\\FreeNAS path not working for some users

HelloWill

Dabbler
Joined
May 3, 2016
Messages
20
Symptoms
  • Everything has been working fine for a long time, and we have had no recent changes to any infrastructure
  • Last Friday (4 days ago), users were unable to connect to \\freenas
  • Users cannot connect to \\freenas, but it works fine when connecting to the IP
    • When connecting to \\freenas, it will continually prompt for credentials on some clients; on others it works
  • Some users are able to connect just fine to \\freenas; for others it only works if they use \\ip
  • The same user might work fine on one workstation, but they'll have to use the \\ip on another
  • Permissions haven't changed, and when a user uses \\IP, everything works fine
Troubleshooting Steps
  • Rebooted the FreeNAS server several times (the final reboot didn't produce the "active directory failed to reload" issue)
  • Confirmed DNS was working correctly
  • Pinged the DNS servers from the FreeNAS box with great response times and no dropped packets
  • Tried connecting to the server using \\freenas from multiple computers using the same credentials (some worked, some didn't)
  • Rebooted domain controllers
  • Restarted DNS services on both domain controllers
  • Confirmed time seems to be accurate on all boxes
  • Confirmed DNS resolutions were working correctly on all clients, even those having issues
  • Attempted to rebuild cache for active directory
Error Messages
  • in /var/db/system/syslog-2cf8bd0eb1d742db9c1d9f9e6d30a105/log/samba4/log.smbd this gets repeated over and over again
    • ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
      gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/name@FQDN kvno 22) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
      [2019/06/28 10:32:31.416373, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
      SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
  • Couldn't connect to active directory: [middleware.exceptions:36] [MiddlewareError: Active Directory failed to reload.]
    • After rebooting the FreeNAS box, it finally worked correctly
Workaround
  • I've added machine password timeout = 0 to /usr/local/etc/smb4.conf, which might help in the future, and changed the mapped drive on users' computers to use the IP instead of the name, so nobody is blocked now
Configuration
  • SMB shares
  • Active directory integration for permissions and authentication
  • Mixed client environment (Windows, *nix, Mac)
  • Running version FreeNAS-11.1-U7
  • 2 NIC / Lagg groups
    • 1 used by servers
    • 1 used by clients
I've read other threads and confirmed the NTP settings / times look to be correct, as well as making sure "other" has execute permissions on tank.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
IP address working but not FQDN means that you have a Kerberos problem. Possibly Kerberos has been broken in your environment for a while, but client / GPO updates are exposing the issue. Look through advanced properties of your FreeNAS server's computer object and verify that the SRV record mentioned in the error message is set in your Kerberos Service Principals.
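
Added example (not part of either post, and not FreeNAS or Samba code): a small Python parser that pulls the principal, key version number (kvno) and encryption type out of the repeated gse.c keytab failures quoted in the first post, so the principal can be checked against the computer object's service principals as the reply suggests. The sample log is constructed; "freenas" and "EXAMPLE.LOCAL" stand in for the redacted name and realm, and the function names are this example's own.

```python
import re

# Constructed sample modelled on the log.smbd excerpt in the thread.
# "freenas" and "EXAMPLE.LOCAL" are placeholders for the redacted name/realm.
SAMPLE_LOG = """\
[2019/06/28 10:32:31.410112, 1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/freenas@EXAMPLE.LOCAL kvno 22) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2019/06/28 10:32:31.416373, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2019/06/28 10:35:02.100200, 1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/freenas@EXAMPLE.LOCAL(kvno 22) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
"""

# Accepts both "@REALM kvno 22)" (as pasted in the post) and "@REALM(kvno 22)".
MISS = re.compile(
    r"Failed to find (?P<spn>[^\s@]+)@(?P<realm>[^\s(]+)\s*\(?kvno (?P<kvno>\d+)\)"
    r" in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)
STAMP = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

def keytab_misses(log_text):
    """One dict per keytab lookup failure, stamped with its entry header time."""
    misses, stamp = [], None
    for line in log_text.splitlines():
        header = STAMP.match(line)
        if header:                      # smbd writes the timestamp on its own line
            stamp = header.group(1)
            continue
        m = MISS.search(line)
        if m:
            misses.append({"time": stamp, **m.groupdict(), "kvno": int(m["kvno"])})
    return misses

def summarize(misses):
    """Group failures by (principal, kvno, enctype) with count and first/last time."""
    groups = {}
    for m in misses:
        key = (f'{m["spn"]}@{m["realm"]}', m["kvno"], m["enctype"])
        g = groups.setdefault(key, {"count": 0, "first": m["time"], "last": m["time"]})
        g["count"] += 1
        g["last"] = m["time"]
    return groups

if __name__ == "__main__":
    for (principal, kvno, enctype), g in summarize(keytab_misses(SAMPLE_LOG)).items():
        print(f"{principal} kvno={kvno} {enctype}: {g['count']} failures "
              f"({g['first']} .. {g['last']})")
```

Each output line names a principal and key version that clients presented tickets for but that the server's in-memory keytab did not contain.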
 