FreeNAS 9.3-STABLE Won't Join Server 2012R2 Domain

Status
Not open for further replies.

mdrisser

Dabbler
Joined
Nov 13, 2015
Messages
19
I am currently unable to join a FreeNAS 9.3 server to a Server 2012R2 domain.

Running a command I found in a similar problem in the bug tracker: net -k ads join domain.local -d 9
results in the following output:

INFO: Current debug levels:
all: 9
tdb: 9
printdrivers: 9
lanman: 9
smb: 9
rpc_parse: 9
rpc_srv: 9
rpc_cli: 9
passdb: 9
sam: 9
auth: 9
winbind: 9
vfs: 9
idmap: 9
quota: 9
acls: 9
locking: 9
msdfs: 9
dmapi: 9
registry: 9
scavenger: 9
dns: 9
ldb: 9
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
all: 9
tdb: 9
printdrivers: 9
lanman: 9
smb: 9
rpc_parse: 9
rpc_srv: 9
rpc_cli: 9
passdb: 9
sam: 9
auth: 9
winbind: 9
vfs: 9
idmap: 9
quota: 9
acls: 9
locking: 9
msdfs: 9
dmapi: 9
registry: 9
scavenger: 9
dns: 9
ldb: 9
params.c:pm_process() - Processing configuration file "/usr/local/etc/smb4.conf"
Processing section "[global]"
doing parameter server max protocol = SMB3
doing parameter encrypt passwords = yes
doing parameter dns proxy = no
doing parameter strict locking = no
doing parameter oplocks = yes
doing parameter deadtime = 15
doing parameter max log size = 51200
doing parameter max open files = 235154
doing parameter load printers = no
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter disable spoolss = yes
doing parameter getwd cache = yes
doing parameter guest account = nobody
doing parameter map to guest = Bad User
doing parameter obey pam restrictions = yes
doing parameter directory name cache size = 0
doing parameter kernel change notify = no
doing parameter panic action = /usr/local/libexec/samba/samba-backtrace
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter server string = FreeNAS Test Server
doing parameter ea support = yes
doing parameter store dos attributes = yes
doing parameter lm announce = yes
doing parameter hostname lookups = yes
doing parameter acl allow execute always = true
doing parameter acl check permissions = true
doing parameter dos filemode = yes
doing parameter multicast dns register = yes
doing parameter domain logons = no
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 90000001-100000000
doing parameter server role = member server
doing parameter netbios name = FREENAS
doing parameter workgroup = PD
doing parameter realm = DOMAIN.LOCAL
doing parameter security = ADS
doing parameter client use spnego = yes
doing parameter cache directory = /var/tmp/.cache/.samba
doing parameter local master = no
doing parameter domain master = no
doing parameter preferred master = no
doing parameter winbind cache time = 7200
doing parameter winbind offline logon = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter winbind use default domain = yes
doing parameter winbind refresh tickets = yes
doing parameter idmap config PD: backend = rid
doing parameter idmap config PD: range = 20000-90000000
doing parameter allow trusted domains = no
doing parameter client ldap sasl wrapping = plain
doing parameter template shell = /bin/sh
doing parameter template homedir = /home/%U
doing parameter pid directory = /var/run/samba
doing parameter create mask = 0666
doing parameter directory mask = 0777
doing parameter client ntlmv2 auth = yes
doing parameter dos charset = CP437
doing parameter unix charset = UTF-8
doing parameter log level = 1
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="FREENAS"
added interface em0 ip=192.168.3.52 bcast=192.168.3.255 netmask=255.255.255.0
added interface em1 ip=192.168.3.53 bcast=192.168.3.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=0x0
Registering messaging pointer for type 9 - private_data=0x0
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=0x0
Registering messaging pointer for type 12 - private_data=0x0
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=0x0
Registering messaging pointer for type 5 - private_data=0x0
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'FREENAS'
domain_name : *
domain_name : 'domain.local'
account_ou : NULL
admin_account : 'root'
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x01 (1)
secure_channel_type : SEC_CHAN_WKSTA (2)
Opening cache file at /var/tmp/.cache/.samba/gencache.tdb
Opening cache file at /var/db/samba4/gencache_notrans.tdb
sitename_fetch: No stored sitename for pd.local
ads_dns_lookup_srv: 2 records returned in the answer section.
sitename_fetch: Returning sitename for DOMAIN.LOCAL: "Default-First-Site-Name"
no entry for DC01.domain.local#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name DC01.domain.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name DC01.domain.local<0x20>
startlmhosts: Can't open lmhosts file /usr/local/etc/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name DC01.domain.local<0x20>
namecache_store: storing 1 address for DC01.domain.local#20: 192.168.3.109
Connecting to 192.168.3.109 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 4
Could not test socket option TCP_KEEPCNT.
Could not test socket option TCP_KEEPIDLE.
Could not test socket option TCP_KEEPINTVL.
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 33304
SO_RCVBUF = 66608
SO_SNDLOWAT = 2048
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain 'domain.local' over rpc: NT_STATUS_CONNECTION_RESET'
domain_is_ad : 0x00 (0)
result : WERR_NETNAME_DELETED
Failed to join domain: failed to lookup DC info for domain 'domain.local' over rpc: NT_STATUS_CONNECTION_RESET
return code = -1


The really interesting part is that it fails to look up DC info for the domain.

If I run host -t srv _ldap._tcp.domain.local it returns:
_ldap._tcp.domain.local has SRV record 0 100 389 dc01.domain.local.
_ldap._tcp.domain.local has SRV record 0 100 389 dc02.domain.local.

So the SRV records are there and are accessible.

Just in case anyone asks ;)
  • DNS is working fine, names are resolving properly
  • NTP servers on the FreeNAS box are pointing to the DCs and the times are in sync (less than a minute difference)
  • I have tried manually adding the domain controller and the global catalog server in the web interface
  • I have run through the troubleshooting steps in the manual
I'm stumped on this one. Any help is greatly appreciated.
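The checks listed in this post (SRV records present, clocks within the Kerberos window, the DC reachable on the RPC/SMB port that the join failed on) can be scripted so they are repeatable on the FreeNAS box. The script below is an added example, not code from the thread or from the FreeNAS project: it parses the same `host -t srv` output shown above, applies the 300-second Kerberos skew tolerance, and probes each DC on TCP 88, 389 and 445. The realm `domain.local` and the DC names are the sample values from the post; the `probe` argument of `check_dcs` is an assumption of this example that lets the logic run without a network. Obtaining the DC's clock value for `clock_skew_ok` (for instance from an NTP query) is left to the caller.

```python
"""Pre-join checks for a Samba AD member: SRV discovery, Kerberos clock
skew and DC port reachability. Added example, not from the thread."""
import socket
import subprocess
import sys
from dataclasses import dataclass

KERBEROS_MAX_SKEW = 300          # seconds; default Kerberos clock-skew tolerance
DC_PORTS = {88: "kerberos", 389: "ldap", 445: "smb (RPC DC lookup)"}


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_host_srv(output):
    """Parse `host -t srv` output lines such as
    '_ldap._tcp.domain.local has SRV record 0 100 389 dc01.domain.local.'
    Records come back in client-selection order: lower priority first,
    then higher weight first. Lines that are not SRV answers are skipped."""
    records = []
    for line in output.splitlines():
        if " has SRV record " not in line:
            continue
        fields = line.split(" has SRV record ", 1)[1].split()
        if len(fields) != 4:
            continue
        prio, weight, port, target = fields
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def clock_skew_ok(local_epoch, dc_epoch, max_skew=KERBEROS_MAX_SKEW):
    """True when the two clocks differ by no more than the Kerberos tolerance."""
    return abs(local_epoch - dc_epoch) <= max_skew


def tcp_reachable(host, port, timeout=3.0):
    """Real probe: can a TCP handshake to host:port be completed?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dcs(records, probe=tcp_reachable):
    """Probe every DC named in the SRV answer on each AD port.
    `probe` is injectable (hypothetical helper) so the logic is testable offline."""
    return {rec.target: {port: probe(rec.target, port) for port in DC_PORTS}
            for rec in records}


def unreachable_ports(results):
    """Flatten check_dcs() output into a sorted list of (dc, port) failures."""
    return sorted((dc, port) for dc, ports in results.items()
                  for port, ok in ports.items() if not ok)


def main(realm):
    # Live run: query DNS with the same tool the post used, then probe the DCs.
    out = subprocess.run(["host", "-t", "srv", "_ldap._tcp." + realm],
                         capture_output=True, text=True, check=False).stdout
    records = parse_host_srv(out)
    if not records:
        print("no _ldap._tcp SRV records for", realm)
        return 1
    failures = unreachable_ports(check_dcs(records))
    for dc, port in failures:
        print("%s:%d (%s) unreachable" % (dc, port, DC_PORTS[port]))
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "domain.local"))
```

Run it on the member server as `python3 adcheck.py domain.local`. SRV records that resolve but a DC that does not answer on 445 (while 88 and 389 do) narrows the problem to the SMB/RPC path, which is where the `NT_STATUS_CONNECTION_RESET` in the join trace occurred, rather than to DNS or Kerberos.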
 

Nick Lutz

Dabbler
Joined
Jul 10, 2014
Messages
21
For what it's worth, I had similar problems, everything looked good, but I was unable to get the FreeNAS box to join the domain. I fixed this by adding an SDC (Secondary Domain Controller) with a secondary DNS to my forest. I pointed FreeNAS to the secondary domain controller and secondary DNS and things magically started working. I can only assume something that only FreeNAS cares about was not in a state that FreeNAS was happy about on the PDC. I hope this can help you as there seems to be little support when it comes to Active Directory and FreeNAS.
 

mdrisser

Dabbler
Joined
Nov 13, 2015
Messages
19
Did you mean under 1 second? With NTP, they should have the same time.

Yes, they should have, but without delving too far into time and date commands, the times shown on the clocks are pretty close to being in sync, hence the less than a minute that I posted. The takeaway is that the clocks are well within the 5 minutes allowed for by Kerberos, thus eliminating that as a culprit.
 

mdrisser

Dabbler
Joined
Nov 13, 2015
Messages
19
For what it's worth, I had similar problems, everything looked good, but I was unable to get the FreeNAS box to join the domain. I fixed this by adding an SDC (Secondary Domain Controller) with a secondary DNS to my forest. I pointed FreeNAS to the secondary domain controller and secondary DNS and things magically started working. I can only assume something that only FreeNAS cares about was not in a state that FreeNAS was happy about on the PDC. I hope this can help you as there seems to be little support when it comes to Active Directory and FreeNAS.

Hmmmm, interesting. I'll have to give that a try and see, as we already have a BDC in the domain.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
I have successfully joined FreeNAS as a member server to Server 2012 and 2012R2 domains without problems, FWIW, so there isn't anything special about 2012.
 

mdrisser

Dabbler
Joined
Nov 13, 2015
Messages
19
I tried Nick Lutz's suggestion with no change in the results.

Playing around with the net command, if I run net ads user I get a list of the users in the domain; if I run net ads lookup I get the expected information about the PDC.
 

mdrisser

Dabbler
Joined
Nov 13, 2015
Messages
19
I have successfully joined FreeNAS as a member server to Server 2012 and 2012R2 domains without problems, FWIW, so there isn't anything special about 2012.

Thanks for that info, that certainly helps to narrow things down. I know that Microsoft changed some stuff with the SMB protocol in Server 2012; it's causing a lot of problems with network scanners, so I thought it might be playing a role in what I'm seeing, but glad to know that it isn't.
 

Nick Lutz

Dabbler
Joined
Jul 10, 2014
Messages
21
One other suggestion/check: is your DNS configured to do reverse lookups? Initially my DNS on Win2012r2 was not configured for reverse lookups, and as one of the troubleshooting steps I set it up with a reverse lookup zone. Since my systems are not on the Internet at large, I removed all of the Internet authoritative DNS hosts from the DNS configuration under Windows. Things still didn't work until I set up a secondary domain controller, but the reverse lookups were transferred over to the secondary DNS server as well. I also updated Windows 2012r2 on both domain controller hosts to October 2015 patch levels. Also, my PDC and BDC/SDC are Hyper-V virtualized hosts.

Note: I was very shocked when I first saw the domain users/groups show up in the FreeNAS dropdowns when creating shares, but I never went backward to find out what actually fixed the issue (due to time/funding constraints).

Hope this helps.
 

acog

Cadet
Joined
Sep 15, 2015
Messages
1
Did you ever see a resolution on this? I'm tearing around in a lab I've set up in preparation to introduce into our production environment. I have not been able to get FreeNAS to join the domain UNLESS I have a 2008R2 domain controller present. I have a 2012R2 DC and I have been promoting and demoting a 2008R2 DC as well. When 08R2 is a DC, I am able to get FreeNAS to join. When 08R2 is NOT a DC, I get "The service cannot be restarted".
 

HotelOscar

Cadet
Joined
Mar 23, 2016
Messages
2
I have also seen some of those issues with some of the Synology NAS we currently have in production use. They use an older Samba version (4.1, IIRC), and require at least one DC with 2008R2 and AD level 47 in the domain.
A pure 2012 Server or 2012R2 Server AD with an AD functional level higher than 47 probably will or would trigger some issues; the Samba team explicitly states in their documentation that for Samba as a member DC the domain level is max 47/2008R2 level or things will break.

As for a domain member only, I haven't found concise documentation yet, but I suspect similar issues with that; we have had some trouble with nested users/groups and permissions on shares with a Synology NAS running Samba 4.1.x ...
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I have also seen some of those issues with some of the Synology NAS we currently have in production use. They use an older Samba version (4.1, IIRC), and require at least one DC with 2008R2 and AD level 47 in the domain.
A pure 2012 Server or 2012R2 Server AD with an AD functional level higher than 47 probably will or would trigger some issues; the Samba team explicitly states in their documentation that for Samba as a member DC the domain level is max 47/2008R2 level or things will break.

As for a domain member only, I haven't found concise documentation yet, but I suspect similar issues with that; we have had some trouble with nested users/groups and permissions on shares with a Synology NAS running Samba 4.1.x ...
The Synology device may have problems with nss/winbind configuration. Nested groups work fine on my FreeNAS server. Server 2012R2 seems to work fine, but my production domain is at a 2008R2 functional level so I can't comment as to samba / winbind behavior at a 2012R2 functional level. I suspect it will work fine.
 