FreeNAS 11.3-U3.2 Update started issues connecting to Active Directory

ballistic

Cadet
Joined
Jun 18, 2020
Messages
2
Hello,

Last week I updated FreeNAS from 11.3-U2.1 to 11.3-U3.2 and soon found out that SMB shares stopped working and no domain user is able to access the network shares. After checking the web frontend I found the status for Directory Server failing.

I checked the following settings:
- DNS and if it works
- Domainname
- Service Account
- Password
- ROOT Certificate for AD LDAP
- TLS Settings (tested with and without TLS)
- Time
- Reachability of domain controllers from shell

Testing AD with net ads and midclt, I got the following errors:

Code:
# midclt call activedirectory.domain_info | jq
[EFAULT] ads_connect: No logon servers are currently available to service the logon request.
ads_connect: No logon servers are currently available to service the logon request.
Didn't find the ldap server!

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
    io_thread=False)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1084, in _call
    return await methodobj(*args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 961, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 1355, in domain_info
    raise CallError(netads.stderr.decode())
middlewared.service_exception.CallError: [EFAULT] ads_connect: No logon servers are currently available to service the logon request.
ads_connect: No logon servers are currently available to service the logon request.
Didn't find the ldap server!

# net ads info
ads_connect: No logon servers are currently available to service the logon request.


So I decided to switch the bootbank back to 11.3-U2.1 and rebooted my NAS. SMB started to work again and midclt and net ads report a successful connection to Active Directory. I switched again to 11.3-U3.2 and everything is failing again.

Any idea what is happening here? I found no update notes about issues or changes with AD.

Thanks in advance.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
midclt call activedirectory.domain_info is just a wrapper around "net -k ads domain info". You should verify the following:
1) contents of /etc/krb5.conf
2) contents of /etc/resolv.conf
3) testparm -s output
4) output of "klist" should show a kerberos ticket for your AD domain.

First one should have your domain
Second one should _only_ have DCs for your domain
Third one should show your AD domain as realm
 

ballistic

Cadet
Joined
Jun 18, 2020
Messages
2
Hi,

Sorry for the late reply, I am mostly out of office because of COVID-19 and not playing with our NAS without local access.


/etc/krb5.conf content; I replaced the real domain/hostname/IP.

Code:
#
# krb5.conf(5) - configuration file for Kerberos 5
# $FreeBSD$
#

[appdefaults]
            pam = {
                   forwardable = true
                   ticket_lifetime = 86400
                   renew_lifetime = 86400
            }

[libdefaults]
            dns_lookup_realm = true
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            clockskew = 300
            forwardable = true

[domain_realm]
            mydomain.net = MYDOMAIN.NET
            .mydomain.net = MYDOMAIN.NET
            MYDOMAIN.NET = MYDOMAIN.NET
            .MYDOMAIN.NET = MYDOMAIN.NET

[realms]
            MYDOMAIN.NET = {
                   default_domain = MYDOMAIN.NET
            }

[logging]
            default = SYSLOG:INFO:LOCAL7


/etc/resolv.conf

Code:
# Generated by resolvconf
search mydomain.net
nameserver 10.40.30.5
nameserver 10.40.30.6
nameserver 2001:xxxx:xxxx:xxxx::5


testparm -s output

Code:
root@xxx[/etc]# testparm -s output
Load smb config files from output
Error loading services.


Output of klist

Code:
root@xxx[/]# klist
klist: No ticket file: /tmp/krb5cc_0


Content of smb4.conf
Code:
[global]
        dns proxy = No
        aio max threads = 2
        max log size = 51200
        allocation roundup size = 0
        load printers = No
        printing = bsd
        disable spoolss = Yes
        dos filemode = Yes
        kernel change notify = No
        directory name cache size = 0
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        unix charset = UTF-8
        log level = 1
        obey pam restrictions = False
        enable web service discovery = True
        logging = file
        server min protocol = SMB2_02
        unix extensions = No
        restrict anonymous = 2
        server string = FreeNAS Server
        bind interfaces only = Yes
        netbios name = xxx
        netbios aliases =
        server role = standalone
        workgroup = MYDOMAIN
        idmap config *: backend = tdb
        idmap config *: range = 90000001-100000000

        include = /usr/local/etc/smb4_share.conf


My two domain servers are reachable from our NAS. Going back to 11.3-U2.1 fixes the issue. testparm without "-s output" tells me "services file OK." on both the working 11.3-U2.1 and the not working 11.3-U3.2.

klist on the working boot image works.

Code:
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: SVC_FREENAS@MYDOMAIN.NET

  Issued                Expires               Principal
Jul  9 14:29:06 2020  Jul 10 00:29:06 2020  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET


All config files look okay; I have no idea why 11.3-U3.2 has issues with AD connectivity.
 
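The four checks anodos listed (realm in /etc/krb5.conf, only DCs in /etc/resolv.conf, the AD realm in testparm output, a Kerberos TGT in klist) can be scripted so they are applied the same way on each boot environment. The script below is an added example written for this thread; it is not FreeNAS code and not something either poster ran. It reads captured copies of the config files and command output rather than calling the live commands, so it runs anywhere; the sample files it creates are constructed from the sanitized contents ballistic posted (MYDOMAIN.NET, the 10.40.30.x nameservers, the klist output from both boot images), and the REALM, DC address list, the `realm =` line in the domain-joined testparm sample and the temporary file paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the thread above (not FreeNAS code): apply the four checks
# anodos listed to captured config files and command output. All sample contents
# below are constructed from the sanitized values ballistic posted; REALM, the DC
# list and the file locations are assumptions for the example.

REALM="MYDOMAIN.NET"
# Addresses the AD domain controllers are assumed to answer DNS on (constructed).
DC_LIST="10.40.30.5 10.40.30.6 2001:xxxx:xxxx:xxxx::5"

# 1) krb5.conf: the [realms] section must define the AD realm.
krb5_defines_realm() {   # usage: krb5_defines_realm FILE REALM
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { section = $0; gsub(/[^a-z_]/, "", section) }
        section == "realms" && $1 == realm && $2 == "=" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# 2) resolv.conf: print every nameserver that is NOT a DC (anodos: "_only_ DCs").
resolv_non_dc_nameservers() {   # usage: resolv_non_dc_nameservers FILE "DC DC ..."
    awk -v dcs="$2" '
        BEGIN { n = split(dcs, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }' "$1"
}
resolv_only_dcs() {   # true when no non-DC nameserver is configured
    [ -z "$(resolv_non_dc_nameservers "$1" "$2")" ]
}

# 3) testparm -s output: print the value of "realm =" from the global section, if any.
testparm_realm() {   # usage: testparm_realm FILE
    awk -F'=' '$1 ~ /^[[:space:]]*realm[[:space:]]*$/ {
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2 }' "$1"
}

# 4) klist output: a ticket-granting ticket krbtgt/REALM@REALM must be present.
klist_has_tgt() {   # usage: klist_has_tgt FILE REALM
    grep -qF "krbtgt/$2@$2" "$1"
}

# Run all four checks, print PASS/FAIL per check, return the number of failures.
run_ad_checks() {   # usage: run_ad_checks KRB5 RESOLV TESTPARM KLIST REALM "DC ..."
    failures=0
    if krb5_defines_realm "$1" "$5"; then echo "PASS krb5.conf defines realm $5"
    else echo "FAIL krb5.conf does not define realm $5"; failures=$((failures + 1)); fi
    extra=$(resolv_non_dc_nameservers "$2" "$6")
    if [ -z "$extra" ]; then echo "PASS resolv.conf lists only DCs"
    else echo "FAIL resolv.conf has non-DC nameserver(s): $extra"; failures=$((failures + 1)); fi
    if [ "$(testparm_realm "$3")" = "$5" ]; then echo "PASS smb realm is $5"
    else echo "FAIL smb realm is '$(testparm_realm "$3")', expected $5"; failures=$((failures + 1)); fi
    if klist_has_tgt "$4" "$5"; then echo "PASS klist shows a TGT for $5"
    else echo "FAIL klist shows no TGT for $5"; failures=$((failures + 1)); fi
    return "$failures"
}

# --- constructed sample inputs (sanitized values as posted in the thread) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
[domain_realm]
    mydomain.net = MYDOMAIN.NET
    .mydomain.net = MYDOMAIN.NET
[realms]
    MYDOMAIN.NET = {
        default_domain = MYDOMAIN.NET
    }
EOF
cat > "$SAMPLE_DIR/resolv.conf" <<'EOF'
search mydomain.net
nameserver 10.40.30.5
nameserver 10.40.30.6
nameserver 2001:xxxx:xxxx:xxxx::5
EOF
# Global section as posted from the broken boot environment: no realm, standalone role.
cat > "$SAMPLE_DIR/testparm_broken.txt" <<'EOF'
[global]
        server role = standalone
        workgroup = MYDOMAIN
EOF
# Assumed shape of the global section on a domain-joined system (constructed).
cat > "$SAMPLE_DIR/testparm_joined.txt" <<'EOF'
[global]
        realm = MYDOMAIN.NET
        workgroup = MYDOMAIN
EOF
cat > "$SAMPLE_DIR/klist_broken.txt" <<'EOF'
klist: No ticket file: /tmp/krb5cc_0
EOF
cat > "$SAMPLE_DIR/klist_ok.txt" <<'EOF'
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: SVC_FREENAS@MYDOMAIN.NET

  Issued                Expires               Principal
Jul  9 14:29:06 2020  Jul 10 00:29:06 2020  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
EOF

echo "== checks against the captured 11.3-U3.2 (broken) files =="
run_ad_checks "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/resolv.conf" \
    "$SAMPLE_DIR/testparm_broken.txt" "$SAMPLE_DIR/klist_broken.txt" \
    "$REALM" "$DC_LIST" || echo "$? check(s) failed"
```

On a real box the captured files would be /etc/krb5.conf, /etc/resolv.conf and the saved output of `testparm -s` and `klist`; the point of keeping the checks file-based is that the same script can be run against copies taken from the working and the failing boot environment and the two reports compared line by line. With the contents posted in this thread the first two checks pass and the testparm and klist checks fail, which is exactly the difference anodos's list is meant to surface.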