BUG: krb5.conf not getting updated with options from "Libdefaults Auxiliary Parameters"

eshwayri

Opened a bug report for this (NAS-102204), but curious if anyone else has seen this and/or if there is some upgrade related setting that triggers this. I saw this after upgrading from 9.10 to 11.2.

My domain is still Windows 2003 so I have to append "allow_weak_crypto = true" to the krb5.conf file under libdefaults. I have the appropriate line added in the GUI under Directory Services / Kerberos Settings in the "Libdefaults auxiliary parameters" box. Under 9.10 I had no issues, but when I upgraded to FreeNAS 11.2 I could suddenly no longer start directory services. Looking at the krb5.conf file from the console, I can see that it isn't adding the proper line. When I try to start from the command line I get:
root@riva:~ # /etc/directoryservice/ActiveDirectory/ctl start
False
kinit: krb5_get_init_creds: KDC has no support for encryption type

I tried manually editing the file, but quickly found it gets over-written on every start. Since I am rather stubborn, I edited it AND did a chattr to make the file immutable. With the line where it's supposed to be and running the same command I get:

root@riva:/etc/rc.d # chattr +i /etc/krb5.conf
root@riva:/etc/rc.d # /etc/directoryservice/ActiveDirectory/ctl start
False
[Errno 1] Operation not permitted: '/etc/krb5.conf'
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 166, in call_method
    result = await self.middleware.call_method(self, message)
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 1097, in call_method
    return await self._call(message['method'], serviceobj, methodobj, params, app=app, io_thread=False)
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 1045, in _call
    return await methodobj(*args)
  File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/etc.py", line 153, in generate
    with open(outfile, 'w') as f:
PermissionError: [Errno 1] Operation not permitted: '/etc/krb5.conf'
True
Join is OK
False
True

Everything now starts as it should; the new "errors" above are expected with the file being immutable. Under services SMB is starting now as expected, and I can browse and use my shares as needed. I shouldn't have to do this work-around to get it running. Something is wrong about how it updates the krb5.conf file before starting the service.
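
An added example, not part of the original post and not FreeNAS code: a small check that reports which lines from the "Libdefaults auxiliary parameters" box are missing from the [libdefaults] section of a generated krb5.conf. The function names, the EXAMPLE.LOCAL realm and the sample file contents are constructed for illustration.

```python
import re

def parse_libdefaults(text):
    """Return {key: value} for top-level relations in [libdefaults] only."""
    section, depth, found = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1).strip().lower()
        elif line.endswith("{"):                  # nested block, e.g. a realm
            depth += 1
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return found

def missing_aux_params(krb5_text, aux_text):
    """Aux parameters (as typed in the GUI box) absent or different in krb5.conf."""
    have = parse_libdefaults(krb5_text)
    want = parse_libdefaults("[libdefaults]\n" + aux_text)
    return {k: v for k, v in want.items() if have.get(k, "").lower() != v.lower()}

# Constructed sample: the option appears only inside a realm block, so it
# must not be counted as a [libdefaults] setting.
GENERATED = """\
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_kdc = true

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
        allow_weak_crypto = true
    }
"""
# Constructed sample of the file as it should look once the aux line is written.
FIXED = GENERATED.replace("[libdefaults]\n",
                          "[libdefaults]\n    allow_weak_crypto = true\n", 1)
AUX_BOX = "allow_weak_crypto = true"

if __name__ == "__main__":
    print("generated:", missing_aux_params(GENERATED, AUX_BOX))
    print("fixed:    ", missing_aux_params(FIXED, AUX_BOX))
```

Because the file is rewritten on every start, the check is only meaningful when run against /etc/krb5.conf after the directory service start has regenerated it.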