FreeNAS unable to find domain controllers

Status
Not open for further replies.

Dave Genton

Contributor
Joined
Feb 27, 2014
Messages
133
Ok, so FreeNAS with OpenLDAP via Apple's OS X Server Open Directory is abandoned after much investment, both in time and financially. To get back on track with this system I installed a 2012R2 Domain Controller for authentication, single sign-on etc. with FreeNAS in this location, knowing that in the past with 9.2.x it took only moments to get it AD connected. Well, "unable to find domain controllers" is as far as I can get, and searches come up with a bug, fixed, then another bug with the same symptoms, then resolved, only to find another one. Went from 2012 through Feb 2015, where the last bug was resolved in 9.3, yet I am seeing it still in the latest and greatest Stable release. While one bug ticket had someone missing a DNS IP address, that's not the case here: single VLAN, no dot1q encapsulation, very simple and elegant yet expensive Mac Pros and 3 VMware servers running against a beefy FreeNAS for NFS and iSCSI to VMware and AFP to all the Mac Pros. In Open Directory I can never get an imported certificate to show in the pop-down menu; it does in every other service menu, but not in directory services where it counts. Started 6pm yesterday, writing this as I leave with zero LDAP integration, which I sadly mistook for a couple of hours' work last night to complete. I think for the first time I am on the edge, with bugs striking down every attempt at everything lately: IPMI open for weeks, LDAP with Macs no go, now AD even flakier.

Pressure valve released, ready to plan a new attack, come back and get the system working. Anyone had any luck lately with the newest 9.3 stable getting directory services integration? OpenLDAP is still preferred with Apple due to the need for Profile Manager and some Mac Pro expenditures here to manage many Apple end devices, but I will do the magic triangle (AD, Open Directory, OS X Server) if I must so I can get some rest... Hell, if a nightly is working I'd take it at this point, but I can't find a bug for the past 2 months on the same thing, and honestly couldn't search much longer for it.
d-
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I have one box configured as AD member server with server 2012r2 DCs operating at a 2008r2 functional level. Works fine. Post your configuration. Details to include: log entries, samba config, networking config.
 

Norm Powroz

Cadet
Joined
Jun 3, 2015
Messages
9
Similar problem, although mine is on a fresh install of 9.3-STABLE. I have two domain controllers on my network -- primary is a 2012R2, secondary is a 2008 system. The domain functional level is 2008. Both domain controllers can be pinged from the FreeNAS server, and both can see the FreeNAS box via a ping. There is an entry in the DNS for the FreeNAS box. The FreeNAS server and the domain controllers all listen to the same time source, so they are clock-synchronized.

Every attempt to set up the domain controller access, by following the 9.3 documentation, fails with: "Unable to find domain controllers for my_domain.local."

Network config:
Hostname: freenas
Domain: my_domain.local
IPv4 Default Gateway: 10.x.x.x
Nameserver 1: 10.x.x.x
Nameserver 2: 10.x.x.x

Nameserver2 also happens to be one of the domain controllers (the 2012R2 one).

The debug.log shows:

freenas manage.py: [common.freenasldap:1061] FreeNAS_ActiveDirectory_Base.get_SRV_records: looking up SRV records for _ldap._tcp.dc._msdcs,mydomain.local
freenas manage.py: [common.freenasldap:1061] FreeNAS_ActiveDirectory_Base.get_SRV_records: no SRV records for _ldap._tcp.dc._msdcs,mydomain.local found, fail!

An NSLOOKUP from the FreeNAS server results in (although it has queried the correct server, which it found on its own):
*** Can't find _ldap._tcp.dc._msdcs.mydomain.local: No answer

If I run the same NSLOOKUP query from any Windows machine in my network, it works perfectly. Interestingly enough, running the NSLOOKUP from a different Linux system on the network failed with the same message. This leads me to think that there may be a problem with my Windows Domain Controllers and their DNS servers, but I haven't seen any signs of problems, and they all seem to be trundling along quite happily.

I guess at this point I'll take any advice to point me in the appropriate direction.
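A stdlib-only checker for the SRV lookup that fails above, added here as an example and not part of the original thread or of FreeNAS: it sends the same _ldap._tcp.dc._msdcs.<domain> query directly to one chosen nameserver (so each Nameserver entry can be tested on its own) and distinguishes an NXDOMAIN from an empty NOERROR reply, which is what nslookup prints as "No answer". The domain and nameserver arguments are placeholders you supply.

```python
import socket, struct
def build_srv_query(name, txid=0x1234):
    # Standard query, recursion desired, one question: <name> SRV (type 33) IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 33, 1)

def _read_name(msg, off):
    # Decode a possibly compressed DNS name; returns (name, offset just past it)
    labels = []
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    if msg[off] == 0:
        return ".".join(labels), off + 1
    ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF  # compression pointer
    labels.append(_read_name(msg, ptr)[0])
    return ".".join(labels), off + 2

def parse_srv_answers(msg):
    # Returns (rcode, [(priority, weight, port, target), ...]) sorted by priority, then weight
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + type + class)
        off = _read_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:  # SRV rdata: priority, weight, port, target name
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            records.append((prio, weight, port, _read_name(msg, off + 6)[0].lower()))
        off += rdlen
    return flags & 0xF, sorted(records)

def diagnose(rcode, records):
    # NXDOMAIN and an empty NOERROR reply both show as "Can't find" in nslookup but differ
    if rcode == 3:
        return "NXDOMAIN: this nameserver does not know the _msdcs name at all"
    if not records:
        return "No answer: no SRV records returned by this nameserver (rcode %d)" % rcode
    return "OK: %d domain controller(s) advertised" % len(records)

def find_domain_controllers(domain, nameserver, timeout=3.0):
    # Ask one nameserver directly for the record FreeNAS looks up in the debug.log above
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query("_ldap._tcp.dc._msdcs." + domain), (nameserver, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_answers(data)
```

Run it once per Nameserver entry from the network config; a nameserver that is not the AD DNS (or does not forward to it) will typically return the "No answer" or NXDOMAIN case while the DC itself returns the SRV list.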
 

billsey

Dabbler
Joined
Jun 3, 2015
Messages
36
If it's any consolation, I see the same results here. Any attempt at "nslookup _ldap._tcp.dc._msdcs.mydomain.local" works on the windows boxes and fails on the FreeNAS box.
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
Not sure if this will help or not, as I'm in a similar situation. Look under Directory -> Kerberos Realms and see if you have more than one entry here.

I originally didn't notice the difference on the services page with the 9.3 upgrade. I enabled Domain Controller, thinking it was to enable Active Directory integration like it had in the past. I read in the guide that this emulates an Active Directory structure on FreeNAS, and because I used the same information as my other AD domain, it couldn't find my records, much like the errors you are having.

I deleted the records there and restarted the process using the directory tab instead of the Domain Controller service configuration on the services page. I now get "the service started successfully" when I enable active directory.

Unfortunately, I'm still having problems getting 9.3 integrated with my 2008R2 functional level domain with 2 DCs. Now I'm getting:

STATUS=daemon 'winbindd' finished starting up and ready to serve connections Could not get unix ID for SID

And none of my users/groups are populated in freenas. What am I missing?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

FreeNAS servers should be configured simultaneously as a DC and as an AD member server. Post your /etc/local/smb4.conf.

A few other thoughts:
  • Active Directory requires DNS to be working correctly. It doesn't sound like it is in this case for the original user. Using the "best practices analyzer" on your windows server might help ID misconfigurations.
  • You can also go to "Directory" -> "Advanced" and manually enter the FQDN of "Domain Controller" and "Global Catalog Server".
  • Make sure your Idmap backend is set to "rid".
  • You might also want to check to make sure you don't have a GPO requiring signed ldap queries.
 

Norm Powroz

Cadet
Joined
Jun 3, 2015
Messages
9
Well, for some crazy reason mine now seems to be working, although I keep feeling like it's a little flaky (that being the technical term for its behaviour). I don't know what I did, but after an idle period of about 24 hours, I could suddenly find the UserIDs for my domain. However, that didn't survive a reboot (thus the flaky comment).

I have since been able to get it to reconnect, and I've assigned domain users to my shares. One thing I did notice is that clicking "Rebuild Directory Service Cache" followed by restarting the CIFS service seems to straighten things out when the connection gets lost.

I tried (mistakenly) to configure FreeNAS as a DC, and neatly trashed my AD instance on my Windows DC. Restoring all of that took more time than I wanted to invest in it.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554

Yeah, you have to be careful when doing things in an AD environment. In my younger years, I too was burned by some poor choices fueled by sleep-deprivation and screwed up a domain. As a matter of course now, I virtualize all my DCs and snapshot them before adding new servers / making changes, and of course do testing in a physically isolated testing environment (which you can probably set up using trial licenses of Windows server).

That being said, you should look at your winbind logs for clues about what may be going wrong with samba (/var/log/samba4/log.wb-*). You may need to increase logging verbosity. If there's nothing apparent in the logs, you can file a bug report.
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
I haven't had time to look into my issue any more until today. I don't want to hijack the thread, but being that it is a related issue I'll keep it here unless someone suggests otherwise.

Thanks @anodos for the info you've provided so far, but I'm a little confused on the advice provided here. Should FreeNAS be configured as a DC (as in enabling the DC service on FN)? If so, is there an order that this should take place (before or after configuring the directory service)? I currently have partial success, but I'm not sure where I'm going wrong. This was a fully working FreeNAS deployment with which I started experiencing problems after upgrading to 9.3 (from 9.2.1.6-RELEASE). Currently I'm seeing *some* of my AD users in the drop-down for my volumes, but not all of them. The three that I can see are the administrator account, the guest account and the krbtgt user account. I can also see about 11 group accounts (not all of them). I cannot access the volumes, regardless of the permissions set.

Any idea what may be missing here?
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
I just tried running through the wizard, and all of my users can be seen in the dropdown when setting up a share on an unused disk. After applying the changes, the volume/share is created but the permissions show root/wheel in the GUI afterwards. Also, the only time I can see all of the accounts in the dropdown is when using the wizard. In the standard GUI, they are not shown.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
Not sure if it helps or not, but I have this working on 3 FN servers (running 9.3). Double check Network -> General settings (hostname, domain and NS1, preferably your AD's primary DNS). And then under Directory Services -> Active Directory enter Domain Name, User, Password, NetBIOS (machine name w/o domain); encryption is off, realm is my domain name, timeouts are 10, idmap is RID, and SASL wrapping is plain. This is against a pair of Win2008R2s. Forward and reverse DNS need to be configured and reloaded.

I'm pretty sure that I just followed the docs.
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
Thanks for the reply. I'm trying that now, after doing a factory reset. One problem may have been that I restored a backup from an earlier version. Also, I was reading another post on using RID just as you posted. Mine had defaulted to AD.
 

Norm Powroz

Cadet
Joined
Jun 3, 2015
Messages
9
Based on an earlier comment, I took a look at the log.wb-* files in /var/log. One of them (wb-DOMAINNAME) is filled with:

[2015/06/12 23:55:00.145734, 1] ../source3/libeds/ldap_utils.c:91(ads_do_search_retry_internal)
Reducing LDAP page size from 1000 to 500 due to IO_TIMEOUT
[2015...
Reducing LDAP page size from 500 to 250 due to IO_TIMEOUT

And one of the others (wb-FREENAS) is filled with:
STATUS=daemon 'winbindd' finished starting up and ready to serve connectionsGot sig[15] terminate (is_parent=0)

No idea if these are good|bad, but I would assume neither of them indicates success.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It should be defaulting to RID. It may be worth posting another bug report regarding that. :D

Having it set to "AD" will definitely break things.
 

TravisT

Patron
Joined
May 29, 2011
Messages
297
So it does seem to default to RID after resetting to factory defaults. That setting was on AD after importing my configs from 9.2.1.6, so that may have been because of the version differences.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
This is a very common problem in upgrades from 9.2.x to 9.3. Once you set it to RID everything should start working.
 