Freenas join Domain fails

Ckone (Dabbler, joined Nov 16, 2018, 22 messages)
Hi all.
FreeNAS is on the latest build.
The situation is as follows. My AD (Win 2012) crashed and I could not recover it (playground, private use). I decided to create a new one with a new namespace.
I set up a fresh AD on Windows 2016 and noticed that it said it cannot contact the LDAP server.
First, using the "net ads join" command in debug mode, I noticed that it couldn't find the logon server, but DNS is working fine and pointing directly to the domain controller.
Second, after playing with the workgroup in the SMB settings (I have seen that it ignores the setting in the Directory tab), I noticed that it has taken the workgroup value as the domain value.
Now "net ads join" reports the following:
"Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain."
As I can join a Windows server to the same domain and could previously join the Windows 2012 domain, I'm a little bit lost.
I created a computer account and a DNS record inside the new domain as well.
 

Ckone
Some additional remarks. On the Windows DC (Essentials version) I can see that FreeNAS connects. It shows the right username for the bind, but as the user in the log it shows anonymous.
And on FreeNAS I see in messages: "Popen()ing: /usr/bin/kinit --renewable --password-file=/tmp/tmp2ypqczry Christian@KUEPPERS.LOCAL", which is the old account for the crashed domain.
 

Ckone
For whatever reason it still wants to get a ticket from the old domain:
Troubleshooting steps per documentation:
root@freenas:/var/log/samba4 # sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;"
root@freenas:/var/log/samba4 # echo $?
0
root@freenas:/var/log/samba4 # service ix-kerberos start
root@freenas:/var/log/samba4 # service ix-nsswitch start
root@freenas:/var/log/samba4 # service ix-kinit start
kinit: krb5_get_init_creds: unable to reach any KDC in realm KUEPPERS.LOCAL
root@freenas:/var/log/samba4 # service ix-kinit status
root@freenas:/var/log/samba4 # echo $?
1
root@freenas:/var/log/samba4 # klist
klist: No ticket file: /tmp/krb5cc_0
---
 

Ckone
root@freenas:/var/log/samba4 # python /usr/local/www/freenasUI/middleware/notifier.py start cifs
True
root@freenas:/var/log/samba4 # service ix-activedirectory start
Join to domain is not valid: NT code 0xfffffff6
Failed to join domain: Could not find the domain controller for this domain.
root@freenas:/var/log/samba4 # service ix-activedirectory status
root@freenas:/var/log/samba4 # echo $?
1
root@freenas:/var/log/samba4 # python /usr/local/www/freenasUI/middleware/notifier.py restart cifs
False
root@freenas:/var/log/samba4 # service ix-pam start
root@freenas:/var/log/samba4 # service ix-cache start &
[1] 73090
 

Ckone
One additional hint:
The domain is "kueppers.netzwerk", the NetBIOS name is "FAMILIE". Previously it was consistent.
 

Ckone
root@freenas:/home # host -t srv _ldap._tcp.kueppers.netzwerk
_ldap._tcp.kueppers.netzwerk has SRV record 0 100 389 DC2016.kueppers.netzwerk.
--------
I still see old logons:

root@freenas:/home # net cache samlogon list
SID Name When cached
----------------------------------------------------------------------------------------------------------------------------
S-1-5-21-3836162422-2732178687-2792648508-1130 KUEPPERS\Pu Fri Aug 9 21:36:36 2019 CEST
S-1-5-21-3836162422-2732178687-2792648508-1165 KUEPPERS\backup Fri Aug 9 23:30:57 2019 CEST
S-1-5-21-3836162422-2732178687-2792648508-1001 KUEPPERS\Christian Wed Jul 17 21:12:27 2019 CEST
S-1-5-21-3836162422-2732178687-2792648508-1132 KUEPPERS\Ruebe Mon Aug 5 20:36:04 2019 CEST
S-1-5-21-3836162422-2732178687-2792648508-1002 KUEPPERS\DC$ Fri Aug 9 11:43:00 2019 CEST
S-1-5-21-3836162422-2732178687-2792648508-1152 KUEPPERS\BDC-APP$ Sat Aug 10 00:57:08 2019 CEST
---------


Debug:
root@freenas:/home # net -k ads testjoin -d10 -w kueppers.netzwerk
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter server min protocol = NT1
doing parameter server max protocol = SMB3
doing parameter interfaces = 127.0.0.1 192.168.2.2
doing parameter bind interfaces only = yes
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter aio max threads = 2
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter private dir = /var/db/samba4/private
doing parameter max open files = 469685
doing parameter logging = file
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter obey pam restrictions = no
doing parameter ntlm auth = yes
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = Freenas Physical Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter unix extensions = no
doing parameter acl allow execute always = false
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = yes
doing parameter local master = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = standalone
doing parameter netbios name = FREENAS
doing parameter netbios aliases = VFREENAS
doing parameter workgroup = KUEPPERSWKG
doing parameter security = user
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = no
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 10
doing parameter wins server = 192.168.2.12
pm_process() returned Yes
lp_servicenumber: couldn't find homes
messaging_dgm_ref: messaging_dgm_init returned No error: 0
messaging_dgm_ref: unique = 16017407295050741414
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Registering messaging pointer for type 51 - private_data=0x0
messaging_init_internal: my id: 82770
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter server min protocol = NT1
doing parameter server max protocol = SMB3
doing parameter interfaces = 127.0.0.1 192.168.2.2
doing parameter bind interfaces only = yes
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter aio max threads = 2
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter private dir = /var/db/samba4/private
doing parameter max open files = 469685
doing parameter logging = file
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter obey pam restrictions = no
doing parameter ntlm auth = yes
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = Freenas Physical Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter unix extensions = no
doing parameter acl allow execute always = false
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = yes
doing parameter local master = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = standalone
doing parameter netbios name = FREENAS
doing parameter netbios aliases = VFREENAS
doing parameter workgroup = KUEPPERSWKG
doing parameter security = user
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = no
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 10
doing parameter wins server = 192.168.2.12
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="FREENAS"
my_netbios_names[1]="VFREENAS"
added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface bge1 ip=192.168.2.2 bcast=192.168.2.15 netmask=255.255.255.240
Opening cache file at /var/run/samba4/gencache.tdb
Opening cache file at /var/run/samba4/gencache_notrans.tdb
gencache_set_data_blob: Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Thu Jan 1 01:00:00 1970 CET] (-1566121015 seconds in the past)
sitename_fetch: No stored sitename for realm ''
ads_dc_name: domain=KUEPPERSWKG
resolve_and_ping_netbios: (cldap) looking for domain 'KUEPPERSWKG'
get_sorted_dc_list: attempting lookup for name KUEPPERSWKG (sitename NULL)
gencache_set_data_blob: Adding cache entry with key=[SAFJOIN/DOMAIN/KUEPPERSWKG] and timeout=[Thu Jan 1 01:00:00 1970 CET] (-1566121015 seconds in the past)
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/KUEPPERSWKG] and timeout=[Thu Jan 1 01:00:00 1970 CET] (-1566121015 seconds in the past)
saf_fetch: failed to find server for "KUEPPERSWKG" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up KUEPPERSWKG#1c (sitename (null))
gencache_set_data_blob: Adding cache entry with key=[NBT/KUEPPERSWKG#1C] and timeout=[Thu Jan 1 01:00:00 1970 CET] (-1566121015 seconds in the past)
no entry for KUEPPERSWKG#1C found.
resolve_lmhosts: Attempting lmhosts lookup for name KUEPPERSWKG<0x1c>
startlmhosts: Can't open lmhosts file /usr/local/etc/lmhosts. Error was No such file or directory
gencache_set_data_blob: Adding cache entry with key=[WINS_SRV_DEAD/192.168.2.12,0.0.0.0] and timeout=[Thu Jan 1 01:00:00 1970 CET] (-1566121015 seconds in the past)
wins_srv_is_dead: 192.168.2.12 is alive
resolve_wins: using WINS server 192.168.2.12 and tag '*'
parse_nmb: packet id = 26310
nmb packet from 192.168.2.12(35072) header: id=26310 opcode=Query(0) response=Yes
header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No auth=Yes
header: rcode=3 qdcount=0 ancount=0 nscount=0 arcount=0
Negative name query response, rcode 0x03: The name requested does not exist.
resolve_hosts: not appropriate for name type <0x1c>
name_resolve_bcast: Attempting broadcast lookup for name KUEPPERSWKG<0x1c>
sendto failed: Can't assign requested address
Adding 0 DC's from auto lookup
get_dc_list: no servers found
ads_find_dc: name resolution for realm '' (domain 'KUEPPERSWKG') failed: NT_STATUS_NO_LOGON_SERVERS
get_sorted_dc_list: attempting lookup for name KUEPPERSWKG (sitename NULL)
saf_fetch: failed to find server for "KUEPPERSWKG" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up KUEPPERSWKG#1c (sitename (null))
no entry for KUEPPERSWKG#1C found.
resolve_lmhosts: Attempting lmhosts lookup for name KUEPPERSWKG<0x1c>
startlmhosts: Can't open lmhosts file /usr/local/etc/lmhosts. Error was No such file or directory
wins_srv_is_dead: 192.168.2.12 is alive
resolve_wins: using WINS server 192.168.2.12 and tag '*'
parse_nmb: packet id = 21381
nmb packet from 192.168.2.12(35072) header: id=21381 opcode=Query(0) response=Yes
header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No auth=Yes
header: rcode=3 qdcount=0 ancount=0 nscount=0 arcount=0
Negative name query response, rcode 0x03: The name requested does not exist.
resolve_hosts: not appropriate for name type <0x1c>
name_resolve_bcast: Attempting broadcast lookup for name KUEPPERSWKG<0x1c>
sendto failed: Can't assign requested address
Adding 0 DC's from auto lookup
get_dc_list: no servers found
Could not look up dc's for domain KUEPPERSWKG
ads_find_dc: (ldap) looking for realm '' and falling back to domain 'kueppers.netzwerk'
sitename_fetch: No stored sitename for realm ''
ads_dc_name: domain=kueppers.netzwerk
resolve_and_ping_netbios: (cldap) looking for domain 'kueppers.netzwerk'
get_sorted_dc_list: attempting lookup for name kueppers.netzwerk (sitename NULL)
gencache_set_data_blob: Adding cache entry with key=[SAFJOIN/DOMAIN/KUEPPERS.NETZWERK] and timeout=[Thu Jan 1 01:00:00 1970 CET] (-1566121017 seconds in the past)
gencache_set_data_blob: Adding cache entry with key=[SAF/DOMAIN/KUEPPERS.NETZWERK] and timeout=[Thu Jan 1 01:00:00 1970 CET] (-1566121017 seconds in the past)
saf_fetch: failed to find server for "kueppers.netzwerk" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up kueppers.netzwerk#1c (sitename (null))
gencache_set_data_blob: Adding cache entry with key=[NBT/KUEPPERS.NETZWERK#1C] and timeout=[Thu Jan 1 01:00:00 1970 CET] (-1566121017 seconds in the past)
no entry for kueppers.netzwerk#1C found.
resolve_hosts: not appropriate for name type <0x1c>
Adding 0 DC's from auto lookup
get_dc_list: no servers found
ads_find_dc: name resolution for realm '' (domain 'kueppers.netzwerk') failed: NT_STATUS_NO_LOGON_SERVERS
get_sorted_dc_list: attempting lookup for name kueppers.netzwerk (sitename NULL)
saf_fetch: failed to find server for "kueppers.netzwerk" domain
get_dc_list: preferred server list: ", *"
internal_resolve_name: looking up kueppers.netzwerk#1c (sitename (null))
no entry for kueppers.netzwerk#1C found.
resolve_hosts: not appropriate for name type <0x1c>
Adding 0 DC's from auto lookup
get_dc_list: no servers found
Could not look up dc's for domain kueppers.netzwerk
ads_connect: No logon servers are currently available to service the logon request.
Join to domain is not valid: No logon servers are currently available to service the logon request.
return code = -1
 
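The debug dump above already contains the diagnosis: Samba loaded smb.conf with security = user, server role = standalone, no realm at all and workgroup = KUEPPERSWKG, so the DC lookup runs for realm '' and falls back to NetBIOS name resolution of a workgroup that no domain controller answers for, while the samlogon cache still holds accounts of the old KUEPPERS domain. The following triage helper is an added example, not FreeNAS or Samba code: it parses the `doing parameter` lines and the `ads_find_dc` failures out of a `net ads testjoin -d10` log and flags cached logons whose NetBIOS domain is not the current one. The excerpts are constructed from the output quoted in this post, and the function names and the expected NetBIOS name passed in ("FAMILIE", from the earlier post) are my choices.

```python
# Added triage helper (not FreeNAS or Samba code): parses the effective smb.conf
# parameters and the DC-lookup failures out of a `net ads testjoin -d10` debug
# dump, and flags `net cache samlogon list` entries that belong to another domain.
import re

# Constructed excerpt of the `net ads testjoin -d10` output quoted in the thread.
SAMPLE_TESTJOIN = r"""
Processing section "[global]"
doing parameter server role = standalone
doing parameter netbios name = FREENAS
doing parameter workgroup = KUEPPERSWKG
doing parameter security = user
doing parameter wins server = 192.168.2.12
ads_find_dc: name resolution for realm '' (domain 'KUEPPERSWKG') failed: NT_STATUS_NO_LOGON_SERVERS
ads_find_dc: (ldap) looking for realm '' and falling back to domain 'kueppers.netzwerk'
ads_find_dc: name resolution for realm '' (domain 'kueppers.netzwerk') failed: NT_STATUS_NO_LOGON_SERVERS
ads_connect: No logon servers are currently available to service the logon request.
"""

# Constructed excerpt of the `net cache samlogon list` output quoted in the thread.
SAMPLE_SAMLOGON = r"""
SID Name When cached
-----------------------------------------------------------------------------
S-1-5-21-3836162422-2732178687-2792648508-1130 KUEPPERS\Pu Fri Aug 9 21:36:36 2019 CEST
S-1-5-21-3836162422-2732178687-2792648508-1165 KUEPPERS\backup Fri Aug 9 23:30:57 2019 CEST
S-1-5-21-3836162422-2732178687-2792648508-1001 KUEPPERS\Christian Wed Jul 17 21:12:27 2019 CEST
S-1-5-21-3836162422-2732178687-2792648508-1132 KUEPPERS\Ruebe Mon Aug 5 20:36:04 2019 CEST
S-1-5-21-3836162422-2732178687-2792648508-1002 KUEPPERS\DC$ Fri Aug 9 11:43:00 2019 CEST
S-1-5-21-3836162422-2732178687-2792648508-1152 KUEPPERS\BDC-APP$ Sat Aug 10 00:57:08 2019 CEST
"""

PARAM_RE = re.compile(r"^doing parameter (.+?) = (.*)$")
FIND_DC_RE = re.compile(
    r"ads_find_dc: name resolution for realm '(.*?)' \(domain '(.*?)'\) failed: (\S+)")
# domain SID, RID, NetBIOS domain, account, timestamp
CACHE_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)\s+([^\\\s]+)\\(\S+)\s+(.+)$")


def parse_parameters(debug_log):
    """Return the effective [global] parameters Samba echoed while loading smb.conf."""
    params = {}
    for line in debug_log.splitlines():
        m = PARAM_RE.match(line.strip())
        if m:
            params[m.group(1).lower()] = m.group(2).strip()
    return params


def diagnose_testjoin(debug_log, expected_netbios_domain):
    """Return (params, findings) explaining why the AD lookup cannot find a DC."""
    params = parse_parameters(debug_log)
    findings = []
    security = params.get("security", "<unset>")
    if security.lower() != "ads":
        findings.append(f"security = {security}: an AD join needs security = ads")
    role = params.get("server role", "<unset>")
    if "member" not in role.lower():
        findings.append(f"server role = {role}: the host is not configured as a member server")
    if not params.get("realm"):
        findings.append("realm is unset: Samba cannot query the Kerberos realm and "
                        "falls back to NetBIOS resolution of the workgroup name")
    workgroup = params.get("workgroup", "<unset>")
    if workgroup.upper() != expected_netbios_domain.upper():
        findings.append(f"workgroup = {workgroup} does not match the domain's NetBIOS "
                        f"name {expected_netbios_domain}")
    for m in FIND_DC_RE.finditer(debug_log):
        findings.append(f"DC lookup for realm '{m.group(1)}' / domain '{m.group(2)}' "
                        f"failed: {m.group(3)}")
    return params, findings


def stale_cache_entries(listing, current_netbios_domain):
    """Return (netbios_domain, account, domain_sid) for cached logons of another domain."""
    stale = []
    for line in listing.splitlines():
        m = CACHE_RE.match(line.strip())
        if m and m.group(3).upper() != current_netbios_domain.upper():
            stale.append((m.group(3), m.group(4), m.group(1)))
    return stale


if __name__ == "__main__":
    _, findings = diagnose_testjoin(SAMPLE_TESTJOIN, "FAMILIE")
    for finding in findings:
        print("-", finding)
    for dom, acct, sid in stale_cache_entries(SAMPLE_SAMLOGON, "FAMILIE"):
        print(f"stale cached logon {dom}\\{acct} (domain SID {sid})")
```

Run against a real dump with `net ads testjoin -d10 2>&1 | python3 triage.py` after swapping the constructed strings for stdin; the point is that the lookup failure is a configuration problem visible in the loaded parameters, not a network one, so the DNS SRV check succeeding is consistent with the join still failing.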

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
Remove the old kerberos realm from Directory Services-> Kerberos realms. In the terminal type: "rm /etc/directoryservice/ActiveDirectory/config", and "kdestroy". In the GUI, verify that your new DC is set as NS1 in your DNS configuration (and remove any old entries for the old domain). Once you have done this, go back to Directory Services-> Active Directory, and re-enter your domain information for the new domain, check the enable box, and hit "OK".
 
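The reply above is a consistency procedure: the resolver must point at the new DC, the Kerberos configuration must name the new realm and nothing may still reference the old one before the join is attempted again. The following pre-join check is an added example, not FreeNAS code, that expresses those conditions as tests over the files involved: it confirms that the first nameserver in resolv.conf is a DC named by the `_ldap._tcp` SRV record, that krb5.conf's default_realm is the new domain in upper case, and that no [realms] stanza for another realm survives. The SRV output is the one quoted earlier in the thread; the DC address, the two resolv.conf and krb5.conf texts and the function names are constructed for the example.

```python
# Added pre-join check (not FreeNAS code): before re-entering the new domain,
# verify that the resolver, the Kerberos realm and the LDAP SRV records all
# agree on the new domain and that nothing still names the old realm.
# The addresses, the DC name-to-IP map and the config texts are constructed.
import re

DOMAIN = "kueppers.netzwerk"          # new AD DNS domain from the thread

# Constructed: `host -t srv _ldap._tcp.kueppers.netzwerk` output as quoted in the thread.
SRV_OUTPUT = "_ldap._tcp.kueppers.netzwerk has SRV record 0 100 389 DC2016.kueppers.netzwerk.\n"
# Constructed: the address the DC's A record resolves to (not given in the thread).
DC_ADDRESSES = {"dc2016.kueppers.netzwerk": "192.168.2.11"}

# Constructed: resolver and krb5.conf still pointing at the crashed domain.
STALE_RESOLV = "search kueppers.local\nnameserver 192.168.2.10\n"
STALE_KRB5 = """[libdefaults]
    default_realm = KUEPPERS.LOCAL
    dns_lookup_kdc = true
[realms]
    KUEPPERS.LOCAL = {
        kdc = 192.168.2.10
    }
"""
# Constructed: the same files after the old realm and DNS entries were removed.
CLEAN_RESOLV = "search kueppers.netzwerk\nnameserver 192.168.2.11\n"
CLEAN_KRB5 = """[libdefaults]
    default_realm = KUEPPERS.NETZWERK
    dns_lookup_kdc = true
[realms]
    KUEPPERS.NETZWERK = {
        kdc = dc2016.kueppers.netzwerk
    }
"""

SRV_RE = re.compile(r"has SRV record (\d+) (\d+) (\d+) (\S+)")
SECTION_RE = re.compile(r"^\[(\w+)\]$")
REALM_STANZA_RE = re.compile(r"^([A-Za-z0-9.\-]+)\s*=\s*\{")


def parse_nameservers(resolv_conf):
    """Return nameserver addresses in resolv.conf order."""
    return [line.split()[1] for line in resolv_conf.splitlines()
            if line.strip().startswith("nameserver") and len(line.split()) > 1]


def parse_srv_targets(host_output):
    """Return SRV targets (lower-case, no trailing dot) from `host -t srv` output."""
    return [m.group(4).rstrip(".").lower() for m in SRV_RE.finditer(host_output)]


def parse_krb5(krb5_conf):
    """Return (default_realm, set of realm names that have a [realms] stanza)."""
    section, default_realm, realms = None, None, set()
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms":
            m = REALM_STANZA_RE.match(line)
            if m:
                realms.add(m.group(1).upper())
    return default_realm, realms


def prejoin_findings(domain, resolv_conf, krb5_conf, srv_output, dc_addresses):
    """Return the problems that would make a join target the wrong domain (empty = ok)."""
    realm = domain.upper()
    findings = []
    targets = parse_srv_targets(srv_output)
    if not targets:
        findings.append(f"no _ldap._tcp.{domain} SRV records: the resolver does not serve the AD zone")
    dc_ips = {dc_addresses[t] for t in targets if t in dc_addresses}
    nameservers = parse_nameservers(resolv_conf)
    if not nameservers or nameservers[0] not in dc_ips:
        first = nameservers[0] if nameservers else "<none>"
        findings.append(f"first nameserver {first} is not a DC named by the SRV record {sorted(dc_ips)}")
    default_realm, realms = parse_krb5(krb5_conf)
    if default_realm != realm:
        findings.append(f"krb5.conf default_realm is {default_realm}, expected {realm}")
    for stale in sorted(realms - {realm}):
        findings.append(f"krb5.conf still carries a [realms] stanza for {stale}")
    return findings


if __name__ == "__main__":
    for name, resolv, krb5 in (("stale", STALE_RESOLV, STALE_KRB5),
                               ("clean", CLEAN_RESOLV, CLEAN_KRB5)):
        print(name, prejoin_findings(DOMAIN, resolv, krb5, SRV_OUTPUT, DC_ADDRESSES) or ["ok"])
```

On a live system the three inputs come from /etc/resolv.conf, /etc/krb5.conf and `host -t srv _ldap._tcp.<domain>`; a stale `kdestroy`-able ticket for the old realm is the remaining item from the reply and is visible with `klist` rather than in these files.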

Ckone
Hi Anodos,
thanks. I tried all that but it didn't work out. Nevertheless, one thing I had not done before was a reboot. After a reboot the errors shown above occurred again, but I could join the domain.
Thanks for the support.
 