SOLVED Active Directory some machines cannot authenticate to freenas

JimKusz

Dabbler
Joined
Sep 10, 2018
Messages
19
Hi all:

We had some issues with our Active Directory servers overnight. They're all back up and healthy, and user authentication on workstations is working just fine.

On our ~50 computer network, we have about 4 workstations that are having trouble accessing our freenas system, which is joined as a member of the domain. All domain controllers are Windows 2016 servers.

On most computers, I can log in with my domain account, and transparently access the NAS. It "just works" like its supposed to.

On the computers that are having problems, when I log in to them, then try and access the NAS, I'm prompted for credentials. it doesn't matter what credentials I provide, permission is denied. I've tried my account (member of every admin group there is..), regular users, and even the domain admin account. They all come up as incorrect user/pass. But the bigger issue is that its asking at all....

Not really sure where to go with troubleshooting this. Its definitely talking to the server, so its not a DNS/IP/Firewall issue. klist on a non-working system shows tickets for the AD, but NOT for the NAS while working ones do show a ticket for the NAS. klist on the NAS shows a single ticket-granting ticket, still current, and attempts to renew it are successful (issued time is current; expire time remains the same, though). Oh, and I have removed and re-added one of the problem machines, with no change (of course deleting the computer account out of the AD while it was unjoined before rejoining).

I've also tried accessing it from a non-domain linux system with smbclient. Specifying domain credentials (in the form of domain.com/user) generates incorrect user/password errors.

Suggestions?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
midclt call smb.status AUTH_LOG | jq should show results of auth attempts. Check what's happening with the failed ones. Maybe on working computer compare IP address vs domain name (NTLMv2 vs Kerberos), it's possible that ntlm is being blocked for some reason.
 

JimKusz

Dabbler
Joined
Sep 10, 2018
Messages
19
Thanks for the reply, but the command failed. Sorry, I don't know anything about that partular command to know how to troubleshoot it. Here's my output:
Code:
root@storage:/var/log/samba4 # midclt call smb.status AUTH_LOG | jq
[ENOMETHOD] Method "status" not found in "smb"
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1109, in _method_lookup
    methodobj = getattr(serviceobj, method_name)
AttributeError: 'SMBService' object has no attribute 'status'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 307, in on_message
    serviceobj, methodobj = self.middleware._method_lookup(message['method'])
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1111, in _method_lookup
    raise CallError(f'Method "{method_name}" not found in "{service}"', CallError.ENOMETHOD)
middlewared.service_exception.CallError: [ENOMETHOD] Method "status" not found in "smb"



Other updates:
I was incorrect in stating that clients were not getting a cifs @ [nas] ticket; they are. They still cannot access it.

It also appears that computers that have not been used for several hours are much more likely to have the problem (not able to authenticate with the nas)
 

JimKusz

Dabbler
Joined
Sep 10, 2018
Messages
19
Just in case it matters, here's the support info from the web gui of the NAS:

Code:
OS Version:
FreeNAS-11.3-U5
Model:
SSG-6049P-E1CR36L
Memory:
95 GiB
Serial Number:
S287161X9208566
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
Is your FreeNAS server's time the same as the clients'? Active Directory Kerberos tickets need to be synced throughout the domain.
 

JimKusz

Dabbler
Joined
Sep 10, 2018
Messages
19
I thought it was, but when I looked real close, I discovered discrepancies...And fixed them, and things started working...

::bang head on wall::

Thanks!
 
Top