuration: OK
Oct 18 04:20:08 BLRCM-FREENAS notifier: Starting nmbd.
Oct 18 04:20:08 BLRCM-FREENAS notifier: Starting smbd.
Oct 18 04:20:08 BLRCM-FREENAS notifier: Starting winbindd.
Oct 18 09:50:08 BLRCM-FREENAS ActiveDirectory: /usr/sbin/service ix-pam quietstart
Oct 18 09:50:09 BLRCM-FREENAS ActiveDirectory: /usr/sbin/service ix-cache quietstart &
Oct 18 09:50:10 BLRCM-FREENAS cachetool.py: [common.pipesubr:66] Popen()ing: klist
Oct 18 10:27:59 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s system-product-name
Oct 18 10:27:59 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s baseboard-product-name
Oct 18 11:28:22 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s system-product-name
Oct 18 11:28:22 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s baseboard-product-name
Oct 18 11:44:21 BLRCM-FREENAS cachetool.py: [common.freenasusers:346] Directory Users could not be retrieved: {'desc': "Can't contact LDAP server"}
Oct 18 11:44:21 BLRCM-FREENAS cachetool.py: [common.pipesubr:66] Popen()ing: klist
Oct 18 11:50:11 BLRCM-FREENAS cachetool.py: [common.freenasusers:346] Directory Users could not be retrieved: {'desc': "Can't contact LDAP server"}
Oct 18 11:50:11 BLRCM-FREENAS cachetool.py: [common.pipesubr:66] Popen()ing: klist
Oct 18 12:28:45 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s system-product-name
Oct 18 12:28:45 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s baseboard-product-name
Oct 18 13:29:08 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s system-product-name
Oct 18 13:29:08 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s baseboard-product-name
Oct 18 13:44:24 BLRCM-FREENAS cachetool.py: [common.freenasusers:229] Directory Groups could not be retrieved: {'desc': "Can't contact LDAP server"}
Oct 18 13:44:25 BLRCM-FREENAS ActiveDirectory: kerberos_status: klist -t
Oct 18 13:44:25 BLRCM-FREENAS ActiveDirectory: kerberos_status: Successful
Oct 18 13:44:25 BLRCM-FREENAS ActiveDirectory: activedirectory_status: checking status
Oct 18 13:44:25 BLRCM-FREENAS ActiveDirectory: AD_status_domain: net -k ads status ABCD.NET
Oct 18 13:44:26 BLRCM-FREENAS ActiveDirectory: AD_status_domain: Okay
Oct 18 13:44:26 BLRCM-FREENAS manage.py: [common.pipesubr:66] Popen()ing: klist
Oct 18 13:50:11 BLRCM-FREENAS cachetool.py: [common.freenasusers:229] Directory Groups could not be retrieved: {'desc': "Can't contact LDAP server"}
Oct 18 13:50:12 BLRCM-FREENAS ActiveDirectory: kerberos_status: klist -t
Oct 18 13:50:12 BLRCM-FREENAS ActiveDirectory: kerberos_status: Successful
Oct 18 13:50:12 BLRCM-FREENAS ActiveDirectory: activedirectory_status: checking status
Oct 18 13:50:12 BLRCM-FREENAS ActiveDirectory: AD_status_domain: net -k ads status ABCD.NET
Oct 18 13:50:13 BLRCM-FREENAS ActiveDirectory: AD_status_domain: Okay
Oct 18 13:50:13 BLRCM-FREENAS manage.py: [common.pipesubr:66] Popen()ing: klist



Any leads/help would be greatly appreciated.

Thanks,
Sharath TS
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
I have no understanding of your situation, but you will need to list your full system specs, please.
 

Sharath

Dabbler
Joined
Aug 28, 2017
Messages
12
OK, here is the situation. We have set up a FreeNAS box and created datasets and CIFS shares. We need to be able to set permissions on the CIFS shares for corporate users and groups. To make this happen, I am trying to configure Active Directory in FreeNAS to connect to the corporate AD to fetch users and groups. As mentioned in the first post, our corporate AD has a user base of more than 1000 and the FreeNAS Active Directory service is unable to succeed, as shown in the log in the first post.

Below are my system specs.
Build : FreeNAS-9.10.2-U4 (27ae72978)
Platform : Intel(R) Xeon(R) CPU E5-2603 v4 @ 1.70GHz

Memory : 32625MB

Let me know if any more information required.
 

Sharath

Dabbler
Joined
Aug 28, 2017
Messages
12
Yes, I have seen that. I am still new to this and trying to understand the concept.
So if I configure Active Directory in FreeNAS Directory Services to fetch users, why is it trying to contact LDAP?
wbinfo -u and wbinfo -g display all network users and groups, but getent passwd and getent group do not.
 

Sharath

Dabbler
Joined
Aug 28, 2017
Messages
12
The directory is not populated with Samba attributes yet, as described in this note (http://doc.freenas.org/11/directoryservice.html#ldap). Is that the reason? Is it mandatory for the AD directory service?

Below is my smb4.conf:


[global]
server min protocol = LANMAN1
server max protocol = SMB3
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 939593
logging = file
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = guest
map to guest = Bad User
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
lm announce = yes
hostname lookups = yes
time server = yes
acl allow execute always = true
dos filemode = yes
multicast dns register = yes
domain logons = yes
idmap config *: backend = tdb
idmap config *: range = 10000-11000
server role = member server
workgroup = ABCD
realm = ABCD.NET
security = ADS
client use spnego = yes
cache directory = /var/tmp/.cache/.samba
local master = no
domain master = no
preferred master = no
ads dns update = yes
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = no
winbind refresh tickets = yes
idmap config ABCD: backend = ad
idmap config ABCD: range = 10000-11000
idmap config ABCD: schema mode = rfc2307
allow trusted domains = no
client ldap sasl wrapping = plain
template shell = /bin/sh
template homedir = /home/%D/%U
netbios name = BLRCM-FREENAS
pid directory = /var/run/samba
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 10

[cifs_01]
path = /mnt/Volume1/cifs_01
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
hide dot files = yes
guest ok = yes
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
The directory is not populated with Samba attributes yet, as described in this note (http://doc.freenas.org/11/directoryservice.html#ldap). Is that the reason? Is it mandatory for the AD directory service?
The "ad" backend requires Active Directory schema changes (RFC 2307). Since it appears that you do not have these, it is better to switch to using "rid" or "autorid".
 

Sharath

Dabbler
Joined
Aug 28, 2017
Messages
12
OK, there is some progress by setting the idmap backend to "rid". With this, I am able to view users and groups with "getent passwd" and "getent group". But again, after I click on save, it takes more than an hour and fails again with the same error, "can't contact LDAP server". Below is the log.

Code:
Oct 21 10:39:39 BLRCM-FREENAS ActiveDirectory: /usr/sbin/service ix-pam quietstart
Oct 21 10:39:39 BLRCM-FREENAS ActiveDirectory: /usr/sbin/service ix-cache quietstart &
Oct 21 10:39:41 BLRCM-FREENAS cachetool.py: [common.pipesubr:66] Popen()ing: klist
Oct 21 10:56:30 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s system-product-name
Oct 21 10:56:30 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s baseboard-product-name
Oct 21 11:05:46 BLRCM-FREENAS cachetool.py: [common.freenasusers:229] Directory Groups could not be retrieved: {'desc': "Can't contact LDAP server"}
Oct 21 11:05:47 BLRCM-FREENAS ActiveDirectory: kerberos_status: klist -t
Oct 21 11:05:47 BLRCM-FREENAS ActiveDirectory: kerberos_status: Successful
Oct 21 11:05:47 BLRCM-FREENAS ActiveDirectory: activedirectory_status: checking status
Oct 21 11:05:47 BLRCM-FREENAS ActiveDirectory: AD_status_domain: net -k ads status ABCD.NET
Oct 21 11:05:48 BLRCM-FREENAS ActiveDirectory: AD_status_domain: Okay
Oct 21 11:05:49 BLRCM-FREENAS manage.py: [common.pipesubr:66] Popen()ing: klist
Oct 21 11:56:53 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s system-product-name
Oct 21 11:56:53 BLRCM-FREENAS alert.py: [common.pipesubr:66] Popen()ing: /usr/local/sbin/dmidecode -s baseboard-product-name
Oct 21 12:39:41 BLRCM-FREENAS cachetool.py: [common.freenasusers:346] Directory Users could not be retrieved: {'desc': "Can't contact LDAP server"}
Oct 21 12:39:41 BLRCM-FREENAS cachetool.py: [common.pipesubr:66] Popen()ing: klist



I had to cancel the operation as it was taking a long time.

Also, in the "change permission" operation on a dataset, the user names are not displayed in the dropdown, and if I type the domain user "ABCD\user" it throws the error "The user ABCD\user is not valid." However, that user exists in "getent passwd".

Any idea why the AD directory service is taking this long and failing with the {'desc': "Can't contact LDAP server"} error?
 

Sharath

Dabbler
Joined
Aug 28, 2017
Messages
12
@anodos
OK, here is an update. When I check the "Disable Active Directory user/group cache" option and save the AD directory service, it starts with a success message. Plus, wbinfo -u/-g/-t/-i and getent passwd/group all work as expected.

Here is the catch: when I try to set mount point permissions for domain users "ABCD\userx", it works only for a few users, and for the rest it shows "The user ABCD\userx is not valid."
And for the users that are apparently not valid, wbinfo -i "ABCD\userx" and getent passwd "ABCD\userx" show the result, i.e. the user exists.

Plus, the dropdown for users and groups in the dataset permissions does not suggest any DOMAIN users, even as I type many characters.

Should I check if the UID displayed in FreeNAS is mapped properly as per the corporate UID?
Am I missing anything?
 
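The idmap range question raised in the post above, and anodos's point about the "ad" backend, can be checked statically before touching the GUI. The following is an added example written for this page, not FreeNAS or Samba code. POSTED_CONF is constructed from the idmap and protocol lines of the smb4.conf posted earlier in the thread (the rest of that file is omitted); FIXED_CONF holds assumed replacement values chosen here, not settings from the thread. The checks model Samba's idmap_rid arithmetic (uid = range low + RID, with the default base_rid of 0): the posted 10000-11000 window holds only 1001 IDs, so with the "rid" backend any account whose RID is above 1000 has no UID at all, and the same window is also used for the default "*" domain, which idmap requires to be disjoint. The needed_ids value of 1200 is an assumption standing in for "1000+ users" plus their groups. Two wire-security settings from the same file are flagged as well: an SMB1 minimum protocol and unsigned LDAP from winbind to the domain controller. None of this changes what M H says below about the GUI dialog; it only tells you whether the mapping itself can work.

```python
"""Static sanity checks for the idmap section of a Samba AD-member smb.conf.

Added example, not FreeNAS/Samba code. It parses 'idmap config' lines,
checks range size and overlap, models idmap_rid's mapping
(uid = range_low + RID - base_rid) and flags two weak wire settings.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the idmap and protocol lines of the posted smb4.conf;
# everything else in that file is omitted here.
POSTED_CONF = """\
[global]
server min protocol = LANMAN1
client ldap sasl wrapping = plain
idmap config *: backend = tdb
idmap config *: range = 10000-11000
idmap config ABCD: backend = ad
idmap config ABCD: range = 10000-11000
"""

# Assumed corrected settings (not from the thread): rid backend, disjoint
# ranges with room for well over 1000 accounts, SMB2 minimum, signed LDAP.
FIXED_CONF = """\
[global]
server min protocol = SMB2
client ldap sasl wrapping = sign
idmap config *: backend = tdb
idmap config *: range = 90000001-90010000
idmap config ABCD: backend = rid
idmap config ABCD: range = 100000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")
OPTION_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.+?)\s*$")
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            out.setdefault(dom, {})[opt] = val
    return out


def get_option(conf: str, name: str) -> Optional[str]:
    """Return the value of a plain 'name = value' global option, if present."""
    for line in conf.splitlines():
        m = OPTION_RE.match(line)
        if m and m.group(1).lower() == name.lower():
            return m.group(2)
    return None


def parse_range(val: str) -> Tuple[int, int]:
    """Parse 'low-high' into ints and reject an inverted range."""
    lo, hi = (int(x) for x in val.split("-"))
    if lo > hi:
        raise ValueError(f"invalid idmap range {val!r}")
    return lo, hi


def rid_to_uid(rid: int, rng: Tuple[int, int], base_rid: int = 0) -> Optional[int]:
    """idmap_rid arithmetic: uid = low + (RID - base_rid); None if outside the range."""
    lo, hi = rng
    uid = lo + rid - base_rid
    return uid if lo <= uid <= hi else None


def check_conf(conf: str, needed_ids: int) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    idmap = parse_idmap(conf)
    ranges = {d: parse_range(o["range"]) for d, o in idmap.items() if "range" in o}

    for dom, (lo, hi) in ranges.items():
        if dom != "*" and hi - lo + 1 < needed_ids:
            findings.append(f"{dom}: range {lo}-{hi} can hold {hi - lo + 1} IDs, "
                            f"need at least {needed_ids}")
        if idmap[dom].get("backend") == "ad":
            findings.append(f"{dom}: backend 'ad' needs RFC 2307 uidNumber/gidNumber "
                            "attributes on every AD object it maps")

    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges for {a} and {b} overlap; idmap ranges must be disjoint")

    minproto = get_option(conf, "server min protocol")
    if minproto and minproto.upper() in SMB1_DIALECTS:
        findings.append(f"server min protocol = {minproto} allows SMB1 clients; use SMB2 or later")
    wrap = get_option(conf, "client ldap sasl wrapping")
    if wrap and wrap.lower() == "plain":
        findings.append("client ldap sasl wrapping = plain sends winbind's LDAP traffic "
                        "unsigned; use sign or seal")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for finding in check_conf(conf, needed_ids=1200):
            print(" -", finding)
    # RID 500 (built-in Administrator) fits the posted window; a user RID
    # in the thousands does not.
    print(rid_to_uid(500, (10000, 11000)), rid_to_uid(1105, (10000, 11000)))
```

Run it against your own smb4.conf by pasting the relevant lines into POSTED_CONF; the capacity and overlap findings are what to fix first, because a user whose RID maps outside the range has no UID for chown or the GUI to use, whatever the dialog shows.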

Sharath

Dabbler
Joined
Aug 28, 2017
Messages
12
One more update.
I am able to set permissions for the apparently "not valid" users on the command line with chown, but not from the UI. Is this a bug in FreeNAS?
 

M H

Explorer
Joined
Sep 16, 2013
Messages
98
You will not see AD users and groups in the change permissions dialog in the FreeNAS GUI. You have to sign into your FreeNAS share as the root user and change permissions via Windows. You're looking for something that will never appear with regard to changing AD permissions via the FreeNAS GUI.
 