Active directory not showing users or groups

[James Richardson]

Hello,

I'm sure this has come up a few times but i can't seem to get this working, found plenty of articles but none seem to help. I think the AD settings are correct.

I'm using a Windows 2008 R2 DC and using Freenas version FreeNAS-9.10.2-U3 with the updates installed.

• It appears to have joined the domain fine.
• The is DNS record setup.
• Time/date is correct.
• It's appeared in my active directory.
• Given the computer object FULL access on the Freenas admin account i made in AD.
• Settings in Network and Active Directory look OK.
• SMB won't let me change the Workgroup to my domain, says the NETBIOS name is not valid, either though it's right!!!

Pictures attached, any help will be appreciated :) :).



James

 

[anodos]

Turn off SMB. Fill out only the following items under "Directory Services" -> "AD"

• Domain Name [foo.com]
• Domain Account Name [name of member of domain admins]
• Domain Account Password
• NetBIOS Name [name of your server]

Before doing this, verify that:
Time on FreeNAS server and DC is same
Hostname, Domain Name, and Nameservers are properly set under "Network" -> "Global Configuration".

 

[James Richardson]

That's all fine, i've checked that about 5 times.

 

[anodos]

That's all fine, i've checked that about 5 times.

Then you should look at /var/log/samba4/log.wb* logs. See if anything stands out and post here.

 

[James Richardson]

Hello,

I've tried the command above and I got;

[root@freenas ~]# /var/log/samba4/log.wb*
bash: /var/log/samba4/log.wb-BUILTIN: Permission denied

I've also noticed that the freenas server is 3 minutes behind the DC, i have tried to sync the time with the DC but still 3 minutes behind.

James

 

[anodos]

Hello,

I've tried the command above and I got;

[root@freenas ~]# /var/log/samba4/log.wb*
bash: /var/log/samba4/log.wb-BUILTIN: Permission denied

I've also noticed that the freenas server is 3 minutes behind the DC, i have tried to sync the time with the DC but still 3 minutes behind.

James

Fun times. Perhaps enable SSH access to the server, then use an SFTP client such as "winscp" to copy the log files to your desktop. Open them in a program such as "notepad++" and copy the contents here enclosed in [ code ] tags.

 

[James Richardson]

OK I've got to the logs now which one do i want there about 7 logs file, I assume I want to log file for the domain.

There is quite a lot in the log file, here is a small part of it;

Code:

[2017/04/21 12:47:35.053978,  0] ../source3/librpc/crypto/gse.c:345(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
[2017/04/21 12:47:35.054143,  1] ../auth/gensec/spnego.c:623(gensec_spnego_create_negTokenInit)
  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2017/04/21 12:47:35.054235,  0] ../source3/libads/sasl.c:779(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2017/04/21 12:47:35.067967,  1] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
  ads_connect for domain FASUK failed: An internal error occurred.
[2017/04/21 12:47:35.589541,  0] ../source3/librpc/crypto/gse.c:345(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
[2017/04/21 12:47:35.589684,  1] ../auth/gensec/spnego.c:623(gensec_spnego_create_negTokenInit)
  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2017/04/21 12:47:35.589794,  0] ../source3/libads/sasl.c:779(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2017/04/21 12:47:35.589859,  1] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
  ads_connect for domain FASUK failed: An internal error occurred.
[2017/04/21 12:47:36.108099,  0] ../source3/librpc/crypto/gse.c:345(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
[2017/04/21 12:47:36.108225,  1] ../auth/gensec/spnego.c:623(gensec_spnego_create_negTokenInit)
  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2017/04/21 12:47:36.108319,  0] ../source3/libads/sasl.c:779(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2017/04/21 12:47:36.108384,  1] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
  ads_connect for domain FASUK failed: An internal error occurred.

James

 

[anodos]

OK I've got to the logs now which one do i want there about 7 logs file, I assume I want to log file for the domain.

There is quite a lot in the log file, here is a small part of it;

Code:

[2017/04/21 12:47:35.053978,  0] ../source3/librpc/crypto/gse.c:345(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
[2017/04/21 12:47:35.054143,  1] ../auth/gensec/spnego.c:623(gensec_spnego_create_negTokenInit)
  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2017/04/21 12:47:35.054235,  0] ../source3/libads/sasl.c:779(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2017/04/21 12:47:35.067967,  1] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
  ads_connect for domain FASUK failed: An internal error occurred.
[2017/04/21 12:47:35.589541,  0] ../source3/librpc/crypto/gse.c:345(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
[2017/04/21 12:47:35.589684,  1] ../auth/gensec/spnego.c:623(gensec_spnego_create_negTokenInit)
  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2017/04/21 12:47:35.589794,  0] ../source3/libads/sasl.c:779(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2017/04/21 12:47:35.589859,  1] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
  ads_connect for domain FASUK failed: An internal error occurred.
[2017/04/21 12:47:36.108099,  0] ../source3/librpc/crypto/gse.c:345(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
[2017/04/21 12:47:36.108225,  1] ../auth/gensec/spnego.c:623(gensec_spnego_create_negTokenInit)
  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2017/04/21 12:47:36.108319,  0] ../source3/libads/sasl.c:779(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2017/04/21 12:47:36.108384,  1] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
  ads_connect for domain FASUK failed: An internal error occurred.

