AD Join with Subdomains not working

Status
Not open for further replies.

SeyBirk

Cadet
Joined
Sep 10, 2017
Messages
2
Hi Forum,

This is my first post here and I want to say thanks for this very feature-rich product!

I'd like to use it in our company as a replacement for a commercial NAS solution, therefore it is crucial to connect it to the corporate AD.

The AD consists of a root domain with several subdomains; the domain join should happen against the root domain, but most users are located in the subdomains.

I've created a computer object in the root domain and a service account with full permissions on this computer object, also a corresponding keytab file has been created. This keyfile is uploaded under "Kerberos Keytabs", under Kerberos Realms I've added the Realm of the root domain.
Within the "Active Directory" settings I put in the service account as "Domain Account Name", selected the corresponding Kerberos Realm and Kerberos Principal, unchecked "Use Default Domain" and checked "Allow Trusted Domains" and "UNIX extensions" and tried several "Idmap backend" settings. User/Group caching setting does not make any difference as well.

Now, when I enable the domain or start the cachetool, there is an error getting the data from the SUBDOMAIN.

Can somebody point me in the right direction please?

Thanks
SeyBirk

Running FreeNAS 11U4

Output from /var/log/messages during the domain join:

Sep 28 14:24:25 freenas01 ActiveDirectory: kerberos_status: klist -t
Sep 28 14:24:25 freenas01 ActiveDirectory: kerberos_status: Successful
Sep 28 14:24:26 freenas01 ActiveDirectory: activedirectory_status: checking status
Sep 28 14:24:26 freenas01 ActiveDirectory: AD_status_domain: net -k ads status rootdomain.com
Sep 28 14:24:27 freenas01 ActiveDirectory: AD_status_domain: Okay
Sep 28 14:24:30 freenas01 ActiveDirectory: /usr/sbin/service ix-hostname quietstart
Sep 28 14:24:31 freenas01 ActiveDirectory: /usr/sbin/service ix-kerberos quietstart default ROOTDOMAIN.COM
Sep 28 14:24:33 freenas01 ActiveDirectory: /usr/sbin/service ix-nsswitch quietstart
Sep 28 14:24:33 freenas01 ActiveDirectory: /usr/sbin/service ix-ldap quietstart
Sep 28 14:24:33 freenas01 ActiveDirectory: /usr/sbin/service ix-kinit quietstart
Sep 28 14:24:34 freenas01 ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable -t /etc/kerberos/freenas01.keytab -k host/freenas01.rootdomain.com@ROOTDOMAIN.COM
Sep 28 14:24:34 freenas01 ActiveDirectory: kerberos_start: Successful
Sep 28 14:24:34 freenas01 ActiveDirectory: /usr/sbin/service ix-kinit status
Sep 28 14:24:35 freenas01 ActiveDirectory: kerberos_status: klist -t
Sep 28 14:24:35 freenas01 ActiveDirectory: kerberos_status: Successful
Sep 28 14:24:35 freenas01 ActiveDirectory: /usr/sbin/service ix-sssd start
Sep 28 14:24:37 freenas01 ActiveDirectory: /usr/sbin/service sssd onestart
Sep 28 14:24:37 freenas01 root: /usr/local/etc/rc.d/sssd: WARNING: /usr/local/etc/sssd/sssd.conf is not readable.
Sep 28 14:24:37 freenas01 root: /usr/local/etc/rc.d/sssd: WARNING: failed precmd routine for sssd
Sep 28 14:24:37 freenas01 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Sep 28 14:24:40 freenas01 ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
Sep 28 14:24:43 freenas01 ActiveDirectory: activedirectory_start: checking if we are joined already
Sep 28 14:24:43 freenas01 ActiveDirectory: AD_testjoin_domain: net -k ads testjoin rootdomain.com -S dc04.rootdomain.com -p 389
Sep 28 14:24:45 freenas01 ActiveDirectory: AD_testjoin_domain: Successful
Sep 28 14:24:45 freenas01 ActiveDirectory: activedirectory_start: skipping join, already joined
Sep 28 14:24:45 freenas01 ActiveDirectory: /usr/sbin/service ix-activedirectory status
Sep 28 14:24:46 freenas01 ActiveDirectory: activedirectory_status: checking status
Sep 28 14:24:46 freenas01 ActiveDirectory: AD_status_domain: net -k ads status rootdomain.com
Sep 28 14:24:47 freenas01 ActiveDirectory: AD_status_domain: Okay
Sep 28 14:24:47 freenas01 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Sep 28 14:24:51 freenas01 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Sep 28 14:24:55 freenas01 ActiveDirectory: /usr/sbin/service ix-pam quietstart
Sep 28 14:24:56 freenas01 ActiveDirectory: /usr/sbin/service ix-cache quietstart &
Sep 28 14:25:13 freenas01 /cachetool.py: [common.freenasusers:335] Directory Users could not be retrieved: {'desc': 'Referral', 'info': 'Referral:\nldap://SUBDOMAIN.ROOTDOMAIN.com/DC=SUBDOMAIN,DC=ROOTDOMAIN,DC=com'}
Traceback (most recent call last):
File "/usr/local/www/freenasUI/common/freenasusers.py", line 332, in __init__
self.__users = dir(**kwargs)
File "/usr/local/www/freenasUI/common/freenasldap.py", line 2594, in __init__
self.__get_users()
File "/usr/local/www/freenasUI/common/freenasldap.py", line 2697, in __get_users
ad_users = self.get_users()
File "/usr/local/www/freenasUI/common/freenasldap.py", line 2187, in get_users
self.dchandle, self.basedn, scope, filter, self.attributes
File "/usr/local/www/freenasUI/common/freenasldap.py", line 1848, in _search
clientctrls, timeout, sizelimit
File "/usr/local/www/freenasUI/common/freenasldap.py", line 428, in _search
id, resp_ctrl_classes=paged_ctrls
File "/usr/local/lib/python3.6/site-packages/l
Sep 28 14:25:13 freenas01 /cachetool.py: dap/ldapobject.py", line 680, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 687, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 263, in _ldap_call
result = func(*args,**kwargs)
ldap.REFERRAL: {'desc': 'Referral', 'info': 'Referral:\nldap://SUBDOMAIN.ROOTDOMAIN.com/DC=SUBDOMAIN,DC=ROOTDOMAIN,DC=com'}
Sep 28 14:25:41 freenas01 /cachetool.py: [common.freenasusers:217] Directory Groups could not be retrieved: {'desc': 'Referral', 'info': 'Referral:\nldap://SUBDOMAIN.ROOTDOMAIN.com/DC=SUBDOMAIN,DC=ROOTDOMAIN,DC=com'}
Sep 28 14:25:42 freenas01 ActiveDirectory: kerberos_status: klist -t
Sep 28 14:25:42 freenas01 ActiveDirectory: kerberos_status: Successful
Sep 28 14:25:43 freenas01 ActiveDirectory: activedirectory_status: checking status
Sep 28 14:25:43 freenas01 ActiveDirectory: AD_status_domain: net -k ads status rootdomain.com
Sep 28 14:25:44 freenas01 ActiveDirectory: AD_status_domain: Okay


Samba-wise it looks quite OK:

root@freenas01:~ # wbinfo -t
checking the trust secret for domain ROOTDOMAIN via RPC calls succeeded

root@freenas01:~ # wbinfo -D ROOTDOMAIN
Name : ROOTDOMAIN
Alt_Name : ROOTDOMAIN.com
SID : S-1-5-21-1719516974-4151221516-4053140022
Active Directory : Yes
Native : Yes
Primary : Yes

root@freenas01:~ # wbinfo -D SUBDOMAIN
Name : SUBDOMAIN
Alt_Name : SUBDOMAIN.ROOTDOMAIN.com
SID : S-1-5-21-676079285-2602053330-1765456227
Active Directory : Yes
Native : No
Primary : No

root@freenas01:~ # ls -l /usr/local/etc/sssd/
total 4
-rw-r--r-- 1 root wheel 1909 Sep 28 13:14 sssd.conf.sample
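The REFERRAL in the cachetool traceback above is what python-ldap raises when libldap chases the child-domain referral itself (anonymously) and that rebind fails. As an added example, not FreeNAS or python-ldap code, the block below shows the alternative: run the search with referral chasing disabled (`ldap.OPT_REFERRALS` set to 0) so the DC's continuation references come back as `(None, [urls])` result entries, then follow them under the client's own authenticated session, once per naming context and only to hosts inside the joined forest. The search backend is an injected callable backed by a constructed two-domain forest using the thread's host and DN names, so it runs offline.

```python
# Added example (not FreeNAS code): walk AD continuation references ourselves.
import re
from urllib.parse import urlparse

LDAP_URL_RE = re.compile(r"ldaps?://\S+", re.IGNORECASE)

def referral_urls_from_info(info):
    """Pull the LDAP URL(s) out of python-ldap's REFERRAL 'info' string."""
    return LDAP_URL_RE.findall(info)
def parse_ldap_url(url):
    """'ldap://Host/DC=a,DC=b' -> ('host', 'DC=a,DC=b'); urlparse lowercases the host."""
    u = urlparse(url)
    if u.scheme.lower() not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    return u.hostname, u.path.lstrip("/")
def host_in_forest(host, forest_suffix):
    """Follow referrals only to DCs under the joined forest's DNS name."""
    h, s = host.lower(), forest_suffix.lower()
    return h == s or h.endswith("." + s)

def collect_forest_entries(search, host, base_dn, filt, forest_suffix, max_hops=8):
    """search() returns python-ldap result data as with OPT_REFERRALS=0:
    (dn, attrs) for entries, (None, [urls]) for continuation references."""
    pending, seen, entries = [(host, base_dn)], set(), []
    while pending:
        host, base_dn = pending.pop(0)
        key = (host.lower(), base_dn.lower())
        if key in seen:  # each naming context is searched once
            continue
        if len(seen) >= max_hops:
            raise RuntimeError("more than %d naming contexts referenced" % max_hops)
        if not host_in_forest(host, forest_suffix):
            raise ValueError("refusing referral outside forest: %s" % host)
        seen.add(key)
        for dn, value in search(host, base_dn, filt):
            if dn is None:  # search continuation reference, not an entry
                pending.extend(parse_ldap_url(u) for u in value)
            else:
                entries.append((dn, value))
    return entries

# Constructed forest: what an authenticated search_s would return on each DC.
FOREST = {
    ("dc04.rootdomain.com", "dc=rootdomain,dc=com"): [
        ("CN=alice,CN=Users,DC=ROOTDOMAIN,DC=com", {"sAMAccountName": [b"alice"]}),
        (None, ["ldap://SUBDOMAIN.ROOTDOMAIN.com/DC=SUBDOMAIN,DC=ROOTDOMAIN,DC=com"])],
    ("subdomain.rootdomain.com", "dc=subdomain,dc=rootdomain,dc=com"): [
        ("CN=bob,CN=Users,DC=SUBDOMAIN,DC=ROOTDOMAIN,DC=com", {"sAMAccountName": [b"bob"]})]}
def fake_search(host, base_dn, filt):
    return FOREST[(host.lower(), base_dn.lower())]
```

For forest-wide lookups that only need the attributes replicated to the Global Catalog, querying a GC (port 3268) avoids continuation references altogether; the walk above is for searches that need the full attribute set from each domain.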
 

dlavigne

Guest
Were you able to resolve this? If not, it might be a bug. If you create a bug report at bugs.freenas.org, post the issue number here.
 

SeyBirk

Cadet
Joined
Sep 10, 2017
Messages
2
Unfortunately not. Should I gather any further details?
Is it normal that in an AD-joined environment SSSD is not running / the SSSD config file does not exist?

Thanks
SeyBirk
 

dlavigne

Guest
You can include a debug (System -> Advanced -> Save Debug) in your bug report to assist the dev in diagnosing the issue.
 

4711

Cadet
Joined
Mar 24, 2017
Messages
1
Hi,
If it can be of any help, I was configuring a kerberized AD directory service with a keytab and had the same issue related to the file /usr/local/etc/sssd/sssd.conf not being readable. Some debugging revealed that sssd.conf was not generated due to problems with /usr/local/libexec/nas/generate_sssd_conf.py. E.g.,

"AttributeError: 'dict' object has no attribute 'netbiosname'".

The following patch appears to have resolved the problem for me. sssd.conf is now generated and domain join succeeds.

Code:
--- /usr/local/libexec/nas/generate_sssd_conf.py.orig   2017-12-01 23:24:25.427771685 +0100
+++ /usr/local/libexec/nas/generate_sssd_conf.py		2017-12-01 23:44:18.678151850 +0100
@@ -741,7 +741,7 @@
	 ad = client.call('notifier.directoryservice', 'AD')
	 use_ad_provider = False

-	ad_cookie = ad.netbiosname
+	ad_cookie = ad['netbiosname']
	 ad_domain = 'domain/%s' % ad_cookie

	 ad_section = None
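Review bot: `ad_cookie = ad['netbiosname']` is the right fix given the `'dict' object has no attribute 'netbiosname'` error, but the mechanical switch to subscript access means any key the `client.call('notifier.directoryservice', 'AD')` result omits now raises KeyError and aborts sssd.conf generation, which surfaces only as the rc script's "sssd.conf is not readable" warning. Suggest a short comment above the `ad = client.call(...)` line stating that the call returns a plain dict, and an explicit check (for example `if not ad: raise RuntimeError('no AD configuration')`) before `ad_cookie = ad['netbiosname']` so an empty or missing configuration fails with a clear message.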
@@ -779,7 +779,7 @@

	 __, hostname, __ = os.uname()[0:3]

-	if ad.keytab_file and ad.keytab_principal:
+	if ad['keytab_file'] and ad['keytab_principal']:
		 use_ad_provider = True

	 if use_ad_provider:
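Review bot: `if ad['keytab_file'] and ad['keytab_principal']:` turns two optional settings into mandatory keys; when no keytab is configured and either key is absent from the dict, this line raises KeyError instead of falling through to the non-keytab branch. `ad.get('keytab_file') and ad.get('keytab_principal')` keeps the same truthiness test while tolerating absent keys.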
@@ -791,7 +791,7 @@
				 d[key] = 'ad'

		 ad_section.ad_hostname = hostname
-		ad_section.ad_domain = ad.domainname
+		ad_section.ad_domain = ad['domainname']
		 ad_section.ldap_id_mapping = False

	 for d in ad_defaults:
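Review bot: `ad_section.ad_hostname = hostname`, taken from `os.uname()` a few lines up, may be the short host name, while the keytab principal used for the join in the original logs is `host/freenas01.rootdomain.com@ROOTDOMAIN.COM`; sssd's `ad_hostname` should be the fully qualified name that matches the keytab, so it is worth confirming that the value written here is the FQDN and not just `freenas01`. The `ad['domainname']` change itself is consistent with the other hunks.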
@@ -827,12 +827,12 @@
 #		ad_section.krb5_canonicalize = 'false'

	 else:
-		ad_section.ldap_uri = "ldap://%s" % ad.dchost
-		ad_section.ldap_search_base = ad.basedn
+		ad_section.ldap_uri = "ldap://%s" % ad['dchost']
+		ad_section.ldap_search_base = ad['basedn']

-		ad_section.ldap_default_bind_dn = ad.binddn
+		ad_section.ldap_default_bind_dn = ad['binddn']
		 ad_section.ldap_default_authtok_type = 'password'
-		ad_section.ldap_default_authtok = ad.bindpw
+		ad_section.ldap_default_authtok = ad['bindpw']

	 sc[ad_domain] = ad_section
	 sc['sssd'].add_domain(ad_cookie)
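Review bot: `ad_section.ldap_default_authtok = ad['bindpw']` writes the bind account's cleartext password into sssd.conf, and `ad_section.ldap_uri = "ldap://%s" % ad['dchost']` sends it over plain LDAP unless StartTLS is enabled; the generator should therefore create the file root-owned with mode 0600 (the rc script's readability check in the original logs suggests it already cares about the file's mode), and this branch should set `ldap_id_use_start_tls` or use an `ldaps://` URI. The dict-access changes in this hunk match the preceding ones.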


For the record, I first observed the issue with FreeNAS 9.10.2-U1. The patch above is against FreeNAS 11.0-U4. I have long intended to report the issue, but too many other things have come in between :-(

Thanks!
/magnus
 

dlavigne

Guest

Please post the ticket number once you have a chance to report it. Thanks!
 