For the last few days I have been taking a butt whooping trying to get a FreeNAS server to reconnect to Active Directory. We have 2 FreeNAS 9.3 servers, both fully upgraded, one in the corporate office and one at our replication site. We have a single domain controller in the corporate site. I initially set up both FreeNAS servers here at the corporate office and everything worked fine, including the connection to Active Directory for the CIFS shares. Once I moved one of the FreeNAS servers to the replication site, it could no longer fully connect to the domain controller.
The replication site is connected to corporate using an IPSEC tunnel. I have a 2012 R2 server core and a Win 7 client, which both connected to the domain controller just fine. I was able to join the domain from the replication site on both. The FreeNAS server can also join the domain from the replication site. The problem is, when I try to connect with FreeNAS’ “Active Directory” settings, it times out and I get a “Cannot contact any KDC for requested realm”.
I only see errors on the FreeNAS side. There are no errors I can find on the domain controller. I do see successful Kerberos authentication ticket (TGT) requests on the DC, and I can also see the TGT on the FreeNAS server by running a ‘klist’ command. What I fail to see is the next step of Kerberos (I believe), where FreeNAS requests a Kerberos service ticket. The FreeNAS in corporate does this after the TGT, but there is nothing in the Event Viewer showing that the replication site FreeNAS attempts this.
I have read many posts on here and other sites and have tried a lot of things. Here are the main ones I can think of.
- If I type a bad password in, I get an Invalid Credentials error.
- I can ping the DC by name, FQDN, and IP, as well as ping the domain itself from the replication FreeNAS server. I can also ping the replication FreeNAS from the DC using name and FQDN.
- I have shut down all firewalls for testing, and can telnet from the replication FreeNAS to the domain controller on all the ports Kerberos uses when the firewalls are up.
- I have the subnet of the replication site set up as a site in AD.
- I am using the DC as the NTP server for the FreeNAS and time is accurate.
- I have manually created the FreeNAS object in AD, as well as let FreeNAS auto-create it. I can also disable the AD object from FreeNAS.
- I can manually do a ‘kinit’ command and get a successful ticket.
Here is my krb5.conf file, I have tried both using IP entries as well as setting ‘dns_lookup_kdc = false’:
Code:
[appdefaults]
    pam = {
        forwardable = true
        ticket_lifetime = 86400
        renew_lifetime = 86400
    }

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    clockskew = 300
    forwardable = yes

[domain_realm]
    xyz.local = XYZ.LOCAL
    .xyz.local = XYZ.LOCAL
    XYZ.LOCAL = XYZ.LOCAL
    .XYZ.LOCAL = XYZ.LOCAL

[realms]
    XYZ.LOCAL = {
        kdc = xyz-dc.xyz.local:88
        admin_server = xyz-dc.xyz.local:88
        kpasswd_server = xyz-dc.xyz.local:464
        default_domain = XYZ.LOCAL
    }

[logging]
    default = SYSLOG:INFO:LOCAL7
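The checklist above (ping, telnet to the Kerberos ports, kinit, klist) covers the pieces one at a time. As an added example, not part of the post or of FreeNAS, here is a small script that reads a krb5.conf the way libkrb5 does, lists the KDC endpoints the [realms] section actually names, tries a TCP connect to each, and flags a [domain_realm] mapping that points at a realm with no KDC configured while dns_lookup_kdc is off (with dns_lookup_kdc on, libkrb5 also consults the _kerberos._tcp/_udp.<REALM> SRV records, which this script does not query). The embedded sample config is the poster's file reflowed; the default path /etc/krb5.conf and the 3-second timeout are assumptions.

```python
"""Parse krb5.conf, enumerate the KDC endpoints it configures, and probe them.

Added diagnostic example (not from the forum post or FreeNAS). The sample
config below is the poster's krb5.conf; the path and timeout are assumptions.
"""
import re
import socket

# Constructed sample: the poster's krb5.conf, one directive per line.
SAMPLE_KRB5_CONF = """
[appdefaults]
    pam = {
        forwardable = true
        ticket_lifetime = 86400
        renew_lifetime = 86400
    }
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    clockskew = 300
    forwardable = yes
[domain_realm]
    xyz.local = XYZ.LOCAL
    .xyz.local = XYZ.LOCAL
[realms]
    XYZ.LOCAL = {
        kdc = xyz-dc.xyz.local:88
        admin_server = xyz-dc.xyz.local:88
        kpasswd_server = xyz-dc.xyz.local:464
        default_domain = XYZ.LOCAL
    }
[logging]
    default = SYSLOG:INFO:LOCAL7
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value | {subkey: value}}}.
    One level of 'name = { ... }' nesting is supported (enough for [realms]);
    a key that repeats (e.g. several kdc lines) becomes a list."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:                   # directive before any [section]
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            sub = section.setdefault(m.group(1), {})
            continue
        if line == '}':
            sub = None
            continue
        key, _, val = line.partition('=')
        key, val = key.strip(), val.strip()
        target = sub if sub is not None else section
        if key in target:
            prev = target[key]
            target[key] = (prev if isinstance(prev, list) else [prev]) + [val]
        else:
            target[key] = val
    return conf


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _split_host_port(value, default_port):
    host, _, port = value.rpartition(':')
    return (value, default_port) if not host else (host, int(port))


def kdc_endpoints(conf, realm):
    """(kind, host, port) for every kdc / kpasswd_server line of the realm.
    Ports default to 88 (KDC) and 464 (kpasswd) when not given explicitly."""
    realm_cfg = conf.get('realms', {}).get(realm, {})
    out = []
    for key, default in (('kdc', 88), ('kpasswd_server', 464)):
        for v in _as_list(realm_cfg.get(key, [])):
            host, port = _split_host_port(v, default)
            out.append((key, host, port))
    return out


def realm_mapping_problems(conf):
    """Realms named in [domain_realm] that have no [realms] entry while
    dns_lookup_kdc is off: libkrb5 then has nowhere to send the request.
    MIT's default for dns_lookup_kdc is true, so an unset value is fine."""
    flag = str(conf.get('libdefaults', {}).get('dns_lookup_kdc', 'true')).lower()
    if flag in ('true', 'yes', '1'):
        return []
    mapped = set()
    for v in conf.get('domain_realm', {}).values():
        mapped.update(_as_list(v))
    return sorted(mapped - set(conf.get('realms', {})))


def probe_tcp(host, port, timeout=3.0):
    """True if a TCP connection succeeds (the same thing 'telnet host 88' tests)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == '__main__':
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else '/etc/krb5.conf'  # assumed path
    with open(path) as fh:
        cfg = parse_krb5_conf(fh.read())
    for realm_name in cfg.get('realms', {}):
        for kind, host, port in kdc_endpoints(cfg, realm_name):
            state = 'open' if probe_tcp(host, port) else 'NO TCP CONNECT'
            print(f'{realm_name}: {kind} {host}:{port} -> {state}')
    for realm_name in realm_mapping_problems(cfg):
        print(f'[domain_realm] maps to {realm_name}, but [realms] has no entry '
              f'for it and dns_lookup_kdc is off')
```

Once every endpoint reports open, the step the post says it never sees on the DC can be forced by hand: after `kinit user@XYZ.LOCAL`, run `kvno cifs/xyz-dc.xyz.local@XYZ.LOCAL` (kvno ships with both MIT and Heimdal Kerberos) and then `klist`; the service ticket should appear in the cache, and a KDC-side ticket-request event should follow. If kvno fails with the same "Cannot contact any KDC" while kinit succeeds, the TGS exchange is what is being lost on the path, not the AS exchange.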