FreeNAS 9.2.1.5 fails join to Win2K8R2


chucktryon (Dabbler, joined Sep 20, 2011, 26 messages)
I'm having a serious problem trying to get a freenas server (9.1 or 9.2) to join my AD domain again. I've had this working under previous versions (9.0 and 9.1), but not since going to 9.1.1 or 9.2. I know there are about a bazillion threads on AD, but I'm hoping that perhaps someone will spot something obvious I'm overlooking... :tongue:

We have a geographically distributed organization, so each local field has their own DC, linked back to the central domain.

I've followed many different online guides (all saying mostly the same thing), but my process keeps failing at the net -k ads join global.local step. The log files don't give any obvious indication of what the error is.
http://forums.freenas.org/index.php...directory-folder-file-user-permissions.20610/
http://doc.freenas.org/index.php/Directory_Services (keytab documentation is incorrect.)
http://forums.freenas.org/index.php?threads/ad-authentication-problem-after-upgraded-to-9-1-0.14133/
https://bugs.freenas.org/issues/2544
http://forums.freenas.org/index.php...2-issues-after-enabling-ad-integration.14385/

My CIFS/Directory setup:
Host: usfreenasdev.global.local
NetBIOS name: usfreenasdev (or: USFREENASDEV)
Workgroup: GLOBAL
Zeroconf: OFF
Local Master: OFF
Time Server for Domain: OFF
Unix Extensions: ON
Zeroconf discovery: OFF
Domain Name: global.local
Domain Account Name: freenasadmin
Use Default Domain: OFF
Domain Controller: dc1.global.local
AD timeout: 10
DNS timeout: 10


etc/local# cat smb4.conf
[global]
server max protocol = SMB3
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 11070
syslog only = yes
syslog = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = Yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
server string = FreeNAS Dev Server
ea support = yes
store dos attributes = yes
map archive = no
map readonly = no
map hidden = no
map system = no
acl allow execute always = true
server role = standalone
netbios name = USFREENASDEV
workgroup = GLOBAL
security = user
pid directory = /var/run/samba
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 3


~# net ads join -S dc1.global.local -U admin.name
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.


What I've done:
- checked the time and the clocks are synced between the DC and the FreeNAS box to within a few seconds.
- checked to see that there are both A and PTR records for the FreeNAS server, and that I can ping the server by name from the DC.
- Since we have multiple controllers in our DNS SRV records (most of which are unreachable), I have used the advanced option to explicitly name the controller that I have to connect to. I've checked that I can ping that server by name.
- made sure that "Active Directory" is selected under Setting=>General=>Directory Service.
- confirmed that the "local master" option under CIFS is turned OFF
- pre-staged the computer account (with the correct name) in our departmental "Computers" OU, to make sure I have permissions
- created a non-privileged "freenasadmin" account, and then gave that account full permissions to the new computer object.
- tried joining with both an administrator account, and the special account created above.
- increased system RAM (System was running fine before at 2Gig, but I've increased to 6Gig.)
- tried making sure that CIFS is turned OFF before trying to turn Directory Services ON. (This helped in the past.)
- made sure I have a ZFS pool defined (/mnt/Vol1)
- deleted and re-created the machine account on the domain. (This has helped in the past.)
- specified the DC name in the Directory Services advanced config both by name and by IP address.
- entered the system's NetBIOS name in both caps and lower case
- removed special characters (eg, dashes) from the host name.
- changed the password so it doesn't have spaces or special characters.
- updated to 9.2.1.6 BETA, and downgraded back to 9.1.1
- reloaded a config I had working back when I was originally on 9.1.1 and it was intermittently working
- checked both the /var/log/messages (no useful error messages) and var/log/messages/samba (or samba4) and not found anything that obviously indicates what is going wrong.
- changed the DNS server to be pointing directly to our domain controller, rather than through our normal DNS server (which normally redirects "global.local" name requests to the DC)
- the command "kinit <my.name>" does work on the FreeNAS server
- have NOT yet tried starting from scratch again on a clean FreeNAS install.

/var/log/messages
Jun 2 15:27:43 usfreenasdev ActiveDirectory: /usr/sbin/service ix-kerberos quietstart
Jun 2 15:27:44 usfreenasdev ActiveDirectory: AD_init: binddn = freenasadmin@GLOBAL.LOCAL
Jun 2 15:27:44 usfreenasdev ActiveDirectory: AD_init: dchost = dc1.global.local, dcport = 389
Jun 2 15:27:44 usfreenasdev ActiveDirectory: AD_query_rootDSE: filter = (objectclass=*), attributes =
Jun 2 15:27:44 usfreenasdev ActiveDirectory: AD_init: basedn = DC=global,DC=local
Jun 2 15:27:44 usfreenasdev ActiveDirectory: AD_init: gchost = dc1.global.local, gcport = 3268
Jun 2 15:27:44 usfreenasdev ActiveDirectory: AD_init: krbhost = dc1.global.local, krbport = 88
Jun 2 15:27:44 usfreenasdev ActiveDirectory: AD_init: kpwdhost = dc1.global.local, kpwdport = 464
Jun 2 15:27:44 usfreenasdev ix-kerberos: generate_krb5_conf: krbhost=dc1.global.local, kpwdhost=dc1.global.local, domainname=global.local
Jun 2 15:27:44 usfreenasdev ActiveDirectory: /usr/sbin/service ix-nsswitch quietstart
Jun 2 15:27:44 usfreenasdev ActiveDirectory: /usr/sbin/service ix-kinit quietstart
Jun 2 15:27:45 usfreenasdev ActiveDirectory: AD_init: binddn = freenasadmin@GLOBAL.LOCAL
Jun 2 15:27:45 usfreenasdev ActiveDirectory: AD_init: dchost = dc1.global.local, dcport = 389
Jun 2 15:27:45 usfreenasdev ActiveDirectory: AD_query_rootDSE: filter = (objectclass=*), attributes =
Jun 2 15:27:45 usfreenasdev ActiveDirectory: AD_init: basedn = DC=global,DC=local
Jun 2 15:27:45 usfreenasdev ActiveDirectory: AD_init: gchost = dc1.global.local, gcport = 3268
Jun 2 15:27:45 usfreenasdev ActiveDirectory: AD_init: krbhost = dc1.global.local, krbport = 88
Jun 2 15:27:45 usfreenasdev ActiveDirectory: AD_init: kpwdhost = dc1.global.local, kpwdport = 464
Jun 2 15:27:45 usfreenasdev ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable --password-file=/tmp/tmp.aserrX freenasadmin@GLOBAL.LOCAL
Jun 2 15:27:46 usfreenasdev ActiveDirectory: kerberos_start: Successful
Jun 2 15:27:56 usfreenasdev ActiveDirectory: /usr/sbin/service ix-kinit status
Jun 2 15:27:57 usfreenasdev ActiveDirectory: AD_init: binddn = freenasadmin@GLOBAL.LOCAL
Jun 2 15:27:57 usfreenasdev ActiveDirectory: AD_init: dchost = dc1.global.local, dcport = 389
Jun 2 15:27:57 usfreenasdev ActiveDirectory: AD_query_rootDSE: filter = (objectclass=*), attributes =
Jun 2 15:27:57 usfreenasdev ActiveDirectory: AD_init: basedn = DC=global,DC=local
Jun 2 15:27:57 usfreenasdev ActiveDirectory: AD_init: gchost = dc1.global.local, gcport = 3268
Jun 2 15:27:57 usfreenasdev ActiveDirectory: AD_init: krbhost = dc1.global.local, krbport = 88
Jun 2 15:27:57 usfreenasdev ActiveDirectory: AD_init: kpwdhost = dc1.global.local, kpwdport = 464
Jun 2 15:27:57 usfreenasdev ActiveDirectory: kerberos_status: klist -t
Jun 2 15:27:57 usfreenasdev ActiveDirectory: kerberos_status: Successful
Jun 2 15:27:57 usfreenasdev ActiveDirectory: /usr/sbin/service ix-samba quietstart
Jun 2 15:27:59 usfreenasdev generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /sbin/sysctl -n 'kern.maxfilesperproc'
Jun 2 15:27:59 usfreenasdev generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: zfs list -H -o mountpoint,name
Jun 2 15:27:59 usfreenasdev generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: zfs list -H -o mountpoint
Jun 2 15:27:59 usfreenasdev last message repeated 3 times
Jun 2 15:27:59 usfreenasdev generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/pdbedit -d 0 -i smbpasswd:/tmp/tmppanOcI -s /usr/local/etc/smb4.conf -e tdbsam:/var/etc/private/passdb.tdb
Jun 2 15:28:00 usfreenasdev ActiveDirectory: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py start cifs
Jun 2 15:28:02 usfreenasdev generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /sbin/sysctl -n 'kern.maxfilesperproc'
Jun 2 15:28:03 usfreenasdev generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: zfs list -H -o mountpoint,name
Jun 2 15:28:03 usfreenasdev generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: zfs list -H -o mountpoint
Jun 2 15:28:03 usfreenasdev last message repeated 3 times
Jun 2 15:28:03 usfreenasdev generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/pdbedit -d 0 -i smbpasswd:/tmp/tmpJxbUov -s /usr/local/etc/smb4.conf -e tdbsam:/var/etc/private/passdb.tdb
Jun 2 15:28:03 usfreenasdev notifier: Performing sanity check on Samba configuration: OK
Jun 2 15:28:03 usfreenasdev notifier: Starting nmbd.
Jun 2 15:28:03 usfreenasdev notifier: Starting smbd.
Jun 2 15:28:04 usfreenasdev notifier: Starting winbindd.
Jun 2 15:28:04 usfreenasdev ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
Jun 2 15:28:04 usfreenasdev winbindd[11528]: [2014/06/02 15:28:04.348364, 0] ../source3/winbindd/winbindd_util.c:634(init_domain_list)
Jun 2 15:28:04 usfreenasdev winbindd[11528]: Could not fetch our SID - did we join?
Jun 2 15:28:04 usfreenasdev winbindd[11528]: [2014/06/02 15:28:04.350058, 0] ../source3/winbindd/winbindd.c:1204(winbindd_register_handlers)
Jun 2 15:28:04 usfreenasdev winbindd[11528]: unable to initialize domain list
Jun 2 15:28:04 usfreenasdev ActiveDirectory: AD_init: binddn = freenasadmin@GLOBAL.LOCAL
Jun 2 15:28:04 usfreenasdev ActiveDirectory: AD_init: dchost = dc1.global.local, dcport = 389
Jun 2 15:28:05 usfreenasdev ActiveDirectory: AD_query_rootDSE: filter = (objectclass=*), attributes =
Jun 2 15:28:05 usfreenasdev ActiveDirectory: AD_init: basedn = DC=global,DC=local
Jun 2 15:28:05 usfreenasdev ActiveDirectory: AD_init: gchost = dc1.global.local, gcport = 3268
Jun 2 15:28:05 usfreenasdev ActiveDirectory: AD_init: krbhost = dc1.global.local, krbport = 88
Jun 2 15:28:05 usfreenasdev ActiveDirectory: AD_init: kpwdhost = dc1.global.local, kpwdport = 464
Jun 2 15:28:05 usfreenasdev ActiveDirectory: activedirectory_start: trying to join domain
Jun 2 15:28:05 usfreenasdev ActiveDirectory: AD_join_domain: net -k ads join global.local
Jun 2 15:28:15 usfreenasdev ActiveDirectory: AD_join_domain: Failed
Jun 2 15:28:15 usfreenasdev ActiveDirectory: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py stop cifs
Jun 2 15:28:17 usfreenasdev notifier: winbindd not running? (check /var/run/samba/winbindd.pid).
Jun 2 15:28:17 usfreenasdev notifier: Stopping smbd.
Jun 2 15:28:17 usfreenasdev notifier: Stopping nmbd.

Open to ANY suggestions....

dasti (Explorer, joined Jun 11, 2014, 71 messages)
I was at the same point as you yesterday: same checks, same result.
We were searching in the Samba wiki, and my colleague solved the problem by changing the workgroup name.

before
Domain Name (DNS/Realm-Name): cn.company.com
workgroup : CN.COMPANY.COM or workgroup : WORKGROUP

now
Domain Name (DNS/Realm-Name): cn.company.com
workgroup : CN

wbinfo -u or -p or -g all works

I'm on FreeNAS 9.2.1.6 beta, upgraded from 9.2.1.5 (I didn't try on 9.2.1.5 since the problem has been solved).
Active Directory 2003.

Now I'm trying to find a way to create all those home directories with the correct rights automatically! :)

slushieken (Dabbler, joined May 28, 2014, 24 messages)
dasti said:
I was at the same point as you yesterday: same checks, same result.
We were searching in the Samba wiki, and my colleague solved the problem by changing the workgroup name.

before
Domain Name (DNS/Realm-Name): cn.company.com
workgroup : CN.COMPANY.COM or workgroup : WORKGROUP

now
Domain Name (DNS/Realm-Name): cn.company.com
workgroup : CN

AND

~# net ads join -S dc1.westchester.org -U administrator
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
------------------------------------------------------------------------
This fixed me too, much to my surprise... I replaced the WORKGROUP setting with my Active Directory name minus the top level domain.

Example:

DNS domain is: westchester.org
Active Directory domain is: westchester.org

Changed the workgroup setting under BOTH CIFS and Directory Services from WORKGROUP to westchester.

tried again, everything worked! Joined right up first time.

Totally default Windows 2012 R2 installed, creating the first forest for this domain. Used Domain Administrator credentials for all work. No DNS registration on the internet was set up for this server as authoritative. I will set that up later.

Could not believe it was only this. It must use that name for a directive when authenticating even to an AD domain.

Started with this document: http://forums.freenas.org/index.php...directory-folder-file-user-permissions.20610/

No changes from what it states in there other than those absolutely required.
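To catch the misconfiguration both replies describe before running net ads join, here is an added shell pre-flight check (example code, not FreeNAS's own). The smb4.conf contents it reads are constructed to mirror the thread's failing settings (workgroup set to the DNS name, security = user / standalone, which is what makes net ads join report "Host is not configured as a member server") and the fixed ones (workgroup = NetBIOS short name, security = ads, upper-case realm).

```shell
#!/bin/sh
# Added pre-flight check for a Samba domain-member config (example code, not
# FreeNAS's own). It flags the mistakes behind the join failure in this thread:
# workgroup set to the DNS/realm name (or left at WORKGROUP) instead of the
# NetBIOS short name, and a config still at "security = user" / standalone,
# which is what makes net ads join print "Host is not configured as a member server".

# smb_param FILE NAME: print the [global] value of NAME (key match is case-insensitive).
smb_param() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) != key) next
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# check_smb_member_conf FILE: print one FAIL line per problem; return the count.
check_smb_member_conf() {
    n=0
    wg=$(smb_param "$1" workgroup); realm=$(smb_param "$1" realm)
    sec=$(smb_param "$1" security | tr 'A-Z' 'a-z')
    case "$wg" in
        ""|WORKGROUP) echo "FAIL: workgroup unset or default; use the NetBIOS domain name"; n=$((n+1)) ;;
        *.*) echo "FAIL: workgroup '$wg' is a DNS name; use the short name (CN, not CN.COMPANY.COM)"; n=$((n+1)) ;;
    esac
    [ ${#wg} -le 15 ] || { echo "FAIL: workgroup '$wg' exceeds the 15-char NetBIOS limit"; n=$((n+1)); }
    [ "$sec" = ads ] || { echo "FAIL: security = '$sec'; a domain member needs security = ads"; n=$((n+1)); }
    if [ -z "$realm" ]; then echo "FAIL: realm not set (should be the upper-case DNS domain)"; n=$((n+1))
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "FAIL: realm '$realm' should be upper case"; n=$((n+1))
    fi
    return $n
}

# Constructed sample configs: the failing layout from the thread and the fixed one.
BAD_CONF=$(mktemp); FIXED_CONF=$(mktemp)
printf '[global]\nserver role = standalone\nsecurity = user\nworkgroup = CN.COMPANY.COM\n' > "$BAD_CONF"
printf '[global]\nsecurity = ads\nworkgroup = CN\nrealm = CN.COMPANY.COM\n' > "$FIXED_CONF"

check_smb_member_conf "$BAD_CONF" || echo "$? problem(s) found, do not run net ads join yet"
check_smb_member_conf "$FIXED_CONF" && echo "OK: config looks like a domain member"
```

Run it against /usr/local/etc/smb4.conf after enabling Directory Services; if it still reports security = user, the AD settings were not applied to the generated config and the join will fail regardless of credentials.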