Can't join Active Directory, Failed to validate bind credentials: [EFAULT] timed out

freenaslol

FreeNAS 11.3 new install;
ESXi 6.5 environment;
Windows 2012 R2 AD;

AD timeout up to 90;

AD account is correct;

Ping to the AD server is OK; ping to the NAS's hostname (xxxx.domain.com) is OK;

Does anyone know why?
 


anodos

Sambassador
iXsystems
You can PM me /var/log/middlewared.log. This is probably a case of the LDAP bind timing out. We set the NETWORK_TIMEOUT value for ldap.conf based on "dns_timeout":
ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, self.ad['dns_timeout'])
You can try increasing it.
 

acarmona

Hi, Bro!

/var/log/middlewared.log
(DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf

What can I try, bro?
 

freenaslol

Hi, anodos

AD Timeout, DNS Timeout up to 60;

The problems remain;

[2020/02/14 11:16:10] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
[2020/02/14 11:28:55] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
[2020/02/14 11:30:33] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
[2020/02/14 11:31:13] (DEBUG) ServiceService._simplecmd():287 - Calling: start(ssh)
[2020/02/14 11:31:13] (DEBUG) EtcService.generate():274 - No new changes for /etc/local/ssh/sshd_config
[2020/02/14 11:31:40] (DEBUG) ServiceService._simplecmd():287 - Calling: reload(ssh)
[2020/02/14 11:37:19] (DEBUG) ServiceService._simplecmd():287 - Calling: start(lldp)
[2020/02/14 11:37:34] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
[2020/02/14 11:37:40] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
[2020/02/14 11:38:06] (DEBUG) ServiceService._simplecmd():287 - Calling: stop(lldp)
[2020/02/14 11:39:02] (DEBUG) EtcService.generate():274 - No new changes for /etc/krb5.conf
 


tfili

What about DNS entries for the domain? Are you able to ping the domain? ... not the AD
Do you use the AD as the first nameserver?

Have you tried to join from the CLI with net ads join -U adminuser?
 

acarmona

I can send a ping correctly.
My AD is the first nameserver.

net ads join -U freenasadmin:
Failed to join domain: This operation is only allowed for the PDC of the domain
My AD is the PDC.
 

tfili

Is it possible to get a Kerberos ticket? : kinit freenasadmin

What about firewall-related problems?
Is the ESXi in the same network / VLAN as the AD, or do you use NAT?
 

acarmona

Is this correct?
1581687500094.png


The servers share the same VLAN.
My English is very bad, sorry.
 


anodos

Turn on "verbose logging", and run the following commands:
midclt call activedirectory.update '{"enable": false}'
midclt call activedirectory.update '{"enable": true}'
and upload the middlewared log.
 

anodos

Try the following:
midclt call activedirectory.update '{"enable": false}'
midclt call activedirectory.update '{"enable": true, "verbose_logging": true, "dns_timeout": 30}'
This looks suspiciously like we're hitting a timeout for middleware calls. If this is the case then it looks like the environment is taking over 60 seconds to complete an LDAP bind. You may want to also review logs on your AD DC.
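
Added example, not part of any post in this thread and not FreeNAS code: a successful ping only shows ICMP reachability, so this standard-library Python sketch times name resolution and TCP connects to the ports a domain join uses, to show which step eats the timeout budget. The port list is the standard AD set and the host name dc01.domain.example is a placeholder assumption.

```python
import socket
import time

# Standard AD service ports a domain join depends on (assumed set, not from the thread).
AD_PORTS = {"dns": 53, "kerberos": 88, "ldap": 389, "smb": 445, "kpasswd": 464}


def timed_resolve(name):
    """Resolve name; return (addresses, seconds, error)."""
    start = time.monotonic()
    try:
        infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
        addrs = sorted({info[4][0] for info in infos})
        return addrs, time.monotonic() - start, None
    except socket.gaierror as exc:
        return [], time.monotonic() - start, str(exc)


def timed_connect(addr, port, timeout):
    """TCP connect with a deadline; return (status, seconds)."""
    start = time.monotonic()
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            status = "open"
    except socket.timeout:
        status = "timeout"      # packets dropped: firewall or routing
    except ConnectionRefusedError:
        status = "refused"      # host reachable, service not listening
    except OSError as exc:
        status = f"error: {exc}"
    return status, time.monotonic() - start


def check_dc(name, timeout=10.0, ports=AD_PORTS):
    """Report name-resolution time and per-port reachability for one DC."""
    addrs, dns_secs, err = timed_resolve(name)
    report = {"resolve_seconds": dns_secs, "addresses": addrs, "error": err, "ports": {}}
    for addr in addrs[:1]:      # probe only the first address returned
        for label, port in ports.items():
            report["ports"][label] = timed_connect(addr, port, timeout)
    return report


if __name__ == "__main__":
    import sys
    # Hypothetical DC name; pass your own as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.domain.example"
    print(check_dc(target, timeout=10.0))
```

A "timeout" on ldap or kerberos while ping succeeds points at filtering between the NAS and the DC; a large resolve_seconds points at DNS.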
 

MikeUK

Acarmona, did you ever get this to work? I had similar issues but never got it to work. But it worked fine on 11.2.7.
 