Active Directory drops approximately every 4 days for both TrueNAS-12.0-U8.1 servers.

Joined
Dec 12, 2022
Messages
5
I have 2 servers receiving audio and data files from 2 call center workstations, and about every 4 days I have to disable and re-enable the Active Directory connection. I am connecting to Windows Server 2008 R2 on the domain controllers.

I am using Dell rack mount servers with 96GB of memory and red drives for the arrays.

I have attached a screenshot of the error message I get.

I have had these servers for about a year and a half and have tried a lot of things. I thought I could just wait for an update that would fix it, but the updates haven't helped. I talked with a TrueNAS sales guy a couple of years ago who gave me a quote, and the boss said to try the open source version on something less critical and then we would spend the money on the bigger system. So I set up 2 servers in different locations. Everything else works great, but there is no way the boss is going to spend money on something that has problems.

If someone has seen this before and can tell what the stupid thing I am doing is, I would appreciate it.
 

Attachments

  • Screen Shot 2022-12-12 at 9.27.03 AM.png (50.5 KB)

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Hmm... that error message often indicates that we transitioned to speaking to a DC where our computer account password is not accepted. Alternatively, it could mean that time is significantly out of sync with the DC we were trying to talk to.

This can happen if there's an issue with replication between DCs in the environment, or inconsistent time on DCs. You can look in the winbind logs in /var/log/samba4/ to try to get more info about the auth problem. Alternatively, you can walk the DCs, checking net -P -S <server name> ads status against each one, to ensure we can auth to all DCs in our AD site.
 
Joined
Dec 12, 2022
Messages
5
Hello and thanks for your time and expertise!

I checked the time on all servers before and just now, that isn't an issue.

Replication seems to be working fine. I was able to log into both DCs with the same user, and when I make changes on one DC the other gets the updates.

I looked in the logs, and I can see where it was having issues with auth at the times it had the error I posted. I don't see anything else, but then my eyes aren't used to looking at those logs.

I ran that command you gave on one of the servers and am getting this:
kerberos_kinit_password TRUENAS@MYTREX.INC failed: Preauthentication failed
kerberos_kinit_password TRUENAS@MYTREX.INC failed: Preauthentication failed

Yes 2 lines. So I guess I don't know what that means as the server is currently using AD and allowing writes and reads.

This feels like I am just missing something.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Looks like the stored machine account password in secrets.tdb was rejected, and we tried to kinit and failed as well.
net -S <DC name> ads info will show you the server time offset, which may point to one avenue for failure (clock being out of sync). If you add -d 5 to the argument list you'll get more verbose output. You can increase the debug level to 10 to get even more info.
 
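The checks anodos describes in the two posts above (walk the DCs with net -P -S <DC> ads status, read the server time offset and the last machine account password change from net -S <DC> ads info, and read the auth failure strings that also show up in the winbind logs under /var/log/samba4/), put together as an added example script. This is not code from the thread or from iXsystems. It assumes Samba's net binary is on PATH, as on a TrueNAS 12 box; the DC names in the usage line are hypothetical, and the winbind log file name in the comments is assumed rather than taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from iXsystems): walk every DC in the AD
# site from the TrueNAS shell, test machine-account auth against each one, and
# read the server time offset from `net ads info`.
# Assumes Samba's `net` is on PATH. DC names passed on the command line are
# hypothetical; nothing here is specific to the poster's domain.

MAX_SKEW=300   # seconds; Kerberos rejects tickets beyond this default clock skew

# Extract "Server time offset: N" (seconds) from `net -S <dc> ads info` output
# read on stdin. Prints NA when the line is missing (e.g. the query failed).
ads_info_offset() {
    awk '/^Server time offset:/ { sub(/^Server time offset: */, ""); print; found=1 }
         END { if (!found) print "NA" }'
}

# Extract the "Last machine account password change:" timestamp from the same
# output. On a healthy join this should only move when the machine account
# password is rotated, e.g. by a deliberate leave/rejoin.
ads_info_pwchange() {
    awk '/^Last machine account password change:/ {
             sub(/^Last machine account password change: */, ""); print; found=1 }
         END { if (!found) print "NA" }'
}

# Return 0 when |offset| <= MAX_SKEW, 1 when out of tolerance, 2 when unparseable.
check_offset() {
    off=$1
    case $off in
        ''|NA|*[!0-9-]*) return 2 ;;
    esac
    abs=${off#-}
    [ "$abs" -le "$MAX_SKEW" ]
}

# Classify auth output read on stdin: from `net -P -S <dc> ads status`, or
# lines copied out of the winbind log (assumed name: /var/log/samba4/log.winbindd).
classify_auth() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Preauthentication failed'; then
        echo PREAUTH_FAILED      # DC rejected the stored machine-account password
    elif printf '%s\n' "$out" | grep -qi 'Clock skew too great'; then
        echo CLOCK_SKEW          # this DC's clock is too far from ours
    elif printf '%s\n' "$out" | grep -qi 'failed'; then
        echo OTHER_FAILURE
    else
        echo OK
    fi
}

# Walk the DCs: one verdict line per DC, non-zero exit if any DC fails a check.
walk_dcs() {
    rc=0
    for dc in "$@"; do
        auth=$(net -P -S "$dc" ads status 2>&1 | classify_auth)
        info=$(net -S "$dc" ads info 2>&1)
        offset=$(printf '%s\n' "$info" | ads_info_offset)
        pwchange=$(printf '%s\n' "$info" | ads_info_pwchange)
        if check_offset "$offset"; then skew=ok; else skew="BAD($offset)"; rc=1; fi
        [ "$auth" = OK ] || rc=1
        printf '%-28s auth=%-16s skew=%-10s last_pw_change=%s\n' \
            "$dc" "$auth" "$skew" "$pwchange"
    done
    return $rc
}

# Usage (hypothetical DC names): sh check_dcs.sh dc1.example.com dc2.example.com
if [ $# -gt 0 ]; then
    walk_dcs "$@"
fi
```

A PREAUTH_FAILED verdict on one DC but OK on another points at the machine account password being out of sync between DCs (a replication problem), while CLOCK_SKEW or a large offset points at time. Append -d 5 to the net commands inside walk_dcs if you want the verbose output anodos mentions.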

ChrisRJ

Wizard
Joined
Oct 23, 2020
Messages
1,919
I am connecting to Windows 2008 r2 OS on the domain controllers.
Regular support for this ended almost 8 years ago and extended support stopped almost 3 years ago. Unless you have some very special arrangement with Microsoft, that means the machine has not received any fixes for multiple years.

This may not be responsible for the issue discussed in this thread. But it is a huge security problem. And depending on the details of applicable legislation you may even be personally liable for the consequences of a security incident. So my strong advice would be to update immediately.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Ah yes, good eye. I glossed over that detail. It's also good to note that we don't go out of our way to support EOL versions of Windows server. I periodically have bug tickets filed because TrueNAS can no longer communicate with Server 2003 (which are summarily closed because it's an unsupported configuration and requires downgrading security on our end).
 
Joined
Dec 12, 2022
Messages
5
Ahh, thanks! So it could be a problem with the older version of Windows server. Unfortunately I didn't set them up and am not the one who maintains them. But I do have some influence.

Also the time offset was 0.

And "Last machine account password change: Fri, 09 Dec 2022 09:37:56 MST" was something that surprised me. I haven't changed any passwords in the last month.

Can you tell me what that is actually saying, and what password it is talking about?

Thanks guys, I am going to try to get those servers upgraded. Any suggestions on what version works best with TrueNAS?
 
Joined
Dec 12, 2022
Messages
5
I figured out what the "Last machine account password change" is. That is the last time I had to reset the AD connection.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Yes, that's the last time the password changed for the AD computer account for the TrueNAS server. Every time you leave and re-join AD, the machine account password is forcibly changed to a new randomized one.
 