James

You have too much clock skew. Synchronize the time on your FreeNAS server with your DC.

 

[James Richardson]

I have tried to sync with the DC but it's not doing it. It's 3 minutes out but I thought you could be a maximum of 5 minutes out.

What's the command to sync the Freenas with the DC server please? I've been looking and tried a few commands but they haven't been successful, sorry :-(.

I set the Timezone to "Europe/London" but it was an hour out, so changed it to "UTC" and now it's only 3 minutes out.

Regards,

James

 

[James Richardson]

Bump

 

[razor1299]

You installed and configure the Identity Management for UNIX Components?

 

[James Richardson]

Sorry for the delay, I didn't even know about that feature, I'll install it now and see if that helps.

 

[razor1299]

Sorry for the delay, I didn't even know about that feature, I'll install it now and see if that helps.

F.Y.I

https://msdn.microsoft.com/en-us/library/cc731178(v=ws.11).aspx#BKMK_command

 

[Vito Reiter]

NTP server prep

• From a CMD prompt, type w32tm /query /configuration - if NtpServer shows time.windows.com- you should really think about changing it.
  • To change the time server to both use a more accurate clock, and redundant clocks, type the following:
    • w32tm /config /syncfromflags:manual /manualpeerlist:"0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1" /update /reliable:yes
    • If you got any result other then "The command completed successfully", verify your command line. View an example successful result HERE.
    • Restart the Windows time service by issuing the following command net stop w32time && net start w32time. View an example successful restart HERE.

Configuring Time Server

• Click on System -> NTP Servers -> View NTP Servers
  • Remove all 3 default NTP servers
  • Click Add NTP Server
    • Address: 10.10.10.3
    • Prefer: checked (only if you have other time servers configured)
    • Leave everything else at its default setting
      
      

• Now that the time server is set, you need to set your time zone
• Click on Settings -> General
  • Timezone: (obviously select YOUR time zone)
  • Directory Service: Active Directory (since we plan on using Active Directory)
  • Click "Save"
    
    

This is from the active directory setup, you can make your actually DC the 'timezone' for FreeNAS. So FreeNAS gets its time from your DC avoiding potential issues with the sync of time. This is all in documentation.

EDIT: Also HERE, you'll find further setup for NTP in the docs if you need help.

 

[James Richardson]

Are these the commands to be used on the Windows DC or the FreeNAS server??

I saw these commands before and they didn't work on the FreeNAS "Shell" option.

I've set my FreeNAS to look at our DC for a NTP server already but it's 3 minutes out.

Also I don't the option at the "Active Directory option at the bottom to select, see attached.

Regards
James

 

[Vito Reiter]

Are these the commands to be used on the Windows DC or the Freenas server??

I saw these commands before and they didn't work on the Freenas "Shell" option.

I've set my Freenas to look at our DC for a NTP server already but it's 3 minutes out.

Also I don't the option at the "Active Directory option at the bottom to select, see attached.

Regards
James

Since that post was made the active directory area moved, however, the commands in the top quote are to be run on the DC itself in order to allow FreeNAS to connect to it.

 

[James Richardson]

Hello,

Thanks for the replies guys. Sadly I'm no better off, it's still 3 minutes out from the DC and I can't see the Users or groups from the AD :-( :-(.

I installed the UNIX component and I've been through the documentation but i don't quite understand it.

What is classed as a NIS server? Is it always a Freenas (Ubuntu server)?? tried updating the maps but it did nothing, it just give me an error or said it was successful and nothing appeared, screenshot attached.

Thanks,
James

 

[anodos]

Hello,

Thanks for the replies guys. Sadly I'm no better off, it's still 3 minutes out from the DC and I can't see the Users or groups from the AD :-( :-(.

I installed the UNIX component and I've been through the documentation but i don't quite understand it.

What is classed as a NIS server? Is it always a Freenas (Ubuntu server)?? tried updating the maps but it did nothing, it just give me an error or said it was successful and nothing appeared, screenshot attached.

Thanks,
James

The "Unix component" advice was bad. Your log clearly indicated that there is too much clock skew between your FreeNAS server and DC. Point both of them to the same time source (preferably stratum 1 time server) so that they have the same time. Sometimes people have difficulty using Windows servers as a time source for Unix systems. It's never a bad idea to have a good, secure stratum 0 device on your network and synchronize your servers with it.

 

[James Richardson]

Okey dokey, is the stratum time server a download or do I need to buy some equipment??

Sorry I've not heard of that before, i usually just get devices to sync from the DC but the Freenas server is the only one that doesn't appear to want to sync correctly

 

[Ericloewe]

It's never a bad idea to have a good, secure stratum 0 device on your network and synchronize your servers with it.

Sure, but the practicality of a GPS-disciplined temperature-controlled rubidium oscillator leaves a bit to be desired.