SOLVED I can join, but not bind to Active Directory

dstewart51

Dabbler
Joined
Apr 2, 2019
Messages
12
Hello, after a few hours of troubleshooting I thought it best to ask for some help.

Trying to bind FreeNAS-11.2-U3 to Active Directory, it appears to join, but will not bind. I'm not able to see any of the AD users or groups in either the security settings or under the system users and groups. This was the same with 11.2-U2. I'll try to provide some of the debug info I have seen requested from similar threads.

When trying to Enable AD, I continually see this error:
[MiddlewareError: Active Directory start timed out after 90 seconds.]

However, it appears everything is joining properly:
wbinfo -t
checking the trust secret for domain ETMCORAD via RPC calls succeeded

wbinfo --ping-dc
checking the NETLOGON for domain[ETMCORAD] dc connection to "LAWILSHIRE-DC1.etmcorad.com" succeeded

wbinfo -i "etmcorad\dstewartxxx"
ETMCORAD\dstewartxxx:*:131419:20513::/home/ETMCORAD/dstewartxxx:/bin/sh

/etc/directoryservice/ActiveDirectory/ctl start
False
True
Join is OK
False
True

This is from the ad_verifier.py script found here: https://raw.githubusercontent.com/anodos325/samba_scripts/adverify_devel/not_samba/ad_verifier.py
python ad_verifier.py
10.21.68.5 is not a name server for AD domain etmcorad.com
10.21.60.133 is not a name server for AD domain etmcorad.com
10.21.0.133 is not a name server for AD domain etmcorad.com

Then running `net -k -d 3 ads join` shows this at the end:
Using short domain name -- ETMCORAD
Joined 'CAWBCFMMFS' to dns domain 'etmcorad.com'
added interface ix0 ip=192.168.0.2 bcast=192.168.0.3 netmask=255.255.255.252
added interface igb0 ip=10.21.68.20 bcast=10.21.71.255 netmask=255.255.252.0
retrying DNS update with next nameserver after receiving ERROR_DNS_CONNECTION_FAILED
DoDNSUpdate: signed update failed
DNS Update for cawbcfmmfs.etmcorad.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
return code = 0


So it appears there could be a DNS issue of some kind. Some pointers, hints, advice would be much appreciated, I'm not an AD guy.

dstewart51
Hi anodos!

Yes, I can see and list all the AD users `wbinfo -u`, of which there are 12,215 if that helps. The same with the groups `wbinfo -g`, 3,867.

smb4.conf:

[global]
server min protocol = SMB2_02
server max protocol = SMB3
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
private dir = /var/db/samba4/private
max open files = 939269
logging = file
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
obey pam restrictions = yes
ntlm auth = no
directory name cache size = 0
kernel change notify = no
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
lm announce = yes
hostname lookups = yes
time server = yes
acl allow execute always = true
dos filemode = yes
multicast dns register = yes
domain logons = no
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = member server
workgroup = ETMCORAD
realm = ETMCORAD.COM
security = ADS
client use spnego = yes
local master = no
domain master = no
preferred master = no
ads dns update = yes
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = no
winbind refresh tickets = yes
winbind nss info = rfc2307
idmap config ETMCORAD: backend = rid
idmap config ETMCORAD: range = 20000-90000000
allow trusted domains = no
client ldap sasl wrapping = sign
template shell = /bin/sh
template homedir = /home/%D/%U
netbios name = CAWBCFMMFS
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1


[Accounting]
path = "/mnt/tank/Accounting"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Apps]
path = "/mnt/tank/Apps"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare

[CBSIS]
path = "/mnt/tank/CBSIS"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Engineering]
path = "/mnt/tank/Engineering"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[HR]
; share name inferred from the path below; the section header was missing from the posted config
path = "/mnt/tank/HR"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Payroll]
path = "/mnt/tank/Payroll"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Promo]
path = "/mnt/tank/Promo"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Sales]
path = "/mnt/tank/Sales"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare

[Traffic]
path = "/mnt/tank/Traffic"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Users]
path = "/mnt/tank/Users"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Vault]
path = "/mnt/tank/Vault"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
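The idmap lines in the posted smb4.conf explain the numbers in the `wbinfo -i` output from the first post: with `idmap config ETMCORAD: backend = rid`, winbind derives a UNIX ID as the low end of the domain range plus the account's RID, so uid 131419 is RID 111419 and gid 20513 is RID 513, the Domain Users group. The following is an added example, not code from this thread or from FreeNAS/Samba, that parses the idmap settings, checks that the default `*` range and the domain range do not overlap (overlapping ranges make the SID-to-ID mapping ambiguous, and Samba's testparm reports them as an error), and decodes the posted wbinfo line back to its RIDs. The config excerpt and the wbinfo line are copied from the posts above; the well-known RID table uses Microsoft's documented values.

```python
import re
from typing import Dict, List, Tuple

# Added example, not from the thread or from Samba/FreeNAS.
# Constructed excerpt of the [global] section posted above (idmap lines only).
POSTED_GLOBAL = """
[global]
workgroup = ETMCORAD
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
idmap config ETMCORAD: backend = rid
idmap config ETMCORAD: range = 20000-90000000
"""

# Copy of the 'wbinfo -i' passwd line posted in the first post.
POSTED_WBINFO_LINE = r"ETMCORAD\dstewartxxx:*:131419:20513::/home/ETMCORAD/dstewartxxx:/bin/sh"

# Domain-relative RIDs documented by Microsoft for built-in AD principals.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+?)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>\S+)",
    re.MULTILINE | re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, dict]:
    """Collect 'idmap config <dom>: backend|range' lines into a dict keyed by domain ('*' is the default)."""
    idmap: Dict[str, dict] = {}
    for m in IDMAP_RE.finditer(conf):
        entry = idmap.setdefault(m.group("dom").upper(), {})
        if m.group("key").lower() == "range":
            low, high = (int(x) for x in m.group("val").split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = m.group("val").lower()
    return idmap


def check_idmap(idmap: Dict[str, dict]) -> List[str]:
    """Return configuration problems; an empty list means the ranges are usable."""
    problems: List[str] = []
    if "range" not in idmap.get("*", {}):
        problems.append("no default 'idmap config *: range' defined")
    ranges = [(dom, e["range"]) for dom, e in idmap.items() if "range" in e]
    for dom, (low, high) in ranges:
        if low >= high:
            problems.append(f"{dom}: range low {low} >= high {high}")
        if low < 1000:
            problems.append(f"{dom}: range starts below 1000 and collides with local system accounts")
    for i, (d1, (l1, h1)) in enumerate(ranges):
        for d2, (l2, h2) in ranges[i + 1:]:
            if l1 <= h2 and l2 <= h1:  # closed intervals intersect
                problems.append(f"ranges for {d1} and {d2} overlap")
    return problems


def rid_to_id(rid: int, rng: Tuple[int, int]) -> int:
    """idmap_rid mapping with base rid 0: ID = LOW + RID. A RID past the range is unmappable."""
    low, high = rng
    unix_id = low + rid
    if unix_id > high:
        raise ValueError(f"RID {rid} maps to {unix_id}, above range high {high}")
    return unix_id


def id_to_rid(unix_id: int, rng: Tuple[int, int]) -> int:
    """Inverse of rid_to_id; raises if the ID does not belong to the domain range."""
    low, high = rng
    if not low <= unix_id <= high:
        raise ValueError(f"{unix_id} is outside idmap range {low}-{high}")
    return unix_id - low


def explain_wbinfo(line: str, idmap: Dict[str, dict]) -> dict:
    """Decode a 'wbinfo -i' passwd line back to the RIDs winbind derived the uid/gid from."""
    name, _pw, uid, gid, _gecos, home, shell = line.split(":")
    domain, user = name.split("\\", 1)
    entry = idmap[domain.upper()]
    if entry.get("backend") != "rid":
        raise ValueError(f"{domain}: backend is {entry.get('backend')}, IDs are not RID-derived")
    user_rid = id_to_rid(int(uid), entry["range"])
    group_rid = id_to_rid(int(gid), entry["range"])
    return {
        "domain": domain, "user": user,
        "uid": int(uid), "user_rid": user_rid,
        "gid": int(gid), "group_rid": group_rid,
        "primary_group": WELL_KNOWN_RIDS.get(group_rid, f"RID {group_rid}"),
        "home": home, "shell": shell,
    }


if __name__ == "__main__":
    idmap = parse_idmap(POSTED_GLOBAL)
    for line in check_idmap(idmap) or ["idmap ranges OK"]:
        print(line)
    print(explain_wbinfo(POSTED_WBINFO_LINE, idmap))
```

Two things worth checking on any member server with this layout: the domain range must be wide enough that every RID the domain will ever issue stays below `high - low` (a new account whose RID falls outside the range gets no uid at all and shows up as an unowned file on the NAS), and the ranges must stay identical across every server that shares the same datasets, because the rid backend is deterministic only as long as `low` is the same everywhere.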
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Can you run the following command, then send the contents of /var/log/middlewared.log?

`midclt call service.start activedirectory`

NOTE: this will cause a service disruption, and in your environment it may take upwards of 5-10 minutes.

dstewart51
Thanks for looking into this with me anodos, this problem is preventing us from deploying three 140TB systems. We can't apply any security to the shares or files, at least not via the UI.

CAWBCFMMFS# midclt call service.start activedirectory
True

/var/log/middlewared.log is attached.

Attachments

  • middlewared.log.txt (78 KB)

dstewart51
Here is a cleaner log, only the lines output by running the command above.

Attachments

  • middlewared.log.txt (8.1 KB)

anodos
It looks like the server joined AD just fine. What symptoms are you seeing? If you run `python /usr/local/www/freenasui/tools/cachetool.py dump` do you see your AD users?

Even if the cache is failing to fill properly, you should be able to manually specify usernames in the UI by typing "DOMAIN\username" and pressing enter. Likewise, if you create a share without setting permissions, you can use a domain admin user to take ownership of the share via the security tab in file explorer and set permissions through windows (this should be done prior to data migration).

dstewart51
I do not see the AD users running cachetool.py, output attached. Confirmed, I can manually type in "DOMAIN\user" in the User field. Did not know I could type it in there :) I'll have to copy over some files and further test permissions.

Attachments

  • cachetool.py dump.txt (9.8 KB)

anodos
It seems like you probably have directory service caching turned off (which is a good idea in large environments). In 11.3 I'm reworking how the DS caching works to improve scalability. We'll populate the FreeNAS cache with the contents of the winbindd resolver cache rather than performing LDAP queries to the AD DC.

dstewart51
Yes, it appears to just be a UI issue that was throwing me off. In the process of copying over some data now and will test permissions, but it looks good so far!

I'll mark this as solved for now, since my original suspicions were disproven.