Cannot Complete Active Directory Join

twitchfidelis · Jun 24, 2023

Hello,

My TrueNAS Scale server cannot join my Active Directory Domain. Every time I try I get an error and then it is stuck in a JOINING status for a while and then changes to FAULTED on the Active Directory configuration page in TrueNAS. Can anyone please help? I tried Googling this error too and not much came up.

MOBO: Supermicro X10DRI-T4+
CPU: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz x2
RAM: 128GB DDR4 PC4-21300
SSD: 500 GB SAMSUNG 970 PRO x2 <-- OS installed here
HDD: WD RED Pro NAS Drives x12 <---Various Sizes

FAILED

[EINVAL] lookup_data.dns_client_options.lifetime: Not an integer

More info...
Error: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/middlewared/job.py", line 428, in run
await self.future
File "/usr/lib/python3/dist-packages/middlewared/job.py", line 463, in __run_body
rv = await self.method(*([self] + args))
File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 675, in start
await self.middleware.call('activedirectory.set_kerberos_servers', ad)
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1395, in call
return await self._call(
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1344, in _call
return await methodobj(*prepared_call.args)
File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/krb5.py", line 130, in set_kerberos_servers
site_indexed_kerberos_servers = await self.get_kerberos_servers(ad)
File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/krb5.py", line 113, in get_kerberos_servers
res = await self.middleware.call(
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1395, in call
return await self._call(
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1355, in _call
return await self.run_in_executor(prepared_call.executor, methodobj, *prepared_call.args)
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1258, in run_in_executor
return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
File "/usr/lib/python3.9/concurrent/futures/thread.py", line 52, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/dns.py", line 257, in get_n_working_servers
servers = self.middleware.call_sync('dnsclient.forward_lookup', {
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1414, in call_sync
return self.run_coroutine(methodobj(*prepared_call.args))
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1454, in run_coroutine
return fut.result()
File "/usr/lib/python3.9/concurrent/futures/_base.py", line 433, in result
return self.__get_result()
File "/usr/lib/python3.9/concurrent/futures/_base.py", line 389, in __get_result
raise self._exception
File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1377, in nf
args, kwargs = clean_and_validate_args(args, kwargs)
File "/usr/lib/python3/dist-packages/middlewared/schema.py", line 1371, in clean_and_validate_args
raise verrors
middlewared.service_exception.ValidationErrors: [EINVAL] lookup_data.dns_client_options.lifetime: Not an integer

beisser · Jun 26, 2023

i have the exact same error message an behavior when im trying to join our active directory domain.
any possible advice is appreciated

Davide Zanon · Jun 26, 2023

Hi, I'm having the same problem joining a freshly installed SCALE system to my AD.

anodos · Jun 26, 2023

This was a regression in 22.12.3 for case where TrueNAS is in a non-default site. NAS-122570. There are workaround steps in the ticket.

Davide Zanon · Jun 26, 2023

Thanks @anodos,
I never had to browse in the ticketing system and it seems I'm unable/too dumb to look for that ticket,
if I try to access it directly from the url it asks me to login... it this correct?

anodos · Jun 26, 2023

Davide Zanon said:
Thanks @anodos,
I never had to browse in the ticketing system and it seems I'm unable/too dumb to look for that ticket,
if I try to access it directly from the url it asks me to login... it this correct?

It was private. I made ticket public.

Davide Zanon · Jun 26, 2023

anodos said:
It was private. I made ticket public.

Thanks but I still can't access it, maybe it takes a moment to make it public.
Is that link I posted correct?

anodos · Jun 26, 2023

Davide Zanon said:
Thanks but I still can't access it, maybe it takes a moment to make it public.
Is that link I posted correct?

Gist of workaround is as follows:

This may be worked around by running the following command:

midclt call activedirectory.lookup_dc <domain name>

And input what you get as Client Site Name as your Site Name in active directory form. This will bypass auto-detection of KDCs during the domain join which is where the issue occurs.

Davide Zanon · Jun 26, 2023

anodos said:
Gist of workaround is as follows:

This may be worked around by running the following command:

midclt call activedirectory.lookup_dc <domain name>

And input what you get as Client Site Name as your Site Name in active directory form. This will bypass auto-detection of KDCs during the domain join which is where the issue occurs.

It worked! Thanks for posting here the content of the ticket.

anodos · Jun 26, 2023

Davide Zanon said:
It worked! Thanks for posting here the content of the ticket.

Great. We'll add this to known impacts in 22.12.3.

beisser · Jun 26, 2023

interestingly, when i use that command it gives me this result:

Code:

[EFAULT] Failed to look up Domain Controller information: Didn't find the cldap server!
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 204, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1344, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 1027, in lookup_dc
    raise CallError("Failed to look up Domain Controller information: "
middlewared.service_exception.CallError: [EFAULT] Failed to look up Domain Controller information: Didn't find the cldap server!

that is odd though as other machines (not necessarily linux) dont have that issue and can join the AD just fine.
any more ideas?

anodos · Jun 26, 2023

beisser said:

interestingly, when i use that command it gives me this result:

Code:

[EFAULT] Failed to look up Domain Controller information: Didn't find the cldap server!
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 204, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1344, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 1027, in lookup_dc
    raise CallError("Failed to look up Domain Controller information: "
middlewared.service_exception.CallError: [EFAULT] Failed to look up Domain Controller information: Didn't find the cldap server!

that is odd though as other machines (not necessarily linux) dont have that issue and can join the AD just fine.
any more ideas?

