AD auth working on 9.1.1 but not on 9.2.1.7 ?!? DNS Update for freenas.local failed: ERROR

Status
Not open for further replies.

Ben SysAdmin (Cadet, joined Apr 9, 2014, 5 messages)
I followed a thread I found in this forum:
sqlite3 /data/freenas-v1.db "update services_services set srv_enable = 1 where srv_service = 'directoryservice'"
service ix-kerberos start
service ix-kinit start
service ix-kinit status
echo $? # this should be 0
klist # this should show kerberos tickets

service ix-pam start
service ix-nsswitch start

service ix-samba start
service ix-activedirectory start
service ix-activedirectory status
echo $? # this should be 0
service samba restart

My setup fails at service ix-activedirectory start with the error:
DNS Update for freenas.local failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

I did the exact same thing on an old setup I had in VirtualBox and it's working fine. When I try with 9.2.1.7 my FreeNAS joins the domain but returns the DNS error.

I use a Samba4 DC.

My working config in 9.1.1:
cat /etc/krb5.conf
[appdefaults]
pam = {
forwardable = true
ticket_lifetime = 36000
renew_lifetime = 36000
}

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
clockskew = 300
forwardable = yes
default_realm = MTL.DOMAIN.COM

[logging]
default = SYSLOG:INFO:LOCAL7

[realms]
MTL.DOMAIN.COM = {
kdc = gaia.DOMAIN.com:88
admin_server = gaia.DOMAIN.com:88
default_domain = mtl.DOMAIN.com
kpasswd_server = gaia.DOMAIN.com:88
}

[domain_realm]
mtl.DOMAIN.com = MTL.DOMAIN.COM
.mtl.DOMAIN.com = MTL.DOMAIN.COM
MTL.DOMAIN.COM = MTL.DOMAIN.COM
.MTL.DOMAIN.COM = MTL.DOMAIN.COM

My non-working config in 9.2.1.7:
[appdefaults]
pam = {
forwardable = true
ticket_lifetime = 86400
renew_lifetime = 86400
}

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
clockskew = 300
forwardable = yes
default_realm = MTL.DOMAIN.COM

[logging]
default = SYSLOG:INFO:LOCAL7

[realms]
MTL.DOMAIN.COM = {
kdc = gaia.DOMAIN.com:88
admin_server = gaia.DOMAIN.com:88
default_domain = mtl.DOMAIN.com
kpasswd_server = gaia.DOMAIN.com:88
}

[domain_realm]
mtl.DOMAIN.com = MTL.DOMAIN.COM
.mtl.DOMAIN.com = MTL.DOMAIN.COM
MTL.DOMAIN.COM = MTL.DOMAIN.COM
.MTL.DOMAIN.COM = MTL.DOMAIN.COM

I don't know if you need more config files. Let me know if someone can work with me to get it working in 9.2.1.7.
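The error names the host as freenas.local while the realm's default_domain is mtl.DOMAIN.com, so a check worth running before the join is whether the host's FQDN actually falls under the domain the DC serves. The added example below is not from the thread or from FreeNAS: it parses a constructed, trimmed copy of the 9.2.1.7 krb5.conf, maps a hostname through [domain_realm] the way libkrb5 does, and reports when the name the join will register lies outside default_domain (the assumption being that the DC's DNS has no zone for that suffix).

```python
# Constructed sample, trimmed from the 9.2.1.7 krb5.conf quoted in the thread.
KRB5_CONF = """
[libdefaults]
default_realm = MTL.DOMAIN.COM
[realms]
MTL.DOMAIN.COM = {
kdc = gaia.DOMAIN.com:88
default_domain = mtl.DOMAIN.com
}
[domain_realm]
mtl.DOMAIN.com = MTL.DOMAIN.COM
.mtl.DOMAIN.com = MTL.DOMAIN.COM
"""

def parse_krb5(text):
    """krb5.conf -> {section: {key: value or {subkey: value}}}, one nesting level."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif section is not None:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":  # nested block such as MTL.DOMAIN.COM = { ... }
                block = section[key] = {}
            else:
                (block if block is not None else section)[key] = value
    return sections

def realm_for_host(conf, fqdn):
    """[domain_realm] lookup: exact name first, then longest parent domain with a leading dot."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = fqdn.lower().split(".")
    candidates = [fqdn.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)

def check_join_host(conf, fqdn):
    """Findings about the name FreeNAS will register in the DC's DNS on join (assumed check)."""
    findings = []
    if realm_for_host(conf, fqdn) is None:
        findings.append(f"{fqdn}: no [domain_realm] entry covers this name")
    zone = conf["realms"][conf["libdefaults"]["default_realm"]].get("default_domain", "").lower()
    if not fqdn.lower().endswith("." + zone):
        findings.append(f"{fqdn}: not under default_domain {zone}, so the DNS update targets a zone the DC may not serve")
    return findings
```

Run check_join_host(parse_krb5(open("/etc/krb5.conf").read()), hostname) with the box's real FQDN; an empty list means the name is covered by the static realm mapping and sits under default_domain.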
Reply (member joined Sep 15, 2014, 2 messages)
I have the same issue. Just got a bunch of hard drives because I expected this to work since it did in previous versions. Back to 9.1.1 I suppose.
Ben SysAdmin (Cadet, joined Apr 9, 2014, 5 messages)
I'm pretty happy to see I'm not alone with this issue. Did you try with a Samba4 DC too? Can we roll back to 9.1.1, that's the question... I saw a lot of changes since this version, like the system dataset pool will disappear in 9.1.1.

My next try will be to sync my Samba4 DC to an OpenLDAP OU or something like that and connect FreeNAS to OpenLDAP. I'm not sure it will work; I think the password is lost in the sync between Samba and OpenLDAP. Stupid idea I had to build all my network around a Samba4 DC lol, but I can't go back.
Reply (member joined Sep 15, 2014, 2 messages)
I have not tried Samba4, but I don't have any data on there yet so I'm not too worried about starting over. Honestly AD integration is what I want to do, so other solutions are just a stop-gap.