Can't join Active Directory, Failed to validate bind credentials: [EFAULT] timed out

Gremlin

Dabbler
Joined
Jun 30, 2018
Messages
10
Didn't disable Time (as it's kinda important) but was running Dimension 4 to keep better time, and reviewing the time service, it was indeed disabled. I've started it, but on further testing I suspect the server isn't letting time requests through (UDP 123). Opened it on the firewall, and a Win10 machine will update its time with net time, but a Unifi USG (Linux based) won't update either... so I did some more digging on the Server 2016 DC.

Easiest step is turning off the firewall to begin with (is it ruining your life). Yep. Double check NTP rule (it's a default one), couldn't see anything amiss (right scope, port, all profiles - domain/private/public) but wrote a new rule anyway. Sure enough, FreeNAS could now add the IP as an NTP server (and the Unifi USG was also happy). Not sure exactly what I need to run in shell, but using "ntpdate -q IPofServer" got me "no server suitable for sync..."

Then I went back to Directory Services / Active Directory, and it joined to the domain successfully (firewall on and off), so thanks anodos! Using the Monitor in the top right of the webGUI and it shows Active Directory as Healthy.

Chucked in all the steps I did in case it helps someone else.

(off to bed as it's almost 0130, but will check in tomorrow)
 

Julien.guay

Cadet
Joined
Mar 17, 2020
Messages
9
Whatever configuration I enter in the UI, it seems like the smb4.conf is missing several parameters, such as workgroup not changing and realm missing.
Using net ads join does work for me if I modify the smb4.conf.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Whatever configuration I enter in the UI, it seems like the smb4.conf is missing several parameters, such as workgroup not changing and realm missing.
Using net ads join does work for me if I modify the smb4.conf.
Realm is only added if the AD service is enabled. Workgroup, site, etc should be auto-detected.
 

guemi

Dabbler
Joined
Apr 16, 2020
Messages
48
I did have issues joining my NAS to the Windows domain as well; I had to set the DC as my NTP server. Regardless of the time being the same with the FreeBSD-provided NTP, it still would time out. So definitely worth trying.

FWIW, settings are attached that worked.
 

Attachment: nassettings.png

guemi

Dabbler
Joined
Apr 16, 2020
Messages
48
Very strange, after a reboot however the Directory Service Monitor is now saying that Active Directory FAULTED and when looking at the Active Directory settings, I am now unable to specify username and password.

Anyone had anything familiar happen?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Very strange, after a reboot however the Directory Service Monitor is now saying that Active Directory FAULTED and when looking at the Active Directory settings, I am now unable to specify username and password.

Anyone had anything familiar happen?
You have a kerberos keytab selected. If you deselect, you will be able to set a username and password.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Ah ok. Would this have to do with the AD suddenly stopping working after reboot?
No. That's a separate issue. Failing to start on reboot could be caused by a number of reasons. Our middleware only really communicates with AD during the initial domain join, once this is done, all remaining AD interaction is handed off to winbindd. If we're timing out on trying to kinit in your environment, then that's probably worth taking a close look at your AD environment and DNS.
 

LuMex91

Cadet
Joined
May 1, 2020
Messages
1
Hello @All,

I am hung up on AD join:

My setup:
FreeNAS-11.3-U2.1
Server 2019 Standard as a DC

I can join my Active Directory, but if I restart my FreeNAS the domain join is broken and always shows faulted.

Thanks for your help
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Hello @All,

I am hung up on AD join:

My setup:
FreeNAS-11.3-U2.1
Server 2019 Standard as a DC

I can join my Active Directory, but if I restart my FreeNAS the domain join is broken and always shows faulted.

Thanks for your help
Are you sure it's broken? There's a race bug where it can get stuck showing a "faulted" state after a reboot. midclt call cache.pop DS_STATE followed by midclt call directoryservices.get_state.
 

EJacobowitz

Cadet
Joined
Apr 4, 2019
Messages
9
I am also hung up on joining to the domain using the Active Directory service.
New test Windows Server 2019 Standard. I was able to install Windows 10 and join it to the domain with no issue.
I confirmed FreeNAS has correct DNS and can ping the AD server (both FQDN and just the domain). I also confirmed the time is within the same minute between FreeNAS and the PDC. I get the alert faulted as you mention above, but I am also getting the following error in Event Viewer on the Windows server (see below). If I change the way I add the account setting in FreeNAS I get an error right away that it can't log in, where the other way accepts my input, so I assume it is correct. Any help is appreciated.
---------------

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: FREENAS$
Account Domain: COMPUCADE

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: FREENAS
Source Network Address: <Myipaddresswenthere>
Source Port: 48167

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
 

Gremlin

Dabbler
Joined
Jun 30, 2018
Messages
10
What is the error you get on FreeNAS if you set the username and password correctly?
Is the Windows Time service running on the server?
Can you try using Shell in FreeNAS to sync time with the server? If you run into issues, try disabling the firewall as a first test.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I am also hung up on joining to the domain using the Active Directory service.
New test Windows Server 2019 Standard. I was able to install Windows 10 and join it to the domain with no issue.
I confirmed FreeNAS has correct DNS and can ping the AD server (both FQDN and just the domain). I also confirmed the time is within the same minute between FreeNAS and the PDC. I get the alert faulted as you mention above, but I am also getting the following error in Event Viewer on the Windows server (see below). If I change the way I add the account setting in FreeNAS I get an error right away that it can't log in, where the other way accepts my input, so I assume it is correct. Any help is appreciated.
---------------

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: FREENAS$
Account Domain: COMPUCADE

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: FREENAS
Source Network Address: <Myipaddresswenthere>
Source Port: 48167

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
This indicates that we tried to use an account associated with the AD computer object for our server (hence the server name followed by the "$"). The account didn't exist in AD and so it failed. U2.1 can get stuck in this state due to stored credentials in samba's secrets.tdb. A typical case where this might happen is someone joins AD, encounters an issue, and in troubleshooting decides to delete the AD computer object and re-join AD. It will be fixed in 11.3, but in the meantime try the following:

1. Disable AD
2. Remove AD_MACHINE_ACCOUNT kerberos keytab on FN server
3. rm /var/db/system/samba4/private/secrets.tdb
4. net cache flush
5. Enter credentials in AD form and enable AD service.
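The 4625 event EJacobowitz pasted and anodos's reading of it (a FREENAS$ machine-account logon that fails because the computer object no longer exists) can be checked mechanically. The following is an added example written for this thread, not FreeNAS/TrueNAS code: a small Python parser that takes an Event Viewer 4625 text dump, pulls the account, Status and Sub Status fields, and says whether the failure is a missing computer object (Sub Status 0xC0000064, STATUS_NO_SUCH_USER) or a computer object whose stored machine password no longer matches (0xC000006A, STATUS_WRONG_PASSWORD). The NTSTATUS meanings are the documented Windows values; the sample event is constructed from the fields shown in the thread, with a documentation-range IP in place of the redacted address.

```python
"""Classify a Windows Security event 4625 ("An account failed to log on")
pasted from Event Viewer. Added example for this thread, not FreeNAS code.
SAMPLE_EVENT is constructed from the fields posted above (IP is a placeholder)."""
import re

# Well-known NTSTATUS values reported in the Status / Sub Status fields.
STATUS_TEXT = {
    0xC000006D: "STATUS_LOGON_FAILURE (bad user name or password)",
    0xC0000064: "STATUS_NO_SUCH_USER (account does not exist)",
    0xC000006A: "STATUS_WRONG_PASSWORD (account exists, password wrong)",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

SAMPLE_EVENT = """\
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: FREENAS$
Account Domain: COMPUCADE

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Network Information:
Workstation Name: FREENAS
Source Network Address: 192.0.2.10
Source Port: 48167

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM

This event is generated when a logon request fails.
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()-]*):\s*(.*)$")


def parse_event_4625(text):
    """Return {section: {field: value}}. A 'Name:' line with no value opens a
    new section; lines that are not 'Name: value' (the prose) are skipped."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        name, value = m.group(1).strip(), m.group(2).strip()
        if value == "":
            current = name
            sections.setdefault(current, {})
        else:
            sections.setdefault(current, {})[name] = value
    return sections


def _field(sections, name, section=None):
    """Look a field up, preferring the named section when one is given."""
    if section is not None and name in sections.get(section, {}):
        return sections[section][name]
    for fields in sections.values():
        if name in fields:
            return fields[name]
    return None


def classify_4625(text):
    """Summarise the event and explain what the Sub Status means for a join."""
    s = parse_event_4625(text)
    account = _field(s, "Account Name", "Account For Which Logon Failed") or ""
    domain = _field(s, "Account Domain", "Account For Which Logon Failed") or "?"
    status = int(_field(s, "Status") or "0", 16)
    sub = int(_field(s, "Sub Status") or "0", 16)
    machine = account.endswith("$")   # computer accounts end in "$"
    if machine and sub == 0xC0000064:
        diagnosis = ("machine account %s has no computer object in %s; the client is "
                     "authenticating with a stale join (e.g. the object was deleted "
                     "after joining) - clear the cached join state and re-join" % (account, domain))
    elif machine and sub == 0xC000006A:
        diagnosis = ("computer object %s exists but the stored machine password no "
                     "longer matches - reset the machine account or re-join" % account)
    elif sub == 0xC000006A:
        diagnosis = "user %s exists but the password was wrong" % account
    elif sub == 0xC0000064:
        diagnosis = "user %s does not exist in domain %s" % (account, domain)
    else:
        diagnosis = "other logon failure: " + STATUS_TEXT.get(sub, hex(sub))
    return {
        "account": account,
        "is_machine_account": machine,
        "logon_type": _field(s, "Logon Type"),
        "auth_package": _field(s, "Authentication Package"),
        "source": _field(s, "Source Network Address"),
        "status": STATUS_TEXT.get(status, hex(status)),
        "sub_status": STATUS_TEXT.get(sub, hex(sub)),
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(classify_4625(SAMPLE_EVENT), indent=2))
```

Paste the event text from Event Viewer into SAMPLE_EVENT or feed it on stdin; the Sub Status is the field that distinguishes "the computer object is gone" from "the object is there but the NAS holds an old machine password", which is the distinction behind the reset steps above.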
 

EJacobowitz

Cadet
Joined
Apr 4, 2019
Messages
9
This indicates that we tried to use an account associated with the AD computer object for our server (hence the server name followed by the "$"). The account didn't exist in AD and so it failed. U2.1 can get stuck in this state due to stored credentials in samba's secrets.tdb. A typical case where this might happen is someone joins AD, encounters an issue, and in troubleshooting decides to delete the AD computer object and re-join AD. It will be fixed in 11.3, but in the meantime try the following:

1. Disable AD
2. Remove AD_MACHINE_ACCOUNT kerberos keytab on FN server
3. rm /var/db/system/samba4/private/secrets.tdb
4. net cache flush
5. Enter credentials in AD form and enable AD service.

I appreciate the response. It has fixed that error in EV in Windows, but I still cannot connect to AD. I am now seeing the following error in FN:
[screenshot attachment]

It seems to be a "permissions" issue; I'm just not sure where to look. So far EV and FW logs look clean.
 

uri

Dabbler
Joined
Jul 27, 2012
Messages
20
As I see, I'm not the only one who has an issue with AD after reboot!

So, if the AD server goes down and then becomes available again, the FreeNAS server shows FAULT AD and a reboot is helpless!

But if I go to AD settings in FreeNAS, uncheck AD and save, then check AD and save, the FreeNAS server successfully joins AD!


FreeNAS FreeNAS-11.3-U2.1

AD Windows Server 2012 R2 with latest updates!
 

kevinjj

Dabbler
Joined
May 4, 2020
Messages
14
FreeNAS 11.3 new install;
ESXi 6.5 env;
Windows 2012 R2 AD;

AD timeout up to 90;

AD account is correct;

ping AD server is OK; ping NAS's hostname (xxxx.domain.com) is OK;

Does anyone know why?

Is it a Samba 4 Active Directory?
 

EJacobowitz

Cadet
Joined
Apr 4, 2019
Messages
9
I appreciate the response. It has fixed that error in EV in Windows, but I still cannot connect to AD. I am now seeing the following error in FN:
[screenshot attachment]
It seems to be a "permissions" issue; I'm just not sure where to look. So far EV and FW logs look clean.
Finally, I tested with another AD account and it worked. From there I created a new data set and SMB share and so far so good. I am so excited. Thank you @anodos for your solution. Your solution on my initial error let me continue to move forward and figure out my issue.

Thanks again
 

alex_d

Cadet
Joined
May 30, 2020
Messages
1
Finally it works for me too. I had two issues.
The first one: the Windows Time service wasn't active as a time server. The command to detect it: ntpdate -q <dc> (DC - FQDN of the domain controller). The group policy should be activated: Computer Configuration->Administrative Templates->System->Windows Time Service->Time Providers->Enable Windows NTP Server should be on.

The second and most difficult: I had a problem with the connection to the DC. Configuring the Active Directory service in FreeNAS always stopped at 50%: connecting to the DC was OK, but FreeNAS never got itself registered completely. So, net ads info returned the info about the domain, but net ads join never succeeded. The same was happening with the smbclient command: NT_STATUS_IO_TIMEOUT. In the end, it turned out that the DC wasn't properly listening on port 445 (and 139). I have a multi-homed DC in ESXi, and though only one adapter was configured to work as the DC adapter, Windows chose another one. I figured it out after disabling the firewall - smbclient started to return NT_STATUS_CONNECTION_REFUSED instead. So, nothing helped and I just deleted the virtual adapter and added another one. FreeNAS was able to register in the domain in a second.
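Two checks recur through this thread: Gremlin's and alex_d's "ntpdate -q <dc>" test of whether the DC actually serves time (UDP 123 through the firewall, W32Time enabled as an NTP server) and alex_d's finding that the DC was not listening on 445/139. The following is an added example for this thread, not FreeNAS/TrueNAS code: a Python pre-join check that sends one SNTP query to the DC, computes the clock offset (Kerberos rejects requests once the skew passes its default 5-minute tolerance, which is why "time being the same to the minute" matters), and then tests TCP reachability of the ports a join uses. DC_HOST is a placeholder to replace with your DC's FQDN; the port list (53, 88, 389, 445, 139) is the usual set for a domain join, not something the thread states.

```python
"""Pre-join checks against a domain controller: clock offset via SNTP and TCP
reachability of the ports a domain join uses. Added example for this thread,
not FreeNAS/TrueNAS code; DC_HOST is a placeholder to replace."""
import socket
import struct
import time

DC_HOST = "dc1.example.test"          # placeholder: your DC's FQDN
NTP_UNIX_DELTA = 2208988800           # seconds from 1900-01-01 to 1970-01-01
MAX_SKEW_S = 300.0                    # Kerberos default clock-skew tolerance (5 min)
JOIN_PORTS = {53: "dns", 88: "kerberos", 389: "ldap", 445: "smb", 139: "netbios-ssn"}


def build_sntp_request():
    """48-byte client packet: LI=0, VN=4, Mode=3 (client) in the first byte."""
    return bytes([0x23]) + bytes(47)


def ntp_to_unix(seconds, fraction):
    """Convert an NTP 64-bit timestamp (two 32-bit words) to Unix seconds."""
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def parse_sntp_response(packet):
    """Return (stratum, transmit_time_unix) from a server reply, raising
    ValueError for anything that is not a usable server response."""
    if len(packet) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(packet))
    mode, stratum = packet[0] & 0x07, packet[1]   # mode is the low 3 bits
    if mode != 4:                                 # 4 = server reply
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0 or stratum > 15:              # 0/16 = unsynchronised
        raise ValueError("server unsynchronised (stratum %d)" % stratum)
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])   # transmit timestamp
    return stratum, ntp_to_unix(tx_sec, tx_frac)


def clock_offset(t_sent, t_server_tx, t_received):
    """Server clock minus local clock, assuming a symmetric network path."""
    return t_server_tx - (t_sent + t_received) / 2.0


def query_ntp(host, timeout=3.0):
    """One SNTP round trip; returns (offset_seconds, stratum)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_sent = time.time()
        sock.sendto(build_sntp_request(), (host, 123))
        data, _ = sock.recvfrom(512)
        t_received = time.time()
    stratum, tx = parse_sntp_response(data)
    return clock_offset(t_sent, tx, t_received), stratum


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def check_dc(host=DC_HOST, ports=JOIN_PORTS):
    """Report NTP offset and per-port reachability for the DC."""
    report = {"ports": {}}
    try:
        offset, stratum = query_ntp(host)
        report["ntp"] = {"offset_s": round(offset, 3), "stratum": stratum,
                         "ok": abs(offset) < MAX_SKEW_S}
    except (OSError, ValueError) as exc:
        # A timeout here is what a blocked UDP/123 rule, or a W32Time service
        # that is not enabled as an NTP server, looks like from the NAS side.
        report["ntp"] = {"ok": False, "error": str(exc)}
    for port, name in ports.items():
        report["ports"][port] = {"service": name, "open": tcp_reachable(host, port)}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(check_dc(), indent=2))
```

Run it from the FreeNAS shell before enabling the AD service: an NTP error or an offset near 300 s points at the time side, while a closed 445 with an open 88 is the multi-homed-DC symptom alex_d describes (the DC answers Kerberos but not SMB on the address the NAS is using).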
 