One thing that you may wish to check is output of

getent passwd

I vaguely recall that I needed to reconfigure nslcd to look for a non-standard attribute in the LDAP schema to determine users/groups to avoid duplicate entries.

Thanks @anodos, with the 113u1 the krb5.keytab is back, but I have some problem with the LDAP service and the NFSv4 integration. I reinstalled another server on 112u8 to compare.

Code:
Feb 28 11:37:53 fn113u1 nslcd[988]: [0b1daf] <passwd="fn113u1\nobody"> no available LDAP server found: Server is unavailable: Resource temporarily unavailable
Feb 28 11:37:53 fn113u1 nslcd[988]: [ca13fc] <passwd="FN113U1\nobody"> no available LDAP server found: Server is unavailable: Resource temporarily unavailable
Feb 28 11:37:53 fn113u1 nslcd[988]: [e65e86] <passwd="FN113U1\NOBODY"> no available LDAP server found: Server is unavailable: Resource temporarily unavailable
Feb 28 11:37:53 fn113u1 nslcd[988]: [48089a] <group/member="nobody"> no available LDAP server found: Server is unavailable
Feb 28 11:37:53 fn113u1 nslcd[988]: [48089a] <group/member="nobody"> no available LDAP server found: Server is unavailable
Feb 28 11:37:53 fn113u1 nslcd[988]: [2d312f] <group/member="nobody"> no available LDAP server found: Server is unavailable: Resource temporarily unavailable
Feb 28 11:37:53 fn113u1 nslcd[988]: [2d312f] <group/member="nobody"> no available LDAP server found: Server is unavailable: Resource temporarily unavailable
Feb 28 11:37:56 fn113u1 zfsd: ConnectToDevd: Connecting to devd.
Feb 28 11:37:56 fn113u1 zfsd: Connection to devd successful
Feb 28 11:38:35 fn113u1 collectd[1632]: plugin_load: plugin "syslog" successfully loaded.
Feb 28 11:38:35 fn113u1 collectd[1632]: plugin_load: plugin "threshold" successfully loaded.
Feb 28 11:38:35 fn113u1 collectd[1632]: plugin_load: plugin "zfs_arc" successfully loaded.
Feb 28 11:38:35 fn113u1 collectd[1632]: plugin_load: plugin "zfs_arc_v2" successfully loaded.
Feb 28 11:38:35 fn113u1 collectd[1632]: plugin_load: plugin "nfsstat" successfully loaded.
Feb 28 11:38:35 fn113u1 collectd[1632]: plugin_load: plugin "write_graphite" successfully loaded.
Feb 28 11:38:35 fn113u1 collectd[1632]: plugin_load: plugin "nut" successfully loaded.
Feb 28 11:38:35 fn113u1 collectd[1632]: type = syslog, key = LogLevel, value = err
Feb 28 11:38:41 fn113u1 nslcd[988]: [f878aa] <group/member="chris"> connected to LDAP server ldap://centos7ipa.mynet.local:389
root@fn113u1[/var/log]#

getent passwd

resulted in duplicate entries:

Code:
patty:*:347800004:347800004:patty mac:/home/patty:
cburge:*:347800001:347800001:chris burge:/home/cburge:
admin:*:347800000:347800000:Administrator:/home/admin:
admin:*:347800000:347800000:Administrator:/home/admin:
cburge:*:347800001:347800001:chris burge:/home/cburge:
patty:*:347800004:347800004:patty mac:/home/patty:
root@fn113u1[/var/log]#
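A small check for the symptom shown above, added here as an example and not code from the thread or from FreeNAS: it parses `getent passwd` output and separates harmless verbatim duplicates (the same entry served twice, as when both the main tree and the compat tree answer) from the case a defender actually needs to catch, where one login name maps to more than one UID or one UID maps to more than one login name, since a UID collision means two identities share file ownership and NFS access. The sample input is constructed from the output posted above, plus one constructed conflicting line (`backup`) to show the collision case; the function names are my own.

```python
"""Detect duplicate and conflicting entries in `getent passwd` output.

Added example, not code from the forum thread or from FreeNAS/iXsystems.
Assumes passwd-format lines (seven colon-separated fields), as printed by
`getent passwd`. Run it as a script to read `getent passwd` output from
stdin, or import it and call the functions directly.
"""
from collections import defaultdict
import sys

# Constructed sample: the duplicated output shown in the thread.
SAMPLE = """\
patty:*:347800004:347800004:patty mac:/home/patty:
cburge:*:347800001:347800001:chris burge:/home/cburge:
admin:*:347800000:347800000:Administrator:/home/admin:
admin:*:347800000:347800000:Administrator:/home/admin:
cburge:*:347800001:347800001:chris burge:/home/cburge:
patty:*:347800004:347800004:patty mac:/home/patty:
"""

# Constructed sample: two different login names sharing one UID (the
# dangerous case; the `backup` entry is invented for illustration).
CONFLICT_SAMPLE = """\
cburge:*:347800001:347800001:chris burge:/home/cburge:
backup:*:347800001:347800001:backup operator:/home/backup:
"""


def parse_passwd(text):
    """Return a list of (name, uid, gid, gecos, home, shell) tuples.

    Lines that are blank, commented, have the wrong field count, or carry a
    non-numeric uid/gid are skipped rather than raising, so a partially
    garbled `getent` run still produces a report.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        entries.append((name, int(uid), int(gid), gecos, home, shell))
    return entries


def find_duplicates(entries):
    """Classify repeated data in parsed passwd entries.

    Returns a dict with:
      'exact':         {(name, uid): count} for entries seen verbatim > 1 time
      'name_conflict': {name: [uid, ...]} for names mapped to several UIDs
      'uid_conflict':  {uid: [name, ...]} for UIDs mapped to several names
    """
    seen = defaultdict(int)
    uids_by_name = defaultdict(set)
    names_by_uid = defaultdict(set)
    for entry in entries:
        seen[entry] += 1
        uids_by_name[entry[0]].add(entry[1])
        names_by_uid[entry[1]].add(entry[0])
    return {
        "exact": {(e[0], e[1]): n for e, n in seen.items() if n > 1},
        "name_conflict": {n: sorted(u) for n, u in uids_by_name.items() if len(u) > 1},
        "uid_conflict": {u: sorted(n) for u, n in names_by_uid.items() if len(n) > 1},
    }


def main():
    # Use stdin when piped (`getent passwd | python3 this.py`), else the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    report = find_duplicates(parse_passwd(text))
    for (name, uid), count in sorted(report["exact"].items()):
        print(f"duplicate entry: {name} (uid {uid}) appears {count} times")
    for name, uids in sorted(report["name_conflict"].items()):
        print(f"NAME CONFLICT: {name} has several UIDs {uids}")
    for uid, names in sorted(report["uid_conflict"].items()):
        print(f"UID CONFLICT: uid {uid} shared by {names}")
    if not any(report.values()):
        print("no duplicate or conflicting passwd entries")


if __name__ == "__main__":
    main()
```

Verbatim duplicates are a configuration nuisance (two sources answering the same query); name or UID conflicts are an authorization problem and should be resolved before the NFS exports that rely on those UIDs are trusted.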
Source: https://www.redhat.com/archives/freeipa-users/2017-March/msg00167.html

Compat tree is just that: a tree that returns data in a format compatible with RFC2307 to clients that do not understand RFC2307bis. A second use for the compat tree is to provide unified virtual tree for clients that do not use SSSD so that both users from IPA and from trusted Active Directory forests are accessible by such 'legacy' clients. This second use case requires that you are using RFC2307 schema in your client setup and that AD users are always fully qualified (user ad domain).
@xenu Thanks for pointing out the use of base DN with "cn=compat" together with RFC2307 schema. My NFSv4 error was that, while changing configs, I had not noticed I had left off sec=krb5 on the individual FreeNAS NFS share config.

The LDAP web UI form needs some TLC and could do with a reset button which not only disables nslcd and clears the nslcd conf file, but ensures all previous field values are cleared. Currently it's too easy to get stuck with a "Simultaneous keytab and password authentication are not permitted." error even when fields are manually cleared on the web UI form.
The code path to disable LDAP automatically is related to the ldap.started check. Because of the impact of a misconfigured LDAP service on other services, we run a validation check periodically on the config, and disable the service if it fails. If you're seeing this on reboot, try running the command

midclt call ldap.started

and see if it returns a validation error.

The bind password field is one culprit. Currently a working and enabled LDAP config has to be re-enabled on re-booting FreeNAS.

Code:
root@fn113u1[~]# midclt call ldap.started
False
root@fn113u1[~]#
Basically, it looks like the UI is making no provision to clear the bind password. I have a WIP fix for this here: https://raw.githubusercontent.com/f...4/src/middlewared/middlewared/plugins/ldap.py

@anodos Not acted on your info yet, but I noticed that if you save the FreeNAS config (SYSTEM > GENERAL) when you have a working LDAP config which contained no bind password, the "ldap_bindpw" field in the directory_ldap table is not blank. Should it be?

midclt call ldap.update '{"bindpw": ""}'

which should nuke the password

What about before the reboot?

That command just returns false after a re-boot:

Code:
root@fn113u1[~]# midclt call ldap.started
False
root@fn113u1[~]#
Code:
root@fn113u1[~]# midclt call ldap.update '{"bindpw": ""}'
{"id": 1, "hostname": ["centos7ipa.mynet.local"], "basedn": "cn=compat,dc=mynet,dc=local", "binddn": "", "bindpw": " ", "anonbind": false, "kerberos_realm": 1, "kerberos_principal": "host/fn113u1.mynet.local@MYNET.LOCAL", "ssl": "ON", "certificate": null, "validate_certificates": false, "disable_freenas_cache": false, "timeout": 10, "dns_timeout": 10, "idmap_backend": "LDAP", "has_samba_schema": false, "auxiliary_parameters": "", "schema": "RFC2307", "enable": false, "uri_list": ["ldaps://centos7ipa.mynet.local:636"]}
root@fn113u1[~]#
root@fn113u1[~]# midclt call ldap.started
True
root@fn113u1[~]#

midclt call ldap.started

now shows True after boot, and klist shows the kinit command ran, where before it returned false and kinit had to be run manually. The "enabled" checkbox sticks now.

GSSAPI Error: Miscellaneous failure (see text) or directory (open(/tmp/krb5cc_0): No such file or directory)

midclt call ldap.start