
Can't join Active Directory, Failed to validate bind credentials: [EFAULT] timed out

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
6,064
You can PM me /var/log/middlewared.log. This is probably a case of the LDAP bind timing out. We set the NETWORK_TIMEOUT value for ldap.conf based on "dns_timeout". ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, self.ad['dns_timeout']). You can try increasing it.
 
Joined
Feb 13, 2020
Messages
8
Hi, Bro!

/var/log/middlewared.log
(DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf

What can I try, bro?
 
Joined
Feb 13, 2020
Messages
4
Hi, anodos

AD Timeout, DNS Timeout up to 60.

The problems remain:

[2020/02/14 11:16:10] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
[2020/02/14 11:28:55] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
[2020/02/14 11:30:33] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
[2020/02/14 11:31:13] (DEBUG) ServiceService._simplecmd():287 - Calling: start(ssh)
[2020/02/14 11:31:13] (DEBUG) EtcService.generate():274 - No new changes for /etc/local/ssh/sshd_config
[2020/02/14 11:31:40] (DEBUG) ServiceService._simplecmd():287 - Calling: reload(ssh)
[2020/02/14 11:37:19] (DEBUG) ServiceService._simplecmd():287 - Calling: start(lldp)
[2020/02/14 11:37:34] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
[2020/02/14 11:37:40] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
[2020/02/14 11:38:06] (DEBUG) ServiceService._simplecmd():287 - Calling: stop(lldp)
[2020/02/14 11:39:02] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
 


tfili

Newbie
Joined
Dec 20, 2017
Messages
10
What about DNS entries for the domain? Are you able to ping the domain? ... not the AD
Do you use the AD as the first nameserver?

Have you tried to join from the CLI with net ads join -U adminuser?
 
Joined
Feb 13, 2020
Messages
8
I can send a ping correctly.
My AD is the first nameserver.

net ads join -U freenasadmin:
Failed to join domain: This operation is only allowd for the PDC of the domain
My AD is the PDC.
 

tfili

Newbie
Joined
Dec 20, 2017
Messages
10
Is it possible to get a Kerberos ticket? : kinit freenasadmin

What about firewall-related problems?
Is the ESXi in the same network / VLAN as the AD, or do you use NAT?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
6,064
Turn on "verbose logging", and run the following commands:
midclt call activedirectory.update '{"enable": false}'
midclt call activedirectory.update '{"enable": true}'
and upload the middlewared log.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
6,064
Try the following:
midclt call activedirectory.update '{"enable": false}'
midclt call activedirectory.update '{"enable": true, "verbose_logging": true, "dns_timeout": 30}'
This looks suspiciously like we're hitting a timeout for middleware calls. If this is the case then it looks like the environment is taking over 60 seconds to complete an LDAP bind. You may want to also review logs on your AD DC.
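
Added example, not part of the original thread and not middlewared's own code: a stdlib-only Python probe that times name resolution, the TCP connect and an anonymous LDAP bind against a DC, to show which stage eats the time when a bind "times out". The names `time_bind`, `network_timeout` and `budget` (defaulting to the 60-second figure mentioned above) and the hostname `dc1.example.test` are assumptions.

```python
import socket
import time

# LDAPv3 anonymous simple BindRequest, messageID 1 (RFC 4511), BER-encoded.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")

def _tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, common in AD replies
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def parse_bind_result(resp):
    """Return the resultCode of a BindResponse (0 = success)."""
    _, pos, _ = _tlv(resp, 0)               # LDAPMessage SEQUENCE
    _, _, pos = _tlv(resp, pos)             # messageID INTEGER (skipped)
    tag, pos, _ = _tlv(resp, pos)           # protocolOp
    if tag != 0x61:
        raise ValueError("not a BindResponse: tag 0x%02x" % tag)
    _, start, end = _tlv(resp, pos)         # resultCode ENUMERATED
    return int.from_bytes(resp[start:end], "big")

def time_bind(host, port=389, network_timeout=10.0, budget=60.0):
    """Time resolve, TCP connect and anonymous bind; name the stage that fails."""
    stages, stage, t0 = {}, "resolve", time.monotonic()
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][:2]
        stages[stage] = time.monotonic() - t0
        stage, t1 = "connect", time.monotonic()
        with socket.create_connection(addr, timeout=network_timeout) as s:
            stages[stage] = time.monotonic() - t1
            stage, t2 = "bind", time.monotonic()
            s.sendall(ANON_BIND)
            code = parse_bind_result(s.recv(4096))
            stages[stage] = time.monotonic() - t2
    except (OSError, ValueError, IndexError) as exc:   # timeouts are OSError
        return {"ok": False, "failed_stage": stage, "error": repr(exc),
                "stages": stages}
    total = sum(stages.values())
    return {"ok": code == 0, "result_code": code, "stages": stages,
            "within_budget": total <= budget}

if __name__ == "__main__":
    print(time_bind("dc1.example.test"))    # placeholder hostname (assumption)
```

A `failed_stage` of `resolve` or `connect` points at DNS or the network path rather than at credentials; a slow `bind` stage points at the DC itself.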
 
Joined
Feb 3, 2020
Messages
3
Acarmona, did you ever get this to work? I had similar issues but never got it to work. But it worked fine on 11.2.7.
 