Before you setup AD authentication PLEASE READ!!!

Status
Not open for further replies.

Cwhitmore

Cadet
Joined
Sep 17, 2011
Messages
7
I made the mistake of entering my PDC in the space where the NAS server name should have gone in Active Directory settings. After rebooting my NAS I started getting calls about Windows users who couldn't access network resources.

This mistake caused my PDC to stop authenticating. Please read SourceForge post before you start messing with AD settings in FreeNAS:

http://sourceforge.net/apps/phpbb/freenas/viewtopic.php?f=75&t=11612
 

Milkwerm

Dabbler
Joined
Jun 26, 2011
Messages
40
I had the same thing. used ADSI edit as per sourceforge posts to reset to domain controller, also had to reset the secure channel key for the 2k8r2 DC as well (NLTEST & NETDOM reset commands). Posted an earlier thread about it here.
 

mr_mike_m

Dabbler
Joined
Jul 22, 2011
Messages
16
Me too!

I also did the same thing... That box's description isn't clear enough!
 
J

James

Guest
Just to be clear for the docs: which field should you not enter the PDC name into? The Domain Controller Name field or the Host Name field?
 

Cwhitmore

Cadet
Joined
Sep 17, 2011
Messages
7
The AD settings are under Services -> Active Directory, it's third box down (Host Name).

I've also attached a screen shot.
 

Attachments

  • ADSettings.jpg
    ADSettings.jpg
    15.8 KB · Views: 1,271

mr_mike_m

Dabbler
Joined
Jul 22, 2011
Messages
16
The AD settings are under Services -> Active Directory, it's third box down (Host Name).

I've also attached a screen shot.

If you could change the pop-up to read something like "the hostname of this freenas server", I think that would do it.

If you put a domain controller in there, very bad things happen to the real DC!:eek:
 

LinuxTracker

Cadet
Joined
Oct 28, 2011
Messages
2
I'll resurrect this thread to mention that I was another user caught in this trap.
Your instructions were vital, but I had some other hoops to jump through on my Server 2008 R2.

I'll detail them here in case it helps someone else out.

I had originally created a FreeNAS entry in the Active Directory Computers and in WINS.
I deleted them both.

I was getting the following errors in the Event Logs
Active Directory Web Services was unable to determine if the computer is a global catalog server.

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server servername$. The target name used was LDAP/SERVERNAME.domainname.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account.

That certainly sounds like a corrupted SCK.
Unfortunately, I wasn't able to use Netdom to reset the Secure Channel Key.

The Command:
Code:
netdom resetpwd /s:server /ud:domainname\username /pd:*

Gave me:
Code:
The machine account password for the local machine could not be reset.
Logon Failure: The target account name is incorrect.
The command failed to complete successfully.


(I had entered my correct servername, username and password BTW)

After trying a whole lot of other stuff, I came across a post where someone had substituted their 2008 server's IP for the servername.

DoH! said I. Why didn't I think of that?

This time, the command:
Code:
netdom resetpwd /s:192.168.100.1 /ud:domainname\username /pd:*

gave me:
Code:
The machine account password for the local machine has been successfully reset.
The command completed successfully.


Ah HA!
I was certain before that DNS wasn't an issue - Looks like that wasn't the case

I checked out my DNS zones and discovered that the _msdcs record was corrupted in my DNS server's forward lookup zone.
The icon was grey and had a single text record as an entry. It wasn't a folder icon and had no subfolders under it.

I've run into that problem before. The solution is to right-click the _msdcs entry and delete it.
Next - restart the Netlogon service. After that restart the DNS Server (or DNS Server Service) and _msdcs is recreated properly (subfolders and all).

By this time the event log errors had ceased; likely when I was finally able to recreate the Secure Channel Key.

I wiped and reloaded FreeNAS as well. Time to see if I can finally get a list of usernames from the AD controller.

Thanks much for pointing me in the right direction.

(Any hope of the Devs assigning a better descriptor to that field?)
 

justchil

Cadet
Joined
Mar 2, 2012
Messages
2
Greetings!

I did this very same thing today and I can't figure out how to get it fixed. Can someone please help?

my userAccountControl was set to 69632 by FreeNas. I changed this to 532480 and rebooted. Still having the problem and DNS zones are missing/wont load.

This is 2003 server. We only have 1 domain controller.
 

justchil

Cadet
Joined
Mar 2, 2012
Messages
2
Whew! Lessons learned the hard way. Had to reset the secure channel key as mentioned above and a few other random things.

Wasted 4 hours I could have been using to play with Freenas :P I won't make that mistake again ;)
 

tcrichton

Cadet
Joined
Apr 18, 2012
Messages
1
Thanks for putting together this post... I made this mistake and luckily with your notes I managed to get the DC back into its usual role nice and quick.

