Failed to join Windows AD - LdapErr: DSID-0C09079A

Status
Not open for further replies.

niki_k

Cadet
Joined
Jul 3, 2018
Messages
3
Hello

I have FreeNAS-11.1-U5 and am trying to join it to a Windows Server Essentials 2012 AD.
I followed User Manual section "9.1. Active Directory". The NTP and DNS services are configured and working. I can resolve names from the AD domain and the DNS records for the AD services.
When I enter the domain name, user name and password in the Active Directory UI and try to enable it, I receive this error in the UI:

{'desc': 'Operations error', 'info': '000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0'}

I tried to execute the commands from section 9.1.2 of the User Guide:
  1. sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;" returns 0
  2. service ix-kerberos start returns:

ERROR: {'desc': 'Operations error', 'info': '000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0'}
Traceback (most recent call last):
  File "/usr/local/libexec/nas/generate_krb5_conf.py", line 549, in <module>
    main()
  File "/usr/local/libexec/nas/generate_krb5_conf.py", line 480, in main
    timeout=fs().directoryservice.kerberos.timeout.start))
  File "/usr/local/lib/python3.6/site-packages/middlewared/client/client.py", line 434, in call
    raise ClientException(c.error, c.errno, c.trace, c.extra)
middlewared.client.client.ClientException: {'desc': 'Operations error', 'info': '000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v23f0'}


As I understand from an Internet search about this error, there is a missing user authentication before connecting to AD.
I checked /data/freenas-v1.db and the user name and password are present in the directoryservice_activedirectory table.

When I try with a wrong username or password I receive the same error - LdapErr: DSID-0C09079A.

Is it possible to remove all AD related settings and try again, or to enable some debug functions to check what is read from the database? I tried to set the verbose flag in the AD configuration but nothing happens; there are no additional messages in /var/log/messages.

I created a bug for this issue: 36488

Best Regards
Nikolay Kanchev
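The 'info' string in this error has a fixed layout: a leading Win32 error code in hex, the DSID, a free-text comment, a 'data' field (also hex) and a version tag. The script below is an added example, not code from the thread, from FreeNAS or from the linked bug report; it parses messages of that shape and maps the hex codes to their Win32 names. The first sample is the traceback line quoted above; the second sample message is constructed for illustration (its DSID and version values are placeholders), and the code-name table covers only the codes commonly seen in AD bind diagnostics.

```python
import ast
import re
from typing import Optional

# Win32 error codes that Active Directory places in LDAP diagnostic messages.
# Values are from the public Win32 error list; 0x4DC is the code in this thread.
WIN32_ERRORS = {
    0x4DC: "ERROR_NOT_AUTHENTICATED",     # request needs a completed bind
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE",         # wrong user name or password
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
    0x80090308: "SEC_E_INVALID_TOKEN",    # leading code of rejected binds; see 'data'
}

# Shape of 'info': '<win32 hex>: LdapErr: DSID-<hex>, comment: <text>, data <hex>, v<hex>'
_DIAG_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]{8}), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)\s*$"
)


def parse_ldap_diag(info: str) -> Optional[dict]:
    """Split an AD LDAP diagnostic string into its fields; None if it does not match."""
    m = _DIAG_RE.search(info)
    if m is None:
        return None
    win32 = int(m.group("win32"), 16)
    data = int(m.group("data"), 16)
    return {
        "win32_code": win32,
        "win32_name": WIN32_ERRORS.get(win32, "UNKNOWN"),
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment"),
        "data": data,
        # 'data' carries the account-level reason on rejected binds; 0 means none
        "data_name": WIN32_ERRORS.get(data, "UNKNOWN") if data else None,
    }


def parse_error_line(line: str) -> Optional[dict]:
    """Handle a whole log line wrapping the dict FreeNAS prints: {'desc': ..., 'info': ...}."""
    start, end = line.find("{"), line.rfind("}")
    if start == -1 or end == -1:
        return parse_ldap_diag(line)
    try:
        payload = ast.literal_eval(line[start:end + 1])
    except (ValueError, SyntaxError):
        return None
    if not isinstance(payload, dict) or "info" not in payload:
        return None
    parsed = parse_ldap_diag(str(payload["info"]))
    if parsed is not None:
        parsed["desc"] = payload.get("desc")
    return parsed


def explain(parsed: dict) -> str:
    """One-line reading of the parsed fields, for a quick look at a log."""
    cause = parsed["win32_name"]
    if parsed["data_name"]:
        cause = f"{cause}, account state {parsed['data_name']}"
    return f"{parsed.get('desc', 'LDAP error')}: {cause} (DSID-{parsed['dsid']})"


# The traceback line from this thread, verbatim.
SAMPLE_LINE = (
    "middlewared.client.client.ClientException: {'desc': 'Operations error', "
    "'info': '000004DC: LdapErr: DSID-0C09079A, comment: In order to perform this "
    "operation a successful bind must be completed on the connection., data 0, v23f0'}"
)

# Constructed example of what a rejected credential looks like instead (the DSID
# and version values are illustrative placeholders, not captured output).
CONSTRUCTED_BAD_PASSWORD = (
    "{'desc': 'Invalid credentials', 'info': '80090308: LdapErr: DSID-00000000, "
    "comment: AcceptSecurityContext error, data 52e, v0000'}"
)

if __name__ == "__main__":
    for line in (SAMPLE_LINE, CONSTRUCTED_BAD_PASSWORD):
        print(explain(parse_error_line(line)))
```

Run on the thread's message this reports ERROR_NOT_AUTHENTICATED with data 0, which agrees with the comment text: the server refused a search on a connection it did not consider bound, rather than rejecting the account. A wrong password would normally surface as a non-zero 'data' value such as 52e, so a message that stays identical with deliberately wrong credentials is a useful sign that the credentials are not reaching the bind at all.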
 

niki_k

Cadet
Joined
Jul 3, 2018
Messages
3
Some new results after a packet capture of the LDAP communication between FreeNAS and AD.
The communication session starts with DNS queries that seem OK.
After DNS, the LDAP communication starts:
  • bindRequest -> with proper username and domain with simple authentication
  • bindResponse -> result code 0 success
  • unbindRequest from FreeNAS to AD
  • session closed

After this a new DNS query is started and a new LDAP session:
  • bindRequest -> with proper username and domain with simple authentication
  • bindResponse -> result code 0 success
  • searchRequest <ROOT> baseObject
  • searchResDone -> result code 1 operationsError and LdapErr: DSID-0c09079A

I'm not an expert on LDAP but the strange thing is that I have the same results from the packet capture even if I use a wrong password in the FreeNAS UI.

Perhaps there is something wrong with AD settings and anonymous access.
 

niki_k

Cadet
Joined
Jul 3, 2018
Messages
3
New results.
After some new unsuccessful attempts to join the FreeNAS box to AD I tried to revert the Windows server to the state before the first attempt to join FreeNAS.
Now FreeNAS successfully joins AD and I can use users and groups.
I don't have more time to investigate the reason for this issue - it seems that there was a problem with the Windows server configuration.
 