SOLVED Cannot reconnect to AD

Joined
Oct 11, 2018
Messages
2
Without getting into too many details, I had to build a new domain controller. The old one was trashed. The new DC is up and running with the same domain name, etc. Now I can't reconnect Freenas to Active Directory. I get an error that says MiddlewareError: Failed to reload Active Directory. I followed the steps in section 9.1.2 of the Freenas manual, but it did not help. I've rebooted Freenas and the DC. When I open the shell and run wbinfo, I see the groups from Active Directory, but not the users. Not sure if those groups are left over from the previous connection.
I'm new at Freenas and have no idea what else to try. Can anyone help?
 
Joined
Oct 11, 2018
Messages
2
I figured out the problem. I didn't notice before, but the time on the new DC was 5 hours off. I fixed the time and then I was able to connect to AD again.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
I figured out the problem. I didn't notice before, but the time on the new DC was 5 hours off. I fixed the time and then I was able to connect to AD again.

That happens more frequently than you'd think. It's the most common reason for failing to join an AD domain. :)
There are plans to have FreeNAS check these externalities when you're configuring AD integration and generate alerts.
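The check anodos describes (verify the clock offset before attempting the join) as an added example; this is not FreeNAS code or the ad_verifier.py script linked later in the thread. Kerberos rejects authenticators whose timestamp differs from the KDC's clock by more than the configured skew, 5 minutes by default (the "Maximum tolerance for computer clock synchronization" domain policy and the MIT/Heimdal clockskew default), so a DC that is hours off fails every join. The script assumes the DC answers NTP queries (Windows DCs do by default) and that `ntpdate -q` prints its usual `server ..., stratum ..., offset ..., delay ...` line; the sample output embedded below is constructed, not captured from a real host.

```python
"""Kerberos clock-skew pre-check for an AD join (added example, not FreeNAS code)."""
import re
import subprocess
import sys

MAX_SKEW_SECONDS = 300  # Kerberos default clock skew (5 minutes)

# Constructed sample of `ntpdate -q` output (not captured from a real host).
# The first line carries the offset in seconds, here roughly 5 hours behind.
SAMPLE_NTPDATE_OUTPUT = """\
server 192.0.2.10, stratum 2, offset -18000.214877, delay 0.02675
17 Nov 10:02:11 ntpdate[4711]: step time server 192.0.2.10 offset -18000.214877 sec
"""

_OFFSET_RE = re.compile(r"^server (\S+), stratum (\d+), offset (-?\d+\.\d+), delay")


def parse_ntpdate_offset(output: str) -> float:
    """Return the clock offset (seconds) reported on the first `server` line.

    Raises ValueError when no server line is present, e.g. when the DC did not
    answer NTP ("no server suitable for synchronization found").
    """
    for line in output.splitlines():
        m = _OFFSET_RE.match(line.strip())
        if m:
            return float(m.group(3))
    raise ValueError("no NTP offset found in ntpdate output")


def skew_ok(offset_seconds: float, max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """True when |offset| is inside the Kerberos clock-skew window."""
    return abs(offset_seconds) <= max_skew


def query_dc_offset(dc_host: str) -> float:
    """Run `ntpdate -q <dc>` (query only; never steps the local clock) and parse it."""
    proc = subprocess.run(["ntpdate", "-q", dc_host],
                          capture_output=True, text=True, check=False)
    return parse_ntpdate_offset(proc.stdout)


def describe(offset_seconds: float) -> str:
    """Human-readable verdict, e.g. 'offset -18000.215 s (5h 0m 0s): TOO LARGE for Kerberos'."""
    hours, rem = divmod(abs(offset_seconds), 3600)
    minutes, seconds = divmod(rem, 60)
    verdict = "OK" if skew_ok(offset_seconds) else "TOO LARGE for Kerberos"
    return (f"offset {offset_seconds:+.3f} s "
            f"({int(hours)}h {int(minutes)}m {int(seconds)}s): {verdict}")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        off = query_dc_offset(sys.argv[1])                 # live check against a DC
    else:
        off = parse_ntpdate_offset(SAMPLE_NTPDATE_OUTPUT)  # offline demo on the sample
    print(describe(off))
    sys.exit(0 if skew_ok(off) else 1)
```

Run it as `python3 skewcheck.py dc1.example.test` from the FreeNAS shell before enabling AD; a non-zero exit means fix NTP on the DC or the NAS first, since the join cannot succeed until the clocks agree.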
 

Zyrusvirus

Dabbler
Joined
May 14, 2012
Messages
23
Hi Friends. I have the same problem. My Windows system says, for example, 10:00 PM and my FreeNAS also says 10:00 PM.
When I try to connect to my AD, FreeNAS says [MiddlewareError: Active Directory failed to reload].
Could it still be the same mistake?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Hi Friends. I have the same problem. My Windows system says, for example, 10:00 PM and my FreeNAS also says 10:00 PM.
When I try to connect to my AD, FreeNAS says [MiddlewareError: Active Directory failed to reload].
Could it still be the same mistake?


If you're on FreeNAS 11.1-U6, then you can try out the following diagnostic script. Copy it to the local filesystem and run "python ad_verifier.py". It might help point to where the problem is.

Alternatively, you can run
Code:
/etc/directoryservice/ActiveDirectory/ctl start
from the command line and get a better idea about where it's failing.

https://raw.githubusercontent.com/anodos325/samba_scripts/adverify_devel/not_samba/ad_verifier.py
 

Zyrusvirus

Dabbler
Joined
May 14, 2012
Messages
23
Thanks for your tip.
I found my problem. My FreeNAS DNS name is not being resolved correctly.
I use FreeNAS-11.2-RC1.
However, I cannot solve my DNS problem; it simply does not resolve properly on the network.
 

Zyrusvirus

Dabbler
Joined
May 14, 2012
Messages
23
Hey Friends.
My DNS Error is fixed.

The Active Directory connection Error stays anyway.


 

Zyrusvirus

Dabbler
Joined
May 14, 2012
Messages
23
Does anyone have a suggestion why I can not join my AD?
 

Ckone

Dabbler
Joined
Nov 16, 2018
Messages
22
My error message is the same, but with another error message:
--------
root@freenas:/ # /etc/directoryservice/ActiveDirectory/ctl start
False
False
Join to domain is not valid: NT code 0xfffffff6
Failed to join domain: Failed to set machine spn: Constraint violation
Do you have sufficient permissions to create machine accounts?
False
winbindd not running? (check /var/run/samba4/winbindd.pid).
smbd not running? (check /var/run/samba4/smbd.pid).
nmbd not running? (check /var/run/samba4/nmbd.pid).
True
---------------
The account is the domain admin.
AD is Windows 2012R2 essentials
This appears as well directly after I did the first troubleshooting steps of the guide and verified that I have a Kerberos ticket. After this command, klist doesn't show a ticket any more, even though the file is there.
The interesting thing is that I have a second box with 11.1-U6 as well where it is working. The only difference is that the old one was upgraded while the new one is a fresh install.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Failed to join domain: Failed to set machine spn: Constraint violation
Do you have sufficient permissions to create machine accounts?
False

Typically a constraint violation when setting the machine SPN is an indication that there is already a computer object in AD with an identical Kerberos SPN entry (these have to be unique).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Does anyone have a suggestion why I can not join my AD?

If you run this sequence of commands you should get a fairly detailed description of what's going on:
1) sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"
2) service ix-hostname start
3) service ix-kerberos start
4) service ix-kinit start
5) service ix-pre-samba start
6) net -k -d 7 ads join
 

Ckone

Dabbler
Joined
Nov 16, 2018
Messages
22
Typically a constraint violation when setting the machine SPN is an indication that there is already a computer object in AD with an identical Kerberos SPN entry (these have to be unique).
Thanks. That turned out to be the solution. I forgot that I've set it on my other box as well.
 

kabutomz

Dabbler
Joined
Jul 17, 2019
Messages
11
If you're on FreeNAS 11.1-U6, then you can try out the following diagnostic script. Copy it to the local filesystem and run "python ad_verifier.py". It might help point to where the problem is.

Alternatively, you can run
Code:
/etc/directoryservice/ActiveDirectory/ctl start
from the command line and get a better idea about where it's failing.

https://raw.githubusercontent.com/anodos325/samba_scripts/adverify_devel/not_samba/ad_verifier.py

Thanks a lot. That helped me. My problem was I was using server max protocol = SMB3_11 instead of SMB3.
 

iRaven

Cadet
Joined
Jul 4, 2023
Messages
1
Having the same issue here as the above posts.
Error:
Code:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 355, in run
    await self.future
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 391, in __run_body
    rv = await self.method(*([self] + args))
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 703, in start
    await self._net_ads_join()
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 1051, in _net_ads_join
    await self._parse_join_err(netads.stdout.decode().split(':', 1))
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 1028, in _parse_join_err
    raise CallError(msg[1])
middlewared.service_exception.CallError: [EFAULT] Failed to set machine spn: Constraint violation
Do you have sufficient permissions to create machine accounts?
Attempting to join AD with an account that is a domain administrator. Server is running TrueNAS-13.0-U5.1.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Constraint violation often means that you have some other server on the network with the same kerberos SPN registered. Not even a domain admin is allowed to perform this operation because it would break the other server (TLDR version).
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
Or an active registration of the same server still in AD. If you do not remove a computer from your domain but e.g. reinstall after a crash, you need to first remove the registration in "Active Directory Users and Computers" on the DC to be able to rejoin.
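A way to locate the colliding object that anodos and Patrick describe, both for a second box registered under the same name and for a stale registration left behind by a reinstall, as an added example that is not FreeNAS/TrueNAS code. It assumes the NAS already holds a Kerberos ticket (kinit, as in the troubleshooting steps above) and uses Samba's `net ads search <ldap filter> <attribute ...>` to pull every object carrying a HOST/ SPN for the NAS name; the `attr: value` block output format and the `-k` flag (replaced by `--use-kerberos=required` in newer Samba) are assumptions about the thread's Samba version, and the embedded sample output is constructed, not captured from a real domain.

```python
"""Find AD objects that collide on a Kerberos SPN (added example, not FreeNAS/TrueNAS code).

"Failed to set machine spn: Constraint violation" means the DC refused to write
HOST/<name> onto the machine account because another object already owns that
SPN; SPNs must be unique within the forest, and no level of privilege overrides
that.  This script parses `net ads search` output (or a constructed sample when
run without arguments) and reports which objects claim the same SPN.
"""
import subprocess
import sys
from collections import defaultdict

# Attributes requested from AD; distinguishedName identifies the owning object.
ATTRS = ["distinguishedName", "dNSHostName", "servicePrincipalName"]

# Constructed sample in the `attr: value` block format assumed for `net ads search`
# (entries separated by blank lines, preceded by a "Got N replies" status line).
# A fresh install reuses the name FREENAS while the object from the previous
# install (FREENAS-OLD) still carries the same host SPN; BACKUPNAS is unrelated.
SAMPLE_OUTPUT = """\
Got 3 replies

distinguishedName: CN=FREENAS,CN=Computers,DC=example,DC=test
dNSHostName: freenas.example.test
servicePrincipalName: HOST/FREENAS
servicePrincipalName: HOST/freenas.example.test
servicePrincipalName: RestrictedKrbHost/FREENAS

distinguishedName: CN=FREENAS-OLD,CN=Computers,DC=example,DC=test
dNSHostName: freenas.example.test
servicePrincipalName: HOST/freenas.example.test
servicePrincipalName: nfs/freenas.example.test

distinguishedName: CN=BACKUPNAS,OU=Storage,DC=example,DC=test
dNSHostName: backupnas.example.test
servicePrincipalName: HOST/BACKUPNAS
servicePrincipalName: HOST/backupnas.example.test
"""


def parse_entries(output):
    """Split `attr: value` output into a list of {attr: [values]} dicts, one per entry."""
    entries, current = [], defaultdict(list)
    for raw in output.splitlines():
        line = raw.strip()
        if not line:                       # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("Got ") or ":" not in line:
            continue                       # status line or junk
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def spn_collisions(entries):
    """Map each SPN (compared case-insensitively, as AD does) to the DNs holding it,
    keeping only SPNs owned by more than one object."""
    owners = defaultdict(set)
    for e in entries:
        dn = e.get("distinguishedName", ["<no DN>"])[0]
        for spn in e.get("servicePrincipalName", []):
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def query_spns(nas_host):
    """Live lookup; needs a valid Kerberos ticket (kinit) on this box."""
    short = nas_host.split(".")[0]
    ldap_filter = f"(servicePrincipalName=HOST/{short}*)"
    proc = subprocess.run(["net", "-k", "ads", "search", ldap_filter, *ATTRS],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    raw = query_spns(sys.argv[1]) if len(sys.argv) == 2 else SAMPLE_OUTPUT
    dupes = spn_collisions(parse_entries(raw))
    if not dupes:
        print("no SPN collisions found")
    for spn, dns in dupes.items():
        print(f"SPN {spn} is claimed by {len(dns)} objects:")
        for dn in dns:
            print(f"    {dn}")
    sys.exit(1 if dupes else 0)
```

On the sample this reports `host/freenas.example.test` as claimed by both CN=FREENAS and CN=FREENAS-OLD, which is exactly the stale object to delete in "Active Directory Users and Computers" (or whose SPN to remove) before rejoining. From the DC side, `setspn -X` performs the same forest-wide duplicate search.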
 