AD Auth Suddenly Stopped Working

Status
Not open for further replies.

KLEPTOROTH

Dabbler
Joined
Mar 14, 2017
Messages
17
Hey guys,
So I've been moving along just fine in Corral until my AD authentication broke. Yes, I've rebooted, made sure my clocks are sync'd, etc. When I try to log in to an SMB share as a regular AD user, I get authentication denied, from any machine no matter what. Even though I'm using the owner's AD account, AND Domain Users is the group on the share and all the files.

When I log in as my admin user (which has been made an admin in FreeNAS) it works. So clearly AD authentication works, but I can't figure out why it won't recognize a regular, non-privileged user.

Don't know if it's related, but when I try to nslookup from the FreeNAS box, I get "Bus error (core dumped)".

Anyone have any ideas? Also I can't find the authentication logs, the only place I could find log files for auth or SMB contained 0 byte files.

Thanks for any ideas!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
DNS has to be functioning in order for AD to work. Try pinging your dc by FQDN, then try wbinfo --ping-dc.

It's possible that it might be time to move on from Corral. The Corral is quickly becoming full of dead horses, which kind of stinks, but what can you do about it.
 

KLEPTOROTH

Thanks for the response, and yes of course! I can ping the DC by name, even its alias, just fine. AD has had a green light up until today, even though I started getting these errors:
Task Name:
Binding to directory XXXXXXXX failed

Description:
ENOENT: Job org.samba.winbindd not found

Output of wbinfo --ping-dc:
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the NETLOGON for domain[] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE

Do you have any idea where I can fix this?

I hear ya on moving on, I have to wait until 11.1 as I am using docker. I know I could do RancherOS but I'm already struggling with docker (probably corral's fault) and I don't want to add more variables to the mix. Plus I don't know how to migrate docker containers yet so that has been holding me back as well, at least docker works. I just have no idea why it was working beautifully and just out of the blue it stopped.
 

anodos

Post output of testparm. It looks like winbind might not be enabled, but Corral did some crazy stuff with Samba. I never looked very closely at the code so I can't be sure how to properly launch it. I vaguely recall cython wrappers around winbind and general concerns about thread-safety and stability.
 

KLEPTOROTH

Thanks for that - it did mention permissions issues:
Load smb config files from /usr/local/etc/smb4.conf
lp_load_ex: changing to config backend registry
Processing section "[XXXXXXXX]"
Processing section "[XXXXXXXX]"
Loaded services file OK.
WARNING: state directory /var/db/samba4 should have permissions 0755 for browsing to work

WARNING: cache directory /var/db/samba4 should have permissions 0755 for browsing to work

WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
multicast dns register = No
realm = XXXXXXXX
server string = FreeNAS Server
workgroup = XXXXXXXX
domain master = No
lm announce = Yes
local master = No
preferred master = No
nsupdate command = /usr/local/bin/samba-nsupdate -g
client ldap sasl wrapping = plain
logging = logd@10
max log size = 51200
kernel change notify = No
panic action = /usr/local/libexec/samba/samba-backtrace
registry shares = Yes
disable spoolss = Yes
load printers = No
printcap name = /dev/null
server min protocol = CORE
allow trusted domains = No
map to guest = Bad User
ntlm auth = Yes
obey pam restrictions = Yes
passdb backend = freenas
security = ADS
server role = member server
username map = /usr/local/etc/smbusers
deadtime = 15
max open files = 1178309
template homedir = /home/%U
template shell = /bin/sh
winbind cache time = 3600
winbind offline logon = Yes
dns proxy = No
idmap config *: range = 0-100000000
idmap config * : backend = freenas
store dos attributes = Yes
strict locking = No
directory name cache size = 0
dos filemode = Yes
acl allow execute always = Yes
ea support = Yes
create mask = 0750
directory mask = 0750


[XXXXXXXX]
path = /mnt/XXXXXXXX/XXXXXXXX
veto files = /.snapshot/.zfs/.windows/.config-smb-*.json/
read only = No
vfs objects = shadow_copy_zfs zfsacl zfs_space aio_pthread
shadow:sort = desc
shadow:dataset = CCS-NAS/SpaceEngineers
zfsacl:acesort = dontcare
nfs4:chown = true
nfs4:acedup = merge
nfs4:mode = special


[XXXXXXXX]
path = /mnt/XXXXXXXX/XXXXXXXX
veto files = /.snapshot/.zfs/.windows/.config-smb-*.json/
guest ok = Yes
read only = No
vfs objects = shadow_copy_zfs zfsacl zfs_space recycle aio_pthread
shadow:sort = desc
shadow:dataset = XXXXXXXX/XXXXXXXX
recycle:subdir_mode = 0700
recycle:directory_mode = 0777
recycle:touch = yes
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .recycle/%U
zfsacl:acesort = dontcare
nfs4:chown = true
nfs4:acedup = merge
nfs4:mode = special

I fixed the permissions and now I get this:
Load smb config files from /usr/local/etc/smb4.conf
lp_load_ex: changing to config backend registry
Processing section "[XXXXXXXX]"
Processing section "[XXXXXXXX"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions < - This is the same as before.
 

KLEPTOROTH

Well..... Now I can't get the SMB service out of error state. Any idea of how I can view some logs to figure out what is going on? I'm looking in the /var/db/system/log/samba4 directory, but all the log files there are empty. So frustrating!

On a side note, wbinfo --ping-dc is now returning:
checking the NETLOGON for domain[XXXXXXXX] dc connection to "XXXXXXXX.lan" succeeded
 

anodos

I'm not too familiar with
What about wbinfo -t and wbinfo -u?
 

KLEPTOROTH

Hmm.. this sounds good. Still no access to shares via AD?
Now that AD seems to be online, the SMB share won't come out of ERROR state.

CATing /var/db/system/log/serviced.log gives me stuff like this:
Code:
2017-08-14 19:07:25,256 DEBUG Job:org.samba.smbd main.py:333 Job did exec() into ['/usr/local/sbin/smbd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:07:25,265 DEBUG Job:org.samba.nmbd main.py:333 Job did exec() into ['/usr/local/sbin/nmbd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:07:25,281 INFO Job:org.samba.winbindd main.py:217 Starting job
2017-08-14 19:07:25,286 DEBUG Job:org.samba.winbindd main.py:254 Started as PID 28090
2017-08-14 19:07:25,296 DEBUG Job:org.samba.winbindd main.py:333 Job did exec() into ['/usr/local/sbin/winbindd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:07:26,496 INFO Job:org.samba.smbd main.py:267 Stopping job
2017-08-14 19:07:26,499 INFO Job:org.samba.smbd main.py:362 Job has exited with code 15
2017-08-14 19:07:26,501 INFO Job:org.samba.smbd main.py:217 Starting job
2017-08-14 19:07:26,508 DEBUG Job:org.samba.smbd main.py:254 Started as PID 28091
2017-08-14 19:07:26,520 DEBUG Job:org.samba.smbd main.py:333 Job did exec() into ['/usr/local/sbin/smbd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:07:26,541 INFO Job:org.samba.nmbd main.py:267 Stopping job
2017-08-14 19:07:26,543 INFO Job:org.samba.nmbd main.py:362 Job has exited with code 15
2017-08-14 19:07:26,545 INFO Job:org.samba.nmbd main.py:217 Starting job
2017-08-14 19:07:26,553 DEBUG Job:org.samba.nmbd main.py:254 Started as PID 28092
2017-08-14 19:07:26,569 DEBUG Job:org.samba.nmbd main.py:333 Job did exec() into ['/usr/local/sbin/nmbd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:07:26,599 INFO Job:org.samba.winbindd main.py:267 Stopping job
2017-08-14 19:07:26,601 INFO Job:org.samba.winbindd main.py:362 Job has exited with code 15
2017-08-14 19:07:26,603 INFO Job:org.samba.winbindd main.py:217 Starting job
2017-08-14 19:07:26,610 DEBUG Job:org.samba.winbindd main.py:254 Started as PID 28093
2017-08-14 19:07:26,627 DEBUG Job:org.samba.winbindd main.py:333 Job did exec() into ['/usr/local/sbin/winbindd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:07:28,792 INFO Context main.py:652 Added job anonymous.python3.6@28094
2017-08-14 19:07:28,798 DEBUG Job:anonymous.python3.6@28094 main.py:333 Job did exec() into ['/usr/local/bin/net', 'getdomainsid']
2017-08-14 19:07:28,895 INFO Job:anonymous.net@28094 main.py:362 Job has exited with code 256
2017-08-14 19:07:30,081 INFO Job:org.samba.smbd main.py:267 Stopping job
2017-08-14 19:07:30,084 INFO Job:org.samba.smbd main.py:362 Job has exited with code 15
2017-08-14 19:07:30,086 INFO Job:org.samba.smbd main.py:217 Starting job
2017-08-14 19:07:30,091 DEBUG Job:org.samba.smbd main.py:254 Started as PID 28096
2017-08-14 19:07:30,105 DEBUG Job:org.samba.smbd main.py:333 Job did exec() into ['/usr/local/sbin/smbd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:07:30,130 INFO Job:org.samba.nmbd main.py:267 Stopping job
2017-08-14 19:07:30,132 INFO Job:org.samba.nmbd main.py:362 Job has exited with code 15
2017-08-14 19:07:30,134 INFO Job:org.samba.nmbd main.py:217 Starting job
2017-08-14 19:07:30,139 DEBUG Job:org.samba.nmbd main.py:254 Started as PID 28097
2017-08-14 19:07:30,156 DEBUG Job:org.samba.nmbd main.py:333 Job did exec() into ['/usr/local/sbin/nmbd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:07:30,182 INFO Job:org.samba.winbindd main.py:267 Stopping job
2017-08-14 19:07:30,187 INFO Job:org.samba.winbindd main.py:362 Job has exited with code 15
2017-08-14 19:07:30,190 INFO Job:org.samba.winbindd main.py:217 Starting job
2017-08-14 19:07:30,196 DEBUG Job:org.samba.winbindd main.py:254 Started as PID 28098
2017-08-14 19:07:30,214 DEBUG Job:org.samba.winbindd main.py:333 Job did exec() into ['/usr/local/sbin/winbindd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:07:30,244 INFO Context main.py:652 Added job anonymous.python3.6@28099
2017-08-14 19:07:30,252 DEBUG Job:anonymous.python3.6@28099 main.py:333 Job did exec() into ['/usr/local/bin/net', 'ads', 'join', 'crimsoncomputer.lan', '-k']
2017-08-14 19:07:31,126 INFO Job:anonymous.net@28099 main.py:362 Job has exited with code 0
2017-08-14 19:07:31,134 INFO Job:org.samba.winbindd main.py:267 Stopping job
2017-08-14 19:07:31,137 INFO Job:org.samba.winbindd main.py:362 Job has exited with code 15
2017-08-14 19:07:31,139 INFO Job:org.samba.winbindd main.py:217 Starting job
2017-08-14 19:07:31,145 DEBUG Job:org.samba.winbindd main.py:254 Started as PID 28101
2017-08-14 19:07:31,159 DEBUG Job:org.samba.winbindd main.py:333 Job did exec() into ['/usr/local/sbin/winbindd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:07:37,168 INFO Job:org.samba.winbindd main.py:362 Job has exited with code 256
2017-08-14 19:07:37,267 INFO Context main.py:652 Added job anonymous.smbd@28102
2017-08-14 19:07:37,308 INFO Context main.py:652 Added job anonymous.smbd@28103
2017-08-14 19:07:39,900 INFO Context main.py:652 Added job anonymous.smbd@28104
2017-08-14 19:07:39,901 INFO Job:anonymous.smbd@28104 main.py:362 Job has exited with code 0
2017-08-14 19:08:31,544 INFO Context main.py:652 Added job anonymous.python3.6@28106
2017-08-14 19:08:31,551 DEBUG Job:anonymous.python3.6@28106 main.py:333 Job did exec() into ['/usr/local/bin/net', 'getdomainsid']
2017-08-14 19:08:31,651 INFO Job:anonymous.net@28106 main.py:362 Job has exited with code 0
2017-08-14 19:09:00,615 INFO Job:org.samba.winbindd main.py:217 Starting job
2017-08-14 19:09:00,622 DEBUG Job:org.samba.winbindd main.py:254 Started as PID 28109
2017-08-14 19:09:00,638 DEBUG Job:org.samba.winbindd main.py:333 Job did exec() into ['/usr/local/sbin/winbindd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:09:06,676 INFO Job:org.samba.winbindd main.py:362 Job has exited with code 256
2017-08-14 19:09:18,997 INFO Job:org.samba.winbindd main.py:217 Starting job
2017-08-14 19:09:19,005 DEBUG Job:org.samba.winbindd main.py:254 Started as PID 28110
2017-08-14 19:09:19,017 DEBUG Job:org.samba.winbindd main.py:333 Job did exec() into ['/usr/local/sbin/winbindd', '--foreground', '--configfile=/usr/local/etc/smb4.conf']
2017-08-14 19:09:23,014 INFO Job:org.samba.winbindd main.py:362 Job has exited with code 256
2017-08-14 19:09:31,794 INFO Context main.py:652 Added job anonymous.python3.6@28111
2017-08-14 19:09:31,801 DEBUG Job:anonymous.python3.6@28111 main.py:333 Job did exec() into ['/usr/local/bin/net', 'getdomainsid']
2017-08-14 19:09:31,896 INFO Job:anonymous.net@28111 main.py:362 Job has exited with code 0
2017-08-14 19:10:32,048 INFO Context main.py:652 Added job anonymous.python3.6@28116
2017-08-14 19:10:32,057 DEBUG Job:anonymous.python3.6@28116 main.py:333 Job did exec() into ['/usr/local/bin/net', 'getdomainsid']
2017-08-14 19:10:32,153 INFO Job:anonymous.net@28116 main.py:362 Job has exited with code 0


Ugh.....
 
Last edited by a moderator:
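
A serviced.log like the one in the post above mixes supervisor-requested restarts with daemons that die on their own, and only the second kind points at the fault. The script below is an added example, not part of the original thread or of FreeNAS: it separates the two and reports how long each failing job ran. It assumes the logged code is a raw POSIX wait status (so 15 is SIGTERM and 256 is exit status 1); the sample lines follow the format of that log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines in the serviced.log format shown in the post above.
SAMPLE_LOG = """\
2017-08-14 19:07:26,496 INFO Job:org.samba.smbd main.py:267 Stopping job
2017-08-14 19:07:26,499 INFO Job:org.samba.smbd main.py:362 Job has exited with code 15
2017-08-14 19:07:26,501 INFO Job:org.samba.smbd main.py:217 Starting job
2017-08-14 19:07:31,139 INFO Job:org.samba.winbindd main.py:217 Starting job
2017-08-14 19:07:37,168 INFO Job:org.samba.winbindd main.py:362 Job has exited with code 256
2017-08-14 19:09:00,615 INFO Job:org.samba.winbindd main.py:217 Starting job
2017-08-14 19:09:06,676 INFO Job:org.samba.winbindd main.py:362 Job has exited with code 256
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ Job:(?P<job>\S+) \S+ "
    r"(?P<msg>Starting job|Stopping job|Job has exited with code (?P<code>\d+))$"
)

def decode_status(code):
    """Assumption: the logged code is a raw POSIX wait status."""
    sig = code & 0x7F
    return f"signal {sig}" if sig else f"exit {(code >> 8) & 0xFF}"

def unsolicited_exits(log_text):
    """Return {job: [(runtime_seconds, decoded_status), ...]} for non-zero exits
    that were not preceded by a supervisor 'Stopping job' line."""
    started, stopping = {}, set()
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # DEBUG exec() lines, Context lines, blanks
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        job = m["job"]
        if m["msg"] == "Starting job":
            started[job] = ts
            stopping.discard(job)
        elif m["msg"] == "Stopping job":
            stopping.add(job)
        else:
            code = int(m["code"])
            if job in stopping:
                stopping.discard(job)  # requested restart, not a crash
            elif code != 0:
                begin = started.get(job)
                runtime = round((ts - begin).total_seconds(), 1) if begin else None
                findings[job].append((runtime, decode_status(code)))
            started.pop(job, None)
    return dict(findings)

if __name__ == "__main__":
    for job, exits in unsolicited_exits(SAMPLE_LOG).items():
        print(job, exits)
```

A job that keeps exiting by itself a few seconds after each start, as winbindd does here, is the one whose own log or foreground output is worth chasing first.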

KLEPTOROTH

I think I might just have to reinstall FN, import my shares and set it all up again. Hopefully that will fix it...... I'd much rather know exactly what broke but... Desperate times, desperate measures. I gotta figure out how to import the docker containers now....
 
Last edited by a moderator:

anodos

Yeah, it looks like it's a middleware problem. I don't think you'll be able to get much help with that. :(
 