AD and multiple KDCs in a domain -- picks WRONG KDC

Status
Not open for further replies.

chucktryon

Dabbler
Joined
Sep 20, 2011
Messages
26
We have a geographically dispersed organization. Each office has its own assigned 10.x subnet. We have one central AD Domain Controller in the international office, and a couple of the larger offices have secondary AD Domain Controllers joined to the central controller over a VPN. While the secondary domain controllers can each talk to the main controller, the firewalls are set up such that none of the individual subnets can talk to each other. One very odd thing is that the DNS service replicates to All the domain controllers, so we see DNS information for the entire organization.

When FreeNAS tries to join the domain, I'm guessing that it looks up the SRV records to find the actual KDC for the domain. Our problem is that, since we have multiple domain controllers, there are SEVERAL SRV records in DNS, each on its own subnet. In fact, only one is usable on our subnet, since we can't touch the other controllers.

My problem is that, for some unknown reason, THE INTERFACE ALWAYS PICKS THE WRONG KDC, and then puts that in the krb5.conf and smb.conf files. We are on a 10.4 subnet, but the one it ALWAYS picks is on the 10.88 subnet. The records all have identical weights, so it's not like the other KDC has a higher priority.

[root@us-freenas-dev] ~# host -t SRV _kerberos._tcp.global.local
_kerberos._tcp.global.local has SRV record 0 100 88 eu-dc1.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 eu-dc2.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 usa-dc1.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 africa-dc.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 gb-dc1.global.local.

My question is, how do I get the interface to correctly pick the one and only KDC that it can actually talk to and put that one in the krb5.conf file?
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,403
I would setup separate Sites for each geographic location in AD first.
 

chucktryon

Dabbler
Joined
Sep 20, 2011
Messages
26
Unfortunately, I don't have much control over the AD setup. There is just the one domain. Not sure how to set up separate sites.
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,403

chucktryon

Dabbler
Joined
Sep 20, 2011
Messages
26
We *DO* have sites set up already.

Is there any way to get FreeNAS to look up the SRV record for our particular site?

[root@freenas-dev]# host -t srv _kerberos._tcp.usa._sites.global.local
_kerberos._tcp.usa._sites.global.local has SRV record 0 100 88 usa-dc1.global.local.
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,403
We *DO* have sites set up already.
Looks like I wasn't much help as I was wrong.

The records all have identical weights, so it's not like the other KDC has a higher priority.
From the documentation:
The realm that is used depends upon the priority in the SRV DNS record, meaning that DNS can override your Active Directory settings.

Though changing the weight in AD DNS changes it in all sites and is a poor solution to your problem.


I will suggest you give some additional details of your problem so someone else can help.

  • What version of AD are you running?
  • Configured hostname & nameservers of FN8 box
  • The contents of your krb5.conf file
  • What you enter where in the GUI
  • Output of:
    Code:
    host -t srv _ldap._tcp.global.local
  • tail /var/log/messages after you try to join
  • Anything else appropriate
 

chucktryon

Dabbler
Joined
Sep 20, 2011
Messages
26
Version of AD: Windows Server 2008 R2

Network Settings:
Network: 10.4.0.0/22
Hostname of FN8: us-freenas-dev (10.4.0.187)
Nameserver: 10.4.1.164 (the AD server)
Domain: global.local
FN8 Version: 8.3.0 BETA1

NOTE: I have been using the FreeNAS-8.2.0-RELEASE-p1-x64 version, but tried moving to the BETA hoping it might work better. It has not fixed the problem, and in fact, seems to have made things worse. Is it possible to back-rev a system once you have updated it?


AD Settings:
Domain Controller Name: usa-dc1@global.local
Domain Name: global.local
NetBIOS Name: us-freenas-dev
Workgroup Name: GLOBAL
Allow Trusted Domains: [yes]
Administrator Name: [admin name]

CIFS Setup:
Authentication: Local User
NetBIOS name: us-freenas-dev
Workgroup: GLOBAL
Local Master: [yes]
Time Server: [yes]
Enable home directories: [yes]
Home directories: /mnt/Vol1/homes
Unix Extensions: [yes]
Enable AIO: [yes]
Zeroconf share discovery: [yes]
Hostname lookups: [yes]


NOTE: the following is the GENERATED krb5.conf. I *KNOW* that the "africa-dc" name is wrong. THAT'S THE POINT. No matter what I do to change it back to the correct server on our subnet, the UI keeps changing it BACK again. That's what I'm trying to fix. SOMETIMES, if I click the button to join the AD domain, and then in a separate text window, copy the CORRECTED krb5.conf file over top of the generated file, it will join the domain, but that's very tricky to get the right timing.

Code:
[root@us-freenas-dev] /etc# cat krb5.conf 
[appdefaults]
    pam = {
        forwardable = true
        krb4_convert = false
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
    }

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    clockskew = 300
    forwardable = yes
    default_realm = GLOBAL.LOCAL

[logging]
	default = SYSLOG:INFO:LOCAL7

[realms]
	GLOBAL.LOCAL = {
        kdc = africa-dc.global.local                   <--------------- THIS IS THE BROKEN PART
        admin_server = africa-dc.global.local
        default_domain = global.local
    }

[domain_realm]
    global.local = GLOBAL.LOCAL
    .global.local = GLOBAL.LOCAL
    GLOBAL.LOCAL = GLOBAL.LOCAL
    .GLOBAL.LOCAL = GLOBAL.LOCAL


NOTE: If you do the "host" command more than once, the names rotate, so that each name comes up first in turn. This is typical DNS "round-robin" behavior.

Code:
[root@us-freenas-dev] ~# host -t srv _ldap._tcp.global.local
_ldap._tcp.global.local has SRV record 0 100 389 africa-dc.global.local.
_ldap._tcp.global.local has SRV record 0 100 389 ict-dc1.global.local.
_ldap._tcp.global.local has SRV record 0 100 389 usa-dc1.global.local.
_ldap._tcp.global.local has SRV record 0 100 389 ict-dc2.global.local.
_ldap._tcp.global.local has SRV record 0 100 389 qts-dc1.global.local.



When I try to join the domain, after about 15 minutes or so, I get the following in the /var/log/messages file:
Code:
Aug 31 10:15:59 us-freenas-dev notifier: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Aug 31 10:18:30 us-freenas-dev notifier: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Aug 31 10:21:01 us-freenas-dev notifier: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Aug 31 10:21:07 us-freenas-dev notifier: kinit: krb5_get_init_creds: unable to reach any KDC in realm GLOBAL.LOCAL
Aug 31 10:26:19 us-freenas-dev notifier: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Aug 31 10:26:20 us-freenas-dev notifier: No realm set, are we joined ?
Aug 31 10:26:20 us-freenas-dev notifier: winbindd does not exist in /etc/rc.d or the local startup
Aug 31 10:26:20 us-freenas-dev notifier: directories (/usr/local/etc/rc.d)


The "I'm working..." little graphic under the AD slider switch NEVER stops unless I refresh the page (ie., whatever process it's waiting for never returns).

(Can't think of anything else...)
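Added example, not FreeNAS code and not from any poster in this thread, pulling together the three things discussed above: the flat and site-scoped SRV names (`_kerberos._tcp.global.local` and `_kerberos._tcp.usa._sites.global.local`), the RFC 2782 priority/weight ordering under which five equal-weight records simply rotate, and the generated krb5.conf whose `kdc =` line keeps landing on an unreachable DC. It parses the `host -t SRV` lines posted earlier, keeps only the KDCs this box can reach, orders them as RFC 2782 says, and renders a realm stanza that pins them. Assumptions: the address map is constructed (only usa-dc1's 10.4.1.164 comes from the thread, as the nameserver), the offline reachability check (address inside an allowed prefix) stands in for the real TCP/88 probe `tcp_probe`, and every function name here (`site_srv_name`, `parse_host_srv`, `rfc2782_order`, `select_kdcs`, `render_realm`, `demo`) is mine.

```python
import ipaddress
import random
import re
import socket
from typing import Callable, Dict, Iterable, List, NamedTuple

class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

_SRV_LINE = re.compile(r"has SRV record (\d+) (\d+) (\d+) (\S+?)\.?\s*$")

def site_srv_name(domain: str, site: str, service: str = "_kerberos") -> str:
    """Site-scoped name to query first, e.g. _kerberos._tcp.usa._sites.global.local."""
    return f"{service}._tcp.{site}._sites.{domain}"

def parse_host_srv(output: str) -> List[SRV]:
    """Parse `host -t SRV <name>` output lines into SRV tuples."""
    records = []
    for line in output.splitlines():
        m = _SRV_LINE.search(line)
        if m:
            prio, weight, port, target = m.groups()
            records.append(SRV(int(prio), int(weight), int(port), target.lower()))
    return records

def _weighted_order(group: List[SRV], rng: random.Random) -> List[SRV]:
    """RFC 2782 weight step: zero-weight entries first, then draw by cumulative weight."""
    remaining = sorted(group, key=lambda r: r.weight)
    ordered = []
    while remaining:
        total = sum(r.weight for r in remaining)
        pick = rng.randint(0, total) if total else 0
        acc = 0
        for i, rec in enumerate(remaining):
            acc += rec.weight
            if acc >= pick:          # first record whose running sum reaches the draw
                ordered.append(remaining.pop(i))
                break
    return ordered

def rfc2782_order(records: Iterable[SRV], rng: random.Random = None) -> List[SRV]:
    """Lowest priority value first; equal weights within a priority give a rotating order."""
    rng = rng or random.Random()
    by_prio: Dict[int, List[SRV]] = {}
    for r in records:
        by_prio.setdefault(r.priority, []).append(r)
    ordered: List[SRV] = []
    for prio in sorted(by_prio):
        ordered.extend(_weighted_order(by_prio[prio], rng))
    return ordered

def tcp_probe(host: str, port: int = 88, timeout: float = 2.0) -> bool:
    """Live check for a real box: can we complete a TCP handshake to the KDC port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def subnet_reachable(addr_of: Dict[str, str], allowed: Iterable[str]) -> Callable[[str, int], bool]:
    """Offline stand-in for tcp_probe: reachable iff the DC's address is in an allowed prefix."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    return lambda host, port: any(ipaddress.ip_address(addr_of[host]) in n for n in nets)

def select_kdcs(records: Iterable[SRV], is_reachable: Callable[[str, int], bool],
                rng: random.Random = None) -> List[SRV]:
    """Reachable KDCs only, in the order a client should try them."""
    return [r for r in rfc2782_order(records, rng) if is_reachable(r.target, r.port)]

def render_realm(realm: str, kdcs: List[SRV]) -> str:
    """krb5.conf fragment pinning the KDC list; dns_lookup_kdc = false stops DNS re-adding others."""
    if not kdcs:
        raise ValueError(f"no reachable KDC for {realm}")
    lines = ["[libdefaults]", f"    default_realm = {realm}", "    dns_lookup_kdc = false",
             "", "[realms]", f"    {realm} = {{"]
    lines += [f"        kdc = {k.target}" + (f":{k.port}" if k.port != 88 else "") for k in kdcs]
    lines += [f"        admin_server = {kdcs[0].target}", f"        default_domain = {realm.lower()}", "    }"]
    return "\n".join(lines) + "\n"

# Sample input: the SRV lines posted in the thread. Addresses are constructed,
# except usa-dc1, whose 10.4.1.164 is the nameserver given in the thread.
HOST_OUTPUT = """\
_kerberos._tcp.global.local has SRV record 0 100 88 eu-dc1.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 eu-dc2.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 usa-dc1.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 africa-dc.global.local.
_kerberos._tcp.global.local has SRV record 0 100 88 gb-dc1.global.local.
"""
ADDR_OF = {"eu-dc1.global.local": "10.88.0.10", "eu-dc2.global.local": "10.88.0.11",
           "usa-dc1.global.local": "10.4.1.164", "africa-dc.global.local": "10.120.0.10",
           "gb-dc1.global.local": "10.60.0.10"}

def demo() -> str:
    reachable = subnet_reachable(ADDR_OF, ["10.4.0.0/22"])  # local /22; nothing else routable
    return render_realm("GLOBAL.LOCAL", select_kdcs(parse_host_srv(HOST_OUTPUT), reachable))
```

On a live box you would feed `select_kdcs(parse_host_srv(out), tcp_probe)` the output of `host -t SRV site_srv_name("global.local", "usa")`, falling back to the flat `_kerberos._tcp.global.local` name only when the site-scoped query returns nothing; with `dns_lookup_kdc = false` the library uses only the listed `kdc =` lines, so a later DNS rotation cannot put an unreachable DC back in front the way the generated file above (`dns_lookup_kdc = true`, `kdc = africa-dc.global.local`) allows.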
 

gait

Dabbler
Joined
Mar 20, 2012
Messages
10
I am experiencing exactly the same issue. We have a single domain split across multiple subnets - each subnet has its own site in AD and each site/subnet has its own DC and all are connected via WAN/VPN links. The NASs on the same subnet as the PDC all work fine but as soon as you join a NAS from one of the other subnets to the domain (and we always point them to the local DC on the subnet), it all turns to mush as described above.

Running a net ads info on a NAS on one of the remote subnets shows the LDAP and KDC server as the PDC which is on the main subnet even though we specified a local DC when joining them to AD. It would seem whatever routine is being run when the initial join to AD is being made is ignoring any of the Sites and Services info and assuming everything is on one big, zippy local network...

If the link goes down from the remote subnet to the main network, none of the NAS are able to get any AD info, even though there are local DCs at each location.

As a side note, I have recently set up a Nas4Free box on one of the subnets and it isn't experiencing any of these issues.
 

chucktryon

Dabbler
Joined
Sep 20, 2011
Messages
26
BTW - it appears that the latest released version (8.3.0-RELEASE) *FIXES* this problem. This release has some other issues (the Web GUI doesn't seem to start correctly on boot -- see the workaround), but I have been using it now for a while with our AD controller (with multiple sites), and the domain seems to work fine.
 

chucktryon

Dabbler
Joined
Sep 20, 2011
Messages
26
The current release -- 8.3.1 RC1 -- appears to get around the problem of multiple sites by giving a place to override the domain and kdc controllers in the AD config dialog. (This seems like a "cheat" to me, but if the shoe fits...) Unfortunately, I'm seeing a new problem where the join domain process tries to LEAVE the domain first. This deletes the old machine account record, which in our case is a problem because we can't just add a NEW machine account in the "default" location, because we don't have full administrative access to the DC. We have to "pre-stage" our machine accounts so the domain controller knows which OU to put the account in. (When a machine attempts to "join" the domain, if there is already a record there with that name, the DC just replaces it with the new machine.)
 

gait

Dabbler
Joined
Mar 20, 2012
Messages
10
Fortunately the site only has a couple of DCs and the buildings are close to each other and nobody works in the one with the issue on weekends, so when we upgrade to 8.3.1 we'll just hoof them to the primary location and do it there.
Thanks for the update.
 

byroncollege

Dabbler
Joined
Oct 1, 2013
Messages
13
Another option might be to create a round-robin DNS alias to use as the override address? This gives you some redundancy rather than just forcing to one DNS server.
 