FreeNAS and AD - AD Group & Users not appearing in FreeNAS GUI

NugentS (MVP, joined Apr 16, 2020, 2,947 messages)
I have two FreeNAS boxes.
Box 1: Virtual on ESXi - purely for testing purposes whilst I work out how things work
Box 2: Hardware. X10SRi-F, 128GB, Boot from SATADOM, Lots of scratch disks for testing with

There are two Windows AD Servers, both virtual, work just fine. LAN is just layer 2 with no known issues

Both are on 11.3-U2.1, built from the same ISO.
Box 1 works with AD. On a reboot it fails, but this is fixed with a couple of POSTINIT commands from elsewhere in this forum:
midclt call cache.pop DS_STATE
midclt call directoryservices.get_state
When I set up a windows share I can assign a domain group to it and it works

Box 2: Says it's attached to AD and requires the same fix to the reboot issue as above.
wbinfo -u returns a list of domain users
wbinfo -g returns a list of domain groups
wbinfo -t returns succeeded
But when I attempt to assign a group to a share there are no AD groups available in the Group* dropdown box, just as there are no AD users available if I try to add a user to the ACL. The AD users and groups are not appearing in the GUI.

Box 2 does appear in the AD correctly as far as I can tell.

I joined the domain in the following manner:
1. Set up NAS name, and domain, fixed IP address in Network
2. Set up location in System\General
3. Removed the NTP servers and added my DCs, which are pointed to ntp.org themselves. Time seems correct
4. Set up a pool
5. Under Directory Services\Active Directory put in domain name, username and password and ticked enable
6. Waited a bit for Directory Services Monitor to say "Healthy"

I have spotted other incidences of this issue on the forum, but not seen any solution that seems to apply to me / works, as everything I try says it's working - except it isn't.

I did try setting up a share, so it appears in Windows. I even tried setting permissions on that share, but got told I have no access.

root@nas[/var/log/samba4]# host -t srv _ldap._tcp.Sendarian.co.uk
_ldap._tcp.Sendarian.co.uk has SRV record 0 100 389 heradc.sendarian.co.uk.
_ldap._tcp.Sendarian.co.uk has SRV record 0 100 389 HeraDC.sendarian.co.uk.
_ldap._tcp.Sendarian.co.uk has SRV record 0 100 389 zeusdc.sendarian.co.uk.
_ldap._tcp.Sendarian.co.uk has SRV record 0 100 389 ZeusDC.sendarian.co.uk.
root@nas[/var/log/samba4]# ping heradc
PING heradc.sendarian.co.uk (192.168.38.11): 56 data bytes
64 bytes from 192.168.38.11: icmp_seq=0 ttl=128 time=0.222 ms
64 bytes from 192.168.38.11: icmp_seq=1 ttl=128 time=0.256 ms
64 bytes from 192.168.38.11: icmp_seq=2 ttl=128 time=0.285 ms
^C
--- heradc.sendarian.co.uk ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.222/0.254/0.285/0.026 ms
root@nas[/var/log/samba4]# ping zeusdc
PING zeusdc.sendarian.co.uk (192.168.38.10): 56 data bytes
64 bytes from 192.168.38.10: icmp_seq=0 ttl=128 time=0.219 ms
64 bytes from 192.168.38.10: icmp_seq=1 ttl=128 time=0.330 ms
^C
--- zeusdc.sendarian.co.uk ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.219/0.275/0.330/0.055 ms
root@nas[/var/log/samba4]#

NugentS (MVP)
Minor update:
I managed to change sufficient permissions to allow me to change permissions on the dataset/share and used Windows to add Domain Users with full control.

I can now copy files to the NAS.
However, when I look at the ACL on the share a new section has appeared:
[screenshot: 1589027155788.png]


Which implies some mapping is failing between AD users and groups and the FreeNAS equivalents

NugentS (MVP)
I set up a group on FreeNAS with that group ID called domain-users which obviously does appear in the GUI and that works.

I think this confirms what is going wrong in that there is no mapping between AD Users and Groups and the FreeNAS users and groups.

Why is a whole different ballgame.
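The symptom in the two posts above (wbinfo enumerates the domain groups, but nothing resolves them on the FreeNAS side, so the GUI offers none and a locally created "domain-users" has to stand in) can be checked by comparing what winbind enumerates with what the NSS layer can resolve. This is an added example, not code from the thread; the group lists are constructed, and on a live box the function would be fed the real output of wbinfo -g and getent group as noted in the comments.

```shell
#!/bin/sh
# Added example: list domain groups that winbind can enumerate but NSS cannot
# resolve. The GUI and ACL editor resolve names through NSS, so "wbinfo -g"
# showing groups while NSS lacks them matches the symptom in the thread.
# On a live box feed it real data instead of the constructed sample:
#   missing_from_nss "$(wbinfo -g)" "$(getent group | cut -d: -f1)"
LC_ALL=C; export LC_ALL

# Normalise one group name: drop a "DOMAIN\" prefix and lower-case the rest,
# so "SENDARIAN\Domain Users" and "domain users" compare equal.
norm_name() {
    n=$1
    case $n in *\\*) n=${n#*\\} ;; esac
    printf '%s\n' "$n" | tr 'A-Z' 'a-z'
}

# Read newline-separated names on stdin; emit them normalised, sorted, unique.
norm_list() {
    while IFS= read -r g; do
        [ -n "$g" ] && norm_name "$g"
    done | sort -u
}

# Args: winbind group list, NSS group list (newline-separated strings).
# Prints every winbind group that NSS cannot see, one per line.
missing_from_nss() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$2" | norm_list > "$tmp"
    printf '%s\n' "$1" | norm_list | comm -23 - "$tmp"
    rm -f "$tmp"
}

# Constructed sample: winbind sees three domain groups; NSS resolves only the
# local groups plus one domain group. The local "domain-users" workaround from
# the thread is deliberately not the same name as "domain users".
WB_SAMPLE='SENDARIAN\Domain Users
SENDARIAN\Domain Admins
SENDARIAN\nas-share-rw'
NSS_SAMPLE='wheel
operators
domain-users
SENDARIAN\Domain Admins'

# Wrapper so the sample comparison can be called by name.
check_sample() { missing_from_nss "$WB_SAMPLE" "$NSS_SAMPLE"; }

check_sample
```

An empty result means NSS resolves everything winbind enumerates; any names printed are the groups the GUI will not be able to offer.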

NugentS (MVP)
Another update

A series of commands as per the manual:

root@nas[~]#
root@nas[~]# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;"
root@nas[~]# echo $?
0
root@nas[~]# service ix-kerberos start
ix-kerberos does not exist in /etc/rc.d or the local startup
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable
root@nas[~]# service ix-nsswitch start
root@nas[~]# service ix-kinit start
root@nas[~]# service ix-kinit status
root@nas[~]# echo $?
0
root@nas[~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: NAS$@SENDARIAN.CO.UK

Issued Expires Principal
May 9 16:06:13 2020 May 10 02:06:13 2020 krbtgt/SENDARIAN.CO.UK@SENDARIAN.CO.UK
root@nas[~]# python /usr/local/www/freenasUI/middleware/notifier.py start cifs
True
root@nas[~]# service ix-activedirectory start
ix-activedirectory does not exist in /etc/rc.d or the local startup
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable
root@nas[~]# service ix-activedirectory status
ix-activedirectory does not exist in /etc/rc.d or the local startup
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable
root@nas[~]# echo $?
1
root@nas[~]# python /usr/local/www/freenasUI/middleware/notifier.py restart cifs
True
root@nas[~]# service ix-pam start
ix-pam does not exist in /etc/rc.d or the local startup
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable
root@nas[~]# service ix-cache start &
[1] 7113
root@nas[~]# ix-cache does not exist in /etc/rc.d or the local startup
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable

[1] + exit 1 service ix-cache start
root@nas[~]#

NugentS (MVP)
I took the particular install of FreeNAS out the back of the garden and shot it.
Reinstalled from scratch and all is good (at the moment).

Just weird.