SOLVED Scale Active Directory issue - unexpected realm

Marc Lachapelle

Dabbler
Joined
May 22, 2022
Messages
20
Hi, I was able to join my domain when I was using CORE. I currently use TrueNAS-SCALE-22.12.0. I have 3 redundant ADs, and they are on the same subnet as my TrueNAS SCALE. I can ping all my 3 ADs and

# host -t srv _ldap._tcp.mydomain.lan returns:

_ldap._tcp.mydomain.lan has SRV record 0 0 389 ws2k22-dc02.mydomain.lan.
_ldap._tcp.mydomain.lan has SRV record 0 0 389 ws2k22-dc01.mydomain.lan.
_ldap._tcp.mydomain.lan has SRV record 0 0 389 ws2k22-dc03.mydomain.lan.

# kinit truenas-AD@MYDOMAIN.LAN works properly

If I test using Samba, net ads lookup -S ws2k22-dc03.mydomain.lan returns:

Information for Domain Controller: 192.168.xxx.xxx

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: 3b7c3080-3efb-42bf-b346-e50cca5432e9
Flags:
Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: yes
Runs Active Directory Web Services: yes
Runs on Windows 2012 or later: yes
Forest: mydomain.lan
Domain: mydomain.lan
Domain Controller: ws2k22-dc03.mydomain.lan
Pre-Win2k Domain: MYDOMAIN
Pre-Win2k Hostname: WS2K22-DC03
Server Site Name: MySite
Client Site Name: MySite
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

[attachment: 1-Screenshot 2023-01-02 185056.png]



# midclt call activedirectory.start
# midclt call core.get_jobs '[["method", "=", "activedirectory.start"]]' | jq
returns


"error": "[EFAULT] kinit with password failed: kinit: Cannot find KDC for realm \"WS2K22-DC01.MYDOMAIN.LAN\" while getting initial credentials\n",
"exception": "Traceback (most recent call last):\n File \"/usr/lib/python3/dist-packages/middlewared/job.py\", line 426, in run\n await self.future\n File \"/usr/lib/python3/dist-packages/middlewared/job.py\", line 461, in __run_body\n rv = await self.method(*([self] + args))\n File \"/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py\", line 597, in start\n await self.middleware.call('kerberos.start')\n File \"/usr/lib/python3/dist-packages/middlewared/main.py\", line 1306, in call\n return await self._call(\n File \"/usr/lib/python3/dist-packages/middlewared/main.py\", line 1255, in _call\n return await methodobj(*prepared_call.args)\n File \"/usr/lib/python3/dist-packages/middlewared/plugins/kerberos.py\", line 643, in start\n await asyncio.wait_for(self._kinit(), timeout=kinit_timeout)\n File \"/usr/lib/python3.9/asyncio/tasks.py\", line 481, in wait_for\n return fut.result()\n File \"/usr/lib/python3/dist-packages/middlewared/plugins/kerberos.py\", line 442, in _kinit\n await self.do_kinit({'krb5_cred': cred})\n File \"/usr/lib/python3/dist-packages/middlewared/schema.py\", line 1284, in nf\n return await func(*args, **kwargs)\n File \"/usr/lib/python3/dist-packages/middlewared/plugins/kerberos.py\", line 402, in do_kinit\n raise CallError(f\"kinit with password failed: {output[1].decode()}\")\nmiddlewared.service_exception.CallError: [EFAULT] kinit with password failed: kinit: Cannot find KDC for realm \"WS2K22-DC03.MYDOMAIN.LAN\" while getting initial credentials\n\n",
"exc_info": {
"repr": "CallError('kinit with password failed: kinit: Cannot find KDC for realm \"WS2K22-DC03.MYDOMAIN.LAN\" while getting initial credentials\\n')",
"type": "CallError",
"extra": null
},

Here is an extract from my /etc/krb5.conf

[domain_realm]
mydomain.lan = MYDOMAIN.LAN
.mydomain.lan = MYDOMAIN.LAN
MYDOMAIN.LAN = MYDOMAIN.LAN
.MYDOMAIN.LAN = MYDOMAIN.LAN

[realms]
MYDOMAIN.LAN = {
default_domain = MYDOMAIN.LAN
kdc = ws2k22-dc03.mydomain.lan
admin_server = ws2k22-dc03.mydomain.lan
kpasswd_server = ws2k22-dc03.mydomain.lan
}


What can I do next? Is it possible to use a procedure like the Ubuntu manual AD join? What would be the next step?


Thanks
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
The message below seems to indicate some confusion on the "realm name"

cannot find KDC for realm \"WS2K22-DC03.MYDOMAIN.LAN\"
 

Marc Lachapelle


I agree, but not only did I do everything by the book (https://www.truenas.com/docs/scale/scaletutorials/credentials/directoryservices/configadscale/), I also tried using only the domain name. In addition, the realm is correct in the UI.

[attachment: 1-Screenshot 2023-01-02 185056.png]


and it is also OK in the Kerberos config file

Is there something else I can provide?

If I were a decent Python programmer I would look and see if the script grabs the wrong field, e.g. "Domain Name" instead of "Kerberos Realm", somewhere ...
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
As I said, this is failing because you are populating "Domain Name" with an incorrect value (your domain controller's hostname). It should be identical to what you populated for the kerberos realm. In fact, kerberos information is auto-detected and auto-populated if you leave it blank.

In Active Directory, your kerberos realm and domain name are identical.
 

anodos

You are misreading the example. "AD02.LAB.IXSYSTEMS.COM" is the domain / realm name. In the example you don't see the DC name, which could be something like "DC01.AD02.LAB.IXSYSTEMS.COM".
 

Marc Lachapelle

Yup, I agree in principle, but when populating "Domain Name" with "mydomain.lan" I get "Failed to discover Active Directory Domain Controller for domain. This may indicate a DNS misconfiguration." I was not expecting to have to provide the DC instead of the domain until I saw these 2 screens:

[attachment: 2-Screenshot 2023-01-02 200805.png]


Here we see that ad02.lab.ixsystems.com is a host name but it is used as the domain name

[attachment: 3-Screenshot 2023-01-02 200735.png]


ref: https://www.truenas.com/docs/scale/scaletutorials/credentials/directoryservices/configadscale/
 

Marc Lachapelle

Hmm, there is something I do not understand then: how can we ping a domain?

[attachment: 2-Screenshot 2023-01-02 200805.png]


And if I only use mydomain.lan then I get "Failed to discover Active Directory Domain Controller for domain. This may indicate a DNS misconfiguration". I assume my domain is set OK because:

- host -t srv _ldap._tcp.mydomain.lan works
- kinit truenas-AD@MYDOMAIN.LAN works too
 

anodos

Humm there is something I do not understand then: how can we ping a domain?

Because DNS.
Code:
root@truenas[~]# dig BILLY.GOAT

; <<>> DiG 9.16.27-Debian <<>> BILLY.GOAT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64295
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;BILLY.GOAT.            IN    A

;; ANSWER SECTION:
BILLY.GOAT.        600    IN    A    192.168.0.60
BILLY.GOAT.        600    IN    A    192.168.0.59

;; Query time: 0 msec
;; SERVER: 192.168.0.59#53(192.168.0.59)
;; WHEN: Mon Jan 02 18:02:37 PST 2023
;; MSG SIZE  rcvd: 71


This is my home domain:
Code:
root@truenas[~]# midclt call activedirectory.domain_info | jq
{
  "LDAP server": "192.168.0.59",
  "LDAP server name": "DC01.BILLY.GOAT",
  "Realm": "BILLY.GOAT",
  "Bind Path": "dc=BILLY,dc=GOAT",
  "LDAP port": 389,
  "Server time": 1672711448,
  "KDC server": "192.168.0.59",
  "Server time offset": 1,
  "Last machine account password change": 1672421314
}

I'm currently communicating with DC01.BILLY.GOAT. My realm is BILLY.GOAT.

If I go for more specific DC-related info:
Code:
root@truenas[~]# midclt call activedirectory.lookup_dc | jq  
{
  "Information for Domain Controller": "192.168.0.60",
  "Response Type": "LOGON_SAM_LOGON_RESPONSE_EX",
  "GUID": "d12f596f-27c5-4e5e-8d97-1853ca6103fc",
  "Forest": "BILLY.GOAT",
  "Domain": "BILLY.GOAT",
  "Domain Controller": "DC02.BILLY.GOAT",
  "Pre-Win2k Domain": "BILLY",
  "Pre-Win2k Hostname": "DC02",
  "Server Site Name": "Default-First-Site-Name",
  "Client Site Name": "Default-First-Site-Name",
  "NT Version": 5,
  "LMNT Token": 65535,
  "LM20 Token": 65535,
  "Flags": {
    "Is a PDC": false,
    "Is a GC of the forest": true,
    "Is an LDAP server": true,
    "Supports DS": true,
    "Is running a KDC": true,
    "Is running time services": true,
    "Is the closest DC": true,
    "Is writable": true,
    "Has a hardware clock": false,
    "Is a non-domain NC serviced by LDAP server": false,
    "Is NT6 DC that has some secrets": false,
    "Is NT6 DC that has all secrets": true,
    "Runs Active Directory Web Services": true,
    "Runs on Windows 2012 or later": true
  }
}


You can see my Forest is BILLY.GOAT and my Domain is BILLY.GOAT.

I should be able to dig kerberos SRV records for my domain:
Code:
root@truenas[~]# dig srv _kerberos._tcp.dc._msdcs.billy.goat.

; <<>> DiG 9.16.27-Debian <<>> srv _kerberos._tcp.dc._msdcs.billy.goat.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36980
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._tcp.dc._msdcs.billy.goat. IN    SRV

;; ANSWER SECTION:
_kerberos._tcp.dc._msdcs.billy.goat. 600 IN SRV    0 100 88 dc01.billy.goat.
_kerberos._tcp.dc._msdcs.billy.goat. 600 IN SRV    0 100 88 dc02.billy.goat.

;; ADDITIONAL SECTION:
dc01.billy.goat.    3600    IN    A    192.168.0.59
dc02.billy.goat.    3600    IN    A    192.168.0.60

;; Query time: 0 msec
;; SERVER: 192.168.0.59#53(192.168.0.59)
;; WHEN: Mon Jan 02 18:08:35 PST 2023
;; MSG SIZE  rcvd: 166
 

Marc Lachapelle

Hello. Thanks for your help. Nowhere in your explanation do I see the ping command that can be seen in

[attachment: 2-Screenshot 2023-01-02 200805.png]


This is one of the reasons why I used one of my DC hostnames. I totally agree that it should be a domain name and not a hostname. I will consider that a typo in the documentation.

I am familiar with dig. Here it is:

root@truenas[/etc]# dig mydomain.lan

; <<>> DiG 9.16.27-Debian <<>> mydomain.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37031
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;mydomain.lan. IN A

;; AUTHORITY SECTION:
mydomain.lan. 3600 IN SOA ws2k22-dc01.mydomain.lan. hostmaster.mydomain.lan. 13865 900 600 86400 3600

;; Query time: 4 msec
;; SERVER: 192.168.168.25#53(192.168.168.25)
;; WHEN: Mon Jan 02 21:11:52 EST 2023
;; MSG SIZE rcvd: 106

Note: all my 3 DCs are redundant and I used dc03 because it is currently the PDC. As we can see, dc01 is the master of the DNS.


I also tested the Kerberos command kinit and it works:
kinit truenas-AD@MYDOMAIN.LAN
This leads me to think that the realm "MYDOMAIN.LAN" is OK.



I also tried "midclt call activedirectory.domain_info | jq" but it failed. I assume it is because I am not joined to my domain.

If it helps I was able to use the LDAP directory service.

Thanks again, Marc
 

Marc Lachapelle

Another detail I forgot to mention: it was working on CORE, and it worked on SCALE when I upgraded. I had to re-install SCALE and then .... :confused:
 

anodos

Nowhere in your explanation I see the command ping as can be seen
Hmm... thought that would be self-evident from the dig results. My DCs respond to ICMP echo request:
Code:
root@truenas[/mnt/dozer/middleware/src/middlewared]# ping BILLY.GOAT
PING BILLY.GOAT (192.168.0.59) 56(84) bytes of data.
64 bytes from DC01.BILLY.GOAT (192.168.0.59): icmp_seq=1 ttl=128 time=1.22 ms
64 bytes from DC01.BILLY.GOAT (192.168.0.59): icmp_seq=2 ttl=128 time=1.15 ms


I will consider that a a typo in the documentation
Not a typo per se. Just not useful advice, and maybe confusing since there's no context about the internal setup of this particular test domain.

midclt call activedirectory.domain_info | jq failed
You can append the domain name to that command:
Code:
root@truenas[/mnt/dozer/middleware/src/middlewared]# midclt call activedirectory.domain_info BILLY.GOAT | jq
{
  "LDAP server": "192.168.0.60",
  "LDAP server name": "DC02.BILLY.GOAT",
  "Realm": "BILLY.GOAT",
  "Bind Path": "dc=BILLY,dc=GOAT",
  "LDAP port": 389,
  "Server time": 1672715334,
  "KDC server": "192.168.0.60",
  "Server time offset": 1,
  "Last machine account password change": 1672421314
}

If you can't do that then you have DNS configuration issues.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
In AD you must use the domain controllers as DNS servers, or some server that serves the domain's DNS zone by being a secondary. That's a way to cache that information, e.g. at a remote location, without running a full DC there.

But stick to the DCs first.

Then it is also a requirement that the domain name without an additional host part resolves to the IP addresses of the DCs. That's how the discovery of the domain works. AD takes care of that, that's not a step you have to configure manually. That's why ping with the domain name works.

Nowadays most enterprises use domains like "bigcorp.lan", but when this "Internet" thing became a thing many had "bigcorp.com" as their AD domain and were quite annoyed that you could not reach the externally hosted company web site at http://bigcorp.com. The reason should now be obvious.
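The checks anodos and Patrick describe above (realm equals the upper-cased domain name, the domain publishes AD SRV records, the "domain" is not really a DC hostname, and the bare domain name resolves to DC addresses), written up as an offline script. This is an added example, not part of the thread and not TrueNAS middleware code: the lookup callable, the ZONE records and the 192.168.168.2x addresses for mydomain.lan are constructed; the real zone would be queried through a resolver such as dnspython.

```python
# Added example (not TrueNAS middleware code): DNS access is injected as a
# lookup(name, rrtype) callable, so it runs offline against constructed records;
# in practice back it with a real resolver (e.g. dnspython's dns.resolver.resolve).
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]  # (owner name, rrtype) -> rdata strings

def srv_targets(lookup: Lookup, name: str) -> List[str]:
    """Target hostnames from SRV rdata 'prio weight port target.' (empty if none)."""
    return [r.split()[-1].rstrip(".").lower() for r in lookup(name, "SRV")]

def check_ad_dns(domain: str, realm: str, lookup: Lookup) -> List[str]:
    """Return the problems found; an empty list means every check passed."""
    domain = domain.rstrip(".").lower()
    problems: List[str] = []
    # In AD the Kerberos realm is the domain name in upper case.
    if realm != domain.upper():
        problems.append(f"realm {realm!r} differs from domain {domain.upper()!r}")
    # SRV records are how clients (and the TrueNAS middleware) discover DCs.
    dc_hosts = set()
    for name in (f"_ldap._tcp.{domain}", f"_kerberos._tcp.dc._msdcs.{domain}"):
        targets = srv_targets(lookup, name)
        if not targets:
            problems.append(f"no SRV records at {name}")
        dc_hosts.update(targets)
    if not dc_hosts:
        if lookup(domain, "A"):  # resolves like a host but publishes nothing like a domain
            problems.append(f"{domain!r} looks like a DC hostname, not the domain name")
        return problems
    # The bare domain name must itself resolve to DC addresses (what 'ping domain' tests).
    dc_ips = {ip for host in dc_hosts for ip in lookup(host, "A")}
    apex_ips = set(lookup(domain, "A"))
    if not apex_ips:
        problems.append(f"{domain} has no A record, so 'ping {domain}' and discovery fail")
    elif not apex_ips <= dc_ips:
        problems.append(f"apex A records {sorted(apex_ips - dc_ips)} are not DC addresses")
    return problems

# Constructed records modelled on the thread: billy.goat is complete, while
# mydomain.lan lacks the apex A record that turned out to be missing.
# The 192.168.168.2x addresses are made up for this example.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_ldap._tcp.billy.goat", "SRV"): ["0 100 389 dc01.billy.goat.", "0 100 389 dc02.billy.goat."],
    ("_kerberos._tcp.dc._msdcs.billy.goat", "SRV"): ["0 100 88 dc01.billy.goat.", "0 100 88 dc02.billy.goat."],
    ("dc01.billy.goat", "A"): ["192.168.0.59"],
    ("dc02.billy.goat", "A"): ["192.168.0.60"],
    ("billy.goat", "A"): ["192.168.0.59", "192.168.0.60"],
    ("_ldap._tcp.mydomain.lan", "SRV"): [f"0 0 389 ws2k22-dc0{i}.mydomain.lan." for i in (1, 2, 3)],
    ("_kerberos._tcp.dc._msdcs.mydomain.lan", "SRV"): [f"0 100 88 ws2k22-dc0{i}.mydomain.lan." for i in (1, 2, 3)],
    **{(f"ws2k22-dc0{i}.mydomain.lan", "A"): [f"192.168.168.2{i}"] for i in (1, 2, 3)},
}

def zone_lookup(name: str, rrtype: str) -> List[str]:
    """Stand-in resolver over ZONE; no network access."""
    return ZONE.get((name.rstrip(".").lower(), rrtype), [])
```

Running check_ad_dns("mydomain.lan", "MYDOMAIN.LAN", zone_lookup) reports only the missing apex A record, while passing the DC hostname as the domain reproduces the realm mismatch seen in the kinit error.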
 

Marc Lachapelle

Hi Patrick,

Thanks for your help. My DCs (3 of them) are also DNS servers. I run 3 Win22K ADs (and DNS)

But .... I have to check the second requirement, "domain name without an additional host part resolves to the IP addresses of the DCs". I need to double check, but I think you have found it. When I ping my domain without a hostname (ping mydomain.lan) nothing happens ...

Now I know where to look, and if it works it would be another proof that it is ALWAYS the DNS :smile:

Thanks, now I know where to look for ... I need to make sure I can ping the domain not just the hosts

Thanks Patrick, Your clear explanation shows that you really deserve your "Hall of Famer" status.
 

Marc Lachapelle

Hello again and thanks Patrick,

You were right. There was one missing record in my DNS, this one

[attachment: 5-Screenshot 2023-01-03 121918.png]


Adding this record allowed me to ping my domain (before, I could ping only my hosts). I used this link to fix my issue: https://serverfault.com/questions/4...domain-local-but-can-ping-server-domain-local

This is the first time this missing record causes me an issue.

What threw me off guard is that the advanced section allows you to specify a realm, and the error message was mentioning a different realm. Even if I specified the Kerberos realm as MYDOMAIN.LAN, the realm shown in the error logs was the realm version of the domain name.

[attachment: 1-Screenshot 2023-01-02 185056.png]


Now, after adding the DNS entry and changing ws2k22-dc01.mydomain.lan to mydomain.lan, I have:

[attachment: 4-Screenshot 2023-01-03 121012.png]




Patrick and anodos, thank you both for your help. I tried to document what I have done to fix my issue in the hope it would help others. If you have questions please DM me.

And as we say often: "It was the DNS" :smile:
 