FreeNAS-11.3-U2 not joining active directory

Henning Kessler (Contributor; joined Feb 10, 2015; 143 messages)
Okay, I tried a couple of things and I was kind of successful ;-).

I set my settings to this:
Code:
{
  "id": 1,
  "domainname": "DOMAIN",
  "bindname": "administrator",
  "bindpw": "PASSWORD",
  "ssl": "OFF",
  "certificate": null,
  "validate_certificates": false,
  "verbose_logging": true,
  "allow_trusted_doms": false,
  "use_default_domain": false,
  "allow_dns_updates": true,
  "disable_freenas_cache": false,
  "site": "Default-First-Site-Name",
  "kerberos_realm": 1,
  "kerberos_principal": "NAS$@AD.WAF.BERLIN",
  "createcomputer": "",
  "timeout": 60,
  "dns_timeout": 10,
  "idmap_backend": "RID",
  "nss_info": null,
  "ldap_sasl_wrapping": "PLAIN",
  "enable": true,
  "netbiosname": "nas",
  "netbiosalias": []
}


and then did a kinit on the command line to receive a ticket, and then enabled Active Directory.

Log output is:
Code:
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService.get_n_working_servers():154 - Request for [1] of server type [PDC] returned: [{'host': 'dc02.DOMAIN', 'port': 389}]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService.start():917 - Starting Active Directory service for [DOMAIN]
[2020/07/09 15:52:17] (DEBUG) EtcService.generate():275 - No new changes for /etc/hosts
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService.get_n_working_servers():154 - Request for [3] of server type [DOMAINCONTROLLER] returned: [{'host': 'dc02.DOMAIN', 'port': 389}, {'host': 'dc01.DOMAIN', 'port': 389}]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc02.DOMAIN:389]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._open():307 - Successfully bound to [ldap://dc02.DOMAIN:389] using SASL GSSAPI.
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._initialize_naming_context():454 - initialized naming context: rootDN:[DC=ad,DC=waf,DC=berlin]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._initialize_naming_context():455 - baseDN:[DC=ad,DC=waf,DC=berlin], config:[CN=Configuration,DC=ad,DC=waf,DC=berlin]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._get_subnets():432 - ipv4_subnet_info: []
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._get_subnets():433 - ipv6_subnet_info: []
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc02.DOMAIN:389]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._open():307 - Successfully bound to [ldap://dc02.DOMAIN:389] using SASL GSSAPI.
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._initialize_naming_context():454 - initialized naming context: rootDN:[DC=ad,DC=waf,DC=berlin]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._initialize_naming_context():455 - baseDN:[DC=ad,DC=waf,DC=berlin], config:[CN=Configuration,DC=ad,DC=waf,DC=berlin]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService.get_netbios_name():478 - Query for nETBIOSName from LDAP returned: [AD]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService.get_netbios_domain_name():1391 - Updating SMB workgroup to match the short form of the AD domain [AD]
[2020/07/09 15:52:18] (DEBUG) ActiveDirectoryService._net_ads_testjoin():1269 - net ads testjoin failed with error: [INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter dns proxy = No
doing parameter aio max threads = 2
doing parameter max log size = 51200
doing parameter allocation roundup size = 0
doing parameter load printers = No
doing parameter printing = bsd
doing parameter disable spoolss = Yes
doing parameter dos filemode = Yes
doing parameter kernel change notify = No
doing parameter directory name cache size = 0
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter unix charset = UTF-8
doing parameter log level = 1
doing parameter obey pam restrictions = False
doing parameter enable web service discovery = True
doing parameter logging = file
doing parameter server min protocol = SMB2_02
doing parameter unix extensions = No
doing parameter restrict anonymous = 2
doing parameter server string = FreeNAS Server
doing parameter interfaces = 127.0.0.1 192.168.1.83
doing parameter bind interfaces only = Yes
doing parameter netbios name = nas
doing parameter netbios aliases =
doing parameter server role = member server
doing parameter kerberos method = secrets and keytab
doing parameter workgroup = AD
doing parameter realm = DOMAIN
doing parameter security = ADS
doing parameter local master = No
doing parameter domain master = No
doing parameter preferred master = No
doing parameter winbind cache time = 7200
doing parameter winbind max domain connections = 10
doing parameter winbind status fifo = Yes
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter ads dns update = Yes
doing parameter allow trusted domains = No
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter include = /usr/local/etc/smb4_share.conf
pm_process() returned Yes
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Registering messaging pointer for type 51 - private_data=0x0
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter dns proxy = No
doing parameter aio max threads = 2
doing parameter max log size = 51200
doing parameter allocation roundup size = 0
doing parameter load printers = No
doing parameter printing = bsd
doing parameter disable spoolss = Yes
doing parameter dos filemode = Yes
doing parameter kernel change notify = No
doing parameter directory name cache size = 0
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter unix charset = UTF-8
doing parameter log level = 1
doing parameter obey pam restrictions = False
doing parameter enable web service discovery = True
doing parameter logging = file
doing parameter server min protocol = SMB2_02
doing parameter unix extensions = No
doing parameter restrict anonymous = 2
doing parameter server string = FreeNAS Server
doing parameter interfaces = 127.0.0.1 192.168.1.83
doing parameter bind interfaces only = Yes
doing parameter netbios name = nas
doing parameter netbios aliases =
doing parameter server role = member server
doing parameter kerberos method = secrets and keytab
doing parameter workgroup = AD
doing parameter realm = DOMAIN
doing parameter security = ADS
doing parameter local master = No
doing parameter domain master = No
doing parameter preferred master = No
doing parameter winbind cache time = 7200
doing parameter winbind max domain connections = 10
doing parameter winbind status fifo = Yes
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter ads dns update = Yes
doing parameter allow trusted domains = No
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter include = /usr/local/etc/smb4_share.conf
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="NAS"
added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface lagg0 ip=192.168.1.83 bcast=192.168.1.255 netmask=255.255.255.0
Opening cache file at /var/run/samba4/gencache.tdb
sitename_fetch: No stored sitename for realm 'DOMAIN'
ads_dc_name: domain=AD
sitename_fetch: No stored sitename for realm 'DOMAIN'
saf_fetch: failed to find server for "DOMAIN" domain
get_dc_list: preferred server list: ", *"
no entry for DOMAIN#1C found.
resolve_ads: Attempting to resolve DCs for DOMAIN using DNS
namecache_store: storing 2 addresses for DOMAIN#1c: 192.168.1.38,192.168.1.39
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.1.38:389 192.168.1.39:389
ads_try_connect: sending CLDAP request to 192.168.1.38 (realm: DOMAIN)
Successfully contacted LDAP server 192.168.1.38
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
ads_dc_name: domain=AD
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
saf_fetch: failed to find server for "DOMAIN" domain
get_dc_list: preferred server list: ", *"
no entry for DOMAIN#1C found.
resolve_ads: Attempting to resolve DCs for DOMAIN using DNS
namecache_store: storing 2 addresses for DOMAIN#1c: 192.168.1.39,192.168.1.38
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.1.39:389 192.168.1.38:389
ads_try_connect: sending CLDAP request to 192.168.1.39 (realm: DOMAIN)
Successfully contacted LDAP server 192.168.1.39
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
saf_fetch: failed to find server for "DOMAIN" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for DOMAIN using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.1.39:88 192.168.1.38:88
saf_fetch: failed to find server for "DOMAIN" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for DOMAIN using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.1.38:88 192.168.1.39:88
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba4/smb_krb5/krb5.conf.AD with realm DOMAIN KDC list =         kdc = 192.168.1.39
        kdc = 192.168.1.38

ads_dc_name: using server='DC02.DOMAIN' IP=192.168.1.39
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
ads_dc_name: domain=WORKGROUP
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
saf_fetch: failed to find server for "DOMAIN" domain
get_dc_list: preferred server list: ", *"
name DOMAIN#1C found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.1.39:389 192.168.1.38:389
ads_try_connect: sending CLDAP request to 192.168.1.39 (realm: DOMAIN)
Successfully contacted LDAP server 192.168.1.39
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
ads_dc_name: using server='DC02.DOMAIN' IP=192.168.1.39
ads_try_connect: sending CLDAP request to 192.168.1.39 (realm: DOMAIN)
Successfully contacted LDAP server 192.168.1.39
Connected to LDAP server dc02.DOMAIN
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[MEMORY:net_ads] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
gensec_update_done: spnego[0x814e56e60]: NT_STATUS_INVALID_PARAMETER
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc02.DOMAIN with user[NAS$] realm=[DOMAIN]: Cannot read password
Join to domain is not valid: NT code 0xfffffff6
return code = -1]
[2020/07/09 15:52:18] (DEBUG) ActiveDirectoryService.start():969 - Test join to DOMAIN failed. Performing domain join.
[2020/07/09 15:52:22] (DEBUG) ActiveDirectoryService.start():995 - Successfully generated keytab for computer account. Clearing bind credentials
[2020/07/09 15:52:22] (DEBUG) ServiceService._simplecmd():287 - Calling: restart(cifs)
[2020/07/09 15:52:22] (DEBUG) EtcService.generate():275 - No new changes for /etc/local/smb4_share.conf
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/kde
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/pam.inc
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/sudo
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/imap
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/atrun
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/telnetd
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/other
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/xdm
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/passwd
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/system
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/rsh
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/pop3
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/README
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/cron
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/local/nslcd.conf
[2020/07/09 15:52:26] (DEBUG) ActiveDirectoryService.get_cache():1716 - cache fill is in progress.
[2020/07/09 15:52:26] (DEBUG) ActiveDirectoryService.start():1020 - Successfully started AD service for [DOMAIN].


I now get a correct response from wbinfo -u or wbinfo -g. Hope this stays stable ;-)
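What the log above actually records is worth reading in order: the middleware binds to the DC over plain LDAP on port 389 with SASL GSSAPI (the ticket from the manual kinit), `net ads testjoin` then fails because `net` cannot read a credential for the machine account NAS$ (there is no keytab or secrets entry for it yet, NT code 0xfffffff6), so the middleware performs the real join, generates a keytab for the computer account, clears the stored bind credentials and starts the service. The posted config is also worth a second look from the channel-security side: `ssl` is `OFF` and `ldap_sasl_wrapping` is `PLAIN`, so the Kerberos bind authenticates the NAS but the LDAP session itself is neither signed nor sealed, and the export carries the `administrator` bind password in the clear. The script below is an added example, not FreeNAS or iXsystems code: it audits an exported AD config for those settings and walks the service log to reconstruct the join sequence. Field names are the ones in the posted JSON; the sample config and log are constructed from the post (the debug-level dump is omitted), and the `SEAL` value in the hardened variant is an assumption about the middleware's accepted wrapping values.

```python
"""Audit an exported FreeNAS 11.3 Active Directory config and the AD service
debug log it produced.  Added example, not FreeNAS/iXsystems code.  Field
names are those of the JSON in the post; the sample config and log below are
constructed from the post, and the "SEAL" wrapping value in the hardened
variant is an assumption about the middleware's accepted values."""
import json
import re

# Constructed sample: the channel-relevant fields of the posted config.
SAMPLE_CONFIG = json.dumps({
    "domainname": "DOMAIN",
    "bindname": "administrator",
    "bindpw": "PASSWORD",
    "ssl": "OFF",
    "validate_certificates": False,
    "ldap_sasl_wrapping": "PLAIN",
    "kerberos_principal": "NAS$@AD.WAF.BERLIN",
    "enable": True,
})

# Assumed hardened variant: bind password cleared after the join, LDAP
# traffic sealed by GSSAPI instead of sent in the clear.
HARDENED_CONFIG = json.dumps({
    "domainname": "DOMAIN",
    "bindname": "administrator",
    "bindpw": "",
    "ssl": "OFF",
    "validate_certificates": False,
    "ldap_sasl_wrapping": "SEAL",
    "kerberos_principal": "NAS$@AD.WAF.BERLIN",
    "enable": True,
})

# Constructed sample log, condensed from the post (debug-level dump omitted).
SAMPLE_LOG = """\
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._open():307 - Successfully bound to [ldap://dc02.DOMAIN:389] using SASL GSSAPI.
[2020/07/09 15:52:18] (DEBUG) ActiveDirectoryService._net_ads_testjoin():1269 - net ads testjoin failed with error: [INFO: Current debug levels:
smb_gss_krb5_import_cred ccache[MEMORY:net_ads] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc02.DOMAIN with user[NAS$] realm=[DOMAIN]: Cannot read password
Join to domain is not valid: NT code 0xfffffff6
return code = -1]
[2020/07/09 15:52:18] (DEBUG) ActiveDirectoryService.start():969 - Test join to DOMAIN failed. Performing domain join.
[2020/07/09 15:52:22] (DEBUG) ActiveDirectoryService.start():995 - Successfully generated keytab for computer account. Clearing bind credentials
[2020/07/09 15:52:26] (DEBUG) ActiveDirectoryService.start():1020 - Successfully started AD service for [DOMAIN].
"""

# Middleware log line: [timestamp] (LEVEL) Class.method():line - message
TIMESTAMPED = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\] \((\w+)\) (\S+?):(\d+) - (.*)$")


def audit_config(raw):
    """Return findings for settings that leave the LDAP channel unprotected
    or leave a privileged secret in the export.  TLS (ssl != OFF) and GSSAPI
    sign/seal are treated as alternative channel protections."""
    cfg = json.loads(raw)
    findings = []
    tls = str(cfg.get("ssl", "OFF")).upper() != "OFF"
    wrapping = str(cfg.get("ldap_sasl_wrapping", "PLAIN")).upper()
    if cfg.get("bindpw"):
        findings.append("bindpw is set: the export carries a privileged AD "
                        "credential; clear it once the machine keytab exists")
    if not tls and wrapping == "PLAIN":
        findings.append("ssl=OFF with ldap_sasl_wrapping=PLAIN: the GSSAPI bind "
                        "authenticates, but LDAP traffic is neither signed nor "
                        "sealed")
    if tls and not cfg.get("validate_certificates"):
        findings.append("validate_certificates=false: TLS is on but the DC "
                        "certificate is not verified")
    return findings


def summarize_join(log):
    """Walk the AD service log and reconstruct the join sequence: the bind
    mechanism, whether `net ads testjoin` failed and with what, and whether
    the real join produced a keytab and the service came up."""
    summary = {"bind_mech": None, "testjoin_failed": False,
               "testjoin_reason": None, "nt_code": None,
               "keytab_generated": False, "service_started": False}
    for line in log.splitlines():
        m = TIMESTAMPED.match(line)
        # Samba output embedded in a middleware message carries no timestamp,
        # so fall back to the raw line for those.
        text = m.group(5) if m else line
        bind = re.search(r"Successfully bound to \[.*\] using (.+?)\.$", text)
        if bind:
            summary["bind_mech"] = bind.group(1)
        elif "net ads testjoin failed" in text:
            summary["testjoin_failed"] = True
        elif "failed for ldap/" in text:
            summary["testjoin_reason"] = text
        elif "NT code" in text:
            summary["nt_code"] = re.search(r"NT code (0x[0-9a-fA-F]+)", text).group(1)
        elif "Successfully generated keytab" in text:
            summary["keytab_generated"] = True
        elif "Successfully started AD service" in text:
            summary["service_started"] = True
    return summary


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("config:", finding)
    print("join:", summarize_join(SAMPLE_LOG))
```

Run against the sample it reports two config findings (the stored bind password and the unsigned, unsealed LDAP channel) and a join summary showing the failed test join with its NT code followed by a successful keytab generation; the hardened variant reports nothing. Since the middleware clears the bind credentials once the keytab exists, the `bindpw` finding is mainly a reminder to treat a config export taken before the join as a secret.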