FreeNAS 11u1 Active Directory join lost on reboot - Bug # 21244

Status
Not open for further replies.

MrDave2017

Cadet
Joined
Jul 21, 2017
Messages
7
Need some help with my FreeNAS 11.0 U1 install and joining it to my Active Directory.

There has to be something I'm missing that I can't find.

I can join the domain with no issues. Then after reboot the "testjoin" fails and it tries to rejoin and fails to join. Then, if the AD connection is enabled again in the web UI, or if the troubleshooting steps located here http://doc.freenas.org/11/directoryservice.html#if-the-system-will-not-join-the-domain are run, it joins the domain just fine.

The AD object is being created in my AD. When I have to force it to rejoin, the object is moved back to the default OU.

Very confused about why this is happening; any help would be great.

I have some log snippets below to try to explain better what is happening.

Result of setting up the AD section in the web UI, joins domain w/o issue:
Code:
Jul 21 12:15:52 FreeNAS ActiveDirectory: /usr/sbin/service ix-hostname quietstart
Jul 21 12:15:53 FreeNAS ActiveDirectory: /usr/sbin/service ix-kerberos quietstart default MYDOMAIN
Jul 21 12:15:55 FreeNAS ActiveDirectory: /usr/sbin/service ix-nsswitch quietstart
Jul 21 12:15:55 FreeNAS ActiveDirectory: /usr/sbin/service ix-ldap quietstart
Jul 21 12:15:55 FreeNAS ActiveDirectory: /usr/sbin/service ix-kinit quietstart
Jul 21 12:15:56 FreeNAS ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable --password-file=/tmp/tmp.KS4LJ91c FreenasUser@MYDOMAIN
Jul 21 12:15:58 FreeNAS ActiveDirectory: kerberos_start: Successful
Jul 21 12:15:58 FreeNAS ActiveDirectory: /usr/sbin/service ix-kinit status
Jul 21 12:15:58 FreeNAS ActiveDirectory: kerberos_status: klist -t
Jul 21 12:15:58 FreeNAS ActiveDirectory: kerberos_status: Successful
Jul 21 12:15:58 FreeNAS ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Jul 21 12:16:03 FreeNAS ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
Jul 21 12:16:05 FreeNAS ActiveDirectory: activedirectory_start: checking if we are joined already
Jul 21 12:16:05 FreeNAS ActiveDirectory: AD_testjoin_domain: net -k ads testjoin MyDomain -S MyDomain-dc-1.MyDomain -p 389
Jul 21 12:16:06 FreeNAS ActiveDirectory: AD_testjoin_domain: Failed
Jul 21 12:16:06 FreeNAS ActiveDirectory: activedirectory_start: trying to join domain
Jul 21 12:16:06 FreeNAS ActiveDirectory: AD_join_domain: net -k ads join MyDomain -S MyDomain-dc-1.MyDomain -p 389
Jul 21 12:16:08 FreeNAS ActiveDirectory: AD_join_domain: Successful
Jul 21 12:16:08 FreeNAS ActiveDirectory: /usr/sbin/service ix-activedirectory status
Jul 21 12:16:09 FreeNAS ActiveDirectory: activedirectory_status: checking status
Jul 21 12:16:09 FreeNAS ActiveDirectory: AD_status_domain: net -k ads status MyDomain
Jul 21 12:16:10 FreeNAS ActiveDirectory: AD_status_domain: Okay
Jul 21 12:16:10 FreeNAS ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Jul 21 12:16:12 FreeNAS ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Jul 21 12:16:17 FreeNAS ActiveDirectory: /usr/sbin/service ix-pam quietstart
Jul 21 12:16:18 FreeNAS ActiveDirectory: /usr/sbin/service ix-cache quietstart &
Jul 21 12:16:39 FreeNAS ActiveDirectory: kerberos_status: klist -t
Jul 21 12:16:39 FreeNAS ActiveDirectory: kerberos_status: Successful
Jul 21 12:16:40 FreeNAS ActiveDirectory: activedirectory_status: checking status
Jul 21 12:16:40 FreeNAS ActiveDirectory: AD_status_domain: net -k ads status MyDomain
Jul 21 12:16:41 FreeNAS ActiveDirectory: AD_status_domain: Okay

After a reboot the join is lost:
Code:
Jul 21 12:22:44 FreeNAS ActiveDirectory: activedirectory_start: checking if we are joined already
Jul 21 12:22:44 FreeNAS ActiveDirectory: AD_testjoin_domain: net -k ads testjoin MyDomain -S MyDomain-dc-b.MyDomain -p 389
Jul 21 12:22:49 FreeNAS ActiveDirectory: AD_testjoin_domain: Failed
Jul 21 12:22:49 FreeNAS ActiveDirectory: activedirectory_start: trying to join domain
Jul 21 12:22:49 FreeNAS ActiveDirectory: AD_join_domain: net -k ads join MyDomain -S MyDomain-dc-b.MyDomain -p 389
Jul 21 12:22:50 FreeNAS ActiveDirectory: AD_join_domain: Failed
Jul 21 12:22:50 FreeNAS ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Jul 21 12:22:52 FreeNAS ActiveDirectory: /usr/sbin/service ix-kerberos quietstop
Jul 21 12:22:52 FreeNAS ActiveDirectory: /usr/sbin/service ix-nsswitch quietstop
Jul 21 12:22:52 FreeNAS ActiveDirectory: /usr/sbin/service ix-pam quietstop
Jul 21 12:22:53 FreeNAS ActiveDirectory: /usr/sbin/service ix-activedirectory forcestop
Jul 21 12:22:58 FreeNAS ActiveDirectory: activedirectory_stop: leaving domain
Jul 21 12:23:02 FreeNAS /adtool: [common.pipesubr:66] Popen()ing: /usr/bin/kinit --renewable --password-file=/tmp/tmpmnyiaekk FreenasUser@MYDOMAIN
Jul 21 12:23:02 FreeNAS ActiveDirectory: /usr/sbin/service ix-cache quietstop &
Jul 21 12:23:06 FreeNAS ActiveDirectory: /usr/sbin/service samba_server forcestop
Jul 21 12:23:06 FreeNAS ActiveDirectory: /usr/sbin/service ix-pre-samba start
Jul 21 12:23:09 FreeNAS ActiveDirectory: /usr/sbin/service ix-kinit forcestop
Jul 21 12:23:09 FreeNAS ActiveDirectory: /usr/sbin/service ix-hostname quietstart
 

dlavigne

Guest
Is the Enable Monitoring box checked in Directory Services -> Active Directory?
 

dlavigne

Guest
That feature tells the system to try to recontact the AD server if the join fails (otherwise, it only tries once at reboot and that's it). Checking the box should resolve the issue.
 

MrDave2017

Cadet
Joined
Jul 21, 2017
Messages
7
Here are my findings. Setting the monitoring option does cause the NAS to be bound to the domain after a reboot and 11 retries, but the join is a fresh join. The computer object in AD is moved to the default computers container and the NAS is rejoined to the domain as a computer object. It does not appear that FreeNAS is doing a standard computer domain join on setup; rather, every time on startup it does a fresh new join of the domain. I verified this by changing the password of the user that was entered to do the initial join and then restarting; the join then failed after reboot.
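A log check for the behaviour described in this post, as an added example that is not part of the original thread or of FreeNAS: it groups the `ActiveDirectory:` syslog lines into start cycles and labels each one, so a boot that fell back to a fresh join with the stored join-user credentials stands out. The sample lines are excerpted from the logs posted above; the verdict names, and the assumption that a passing testjoin logs `Successful`, belong to this example.

```python
import re

# Excerpted from the two syslog snippets posted earlier in this thread.
SAMPLE_LOG = """\
Jul 21 12:16:05 FreeNAS ActiveDirectory: activedirectory_start: checking if we are joined already
Jul 21 12:16:05 FreeNAS ActiveDirectory: AD_testjoin_domain: net -k ads testjoin MyDomain -S MyDomain-dc-1.MyDomain -p 389
Jul 21 12:16:06 FreeNAS ActiveDirectory: AD_testjoin_domain: Failed
Jul 21 12:16:06 FreeNAS ActiveDirectory: activedirectory_start: trying to join domain
Jul 21 12:16:08 FreeNAS ActiveDirectory: AD_join_domain: Successful
Jul 21 12:22:44 FreeNAS ActiveDirectory: activedirectory_start: checking if we are joined already
Jul 21 12:22:49 FreeNAS ActiveDirectory: AD_testjoin_domain: Failed
Jul 21 12:22:50 FreeNAS ActiveDirectory: AD_join_domain: Failed
Jul 21 12:22:58 FreeNAS ActiveDirectory: activedirectory_stop: leaving domain
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sActiveDirectory:\s"
    r"(?P<step>activedirectory_start|activedirectory_stop|AD_testjoin_domain|AD_join_domain):\s"
    r"(?P<msg>.*)$"
)
# Assumption: a passing testjoin logs "Successful", as the join step does.
RESULT_STEPS = {"AD_testjoin_domain": "testjoin", "AD_join_domain": "join"}

def classify(c):
    """Label one start cycle (hypothetical verdict names for this example)."""
    if c["testjoin"] == "Successful":
        return "existing join reused"   # machine account still valid
    if c["testjoin"] == "Failed" and c["join"] == "Successful":
        return "fresh join"             # re-joined with the join user's credentials
    if c["testjoin"] == "Failed" and c["join"] == "Failed":
        return "join lost"              # directory service will be torn down
    return "incomplete"

def summarize(lines):
    """Return one dict per 'checking if we are joined already' cycle."""
    cycles, cur = [], None
    for line in lines:
        m = EVENT.match(line.strip())
        if not m:
            continue                    # other daemons, command echoes, etc.
        step, msg = m["step"], m["msg"]
        if step == "activedirectory_start" and msg.startswith("checking"):
            cur = {"start": m["ts"], "testjoin": None, "join": None, "left_domain": False}
            cycles.append(cur)
        elif cur and step in RESULT_STEPS and msg in ("Successful", "Failed"):
            cur[RESULT_STEPS[step]] = msg
        elif cur and step == "activedirectory_stop" and "leaving domain" in msg:
            cur["left_domain"] = True
    return [dict(c, verdict=classify(c)) for c in cycles]

if __name__ == "__main__":
    for cycle in summarize(SAMPLE_LOG.splitlines()):
        print(cycle)
```
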
 

razor1299

Dabbler
Joined
Apr 23, 2017
Messages
46
I have the same problem with the FreeNAS 11.0 U2
 

razor1299

Dabbler
Joined
Apr 23, 2017
Messages
46
I have the same problem with the FreeNAS 11.0 U2
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 4 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 5 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 29 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 21 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - tried 10 attempts to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 1 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 3 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 11 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 22 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 5 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 6 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 24 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 14 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 3 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 14 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 70 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 16 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 66 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 34 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 1 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 6 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 5 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 5 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 18 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 10 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 19 to recover service activedirectory
  • WARNING: July 26, 2017, 10:36 p.m. - attempt 72 to recover service activedirectory
 

MrDave2017

Cadet
Joined
Jul 21, 2017
Messages
7
Going to need some insight from IX guys on why it is attempting a new join every time; either I'm not seeing something right in front of my face or something odd is happening here.
 

HoboJ

Cadet
Joined
May 6, 2017
Messages
1
I have a vaguely similar issue after upgrading from 11.0 to 11u2 where active directory won't successfully join our domain anymore. Though the testjoin part of the process doesn't fail like it does for you, mine fails later on when it checks AD status.
 