[9.3] Cannot change Active Directory Credentials

Status
Not open for further replies.

Luna

Cadet
Joined
Dec 28, 2015
Messages
8
I have a FreeNAS setup that works in every way needed, but was bound to Active Directory using a personal account of a domain admin rather than its own.

I have created a new user under the domain "FreeNAS LDAP" (or DOMAIN\freenas) with the basic permissions required. However, trying to change the domain account name and password (under Directory Service -> Active Directory) fails with:

{'desc': 'Invalid credentials', 'info': '80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580'}

Upon further investigation, including using my own AD credentials, I found that this error pops up no matter what credentials are used, except for the credentials already in there. Which is to say, this domain admin's credentials, and only this specific domain admin's credentials, can be used now.

I'm not completely certain if this is a bug or something that was set up wrong along the way, but would appreciate if anyone had an idea of what to do. I had considered purging the settings for AD, but I don't know how and am a bit nervous about doing so as it might also reset all the nice permissions on all the shares if I do.

By god I'm almost willing to, though.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
How are you entering the user name under "Directory Service" -> "Active Directory"? It should be in the format <user>, not <domain>\<user>.
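As an added example for this thread (not code from FreeNAS or from either poster), a small Python helper that reads the error dictionary quoted in the first post, decodes the AD "data" sub-code in the AcceptSecurityContext text, and reduces a bind user name to the bare form described above. The sub-code table is the well-known set of Windows LDAP bind failure codes; the function names `parse_freenas_error`, `decode_ad_bind_error` and `normalize_bind_user` are chosen here.

```python
import ast
import re

# Well-known AD sub-codes returned in the "data NNN" field of a failed
# AcceptSecurityContext bind (Windows LDAP bind failure codes, in hex).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or user name not in the expected form)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the 'info' string:
#   "<hresult>: LdapErr: DSID-<id>, comment: <text>, data <code>, v<version>"
LDAP_ERR_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def parse_freenas_error(text: str) -> dict:
    """Turn the Python-dict-style error text shown in the FreeNAS UI into a dict.
    ast.literal_eval evaluates literals only, so pasted UI text cannot run code."""
    value = ast.literal_eval(text.strip())
    if not isinstance(value, dict) or "info" not in value:
        raise ValueError("not a FreeNAS directory-service error dictionary")
    return value


def decode_ad_bind_error(info: str) -> dict:
    """Pull the DSID, comment and data sub-code out of an AD LdapErr string."""
    m = LDAP_ERR_RE.search(info)
    if not m:
        raise ValueError("not an AD LdapErr string: %r" % info)
    data = m.group("data").lower()
    return {
        "hresult": m.group("hresult"),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }


def normalize_bind_user(user: str) -> str:
    """Reduce DOMAIN\\user or user@realm to the bare account name the AD form expects."""
    user = user.strip()
    if "\\" in user:                  # DOMAIN\user (down-level logon name)
        user = user.split("\\", 1)[1]
    if "@" in user:                   # user@DOMAIN.LCL (UPN form)
        user = user.split("@", 1)[0]
    return user


if __name__ == "__main__":
    # Error text exactly as quoted in the first post of the thread.
    posted = ("{'desc': 'Invalid credentials', 'info': '80090308: LdapErr: DSID-0C0903CF, "
              "comment: AcceptSecurityContext error, data 52e, v2580'}")
    err = parse_freenas_error(posted)
    print(decode_ad_bind_error(err["info"]))
    print(normalize_bind_user("DOMAIN\\freenas"))
```

The `data 52e` sub-code is the generic "invalid credentials" result, which is why the DC returns it both for a wrong password and for a user name it cannot resolve, such as one given as DOMAIN\user where a bare account name is expected; a different sub-code (for example 533 or 775) would point at the account's state rather than the credentials themselves.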
 

Luna

Cadet
Joined
Dec 28, 2015
Messages
8
Just the shortname used, so 'freenas' was attempted. That's also how the current credentials are in there.
 

Luna

Cadet
Joined
Dec 28, 2015
Messages
8
I do (with -u).

My username, which also doesn't work, is also there.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Okay then, provide the following information:
  • Version of FreeNAS
  • Hardware specifications
  • Contents of /etc/local/smb4.conf
  • Interesting log entries from /var/log/messages, /var/log/samba4/log.wb* (as in your winbind log)
 

Luna

Cadet
Joined
Dec 28, 2015
Messages
8
Certainly.

Running 9.3.1.

Intel C612 Chipset, E5-1620 v3 quad, 64GB RAM. 12x4TB deskstar 7K4000s in two pools of 6, RAIDZ2 on each and using an LSI SAS 9300-8i SAS. Two mirrored drives not on either of these pools house the system itself, on M600 SSDs.

~# cat /etc/local/smb4.conf
[global]
server max protocol = SMB3
interfaces = 127.0.0.1 192.168.10.48
bind interfaces only = yes
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 1883585
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
lm announce = yes
hostname lookups = yes
acl allow execute always = true
acl check permissions = true
dos filemode = yes
multicast dns register = yes
domain logons = no
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = member server
netbios name = FREENAS
workgroup = DOMAIN
realm = DOMAIN.LCL
security = ADS
client use spnego = yes
cache directory = /var/tmp/.cache/.samba
local master = no
domain master = no
preferred master = no
ads dns update = yes
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = no
winbind refresh tickets = yes
idmap config DOMAIN: backend = rid
idmap config DOMAIN: range = 20000-90000000
allow trusted domains = no
client ldap sasl wrapping = plain
template shell = /bin/sh
template homedir = /home/%D/%U
pid directory = /var/run/samba
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1


[Design Drive]
path = /mnt/pool0/DesignDrive
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[IDrive]
path = /mnt/pool0/IDrive
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
shadow:format = auto-%Y%m%d.%H%M-1w
shadow:snapdirseverywhere = yes
vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Ops]
path = /mnt/pool0/Ops
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
shadow:format = auto-%Y%m%d.%H%M-1w
shadow:snapdirseverywhere = yes
vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[ProdBackups$]
path = /mnt/pool0/ProdBackups
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Projects]
path = /mnt/pool1/Projects
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Stuff$]
path = /mnt/pool0/Stuff
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = yes
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Users]
path = /mnt/pool0/Users
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
shadow:format = auto-%Y%m%d.%H%M-1w
shadow:snapdirseverywhere = yes
vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[Users$]
path = /mnt/pool1/Users
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[ValOps]
path = /mnt/pool0/ValOps
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
shadow:format = auto-%Y%m%d.%H%M-1w
shadow:snapdirseverywhere = yes
vfs objects = shadow_copy2 zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare

As for logs, this is in messages after attempting to change the credentials:

Jan 8 14:14:09 freenas manage.py: [common.pipesubr:71] Popen()ing: klist

And in /var/log/samba4/log.wb*, nothing new comes up on attempt.

As far as "interesting" things, I'm not finding anything. There's a pile of "Kinit failed: Client not found in Kerberos database" lines from yesterday, but I believe those happen when I restart the server and clients don't log out and back on. There are none showing up after 9AM when people would come in and relog.

Logs are suspiciously quiet on this matter.
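An added hardening check written for this thread (not FreeNAS or Samba code): it parses smb.conf-style text and reports two settings that are visible in the configuration posted above. `client ldap sasl wrapping = plain` leaves the member server's LDAP traffic to the domain controllers neither signed nor sealed, and `guest ok = yes` on a share (here `[Stuff$]`, which is also writeable) admits unauthenticated clients, with `map to guest = Bad User` mapping unknown user names to the guest account. The sample text is a constructed excerpt of the posted file; `parse_smb_conf` and `audit_smb_conf` are names chosen here.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the smb4.conf posted above (not the full file).
SAMPLE_SMB_CONF = """\
[global]
server role = member server
security = ADS
realm = DOMAIN.LCL
client ldap sasl wrapping = plain
map to guest = Bad User
guest account = nobody

[Users]
path = /mnt/pool0/Users
writeable = yes
guest ok = no

[Stuff$]
path = /mnt/pool0/Stuff
writeable = yes
guest ok = yes
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {key: value}}. Keys are lower-cased,
    '#' and ';' comments and blank lines are skipped, a repeated key keeps the last value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text: str) -> List[dict]:
    """Return findings for unsigned LDAP to the DCs and for guest-accessible shares."""
    conf = parse_smb_conf(text)
    findings: List[dict] = []
    g = conf.get("global", {})

    # AD member server whose LDAP traffic to the DCs is neither signed nor sealed.
    wrap = g.get("client ldap sasl wrapping", "").lower()
    if g.get("security", "").lower() == "ads" and wrap == "plain":
        findings.append({
            "section": "global", "key": "client ldap sasl wrapping", "value": wrap,
            "severity": "medium",
            "advice": "set to 'seal' so LDAP traffic to the DCs is signed and encrypted",
        })

    # Shares that accept unauthenticated (guest) access. A writeable guest share is
    # rated higher; 'map to guest = Bad User' sends unknown user names to the guest account.
    maps_bad_user = g.get("map to guest", "").lower() == "bad user"
    for name, share in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        if not is_yes(share.get("guest ok", "no")):
            continue
        writeable = share.get("writeable", share.get("writable", "no"))
        note = " (map to guest = Bad User is also set)" if maps_bad_user else ""
        findings.append({
            "section": name, "key": "guest ok", "value": "yes",
            "severity": "high" if is_yes(writeable) else "medium",
            "advice": "disable guest access or confirm the share is meant to be public" + note,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(finding)
```

Run against the real file with `audit_smb_conf(open("/etc/local/smb4.conf").read())`; on FreeNAS 9.3 the file is generated from the UI settings, so any change is made in the share and directory-service forms rather than by editing it directly.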
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Create a bug report and post the link to it here.
https://bugs.freenas.org/projects/freenas