Henning Kessler (Contributor, joined Feb 10, 2015, 143 messages)
Okay I tried a couple of things and I was kind of successful ;-).
I set my setting to this:
Code:
{
  "id": 1,
  "domainname": "DOMAIN",
  "bindname": "administrator",
  "bindpw": "PASSWORD",
  "ssl": "OFF",
  "certificate": null,
  "validate_certificates": false,
  "verbose_logging": true,
  "allow_trusted_doms": false,
  "use_default_domain": false,
  "allow_dns_updates": true,
  "disable_freenas_cache": false,
  "site": "Default-First-Site-Name",
  "kerberos_realm": 1,
  "kerberos_principal": "NAS$@AD.WAF.BERLIN",
  "createcomputer": "",
  "timeout": 60,
  "dns_timeout": 10,
  "idmap_backend": "RID",
  "nss_info": null,
  "ldap_sasl_wrapping": "PLAIN",
  "enable": true,
  "netbiosname": "nas",
  "netbiosalias": []
}
and then did a kinit on the command line to receive a ticket, and then enabled the Active Directory service.
Log output is:
Code:
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService.get_n_working_servers():154 - Request for [1] of server type [PDC] returned: [{'host': 'dc02.DOMAIN', 'port': 389}]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService.start():917 - Starting Active Directory service for [DOMAIN]
[2020/07/09 15:52:17] (DEBUG) EtcService.generate():275 - No new changes for /etc/hosts
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService.get_n_working_servers():154 - Request for [3] of server type [DOMAINCONTROLLER] returned: [{'host': 'dc02.DOMAIN', 'port': 389}, {'host': 'dc01.DOMAIN', 'port': 389}]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc02.DOMAIN:389]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._open():307 - Successfully bound to [ldap://dc02.DOMAIN:389] using SASL GSSAPI.
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._initialize_naming_context():454 - initialized naming context: rootDN:[DC=ad,DC=waf,DC=berlin]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._initialize_naming_context():455 - baseDN:[DC=ad,DC=waf,DC=berlin], config:[CN=Configuration,DC=ad,DC=waf,DC=berlin]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._get_subnets():432 - ipv4_subnet_info: []
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._get_subnets():433 - ipv6_subnet_info: []
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._open():204 - Successfully initialized LDAP server: [ldap://dc02.DOMAIN:389]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._open():307 - Successfully bound to [ldap://dc02.DOMAIN:389] using SASL GSSAPI.
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._initialize_naming_context():454 - initialized naming context: rootDN:[DC=ad,DC=waf,DC=berlin]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._initialize_naming_context():455 - baseDN:[DC=ad,DC=waf,DC=berlin], config:[CN=Configuration,DC=ad,DC=waf,DC=berlin]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService.get_netbios_name():478 - Query for nETBIOSName from LDAP returned: [AD]
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService.get_netbios_domain_name():1391 - Updating SMB workgroup to match the short form of the AD domain [AD]
[2020/07/09 15:52:18] (DEBUG) ActiveDirectoryService._net_ads_testjoin():1269 - net ads testjoin failed with error: [INFO: Current debug levels:
  all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5 auth_audit: 5 auth_json_audit: 5 kerberos: 5 drs_repl: 5 smb2: 5 smb2_credits: 5 dsdb_audit: 5 dsdb_json_audit: 5 dsdb_password_audit: 5 dsdb_password_json_audit: 5 dsdb_transaction_audit: 5 dsdb_transaction_json_audit: 5 dsdb_group_audit: 5 dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
  all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5 auth_audit: 5 auth_json_audit: 5 kerberos: 5 drs_repl: 5 smb2: 5 smb2_credits: 5 dsdb_audit: 5 dsdb_json_audit: 5 dsdb_password_audit: 5 dsdb_password_json_audit: 5 dsdb_transaction_audit: 5 dsdb_transaction_json_audit: 5 dsdb_group_audit: 5 dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter dns proxy = No
doing parameter aio max threads = 2
doing parameter max log size = 51200
doing parameter allocation roundup size = 0
doing parameter load printers = No
doing parameter printing = bsd
doing parameter disable spoolss = Yes
doing parameter dos filemode = Yes
doing parameter kernel change notify = No
doing parameter directory name cache size = 0
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter unix charset = UTF-8
doing parameter log level = 1
doing parameter obey pam restrictions = False
doing parameter enable web service discovery = True
doing parameter logging = file
doing parameter server min protocol = SMB2_02
doing parameter unix extensions = No
doing parameter restrict anonymous = 2
doing parameter server string = FreeNAS Server
doing parameter interfaces = 127.0.0.1 192.168.1.83
doing parameter bind interfaces only = Yes
doing parameter netbios name = nas
doing parameter netbios aliases =
doing parameter server role = member server
doing parameter kerberos method = secrets and keytab
doing parameter workgroup = AD
doing parameter realm = DOMAIN
doing parameter security = ADS
doing parameter local master = No
doing parameter domain master = No
doing parameter preferred master = No
doing parameter winbind cache time = 7200
doing parameter winbind max domain connections = 10
doing parameter winbind status fifo = Yes
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter ads dns update = Yes
doing parameter allow trusted domains = No
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter include = /usr/local/etc/smb4_share.conf
pm_process() returned Yes
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
Registering messaging pointer for type 51 - private_data=0x0
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
INFO: Current debug levels:
  all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5 auth_audit: 5 auth_json_audit: 5 kerberos: 5 drs_repl: 5 smb2: 5 smb2_credits: 5 dsdb_audit: 5 dsdb_json_audit: 5 dsdb_password_audit: 5 dsdb_password_json_audit: 5 dsdb_transaction_audit: 5 dsdb_transaction_json_audit: 5 dsdb_group_audit: 5 dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter dns proxy = No
doing parameter aio max threads = 2
doing parameter max log size = 51200
doing parameter allocation roundup size = 0
doing parameter load printers = No
doing parameter printing = bsd
doing parameter disable spoolss = Yes
doing parameter dos filemode = Yes
doing parameter kernel change notify = No
doing parameter directory name cache size = 0
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter unix charset = UTF-8
doing parameter log level = 1
doing parameter obey pam restrictions = False
doing parameter enable web service discovery = True
doing parameter logging = file
doing parameter server min protocol = SMB2_02
doing parameter unix extensions = No
doing parameter restrict anonymous = 2
doing parameter server string = FreeNAS Server
doing parameter interfaces = 127.0.0.1 192.168.1.83
doing parameter bind interfaces only = Yes
doing parameter netbios name = nas
doing parameter netbios aliases =
doing parameter server role = member server
doing parameter kerberos method = secrets and keytab
doing parameter workgroup = AD
doing parameter realm = DOMAIN
doing parameter security = ADS
doing parameter local master = No
doing parameter domain master = No
doing parameter preferred master = No
doing parameter winbind cache time = 7200
doing parameter winbind max domain connections = 10
doing parameter winbind status fifo = Yes
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%D/%U
doing parameter ads dns update = Yes
doing parameter allow trusted domains = No
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter include = /usr/local/etc/smb4_share.conf
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="NAS"
added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface lagg0 ip=192.168.1.83 bcast=192.168.1.255 netmask=255.255.255.0
Opening cache file at /var/run/samba4/gencache.tdb
sitename_fetch: No stored sitename for realm 'DOMAIN'
ads_dc_name: domain=AD
sitename_fetch: No stored sitename for realm 'DOMAIN'
saf_fetch: failed to find server for "DOMAIN" domain
get_dc_list: preferred server list: ", *"
no entry for DOMAIN#1C found.
resolve_ads: Attempting to resolve DCs for DOMAIN using DNS
namecache_store: storing 2 addresses for DOMAIN#1c: 192.168.1.38,192.168.1.39
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.1.38:389 192.168.1.39:389
ads_try_connect: sending CLDAP request to 192.168.1.38 (realm: DOMAIN)
Successfully contacted LDAP server 192.168.1.38
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
ads_dc_name: domain=AD
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
saf_fetch: failed to find server for "DOMAIN" domain
get_dc_list: preferred server list: ", *"
no entry for DOMAIN#1C found.
resolve_ads: Attempting to resolve DCs for DOMAIN using DNS
namecache_store: storing 2 addresses for DOMAIN#1c: 192.168.1.39,192.168.1.38
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.1.39:389 192.168.1.38:389
ads_try_connect: sending CLDAP request to 192.168.1.39 (realm: DOMAIN)
Successfully contacted LDAP server 192.168.1.39
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
saf_fetch: failed to find server for "DOMAIN" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for DOMAIN using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.1.39:88 192.168.1.38:88
saf_fetch: failed to find server for "DOMAIN" domain
get_dc_list: preferred server list: ", *"
resolve_ads: Attempting to resolve KDCs for DOMAIN using DNS
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.1.38:88 192.168.1.39:88
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba4/smb_krb5/krb5.conf.AD with realm DOMAIN KDC list =
	kdc = 192.168.1.39
	kdc = 192.168.1.38
ads_dc_name: using server='DC02.DOMAIN' IP=192.168.1.39
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
ads_dc_name: domain=WORKGROUP
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
saf_fetch: failed to find server for "DOMAIN" domain
get_dc_list: preferred server list: ", *"
name DOMAIN#1C found.
get_dc_list: returning 2 ip addresses in an ordered list
get_dc_list: 192.168.1.39:389 192.168.1.38:389
ads_try_connect: sending CLDAP request to 192.168.1.39 (realm: DOMAIN)
Successfully contacted LDAP server 192.168.1.39
sitename_fetch: Returning sitename for realm 'DOMAIN': "Default-First-Site-Name"
ads_dc_name: using server='DC02.DOMAIN' IP=192.168.1.39
ads_try_connect: sending CLDAP request to 192.168.1.39 (realm: DOMAIN)
Successfully contacted LDAP server 192.168.1.39
Connected to LDAP server dc02.DOMAIN
KDC time offset is 0 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[MEMORY:net_ads] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
gensec_update_done: spnego[0x814e56e60]: NT_STATUS_INVALID_PARAMETER
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc02.DOMAIN with user[NAS$] realm=[DOMAIN]: Cannot read password
Join to domain is not valid: NT code 0xfffffff6
return code = -1]
[2020/07/09 15:52:18] (DEBUG) ActiveDirectoryService.start():969 - Test join to DOMAIN failed. Performing domain join.
[2020/07/09 15:52:22] (DEBUG) ActiveDirectoryService.start():995 - Successfully generated keytab for computer account. Clearing bind credentials
[2020/07/09 15:52:22] (DEBUG) ServiceService._simplecmd():287 - Calling: restart(cifs)
[2020/07/09 15:52:22] (DEBUG) EtcService.generate():275 - No new changes for /etc/local/smb4_share.conf
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/kde
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/pam.inc
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/sudo
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/imap
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/atrun
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/telnetd
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/other
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/xdm
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/passwd
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/system
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/rsh
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/pop3
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/README
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/pam.d/cron
[2020/07/09 15:52:26] (DEBUG) EtcService.generate():275 - No new changes for /etc/local/nslcd.conf
[2020/07/09 15:52:26] (DEBUG) ActiveDirectoryService.get_cache():1716 - cache fill is in progress.
[2020/07/09 15:52:26] (DEBUG) ActiveDirectoryService.start():1020 - Successfully started AD service for [DOMAIN].
I now get a correct response from wbinfo -u or wbinfo -g. Hope this stays stable ;-)
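An added example, not part of the forum post and not FreeNAS/TrueNAS middleware code: a small Python check that parses the middleware log format shown above (the `[timestamp] (LEVEL) Class.method():line - message` records, with embedded `net ads` output on continuation lines), reports how the join actually went, and lints the settings dump for the transport settings visible in it (`ssl` OFF, `ldap_sasl_wrapping` PLAIN). The sample log lines and settings are abridged from the post with its placeholder values; the lint rules, function names and summary keys are my own choices, not anything the middleware provides.

```python
"""Added example, not from the forum post or the FreeNAS/TrueNAS middleware:
walk the middleware debug log in the format shown above and lint the AD
settings dump for transport settings that leave directory traffic unprotected."""
import json
import re
from dataclasses import dataclass

# Constructed sample: abridged copy of the settings dump, placeholder values kept.
SETTINGS_JSON = """{ "id": 1, "domainname": "DOMAIN", "bindname": "administrator",
  "bindpw": "PASSWORD", "ssl": "OFF", "certificate": null,
  "validate_certificates": false, "ldap_sasl_wrapping": "PLAIN",
  "kerberos_realm": 1, "kerberos_principal": "NAS$@AD.WAF.BERLIN",
  "idmap_backend": "RID", "enable": true, "netbiosname": "nas" }"""

# Constructed sample: a few middleware records abridged from the post. The
# testjoin record carries the embedded `net ads` output on continuation lines.
LOG_SAMPLE = """\
[2020/07/09 15:52:17] (DEBUG) ActiveDirectoryService._open():307 - Successfully bound to [ldap://dc02.DOMAIN:389] using SASL GSSAPI.
[2020/07/09 15:52:18] (DEBUG) ActiveDirectoryService._net_ads_testjoin():1269 - net ads testjoin failed with error: [Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[MEMORY:net_ads] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc02.DOMAIN with user[NAS$] realm=[DOMAIN]: Cannot read password
Join to domain is not valid: NT code 0xfffffff6
return code = -1]
[2020/07/09 15:52:18] (DEBUG) ActiveDirectoryService.start():969 - Test join to DOMAIN failed. Performing domain join.
[2020/07/09 15:52:22] (DEBUG) ActiveDirectoryService.start():995 - Successfully generated keytab for computer account. Clearing bind credentials
[2020/07/09 15:52:26] (DEBUG) ActiveDirectoryService.start():1020 - Successfully started AD service for [DOMAIN].
"""

# One middleware record: [timestamp] (LEVEL) Class.method():line - message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \((?P<level>\w+)\) (?P<cls>\w+)\.(?P<func>\w+)\(\):"
    r"(?P<lineno>\d+) - (?P<msg>.*)$"
)


@dataclass
class Record:
    ts: str
    level: str
    func: str   # "Class.method"
    msg: str


def parse_log(text: str) -> list:
    """Split the log into records; a line that does not start a record is a
    continuation of the previous record's message (embedded tool output)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(Record(m["ts"], m["level"], f"{m['cls']}.{m['func']}", m["msg"]))
        elif records:
            records[-1].msg += "\n" + line
    return records


def summarize_join(records: list) -> dict:
    """Reduce the records to the facts an admin checks after enabling AD."""
    out = {"gssapi_bind": False, "testjoin_failed": False, "testjoin_needs_kinit": False,
           "rejoined": False, "keytab_generated": False, "service_started": False}
    for r in records:
        if "using SASL GSSAPI" in r.msg:
            out["gssapi_bind"] = True
        if r.func.endswith("._net_ads_testjoin") and "failed" in r.msg:
            out["testjoin_failed"] = True
            # Samba asks for a fresh kinit when the credential cache import fails
            out["testjoin_needs_kinit"] = "retry after a kinit" in r.msg
        if "Performing domain join" in r.msg:
            out["rejoined"] = True
        if "Successfully generated keytab" in r.msg:
            out["keytab_generated"] = True
        if "Successfully started AD service" in r.msg:
            out["service_started"] = True
    return out


def lint_settings(settings: dict) -> list:
    """Flag settings that weaken the LDAP channel. The rule set is mine, not the
    middleware's; it only reads keys present in the dump above."""
    findings = []
    if settings.get("ssl") == "OFF":
        findings.append("ssl=OFF: LDAP runs over plain TCP/389; only the SASL/GSSAPI bind itself is protected")
    if str(settings.get("ldap_sasl_wrapping", "")).upper() == "PLAIN":
        findings.append("ldap_sasl_wrapping=PLAIN: LDAP queries after the bind are neither signed nor sealed")
    if settings.get("ssl") != "OFF" and not settings.get("validate_certificates", True):
        findings.append("validate_certificates=false: the DC's TLS certificate is not checked")
    if settings.get("bindpw"):
        findings.append("bindpw is present in the dump: treat the export as a secret")
    return findings


if __name__ == "__main__":
    for k, v in summarize_join(parse_log(LOG_SAMPLE)).items():
        print(f"{k:22} {v}")
    for f in lint_settings(json.loads(SETTINGS_JSON)):
        print("finding:", f)
```

Run against the post's own log, the summary shows the sequence the author saw: a GSSAPI bind succeeded, `net ads testjoin` failed because the credential cache could not be imported (the "retry after a kinit" hint), the middleware then performed a full join and generated a machine keytab, and the service came up. The lint on the settings dump flags that the LDAP session itself is neither TLS-wrapped nor SASL-sealed; the `validate_certificates` rule only fires once `ssl` is switched on, since it has no effect otherwise.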