Can't join Active Directory, Failed to validate bind credentials: [EFAULT] timed out

dolphinit

In the end I decided to install 11.2 instead (it is a new setup). No problems joining AD this time. Might try upgrading to 11.3 before I start using it properly.
 

dolphinit

Looks like my last reply didn't show.

Since I'm on a new install, I restarted with an 11.2 install. Connected to AD OK with that, then upgraded to 11.3 and all seems OK. Will do some more testing tomorrow.
 

hemlock

I am having the same issue on 11.3 with LDAP not working. What can I do to help troubleshoot?
I also get an option error when trying to enable the LDAP service. This is a brand new setup with a fresh install of 11.3.
 

Attachments

  • DeepinScreenshot_select-area_20200224160929.png
    79.9 KB · Views: 444

freenaslol

I gave up on joining the domain on 11.3.

I redeployed 11.2 U8 and successfully joined the domain, and later upgraded to 11.3, but there is still a problem. When editing the permissions of the dataset, every time I select a domain user or domain group, I get the errors "Error: [uid ] Not an integer" and "Error: [gid] Not an integer"; selecting other built-in users and groups is all normal! Why is that?


11.3 Domain support is too unstable ...;
 

anodos

iXsystems
I can't reproduce your issue internally. The probability of the underlying issue getting fixed is low until we have a clear case to reproduce the issue. You can file a bug ticket about the AD timeout and if there is an underlying bug in the FreeNAS middleware it will get fixed. As I mentioned earlier, the timeout you were seeing is caused by our attempt to perform an LDAP bind to your AD domain taking more than 60 seconds to complete. I can convert this portion of the DS code to be run in the background (where it can take as long as it wants), but if there is an underlying issue with the Python LDAP client then this will not improve the situation.

11.3 is different from 11.2 in that we rely exclusively on Kerberos tickets and keytabs for the domain join. This is much more secure, but it also meant a significant redesign of how AD works. This means that there will probably be bugs that we need to fix (many of these things can end up being idiosyncratic or very hard to reproduce in a lab), which means that community bug reports and testing are extremely important.
 

glossjorge

We are having the same issue. Our brand new FreeNAS 11.3 will not join our Windows domain. We can ping the domain (example.local) and all our Windows, Linux and Macs can join, but not FreeNAS. I wish FreeNAS came with realmd installed; it makes it so much easier to manage AD. But if somebody has found a solution, please let me know.

Thanks.
 

anodos

Can you PM me a debug?
 

dstewart51

This issue is affecting us as well. With 11.2ux I could join to our AD, but no such luck with 11.3 yet. Just updated our backup system to 11.3u1, not much luck here either. I'd send anodos a debug, but when attempting to create one, it fails with "Failed to generate a debug file." This is on FreeNAS Certified systems.


Edit: I was able to generate this error after enabling the SMB service and then attempting to join AD again:
Code:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 87, in port_is_listening
    s.connect((host, port))
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 843, in do_update
    await self.middleware.run_in_thread(self.validate_domain, new)
  File "/usr/local/lib/python3.7/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
    return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.7/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 1124, in validate_domain
    self.middleware.call_sync('activedirectory.check_clockskew', data)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1143, in call_sync
    io_thread=True, job_on_progress_cb=job_on_progress_cb,
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1166, in run_coroutine
    return fut.result()
  File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 428, in result
    return self.__get_result()
  File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 384, in __get_result
    raise self._exception
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1091, in _call
    return await run_method(methodobj, *args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
    return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.7/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 1110, in check_clockskew
    pdc = ActiveDirectory_DNS(conf=ad, logger=self.logger).get_n_working_servers(SRV['PDC'], 1)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 147, in get_n_working_servers
    if self.port_is_listening(host, port, timeout=1):
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 91, in port_is_listening
    raise CallError(e)
middlewared.service_exception.CallError: [EFAULT] timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
    io_thread=False)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
    return await methodobj(*args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/service.py", line 302, in update
    f'{self._config.namespace}.update', self, self.do_update, [data]
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
    return await methodobj(*args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 961, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 847, in do_update
    f"Failed to validate domain configuration: {e}"
middlewared.service_exception.ValidationError: [EFAULT] activedirectory_update: Failed to validate domain configuration: [EFAULT] timed out
 

anodos

I sent you a private message about next steps to investigate this.
 

dstewart51

Anodos asked me to post this updated activedirectory.py script that is more tolerant of timeout errors. I'm now able to join our AD with 11.3.
 

Attachments

  • activedirectory.txt
    72.3 KB · Views: 804
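
The traceback posted earlier in the thread shows one `socket.timeout` in `port_is_listening` being re-raised as `CallError`, which ends `get_n_working_servers` and the whole domain validation. The following is an added example, not the FreeNAS middleware code and not the attached file: it treats an unreachable candidate as "skip and try the next one". The host names, port 389 and the injected `fake_connect` are constructed so it runs offline.

```python
import socket

def port_is_listening(host, port, timeout=1.0, connect=socket.create_connection):
    """Return (True, None) if a TCP connect succeeds, else (False, reason)."""
    try:
        conn = connect((host, port), timeout=timeout)
    except OSError as e:
        # socket.timeout, ConnectionRefusedError and socket.gaierror are all
        # OSError subclasses: report the failure instead of raising it.
        return False, f"{type(e).__name__}: {e}"
    conn.close()
    return True, None

def get_n_working_servers(candidates, n, timeout=1.0, connect=socket.create_connection):
    """Walk (host, port) candidates in order and stop after n that answer."""
    working, skipped = [], []
    for host, port in candidates:
        ok, reason = port_is_listening(host, port, timeout, connect)
        if ok:
            working.append((host, port))
            if len(working) == n:
                break
        else:
            skipped.append((host, port, reason))  # kept for troubleshooting
    return working, skipped

# Constructed sample: three hypothetical DCs, as an SRV lookup might list them.
SAMPLE_CANDIDATES = [(f"dc{i}.example.local", 389) for i in (1, 2, 3)]

class _FakeConn:
    def close(self):
        pass

def fake_connect(address, timeout=None):
    """Offline stand-in for socket.create_connection (constructed behaviour)."""
    host = address[0]
    if host == "dc1.example.local":
        raise socket.timeout("timed out")  # e.g. filtered or stale DC record
    if host == "dc2.example.local":
        raise ConnectionRefusedError(61, "Connection refused")
    return _FakeConn()

def demo():
    return get_n_working_servers(SAMPLE_CANDIDATES, 1, connect=fake_connect)

if __name__ == "__main__":
    print(demo())
```

On a real system, dropping the `connect=` argument makes the same functions probe actual hosts; the `skipped` list then shows which advertised domain controllers are not answering from the NAS.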

freenaslol

I downgraded to 11.2 U8; adding the domain is normal, the domain user and domain group are also normal, and the SMB service can access the space normally.

However, SMB cannot log in with a local account; it prompts that the username and password are wrong. The fact is that the account password is correct; I tested it on the command line.

FTP login with a local account is normal.

How can I disable domain login when logging in with a local account?

Logging in from a non-domain environment and directly entering the username "pubtt" still prompts the username and password error.

After FreeNAS enables the domain, can't I log in with local users at the same time? :(

I hope U2 can be released as soon as possible and resolve the compatibility issues between domain and local accounts at one time. :cool:

 

anodos

If you are authenticating with a local (to the FreeNAS server) account in an AD environment, you must prefix the NetBIOS name of the FreeNAS server to the account name "FREENAS\pubtt".
 

glossjorge

Hey guys,

I downloaded the activedirectory.txt, renamed it to .py, backed up the old one and put it in the same folder as the old one, but when I tried to bind I'm still getting the timeout error. I only put in the domain name, domain user and password to bind; do I have to put something else in advanced?

Thanks.
 

anodos

Did you restart middlewared?
service middlewared onerestart
 

ram777

After I updated to FreeNAS 11.3 U1, no connection can be made from the FreeNAS machine to the AD domain controller.
I can ping the AD server but I cannot connect using Active Directory from FreeNAS 11.3 U1.
The error I get is "Failed to validate bind credentials: [EFAULT] timed out".

I tried to replace activedirectory.py with the file given as glossjorge. No success ...

I changed the boot environment to FreeNAS 11.2.U7 and can connect to the AD without problem.
My problem is I cannot go back to this version because I updated ZFS in FreeNAS 11.3.U1 and the pool is not visible.

Now I am on 11.3 U1 but with the AD issue, which means the users cannot see their file.
Please find a solution.

Thank you.
 

anodos

Finalized fix is here: https://raw.githubusercontent.com/f...ewared/middlewared/plugins/activedirectory.py
Back up and replace /usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py with the version linked above, and then restart the FreeNAS middleware:
service middlewared onerestart
 

glossjorge

I tried that command and the middleware service never came back up and I couldn't access the server anymore; I had to re-install it.
 