SOLVED Joining an AD (Samba 4) from another network/DNS domain?

CDuv

Dabbler
Joined
Aug 11, 2014
Messages
17
Hello,

TL;DR: A TrueNAS SCALE server won't join an Active Directory domain that has a different name than its own.

Context:

I have a working Samba Domain setup where a Samba 4 (v4.13) server (named "DC1") acts as a Domain Controller for domain "sd.int.company-1.com".

I have 2 TrueNAS servers (a SCALE and a CORE, named "NAS1" and "NAS2") running on the same LAN and members of this domain and working just fine (the Domain users are available in TrueNAS's ACL configuration pages and users authenticate on these TrueNAS servers using their domain credentials).

This is on LAN1 (say 192.168.1.0/24) which is used by Company 1 that also has a DNS domain (not SD/AD) "int.company-1.com" (meaning "domain int.company-1.com" in "/etc/resolv.conf" on Linux computers and in DHCP's configuration)

New stuff I need to do:

I have another LAN: LAN2 (say 192.168.2.0/24), for Company 2's staff, that has no Samba/Windows domain, nor Domain Controller but:
  • the staff of Company 2 do have credentials on sd.int.company-1.com
    (Both company 1 and 2 have separate networks in a shared building but are kind of sister companies)
  • they need a NAS server running TrueNAS SCALE: say "NAS3"
  • their existing DNS domain is "int.company-2.com"
Basically I need my DC1 Domain Controller to be available on both LAN 1 and LAN 2 and capable of accepting domain joins from both LANs.

What I did:

  • Added DC1 on LAN 2: new NIC, plugged on LAN2's switch, configured a LAN2 IP
  • Installed TrueNAS SCALE 23.10.1 on NAS3 (internal FQDN, as returned by hostname -f: nas3.int.company-2.com), on LAN2
  • Can ping DC1 from NAS3 using its LAN2 IP. And vice versa.
  • Configured Active Directory in "Directory Services" with the settings I usually use for this kind of operation:
    • Domain Name: SD.INT.COMPANY-1.COM
    • Domain Account Name: Administrator
    • Domain Account Password: (Password)
    • NetBIOS Name: NAS3
    • Enable (requires password or Kerberos principal): [X] (checked)
    • Verbose Logging: [ ] (unchecked)
    • Allow Trusted Domains: [ ] (unchecked)
    • Use Default Domain: [ ] (unchecked)
    • Allow DNS Updates: [ ] (unchecked)
    • Disable AD User / Group Cache: [ ] (unchecked)
    • Restrict PAM: [ ] (unchecked)
    • Site Name: (empty)
    • Kerberos Realm: (empty)
    • Kerberos Principal: (empty)
    • Computer Account OU: Machines
    • Winbind NSS Info: RFC2307
    • NetBIOS Alias: (empty)

Issue:

Submitting the configuration form fails with:
ads_connect: No logon servers are currently available to service the logon request. Didn't find the ldap server!

I see no related log message/error in /var/log/messages even if I check "Verbose Logging".

Questions:

Can what I'm trying to do be done?
What tool(s) can I use to debug the issue and find the root cause?
Since I know that:
  • Samba 4 listens on both NIC of DC1 (both LAN1 and LAN2)
  • and DC1 can ping and resolve NAS3, and vice-versa
Is there anything else I should check?

Thanks
 

CDuv

I've checked and tcpdump confirms DC1 does get some network traffic from NAS3 (via LAN2).

Also: DNS resolution as advised by the doc looks OK:
Code:
$ host -t srv _ldap._tcp.sd.int.company-1.com
_ldap._tcp.sd.int.company-1.com has SRV record 0 100 389 dc1.sd.int.company-1.com.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
For joining an AD domain it is mandatory that the system joining has these settings:
  • DNS domain name matches AD domain
  • DNS servers are either identical with the domain controllers or some secondary of the same domain
  • NTP is active or the system time is synced with the domain controllers by some other means
AD is all about DNS, that's where the magic happens. Then Kerberos is used for authentication - that's why correct system time is mandatory.
 

CDuv

Dabbler
I've changed the domain (in /ui/network) to "int.company-1.com" (instead of "int.company-2.com") but the issue remains.

Do you know any method to debug AD join (log files and/or CLI tools/commands)?
 

Patrick M. Hausen

Is your TrueNAS using the domain controllers of int.company-1.com as name servers? Is the clock of your TrueNAS synced via NTP and the timezone configured correctly?
 

CDuv

All clocks of DC1, NAS1, NAS2 and NAS3 are in sync (*.debian.pool.ntp.org NTP servers).

Regarding DNS servers:

Each LAN has its own DNS server (software is Unbound DNS, running in OPNsense servers): I have a DNS1 running on LAN1 and DNS2 running on LAN2.
Both are set up to query DC1 for any DNS request on "sd.int.company-1.com" (Unbound DNS settings say: « Entries in this area override an entire domain by specifying an authoritative DNS server to be queried for that domain. »)
  • NAS1 (TrueNAS CORE, on LAN1) has:
    • Domain: sd.int.company-1.com
    • DNS server: DNS1
  • NAS2 (TrueNAS SCALE, on LAN1) has:
    • Domain: int.company-1.com
    • DNS server: DNS1
  • NAS3 (TrueNAS SCALE, on LAN2) has:
    • Domain: int.company-1.com
      (initially had "int.company-2.com")
      Additional Domains : int.company-2.com
      (added today)
    • DNS server: DNS2
As you can see, I have 2 NAS working just fine (from day 1) using either the SD/AD domain ("sd.int.company-1.com") or not ("int.company-1.com") and using a DNS server other than the Domain Controller (but configured to forward queries to it).


I have determined the (first?) command run when attempting to join AD from the UI is:

Code:
net -S sd.int.company-1.com --json --option realm=sd.int.company-1.com ads info


It (obviously) outputs the same error message, but with "-v -d 3" I get useful information (emphasis is mine):

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[GLOBAL]"
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eno3 ip=192.168.2.23 bcast=192.168.2.255 netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eno3 ip=192.168.2.23 bcast=192.168.2.255 netmask=255.255.255.0
ads_cldap_netlogon: did not get a reply
ads_try_connect: ads_cldap_netlogon_5(192.168.1.26, (null)) failed.
get_dc_list: preferred server list: ", *"
cldap_ping_list: realm[(null)] no valid response num_requests[1] for count[1] - NT_STATUS_NO_LOGON_SERVERS
ads_find_dc: name resolution for realm '' (domain 'COMPANY-1') failed: NT_STATUS_NO_LOGON_SERVERS
ads_connect: No logon servers are currently available to service the logon request.
Didn't find the ldap server!
return code = -1

So it looks like it tried to netlogon using a LAN1 IP.
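The conclusion drawn from that log can be checked mechanically. The following Python script is added here as an illustration (it is not code from this thread, from TrueNAS or from Samba): it parses the `added interface ...` and `ads_cldap_netlogon_5(...)` lines that `net ads info -d 3` prints, as quoted above, and reports whether each DC address the client tried to ping is on one of the client's own subnets. The sample log is constructed from the lines in this post, and the line formats are assumed to be as shown there.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the "net ... ads info -v -d 3" output quoted in this thread.
SAMPLE_LOG = """\
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eno3 ip=192.168.2.23 bcast=192.168.2.255 netmask=255.255.255.0
ads_cldap_netlogon: did not get a reply
ads_try_connect: ads_cldap_netlogon_5(192.168.1.26, (null)) failed.
ads_find_dc: name resolution for realm '' (domain 'COMPANY-1') failed: NT_STATUS_NO_LOGON_SERVERS
"""

IFACE_RE = re.compile(r"added interface (\S+) ip=(\S+) bcast=\S+ netmask=(\S+)")
DC_TRY_RE = re.compile(r"ads_cldap_netlogon_5\((\d+\.\d+\.\d+\.\d+),")

def local_networks(log):
    """Map each non-loopback interface Samba registered to its IPv4 subnet."""
    nets = {}
    for name, ip, mask in IFACE_RE.findall(log):  # repeated lines collapse in the dict
        net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
        if not net.is_loopback:
            nets[name] = net
    return nets

def attempted_dcs(log):
    """DC addresses the client sent a CLDAP netlogon ping to, in order, without duplicates."""
    return list(dict.fromkeys(DC_TRY_RE.findall(log)))

def diagnose(log):
    """For each attempted DC, list the local interfaces whose subnet contains it (empty = off-link)."""
    nets = local_networks(log)
    return {ip: [n for n, net in nets.items() if ipaddress.IPv4Address(ip) in net]
            for ip in attempted_dcs(log)}

def report(log):
    """Human-readable verdict per DC address."""
    subnets = ", ".join(str(n) for n in local_networks(log).values())
    lines = []
    for ip, ifaces in diagnose(log).items():
        if ifaces:
            lines.append(f"DC {ip}: on-link via {', '.join(ifaces)}")
        else:
            lines.append(f"DC {ip}: NOT on any local subnet ({subnets}); the client was handed "
                         "an address from another LAN, so check the DC's smb.conf 'interfaces' "
                         "setting and the A/SRV records this client's resolver returns")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the log from this post it reports that 192.168.1.26 is off-link for a client whose only subnet is 192.168.2.0/24, which is the multi-homed DC problem the thread ends up fixing.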
 

CDuv

The issue was resolved by fixing a configuration issue in Samba: having DC1 on two LANs required adding the following setting (in [global] of /etc/samba/smb.conf):

Code:
interfaces = 192.168.1.0/24 192.168.2.0/24


Note: I kept the changes you advised me to do (setting Domain to "int.company-1.com" in Network configuration). Don't know if it would have worked without or not.
 

Patrick M. Hausen

Great to read - thanks for the update.
 