Then came the DNS and thanks to LinuxTracker for taking the time to detail his fixes for that...

A quick reboot out of hours and it seems everything is back to normal!

I won't be making that mistake again!
 

tmstone835

Cadet
Joined
Aug 8, 2011
Messages
5
More than one DC entry?

This seems to be a serious flaw in this design. I am surprised that this only authenticates to a single domain controller. What if that goes offline for maintenance or a reboot? No one can access the NAS via AD authentication.
 

noprobs

Explorer
Joined
Aug 12, 2012
Messages
53
This seems to be a serious flaw in this design. I am surprised that this only authenticates to a single domain controller. What if that goes offline for maintenance or a reboot? No one can access the NAS via AD authentication.

I agree this is a significant issue. I just rebooted freeNAS when the listed DC was down for maintenance and the startup stalled. Recommended best practice is to have multiple DCs - is there any way to set multiple DCs in FreeNAS (i tried adding a comma between DCs in FreeNAS - this didn't generate any errors in 8.3-beta1 however it also did not work).

Jon
 

ServerBabon

Cadet
Joined
Apr 9, 2012
Messages
1
I have put the domain name in the dc box which seems to work, although I haven't got around to shutting down a dc and rebooting yet, I still get my ldap cache rebuilding after a reboot. The dns servers will round robin an ip address of a DC to a request for the domain name. Not sure of SAMBA's requirements for Global Catalogues but in my small home domain with all my domain controllers are Global Catalogs anyway, this doesn't seem to be the issue it once was.

This isn't the ideal solution as Freenas is not trying DC's in a list but it increases the probability of finding a working DC.
 

aae

Cadet
Joined
Jan 2, 2013
Messages
4
i just did this! hosed an SDC

problem is, i can't get to the sourceforge post to see what i'm supposed to do to fix it!

help!
 

aae

Cadet
Joined
Jan 2, 2013
Messages
4
i just did this! hosed an SDC

problem is, i can't get to the sourceforge post to see what i'm supposed to do to fix it!

help!

anybody else have the original information?

i've got 6 SDC and a PDC, and now users everywhere are starting to fail to connect to DFS shares throughout the company... the SDC info i had put into freenas was hosting a couple DFS shares... now i'm getting "Logon Failure: The target account name is incorrect." en masse in my active directory
 

aae

Cadet
Joined
Jan 2, 2013
Messages
4
i was able to reset the keys and that looks like it sorted some of the issues out for about a day, now it's gone back to the same issue... i found a microsoft KB article on the subject

http://support.microsoft.com/kb/325850

i followed the directions including stopping the service, but i was a little unclear on how i was supposed to do it... i have a PDC and 6 SDCs, so i just stopped the KDC service on all of them, ran the netdom commands on the PDC only, reboot, re-enabled kdc, and that got me going for a little while, but i was still coming up with those kerberos errors in event log...

now the "account name incorrect" errors are coming back when trying to access stuff over my DFS shares...

my forward lookup zones in DNS look OK though...
 

noprobs

Explorer
Joined
Aug 12, 2012
Messages
53
Unfortunately I made the same error a while back but was (finally) able to correct. Regrettably I did not document what I did (quite a lot of trial and error and snapshot restroes) however the actions included resetting machine password account (as above). Resetting permission on DC computer object (ADSIedit UserAccountControl to 532480). I then used dcdiag /v to work through final errors. I know I had a DNS error and then I had a replication error in the forest which required manual editing.

Sorry I cant be more specific.

Jon
 

aae

Cadet
Joined
Jan 2, 2013
Messages
4
Resetting permission on DC computer object (ADSIedit UserAccountControl to 532480).

Sorry I cant be more specific.

Jon

any details on how you do this?

i found this article: http://support.microsoft.com/kb/305144 is that the same thing?


EDIT:
http://webcache.googleusercontent.c...countcontrol-issue/+&cd=3&hl=en&ct=clnk&gl=us
followed these directions.... my SDC that i had put into the freenas field + my pdc were both not 532480... fixed those... hopefully that does it for me...
 

drzoidberg33

Cadet
Joined
Aug 15, 2013
Messages
6
I wish I had seen this thread before breaking things. I'm just glad we only have one DC and not very many users but was still stressing huge over this especially because of the fact that it broke our Exchange server too.

Somebody should really put a warning on that entry box! Took me a few days to get everything running properly again (I'm still busy now, but basically just waiting for files to copy to the NAS).

Please FreeNAS, prevent others from falling into this trap.
 
Status
Not open for further replies.
Top