TrueNAS 13.0-U3.1 can not join Windows Active Directory Server 2022

derlucas

Dabbler
Joined
Dec 8, 2022
Messages
11
I have a Server which we joined into a Windows Server 2019 Domain (the Domain Services Function Level is 2016). All was working fine, but we need to change the TrueNAS Server to another Domain/Server/Forest. First I tried to delete the AD configuration from the system, but it turns out (as mentioned here in the forums) that installing fresh is the way to go.

So I installed a fresh 13.3-U3.1.iso onto the system. I made sure the timezone is the same as my DC (UTC) and the times are the same. I checked DNS, all working fine.
When joining the Domain (it is also a freshly installed Windows Server 2022 server with AD Services Function Level 2016) I get an error:

Code:
[EFAULT] activedirectory_update: Failed to validate domain configuration: 'NTSTATUSError' object is not subscriptable


Code:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 211, in _do_cldap
    cldap_ret = self.netctx.finddc(
samba.NTSTATUSError: (3221226045, 'The remote system is not reachable by the transport.')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 547, in do_update
    await self.middleware.run_in_thread(self.check_clockskew, new)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1154, in run_in_thread
    return await self.run_in_executor(self.thread_pool_executor, method, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1151, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 827, in check_clockskew
    pdc = ActiveDirectory_Conn(conf=ad, logger=self.logger).get_pdc()
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 240, in get_pdc
    cldap_ret = self._do_cldap()
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 222, in _do_cldap
    f"failed with error: {e[1]}.")
TypeError: 'NTSTATUSError' object is not subscriptable

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 139, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1235, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/service.py", line 387, in update
    rv = await self.middleware._call(
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1235, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 975, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 553, in do_update
    raise ValidationError(
middlewared.service_exception.ValidationError: [EFAULT] activedirectory_update: Failed to validate domain configuration: 'NTSTATUSError' object is not subscriptable

So I checked the "Allow Trusted Domains" box and tried again. Then a small progress window comes up, but eventually this error shows:

Code:
'NTSTATUSError' object is not subscriptable


Code:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 211, in _do_cldap
    cldap_ret = self.netctx.finddc(
samba.NTSTATUSError: (3221226045, 'The remote system is not reachable by the transport.')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 355, in run
    await self.future
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 391, in __run_body
    rv = await self.method(*([self] + args))
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 671, in start
    new_site = await self.middleware.call('activedirectory.get_site')
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1278, in call
    return await self._call(
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1246, in _call
    return await self.run_in_executor(prepared_call.executor, methodobj, *prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1151, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 1299, in get_site
    site = ActiveDirectory_Conn(conf=ad, logger=self.logger).get_site()
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 236, in get_site
    cldap_ret = self._do_cldap()
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 222, in _do_cldap
    f"failed with error: {e[1]}.")
TypeError: 'NTSTATUSError' object is not subscriptable

The 2022 Server AD also has a PKI installed, and AD/LDAP is also available via SSL.

I unchecked "Enable" to have my settings at least stored, then went to System->CAs and imported the RootCA Certificate from the DC PKI.

Went back to the Active Directory menu and tried to enable it; it makes no difference. Same error message.

So to make sure, I installed two virtual machines with TrueNAS Core 13.0-U3.1 on my hypervisor. I did the same basic configuration with timezone and DNS checks.
I joined one of the servers into the old AD without problems, but I get the same error when trying to join the other VM into the new Domain.

I'm not entirely sure why I have that problem or what's causing it. One notable difference however is that one is Windows Server 2019 and one is 2022.

Does someone have an idea how to get that working?
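The two stacked tracebacks above show a second bug hiding the first: netctx.finddc() raised samba.NTSTATUSError with (3221226045, 'The remote system is not reachable by the transport.'), and the handler in _do_cldap then crashed on e[1], because an exception object is not subscriptable; the status tuple lives in e.args. As an added illustration (constructed stand-in classes, not middlewared or Samba code), here is that handler shape beside one that surfaces the NTSTATUS in its usual hex form: 3221226045 is 0xC000023D, NT_STATUS_HOST_UNREACHABLE, which is the value worth searching for and the real symptom in this thread.

```python
"""Stand-in for the error path in the tracebacks above: the real NTSTATUS from
finddc() is lost because the handler indexes the exception object itself."""


class NTSTATUSError(Exception):
    """Constructed stand-in for samba.NTSTATUSError: args == (code, message)."""


def finddc_stub():
    """Constructed stand-in for netctx.finddc() failing the way the log shows."""
    raise NTSTATUSError(3221226045, "The remote system is not reachable by the transport.")


def do_cldap_as_logged():
    """Mirrors the handler shape in the traceback: e[1] is itself a TypeError."""
    try:
        return finddc_stub()
    except NTSTATUSError as e:
        raise RuntimeError(f"failed with error: {e[1]}.")


def nt_status_hex(code):
    """NTSTATUS values are 32-bit; a leading 0xC means error severity."""
    return f"0x{code & 0xFFFFFFFF:08X}"


def do_cldap_reporting_status():
    """Same call, but reads the (code, message) tuple from e.args and chains the cause."""
    try:
        return finddc_stub()
    except NTSTATUSError as e:
        code, message = e.args
        raise RuntimeError(f"CLDAP ping failed with {nt_status_hex(code)}: {message}") from e


def visible_error(fn):
    """Run fn and return the one-line error text a user would actually see."""
    try:
        fn()
    except Exception as exc:
        return f"{type(exc).__name__}: {exc}"
    return "ok"


if __name__ == "__main__":
    print(visible_error(do_cldap_as_logged))
    print(visible_error(do_cldap_reporting_status))
```

The first call reproduces the "'NTSTATUSError' object is not subscriptable" text from the tracebacks; the second reports the transport-unreachable status that the middleware was actually hitting.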
 

derlucas

Dabbler
Joined
Dec 8, 2022
Messages
11
Hey, thanks for your reply. Sorry for my late answer, I do not work for that customer every weekday.

So could you please explain with a bit more detail what logs you need?
 

derlucas

Dabbler
Joined
Dec 8, 2022
Messages
11
In that file there are no new lines when I try to enable the AD integration:


[2022/12/14 14:21:34] (DEBUG) EtcService.generate():445 - No new changes for /etc/local/ssh/sshd_config
[2022/12/14 14:21:34] (DEBUG) EtcService.generate():445 - No new changes for /etc/pam.d/sshd
[2022/12/14 14:21:34] (DEBUG) EtcService.generate():429 - mako:local/users.oath file removed.
[2022/12/14 14:21:34] (DEBUG) EtcService.generate():445 - No new changes for /etc/local/avahi/avahi-daemon.conf
[2022/12/14 14:21:35] (DEBUG) EtcService.generate():445 - No new changes for /etc/krb5.con
 

derlucas

Dabbler
Joined
Dec 8, 2022
Messages
11
So I installed a new test Domain Controller with a fresh new AD Forest. This time I did not create a PKI and the AD runs without SSL.

Joining works perfectly fine here also.
So I would assume it has to be something with SSL.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
So I installed a new test Domain Controller with a fresh new AD Forest. This time I did not create a PKI and the AD runs without SSL.

Joining works perfectly fine here also.
So I would assume it has to be something with SSL.
Communication with AD basically uses protected SASL_GSSAPI bind rather than SSL.
 

derlucas

Dabbler
Joined
Dec 8, 2022
Messages
11
Here is middlewared.log with "verbose" logging enabled:


[2022/12/15 11:25:04] (DEBUG) ActiveDirectoryService.start():635 - Starting Active Directory service for [AD.*****.NET]
[2022/12/15 11:25:23] (ERROR) middlewared.job.run():367 - Job <bound method ActiveDirectoryService.start of <middlewared.plugins.activedirectory.ActiveDirectoryService object at 0x81b122700>> failed
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 211, in _do_cldap
    cldap_ret = self.netctx.finddc(
samba.NTSTATUSError: (3221226045, 'The remote system is not reachable by the transport.')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 355, in run
    await self.future
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 391, in __run_body
    rv = await self.method(*([self] + args))
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 678, in start
    await self.middleware.call('activedirectory.get_netbios_domain_name')
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1278, in call
    return await self._call(
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1246, in _call
    return await self.run_in_executor(prepared_call.executor, methodobj, *prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1151, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 1214, in get_netbios_domain_name
    domain = ActiveDirectory_Conn(conf=ad, logger=self.logger).get_domain()
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 244, in get_domain
    cldap_ret = self._do_cldap()
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 222, in _do_cldap
    f"failed with error: {e[1]}.")
TypeError: 'NTSTATUSError' object is not subscriptable
[2022/12/15 11:27:01] (DEBUG) EtcService.generate():445 - No new changes for /etc/krb5.conf
[2022/12/15 11:27:02] (WARNING) middlewared.plugins.service_.services.base_freebsd.freebsd_service():142 - wsdd forcestart failed with code 1: 'wsdd is running as pid 1423\n'
[2022/12/15 11:27:02] (DEBUG) EtcService.generate():445 - No new changes for /etc/local/avahi/avahi-daemon.conf
[2022/12/15 11:27:02] (DEBUG) SMBService.add_admin_group():86 - No cache entry indicating delayed action to add admin_group was found.
[2022/12/15 11:27:05] (DEBUG) ActiveDirectoryService.get_cache():1547 - cache fill is in progress.
[2022/12/15 11:27:05] (DEBUG) ActiveDirectoryService.get_cache():1547 - cache fill is in progress.
[2022/12/15 11:28:21] (DEBUG) ShareSec.parse_share_sd():78 - S-1-1-0: failed to resolve SID to name: [EFAULT] wbinfo failed with error: failed to call wbcLookupSid: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not lookup sid S-1-1-0
[2022/12/15 11:28:21] (DEBUG) ShareSec.parse_share_sd():78 - S-1-1-0: failed to resolve SID to name: [EFAULT] wbinfo failed with error: failed to call wbcLookupSid: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not lookup sid S-1-1-0
[2022/12/15 11:28:26] (DEBUG) ActiveDirectoryService.get_cache():1547 - cache fill is in progress.
[2022/12/15 11:28:26] (DEBUG) ActiveDirectoryService.get_cache():1547 - cache fill is in progress.


And here is System->Advanced "Save Debug" ixdiagnose\fndebug\ActiveDirectory\dump:

+--------------------------------------------------------------------------------+
+ Active Directory Status @1671103139 +
+--------------------------------------------------------------------------------+
Active Directory is DISABLED
debug finished in 0 seconds for Active Directory Status


+--------------------------------------------------------------------------------+
+ Active Directory Run Status @1671103139 +
+--------------------------------------------------------------------------------+
nmbd is not running.
smbd is not running.
winbindd is not running.
+--------------------------------------------------------------------------------+
+ @1671103139 +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+ SMB Service Status @1671103139 +
+--------------------------------------------------------------------------------+
SMB will not start on boot.
debug finished in 0 seconds for SMB Service Status


+--------------------------------------------------------------------------------+
+ Active Directory Settings @1671103139 +
+--------------------------------------------------------------------------------+
{
"id": 1,
"domainname": "AD.*****DO.NET",
"bindname": "svc-vault1",
"verbose_logging": false,
"allow_trusted_doms": false,
"use_default_domain": false,
"allow_dns_updates": true,
"disable_freenas_cache": false,
"restrict_pam": false,
"site": "",
"timeout": 60,
"dns_timeout": 10,
"nss_info": null,
"enable": false,
"kerberos_principal": "",
"createcomputer": "",
"kerberos_realm": null,
"netbiosname": "truenastest2",
"netbiosalias": []
}
debug finished in 0 seconds for Active Directory Settings


+--------------------------------------------------------------------------------+
+ /etc/krb5.conf @1671103139 +
+--------------------------------------------------------------------------------+

debug finished in 0 seconds for /etc/krb5.conf


+--------------------------------------------------------------------------------+
+ /etc/nsswitch.conf @1671103139 +
+--------------------------------------------------------------------------------+


group: files
hosts: files dns
networks: files
passwd: files
shells: files
services: files
protocols: files
rpc: files
sudoers: files
debug finished in 0 seconds for /etc/nsswitch.conf


+--------------------------------------------------------------------------------+
+ /usr/local/etc/smb4.conf @1671103139 +
+--------------------------------------------------------------------------------+


[global]
dns proxy = No
aio max threads = 2
max log size = 5120
load printers = No
printing = bsd
disable spoolss = Yes
dos filemode = Yes
kernel change notify = No
directory name cache size = 0
server multi channel support = No
nsupdate command = /usr/local/bin/samba-nsupdate -g
unix charset = UTF-8
log level = 1 auth_json_audit:3@/var/log/samba4/auth_audit.log
obey pam restrictions = False
rpc_daemon:mdssd = disabled
rpc_server:mdssvc = disabled
enable web service discovery = True
logging = file
server min protocol = SMB2_02
unix extensions = No
restrict anonymous = 2
server string = TrueNAS Server
bind interfaces only = Yes
netbios name = truenastest2
netbios aliases =
server role = standalone
workgroup = WORKGROUP
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
registry shares = yes
include = registry
debug finished in 0 seconds for /usr/local/etc/smb4.conf


+--------------------------------------------------------------------------------+
+ /usr/local/etc/smb4_share.conf @1671103139 +
+--------------------------------------------------------------------------------+
debug finished in 0 seconds for /usr/local/etc/smb4_share.conf


+--------------------------------------------------------------------------------+
+ Kerberos Tickets - 'klist' @1671103139 +
+--------------------------------------------------------------------------------+
klist: No ticket file: /tmp/krb5cc_0
debug finished in 0 seconds for Kerberos Tickets - 'klist'


+--------------------------------------------------------------------------------+
+ Kerberos Principals - 'ktutil' @1671103139 +
+--------------------------------------------------------------------------------+
ktutil: krb5_kt_start_seq_get FILE:/etc/krb5.keytab: keytab /etc/krb5.keytab open failed: No such file or directory
debug finished in 0 seconds for Kerberos Principals - 'ktutil'


+--------------------------------------------------------------------------------+
+ Active Directory Trust Secret - 'wbinfo -t' @1671103139 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret
checking the trust secret for domain (null) via RPC calls failed
debug finished in 0 seconds for Active Directory Trust Secret - 'wbinfo -t'


+--------------------------------------------------------------------------------+
+ Active Directory NETLOGON connection - 'wbinfo -P' @1671103139 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
checking the NETLOGON for domain[] dc connection to "" failed
debug finished in 0 seconds for Active Directory NETLOGON connection - 'wbinfo -P'


+--------------------------------------------------------------------------------+
+ Active Directory trusted domains - 'wbinfo -m' @1671103139 +
+--------------------------------------------------------------------------------+
failed to call wbcListTrusts: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not list trusted domains
debug finished in 0 seconds for Active Directory trusted domains - 'wbinfo -m'


+--------------------------------------------------------------------------------+
+ Active Directory all domains - 'wbinfo --all-domains' @1671103139 +
+--------------------------------------------------------------------------------+
failed to call wbcListTrusts: WBC_ERR_WINBIND_NOT_AVAILABLE
debug finished in 0 seconds for Active Directory all domains - 'wbinfo --all-domains'


+--------------------------------------------------------------------------------+
+ Active Directory own domain - 'wbinfo --own-domain' @1671103139 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
(null)
debug finished in 0 seconds for Active Directory own domain - 'wbinfo --own-domain'


+--------------------------------------------------------------------------------+
+ Active Directory online status - 'wbinfo --online-status' @1671103139 +
+--------------------------------------------------------------------------------+
failed to call wbcListTrusts: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not show online-status
debug finished in 0 seconds for Active Directory online status - 'wbinfo --online-status'


could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
+--------------------------------------------------------------------------------+
+ Active Directory domain info - 'wbinfo --domain-info=(null)' @1671103139 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
failed to call wbcDomainInfo: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not get domain info
debug finished in 0 seconds for Active Directory domain info - 'wbinfo --domain-info=(null)'


+--------------------------------------------------------------------------------+
+Active Directory DC name - 'wbinfo --dsgetdcname="AD.*****DO.NET"' @1671103139+
+--------------------------------------------------------------------------------+
Could not find dc for "AD.*****DO.NET"
debug finished in 0 seconds for Active Directory DC name - 'wbinfo --dsgetdcname="AD.*****DO.NET"'


could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
+--------------------------------------------------------------------------------+
+ Active Directory DC info - 'wbinfo --dc-info=(null)' @1671103139 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Could not find dc info (null)
debug finished in 1 seconds for Active Directory DC info - 'wbinfo --dc-info=(null)'


+--------------------------------------------------------------------------------+
+ Active Directory Users - 'wbinfo -u' @1671103140 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users
+--------------------------------------------------------------------------------+
+ Active Directory Groups - 'wbinfo -g' @1671103140 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
Error looking up domain groups
debug finished in 0 seconds for Active Directory Groups - 'wbinfo -g'


+--------------------------------------------------------------------------------+
+ Active Directory SPN list @1671103140 +
+--------------------------------------------------------------------------------+
[EAUTH] Kerberos ticket is required.
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 139, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1235, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 975, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 1107, in get_spn_list
    await self.middleware.call("kerberos.check_ticket")
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1278, in call
    return await self._call(
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1235, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/kerberos.py", line 170, in check_ticket
    raise CallError("Kerberos ticket is required.", errno.EAUTH)
middlewared.service_exception.CallError: [EAUTH] Kerberos ticket is required.

debug finished in 0 seconds for Active Directory SPN list


+--------------------------------------------------------------------------------+
+ idmap settings @1671103140 +
+--------------------------------------------------------------------------------+
[
{
"id": 1,
"name": "DS_TYPE_ACTIVEDIRECTORY",
"dns_domain_name": null,
"range_low": 100000001,
"range_high": 200000000,
"idmap_backend": "RID",
"options": {},
"certificate": null
},
{
"id": 2,
"name": "DS_TYPE_LDAP",
"dns_domain_name": null,
"range_low": 10000,
"range_high": 90000000,
"idmap_backend": "LDAP",
"options": {
"ldap_base_dn": "",
"ldap_user_dn": "",
"ldap_url": "",
"ssl": "OFF"
},
"certificate": null
},
{
"id": 5,
"name": "DS_TYPE_DEFAULT_DOMAIN",
"dns_domain_name": null,
"range_low": 90000001,
"range_high": 100000000,
"idmap_backend": "TDB",
"options": {},
"certificate": null
}
]
debug finished in 0 seconds for idmap settings


Do you need anything else?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Hmm... interesting. It looks like the attempt to look up a DC in your environment is failing. That area of code is supposed to auto-detect your AD NetBIOS domain name (short form) via CLDAP ping. Maybe run the command net -S <domain name> ads lookup to get this value and populate it as the workgroup in Services->SMB:

Code:
root@TN3[~]# net -S BILLY.GOAT ads lookup
Information for Domain Controller: 192.168.0.59

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: d12f596f-27c5-4e5e-8d97-1853ca6103fc
Flags:
    Is a PDC:                                   yes
    Is a GC of the forest:                      yes
    Is an LDAP server:                          yes
    Supports DS:                                yes
    Is running a KDC:                           yes
    Is running time services:                   no
    Is the closest DC:                          yes
    Is writable:                                yes
    Has a hardware clock:                       no
    Is a non-domain NC serviced by LDAP server: no
    Is NT6 DC that has some secrets:            no
    Is NT6 DC that has all secrets:             yes
    Runs Active Directory Web Services:         yes
    Runs on Windows 2012 or later:              yes
Forest: BILLY.GOAT
Domain: BILLY.GOAT
Domain Controller: DC01.BILLY.GOAT
Pre-Win2k Domain: BILLY
Pre-Win2k Hostname: DC01
Server Site Name: Default-First-Site-Name
Client Site Name: Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

Above is output for one of my test domains. Workgroup is Pre-Win2k Domain: BILLY.
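What net ads lookup prints is a decoded NETLOGON_SAM_LOGON_RESPONSE_EX, the blob a DC returns in the "Netlogon" attribute of a CLDAP ping. The following is an added example, not part of this thread and not Samba or TrueNAS code: a small Python parser for that structure, run against a constructed sample (not a capture) that mirrors the BILLY.GOAT output above. The DS_FLAG bit values and field order follow MS-ADTS 6.3.1.2 and 6.3.1.9; the dictionary keys, function names and the dns_name/dns_pointer helpers are my own. It only helps once a DC actually answers: the later "ads_cldap_netlogon: did not get a reply" in this thread means no such blob came back at all.

```python
"""Decoder for NETLOGON_SAM_LOGON_RESPONSE_EX (MS-ADTS 6.3.1.9), the payload of a
CLDAP "LDAP ping"; its NetbiosDomainName is the "Pre-Win2k Domain" (workgroup)."""
import struct
import uuid

LOGON_SAM_LOGON_RESPONSE_EX = 0x17
# DS_FLAG bits (MS-ADTS 6.3.1.2) in the order `net ads lookup` lists them.
DS_FLAGS = [
    (0x00000001, "Is a PDC"),
    (0x00000004, "Is a GC of the forest"),
    (0x00000008, "Is an LDAP server"),
    (0x00000010, "Supports DS"),
    (0x00000020, "Is running a KDC"),
    (0x00000040, "Is running time services"),
    (0x00000080, "Is the closest DC"),
    (0x00000100, "Is writable"),
    (0x00000200, "Has a hardware clock"),
    (0x00000400, "Is a non-domain NC serviced by LDAP server"),
    (0x00000800, "Is NT6 DC that has some secrets"),
    (0x00001000, "Is NT6 DC that has all secrets"),
    (0x00002000, "Runs Active Directory Web Services"),
    (0x00004000, "Runs on Windows 2012 or later"),
]
# Name fields that follow the 24-byte header (opcode, sbz, flags, domain GUID).
NAME_FIELDS = ("forest", "domain", "dc_hostname", "netbios_domain",
               "netbios_hostname", "user", "dc_site", "client_site")


def read_compressed_name(buf, offset):
    """Decode one RFC 1035 compressed name; return (name, offset after the field).
    A pointer (top two bits set) jumps back inside the same blob; the field ends
    right after the first pointer or after the root label."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        if (length & 0xC0) == 0xC0:
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:                       # refuse pointer loops from a bad peer
                raise ValueError("compression pointer loop")
            offset = struct.unpack_from(">H", buf, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:                         # root label ends the name
            return ".".join(labels), (end if end is not None else offset)
        labels.append(bytes(buf[offset:offset + length]).decode("utf-8"))
        offset += length


def parse_netlogon_response(buf):
    """Parse the blob into a dict; raise ValueError on anything malformed."""
    if len(buf) < 24:
        raise ValueError("truncated header")
    opcode, _sbz, flags = struct.unpack_from("<HHI", buf, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError(f"unexpected opcode 0x{opcode:x}")
    info = {"flags": flags, "domain_guid": str(uuid.UUID(bytes_le=bytes(buf[8:24])))}
    offset = 24
    for key in NAME_FIELDS:
        info[key], offset = read_compressed_name(buf, offset)
    info["nt_version"], info["lmnt_token"], info["lm20_token"] = \
        struct.unpack_from("<IHH", buf, offset)
    info["capabilities"] = {label: bool(flags & bit) for bit, label in DS_FLAGS}
    return info


def workgroup_from_response(buf):
    """The short domain name: the value the post above says to use as SMB workgroup."""
    return parse_netlogon_response(buf)["netbios_domain"]


def format_capabilities(info):
    """Render the Flags block the way `net ads lookup` prints it."""
    return "\n".join(f"    {k + ':':<44}{'yes' if v else 'no'}"
                     for k, v in info["capabilities"].items())


# Constructed sample (not a capture) mirroring the BILLY.GOAT output above.
def dns_name(*labels):
    """Length-prefixed labels terminated by a root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dns_pointer(offset):
    return struct.pack(">H", 0xC000 | offset)


SAMPLE = (
    struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, 0x000071BD)  # flags per the output above
    + uuid.UUID("d12f596f-27c5-4e5e-8d97-1853ca6103fc").bytes_le
    + dns_name("billy", "goat")               # offset 24: DnsForestName
    + dns_pointer(24)                         # DnsDomainName: pointer to the forest name
    + b"\x04dc01" + dns_pointer(24)           # DnsHostName: "dc01" + pointer -> dc01.billy.goat
    + dns_name("BILLY")                       # NetbiosDomainName (the workgroup)
    + dns_name("DC01")                        # NetbiosComputerName
    + dns_name()                              # UserName: empty
    + dns_name("Default-First-Site-Name")     # offset 59: DcSiteName
    + dns_pointer(59)                         # ClientSiteName: pointer to DcSiteName
    + struct.pack("<IHH", 5, 0xFFFF, 0xFFFF)  # NtVersion, LmNtToken, Lm20Token
)

if __name__ == "__main__":
    print(format_capabilities(parse_netlogon_response(SAMPLE)))
    print("workgroup:", workgroup_from_response(SAMPLE))
```

The sample deliberately uses compression pointers for the domain, hostname and client-site fields, as real DCs do, so the decoder's pointer path is exercised; the hop limit exists because a malformed or hostile reply can point a name at itself.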
 

derlucas

Dabbler
Joined
Dec 8, 2022
Messages
11
I tried setting the AD NetBIOS domain name in Services->SMB without success.

Here is the output from your command:

root@truenastest2[/]# ping the***dc1.ad.****.net
PING the****dc1.ad.****.net (192.168.1.111): 56 data bytes
64 bytes from 192.168.1.111: icmp_seq=0 ttl=128 time=0.263 ms
^C
--- the***dc1.ad.****.net ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.263/0.263/0.263/0.000 ms
root@truenastest2[/]# net -S ad.****.net ads lookup
ads_connect: No logon servers are currently available to service the logon request.
ads_connect: No logon servers are currently available to service the logon request.
Didn't find the cldap server!
root@truenastest2[/]#

Here I changed the DNS server to the testDC server and tried also:

root@truenastest2[/]# ping testdc.testdomain.local
PING testdc.testdomain.local (192.168.1.136): 56 data bytes
64 bytes from 192.168.1.136: icmp_seq=0 ttl=128 time=0.371 ms
^C
--- testdc.testdomain.local ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.371/0.371/0.371/0.000 ms
root@truenastest2[/]# net -S testdomain.local ads lookup
Information for Domain Controller: 192.168.1.136

Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: ca577e4c-a235-434d-aaa0-c0b6052172fd
Flags:
Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Is NT6 DC that has some secrets: no
Is NT6 DC that has all secrets: yes
Runs Active Directory Web Services: yes
Runs on Windows 2012 or later: yes
Forest: testdomain.local
Domain: testdomain.local
Domain Controller: testdc.testdomain.local
Pre-Win2k Domain: TESTDOMAIN
Pre-Win2k Hostname: TESTDC
Server Site Name: Default-First-Site-Name
Client Site Name: Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff


Here is the result of DNS checks:

root@truenastest2[/]# dig _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.****.net ANY
;; QUESTION SECTION:
;_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.****.net. IN ANY

;; ANSWER SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.****.net. 600 IN SRV 0 100 389 ***dc1.ad.****.net.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.****.net. 600 IN SRV 0 100 389 ***dc2.ad.****.net.

;; ADDITIONAL SECTION:
***dc1.ad.****.net. 3600 IN A 192.168.1.111
***dc1.ad.****.net. 3600 IN AAAA 2a01:a700:8809:350::111
***dc2.ad.****.net. 3600 IN A 192.168.1.112
***dc2.ad.****.net. 3600 IN AAAA 2a01:a700:8809:350::112
***dc2.ad.****.net. 3600 IN AAAA 2a01:a700:8809:350:189:3604:b4f8:7a43

;; Query time: 0 msec
;; SERVER: 192.168.1.111#53(192.168.1.111)
;; WHEN: Thu Dec 15 13:44:13 UTC 2022
;; MSG SIZE rcvd: 307

root@truenastest2[/]# dig _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.****.net ANY
;; QUESTION SECTION:
;_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.****.net. IN ANY

;; ANSWER SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.****.net. 600 IN SRV 0 100 88 ***dc2.ad.****.net.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.****.net. 600 IN SRV 0 100 88 ***dc1.ad.****.net.

;; ADDITIONAL SECTION:
***dc2.ad.****.net. 3600 IN A 192.168.1.112
***dc2.ad.****.net. 3600 IN AAAA 2a01:a700:8809:350:189:3604:b4f8:7a43
***dc2.ad.****.net. 3600 IN AAAA 2a01:a700:8809:350::112
***dc1.ad.****.net. 3600 IN A 192.168.1.111
***dc1.ad.****.net. 3600 IN AAAA 2a01:a700:8809:350::111

;; Query time: 0 msec
;; SERVER: 192.168.1.111#53(192.168.1.111)
;; WHEN: Thu Dec 15 13:45:03 UTC 2022
;; MSG SIZE rcvd: 311


Thanks for your help so far.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Ping isn't a good guide for determining whether your DNS is configured correctly BTW. This won't tell you anything about SRV records, connectivity to AD KDC, AD LDAP, etc, etc.

Configure DNS correctly for the domain you're trying to join, then run net -S <domain> -d 5 ads lookup. That might give you some indication about where the configuration issue is.
 

derlucas

Dabbler
Joined
Dec 8, 2022
Messages
11
Hey, I just added some DNS debugging info to my last post.
Here is the output with "-d 5":

root@truenastest2[/]# net -S ad.****.net -d 5 ads lookup
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter dns proxy = No
doing parameter aio max threads = 2
doing parameter max log size = 5120
doing parameter load printers = No
doing parameter printing = bsd
doing parameter disable spoolss = Yes
doing parameter dos filemode = Yes
doing parameter kernel change notify = No
doing parameter directory name cache size = 0
doing parameter server multi channel support = No
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter unix charset = UTF-8
doing parameter log level = 1 auth_json_audit:3@/var/log/samba4/auth_audit.log
doing parameter obey pam restrictions = False
doing parameter rpc_daemon:mdssd = disabled
doing parameter rpc_server:mdssvc = disabled
doing parameter enable web service discovery = True
doing parameter logging = file
doing parameter server min protocol = SMB2_02
doing parameter unix extensions = No
doing parameter restrict anonymous = 2
doing parameter server string = TrueNAS Server
doing parameter bind interfaces only = Yes
doing parameter netbios name = truenastest1
doing parameter netbios aliases =
doing parameter server role = standalone
doing parameter workgroup = ADTHEDO
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter registry shares = yes
doing parameter include = registry
doing parameter registry shares = yes
process_registry_service: service name global
pm_process() returned Yes
added interface em0 ip=192.168.1.135 bcast=192.168.1.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Registering messaging pointer for type 51 - private_data=0x0
added interface em0 ip=192.168.1.135 bcast=192.168.1.255 netmask=255.255.255.0
Opening cache file at /var/run/samba4/gencache.tdb
sitename_fetch: No stored sitename for realm ''
namecache_fetch: no entry for ad.****.net#20 found.
resolve_hosts: Attempting host lookup for name ad.****.net<0x20>
namecache_store: storing 2 addresses for ad.****.net#20: 192.168.1.112,192.168.1.111
ads_try_connect: sending CLDAP request to 192.168.1.112 (realm: (null))
Successfully contacted LDAP server 192.168.1.112
sitename_fetch: No stored sitename for realm ''
namecache_fetch: name ad.****.net#20 found.
ads_try_connect: sending CLDAP request to 192.168.1.112 (realm: (null))
Successfully contacted LDAP server 192.168.1.112
ads_cldap_netlogon: did not get a reply
CLDAP query failed!
return code = -1
root@truenastest2[/]#
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
These types of network integration issues are very complex. iX only provides support with its appliances.

Sounds like you'll need a 3rd party.
 

derlucas

Dabbler
Joined
Dec 8, 2022
Messages
11
But I can successfully join a Windows 10 VM into my Domain. I can also join a plain Debian 11 with sssd into the Domain.
All checks for DNS seem to be fine.
Can you recommend 3rd party support?
 

JoeAtWork

Contributor
Joined
Aug 20, 2018
Messages
165
Can you recommend 3rd Party support?
Have you checked on the price of a filer from iXsystems, just a small one that you can do this with and call support? That may be the same as calling in a consulting company. I have seen some consulting companies for the enterprise do 5-10k per day for a smart application engineer. YMMV
 