Fab Sidoli (Contributor, joined May 15, 2019, 114 messages)
Hi All,
I'm having great difficulty configuring the AD directory service and require some help sorting this out.
I had a working 11.2-U7 box that I upgraded to 11.3 and things broke from there. I have also tried a fresh install of 11.3 in case the cause was a db issue created during the upgrade path.
I was using encryption with SASL wrapping set to seal. I also had the idmap backend set to AD and SFU set for NSS info and IDMAP schema mode.
Under 11.3 my previously working certificates get rejected with one of two errors:
"Certificate matching query does not exist.
Error: Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
io_thread=False)
File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
return await methodobj(*args)
File "/usr/local/lib/python3.7/site-packages/middlewared/service.py", line 302, in update
f'{self._config.namespace}.update', self, self.do_update, [data]
File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
return await methodobj(*args)
File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 960, in nf
return await f(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 856, in do_update
{'prefix': 'ad_'}
File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1127, in call
app=app, pipes=pipes, job_on_progress_cb=job_on_progress_cb, io_thread=True,
File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1091, in _call
return await run_method(methodobj, *args)
File "/usr/local/lib/python3.7/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
File "/usr/local/lib/python3.7/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 964, in nf
return f(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/datastore.py", line 302, in update
data[name] = field.rel.to.objects.get(pk=data[name]) if data[name] is not None else None
File "/usr/local/lib/python3.7/site-packages/django/db/models/manager.py", line 85, in manager_method
return getattr(self.get_queryset(), name)(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/django/db/models/query.py", line 385, in get
self.model._meta.object_name
freenasUI.system.models.DoesNotExist: Certificate matching query does not exist."
or
"Certificate matching query does not exist.
Error: Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
io_thread=False)
File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
return await methodobj(*args)
File "/usr/local/lib/python3.7/site-packages/middlewared/service.py", line 302, in update
f'{self._config.namespace}.update', self, self.do_update, [data]
File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
return await methodobj(*args)
File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 960, in nf
return await f(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 856, in do_update
{'prefix': 'ad_'}
File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1127, in call
app=app, pipes=pipes, job_on_progress_cb=job_on_progress_cb, io_thread=True,
File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1091, in _call
return await run_method(methodobj, *args)
File "/usr/local/lib/python3.7/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
File "/usr/local/lib/python3.7/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 964, in nf
return f(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/datastore.py", line 302, in update
data[name] = field.rel.to.objects.get(pk=data[name]) if data[name] is not None else None
File "/usr/local/lib/python3.7/site-packages/django/db/models/manager.py", line 85, in manager_method
return getattr(self.get_queryset(), name)(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/django/db/models/query.py", line 385, in get
self.model._meta.object_name
freenasUI.system.models.DoesNotExist: Certificate matching query does not exist."
Having put these certs in from scratch I know they do exist.
At the moment I would just like to nuke my AD settings altogether and start again but I'm not sure how to do this. I can't do it through the UI and I can't do it via the CLI.
# net -k ads leave
No realm set, are we joined ?
# net ads join -U domainuser
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.
<><>< Some other info that may be useful ><><>
I can do a kinit
# kinit domainuser
domainuser@DOMAINS's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: domainuser@DOMAIN
Issued Expires Principal
Feb 21 13:16:19 2020 Feb 21 23:16:19 2020 krbtgt/DOMAIN@DOMAIN
# wbinfo -t
checking the trust secret for domain LCN via RPC calls failed
wbcCheckTrustCredentials(LCN): error code was NT_STATUS_NO_SUCH_DOMAIN (0xc00000df)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
# ping domain
PING domain (IP): 56 data bytes
64 bytes from IP: icmp_seq=0 ttl=128 time=0.335 ms
64 bytes from IP: icmp_seq=1 ttl=128 time=0.088 ms
Please let me know what other debugging information would be useful.
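The traceback above ends in the datastore resolving a foreign-key field with `objects.get(pk=data[name])` and raising DoesNotExist: the certificate id submitted with the AD update has no matching certificate row, regardless of which certificates are visible in the UI. The following is an added example, not code from the post or from FreeNAS, that models that lookup against a constructed in-memory SQLite database and adds a check for dangling certificate references. The table and column names (system_certificate, directoryservice_activedirectory, ad_certificate_id) are assumptions for illustration, not FreeNAS's real schema.

```python
import sqlite3

# Constructed in-memory stand-in for a config database. Table and column
# names are assumptions for illustration only, not the real FreeNAS schema.
SCHEMA = """
CREATE TABLE system_certificate (
    id INTEGER PRIMARY KEY,
    cert_name TEXT NOT NULL
);
CREATE TABLE directoryservice_activedirectory (
    id INTEGER PRIMARY KEY,
    ad_domainname TEXT NOT NULL,
    ad_certificate_id INTEGER   -- nullable reference to system_certificate.id
);
"""


class DoesNotExist(Exception):
    """Mirrors the ORM exception shown in the traceback."""


def get_certificate(conn, pk):
    """Equivalent of Certificate.objects.get(pk=pk): exactly one row, or raise."""
    row = conn.execute(
        "SELECT id, cert_name FROM system_certificate WHERE id = ?", (pk,)
    ).fetchone()
    if row is None:
        raise DoesNotExist("Certificate matching query does not exist.")
    return {"id": row[0], "name": row[1]}


def resolve_ad_update(conn, data):
    """Resolve the FK field the way the datastore update does:
    None stays None, any other value must match an existing certificate row."""
    resolved = dict(data)
    cert_id = data.get("ad_certificate_id")
    resolved["ad_certificate"] = (
        get_certificate(conn, cert_id) if cert_id is not None else None
    )
    return resolved


def update_error(conn, data):
    """Return the error message an update would fail with, or None if it resolves."""
    try:
        resolve_ad_update(conn, data)
    except DoesNotExist as exc:
        return str(exc)
    return None


def find_dangling_certificate_refs(conn):
    """List AD config rows whose ad_certificate_id points at no certificate.
    This is the pre-check to run before submitting an update."""
    rows = conn.execute(
        """
        SELECT a.id, a.ad_domainname, a.ad_certificate_id
        FROM directoryservice_activedirectory a
        LEFT JOIN system_certificate c ON c.id = a.ad_certificate_id
        WHERE a.ad_certificate_id IS NOT NULL AND c.id IS NULL
        """
    ).fetchall()
    return [{"id": r[0], "domain": r[1], "certificate_id": r[2]} for r in rows]


def build_demo_db():
    """Constructed sample data: the AD row still references certificate 2,
    which no longer exists (the re-imported certificate received id 3)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO system_certificate VALUES (1, 'freenas_default')")
    conn.execute("INSERT INTO system_certificate VALUES (3, 'ad_ldaps_reimported')")
    conn.execute("INSERT INTO directoryservice_activedirectory VALUES (1, 'DOMAIN', 2)")
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("dangling references:", find_dangling_certificate_refs(db))
    print("update with stale id 2 ->", update_error(db, {"ad_certificate_id": 2}))
    print("update with id 3 ->", resolve_ad_update(db, {"ad_certificate_id": 3})["ad_certificate"])
```

The point of `find_dangling_certificate_refs` is that it answers the question the error message does not: which stored id is stale. Re-importing a certificate gives it a new primary key, so the AD configuration has to be re-pointed at the new row (or cleared to None) rather than left referencing the old id.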