AD Not Working Not Saving Config 9.3.1 Stable

Status
Not open for further replies.

Nick Lutz

Dabbler
Joined
Jul 10, 2014
Messages
21
Hi All,

Ended up with some extra hardware and decided to set up another FreeNAS instance. All excited, about 20TB worth of SSDs, about another 100TB of 4TB SAS 10K drives, an HP DL585 with 32 threads and 384GB RAM... and the new and improved FreeNAS 9.3.1! Or that is how it started out anyways...

Fresh install of 9.3.1 FreeNAS-9.3-STABLE-201509022158.iso.

Configured IP, NTP, DNS, etc. All working. Followed the Active Directory instructions posted here:

http://doc.freenas.org/9.3/freenas_directoryservice.html#

Upon populating the AD info in the basic "Directory-->Active Directory" screen...

The GUI issues a red message:

"Unable to find domain controllers for OrlandoPG.net"

In the /var/log/debug.log we see:

Oct 1 18:24:39 THUNDERBIRD manage.py: [common.freenasldap:1086] FreeNAS_ActiveDirectory_Base.get_SRV_records: looking up SRV records for _ldap._tcp.dc._msdcs.orlandopg.net

and then the dreaded:

Oct 1 18:25:09 THUNDERBIRD manage.py: [common.freenasldap:1093] FreeNAS_ActiveDirectory_Base.get_SRV_records: no SRV records for _ldap._tcp.dc._msdcs.orlandopg.net found, fail!

So moving on to the troubleshooting section (http://doc.freenas.org/9.3/freenas_directoryservice.html#troubleshooting-tips):

[root@THUNDERBIRD] /var/log# host -t srv _ldap._tcp.dc._msdcs.orlandopg.net

and I get:

_ldap._tcp.dc._msdcs.orlandopg.net has SRV record 0 100 389 ad.orlandopg.net.

When I do this (not in troubleshooting section):

[root@THUNDERBIRD] /var/log# host -t srv _kerberos._tcp.dc._msdcs.orlandopg.net

I get this:

_kerberos._tcp.dc._msdcs.orlandopg.net has SRV record 0 100 88 ad.orlandopg.net.

When I do this:

[root@THUNDERBIRD] /var/log# ping ad.orlandopg.net

I get this:

PING ad.ORLANDOPG.NET (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=128 time=0.111 ms
... (ad nauseam)

And when I test DNS/Reverse Lookups we have:

[root@THUNDERBIRD] /var/log# nslookup ad.orlandopg.net
Server: 192.168.1.2
Address: 192.168.1.2#53

Name: ad.orlandopg.net
Address: 192.168.1.2

[root@THUNDERBIRD] /var/log# nslookup 192.168.1.2
Server: 192.168.1.2
Address: 192.168.1.2#53

2.1.168.192.in-addr.arpa name = ad.orlandopg.net.

Our AD system is a simple one node AD/DNS with no forest of clones, no DNS alternatives, etc.

I have another older FN 9.2 instance authenticated to this same AD (yes, with many issues and workarounds, but finally working).

Now here is the real fun part; the configuration will not save since it fails to authenticate. I've tried several sets of credentials including the domain administrator with no luck. I've tried using Advanced mode and supplying the domain controller name.

Any help/ideas from anyone here?

My next step will be to downgrade to an older version until these horrible bugs are worked out.

Also, BTW, System-->Advanced-->Enable autotune --> On fails with a red message above "Periodic Notification User: nobody" (in the dropdown box by default); "The user nobody is not valid" (and any other user that I select produces the same message), so therefore no settings on this page are saved.

This means that I'd probably not be able to take advantage of the large RAM footprint of this particular machine.

Sigh....

Thank you for your time and patience.
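
The two findings in the post above (the middleware's failed SRV lookup in debug.log and the successful `host -t srv` answers from the shell) can be cross-checked mechanically. This is an added example, not part of the original post or of FreeNAS; the function names are hypothetical and the sample input is the log and command output quoted in the post.

```python
import re
from datetime import datetime

# Sample input: the debug.log lines and host(1) output quoted in the post.
DEBUG_LOG = """\
Oct 1 18:24:39 THUNDERBIRD manage.py: [common.freenasldap:1086] FreeNAS_ActiveDirectory_Base.get_SRV_records: looking up SRV records for _ldap._tcp.dc._msdcs.orlandopg.net
Oct 1 18:25:09 THUNDERBIRD manage.py: [common.freenasldap:1093] FreeNAS_ActiveDirectory_Base.get_SRV_records: no SRV records for _ldap._tcp.dc._msdcs.orlandopg.net found, fail!
"""
HOST_OUTPUT = """\
_ldap._tcp.dc._msdcs.orlandopg.net has SRV record 0 100 389 ad.orlandopg.net.
_kerberos._tcp.dc._msdcs.orlandopg.net has SRV record 0 100 88 ad.orlandopg.net.
"""

LOG_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ .*get_SRV_records: "
                    r"(looking up SRV records for|no SRV records for) (\S+)")
SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")

def parse_host_srv(text):
    """Map SRV name -> [(priority, weight, port, target)] from `host -t srv` output."""
    records = {}
    for m in filter(None, map(SRV_RE.match, map(str.strip, text.splitlines()))):
        name, prio, weight, port, target = m.groups()
        records.setdefault(name.lower(), []).append(
            (int(prio), int(weight), int(port), target.lower()))
    return records

def failed_lookups(log_text):
    """Map SRV name -> seconds between 'looking up' and 'no SRV records' log lines."""
    started, failed = {}, {}
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        # syslog timestamps carry no year; a fixed one is assumed for the subtraction
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        name = m.group(3).lower()
        if m.group(2).startswith("looking"):
            started[name] = ts
        elif name in started:
            failed[name] = (ts - started.pop(name)).total_seconds()
    return failed

def compare(log_text, host_text):
    """List names the middleware lookup failed on although host(1) resolved them."""
    srv = parse_host_srv(host_text)
    return [(name, secs, srv[name])
            for name, secs in failed_lookups(log_text).items() if name in srv]

if __name__ == "__main__":
    for name, secs, recs in compare(DEBUG_LOG, HOST_OUTPUT):
        print(f"{name}: lookup failed after {secs:.0f}s, host(1) returned {recs}")
```

On the quoted input it reports the `_ldap` name as failing after 30 seconds in the middleware while `host` returned one record for it on port 389.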
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I would put a ticket in at bugs.freenas.org.

I will say you have some DNS problems, but as to how to fix them, I have no idea.
 

Nick Lutz

Thanks CyberJock. I'm probably going to give up on FreeNAS and set up a Windows 2012R2 storage server. We are moving over to Hyper-V and System Center VMM so keeping a FreeBSD box around (at least one that doesn't like to cooperate on Active Directory) is making less sense. I really hope the folks over at IX get their nagging Active Directory issues fixed otherwise they will struggle to keep their market share. QNAP storage devices are easily and readily authenticating to this same AD domain without a hiccup (as well as hundreds of Windows systems). Maybe I'll explore Ubuntu solutions before I throw in the towel on Open Source.
 

cyberjock

In all honesty, 99% of AD problems I work with iXsystems customers with are related to their AD environment. They often have plaguing problems that when we explain to them the problem they don't have a clue where to go or what to do. Of course it's not our purview to explain how to fix it since we don't want to be responsible for their environment.

The DNS issue you listed above clearly isn't a problem with FreeNAS. But what the problem is precisely would require deeper troubleshooting.

In any case, I have yet to have a case where I couldn't get a customer's AD environment to work properly with a given AD environment, with the exception of a bug that is immediately fixed (haven't had one in a while), entering wrong info in the fields of the FreeNAS WebGUI, and customer's AD environment is just so broken that it will never work without them fixing their AD environment.

I will say that many, many people are unwilling to accept that their AD environment has problems, even when shown the evidence firsthand of the problems they are experiencing.
 

Nick Lutz

Added a secondary AD to my directory services, pointed FreeNAS to it, now it authenticates correctly to AD, LDAP, and Kerberos. Not sure what was fixed by adding a secondary AD domain controller, but it's working. Now more trouble; the drop-down menus don't work (only show local users).
 