AD Leave - Reset?

Rayb (Dabbler, joined Jan 26, 2018, 16 messages)
Hi,

I am currently re-doing my lab AD after the old one had a meltdown.
All attempts to salvage the old one have failed, and I am setting up a new one since this is, after all, just a lab.

Changing AD domain on the FreeNAS boxes, however, has proven a bit difficult.

Trying to leave the defunct AD results in this:

Code:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
    io_thread=False)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1077, in _call
    return await methodobj(*args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/schema.py", line 961, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 1473, in leave
    raise CallError(f"kinit for domain [{ad['domainname']}] with password failed: {output[1].decode()}")
middlewared.service_exception.CallError: [EFAULT] kinit for domain [home.domain.local] with password failed: kinit: krb5_get_init_creds: Wrong realm


So...

Is there a way to hard reset this configuration?
The FreeNAS boxes in question also run iSCSI storage for the environment in question so I dread a re-install.

Anyone?
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
Disable AD service, remove kerberos keytab and realm manually, change nameservers to be correct for AD, input new domain details.
 

Rayb (Dabbler, joined Jan 26, 2018, 16 messages)
  • Stopped the SMB service
  • Deleted all Kerberos details
  • Put correct name servers in config
  • Gave AD module the correct settings.


Does not work...

The documentation says to run this:

Code:
sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;"
echo $?
service ix-kerberos start
service ix-nsswitch start
service ix-kinit start
service ix-kinit status
echo $?
klist

python /usr/local/www/freenasUI/middleware/notifier.py start cifs
service ix-activedirectory start
service ix-activedirectory status
echo $?
python /usr/local/www/freenasUI/middleware/notifier.py restart cifs
service ix-pam start
service ix-cache start &


Output is as follows:

Code:
root@bombadil:~ # sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;"
root@bombadil:~ # echo $?
0
root@bombadil:~ # service ix-kerberos start
ix-kerberos does not exist in /etc/rc.d or the local startup
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable
root@bombadil:~ # service ix-nsswitch start
root@bombadil:~ # service ix-kinit start
root@bombadil:~ # service ix-kinit status
root@bombadil:~ # echo $?
0
root@bombadil:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: raymond@HOME.DOMAIN.LOCAL

 Issued                Expires               Principal
May 14 13:25:58 2020  May 14 23:25:58 2020  krbtgt/HOME.DOMAIN.LOCAL@HOME.DOMAIN.LOCAL
root@bombadil:~ # python /usr/local/www/freenasUI/middleware/notifier.py start cifs
True
root@bombadil:~ # service ix-activedirectory start
ix-activedirectory does not exist in /etc/rc.d or the local startup
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable
root@bombadil:~ # service ix-activedirectory status
ix-activedirectory does not exist in /etc/rc.d or the local startup
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable
root@bombadil:~ # echo $?
1
root@bombadil:~ # python /usr/local/www/freenasUI/middleware/notifier.py restart cifs
True
root@bombadil:~ # service ix-pam start
ix-pam does not exist in /etc/rc.d or the local startup
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable
root@bombadil:~ # service ix-cache start &
[1] 39742
root@bombadil:~ # ix-cache does not exist in /etc/rc.d or the local startup
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable


Something smells fishy here...

Rayb (Dabbler, joined Jan 26, 2018, 16 messages)
> Which documentation? Those are troubleshooting steps for 11.2 and earlier. Not 11.3.

That explains why it fails :)

But I am still stuck with two useless SMB servers...

Leaving the old domain does not work since that domain does not answer to these calls.

Removing the settings and re-applying proper settings does not work.
Is there a way to just reset the whole thing?
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages)
How about:
Code:
rm /var/db/system/samba4/private/secrets.tdb
net cache flush

then disable / enable in the GUI.
 
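Added example, not from the thread and not iXsystems code: a few shell checks around the manual reset steps anodos describes (clearing Kerberos state, fixing nameservers, removing secrets.tdb and flushing the cache). It assumes the replacement realm is called NEW.DOMAIN.LOCAL (a placeholder), takes file paths as parameters so it can be exercised on scratch copies, and uses klist and krb5.conf samples constructed from the output earlier in this thread. secrets.tdb holds the machine-account password, so it is copied aside before removal rather than deleted outright.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for a manual AD re-join on a
# FreeBSD/FreeNAS-style host. Realm names and paths are placeholders.

# Return 0 when every principal and krbtgt in klist-style output belongs to the
# realm we intend to join; print each mismatch and return 1 otherwise. A cache
# still holding tickets for the old realm explains a "Wrong realm" kinit.
klist_realm_check() {
    want="$1"     # expected realm, e.g. NEW.DOMAIN.LOCAL (assumed)
    input="$2"    # text of `klist` output
    printf '%s\n' "$input" | awk -v want="$want" '
        BEGIN { bad = 0 }
        /Principal:/ {                       # "Principal: user@REALM"
            split($2, p, "@")
            if (p[2] != want) { print "cache principal realm " p[2] " != " want; bad = 1 }
        }
        /krbtgt\// {                         # "krbtgt/REALM@REALM" is the last field
            n = split($NF, q, "@")
            if (q[n] != want) { print "TGT realm " q[n] " != " want; bad = 1 }
        }
        END { exit bad }'
}

# Print the default_realm from krb5.conf text (empty if none). Compare it with
# the realm you are joining before running kinit again.
krb5conf_default_realm() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[[:space:]]*default_realm[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Copy secrets.tdb (machine-account password store) to a timestamped backup,
# then remove the original so the next join starts clean. Returns 1 if the
# backup could not be written; nothing is deleted in that case.
reset_secrets_tdb() {
    secrets="$1"
    [ -f "$secrets" ] || { echo "no $secrets, nothing to do"; return 0; }
    backup="$secrets.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$secrets" "$backup" || return 1
    rm "$secrets"
    echo "moved $secrets to $backup"
}

# Constructed samples, taken from the klist output and a minimal krb5.conf
# matching the realm shown in this thread.
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: raymond@HOME.DOMAIN.LOCAL

 Issued                Expires               Principal
May 14 13:25:58 2020  May 14 23:25:58 2020  krbtgt/HOME.DOMAIN.LOCAL@HOME.DOMAIN.LOCAL'

SAMPLE_KRB5CONF='[libdefaults]
    default_realm = HOME.DOMAIN.LOCAL
    dns_lookup_kdc = true'

# Demo: the cached tickets are for the old realm, so joining NEW.DOMAIN.LOCAL
# with this cache in place would fail; kdestroy (or removing the cache file)
# is the step to take before the next kinit.
if klist_realm_check NEW.DOMAIN.LOCAL "$SAMPLE_KLIST"; then
    echo "credential cache matches NEW.DOMAIN.LOCAL"
else
    echo "stale credential cache: run kdestroy before joining NEW.DOMAIN.LOCAL"
fi
echo "krb5.conf default_realm: $(krb5conf_default_realm "$SAMPLE_KRB5CONF")"
```

On a live box the path for reset_secrets_tdb would be the one from anodos's reply, /var/db/system/samba4/private/secrets.tdb, followed by `net cache flush` and a disable/enable of the AD service in the GUI; the klist check is worth running after the new kinit as well, to confirm the TGT really is for the new realm before touching SMB.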

Rayb (Dabbler, joined Jan 26, 2018, 16 messages)
Still no go.

I will set up a fresh FreeNAS VM and try to figure out if it is the NAS or my 2016 AD that is the problem.
 

Rayb (Dabbler, joined Jan 26, 2018, 16 messages)
A new VM worked right out of the box. It makes a machine account in the AD domain, I can edit ACLs using AD objects directly.

No matter what I did, I could not make that happen with the existing installations.

I ended up doing a "reset config" and re-importing the pools. Not ideal, but now I have my SMB shares back. But changing domains should be doable... (My QNAP had no problems doing this)

But thanks for helping.
 

stewartLG (Dabbler, joined Dec 21, 2016, 13 messages)
I just had the exact same experience trying to leave an Active Directory domain and join another. FreeNAS is just not equipped right now to handle this transition gracefully, and I had problem after problem.

I reported one of the issues to Jira, but they are so numerous, really all you should need to do is set an engineer on this and have them fix each bug as it arises during testing.

Fortunately this server was a very simple backup box, so I was up and working in about 30 minutes from a fresh install after importing the pool.
 

Redemption (Dabbler, joined Aug 3, 2022, 32 messages)
Dang, almost 3 years later and there seems to be no improvement in this area. I am stuck with issues too.
 