AD Not working after rollback from 23.10.1.1

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
I tried updating to v23.10.1 and had my AD config disappear. I rolled back to v23.10.0.1 and all was well so I left it at that until I had more time to dig into it. Today I saw v23.10.1.1 and ran that update. Same thing, AD config gone, so I tried to roll back again but this time it didn't work. I deleted the computer name from DNS, I stopped the SMB service, cleared the AD password, unchecked enable and saved. Also deleted the Kerberos realm domain.

When I go back to directory services the password is already entered, check enable box, and save...
I get this error message:
[EINVAL] No server IP addresses passed DNS validation. This may indicate an improperly configured reverse zone. Review middleware log files for details regarding errors encountered.

The more dropdown:
Code:
Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 426, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 464, in __run_body
    rv = await self.method(*([self] + args))
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 766, in start
    await self.post_join_setup(job, {
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 662, in post_join_setup
    await self.middleware.call('activedirectory.register_dns', ad, smb, smb_ha_mode)
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1398, in call
    return await self._call(
           ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1341, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/dns.py", line 151, in register_dns
    raise CallError(
middlewared.service_exception.CallError: [EINVAL] No server IP addresses passed DNS validation. This may indicate an improperly configured reverse zone. Review middleware log files for details regarding errors encountered.


I am not sure what to do from here. I hate to admit it but I don't know how to check the middleware log. My DNS server does not have a reverse zone set up.

I have two servers running SCALE and the other one is still working on AD. Can someone provide some guidance?
 

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
Can you provide more details about this? What part of AD config disappeared?
After the update to v23.10.1 and reboot, if I go into the Directory Services, I just get the default options of setting up LDAP or Active Directory.
I'm booting my server back into v23.10.1 now so I can give better details

edit after reboot: So the SMB service is started but the icon at the top right that would normally show my Active Directory as healthy is gone, and Directory Services just shows buttons for Configure Active Directory and Configure LDAP.

Advanced Settings: (screenshot attachment, Capture AD.PNG)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
edit after reboot: So the SMB service is started but the icon at the top right that would normally show my Active Directory as healthy is gone, and Directory Services just shows buttons for Configure Active Directory and Configure LDAP.
I don't see kerberos realm configuration in your screenshot. Were you lacking that in previous version?
What is output of midclt call activedirectory.config?
 

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
I don't see kerberos realm configuration in your screenshot. Were you lacking that in previous version?
What is output of midclt call activedirectory.config?
No, the realm was there before.

Output of midclt call activedirectory.config
Code:
{"id": 1, "domainname": "CARROTNET.LAN", "bindname": "bear", "verbose_logging": false, "allow_trusted_doms": false, "use_default_domain": false, "allow_dns_updates": true, "disable_freenas_cache": false, "restrict_pam": false, "site": "", "timeout": 60, "dns_timeout": 10, "nss_info": null, "enable": false, "kerberos_principal": "", "createcomputer": "", "kerberos_realm": null, "netbiosname": "bilkonas", "netbiosalias": []}
 

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
If I click on Configure Active Directory, the domain name, domain account name, and netbios name are present.
Adding the password, checking enable and clicking save...
There's a flash of a progress bar and the save button text goes dull grey and it seems to be doing something or waiting but nothing ever happens.

Additionally,
host -t srv _ldap._tcp.carrotnet.lan
_ldap._tcp.carrotnet.lan has SRV record 0 100 389 dc1.carrotnet.lan.
_ldap._tcp.carrotnet.lan has SRV record 0 100 389 dc2.carrotnet.lan.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Can you PM me debugs from both TrueNAS versions? It's failing because there is missing kerberos configuration information. You need a kerberos realm and a kerberos principal in order to have a stable AD join (both are auto-generated and inserted into the configuration database when you first join AD through our webui).
 

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
I will, but I don't know how to get a debug. I am a dabbler.
 

sgt_jamez

Explorer
Joined
Jul 30, 2021
Messages
88
Ok sent...
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Summary:
* The domain join in 23.10.0.1 was in an undefined state (no kerberos principal), but this wasn't properly detected in that version. 23.10.1 and later detects this and disables the service.
* You can technically join AD without a populated reverse zone; you should just uncheck the advanced feature to perform automatic DNS update. If you go this route though, the onus is on you as administrator to make sure the forward lookup zone is correctly populated with entries for the TrueNAS server.
 

IonutZ

Contributor
Joined
Aug 17, 2014
Messages
108
Hey @anodos,

I'm running into the same issue on 1/2 of my TrueNAS instances. Both are connected to the same domain (running Active Directory on Windows 2022). This is on TrueNAS latest nightly Cobia. I'm curious, what does a proper configuration of a reverse zone look like? In my DNS server, my reverse lookup zones just have IP addresses.

@sgt_jamez sorry for hijacking, might be able to work something out together :) I don't see anyone else having this issue on the internet except for us

EDIT: Found out my issue is related to the fact that I changed the hostname of my truenas instance (a while back). Error in middleware says:

[2024/01/27 13:54:51] (WARNING) ActiveDirectoryService.ipaddresses_to_register():124 - Reverse lookup of "redacted ip" points to nasx.domain.com., expected nasy.domain.com..

Since this worked up until the last update, and my change was done 1+ years ago... where and how can I change what TrueNAS's AD client thinks TrueNAS's hostname is supposed to be.
 
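To make the failure in this thread concrete, here is an added model of the reverse-zone validation that the EINVAL error and the middleware warning above describe, covering both anodos's note that disabling automatic DNS updates skips the reverse check and IonutZ's stale-PTR-after-rename case. This is illustrative code written for this thread, not TrueNAS middleware code; the function name, its signature and the PTR data are constructed assumptions.

```python
from typing import Callable, Dict, List, Optional

# Hypothetical name for the check the thread's error comes from; the
# real middleware function and its signature are not shown on the page.
class DnsValidationError(ValueError):
    pass

def validate_register_ips(ips: List[str], expected_fqdn: str,
                          ptr_lookup: Callable[[str], Optional[str]],
                          allow_dns_updates: bool = True,
                          log: Optional[List[str]] = None) -> List[str]:
    """Return the subset of `ips` whose PTR record names `expected_fqdn`.

    With automatic DNS updates disabled the reverse zone is not consulted
    at all (the admin then owns the forward zone); otherwise every IP
    must reverse-resolve to the expected FQDN or it is dropped, and an
    empty result is an EINVAL, as in the traceback above.
    """
    if log is None:
        log = []
    if not allow_dns_updates:
        return list(ips)
    expected = expected_fqdn.rstrip(".").lower()
    passed: List[str] = []
    for ip in ips:
        name = ptr_lookup(ip)
        if name is None:
            log.append(f'Reverse lookup of "{ip}" returned no PTR record')
        elif name.rstrip(".").lower() != expected:
            log.append(f'Reverse lookup of "{ip}" points to {name}, '
                       f'expected {expected_fqdn}.')
        else:
            passed.append(ip)
    if not passed:
        raise DnsValidationError(
            "[EINVAL] No server IP addresses passed DNS validation. "
            "This may indicate an improperly configured reverse zone.")
    return passed

# Constructed reverse-zone data standing in for a real resolver: two PTRs
# still carry the host's old name (the renamed-host case in the thread).
CONSTRUCTED_PTR: Dict[str, str] = {
    "192.0.2.10": "nasx.example.lan.",   # stale, pre-rename
    "192.0.2.11": "nasy.example.lan.",   # correct
    "192.0.2.12": "nasx.example.lan.",   # stale
}

def constructed_ptr(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)
```

Running the validator over the constructed zone keeps only 192.0.2.11 and logs a warning of the same shape as the one quoted above for each stale address; fixing the PTR records (or unchecking automatic DNS updates) is what makes the join proceed.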

Axemann

Dabbler
Joined
Jun 6, 2015
Messages
21
Ran into almost the same issue discussed here, and the fix for my instance was to run:

Code:
midclt call activedirectory.update '{"kerberos_principal": "", "enable": false, "bindpw": ""}'


Once I did that and force-refreshed the webUI, I was able to re-enter the bind credentials and proceed on my merry way.

PS: You may need to replace "bindpw" with "bindname" if the above doesn't work (and your instance is hung up on the username rather than the password).
 