AD trusts not working after updating to 11.3

sebuw

Cadet
Joined
Apr 30, 2020
Messages
1
After updating a FreeNAS 11.2-U8 test machine to 11.3-U2, it can no longer authenticate users from a trusted domain with Kerberos (only NTLM works). Every attempt at connecting to the freenas machine via \\DNSNAME fails. Using the IP of the updated freenas server works, however.

We have a two-way domain trust between USERDOMAIN and SERVERDOMAIN.USERDOMAIN, with the freenas server being on SERVERDOMAIN.USERDOMAIN and the users being on USERDOMAIN.

Running "wbinfo --online-status" after updating to 11.3-U2 produces this output:
BUILTIN : active connection
FREENAS : active connection
SERVERDOMAIN : active connection
USERDOMAIN : no active connection

However, "wbinfo -a USERDOMAIN\\user" works, but "wbinfo -K USERDOMAIN\\user" does not.

Here is the working 11.2-U8 testparm output:

# Global parameters
[global]
aio max threads = 2
deadtime = 15
disable spoolss = Yes
dns proxy = No
domain master = No
dos charset = CP437
hostname lookups = Yes
kernel change notify = No
lm announce = Yes
load printers = No
local master = No
logging = file
max log size = 51200
max open files = 7547618
multicast dns register = No
nsupdate command = /usr/local/bin/samba-nsupdate -g
preferred master = No
printcap name = /dev/null
realm = SERVERDOMAIN.USERDOMAIN
security = ADS
server min protocol = SMB2_02
server role = member server
server string = FreeNAS Server
template shell = /bin/sh
winbind cache time = 7200
winbind enum groups = Yes
winbind enum users = Yes
winbind max domain connections = 10
winbind nss info = rfc2307
winbind use default domain = Yes
workgroup = SERVERDOMAIN
idmap config userdomain : unix_primary_group = yes
idmap config userdomain : unix_nss_info = yes
idmap config userdomain : bind_path_group = cn=Users,dc=userdomain
idmap config userdomain : bind_path_user = cn=Users,dc=userdomain
idmap config userdomain : ldap_user_dn = cn=adbind,cn=Users,dc=userdomain
idmap config userdomain : ldap_base_dn = dc=userdomain
idmap config userdomain : ldap_url = ldap://ldap.userdomain
idmap config userdomain : read only = yes
idmap config userdomain : range = 100-999999
idmap config userdomain : ldap_server = stand-alone
idmap config userdomain : backend = rfc2307
idmap config serverdomain: unix_nss_info = yes
idmap config serverdomain: unix_primary_group = yes
idmap config serverdomain: schema mode = rfc2307
idmap config serverdomain: range = 1000000-90000000
idmap config serverdomain: backend = ad
idmap config *: range = 90000001-100000000
idmap config * : backend = tdb
acl allow execute always = Yes
create mask = 0666
directory mask = 0777
directory name cache size = 0
dos filemode = Yes
strict locking = No


[staff]
aio write size = 0
path = "/mnt/tank/staff"
read only = No
veto files = /.snapshot/.windows/.mac/.zfs/
vfs objects = zfs_space zfsacl streams_xattr
zfsacl:acesort = dontcare
nfs4:chown = true
nfs4:acedup = merge
nfs4:mode = special


Here is the broken 11.3-U2 testparm output:

# Global parameters
[global]
aio max threads = 2
bind interfaces only = Yes
disable spoolss = Yes
dns proxy = No
domain master = No
enable web service discovery = Yes
kerberos method = secrets and keytab
kernel change notify = No
load printers = No
local master = No
logging = file
max log size = 51200
nsupdate command = /usr/local/bin/samba-nsupdate -g
preferred master = No
realm = SERVERDOMAIN.USERDOMAIN
restrict anonymous = 2
security = ADS
server min protocol = SMB2_02
server role = member server
server string = FreeNAS Server
template shell = /bin/sh
unix extensions = No
winbind cache time = 7200
winbind max domain connections = 10
winbind nss info = rfc2307
winbind use default domain = Yes
workgroup = SERVERDOMAIN
idmap config userdomain : unix_primary_group = yes
idmap config userdomain : unix_nss_info = yes
idmap config userdomain : bind_path_group = cn=Users,dc=userdomain
idmap config userdomain : bind_path_user = cn=Users,dc=userdomain
idmap config userdomain : ldap_user_dn = cn=adbind,cn=Users,dc=userdomain
idmap config userdomain : ldap_base_dn = dc=userdomain
idmap config userdomain : ldap_url = ldap://ldap.userdomain
idmap config userdomain : read only = yes
idmap config userdomain : range = 100-999999
idmap config userdomain : ldap_server = stand-alone
idmap config userdomain : backend = rfc2307
idmap config *: range = 90000001-100000000
idmap config serverdomain: unix_primary_group = True
idmap config serverdomain: unix_nss_info = yes
idmap config serverdomain: schema_mode = rfc2307
idmap config serverdomain: range = 1000000-90000000
idmap config serverdomain: backend = ad
idmap config * : backend = tdb
allocation roundup size = 0
directory name cache size = 0
dos filemode = Yes
include = /usr/local/etc/smb4_share.conf


[staff]
aio write size = 0
ea support = No
mangled names = illegal
path = /mnt/tank/staff
read only = No
vfs objects = streams_xattr zfs_space zfsacl
nfs4:acedup = merge
nfs4:chown = true


The diff between working 11.2 and non-working 11.3 testparms:
3d2 < acl allow execute always = Yes 6,8c5,6 < create mask = 0666 < deadtime = 15 < directory mask = 0777 --- > allocation roundup size = 0 > bind interfaces only = Yes 13d10 < dos charset = CP437 14a12,13 > ea support = No > enable web service discovery = Yes 17d15 < hostname lookups = Yes 32c30 < idmap config serverdomain: schema mode = rfc2307 --- > idmap config serverdomain: schema_mode = rfc2307 34c32 < idmap config serverdomain: unix_primary_group = yes --- > idmap config serverdomain: unix_primary_group = True 35a34,35 > include = /usr/local/etc/smb4_share.conf > kerberos method = secrets and keytab 37d36 < lm announce = Yes 40a40 > mangled names = illegal 42,43d41 < max open files = 7547618 < multicast dns register = No 46d43 < nfs4:mode = special 48c45 < path = "/mnt/tank/staff" --- > path = /mnt/tank/staff 50d46 < printcap name = /dev/null 52a49 > restrict anonymous = 2 58d54 < strict locking = No 60,61c56,57 < veto files = /.snapshot/.windows/.mac/.zfs/ < vfs objects = zfs_space zfsacl streams_xattr --- > unix extensions = No > vfs objects = streams_xattr zfs_space zfsacl 63,64d58 < winbind enum groups = Yes < winbind enum users = Yes 69d62 < zfsacl:acesort = dontcare
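Review bot: the one behavioural change in this diff that lines up with the symptom (Kerberos via \\DNSNAME and `wbinfo -K` failing while NTLM via the IP and `wbinfo -a` succeed) is `> kerberos method = secrets and keytab`, which makes smbd validate service tickets against the system keytab as well as secrets.tdb; before chasing the other deltas, confirm that the keytab on the 11.3-U2 box holds current entries for the host's cifs/ and host/ SPNs with a kvno matching the computer account (`net ads keytab list`, `klist -kt`). The `< winbind enum users = Yes` / `< winbind enum groups = Yes` removals and `> restrict anonymous = 2` change enumeration and anonymous access, not ticket validation, and `unix_primary_group = yes` versus `True` is the same boolean, so they are unlikely causes of a Kerberos-only failure.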

I've attached the debug output from log.smbd when I try connecting to the fileserver "FREENAS"[10.208.192.136] after updating to 11.3-U2 from a Windows computer "WINDOWSBOX"[10.208.192.153] as USERDOMAIN\user.


If I revert back to the 11.2-U8 boot snapshot, connecting with users on the trusted domains works again.

Attachments

  • smbdebug.txt
    231.9 KB · Views: 425
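A small offline check of the kind the comparison above calls for, as an added example that is not code from the post or from FreeNAS: it parses two testparm dumps, diffs them per section while folding Samba's boolean spellings, and reports only the [global] changes that bear on Kerberos and trusted-domain lookups. The KERBEROS_RELEVANT set is an assumption, and the two dumps are constructed subsets of the outputs quoted above.

```python
# Globals to check first when Kerberos fails but NTLM works (assumption: Samba semantics).
KERBEROS_RELEVANT = {"kerberos method", "realm", "security", "workgroup",
                     "winbind enum users", "winbind enum groups",
                     "bind interfaces only", "restrict anonymous"}
_BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}  # Samba treats these alike

def parse_testparm(text):
    """Return {section: {param: value}} from testparm output (keys lower-cased)."""
    conf, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif section is not None and "=" in line and not line.startswith("#"):
            key, _, val = line.partition("=")
            # "idmap config x : k" and "idmap config x: k" name the same parameter
            key = ":".join(p.strip() for p in key.lower().split(":"))
            conf[section][key] = _BOOL.get(val.strip().lower(), val.strip())
    return conf

def diff_sections(old, new):
    """{section: {param: (old_value, new_value)}}; None means the param is absent."""
    out = {}
    for sec in set(old) | set(new):
        o, n = old.get(sec, {}), new.get(sec, {})
        changed = {k: (o.get(k), n.get(k)) for k in set(o) | set(n) if o.get(k) != n.get(k)}
        if changed:
            out[sec] = changed
    return out

def kerberos_suspects(delta):
    """Only the [global] differences that can affect Kerberos or trust lookups."""
    return {k: v for k, v in delta.get("global", {}).items() if k in KERBEROS_RELEVANT}

# Constructed subsets of the 11.2-U8 (OLD) and 11.3-U2 (NEW) dumps from the post.
OLD = """[global]
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config serverdomain: unix_primary_group = yes
"""
NEW = """[global]
security = ADS
kerberos method = secrets and keytab
restrict anonymous = 2
idmap config serverdomain : unix_primary_group = True
"""

if __name__ == "__main__":
    print(kerberos_suspects(diff_sections(parse_testparm(OLD), parse_testparm(NEW))))
```

The boolean folding is what keeps the `unix_primary_group = yes` / `True` line out of the report, so only real behavioural deltas remain.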