AD errors between 9.10-STABLE and 9.10.1 or 2 U1, U2, U3

Status
Not open for further replies.

Ian Carson

Explorer
Joined
Jul 5, 2016
Messages
55
Hi All

I am running a very stable 9.10-STABLE with CIFS Shares, UEFI Windows VMs using IOHYVE and Active Directory access on a local domain the Domain Controller for which I have full access to and have not modified since I installed 9.10-STABLE.

I have tried each of the recommended updates as outlined in the title of this thread but in every case AD, CIFS and UEFI simply stopped working. CIFS service disappears in the later updates and SMB appears instead (don't know if this is relevant). My shares are visible in Windows Explorer under the new updates but are not accessible (access is denied). AD is not available "Unable to find Domain controllers for ...." and the iohyve uefi guestsystem returns that uefi is not a known guest which I imagine means that the uefi command which was available in iohyve 7.5 is no longer available in 7.8.

I have been through every post both here and elsewhere to no avail. Am I missing something? Has something so significant changed between 9.10-STABLE and 9.10.1 etc that these issues are arising?

My time is synchronised with the domain, idmap is set to RID, AD is enabled (but disables as I reboot to these new updates).

How can it be that a perfectly working system just falls over as a result of some bug fixes?

I can of course continue using 9.10-STABLE but I'm stuck there as I need the functionality mentioned above to continue working after updates.

All ideas gratefully received.

regards
Ian
 
dlavigne

Guest
CIFS was renamed to SMB (not related, but why it looks different). What is related is the bump in Samba versions. So, the newer Samba version doesn't like something in your config. Please post the contents of smb4.conf and your AD config settings.
 

Ian Carson

Thanks mate. Sounds promising. Getting a little late in the night here in Australia. I'll dig up the conf files and post in the morning. Appreciate the help.
 

Ian Carson

These are the settings for the working system. Just seen that I get a "Cannot load /usr/local/etc/smb4.conf" during the bootup of the updates after 9.10-STABLE.

smb4.conf - Working

[global]
server max protocol = SMB3
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 942077
logging = file
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = ParadigmRAID Server
ea support = yes
store dos attributes = yes
lm announce = yes
hostname lookups = yes
acl allow execute always = true
dos filemode = yes
multicast dns register = yes
domain logons = no
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = member server
workgroup = PARADIGM
realm = PARADIGM.LOCAL
security = ADS
client use spnego = yes
cache directory = /var/tmp/.cache/.samba
local master = no
domain master = no
preferred master = no
ads dns update = yes
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
idmap config PARADIGM: backend = rid
idmap config PARADIGM: range = 20000-90000000
allow trusted domains = no
client ldap sasl wrapping = plain
template shell = /bin/sh
template homedir = /home/%U
netbios name = XXXXXXXXXXX
pid directory = /var/run/samba
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1


[XXXXXXXXXX]
path = /mnt/Paradigm/XXXXXXX
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


[XXXXXXXXXX]
path = /mnt/Paradigm/XXXXXXXX
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
vfs objects = zfs_space zfsacl aio_pthread streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare

AD Config - This doesn't change from working to not working except Enable gets set to - No

Domain Name - paradigm.local
Encryption Mode - Off
Certificate - None
Use Default Domain - Yes
Allow DNS updates - Yes
Domain Controller - xxxxx.paradigm.local
Kerberos Realm - paradigm.local
AD Timeout - 60
DNS Timeout - 60
Idmap backend - rid
Winbind NSS Info - None
SASL wrapping - Plain
Enable - Yes
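
Added example, not part of the original posts and not FreeNAS or Samba project code: a small Python check of the AD-member settings in the smb4.conf posted above, covering a missing realm, plain LDAP SASL wrapping, and overlapping idmap ranges. The sample is a constructed subset of that [global] section, the function names are hypothetical, and the findings are general configuration checks rather than a diagnosis of the failure in this thread.

```python
import re

# Constructed sample: a subset of the [global] parameters from the post above.
SAMPLE = """\
[global]
security = ADS
realm = PARADIGM.LOCAL
workgroup = PARADIGM
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
idmap config PARADIGM: backend = rid
idmap config PARADIGM: range = 20000-90000000
client ldap sasl wrapping = plain
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with names lower-cased and spacing collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit_ad_member(conf):
    """Return a list of findings for the AD-member settings in [global]."""
    g, findings = conf.get("global", {}), []
    if g.get("security", "").lower() == "ads" and not g.get("realm"):
        findings.append("security = ADS is set without a realm")
    if g.get("client ldap sasl wrapping", "").lower() == "plain":
        findings.append("client ldap sasl wrapping = plain: LDAP binds are unsigned")
    ranges = []
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (.+?)\s*:\s*range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges.append((lo, hi, m.group(1)))
    ranges.sort()  # once sorted by start, any overlap shows up between neighbours
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges for {d1} and {d2} overlap")
    return findings
```

A domain controller that is configured to require LDAP signing refuses unsigned binds, which is why the plain wrapping setting is worth flagging on any AD member.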
 

Ian Carson

More info:

On the basis that samba might be the issue I tried a "service samba start" from the shell and got "samba does not exist in /etc/rc.d or the local startup directories (/etc/ix.rc.d /usr/local/ect/rc.d)".
 

Ian Carson

Should the pid directory in smb4.conf be changed to /var/run/samba4 rather than /var/run/samba?
 

Ian Carson

Note that winbindd, smbd and nmbd are all started services when running under the updates. However, the domain seems to be unreachable/invisible unless running under 9.10-STABLE.
 

Ian Carson

I notice that there is a .json config file in the root of each CIFS share. Could it need to be changed for the updates?
 

Ian Carson

CIFS was renamed to SMB (not related, but why it looks different). What is related is the bump in Samba versions. So, the newer Samba version doesn't like something in your config. Please post the contents of smb4.conf and your AD config settings.

Posted the smb4.conf as requested. Any thoughts as to the issue? Other info subsequently posted might be useful too?
 

jixam

Dabbler
Joined
May 1, 2015
Messages
47
[...] Active Directory access on a local domain the Domain Controller for which I have full access to and have not modified [...]

This sounds a lot like an issue we recently had. The trick was to create a separate domain user for the FreeNAS AD join. Using Administrator suddenly stopped working.
 

Ian Carson

Thanks Jixam. I'll certainly give that a go today. If it works it could perhaps go towards a solution to several bugs around AD that have appeared in the bug list.
 