Unable to find domain controllers for my.dom

Marco Suhr

Cadet
Joined
May 10, 2019
Messages
7
Hello,

I have a problem at a customer's site. I am trying to connect a FreeNAS server to the customer's AD so that users can access CIFS shares. When I enter the configuration in the AD options everything looks ok, but when I try to set the configuration to "enable" I get the error you can see in the subject.
I've checked the name resolution and the SRV record for LDAP on the domain controllers, and everything is ok. The NTP server is the same one the AD servers are using.
I can't find the cause of the error message, and in /var/log/messages I don't find anything helpful.

The FreeNAS version is 11.2-U3. The AD servers are running Windows Server 2012 R2.

I hope someone has a good idea for troubleshooting or a solution.
Thanks in advance and regards,
Marco

dlavigne

Guest
Were you able to resolve this? Does updating to 11.2-U4.1 resolve it?
 

Marco Suhr

I haven't had enough time in the last week to look at the problem. Is there a bugfix in the patch for issues in that direction?
I ask because it is a bigger thing to get downtime for a patch ...

Thanks for the answer :)
Marco
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Often, these errors indicate a DNS issue in the AD domain. Try the following procedure:
Code:
sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"
service ix-hostname start
service ix-kerberos start
service ix-kinit start
<if the above step fails, check /etc/krb5.conf and verify that the information is correct. If it is, then manually `kinit <username>@<domain>`>
klist (verify that you have a ticket).
service ix-pre-samba start
net -k ads testjoin (see if you're joined to domain already). If you're not, then
net -d 5 -k ads join (this should give some pretty verbose output about what's going on and help identify the failure point).
<If it succeeds>
service samba_server onerestart
service ix-pam start
service ix-nsswitch start
 

Marco Suhr

Hello anodos,

thanks for your reply :)
I tested your suggestion. The results are attached as a code segment.
I checked kinit with different users, and for a second test with the same user I pasted the password to be sure it was typed correctly.
I skipped the last 3 steps ...

Do you have an idea where the error could be?

I was told to censor some information. I hope I have overwritten all domain names, hostnames, IPs and IDs correctly.

Code:
root@FREENAS01:~ # cp /data/freenas-v1.db /root/freenas-v1.db.ORIG
root@FREENAS01:~ #
root@FREENAS01:~ # sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"
root@FREENAS01:~ # service ix-hostname start
root@FREENAS01:~ # service ix-kerberos start
root@FREENAS01:~ # service ix-kinit start
ERROR: Unable to find domain controllers for my.dom
root@FREENAS01:~ # cat /etc/krb5.conf
#
# krb5.conf(5) - configuration file for Kerberos 5
# $FreeBSD$
#

[appdefaults]
            pam = {
                   forwardable = true
                   ticket_lifetime = 86400
                   renew_lifetime = 86400
            }

[libdefaults]
            dns_lookup_realm = true
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            clockskew = 300
            forwardable = yes
            default_realm = MY.DOM

[domain_realm]
            my.dom = MY.DOM
            .my.dom = MY.DOM
            MY.DOM = MY.DOM
            .MY.DOM = MY.DOM

[realms]
            MY.DOM = {
                   default_domain = MY.DOM
                   kdc = 10.10.10.21
                   admin_server = 10.10.10.21
                   kpasswd_server = 10.10.10.21
            }

[logging]
            default = SYSLOG:INFO:LOCAL7
root@FREENAS01:~ # kinit myadmin@my.dom
myadmin@my.dom's Password:
kinit: Password incorrect
root@FREENAS01:~ # kinit administrator@my.dom
administrator@my.dom's Password:
kinit: Password incorrect
***
root@FREENAS01:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: myadmin@MY.DOM

  Issued                Expires               Principal
May 22 15:30:00 2019  May 23 01:30:00 2019  krbtgt/MY.DOM@MY.DOM
root@FREENAS01:~ # service ix-pre-samba start
net -k ads testjoin
Join to domain is not valid: NT code 0xfffffff6
root@FREENAS01:~ # net -d 5 -k ads join
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter server min protocol = SMB2_02
doing parameter server max protocol = SMB3
doing parameter interfaces = 127.0.0.1 10.10.10.100
doing parameter bind interfaces only = yes
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter private dir = /var/db/samba4/private
doing parameter max open files = 2121905
doing parameter logging = file
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter obey pam restrictions = yes
doing parameter ntlm auth = no
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = FreeNAS Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter hostname lookups = yes
doing parameter time server = yes
doing parameter acl allow execute always = true
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = member server
doing parameter workgroup = WORKGROUP
doing parameter realm = MY.DOM
doing parameter security = ADS
doing parameter client use spnego = yes
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter ads dns update = yes
doing parameter winbind cache time = 7200
doing parameter winbind offline logon = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter winbind use default domain = no
doing parameter winbind refresh tickets = yes
doing parameter idmap config WORKGROUP: backend = rid
doing parameter idmap config WORKGROUP: range = 20000-90000000
doing parameter allow trusted domains = no
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter netbios name = FREENAS01
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = yes
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 1
pm_process() returned Yes
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Registering messaging pointer for type 51 - private_data=0x0
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter server min protocol = SMB2_02
doing parameter server max protocol = SMB3
doing parameter interfaces = 127.0.0.1 10.10.10.100
doing parameter bind interfaces only = yes
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter private dir = /var/db/samba4/private
doing parameter max open files = 2121905
doing parameter logging = file
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter obey pam restrictions = yes
doing parameter ntlm auth = no
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = FreeNAS Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter hostname lookups = yes
doing parameter time server = yes
doing parameter acl allow execute always = true
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = member server
doing parameter workgroup = WORKGROUP
doing parameter realm = MY.DOM
doing parameter security = ADS
doing parameter client use spnego = yes
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter ads dns update = yes
doing parameter winbind cache time = 7200
doing parameter winbind offline logon = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter winbind use default domain = no
doing parameter winbind refresh tickets = yes
doing parameter idmap config WORKGROUP: backend = rid
doing parameter idmap config WORKGROUP: range = 20000-90000000
doing parameter allow trusted domains = no
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter netbios name = FREENAS01
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = yes
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 1
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="FREENAS01"
added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface lagg1 ip=10.10.10.100 bcast=10.10.15.255 netmask=255.255.240.0
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'FREENAS01'
            domain_name              : *
                domain_name              : 'MY.DOM'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'root'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x01 (1)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/run/samba4/gencache.tdb
Opening cache file at /var/run/samba4/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
ads_dns_lookup_srv: 2 records returned in the answer section.
saf_fetch: Returning "AD02.MY.DOM" for "MY.DOM" domain
get_dc_list: preferred server list: "AD02.MY.DOM, *"
resolve_ads: Attempting to resolve KDCs for MY.DOM using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD02.MY.DOM#20 found.
get_dc_list: returning 4 ip addresses in an ordered list
get_dc_list: 10.10.10.18:88 10.10.10.20:88 10.10.1.20:88 10.10.1.21:88
saf_fetch: Returning "AD02.MY.DOM" for "MY.DOM" domain
get_dc_list: preferred server list: "AD02.MY.DOM, *"
resolve_ads: Attempting to resolve KDCs for MY.DOM using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD02.MY.DOM#20 found.
get_dc_list: returning 4 ip addresses in an ordered list
get_dc_list: 10.10.10.21:88 10.10.10.20:88 10.10.1.20:88 10.10.1.21:88
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba4/smb_krb5/krb5.conf..JOIN with realm MY.DOM KDC list =         kdc = 10.10.10.20
        kdc = 10.10.10.21
        kdc = 10.10.1.20
        kdc = 10.10.1.21

sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
no entry for AD01.MY.DOM#20 found.
resolve_hosts: Attempting host lookup for name AD01.MY.DOM<0x20>
namecache_store: storing 2 addresses for AD01.MY.DOM#20: 10.10.10.20,10.10.1.20
Connecting to 10.10.10.20 at port 445
Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 0
    SO_BROADCAST = 0
    TCP_NODELAY = 4
    TCP_KEEPCNT = 8
    TCP_KEEPIDLE = 7200
    TCP_KEEPINTVL = 75
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 0
    SO_SNDBUF = 33580
    SO_RCVBUF = 65700
    SO_SNDLOWAT = 2048
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
signed SMB2 message
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host AD01.MY.DOM auth_type 0, auth_level 1
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 168
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
signed SMB2 message
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'FREENAS01$'
            netbios_domain_name      : 'MY'
            dns_domain_name          : 'MY.DOM'
            forest_name              : 'MY.DOM'
            dn                       : NULL
            domain_guid              : 938***
            domain_sid               : *
                domain_sid               : S-1-5***
            modified_config          : 0x00 (0)
            error_string             : 'Invalid configuration ("workgroup" set to 'WORKGROUP', should be 'MY') and configuration modification was not requested'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            krb5_salt                : NULL
            result                   : WERR_CAN_NOT_COMPLETE
Failed to join domain: Invalid configuration ("workgroup" set to 'WORKGROUP', should be 'MY') and configuration modification was not requested
return code = -1
root@FREENAS01:~ #
 

anodos

The join failed because your workgroup under Services->SMB should be set to "MY" instead of "WORKGROUP". The reason the workgroup auto-detection didn't complete is that we didn't get DNS query results for DCs quickly enough (we probably timed out after 5 seconds). You can increase the timeout value by running the commands sysctl freenas.directoryservice.activedirectory.dns.timeout=30 and sysctl freenas.directoryservice.activedirectory.dns.lifetime=30 and retry.
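As an added example (not FreeNAS or Samba code), a small Python triage script for the `net -d 5 -k ads join` debug output produced by the procedure above: it pulls out the smb.conf workgroup and realm, the NetBIOS and DNS domain names the DC returned in libnet_JoinCtx.out, the KDC list Samba discovered, the DC it connected to and the final join result, and flags the mismatch that decided this case. The sample log is a constructed excerpt of the output posted in this thread; the function and field names are my own.

```python
"""Triage `net -d 5 -k ads join` debug output (added example, not FreeNAS/Samba code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the output posted in this thread (names/IPs already redacted).
SAMPLE_LOG = """\
doing parameter workgroup = WORKGROUP
doing parameter realm = MY.DOM
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba4/smb_krb5/krb5.conf..JOIN with realm MY.DOM KDC list =         kdc = 10.10.10.20
        kdc = 10.10.10.21
        kdc = 10.10.1.20
        kdc = 10.10.1.21

Connecting to 10.10.10.20 at port 445
        out: struct libnet_JoinCtx
            netbios_domain_name      : 'MY'
            dns_domain_name          : 'MY.DOM'
            error_string             : 'Invalid configuration ("workgroup" set to 'WORKGROUP', should be 'MY') and configuration modification was not requested'
            result                   : WERR_CAN_NOT_COMPLETE
Failed to join domain: Invalid configuration ("workgroup" set to 'WORKGROUP', should be 'MY') and configuration modification was not requested
return code = -1
"""

# One regex per line shape we care about.
_PARAM = re.compile(r"^doing parameter (?P<key>[^=]+?)\s*=\s*(?P<val>.*)$")
_OUT = re.compile(r"^\s+(?P<key>netbios_domain_name|dns_domain_name|result)\s+:\s+'?(?P<val>[^']+?)'?\s*$")
_ERR = re.compile(r"^\s+error_string\s+:\s+'(?P<val>.*)'\s*$")
_KDC = re.compile(r"\bkdc = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
_CONNECT = re.compile(r"^Connecting to (?P<ip>\S+) at port (?P<port>\d+)$")


@dataclass
class JoinReport:
    workgroup: Optional[str] = None       # smb.conf "workgroup"
    realm: Optional[str] = None           # smb.conf "realm"
    netbios_domain: Optional[str] = None  # NetBIOS domain name reported by the DC
    dns_domain: Optional[str] = None      # DNS domain name reported by the DC
    kdcs: List[str] = field(default_factory=list)  # KDCs Samba wrote to its private krb5.conf
    dc_contacted: Optional[str] = None    # "ip:port" of the DC the join talked to
    result: Optional[str] = None          # WERR_* code from libnet_JoinCtx.out
    error_string: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_join_log(text: str) -> JoinReport:
    """Extract the configured and DC-reported values from the debug output."""
    r = JoinReport()
    for line in text.splitlines():
        if m := _PARAM.match(line):
            key, val = m["key"].strip().lower(), m["val"].strip()
            if key == "workgroup":
                r.workgroup = val
            elif key == "realm":
                r.realm = val
        elif m := _CONNECT.match(line):
            r.dc_contacted = f"{m['ip']}:{m['port']}"
        elif m := _ERR.match(line):
            r.error_string = m["val"]
        elif m := _OUT.match(line):
            attr = {"netbios_domain_name": "netbios_domain",
                    "dns_domain_name": "dns_domain", "result": "result"}[m["key"]]
            setattr(r, attr, m["val"])
        for k in _KDC.finditer(line):  # the KDC list is spread over several lines
            if k["ip"] not in r.kdcs:
                r.kdcs.append(k["ip"])
    return r


def diagnose(r: JoinReport) -> List[str]:
    """Turn the extracted values into findings; an empty list means nothing stood out."""
    f: List[str] = []
    if r.workgroup and r.netbios_domain and r.workgroup.upper() != r.netbios_domain.upper():
        f.append(f"workgroup mismatch: smb.conf has '{r.workgroup}' but the DC reports NetBIOS "
                 f"domain '{r.netbios_domain}'; set the SMB workgroup to '{r.netbios_domain}'")
    if r.realm and r.dns_domain and r.realm.upper() != r.dns_domain.upper():
        f.append(f"realm mismatch: smb.conf has '{r.realm}' but the DC reports DNS domain '{r.dns_domain}'")
    if not r.kdcs:
        f.append("no KDCs discovered: the DNS SRV lookup for the realm returned nothing usable")
    if r.result and r.result != "WERR_OK":
        f.append(f"join result {r.result}: {r.error_string or 'no error_string in output'}")
    return f


def triage(text: str) -> JoinReport:
    """Parse and diagnose in one step."""
    r = parse_join_log(text)
    r.findings = diagnose(r)
    return r


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"kdcs={report.kdcs} dc={report.dc_contacted} result={report.result}")
    for finding in report.findings:
        print("FINDING:", finding)
```

Feed it the saved output of a failed join (`net -d 5 -k ads join > join.log 2>&1`, then `triage(open("join.log").read())`) to get the same summary for a real run.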
 

Marco Suhr

Hi,

I have done two tests.
For the first try I ran the two commands for the DNS timeout you gave me:
Code:
root@FREENAS01:~ # sysctl freenas.directoryservice.activedirectory.dns.timeout=30
freenas.directoryservice.activedirectory.dns.timeout: 5 -> 30
root@FREENAS01:~ # sysctl freenas.directoryservice.activedirectory.dns.lifetime=30
freenas.directoryservice.activedirectory.dns.lifetime: 5 -> 30

Then I tried the steps in post #4 to join the domain. The results were the same as before.
Here are the results for the first attempt, in case I have overlooked something:
Code:
root@FREENAS01:~ # sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"
root@FREENAS01:~ # service ix-hostname start
root@FREENAS01:~ # service ix-kerberos start
root@FREENAS01:~ # service ix-kinit start
ERROR: Unable to find domain controllers for my.dom
root@FREENAS01:~ # kinit myadmin@my.dom
myadmin@my.dom's Password:
kinit: Password incorrect
root@FREENAS01:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: myadmin@MY.DOM

  Issued                Expires               Principal
May 23 05:30:00 2019  May 23 15:30:00 2019  krbtgt/MY.DOM@MY.DOM
root@FREENAS01:~ # service ix-pre-samba start
root@FREENAS01:~ # net -k ads testjoin
Join to domain is not valid: NT code 0xfffffff6
root@FREENAS01:~ # net -d 5 -k ads join
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter server min protocol = SMB2_02
doing parameter server max protocol = SMB3
doing parameter interfaces = 127.0.0.1 10.10.10.100
doing parameter bind interfaces only = yes
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter private dir = /var/db/samba4/private
doing parameter max open files = 2121905
doing parameter logging = file
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter obey pam restrictions = yes
doing parameter ntlm auth = no
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = FreeNAS Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter hostname lookups = yes
doing parameter time server = yes
doing parameter acl allow execute always = true
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = member server
doing parameter workgroup = WORKGROUP
doing parameter realm = MY.DOM
doing parameter security = ADS
doing parameter client use spnego = yes
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter ads dns update = yes
doing parameter winbind cache time = 7200
doing parameter winbind offline logon = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter winbind use default domain = no
doing parameter winbind refresh tickets = yes
doing parameter idmap config WORKGROUP: backend = rid
doing parameter idmap config WORKGROUP: range = 20000-90000000
doing parameter allow trusted domains = no
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter netbios name = FREENAS01
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = yes
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 1
pm_process() returned Yes
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Registering messaging pointer for type 51 - private_data=0x0
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter server min protocol = SMB2_02
doing parameter server max protocol = SMB3
doing parameter interfaces = 127.0.0.1 10.10.10.100
doing parameter bind interfaces only = yes
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter private dir = /var/db/samba4/private
doing parameter max open files = 2121905
doing parameter logging = file
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter obey pam restrictions = yes
doing parameter ntlm auth = no
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = FreeNAS Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter hostname lookups = yes
doing parameter time server = yes
doing parameter acl allow execute always = true
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = member server
doing parameter workgroup = WORKGROUP
doing parameter realm = MY.DOM
doing parameter security = ADS
doing parameter client use spnego = yes
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter ads dns update = yes
doing parameter winbind cache time = 7200
doing parameter winbind offline logon = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter winbind use default domain = no
doing parameter winbind refresh tickets = yes
doing parameter idmap config WORKGROUP: backend = rid
doing parameter idmap config WORKGROUP: range = 20000-90000000
doing parameter allow trusted domains = no
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter netbios name = FREENAS01
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = yes
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 1
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="FREENAS01"
added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface lagg1 ip=10.10.10.100 bcast=10.10.15.255 netmask=255.255.240.0
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'FREENAS01'
            domain_name              : *
                domain_name              : 'MY.DOM'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'root'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x01 (1)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/run/samba4/gencache.tdb
Opening cache file at /var/run/samba4/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
ads_dns_lookup_srv: 2 records returned in the answer section.
saf_fetch: Returning "AD02.MY.DOM" for "MY.DOM" domain
get_dc_list: preferred server list: "AD02.MY.DOM, *"
resolve_ads: Attempting to resolve KDCs for MY.DOM using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
no entry for AD02.MY.DOM#20 found.
resolve_hosts: Attempting host lookup for name AD02.MY.DOM<0x20>
namecache_store: storing 2 addresses for AD02.MY.DOM#20: 10.10.10.21,10.10.1.21
get_dc_list: returning 4 ip addresses in an ordered list
get_dc_list: 10.10.10.21:88 10.10.1.21:88 10.10.10.20:88 10.10.1.20:88
saf_fetch: Returning "AD02.MY.DOM" for "MY.DOM" domain
get_dc_list: preferred server list: "AD02.MY.DOM, *"
resolve_ads: Attempting to resolve KDCs for MY.DOM using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD02.MY.DOM#20 found.
get_dc_list: returning 4 ip addresses in an ordered list
get_dc_list: 10.10.10.21:88 10.10.10.20:88 10.10.1.20:88 10.10.1.21:88
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba4/smb_krb5/krb5.conf..JOIN with realm MY.DOM KDC list =         kdc = 10.10.10.20
        kdc = 10.10.10.21
        kdc = 10.10.1.21
        kdc = 10.10.1.20

sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
no entry for AD01.MY.DOM#20 found.
resolve_hosts: Attempting host lookup for name AD01.MY.DOM<0x20>
namecache_store: storing 2 addresses for AD01.MY.DOM#20: 10.10.10.20,10.10.1.20
Connecting to 10.10.10.20 at port 445
Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 0
    SO_BROADCAST = 0
    TCP_NODELAY = 4
    TCP_KEEPCNT = 8
    TCP_KEEPIDLE = 7200
    TCP_KEEPINTVL = 75
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 0
    SO_SNDBUF = 33580
    SO_RCVBUF = 65700
    SO_SNDLOWAT = 2048
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
signed SMB2 message
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host AD01.MY.DOM auth_type 0, auth_level 1
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 168
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
signed SMB2 message
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'FREENAS01$'
            netbios_domain_name      : 'MY'
            dns_domain_name          : 'MY.DOM'
            forest_name              : 'MY.DOM'
            dn                       : NULL
            domain_guid              : 938***
            domain_sid               : *
                domain_sid               : S-1-5***
            modified_config          : 0x00 (0)
            error_string             : 'Invalid configuration ("workgroup" set to 'WORKGROUP', should be 'MY') and configuration modification was not requested'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            krb5_salt                : NULL
            result                   : WERR_CAN_NOT_COMPLETE
Failed to join domain: Invalid configuration ("workgroup" set to 'WORKGROUP', should be 'MY') and configuration modification was not requested
return code = -1
root@FREENAS01:~ #


I must split the answer because the forum won't post comments with too many letters.

On the second try I set the workgroup under Services -> SMB to MY and tried the steps under #4 again. The results are in the next posts.
 
Last edited:
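The failure above is a configuration check inside `net ads join`, not a network problem: the DC reports its NetBIOS domain name as `MY`, smb.conf still says `workgroup = WORKGROUP`, and because `modify_config` is 0 the join refuses to rewrite smb.conf and returns WERR_CAN_NOT_COMPLETE. The check below is an added example (not FreeNAS or Samba code) that reproduces that comparison offline, together with the other things the join output lets you verify: `security = ADS`, `realm` against the DC's DNS domain, the NetBIOS name length, and the `kdc =` list Samba wrote to its private krb5.conf against the addresses the `_kerberos._tcp` SRV lookup returned. The sample smb.conf, DC answer (`DC_VIEW`) and SRV address list are constructed from the values shown in this thread; in real use you would feed it the `[global]` section of `testparm -s` output, the `netbios_domain_name`/`dns_domain_name` fields printed in the `libnet_JoinCtx` `out` block, and the SRV answer from `dig`.

```python
"""Pre-join consistency check for a Samba/FreeNAS AD member.

Added example, not FreeNAS or Samba code. It cross-checks the facts that
`net -d 5 -k ads join` printed in the thread:
  * smb.conf [global]: security, realm, workgroup, netbios name
  * the DC's answer (netbios_domain_name / dns_domain_name from the
    libnet_JoinCtx 'out' block)
  * the kdc list Samba wrote to its private krb5.conf against the addresses
    the _kerberos._tcp SRV lookup returned
The sample inputs at the bottom are constructed from the thread; nothing is
queried over the network.
"""
import re

NETBIOS_NAME_MAX = 15  # NetBIOS host names are limited to 15 characters


def parse_smb_global(text):
    """Return the [global] parameters of smb.conf-style text as a dict.
    Keys are lower-cased with whitespace normalised ('Workgroup' -> 'workgroup')."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_kdc_list(krb5_text):
    """Extract the 'kdc = <address>' entries from a krb5.conf fragment, in order."""
    return re.findall(r"^\s*kdc\s*=\s*(\S+)", krb5_text, re.M)


def check_join_config(smb_conf, dc_view, srv_kdcs, krb5_conf):
    """Return a list of configuration problems that would make the join fail.

    dc_view:  dict with 'netbios_domain_name' and 'dns_domain_name', i.e. the
              values the DC reported in the libnet_JoinCtx 'out' block.
    srv_kdcs: KDC addresses returned by the _kerberos._tcp.<realm> SRV lookup.
    An empty list means the join should not fail on configuration grounds.
    """
    g = parse_smb_global(smb_conf)
    problems = []

    if g.get("security", "").upper() != "ADS":
        problems.append("security must be ADS for an AD member, got %r" % g.get("security"))

    realm = g.get("realm", "")
    if realm.upper() != dc_view["dns_domain_name"].upper():
        problems.append("realm %r does not match DC DNS domain %r" % (realm, dc_view["dns_domain_name"]))

    # The mismatch behind WERR_CAN_NOT_COMPLETE in the thread: `net ads join`
    # refuses to join when workgroup differs from the DC's NetBIOS domain name
    # and modify_config is 0, so it will not rewrite smb.conf for you.
    workgroup = g.get("workgroup", "")
    if workgroup.upper() != dc_view["netbios_domain_name"].upper():
        problems.append('"workgroup" set to %r, should be %r' % (workgroup, dc_view["netbios_domain_name"]))

    name = g.get("netbios name", "")
    if len(name) > NETBIOS_NAME_MAX:
        problems.append("netbios name %r is longer than %d characters" % (name, NETBIOS_NAME_MAX))

    # Order of the kdc list varies between runs (the thread shows this), so
    # compare as sets; an empty list means Kerberos has no DC to talk to.
    kdcs = parse_kdc_list(krb5_conf)
    if not kdcs:
        problems.append("krb5.conf has no kdc entries; Kerberos cannot find a domain controller")
    elif set(kdcs) != set(srv_kdcs):
        problems.append("krb5.conf kdc list %s differs from SRV answer %s" % (sorted(kdcs), sorted(srv_kdcs)))
    return problems


# --- constructed sample inputs, modelled on the values in this thread --------
SMB_CONF_BEFORE = """
[global]
    server role = member server
    workgroup = WORKGROUP
    realm = MY.DOM
    security = ADS
    netbios name = FREENAS01
    idmap config MY: backend = rid
"""
SMB_CONF_AFTER = SMB_CONF_BEFORE.replace("workgroup = WORKGROUP", "workgroup = MY")

DC_VIEW = {"netbios_domain_name": "MY", "dns_domain_name": "MY.DOM"}
SRV_KDCS = ["10.10.10.20", "10.10.10.21", "10.10.1.20", "10.10.1.21"]
KRB5_CONF = """
[realms]
    MY.DOM = {
        kdc = 10.10.10.20
        kdc = 10.10.10.21
        kdc = 10.10.1.20
        kdc = 10.10.1.21
    }
"""

if __name__ == "__main__":
    for label, conf in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        print(label, check_join_config(conf, DC_VIEW, SRV_KDCS, KRB5_CONF) or "OK")
```

Run against the "before" configuration it reports exactly the workgroup mismatch the join printed; against the "after" configuration (workgroup set to MY under Services -> SMB) it reports nothing, which matches the successful second join in the posts that follow.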

Marco Suhr
Code:
root@FREENAS01:~ # sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"
root@FREENAS01:~ # service ix-hostname start
root@FREENAS01:~ # service ix-kerberos start
root@FREENAS01:~ # service ix-kinit start
ERROR: Unable to find domain controllers for my.dom
root@FREENAS01:~ # kinit myadmin@my.dom
myadmin@my.dom's Password:
kinit: Password incorrect
root@FREENAS01:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: myadmin@MY.DOM

  Issued                Expires               Principal
May 23 05:30:00 2019  May 23 15:30:00 2019  krbtgt/MY.DOM@MY.DOM
May 23 09:22:53 2019  May 23 15:30:00 2019  cifs/AD01.MY.DOM@MY.DOM
root@FREENAS01:~ # service ix-pre-samba start
root@FREENAS01:~ # net -k ads testjoin
Join to domain is not valid: NT code 0xfffffff6
 

Marco Suhr
Code:
root@FREENAS01:~ # net -d 5 -k ads join
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter server min protocol = SMB2_02
doing parameter server max protocol = SMB3
doing parameter interfaces = 127.0.0.1 10.10.10.100
doing parameter bind interfaces only = yes
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter private dir = /var/db/samba4/private
doing parameter max open files = 2121905
doing parameter logging = file
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter obey pam restrictions = yes
doing parameter ntlm auth = no
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = FreeNAS Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter hostname lookups = yes
doing parameter time server = yes
doing parameter acl allow execute always = true
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = member server
doing parameter workgroup = MY
doing parameter realm = MY.DOM
doing parameter security = ADS
doing parameter client use spnego = yes
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter ads dns update = yes
doing parameter winbind cache time = 7200
doing parameter winbind offline logon = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter winbind use default domain = no
doing parameter winbind refresh tickets = yes
doing parameter idmap config MY: backend = rid
doing parameter idmap config MY: range = 20000-90000000
doing parameter allow trusted domains = no
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter netbios name = FREENAS01
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = yes
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 1
pm_process() returned Yes
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Registering messaging pointer for type 51 - private_data=0x0
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter server min protocol = SMB2_02
doing parameter server max protocol = SMB3
doing parameter interfaces = 127.0.0.1 10.10.10.100
doing parameter bind interfaces only = yes
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter private dir = /var/db/samba4/private
doing parameter max open files = 2121905
doing parameter logging = file
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter obey pam restrictions = yes
doing parameter ntlm auth = no
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = FreeNAS Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter hostname lookups = yes
doing parameter time server = yes
doing parameter acl allow execute always = true
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = member server
doing parameter workgroup = MY
doing parameter realm = MY.DOM
doing parameter security = ADS
doing parameter client use spnego = yes
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter ads dns update = yes
doing parameter winbind cache time = 7200
doing parameter winbind offline logon = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter winbind use default domain = no
doing parameter winbind refresh tickets = yes
doing parameter idmap config MY: backend = rid
doing parameter idmap config MY: range = 20000-90000000
doing parameter allow trusted domains = no
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter netbios name = FREENAS01
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = yes
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 1
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="FREENAS01"
added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface lagg1 ip=10.10.10.100 bcast=10.10.15.255 netmask=255.255.240.0
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'FREENAS01'
            domain_name              : *
                domain_name              : 'MY.DOM'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'root'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x01 (1)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001f (31)
Opening cache file at /var/run/samba4/gencache.tdb
Opening cache file at /var/run/samba4/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
ads_dns_lookup_srv: 2 records returned in the answer section.
saf_fetch: Returning "AD02.MY.DOM" for "MY.DOM" domain
get_dc_list: preferred server list: "AD02.MY.DOM, *"
resolve_ads: Attempting to resolve KDCs for MY.DOM using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD02.MY.DOM#20 found.
get_dc_list: returning 4 ip addresses in an ordered list
get_dc_list: 10.10.10.20:88 10.10.10.21:88 10.10.1.20:88 10.10.1.21:88
saf_fetch: Returning "AD02.MY.DOM" for "MY.DOM" domain
get_dc_list: preferred server list: "AD02.MY.DOM, *"
resolve_ads: Attempting to resolve KDCs for MY.DOM using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD02.MY.DOM#20 found.
get_dc_list: returning 4 ip addresses in an ordered list
get_dc_list: 10.10.10.20:88 10.10.10.21:88 10.10.1.20:88 10.10.1.21:88
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba4/smb_krb5/krb5.conf..JOIN with realm MY.DOM KDC list =         kdc = 10.10.10.20
        kdc = 10.10.10.21
        kdc = 10.10.1.20
        kdc = 10.10.1.21

sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD01.MY.DOM#20 found.
Connecting to 10.10.10.20 at port 445
Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 0
    SO_BROADCAST = 0
    TCP_NODELAY = 4
    TCP_KEEPCNT = 8
    TCP_KEEPIDLE = 7200
    TCP_KEEPINTVL = 75
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 0
    SO_SNDBUF = 33580
    SO_RCVBUF = 65700
    SO_SNDLOWAT = 2048
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
signed SMB2 message
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host AD01.MY.DOM auth_type 0, auth_level 1
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 168
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
saf_fetch: Returning "AD02.MY.DOM" for "MY.DOM" domain
get_dc_list: preferred server list: "AD02.MY.DOM, *"
resolve_ads: Attempting to resolve KDCs for MY.DOM using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD02.MY.DOM#20 found.
get_dc_list: returning 4 ip addresses in an ordered list
get_dc_list: 10.10.10.20:88 10.10.1.20:88 10.10.10.21:88 10.10.1.21:88
saf_fetch: Returning "AD02.MY.DOM" for "MY.DOM" domain
get_dc_list: preferred server list: "AD02.MY.DOM, *"
resolve_ads: Attempting to resolve KDCs for MY.DOM using DNS
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD02.MY.DOM#20 found.
get_dc_list: returning 4 ip addresses in an ordered list
get_dc_list: 10.10.10.20:88 10.10.1.20:88 10.10.10.21:88 10.10.1.21:88
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba4/smb_krb5/krb5.conf.MY with realm MY.DOM KDC list =         kdc = 10.10.10.20
        kdc = 10.10.10.21
        kdc = 10.10.1.21
        kdc = 10.10.1.20

sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD01.MY.DOM#20 found.
ads_try_connect: sending CLDAP request to 10.10.10.20 (realm: MY.DOM)
Successfully contacted LDAP server 10.10.10.20
Connected to LDAP server AD01.MY.DOM
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
ads_domain_func_level: 6
machine account creation created
signed SMB2 message
Bind RPC Pipe: host AD01.MY.DOM auth_type 0, auth_level 1
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 44
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 12
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 12
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 32
signed SMB2 message
signed SMB2 message
Host account for FREENAS01 does not have service principal names.
Retrieving the servicePrincipalNames failed.
ads_domain_func_level: 6
     join: struct secrets_domain_infoB
        version                  : SECRETS_DOMAIN_INFO_VERSION_1 (1)
        reserved                 : 0x00000000 (0)
        info                     : union secrets_domain_infoU(case 1)
        info1                    : *
            info1: struct secrets_domain_info1
                reserved_flags           : 0x0000000000000000 (0)
                join_time                : Thu May 23 09:27:06 2019 CEST
                computer_name            : 'FREENAS01'
                account_name             : 'FREENAS01$'
                secure_channel_type      : SEC_CHAN_WKSTA (2)
                domain_info: struct lsa_DnsDomainInfo
                    name: struct lsa_StringLarge
                        length                   : 0x0000 (0)
                        size                     : 0x0000 (0)
                        string                   : *
                            string                   : 'MY'
                    dns_domain: struct lsa_StringLarge
                        length                   : 0x0000 (0)
                        size                     : 0x0000 (0)
                        string                   : *
                            string                   : 'MY.DOM'
                    dns_forest: struct lsa_StringLarge
                        length                   : 0x0000 (0)
                        size                     : 0x0000 (0)
                        string                   : *
                            string                   : 'MY.DOM'
                    domain_guid              : 938***
                    sid                      : *
                        sid                      : S-1-5***
                trust_flags              : 0x0000001a (26)
                       0: NETR_TRUST_FLAG_IN_FOREST
                       1: NETR_TRUST_FLAG_OUTBOUND
                       0: NETR_TRUST_FLAG_TREEROOT
                       1: NETR_TRUST_FLAG_PRIMARY 
                       1: NETR_TRUST_FLAG_NATIVE   
                       0: NETR_TRUST_FLAG_INBOUND 
                       0: NETR_TRUST_FLAG_MIT_KRB5
                       0: NETR_TRUST_FLAG_AES     
                trust_type               : LSA_TRUST_TYPE_UPLEVEL (2)
                trust_attributes         : 0x00000040 (64)
                       0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
                       0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
                       0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
                       0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
                       0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                       0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
                       1: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
                       0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
                reserved_routing         : NULL
                supported_enc_types      : 0x0000001f (31)
                       1: KERB_ENCTYPE_DES_CBC_CRC
                       1: KERB_ENCTYPE_DES_CBC_MD5
                       1: KERB_ENCTYPE_RC4_HMAC_MD5
                       1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
                       1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
                       0: KERB_ENCTYPE_FAST_SUPPORTED
                       0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
                       0: KERB_ENCTYPE_CLAIMS_SUPPORTED
                       0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
                salt_principal           : *
                    salt_principal           : 'host/freenas01.my.dom@MY.DOM'
                password_last_change     : Thu May 23 09:27:06 2019 CEST
                password_changes         : 0x0000000000000001 (1)
                next_change              : NULL
                password                 : *
                    password: struct secrets_domain_info1_password
                        change_time              : Thu May 23 09:27:06 2019 CEST
                        change_server            : 'AD01.MY.DOM'
                        cleartext_blob           : DATA_BLOB length=432
                        nt_hash: struct samr_Password
                            hash: ARRAY(16): <REDACTED SECRET VALUES>
                        salt_data                : *
                            salt_data                : 'MY.DOMhostfreenas01.my.dom'
                        default_iteration_count  : 0x00001000 (4096)
                        num_keys                 : 0x0004 (4)
                        keys: ARRAY(4)
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype                  : 0x00000012 (18)
                                iteration_count          : 0x00001000 (4096)
                                value                    : DATA_BLOB length=32
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype                  : 0x00000011 (17)
                                iteration_count          : 0x00001000 (4096)
                                value                    : DATA_BLOB length=16
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype                  : 0x00000017 (23)
                                iteration_count          : 0x00001000 (4096)
                                value                    : DATA_BLOB length=16
                            keys: struct secrets_domain_info1_kerberos_key
                                keytype                  : 0x00000003 (3)
                                iteration_count          : 0x00001000 (4096)
                                value                    : DATA_BLOB length=8
                old_password             : NULL
                older_password           : NULL
tdb(/var/db/samba4/private/secrets.tdb): tdb_transaction_start: nesting 1
tdb(/var/db/samba4/private/secrets.tdb): tdb_transaction_start: nesting 2
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/private/secrets.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/private/secrets.tdb
tdb(/var/db/samba4/private/secrets.tdb): tdb_transaction_start: nesting 2
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/private/secrets.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/private/secrets.tdb
tdb(/var/db/samba4/private/secrets.tdb): tdb_transaction_start: nesting 2
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/private/secrets.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/private/secrets.tdb
tdb(/var/db/samba4/private/secrets.tdb): tdb_transaction_start: nesting 2
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/private/secrets.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/private/secrets.tdb
tdb(/var/db/samba4/private/secrets.tdb): tdb_transaction_start: nesting 2
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/private/secrets.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/private/secrets.tdb
tdb(/var/db/samba4/private/secrets.tdb): tdb_transaction_start: nesting 2
tdb(/var/db/samba4/private/secrets.tdb): tdb_transaction_start: nesting 2
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/private/secrets.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/private/secrets.tdb
tdb(/var/db/samba4/private/secrets.tdb): tdb_transaction_start: nesting 2
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/private/secrets.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/private/secrets.tdb
tdb(/var/db/samba4/private/secrets.tdb): tdb_transaction_start: nesting 2
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/private/secrets.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/private/secrets.tdb
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/group_mapping.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/group_mapping.tdb
tdbsam_open: successfully opened /var/db/samba4/private/passdb.tdb
Home server: freenas01
Home server: freenas01
Finding user root
Trying _Get_Pwnam(), username as lowercase is root
Get_Pwnam_internals did find user [root]!
Forcing Primary Group to 'Domain Users' for root
Home server: freenas01
Home server: freenas01
add_sid_to_builtin S-1-5*** is already a member of S-1-5***
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/group_mapping.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/group_mapping.tdb
add_sid_to_builtin S-1-5*** is already a member of S-1-5***
add_sid_to_builtin S-1-5*** is already a member of S-1-5***
dbwrap_lock_order_lock: check lock order 1 for /var/db/samba4/group_mapping.tdb
dbwrap_lock_order_unlock: release lock order 1 for /var/db/samba4/group_mapping.tdb
ldb_wrap open of secrets.ldb
sitename_fetch: Returning sitename for realm 'MY.DOM': "Zentrale"
name AD01.MY.DOM#20 found.
Connecting to 10.10.10.20 at port 445
Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 0
    SO_BROADCAST = 0
    TCP_NODELAY = 4
    TCP_KEEPCNT = 8
    TCP_KEEPIDLE = 7200
    TCP_KEEPINTVL = 75
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 0
    SO_SNDBUF = 33580
    SO_RCVBUF = 65700
    SO_SNDLOWAT = 2048
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
signed SMB2 message
signed SMB2 message
dbwrap_lock_order_lock: check lock order 3 for /var/run/samba4/g_lock.tdb
dbwrap_lock_order_unlock: release lock order 3 for /var/run/samba4/g_lock.tdb
signed SMB2 message
Bind RPC Pipe: host AD01.MY.DOM auth_type 0, auth_level 1
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
dbwrap_lock_order_lock: check lock order 2 for /var/db/samba4/private/netlogon_creds_cli.tdb
dbwrap_lock_order_unlock: release lock order 2 for /var/db/samba4/private/netlogon_creds_cli.tdb
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 20
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 28
dbwrap_lock_order_lock: check lock order 2 for /var/db/samba4/private/netlogon_creds_cli.tdb
dbwrap_lock_order_unlock: release lock order 2 for /var/db/samba4/private/netlogon_creds_cli.tdb
rpccli_setup_netlogon_creds_locked: using new netlogon_creds cli[FREENAS01$/FREENAS01] to AD01.MY.DOM
signed SMB2 message
dbwrap_lock_order_lock: check lock order 3 for /var/run/samba4/g_lock.tdb
dbwrap_lock_order_unlock: release lock order 3 for /var/run/samba4/g_lock.tdb
dbwrap_lock_order_lock: check lock order 3 for /var/run/samba4/g_lock.tdb
dbwrap_lock_order_unlock: release lock order 3 for /var/run/samba4/g_lock.tdb
signed SMB2 message
Starting GENSEC mechanism schannel
Bind RPC Pipe: host AD01.MY.DOM auth_type 68, auth_level 6
create_generic_auth_rpc_bind_req: generate first token
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 72
check_bind_response: accepted!
    seed        4128a520:9475d046
    seed+time   9e0ef06c:9475d046
    CLIENT      cbd88e84:b5e90174
    seed+time+1 9e0ef06d:9475d046
    SERVER      dd4a9d85:afba6836
rpc_api_pipe: host AD01.MY.DOM
signed SMB2 message
rpc_read_send: data_to_read: 104
dbwrap_lock_order_lock: check lock order 2 for /var/db/samba4/private/netlogon_creds_cli.tdb
dbwrap_lock_order_unlock: release lock order 2 for /var/db/samba4/private/netlogon_creds_cli.tdb
dbwrap_lock_order_lock: check lock order 3 for /var/run/samba4/g_lock.tdb
dbwrap_lock_order_unlock: release lock order 3 for /var/run/samba4/g_lock.tdb
signed SMB2 message
signed SMB2 message
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'FREENAS01$'
            netbios_domain_name      : 'MY'
            dns_domain_name          : 'MY.DOM'
            forest_name              : 'MY.DOM'
            dn                       : 'CN=FREENAS01,CN=Computers,DC=MY,DC=DOM'
            domain_guid              : 938***
            domain_sid               : *
                domain_sid               : S-1-5***
            modified_config          : 0x00 (0)
            error_string             : NULL
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x0000001f (31)
            krb5_salt                : 'host/freenas01.my.dom@MY.DOM'
            result                   : WERR_OK
Using short domain name -- MY
Joined 'FREENAS01' to dns domain 'MY.DOM'
added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface lagg1 ip=10.10.10.100 bcast=10.10.15.255 netmask=255.255.240.0
ads_dns_lookup_ns: 2 records returned in the answer section.
return code = 0
root@FREENAS01:~ # service samba_server onerestart
Performing sanity check on Samba configuration: OK
winbindd not running? (check /var/run/samba4/winbindd.pid).
Stopping smbd.
Waiting for PIDS: 94472.
Stopping nmbd.
Waiting for PIDS: 94468.
Performing sanity check on Samba configuration: OK
Starting nmbd.
Starting smbd.
Starting winbindd.
root@FREENAS01:~ # service ix-pam start
root@FREENAS01:~ # service ix-nsswitch start
root@FREENAS01:~ # 
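The join log above ends with a `libnet_JoinCtx` block and a `Joined ... to dns domain` line, which are the lines worth reading when a join is diagnosed. The script below is an added example, not code from the thread or from FreeNAS: it parses a captured `net -d 5 -k ads join` log and reports whether the join actually succeeded, then lists the live checks to run on the box afterwards. The sample log embedded in it is constructed to mirror the thread's output; `FREENAS01`, `MY.DOM` and the file names are placeholders.

```shell
#!/bin/sh
# Added example: check the tail of a `net -d 5 -k ads join` log for a successful join.
# The sample log below is constructed for this example; names and realm are placeholders.

sample_join_log() {
cat <<'EOF'
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : 'FREENAS01$'
            netbios_domain_name      : 'MY'
            dns_domain_name          : 'MY.DOM'
            dn                       : 'CN=FREENAS01,CN=Computers,DC=MY,DC=DOM'
            error_string             : NULL
            domain_is_ad             : 0x01 (1)
            krb5_salt                : 'host/freenas01.my.dom@MY.DOM'
            result                   : WERR_OK
Using short domain name -- MY
Joined 'FREENAS01' to dns domain 'MY.DOM'
return code = 0
EOF
}

# Print the value of one libnet_JoinCtx field: text after the colon, quotes stripped.
# usage: join_field <field_name> <logfile>
join_field() {
    sed -n "s/^ *$1 *: *//p" "$2" | head -n 1 | tr -d "'"
}

# Return 0 only when the log records a successful join; print the first reason otherwise.
# usage: join_succeeded <logfile>
join_succeeded() {
    log=$1
    res=$(join_field result "$log")
    [ "$res" = "WERR_OK" ] || { echo "join result: ${res:-missing}"; return 1; }
    err=$(join_field error_string "$log")
    [ "$err" = "NULL" ] || { echo "error_string: $err"; return 1; }
    grep -q "^Joined '" "$log" || { echo "no 'Joined ... to dns domain' line"; return 1; }
    grep -q '^return code = 0$' "$log" || { echo "return code is not 0"; return 1; }
    return 0
}

# The Kerberos salt reported by the join must correspond to this host's FQDN and realm
# (host/<fqdn, lower case>@<REALM>). A mismatch usually means the host name or the realm
# in /etc/krb5.conf differs from what was joined, and Kerberos auth for the machine fails.
# usage: salt_matches_host <logfile> <fqdn>
salt_matches_host() {
    realm=$(join_field dns_domain_name "$1" | tr '[:lower:]' '[:upper:]')
    fqdn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$(join_field krb5_salt "$1")" = "host/$fqdn@$realm" ]
}

# Live checks for the FreeNAS box once the log looks good. They need a real domain, so
# they are not run offline. `wbinfo -t` verifies the machine account secret with the DC;
# `getent passwd` confirms nsswitch and winbind resolve a domain user (e.g. 'MY\someuser').
# usage: live_checks <domain_user>
live_checks() {
    net -k ads testjoin || return 1
    klist >/dev/null || return 1
    wbinfo -t || return 1
    getent passwd "$1" >/dev/null || return 1
}

# usage: sh check_join.sh <join.log> <fqdn>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    join_succeeded "$1" && salt_matches_host "$1" "$2" && echo "join log OK"
fi
```

Run it against a log saved from `net -d 5 -k ads join > join.log 2>&1`; if the log checks pass but `live_checks` fails at `wbinfo -t`, the machine account exists but winbindd cannot use its secret, which points at the Kerberos or DNS side rather than at the join itself.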
 

Marco Suhr

After the second test I can connect to FreeNAS shares with my domain credentials. Very big thanks to you, anodos :)

I have checked whether I can now enable the domain service with the web GUI, but it is still the same error; on the command line, though, I can enable the domain service ...
I will try to update FreeNAS soon and take a look at whether the problem is still there.
 