Odd AD Behavior

icsy7867

Contributor
Joined
Dec 31, 2015
Messages
167
I have a pretty simple AD forest and I have Freenas connected to it.

What has worked in the past was pretty simple. I would make SMB shares and have a local user and group own it through the Freenas GUI. I would then connect to the share and change the permissions and add my AD users and accounts to various shares. I usually prefer leaving a local account as owner in the Freenas GUI and updating from there.

However, recently I have been having some trouble. I always get a "You do not have permission to access \\dns.name.com\Share".

I have tried disconnecting the AD domain and reconnecting in Freenas and I have tried with and without encryption. When mounting the SMB share using the local credentials and viewing the permission list everything looks normal. AD accounts are listed correctly with the correct permissions. Not quite sure what's going on. Any ideas?

Currently running Freenas 11.1 U7.
 

icsy7867

I haven't been able to yet. I need to spend some more time on it and take a look. Work unfortunately got a little busy. I am going to try and rejoin to AD soon.

*EDIT*
Oddly enough it is almost exactly as described here:
https://www.youtube.com/watch?v=hvH7UZBD3EI
 

icsy7867

So I decided to upgrade to 11.2 from 11.1

Everything went quite smoothly. I am liking most of the new UI. However, the same odd AD behavior exists.

I have the share permissioned to a local user and group, and set to Windows. I then connect to the SMB share using the local Freenas credentials and add my domain account with full permissions. This goes through and adds fine. I can browse to the sub folders and see my username successfully on the users access list.

However, when I try to connect to the SMB share, I always get a "You do not have permissions". It is quite bizarre.

Is there a way to reset all the AD settings back to the defaults and start over? I think I have everything back to the default settings, but I would like to verify.

However, it would seem that the SMB share works on Linux/Ubuntu/CentOS without issue. Definitely something going on with my Windows VM.
 

icsy7867

Unfortunately not. Updated to the latest version but same issue.

However, my Linux VMs and Nextcloud instance have no trouble using the SMB shares. It is only my Windows boxes.
 

icsy7867

Windows 10 (1809) as well as Windows Server 2016.

A couple of interesting errors in the logs. Can't really find a cause. Seems to follow SMB service restarts or AD rejoins.

Code:
Jul  9 14:56:41 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.cachetool fill
Jul  9 14:57:59 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Jul  9 14:58:00 freenas smbd: in openpam_check_error_code(): pam_sm_setcred(): unexpected return value 12
Jul  9 14:58:00 freenas smbd: in openpam_check_error_code(): pam_sm_setcred(): unexpected return value 12
Jul  9 14:58:01 freenas ActiveDirectory: /usr/sbin/service samba_server forcestop
Jul  9 14:58:01 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Jul  9 14:58:06 freenas ActiveDirectory: /usr/sbin/service ix-kinit forcestop
Jul  9 14:58:06 freenas ActiveDirectory: /usr/sbin/service ix-hostname quietstart
Jul  9 14:58:07 freenas ActiveDirectory: /usr/sbin/service ix-kerberos restart
Jul  9 14:58:07 freenas ActiveDirectory: /usr/sbin/service ix-nsswitch quietstop
Jul  9 14:58:07 freenas ActiveDirectory: /usr/sbin/service ix-pam quietstop
Jul  9 14:58:07 freenas ActiveDirectory: /usr/sbin/service ix-cache quietstop &


Code:
Jul  9 14:54:56 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Jul  9 14:55:00 freenas ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
Jul  9 14:55:03 freenas ActiveDirectory: /usr/sbin/service ix-activedirectory status
Jul  9 14:55:04 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Jul  9 14:55:05 freenas kernel: Failed to fully fault in a core file segment at VA 0x8014d6000 with size 0xd000 to be written at offset 0x37e000 for process winbindd
Jul  9 14:55:05 freenas kernel: Failed to fully fault in a core file segment at VA 0x8014d6000 with size 0xd000 to be written at offset 0x37e000 for process winbindd
Jul  9 14:55:05 freenas kernel: pid 77692 (winbindd), uid 0: exited on signal 6 (core dumped)
Jul  9 14:55:05 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Jul  9 14:55:09 freenas ActiveDirectory: /usr/sbin/service ix-pam quietstart
Jul  9 14:55:09 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.cachetool fill
Jul  9 14:56:21 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Jul  9 14:56:22 freenas ActiveDirectory: /usr/sbin/service ix-hostname quietstart
 

icsy7867

Can you PM me a debug (system->advanced->save debug)?
I think this is fixed now! (Thank you anodos for your help!)

It looks like my tank lost the "execute" bit in its ACL...
Code:
sudo chmod +x /mnt/tank


I can traverse my shares again!
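
The fix above restored the execute (search) bit on the pool mountpoint; a directory missing that bit blocks traversal into everything beneath it, whatever the share ACLs list. The following is an added example, not part of the original thread, that walks a share path and reports each directory missing that bit. It reads POSIX mode bits only (on datasets with NFSv4 ACLs, `getfacl` shows the actual entries), and the temporary tree is a constructed stand-in for `/mnt/tank/share`.

```python
import os
import stat
import tempfile

ALL_X = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def missing_traverse(share_path, start="/", need=ALL_X):
    """Return [(directory, mode_string)] for every directory from `start`
    down to `share_path` that lacks any execute (search) bit in `need`."""
    share_path = os.path.realpath(share_path)
    start = os.path.realpath(start)
    if os.path.commonpath([start, share_path]) != start:
        raise ValueError("share_path must be inside start")
    rel = os.path.relpath(share_path, start)
    parts = [] if rel == "." else rel.split(os.sep)
    findings = []
    current = start
    for part in [None] + parts:
        if part is not None:
            current = os.path.join(current, part)
        try:
            mode = os.stat(current).st_mode
        except PermissionError:
            # A parent already blocks traversal for the account running this.
            findings.append((current, "unreadable"))
            break
        if stat.S_ISDIR(mode) and (mode & need) != need:
            findings.append((current, stat.filemode(mode)))
    return findings


def demo():
    # Constructed tree standing in for /mnt/tank/share.
    root = os.path.realpath(tempfile.mkdtemp())
    tank = os.path.join(root, "tank")
    share = os.path.join(tank, "share")
    os.makedirs(share)
    os.chmod(root, 0o755)
    os.chmod(share, 0o755)
    os.chmod(tank, 0o744)  # group/other lost the search bit
    before = missing_traverse(share, start=root)
    os.chmod(tank, 0o755)  # same effect as chmod +x on the mountpoint
    after = missing_traverse(share, start=root)
    return tank, before, after


if __name__ == "__main__":
    print(demo())
```

On the NAS itself the call would be `missing_traverse("/mnt/tank/<share>", start="/mnt")`, with the share name filled in.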
 