Active Directory Settings Won't Stick

ayao218

Dabbler
Joined
Jun 2, 2018
Messages
12
I'm having an issue using Active Directory and SMB shares. It seems like everything is properly configured as there are no errors from the TrueNAS UI and everything is showing up as healthy. After clicking on save for the Active Directory settings, the SMB shares work, and authentication works perfectly. I also know authentication is really authenticating because using an incorrect password gives an error. Then about 10-30 seconds later, authentication stops working and `NT_STATUS_LOGIN_FAILURE` shows up when trying to authenticate using the same credentials as before.

I've run through all the troubleshooting steps in the documentation here https://www.truenas.com/docs/core/directoryservices/activedirectory/ and everything is coming back fine even after the authentication stops working. I can still see all the groups and users. Status shows healthy.

Running TrueNAS-12.0-U3 and did a fresh install and restored from backup. Same results occur.

Any thoughts on the issue here?

Thanks!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Can you PM me a debug please?
 

ayao218

After perusing my debug file, it appears that the issue is caused by my recent change of my domain's NetBIOS name. I see the old NetBIOS name in the auth_audit log under both `mappedDomain` and `clientDomain`, which would explain the authentication failure. I also see errors in log.winbindd stating `add_trusted_domain: SID [sid] already used by domain [OLDNETBIOS], expected [NEWNETBIOS]`.

Furthermore, these errors appear when `wbinfo -m` shows the old NetBIOS name. I see "Trust Type" for my new NetBIOS name as "Workstation" both before and after my old NetBIOS name appears. Once the old NetBIOS name appears, it claims "Trust Type" as "Routed (via AD)".

Lastly, when clicking save on the "Active Directory" menu, the old NetBIOS name is removed from `wbinfo -m` for 30 seconds, which fixes the problem, but it is added after, causing the issues to reappear. Leaving the domain and rejoining seems to fix the issue for longer (around 1 hour, but unsure of exact time), but the issue eventually crops up again.

I renamed the NetBIOS name using the rendom tool (rendom /list, /upload, /prepare, /execute, /end).

How is winbindd/TrueNAS still finding my old NetBIOS name and how can I fix it?

Thanks again!
 

anodos

Did you change our workgroup under Services->SMB to the correct one? Otherwise, it sounds like the change was possibly incomplete or didn't replicate fully through the domain. That's a pretty significant change to your AD domain and so it carries some risk of application breakage in general. You can try increasing the log level of winbindd and see where it's picking up the name from. `net -d 5 ads info` might help as well (will output verbose info about domain).

libads will store server affinity in Samba's gencache.tdb. You can clear with `net cache flush`, but this is on tmpfs on TrueNAS and so it'll be cleared on reboot anyway. Winbindd's cache is /var/db/system/samba4/winbindd_cache.tdb. You can clear via `service winbindd reload` or stopping winbindd, removing the file, and restarting it.

If you changed the domain NetBIOS name after joining AD, you will probably need to leave the AD domain through our GUI and re-join. Some domain state (including secrets) is stored in a key-value store based in part on domain NetBIOS name.
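
A triage sketch for the symptoms described in this thread, added here as an example (not code from the posters, TrueNAS or Samba): it extracts the `add_trusted_domain` SID conflict from log.winbindd lines and lists failed logons in the auth_audit log whose `clientDomain` or `mappedDomain` is not the current workgroup. The sample lines, SID and account names are constructed; the winbindd pattern follows the message as quoted above, and the JSON layout (an `Authentication` object with `status`, `clientAccount`, `clientDomain`, `mappedDomain`) is assumed from Samba's JSON auth audit format.

```python
import json
import re

# Message text as quoted in the thread (bracketed values are captured).
SID_CONFLICT = re.compile(
    r"add_trusted_domain: SID \[(?P<sid>[^\]]+)\] already used by domain "
    r"\[(?P<used>[^\]]+)\], expected \[(?P<expected>[^\]]+)\]")

def sid_conflicts(winbindd_lines):
    """Unique (sid, name_already_cached, name_expected) tuples from log.winbindd."""
    hits = []
    for line in winbindd_lines:
        m = SID_CONFLICT.search(line)
        if m and m.group("sid", "used", "expected") not in hits:
            hits.append(m.group("sid", "used", "expected"))
    return hits

def stale_domain_failures(audit_lines, workgroup):
    """Failed logons whose clientDomain/mappedDomain differs from the workgroup."""
    hits = []
    for line in audit_lines:
        start = line.find("{")  # JSON may follow a log prefix (assumption)
        try:
            event = json.loads(line[start:])["Authentication"]
            status = event["status"]
        except (ValueError, KeyError, TypeError):
            continue  # not an authentication event, or not JSON
        if status == "NT_STATUS_OK":
            continue
        seen = {(event.get(k) or "").upper() for k in ("clientDomain", "mappedDomain")}
        stale = sorted(seen - {"", workgroup.upper()})
        if stale:
            hits.append((event.get("clientAccount"), status, stale))
    return hits

def _audit(status, domain, account):  # builds one constructed audit line
    return "  " + json.dumps({"type": "Authentication", "Authentication": {
        "status": status, "clientAccount": account,
        "clientDomain": domain, "mappedDomain": domain}})

# Constructed sample input; the SID and account names are made up.
SAMPLE_WINBINDD = [
    "add_trusted_domain: SID [S-1-5-21-1111111111-2222222222-3333333333] "
    "already used by domain [OLDNETBIOS], expected [NEWNETBIOS]"] * 2
SAMPLE_AUDIT = [
    _audit("NT_STATUS_OK", "NEWNETBIOS", "alice"),
    _audit("NT_STATUS_WRONG_PASSWORD", "NEWNETBIOS", "bob"),
    _audit("NT_STATUS_LOGIN_FAILURE", "OLDNETBIOS", "alice"),
]
```

A failure that carries the current workgroup (the wrong-password line in the sample) is left out, so what remains are logons that failed while being mapped to the renamed domain.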
 

ayao218

I'm not entirely sure what happened, but it seems like it's fixed itself. I left and rejoined the domain, just like I have done in the past where it would stop working after some time, but this time it didn't stop working. Been working fine now for 2 days without any issues. I will report back if the issue comes back again.

Thanks again for all the help!