FreeNAS 11.2 won't join AD

Furry

Dabbler
Joined
Jan 29, 2019
Messages
18
Hello; this is my first post.

I'm trying out FreeNAS for use in my network, which has 2 x Windows 2012R2 servers (one of which is Windows Server Essentials, and the DC), and several PCs. For my FreeNAS configuration / environment, please see (hopefully) my signature below.

I can't get FreeNAS to join/use my domain/AD. I receive this error: [MiddlewareError: Active Directory failed to reload.]

I have:
1. Read the manual, sec. 10, "Directory Services".
2. Done searches on this site (and beyond) and followed down threads and links (found in those threads) to tutorials and YouTube videos.
3. Set nameserver1 within Global Configuration to be the WSE2012R2 server's IP.
4. Successfully pinged the domain from the FreeNAS shell, and pinged the FreeNAS box (by name: "freenas") from the WSE2012R2 server.
5. Copied the WSE2012R2 Administrator account to create "freenasadmin" user in AD.
6. Tried pre-creating the DNS 'A' record and the "freenas" computer in AD. Also tried not pre-creating these (apparently it's not / no longer really necessary).
7. Set the freenas box to use the same NTP server as the WSE2012R2 server (uk.pool.ntp.org).
8. Tried these commands as suggested by sec. 10.1.2 of the manual, with this result:
freenas_shell_1.JPG

9. Tried this:
freenas_shell_2.JPG


I'm now a bit stuck; can someone please advise what I might try next?

TIA
 

Furry
> Check /etc/krb5.conf and make sure it has been generated correctly.

krb5.conf; I have substituted "furry" and "FURRY" for my actual domain name:

#
# krb5.conf(5) - configuration file for Kerberos 5
# $FreeBSD$
#

[appdefaults]
	pam = {
		forwardable = true
		ticket_lifetime = 86400
		renew_lifetime = 86400
	}

[libdefaults]
	dns_lookup_realm = true
	dns_lookup_kdc = true
	ticket_lifetime = 24h
	clockskew = 300
	forwardable = yes
	default_realm = FURRY

[domain_realm]
	furry = FURRY
	.furry = FURRY
	FURRY = FURRY
	.FURRY = FURRY

[realms]
	FURRY = {
		default_domain = FURRY
		kdc = freenas.furry.local.furry
		admin_server = freenas.furry.local.furry
		kpasswd_server = freenas.furry.local.furry
	}

[logging]
	default = SYSLOG:INFO:LOCAL7
 

Furry
> Verify contents of /etc/directoryservice/ActiveDirectory/config

Contents (furry & FURRY substituted again):

ad_machine=freenas$
ad_bindname=freenasadmin
ad_domainname=furry.local
ad_basedn=DC=furry,DC=local
ad_binddn=freenasadmin@FURRY.LOCAL
ad_userdn=
ad_groupdn=
ad_site=
ad_dcname=wse2012r2.furry.local:389
ad_dchost=wse2012r2.furry.local
ad_dcport=389
ad_gcname=wse2012r2.furry.local:3268
ad_gchost=wse2012r2.furry.local
ad_gcport=3268
ad_krbname=wse2012r2.furry.local:88
ad_krbhost=wse2012r2.furry.local
ad_krbport=88
ad_kpwdname=wse2012r2.furry.local:464
ad_kpwdhost=wse2012r2.furry.local
ad_kpwdport=464
ad_krb_realm=FURRY
ad_keytab_principal=
ad_keytab_file=
 

Furry
> Your KDC is set to "freenas.furry.local.furry". It should be "wse2012r2.furry.local".
> Did you manually add a Kerberos realm to your server?

Yes, I thought that looked odd; I didn't manually add a Kerberos realm, and I'm pretty sure these ended up like that by themselves. However, I did try changing the Kerberos realm settings (three of them: KDC, Admin Server and Password Server) on the FreeNAS box. It didn't make any difference, but I'll try again (perhaps I didn't quite get them right).

If I change these in the webgui, will that change appear in the krb5.conf file?

Edit(1): they do, after a reboot.
Edit(2): I still have the same error, though.
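As an added example (not code from this thread and not part of FreeNAS), the following Python script does mechanically what anodos did by eye above: it cross-checks the [realms] block of a generated krb5.conf against /etc/directoryservice/ActiveDirectory/config. The checks are that kdc and admin_server name the host in ad_krbhost, that kpasswd_server names ad_kpwdhost, that each of those is a host inside ad_domainname, and that ad_krb_realm is the upper-cased DNS domain, which is what the realm always is in an AD domain. The two embedded inputs are constructed from the files posted above (domain placeholders kept); the "fixed" variants and all function names are assumptions of mine.

```python
"""Cross-check a FreeNAS-generated krb5.conf against
/etc/directoryservice/ActiveDirectory/config.
Added example for this thread, not FreeNAS code. The sample inputs below are
constructed from the two files posted above (domain placeholders kept)."""
import re

# Constructed from the poster's krb5.conf: only the sections the check needs.
KRB5_CONF = """\
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = FURRY

[realms]
    FURRY = {
        default_domain = FURRY
        kdc = freenas.furry.local.furry
        admin_server = freenas.furry.local.furry
        kpasswd_server = freenas.furry.local.furry
    }
"""

# Constructed from the poster's ActiveDirectory/config (relevant keys only).
AD_CONFIG = """\
ad_machine=freenas$
ad_domainname=furry.local
ad_krbhost=wse2012r2.furry.local
ad_krbport=88
ad_kpwdhost=wse2012r2.furry.local
ad_kpwdport=464
ad_krb_realm=FURRY
"""

# Assumed "fixed" state: realm is the upper-cased DNS domain and the realm
# servers point at the DC rather than at the NAS under a mangled name.
KRB5_CONF_FIXED = (KRB5_CONF.replace("freenas.furry.local.furry", "wse2012r2.furry.local")
                   .replace("FURRY", "FURRY.LOCAL"))
AD_CONFIG_FIXED = AD_CONFIG.replace("ad_krb_realm=FURRY", "ad_krb_realm=FURRY.LOCAL")


def parse_krb5_realms(text):
    """Return {REALM: {key: value}} from the [realms] section.
    Minimal parser for the one-level `NAME = { k = v }` blocks krb5.conf uses."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sec = re.match(r"\[(\w+)\]$", line)
        if sec:
            section, current = sec.group(1).lower(), None
            continue
        if section != "realms":
            continue
        blk = re.match(r"(\S+)\s*=\s*\{$", line)
        if blk:
            current = blk.group(1)
            realms.setdefault(current, {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            realms[current][k] = v
    return realms


def parse_ad_config(text):
    """key=value lines -> dict (empty values are kept as '')."""
    out = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def check_consistency(krb5_text, ad_text):
    """Return a list of findings; an empty list means the two files agree."""
    realms = parse_krb5_realms(krb5_text)
    ad = parse_ad_config(ad_text)
    findings = []
    realm = ad.get("ad_krb_realm", "")
    domain = ad.get("ad_domainname", "").lower()
    # In an AD domain the Kerberos realm is the DNS domain name in upper case.
    if realm != domain.upper():
        findings.append(f"ad_krb_realm={realm!r} is not the upper-cased domain {domain.upper()!r}")
    if realm not in realms:
        findings.append(f"krb5.conf has no [realms] block for {realm!r}")
        return findings
    expected = {
        "kdc": ad.get("ad_krbhost", ""),
        "admin_server": ad.get("ad_krbhost", ""),
        "kpasswd_server": ad.get("ad_kpwdhost", ""),
    }
    for key, want in expected.items():
        got = realms[realm].get(key, "").split(":", 1)[0]  # drop an optional :port
        if not got:
            findings.append(f"{key} is missing from realm {realm}")
            continue
        if got.lower() != want.lower():
            findings.append(f"{key}={got} but AD config points at {want or '(unset)'}")
        if domain and not got.lower().endswith("." + domain):
            findings.append(f"{key}={got} is not a host inside {domain}")
    return findings


if __name__ == "__main__":
    for label, (k, a) in {"posted": (KRB5_CONF, AD_CONFIG),
                          "fixed": (KRB5_CONF_FIXED, AD_CONFIG_FIXED)}.items():
        print(label, check_consistency(k, a) or ["consistent"])
```

Run against the posted files it reports seven findings (the realm/domain mismatch plus, for each of kdc, admin_server and kpasswd_server, a wrong host and a host outside furry.local); against the fixed pair it reports none. On a real box, read the two files from /etc/krb5.conf and /etc/directoryservice/ActiveDirectory/config instead of the embedded strings.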
 
Furry
Now, I get this when I enter the commands I used earlier (imagine that the domain name under the blue stuff is FURRY):

freenas_shell_3.JPG
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It looks like you're trying to kinit with an incorrect password. Try this:
Code:
sh -x /etc/directoryservice/ActiveDirectory/ctl restart

and PM me the output. Feel free to redact whatever you want.
 

Furry
I've done that. Managed to direct it to a file (by the third time through). What "should" I redact? (I notice that there's at least one password in the clear).

In the meantime, I noticed that SMB wouldn't start, so I rebooted, then received an alert, saying "Active Directory did not bind to the domain". I hadn't received that alert before.

SMB still would not start - until I 'restarted' (attempted) the AD service (on freenas), having entered the password (as it seems to need, each time). Now it's back to the original error.
 
Matt_G

Explorer
Joined
Jan 24, 2016
Messages
65
Are you absolutely sure your DNS is setup and working correctly?
If you try and ping furry.local, does it resolve that domain name to the IP of your DC?
 

Furry
Yes, it does.
 

anodos
Try the following:
Code:
sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"
service ix-hostname start
service ix-kerberos start
kinit <your username>
(if that succeeds without password error, then "klist" to verify you have a kerberos ticket)
service ix-pre-samba start
net -k ads join
service samba_server start
service ix-nsswitch start
service ix-pam start
service ix-cache start

If it fails at kinit or net -k ads join, then reply to this thread with output.
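As an added example (not anodos's code and not part of FreeNAS), the same manual sequence wrapped in a small Python runner: it executes the steps in order, stops at the first non-zero exit so the failing step is obvious, and when `net -k ads join` is the step that fails it re-runs the join with `-d 5` to capture the DC's reply. The step commands are exactly the ones listed above; `manual_join`, `make_fake_runner` and the "simulated failure" strings are my own, and the fake runner exists only so the control flow can be exercised without a DC.

```python
"""Manual FreeNAS 11.2 AD-join sequence with stop-on-failure.
Added example; the commands are the ones listed in the post above, the
wrapper and the fake runner are constructed for illustration."""
import subprocess

STEPS = [
    ("enable AD in the config database",
     ["sqlite3", "/data/freenas-v1.db",
      "UPDATE directoryservice_activedirectory SET ad_enable=1"]),
    ("regenerate hostname/hosts", ["service", "ix-hostname", "start"]),
    ("regenerate krb5.conf", ["service", "ix-kerberos", "start"]),
    ("get a TGT (kinit prompts on the terminal)", ["kinit", "{user}"]),
    ("confirm the ticket is there", ["klist"]),
    ("regenerate smb4.conf", ["service", "ix-pre-samba", "start"]),
    ("join with the Kerberos ticket", ["net", "-k", "ads", "join"]),
    ("start Samba", ["service", "samba_server", "start"]),
    ("regenerate nsswitch.conf", ["service", "ix-nsswitch", "start"]),
    ("regenerate PAM config", ["service", "ix-pam", "start"]),
    ("rebuild the user/group cache", ["service", "ix-cache", "start"]),
]

# Re-run used when the join step fails, so the DC's response is visible.
DEBUG_JOIN = ["net", "-k", "-d", "5", "ads", "join"]


def run_real(argv):
    """Run one command; return (exit code, combined stdout/stderr).
    stdin is inherited so kinit can still prompt for the password."""
    p = subprocess.run(argv, stdout=subprocess.PIPE,
                       stderr=subprocess.STDOUT, text=True)
    return p.returncode, p.stdout


def manual_join(user, runner=run_real, log=print):
    """Run STEPS in order. Returns (ok, completed_step_names, failure_output).
    Stops at the first non-zero exit; a failed join is re-run at -d 5 so the
    DC's actual response ends up in failure_output."""
    completed = []
    for name, argv in STEPS:
        argv = [a.format(user=user) for a in argv]
        rc, out = runner(argv)
        log(f"[{'ok' if rc == 0 else 'FAIL'}] {name}: {' '.join(argv)}")
        if rc != 0:
            if argv[:2] == ["net", "-k"]:
                _, out = runner(DEBUG_JOIN)
            return False, completed, out
        completed.append(name)
    return True, completed, ""


def make_fake_runner(fail_cmd, calls):
    """Fake runner for dry runs: records every argv in `calls` and fails the
    first command whose argv[0] equals fail_cmd. Output is constructed text,
    not real tool output."""
    def fake(argv):
        calls.append(list(argv))
        if argv[0] == fail_cmd:
            return 1, f"{fail_cmd}: simulated failure"
        return 0, ""
    return fake


if __name__ == "__main__":
    # Dry run that fails at kinit, which is where the poster's attempt stalled.
    calls = []
    ok, done, detail = manual_join("freenasadmin",
                                   runner=make_fake_runner("kinit", calls))
    print("ok:", ok, "completed:", len(done), "detail:", detail)
```

To run it for real on the NAS, call `manual_join("freenasadmin")` with the default runner as root; the returned failure_output is what to paste into the thread if kinit or the join fails.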
 

Furry
Here's the result; got as far as the net -k ads join (note that I fluffed the first command, at first attempt):
freenas_shell_4.JPG
 

anodos
"Not enough storage" is the response from your DC. You can post output of "net -k -d 5 ads join", but I think you'll need to investigate through event viewer on your DC.
 

Furry
I've had a look, but I can't see any errors which appear relevant - but I don't really know what I'm looking for. Are you able to give any hints?
 

Furry
I managed to get this to work, at last - by resetting the configuration to defaults, then filling in the minimum configuration information from the webGUI. Also with the DC (still) pre-configured, for DNS 'A' record, freenas computer, and freenas admin.
 
Since doing this, I notice:

1. The Kerberos Realm is now FURRY.LOCAL, whereas before it was / was set to be wse2012r2.furry.local, and KDC, Password Server and Admin Server have nothing defined.
2. I have a previously-defined SMB share which still appears to Windows clients, but which is not defined in the webGUI (e.g. under Sharing), and which I can't get rid of; I've tried detaching the pool etc., which is supposed to destroy all data.
3. I can see the AD accounts listed, in the form (e.g.) "FURRY\freenasadmin" when I edit permissions for a pool / dataset, but these do not appear under "Accounts".