Symptoms
- Everything has been working fine for a long time, and we have had no recent changes to any infrastructure
- Last Friday (4 days ago), users were unable to connect to \\freenas
- Users cannot connect to \\freenas, but it works fine when connecting to the IP
- When connecting to \\freenas, it will continually prompt for credentials on some clients, on others it works
- Some users are able to connect just fine to \\freenas, others it only works if you use \\ip
- The same user might work fine on one workstation, but they'll have to use the \\ip on another
- Permissions haven't changed, and when a user uses \\IP, everything works fine
- Rebooted the FreeNAS server several times (the final reboot didn't produce the "active directory failed to reload" issue)
- Confirmed DNS was working correctly
- Pinged the DNS servers from the FreeNAS box with great response times and no dropped packets
- Tried connecting to the server using \\freenas from multiple computers using the same credentials (some worked, some didn't)
- Rebooted domain controllers
- Restarted DNS services on both domain controllers
- Confirmed time seems to be accurate on all boxes
- Confirmed DNS resolutions were working correctly on all clients, even those having issues
- Attempted to rebuild cache for active directory
- In /var/db/system/syslog-2cf8bd0eb1d742db9c1d9f9e6d30a105/log/samba4/log.smbd this gets repeated over and over again:
- ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/name@FQDN kvno 22) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2019/06/28 10:32:31.416373, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
- ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
- Couldn't connect to active directory: [middleware.exceptions:36] [MiddlewareError: Active Directory failed to reload.]
- After rebooting the FreeNAS box, it finally worked correctly
- I've added machine password timeout = 0 to /usr/local/etc/smb4.conf, which might help in the future and changed the mapped drive on user's computer to use the IP instead of name, so nobody is blocked now
- SMB shares
- Active directory integration for permissions and authentication
- Mixed client environment (Windows, *nix, Mac)
- Running version FreeNAS-11.1-U7
- 2 NIC / Lagg groups
- 1 used by servers
- 1 used by clients
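Added example, not part of the original post: a small Python parser that pulls the principal, kvno, enctype and keytab name out of the `gss_accept_sec_context` failures quoted above and counts them, so the repeating error can be summarised from a copy of log.smbd. The sample log is constructed from the lines in the post (one line in the form posted, one with the parenthesis intact), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the log.smbd lines quoted in the post.
# cifs/name@FQDN is the post's own redacted placeholder, not a real principal.
SAMPLE_LOG = """\
[2019/06/28 10:32:31.416001, 1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/name@FQDN kvno 22) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
[2019/06/28 10:32:31.416373, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2019/06/28 10:32:40.100200, 1] ../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/name@FQDN(kvno 22) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
"""

# Accepts both "principal(kvno N)" and the "principal kvno N)" form seen in the post.
MISSING_KEY = re.compile(
    r"Failed to find (?P<principal>\S+?)\s*\(?kvno (?P<kvno>\d+)\)"
    r" in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)


def missing_keys(log_text):
    """Count keytab lookup failures per (principal, kvno, enctype, keytab)."""
    hits = Counter()
    for m in MISSING_KEY.finditer(log_text):
        hits[(m["principal"], int(m["kvno"]), m["enctype"], m["keytab"])] += 1
    return hits


def report(log_text):
    """Return one summary line per distinct missing key, sorted for stable output."""
    lines = []
    for (principal, kvno, enctype, keytab), n in sorted(missing_keys(log_text).items()):
        lines.append(f"{n}x {principal} kvno={kvno} enctype={enctype} missing from {keytab}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The kvno in each summary line is the key version the client's ticket was issued for; it can be compared against the key versions present in the server's keytab and the key version number on the machine account in Active Directory.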