FreeNAS 11 not working any more with LDAP Auth

Status
Not open for further replies.

Mouftik

Dabbler
Joined
May 12, 2014
Messages
41
Hi all,

I've run into a little issue where my SMB share won't start anymore since I upgraded from a stable 9.10 to stable 11.
I use LDAP authentication with TLS encryption to my LDAP server. Before, everything was working well: I was able to set permissions with users/groups from the LDAP and sign in through Windows (also with AFP/Mac OS).

But now I have a Warning saying "LDAP did not bind to the domain" and my SMB share won't start anymore.

What has been changed in FreeNAS 11 that doesn't allow me to use SMB anymore?

BTW, I didn't change anything on the LDAP side; I have the samba schema installed and working.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I believe 11.0-U1 has some fixes for this, so try that out first.
 

Mouftik

Dabbler
Joined
May 12, 2014
Messages
41
I installed 11.0-U1 yesterday and nothing changed; I am not able to start the SMB share,
with the same warning that LDAP cannot bind to the domain.

I searched the FreeNAS bug tracker and found nothing related to that, AFAIK.
 

Mouftik

Dabbler
Joined
May 12, 2014
Messages
41
Nothing in /var/log/messages, but in /var/log/samba4/log.smbd I have:

Code:
pdb backend ldapsam:ldaps://****LDAP Server FQDN**** did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2017/07/06 19:22:29.716161,  1] ../source3/profile/profile_dummy.c:30(set_profile_level)
  INFO: Profiling support unavailable in this build.
[2017/07/06 19:22:29.742909,  0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
  failed to bind to server ldaps://****LDAP Server FQDN**** with dn="cn=admin,dc=ldap,dc=com" Error: Can't contact LDAP server
	  error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)
[2017/07/06 19:22:29.743028,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 1 try!
[2017/07/06 19:22:30.795902,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 2 try!
[2017/07/06 19:22:31.868446,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 3 try!
[2017/07/06 19:22:32.884008,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 4 try!
[2017/07/06 19:22:33.909306,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 5 try!
[2017/07/06 19:22:34.930015,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 6 try!
[2017/07/06 19:22:35.957787,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 7 try!
[2017/07/06 19:22:36.975747,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 8 try!
[2017/07/06 19:22:37.999158,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 9 try!
[2017/07/06 19:22:39.014178,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 10 try!
[2017/07/06 19:22:40.039332,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 11 try!
[2017/07/06 19:22:41.057464,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 12 try!
[2017/07/06 19:22:42.073800,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 13 try!
[2017/07/06 19:22:43.093733,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 14 try!
[2017/07/06 19:22:44.119211,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 15 try!
[2017/07/06 19:22:45.145195,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
  Connection to LDAP server failed for the 16 try!
[2017/07/06 19:22:46.147521,  0] ../source3/passdb/pdb_ldap.c:6540(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2017/07/06 19:22:46.147646,  0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ldapsam:ldaps://****LDAP Server FQDN**** did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

I do indeed have a self-signed certificate, but only internally, and it didn't cause any issue before. Is it about that?
 
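The OpenSSL verdict in the log above, "certificate verify failed (self signed certificate in certificate chain)", means smbd received the LDAP server's chain, found a self-signed CA at the top of it, and had no trust anchor for that CA. The following is an added example, not code from this thread, FreeNAS or Samba: it builds a throwaway internal CA and LDAP server certificate with the openssl CLI, reproduces that exact failure with an empty trust store, and then shows the same chain verifying once the CA is trusted. The CA name, the FQDN ldap.example.internal and the scratch directory are assumptions for the demo; the thread masks the real server name.

```shell
#!/bin/sh
# Added example, not code from this thread, FreeNAS or Samba.
# Reproduces the OpenSSL verdict smbd logged ("certificate verify failed
# (self signed certificate in certificate chain)") with a throwaway PKI, then
# shows the same chain verifying once the internal CA is trusted.
# Assumes a POSIX sh and an openssl CLI (1.1.0 or newer, for -no-CAfile).
set -e

WORK="$(mktemp -d)"
LDAP_FQDN="ldap.example.internal"   # hypothetical; the thread masks the real FQDN

# Throwaway PKI: a self-signed internal CA and an LDAP server cert it signs.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Internal Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$LDAP_FQDN" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/ldap.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/ldap.crt" 2>/dev/null
    # What an ldaps server typically sends in the handshake: leaf, then its CA.
    cat "$WORK/ldap.crt" "$WORK/ca.crt" > "$WORK/chain.pem"
}

# The client's view when its trust store does NOT contain the internal CA:
# the CA arrives in the handshake (-untrusted) but nothing vouches for it.
# Prints OpenSSL's verdict and returns non-zero, as smbd's bind did.
verify_without_trusted_ca() {
    openssl verify -no-CAfile -no-CApath \
        -untrusted "$WORK/chain.pem" "$WORK/ldap.crt" 2>&1
}

# Same leaf, but the internal CA is an explicit trust anchor. This, rather
# than disabling verification, is the fix: the bind DN's password (here
# cn=admin) must not be sent to a server nobody has vouched for.
verify_with_trusted_ca() {
    openssl verify -no-CAfile -no-CApath \
        -CAfile "$WORK/ca.crt" "$WORK/ldap.crt" 2>&1
}

make_test_pki
echo "== CA not in client trust store (what the upgraded smbd saw) =="
verify_without_trusted_ca || true
echo "== CA trusted =="
verify_with_trusted_ca
```

The first run prints OpenSSL's error 19 ("self signed certificate in certificate chain") and fails; the second prints "ldap.crt: OK". Against a live server the equivalent check is `openssl s_client -connect <LDAP FQDN>:636 -CAfile <internal-ca.crt>` and reading the "Verify return code" line: if it is 19 or 20 with the correct CA file, the client is simply missing the trust anchor, and the remedy is to make that CA trusted on the FreeNAS side, not to turn certificate verification off.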

dlavigne

Guest
Yeah, it's possible that that is a regression.

Please create a report at bugs.freenas.org that includes your system debug (System -> Advanced -> Save Debug) and post the issue number here. Note that the bug won't be visible to others until the dev has a chance to review your debug.
 

Wizermil

Cadet
Joined
Jul 13, 2017
Messages
4
@dlavigne I have a GoDaddy wildcard cert set up in 11U1. I can send you my logs or even do live debugging over IRC or Slack or Skype or Hangouts...
 

dkusek

Explorer
Joined
Mar 16, 2016
Messages
78
I have the same errors running 11.0-U3. Has anyone been able to get this running on 11.0-U3? I also get an error when trying to add the Kerberos keytab. The GUI says "error occurred" but nothing is generated in the logs. So I'm pretty lost here. I can run getent passwd and get all of my directory users to populate, and the user group is available when changing the permissions on the dataset. But the main issue is that SMB will not start. If it does start, it quickly goes down again.
Any help on this is greatly appreciated.
 

dlavigne

Guest
Does updating to 11.1 fix it? If not, please create a bug report at bugs.freenas.org that includes a debug (System -> Advanced -> Save Debug) from the updated system, and post the issue number here.
 

dkusek

Explorer
Joined
Mar 16, 2016
Messages
78
This particular instance is in a prod env. I am waiting until 11.1 comes out of release status to do that. At that time, I will try again and report. Thank you for the response.
 