Active Directory Service Keeps Failing

Status
Not open for further replies.

FraserGlynn

Cadet
Joined
Dec 15, 2017
Messages
5
Hi all,

Over the past little while I've been having this issue with the active directory service on FreeNAS-11/11.1 where after a period of time the active directory service appears to fail and I get the error "WARNING: attemp 1 to recover service activedirectory" and it might do this up to 5 times before it manages to resume normal programming, however this has meant that we've had to relog our workstations after this has happened, otherwise we get an access denied error when we try to access our mapped network drives etc.

Furthermore since upgrading to version 11.1 it has started to fail to re-bind itself to the domain after the service has failed meaning that I have to manually go in and try to rejoin the domain which sometimes doesn't work either giving the error "Error: [MiddlewareError: Active Directory failed to reload.]"

I don't really know what's going on here, especially considering I have a NAS at a client's that is running a very similar setup with active directory and it has no problems.

I've attached screenshots of the errors I was getting from the webUI and also attached a screenshot of the messages log file with some of the recent active directory errors in it.

Huge thanks in advance for your time and before you say anything, yes, I know that I have a dead disk, this NAS is taking up far too much of my time *facepalm*.
 

Attachments

  • Freenas Errors & Logs.pdf
    270.3 KB · Views: 587

FraserGlynn

Cadet
Joined
Dec 15, 2017
Messages
5
+--------------------------------------------------------------------------------+
+ FreeNAS-11.1-RELEASE (dc7d195f4) @1513378407 +
+--------------------------------------------------------------------------------+
Operating system type: FreeBSD
Operating system release: 11.1-STABLE
Operating system revision: 199506
Kernel version: FreeBSD 11.1-STABLE #0 r321665+d4625dcee3e(freenas/11.1-stable): Wed Dec 13 16:33:42 UTC 2017
root@gauntlet:/freenas-11-releng/freenas/_BE/objs/freenas-11-releng/freenas/_BE/os/sys/FreeNAS.amd64
Hostname: FOGLIGHT-DOUGLAS.GLYNN
Name of kernel file booted: /boot/kernel/kernel
debug finished in 0 seconds for FreeNAS-11.1-RELEASE (dc7d195f4)


+--------------------------------------------------------------------------------+
+ Active Directory Status @1513378407 +
+--------------------------------------------------------------------------------+
Active Directory is DISABLED
debug finished in 0 seconds for Active Directory Status
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Active Directory Settings @1513378407 +
+--------------------------------------------------------------------------------+
Domain: GLYNN.local
Bind name: DM-Admin
UNIX extensions: 0
Trusted domains: 0
SSL: off
Timeout: 120
DNS Timeout: 120
Domain controller:
Global Catalog Server:
debug finished in 0 seconds for Active Directory Settings
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ /etc/krb5.conf @1513378407 +
+--------------------------------------------------------------------------------+
[appdefaults]
pam = {
forwardable = true
ticket_lifetime = 86400
renew_lifetime = 86400
}

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
clockskew = 300
forwardable = yes
default_realm = GLYNN.LOCAL

[domain_realm]
glynn.local = GLYNN.LOCAL
.glynn.local = GLYNN.LOCAL
GLYNN.LOCAL = GLYNN.LOCAL
.GLYNN.LOCAL = GLYNN.LOCAL

[realms]
GLYNN.LOCAL = {
kdc = foglight-srv01.glynn.local:88
admin_server = foglight-srv01.glynn.local:88
kpasswd_server = foglight-srv01.glynn.local:464
default_domain = GLYNN.LOCAL
}

[logging]
default = SYSLOG:INFO:LOCAL7

debug finished in 0 seconds for /etc/krb5.conf
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ /etc/nsswitch.conf @1513378407 +
+--------------------------------------------------------------------------------+


group: files
hosts: files mdns dns
networks: files
passwd: files
shells: files
services: files
protocols: files
rpc: files
sudoers: files
debug finished in 0 seconds for /etc/nsswitch.conf
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ /usr/local/etc/smb4.conf @1513378407 +
+--------------------------------------------------------------------------------+
debug finished in 0 seconds for /usr/local/etc/smb4.conf
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Kerberos Tickets - 'klist' @1513378407 +
+--------------------------------------------------------------------------------+
klist: No ticket file: /tmp/krb5cc_0
debug finished in 0 seconds for Kerberos Tickets - 'klist'
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ /usr/local/etc/sssd/sssd.conf @1513378407 +
+--------------------------------------------------------------------------------+
debug finished in 0 seconds for /usr/local/etc/sssd/sssd.conf
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ /etc/directoryservice/ActiveDirectory/config @1513378407 +
+--------------------------------------------------------------------------------+
debug finished in 0 seconds for /etc/directoryservice/ActiveDirectory/config
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ adtool get config_file @1513378407 +
+--------------------------------------------------------------------------------+
ad_machine=FOGLIGHTDOUGLAS$
ad_bindname=DM-Admin
ad_domainname=GLYNN.local
ad_basedn=DC=GLYNN,DC=local
ad_binddn=DM-Admin@GLYNN.LOCAL
ad_userdn=
ad_groupdn=
ad_site=
ad_dcname=foglight-srv01.glynn.local:389
ad_dchost=foglight-srv01.glynn.local
ad_dcport=389
ad_gcname=foglight-srv01.glynn.local:3268
ad_gchost=foglight-srv01.glynn.local
ad_gcport=3268
ad_krbname=foglight-srv01.glynn.local:88
ad_krbhost=foglight-srv01.glynn.local
ad_krbport=88
ad_kpwdname=foglight-srv01.glynn.local:464
ad_kpwdhost=foglight-srv01.glynn.local
ad_kpwdport=464
ad_krb_realm=GLYNN.LOCAL
ad_keytab_principal=
ad_keytab_file=
ad_timeout=120
ad_dns_timeout=120
ad_certfile=
ad_ssl=off
ad_verbose_logging=0
ad_unix_extensions=0
debug finished in 9 seconds for adtool get config_file
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Active Directory Domain Info - 'net ads info' @1513378416 +
+--------------------------------------------------------------------------------+
Can't load /usr/local/etc/smb4.conf - run testparm to debug it
debug finished in 0 seconds for Active Directory Domain Info - 'net ads info'
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Active Directory Domain Status - 'net ads status' @1513378416 +
+--------------------------------------------------------------------------------+
Can't load /usr/local/etc/smb4.conf - run testparm to debug it
debug finished in 1 seconds for Active Directory Domain Status - 'net ads status'
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Active Directory Trust Secret - 'wbinfo -t' @1513378417 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret
checking the trust secret for domain (null) via RPC calls failed
debug finished in 0 seconds for Active Directory Trust Secret - 'wbinfo -t'
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Active Directory NETLOGON connection - 'wbinfo -P' @1513378417 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
checking the NETLOGON for domain[] dc connection to "" failed
debug finished in 0 seconds for Active Directory NETLOGON connection - 'wbinfo -P'
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Active Directory trusted domains - 'wbinfo -m' @1513378417 +
+--------------------------------------------------------------------------------+
failed to call wbcListTrusts: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not list trusted domains
debug finished in 0 seconds for Active Directory trusted domains - 'wbinfo -m'
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Active Directory all domains - 'wbinfo --all-domains' @1513378417 +
+--------------------------------------------------------------------------------+
failed to call wbcListTrusts: WBC_ERR_WINBIND_NOT_AVAILABLE
debug finished in 0 seconds for Active Directory all domains - 'wbinfo --all-domains'
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Active Directory own domain - 'wbinfo --own-domain' @1513378417 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
(null)
debug finished in 0 seconds for Active Directory own domain - 'wbinfo --own-domain'
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Active Directory online status - 'wbinfo --online-status' @1513378417 +
+--------------------------------------------------------------------------------+
failed to call wbcListTrusts: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not show online-status
debug finished in 0 seconds for Active Directory online status - 'wbinfo --online-status'
command used:
/root/active_directory.sh


could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
+--------------------------------------------------------------------------------+
+ Active Directory domain info - 'wbinfo --domain-info=(null)' @1513378417 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
failed to call wbcDomainInfo: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not get domain info
debug finished in 0 seconds for Active Directory domain info - 'wbinfo --domain-info=(null)'
command used:
/root/active_directory.sh


could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
+--------------------------------------------------------------------------------+
+ Active Directory DC name - 'wbinfo --dsgetdcname=(null)' @1513378417 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Could not find dc for (null)
debug finished in 0 seconds for Active Directory DC name - 'wbinfo --dsgetdcname=(null)'
command used:
/root/active_directory.sh


could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
+--------------------------------------------------------------------------------+
+ Active Directory DC info - 'wbinfo --dc-info=(null)' @1513378417 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Could not find dc info (null)
debug finished in 0 seconds for Active Directory DC info - 'wbinfo --dc-info=(null)'
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ Active Directory Users and Groups @1513378417 +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+ Users - 'wbinfo -u' @1513378417 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users
+--------------------------------------------------------------------------------+
+ Groups - 'wbinfo -g' @1513378417 +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
Error looking up domain groups
+--------------------------------------------------------------------------------+
+ Using getent @1513378417 +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+ Users - 'getent passwd' @1513378417 +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+ Groups - 'getent group' @1513378417 +
+--------------------------------------------------------------------------------+
debug finished in 0 seconds for Groups - 'getent group'
command used:
/root/active_directory.sh


+--------------------------------------------------------------------------------+
+ User and Group cache dump @1513378417 +
+--------------------------------------------------------------------------------+
debug finished in 6 seconds for User and Group cache dump
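
One way to triage a debug dump laid out like the one in the post above, as an added example that is not part of the original post and not FreeNAS code: it splits the output into its banner-delimited sections and flags the ones that show the directory service is down. The function names and the constructed sample are hypothetical, and the nsswitch check assumes that a host joined through winbind lists `winbind` on its `passwd` and `group` lines.

```python
import re

BANNER = re.compile(r"^\+ (?P<title>.+) @\d+ \+$")   # "+ <title> @<epoch> +"
RULE = re.compile(r"^\+-+\+$")                        # "+-----...-----+"
TRAILER = re.compile(r"^debug finished in \d+ seconds for ")
RULE_LINE = "+" + "-" * 80 + "+"


def _section(title, body, ts=1513378407):
    """Build one constructed section in the layout of the posted debug."""
    return "\n".join([RULE_LINE, f"+ {title} @{ts} +", RULE_LINE, *body,
                      f"debug finished in 0 seconds for {title}",
                      "command used:", "/root/active_directory.sh", "", ""])


# Constructed sample input: five sections modelled on the post above, plus one
# stray stderr line between sections, as also happens in the real output.
SAMPLE = "".join([
    _section("Active Directory Status", ["Active Directory is DISABLED"]),
    _section("/etc/nsswitch.conf",
             ["", "group: files", "hosts: files mdns dns", "passwd: files"]),
    _section("/usr/local/etc/smb4.conf", []),
    _section("Active Directory Domain Info - 'net ads info'",
             ["Can't load /usr/local/etc/smb4.conf - run testparm to debug it"]),
    "could not obtain winbind domain name!\n",
    _section("Active Directory Trust Secret - 'wbinfo -t'",
             ["failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE",
              "Could not check secret"]),
])


def parse_sections(text):
    """Split debug output into {section title: [non-empty body lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if RULE.match(line):
            continue
        m = BANNER.match(line)
        if m:
            current = sections.setdefault(m.group("title"), [])
        elif TRAILER.match(line):
            # Section closed: skip "command used:" and stray stderr lines
            # until the next banner opens a new section.
            current = None
        elif current is not None and line:
            current.append(line)
    return sections


def triage(sections):
    """Return (section title, finding) tuples in report order."""
    findings = []
    for title, body in sections.items():
        joined = "\n".join(body)
        if title == "Active Directory Status" and "DISABLED" in joined:
            findings.append((title, "directory service is disabled"))
        elif title.startswith("/") and title.endswith((".conf", "/config")) and not body:
            findings.append((title, "config file is empty or missing"))
        elif title == "/etc/nsswitch.conf":
            # Assumption: with winbind in use, passwd and group list "winbind".
            for db in ("passwd", "group"):
                src = [l.split(":", 1)[1].split() for l in body if l.startswith(db + ":")]
                if src and "winbind" not in src[0]:
                    findings.append((title, f"{db} does not consult winbind"))
        elif "WBC_ERR_WINBIND_NOT_AVAILABLE" in joined:
            findings.append((title, "winbindd is not reachable"))
        elif "Can't load" in joined:
            findings.append((title, "Samba could not load its config"))
    return findings


if __name__ == "__main__":
    for title, finding in triage(parse_sections(SAMPLE)):
        print(f"{finding:35} <- {title}")
```

Read top to bottom, the findings give the order to investigate: a disabled service and an empty `smb4.conf` explain every later `wbinfo` failure, so those later sections are symptoms rather than separate faults.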
 

FraserGlynn

Cadet
Joined
Dec 15, 2017
Messages
5
> Generate a debug and post it or pm it to me.

Any ideas?
I've made a few changes since the last message, I've added another USB in a mirror for the boot volume in case the boot USB that I had was flaky.
I also did a format boot drive upgrade installation to try and refresh the FreeNAS files in case they had corrupted for whatever reason.
Thanks again for your help!
 

chendel

Cadet
Joined
Dec 9, 2017
Messages
2
I am experiencing the same exact problem. I had no problems running the previous 11 stable version, but then updated to the most current version (11.1) in the stable train and this problem began. I then wiped everything, did a fresh install of 11.0, and had no AD issues. Just this evening, I upgraded again via the web console and as soon as the server rebooted I began having the repetitive active directory errors displaying and users were unable to connect to their shares.

Any way I can help out?
 

FraserGlynn

Cadet
Joined
Dec 15, 2017
Messages
5
> I am experiencing the same exact problem. I had no problems running the previous 11 stable version, but then updated to the most current version (11.1) in the stable train and this problem began. I then wiped everything, did a fresh install of 11.0, and had no AD issues. Just this evening, I upgraded again via the web console and as soon as the server rebooted I began having the repetitive active directory errors displaying and users were unable to connect to their shares.
>
> Any way I can help out?

Well, at least I know that it's not just me. I've just updated the NAS at our client's to 11.1 and it looks like it's having the same issue with AD. I guess we're rolling back to 11.0 for the time being, but I guess we should file a bug report!
 

chendel

Cadet
Joined
Dec 9, 2017
Messages
2
I rolled back to 11.0-U4 via my boot volume and have been up for about 24 hours with no problems. I'm not sure if it's a bug, or something (coincidentally) wrong in our configurations, but I'd sure like to find out what's wrong!
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
If there's a bug, it's not going anywhere without a bug report.
 

FraserGlynn

Cadet
Joined
Dec 15, 2017
Messages
5
> I rolled back to 11.0-U4 via my boot volume and have been up for about 24 hours with no problems. I'm not sure if it's a bug, or something (coincidentally) wrong in our configurations, but I'd sure like to find out what's wrong!

It could be, but it seems more likely to be something to do with the update. A bug report has been filed.

https://redmine.ixsystems.com/issues/27321
 
Joined
Jan 8, 2017
Messages
27
Dear FraserGlynn,

Did you ever get the active directory issue resolved other than by downgrading? The bug report was quickly dismissed as a user configuration error. Nevertheless, I think that there is more to it and it seems that Windows sharing remains unreliable because of more than just lack of user configuration skills or lack of documentation.

Regards,

Michael Schefczyk
 
Joined
Jan 8, 2017
Messages
27
Dear All,

I did file another bug report https://redmine.ixsystems.com/issues/30678

"I find the issue & bug reported by Fraser Glynn (https://forums.freenas.org/index.ph...tory-service-keeps-failing.59797/#post-423882 and https://redmine.ixsystems.com/issues/27321) extremely real and I would be glad if I could determine where the user configuration error for which the previous ticket was closed might be located and how it can be resolved.

I have a SOHO LAN with 5 Domain Controllers, 2 x Windows Server 2012 R2 plus 3 x Windows Server 2016. Clients are Windows 10, Windows Server 2016, and Debian Stretch. I have been using two FreeNAS servers in the Linux backend of our systems for a long time. I have been replacing two more user-facing Qnap servers for FreeNAS last month and the trouble started with SMB.

I see frequent directory recoveries. Almost always after root GUI logon, for example. Then, one often sees a blank password (instead of dots) in directory GUI config and "Enable" unchecked. Then wbinfo -u not working. Otherwise, SMB almost always works when client computer is started fresh and fails sometime thereafter, even though wbinfo -u may be populated.

Kerberos Realms contains lists of all DCs in my network under KDC, Admin Server and Password Server. Is that OK? Getting tickets (kinit/klist) is never a problem.
Domain name is lastname.local. It has been that for years and it has been working with Qnap SMB for years.

I did try many combinations of settings, but it is plainly impossible to enumerate all combinations. Hence, where the documentation is not really rich, questions do remain. N.B. I did read a lot about samba considering it as alternative DC until noticing that compatibility when using it as a DC basically ends at Windows Server 2008 R2 (plus Server 2012 as experimental).

Open questions on settings under directory:
- How many recovery attempts set to 0 - OK?
- Enable Monitoring is on. Keeping it off does not seem to be a sufficient workaround.
- Encryption Mode set to off. Is there best practice documentation available on encryption?
- Is it OK to leave user/group base, site name, domain controller and global catalog server empty, if Kerberos Realms to contain everything? Otherwise one would have to pick one single DC, correct? Did try single DC but did not work better.
- AD and DNS timeout left at 60 - OK?
- Idmap backend rid at default - OK?
- Winbind NSS Info rfc23077 - OK?
- SASL wrapping seal - OK?

Is the NetBIOS Alias a significant setting under directory and/or service?

Open questions on settings under service:
- Charsets CP437 and UTF-8 OK?
- Allow Empty Password significant?
- NTLMv1 auth significant?
- Idmap Range significant?

I would like to use Kerberos Keytabs but description in section 9.5 of the documentation does not work with my DCs.

I can send logs like log.nmbd, log.smbd, log.wb, log-winbindd from /var/log/samba4/ plus anything else which may be required. However, at verbose/debug logging levels, there is just a heavy load of information. I did not find the needle in the stack, yet.
Are workarounds required like mount nfs on Windows server and share from there or is a solution possible?"

Any recommendations by anyone, please?

Regards,

Michael Schefczyk
 