FreeNAS-11.3-U2 not joining active directory

kurtis.uk

Cadet
Joined
Apr 8, 2020
Messages
3
Hi, first time posting here. I have a newly installed FreeNAS 11.3 U2 and am trying to join it to my also recently installed Univention Corporate Server, which has Samba AD installed and has Windows PCs successfully connected to its domain. I have imported Univention's CA file into FreeNAS and filled out the Active Directory settings as follows:

Domain Name: mydomain.local
Domain Account Name: administrator
Domain Account Password: **************
Encryption Mode: ON
Certificate: the certificate that I imported
Validate Certificates: Checked
Allow DNS Updates: Checked
Disable FreeNAS Cache: Checked
AD Timeout: 60
DNS Timeout: 10
Idmap backend: AUTORID
SASL wrapping: SIGN
Enable: Checked

After I enabled Active Directory, the status in the Directory Services tab shows 'Faulted', and in Task Manager it shows that activedirectory.start has a red cross and stopped at 20% progress. The details show:

Status: FAILED
Start Time: Wed Apr 8, 2020, 17:27:30 (Europe/London)
Finished Time: Wed Apr 8, 2020, 17:27:31
Error: [EFAULT] {'desc': 'Operations error', 'info': 'SASL: Failed to start authentication system: NT_STATUS_INVALID_PARAMETER'}

I have tried checking all the settings, including DNS settings, which all resolve to my domain controllers. I have also tried a mixture of trial and error with the settings but had no success. I have also tried a fresh install of FreeNAS, but the problem persists.

I'm not sure what logs I need to upload, but if they are needed then I can get these and upload.

Thank you in advance :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Can you PM me a debug? System->Advanced->Save Debug
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Actually, Univention is a Samba DC, which means that it doesn't allow SASL over TLS by default. Either turn off encryption or set SASL to plain.
 

kurtis.uk

Cadet
Joined
Apr 8, 2020
Messages
3
anodos said:
Actually, Univention is a Samba DC, which means that it doesn't allow SASL over TLS by default. Either turn off encryption or set SASL to plain.

I've just tried setting it to plain and disabling and then re-enabling Active Directory, but I'm still getting the Error: [EFAULT] {'desc': 'Operations error', 'info': 'SASL: Failed to start authentication system: NT_STATUS_INVALID_PARAMETER'} message in the Task Manager.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
kurtis.uk said:
I've just tried setting it to plain and disabling and then re-enabling Active Directory, but I'm still getting the Error: [EFAULT] {'desc': 'Operations error', 'info': 'SASL: Failed to start authentication system: NT_STATUS_INVALID_PARAMETER'} message in the Task Manager.

You shouldn't see a SASL message if SASL wrapping is plain. STATUS_INVALID_PARAMETER means we're probably still trying to do SASL over TLS. Run the command midclt call activedirectory.config | jq and verify that your config looks correct.
 
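The two replies from anodos above give a rule (a Samba DC such as Univention refuses SASL signing or sealing on top of a TLS-wrapped LDAP session by default, and NT_STATUS_INVALID_PARAMETER from the SASL bind means that combination is probably still in effect) and a check (dump the config with midclt call activedirectory.config | jq and look at it). The following is an added example that makes that check mechanical; it is not iXsystems code and not from this thread. It lints the dictionary that midclt prints, using the field names visible in the config dumps posted here, and builds the minimal activedirectory.update payload that removes the rejected combination. SAMPLE_CONFIG is copied from the first dump in the thread with the password removed; the rule itself is anodos's statement, which the example does not verify against a server.

```python
"""Lint a FreeNAS 11.3 Active Directory config for the SASL-over-TLS trap.

Added example for this thread, not iXsystems code. Input is the object
printed by `midclt call activedirectory.config | jq`. The rule encoded is
the one stated in the replies: a Samba DC (Univention) rejects SASL
SIGN/SEAL on top of a TLS-wrapped LDAP session by default, which surfaces
as NT_STATUS_INVALID_PARAMETER from the SASL bind.
"""
import json

TLS_MODES = {"ON", "START_TLS"}   # "ssl" values seen in the thread; "OFF" means no TLS
WRAPPED = {"SIGN", "SEAL"}        # "ldap_sasl_wrapping" values that add GSSAPI integrity/confidentiality

# Copied from the first config dump posted in the thread, password removed.
SAMPLE_CONFIG = {
    "domainname": "NETCONNECT.LOCAL",
    "bindname": "administrator",
    "ssl": "ON",
    "certificate": 1,
    "validate_certificates": True,
    "kerberos_realm": 1,
    "idmap_backend": "AUTORID",
    "ldap_sasl_wrapping": "SIGN",
    "enable": True,
}


def lint_ad_config(cfg):
    """Return (severity, message) findings; an empty list means nothing to flag."""
    ssl = cfg.get("ssl", "OFF")
    wrap = cfg.get("ldap_sasl_wrapping", "PLAIN")
    findings = []
    if ssl in TLS_MODES and wrap in WRAPPED:
        findings.append(("error",
            f"ssl={ssl} with ldap_sasl_wrapping={wrap}: SASL {wrap} over TLS; "
            "a Samba DC refuses this by default "
            "(SASL bind fails with NT_STATUS_INVALID_PARAMETER)"))
    if ssl == "OFF" and wrap == "PLAIN":
        findings.append(("warn",
            "ssl=OFF with ldap_sasl_wrapping=PLAIN: after the GSSAPI bind the LDAP "
            "session has neither TLS nor SASL integrity/confidentiality"))
    return findings


def suggested_update(cfg, keep_tls=True):
    """Minimal payload for `midclt call activedirectory.update`, or None if not needed.

    keep_tls=True keeps the TLS wrapping and drops SASL SIGN/SEAL; keep_tls=False
    keeps SIGN/SEAL (Kerberos-level protection) and turns TLS off. Either way the
    rejected combination is gone and one protection layer remains.
    """
    if not any(sev == "error" for sev, _ in lint_ad_config(cfg)):
        return None
    return {"ldap_sasl_wrapping": "PLAIN"} if keep_tls else {"ssl": "OFF"}


def midclt_update_command(cfg, keep_tls=True):
    """The shell line to run, built from suggested_update(); None if nothing to change."""
    payload = suggested_update(cfg, keep_tls)
    if payload is None:
        return None
    return "midclt call activedirectory.update '%s'" % json.dumps(payload)


if __name__ == "__main__":
    for sev, msg in lint_ad_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
    print(midclt_update_command(SAMPLE_CONFIG))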

kurtis.uk

Cadet
Joined
Apr 8, 2020
Messages
3
anodos said:
You shouldn't see a SASL message if SASL wrapping is plain. STATUS_INVALID_PARAMETER means we're probably still trying to do SASL over TLS. Run the command midclt call activedirectory.config | jq and verify that your config looks correct.

It all looks okay to me, apart from some values that are empty? SASL is set to plain on it.



{
"id": 1,
"domainname": "NETCONNECT.LOCAL",
"bindname": "administrator",
"bindpw": "***************",
"ssl": "ON",
"certificate": 1,
"validate_certificates": true,
"verbose_logging": true,
"allow_trusted_doms": false,
"use_default_domain": false,
"allow_dns_updates": true,
"disable_freenas_cache": true,
"site": "",
"kerberos_realm": 1,
"kerberos_principal": "",
"createcomputer": "",
"timeout": 60,
"dns_timeout": 10,
"idmap_backend": "AUTORID",
"nss_info": null,
"ldap_sasl_wrapping": "PLAIN",
"enable": true,
"netbiosname": "netconnect-fs1",
"netbiosalias": []
}
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Empty values are typically fine, but some of our auto-detection didn't succeed because middleware was trying to do SASL_EXTERNAL bind rather than a SASL_GSSAPI or simple bind to your AD LDAP server.
 

jackivan88

Cadet
Joined
Apr 15, 2020
Messages
2
Has there been any progress with this issue? This is my current AD config output:

{
"id": 1,
"domainname": "********",
"bindname": "********",
"bindpw": "********",
"ssl": "START_TLS",
"certificate": 2,
"validate_certificates": true,
"verbose_logging": true,
"allow_trusted_doms": false,
"use_default_domain": false,
"allow_dns_updates": false,
"disable_freenas_cache": false,
"site": "",
"kerberos_realm": 1,
"kerberos_principal": "",
"createcomputer": "",
"timeout": 60,
"dns_timeout": 10,
"idmap_backend": "RID",
"nss_info": null,
"ldap_sasl_wrapping": "PLAIN",
"enable": true,
"netbiosname": "nas-01",
"netbiosalias": [
"NAS-01"
]
}

I had attempted to match the one above without success. I am running UCS 4.4 and FreeNAS 11.3-U2.
 

jackivan88

Cadet
Joined
Apr 15, 2020
Messages
2
I went ahead and made the suggested change via the GUI and it worked, but when I export the config it still claims the cert is in use. Not sure why. The working config is below.

{
"id": 1,
"domainname": "********",
"bindname": "********",
"bindpw": "********",
"ssl": "OFF",
"certificate": 2,
"validate_certificates": true,
"verbose_logging": true,
"allow_trusted_doms": false,
"use_default_domain": false,
"allow_dns_updates": true,
"disable_freenas_cache": false,
"site": "Default-First-Site-Name",
"kerberos_realm": 1,
"kerberos_principal": "",
"createcomputer": "",
"timeout": 60,
"dns_timeout": 10,
"idmap_backend": "RID",
"nss_info": null,
"ldap_sasl_wrapping": "PLAIN",
"enable": true,
"netbiosname": "nas-01",
"netbiosalias": [
"NAS-01"
]
}
 

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
I am desperate about this as well.

I am trying to join a FreeNAS 11.3-U3.2 to a domain with two Samba DCs, while two other FreeNAS systems (versions FreeNAS-11.1-U5 and FreeNAS-11.3-U3.1) are already joined. But I can't make it happen.
This is the config from the working one (11.3-U3.1):
Code:
{
  "id": 1,
  "domainname": "DOMAIN",
  "bindname": "administrator",
  "bindpw": "PASSWORD",
  "ssl": "START_TLS",
  "certificate": 2,
  "validate_certificates": true,
  "verbose_logging": true,
  "allow_trusted_doms": false,
  "use_default_domain": false,
  "allow_dns_updates": true,
  "disable_freenas_cache": false,
  "site": "",
  "kerberos_realm": 1,
  "kerberos_principal": "",
  "createcomputer": "",
  "timeout": 60,
  "dns_timeout": 10,
  "idmap_backend": "RID",
  "nss_info": null,
  "ldap_sasl_wrapping": "SIGN",
  "enable": true,
  "netbiosname": "WAF-33-002",
  "netbiosalias": []
}

If I export the certificate used, named "dc01 migrate for activedirectory...", to the new one, I get a key mismatch warning. So I exported the automatically created cert and key from one of the DCs and made this configuration:

Code:
{
  "id": 1,
  "domainname": "DOMAIN",
  "bindname": "administrator",
  "bindpw": "PASSWORD",
  "ssl": "START_TLS",
  "certificate": 6,
  "validate_certificates": true,
  "verbose_logging": true,
  "allow_trusted_doms": false,
  "use_default_domain": false,
  "allow_dns_updates": true,
  "disable_freenas_cache": false,
  "site": "",
  "kerberos_realm": 1,
  "kerberos_principal": "",
  "createcomputer": "",
  "timeout": 60,
  "dns_timeout": 10,
  "idmap_backend": "RID",
  "nss_info": "RFC2307",
  "ldap_sasl_wrapping": "SIGN",
  "enable": true,
  "netbiosname": "nas",
  "netbiosalias": []
}


If I try to join I get these errors:
Code:
[2020/07/07 17:08:05] (DEBUG) EtcService.generate():275 - No new changes for /etc/krb5.conf
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService.get_n_working_servers():154 - Request for [1] of server type [PDC] returned: [{'host': 'dc02.DOMAIN', 'port': 389}]
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService.start():917 - Starting Active Directory service for [DOMAIN]
[2020/07/07 17:08:06] (DEBUG) EtcService.generate():275 - No new changes for /etc/hosts
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc01.DOMAIN:636]
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService._open():245 - Failed to initialize start_tls: {'desc': "Can't contact LDAP server", 'errno': 54, 'info': 'Connection reset by peer'}
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc02.DOMAIN:636]
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService._open():245 - Failed to initialize start_tls: {'desc': "Can't contact LDAP server", 'errno': 54, 'info': 'Connection reset by peer'}


Any ideas?
 

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
Hi Anodos, thanks for helping.

These are the outputs:
Code:
nas% sudo midclt call activedirectory.update '{"nss_info": "", "enable": false}'
{"id": 1, "domainname": "DOMAIN", "bindname": "administrator", "bindpw": "PASSWORD", "ssl": "OFF", "certificate": null, "validate_certificates": false, "verbose_logging": true, "allow_trusted_doms": false, "use_default_domain": false, "allow_dns_updates": true, "disable_freenas_cache": false, "site": "", "kerberos_realm": 1, "kerberos_principal": "", "createcomputer": "", "timeout": 60, "dns_timeout": 10, "idmap_backend": "RID", "nss_info": "RFC2307", "ldap_sasl_wrapping": "SIGN", "enable": false, "netbiosname": "nas", "netbiosalias": [], "job_id": null}

Code:
nas% sudo midclt call activedirectory.update '{"enable": true}'
{"id": 1, "domainname": "DOMAIN", "bindname": "administrator", "bindpw": "PASSWORD", "ssl": "OFF", "certificate": null, "validate_certificates": false, "verbose_logging": true, "allow_trusted_doms": false, "use_default_domain": false, "allow_dns_updates": true, "disable_freenas_cache": false, "site": "", "kerberos_realm": 1, "kerberos_principal": "", "createcomputer": "", "timeout": 60, "dns_timeout": 10, "idmap_backend": "RID", "nss_info": "RFC2307", "ldap_sasl_wrapping": "SIGN", "enable": true, "netbiosname": "nas", "netbiosalias": [], "job_id": 1202}

The output of midclt call activedirectory.config | jq changed to:
Code:
{
  "id": 1,
  "domainname": "DOMAIN",
  "bindname": "administrator",
  "bindpw": "PASSWORD",
  "ssl": "OFF",
  "certificate": null,
  "validate_certificates": false,
  "verbose_logging": true,
  "allow_trusted_doms": false,
  "use_default_domain": false,
  "allow_dns_updates": true,
  "disable_freenas_cache": false,
  "site": "",
  "kerberos_realm": 1,
  "kerberos_principal": "",
  "createcomputer": "",
  "timeout": 60,
  "dns_timeout": 10,
  "idmap_backend": "RID",
  "nss_info": "RFC2307",
  "ldap_sasl_wrapping": "SIGN",
  "enable": true,
  "netbiosname": "nas",
  "netbiosalias": []
}


But unfortunately the system has still not joined the domain:

Code:
nas% wbinfo -u
Error looking up domain users
 

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
This is the output for the last job ID:
Code:
  {
    "id": 1225,
    "method": "activedirectory.start",
    "arguments": [],
    "logs_path": null,
    "logs_excerpt": null,
    "progress": {
      "percent": 20,
      "description": "Detecting Active Directory Site.",
      "extra": null
    },
    "result": null,
    "error": "[EFAULT] {'desc': \"Can't contact LDAP server\", 'errno': 54, 'info': 'Connection reset by peer'}",
    "exception": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/job.py\", line 349, in run\n    await self.future\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/job.py\", line 386, in __run_body\n    rv = await self.method(*([self] + args))\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py\", line 947, in start\n    new_site = await self.middleware.call('activedirectory.get_site')\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/main.py\", line 1141, in call\n    app=app, pipes=pipes, job_on_progress_cb=job_on_progress_cb, io_thread=True,\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/main.py\", line 1098, in _call\n    return await run_method(methodobj, *args)\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/utils/run_in_thread.py\", line 10, in run_in_thread\n    return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/utils/io_thread_pool_executor.py\", line 25, in run\n    result = self.fn(*self.args, **self.kwargs)\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py\", line 1487, in get_site\n    site = AD_LDAP.locate_site()\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py\", line 493, in locate_site\n    self._open()\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py\", line 317, in _open\n    raise CallError(saved_bind_error)\nmiddlewared.service_exception.CallError: [EFAULT] {'desc': \"Can't contact LDAP server\", 'errno': 54, 'info': 'Connection reset by peer'}\n",
    "exc_info": {
      "type": "CallError",
      "extra": null
    },
    "state": "FAILED",
    "time_started": {
      "$date": 1594149227938
    },
    "time_finished": {
      "$date": 1594149228720
    }
  }
 

Henning Kessler

Contributor
Joined
Feb 10, 2015
Messages
143
By turning off SSL you mean turning it off server side (Samba DC)? or on the FreeNAS side?

I tried the settings on the FreeNAS system. Current settings:
Code:
{
  "id": 1,
  "domainname": "DOMAIN",
  "bindname": "administrator",
  "bindpw": "PASSWORD",
  "ssl": "OFF",
  "certificate": null,
  "validate_certificates": false,
  "verbose_logging": true,
  "allow_trusted_doms": false,
  "use_default_domain": false,
  "allow_dns_updates": true,
  "disable_freenas_cache": false,
  "site": "",
  "kerberos_realm": 1,
  "kerberos_principal": "",
  "createcomputer": "",
  "timeout": 60,
  "dns_timeout": 10,
  "idmap_backend": "RID",
  "nss_info": null,
  "ldap_sasl_wrapping": "SEAL",
  "enable": true,
  "netbiosname": "nas",
  "netbiosalias": []
}


The result is unfortunately:
Code:
 {
    "id": 1493,
    "method": "activedirectory.start",
    "arguments": [],
    "logs_path": null,
    "logs_excerpt": null,
    "progress": {
      "percent": 20,
      "description": "Detecting Active Directory Site.",
      "extra": null
    },
    "result": null,
    "error": "[EFAULT] {'desc': \"Can't contact LDAP server\", 'errno': 54, 'info': 'Connection reset by peer'}",
    "exception": "Traceback (most recent call last):\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/job.py\", line 349, in run\n    await self.future\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/job.py\", line 386, in __run_body\n    rv = await self.method(*([self] + args))\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py\", line 947, in start\n    new_site = await self.middleware.call('activedirectory.get_site')\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/main.py\", line 1141, in call\n    app=app, pipes=pipes, job_on_progress_cb=job_on_progress_cb, io_thread=True,\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/main.py\", line 1098, in _call\n    return await run_method(methodobj, *args)\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/utils/run_in_thread.py\", line 10, in run_in_thread\n    return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/utils/io_thread_pool_executor.py\", line 25, in run\n    result = self.fn(*self.args, **self.kwargs)\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py\", line 1487, in get_site\n    site = AD_LDAP.locate_site()\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py\", line 493, in locate_site\n    self._open()\n  File \"/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py\", line 317, in _open\n    raise CallError(saved_bind_error)\nmiddlewared.service_exception.CallError: [EFAULT] {'desc': \"Can't contact LDAP server\", 'errno': 54, 'info': 'Connection reset by peer'}\n",
    "exc_info": {
      "type": "CallError",
      "extra": null
    },
    "state": "FAILED",
    "time_started": {
      "$date": 1594157207974
    },
    "time_finished": {
      "$date": 1594157207694
    }
  }

In the middleware.log:
Code:
[2020/07/07 23:26:46] (DEBUG) ActiveDirectoryService.get_n_working_servers():154 - Request for [1] of server type [PDC] returned: [{'host': 'dc02.DOMAIN', 'port': 389}]
[2020/07/07 23:26:47] (DEBUG) ActiveDirectoryService.start():917 - Starting Active Directory service for [DOMAIN]
[2020/07/07 23:26:47] (DEBUG) EtcService.generate():275 - No new changes for /etc/hosts
[2020/07/07 23:26:47] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc01.DOMAIN:636]
[2020/07/07 23:26:47] (DEBUG) ActiveDirectoryService._open():312 - SASL GSSAPI bind failed.
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 305, in _open
    self._handle.sasl_gssapi_bind_s()
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 487, in sasl_gssapi_bind_s
    self.sasl_non_interactive_bind_s('GSSAPI',serverctrls,clientctrls,sasl_flags,authz_id)
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 475, in sasl_non_interactive_bind_s
    self.sasl_interactive_bind_s('',auth,serverctrls,clientctrls,sasl_flags)
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 465, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/local/lib/python3.7/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'errno': 54, 'info': 'Connection reset by peer'}
[2020/07/07 23:26:47] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc02.DOMAIN:636]
[2020/07/07 23:26:47] (DEBUG) ActiveDirectoryService._open():312 - SASL GSSAPI bind failed.
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 305, in _open
    self._handle.sasl_gssapi_bind_s()
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 487, in sasl_gssapi_bind_s
    self.sasl_non_interactive_bind_s('GSSAPI',serverctrls,clientctrls,sasl_flags,authz_id)
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 475, in sasl_non_interactive_bind_s
    self.sasl_interactive_bind_s('',auth,serverctrls,clientctrls,sasl_flags)
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 465, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/local/lib/python3.7/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/local/lib/python3.7/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'errno': 54, 'info': 'Connection reset by peer'}
 
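Henning Kessler's two middleware.log excerpts above show the same shape of failure at different steps (start_tls in the first post, the SASL GSSAPI bind in the last), each with a python-ldap dict literal carrying the errno and the "Connection reset by peer" text. The following is an added example, not iXsystems code and not from this thread, that pulls those per-server failures out of such a log excerpt so they can be compared across attempts. The line formats are those of the posted excerpts; SAMPLE_LOG is a constructed excerpt stitched together from them. The flag it raises (a plaintext ldap:// session opened on port 636, the conventional LDAPS port, as the posted lines show) is an observation about the URI printed in the log, not a diagnosis the thread confirms.

```python
"""Extract per-server failures from a FreeNAS 11.3 middleware.log AD join attempt.

Added example for this thread, not iXsystems code. The line shapes are those
of the excerpts posted above; SAMPLE_LOG is constructed from them (two
StartTLS failures, then one GSSAPI bind failure with its traceback).
"""
import ast
import re
from urllib.parse import urlsplit

# "[ts] (LEVEL) Class.method():line - message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \((?P<level>\w+)\) (?P<where>\S+) - (?P<msg>.*)$")
INIT_RE = re.compile(r"Successfully initialized LDAP server: \[(?P<uri>[^\]]+)\]")
STARTTLS_RE = re.compile(r"Failed to initialize start_tls: (?P<err>\{.*\})")
GSSAPI_MSG = "SASL GSSAPI bind failed."
# python-ldap exception line that ends a traceback, e.g. "ldap.SERVER_DOWN: {...}"
EXC_RE = re.compile(r"^ldap\.(?P<exc>\w+): (?P<err>\{.*\})$")

# Constructed from the log lines posted in this thread.
SAMPLE_LOG = """\
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService.get_n_working_servers():154 - Request for [1] of server type [PDC] returned: [{'host': 'dc02.DOMAIN', 'port': 389}]
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc01.DOMAIN:636]
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService._open():245 - Failed to initialize start_tls: {'desc': "Can't contact LDAP server", 'errno': 54, 'info': 'Connection reset by peer'}
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc02.DOMAIN:636]
[2020/07/07 17:08:06] (DEBUG) ActiveDirectoryService._open():245 - Failed to initialize start_tls: {'desc': "Can't contact LDAP server", 'errno': 54, 'info': 'Connection reset by peer'}
[2020/07/07 23:26:47] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc01.DOMAIN:636]
[2020/07/07 23:26:47] (DEBUG) ActiveDirectoryService._open():312 - SASL GSSAPI bind failed.
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py", line 305, in _open
    self._handle.sasl_gssapi_bind_s()
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'errno': 54, 'info': 'Connection reset by peer'}
"""


def _failure(ts, uri, step, err_text, exc=None):
    """Build one failure record from the dict literal the log prints."""
    err = ast.literal_eval(err_text)   # python-ldap error info, printed as a Python dict
    rec = {"time": ts, "uri": uri, "step": step, "exception": exc,
           "errno": err.get("errno"), "desc": err.get("desc"), "info": err.get("info"),
           "flags": []}
    if uri:
        u = urlsplit(uri)
        if u.scheme == "ldap" and u.port == 636:
            rec["flags"].append(
                "ldap:// (no TLS at connect time) to port 636, the conventional LDAPS "
                "port; a TLS-only listener will not accept plaintext LDAP or StartTLS")
    return rec


def parse_ad_failures(text):
    """Return one record per failed LDAP server step, in log order."""
    failures = []
    current_uri = None   # server the middleware last opened
    pending = None       # (step, ts) of a GSSAPI failure waiting for its ldap.* line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            msg = m.group("msg")
            mi = INIT_RE.search(msg)
            ms = STARTTLS_RE.search(msg)
            if mi:
                current_uri = mi.group("uri")
                pending = None
            elif ms:
                failures.append(_failure(m.group("ts"), current_uri, "start_tls", ms.group("err")))
            elif msg == GSSAPI_MSG:
                pending = ("sasl_gssapi_bind", m.group("ts"))
            continue
        me = EXC_RE.match(line)   # traceback body lines fall through both regexes
        if me and pending:
            step, ts = pending
            failures.append(_failure(ts, current_uri, step, me.group("err"), me.group("exc")))
            pending = None
    return failures


def summarize(failures):
    """Count failures per (uri, step) so repeated attempts read at a glance."""
    counts = {}
    for f in failures:
        key = (f["uri"], f["step"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_ad_failures(SAMPLE_LOG):
        print(f["time"], f["uri"], f["step"], f["errno"], f["info"], f["flags"])
    print(summarize(parse_ad_failures(SAMPLE_LOG)))
```

Feed it the relevant slice of /var/log/middleware.log from a failed activedirectory.start; the step and errno columns distinguish a transport-level reset from an LDAP-level rejection such as the SASL NT_STATUS_INVALID_PARAMETER error earlier in the thread, which would arrive as a different ldap.* exception with a desc/info pair and no errno.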