That's unrelated to the the timeout issue. Perhaps make sure that you don't have stale info cached (and also make sure your DNS is configured correctly) net cache flush.

twitchfidelis · Jun 26, 2023

Thank you everyone for your responses. I ran the command as suggested:

midclt call activedirectory.lookup_dc MYDOMAIN.LOCAL

and received the following error:

[EFAULT] Failed to look up Domain Controller information: Didn't find the cldap server!
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 204, in call_method
result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1344, in _call
return await methodobj(*prepared_call.args)
File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 1027, in lookup_dc
raise CallError("Failed to look up Domain Controller information: "
middlewared.service_exception.CallError: [EFAULT] Failed to look up Domain Controller information: Didn't find the cldap server!

So as suggested I ran this command to clear the cash and try again, but no luck.

sudo net cache flush

I checked the DNS settings, and they look correct to me. I only have one DNS server at 192.68.2.20, and that's what's in the network DNS settings on TrueNAS. Is there something else besides the IP address on the DNS server I need to put in the TrueNAS network settings.

Just FYI, I have several Windows machines already joined to this domain as well as an old FreeNAS 11 server that connect just fine. I am trying to replace the FreeNAS 11 server with the new TrueNAS Scale server.

Thank you all for your help!

beisser · Jun 26, 2023

in my case its the same. i have a truenas core 13U4 connected to the domain (just recently) which didnt fail.
i only have 2 dns servers on the network which are the two domain controllers.
flushing the cache did not help for me either.

just for fun i set up a brand new truenas core 13u4 on a seperate machine and tried to join it and it worked, so something is definitely off with truenas scale here.

beisser · Jun 27, 2023

to add further info this is what the comman output looks like on the truenas core 13u4 after i joined that 2 hours ago:

Code:

root@truenas[~]# midclt call activedirectory.lookup_dc arrowlab.local
{"Information for Domain Controller": "172.16.10.200", "Response Type": "LOGON_SAM_LOGON_RESPONSE_EX", "GUID": "49a10027-2abf-425d-a7eb-d82d6930c088", "Forest": "arrowlab.local", "Domain": "arrowlab.local", "Domain Controller": "AD-1.arrowlab.local", "Pre-Win2k Domain": "ARROWLAB", "Pre-Win2k Hostname": "AD-1", "Server Site Name": "ARROWLAB", "Client Site Name": "ARROWLAB", "NT Version": 5, "LMNTToken": 65535, "LM20 Token": 65535, "Flags": {"Is a PDC": true, "Is a GC of theforest": true, "Is an LDAP server": true, "Supports DS": true, "Is running a KDC": true, "Is running time services": true, "Is the closest DC": true, "Is writable": true, "Has a hardware clock": true, "Is a non-domain NC serviced by LDAP server": false, "Is NT6 DC that has some secrets": false, "Is NT6 DC that has allsecrets": true, "Runs Active Directory Web Services": true, "Runs on Windows 2012 or later": true}}

on truenas scale this simply fails with the error above:

Code:

root@ibm-truenas:/home/admin# midclt call activedirectory.lookup_dc arrowlab.local
[EFAULT] Failed to look up Domain Controller information: Didn't find the cldap server!
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 204, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1344, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 1027, in lookup_dc
    raise CallError("Failed to look up Domain Controller information: "
middlewared.service_exception.CallError: [EFAULT] Failed to look up Domain Controller information: Didn't find the cldap server!

beisser · Jun 27, 2023

thinking that this may be caused by the different vlans those machines reside in i deployed another truenas core in the same vlan and subnet as the failing truenas scale but that one also joins just fine.

twitchfidelis · Jun 27, 2023

Well I only have one DC/DNS Server and both it and the Free/TrueNAS servers are on the same primary LAN.

beisser · Jun 28, 2023

another update from me. i updated my (failing to join) truenas scale to the latest nightly of truenas scale 23.10 and tried the same thing again and it worked fine.
to me that proves that something is broken in the current productionversion of truenas scale.
next test will be to roll back the version to 22.12.2 and see if i can join on that one as well.

edit: joining domain on 22.12.2 worked as well.

something_amusing · Aug 13, 2023

anodos said:
That's unrelated to the the timeout issue. Perhaps make sure that you don't have stale info cached (and also make sure your DNS is configured correctly) net cache flush.

I'm seeing this same thing on 22.12.3.3. The flush command doesn't help. DNS is correct. I can run NSLOOKUP on the domain without issue. Is there an open ticket I should be watching?

anodos · Aug 15, 2023

something_amusing said:
I'm seeing this same thing on 22.12.3.3. The flush command doesn't help. DNS is correct. I can run NSLOOKUP on the domain without issue. Is there an open ticket I should be watching?

Can you dig the KRB and LDAP SRV records? That's more relevant here.

Important Announcement for the TrueNAS Community.

Cannot Complete Active Directory Join

Cadet

Cadet

Dabbler

Sambassador

Dabbler

Sambassador

Dabbler

Sambassador

Dabbler

Sambassador

Cadet

Sambassador

Cadet

Cadet

Cadet

Cadet

Cadet

Cadet

Cadet

Sambassador

Similar threads