SOLVED SMB for randomly stops authenticating

Caleb Surface

Dabbler
Joined
May 11, 2016
Messages
16
I have a bunch of FreeNAS datasets that I am sharing via SMB on my AD environment, and it keeps losing the ability to authenticate users that connect on Windows. We have a mostly Mac environment, so thankfully it doesn't completely shut us down, but the few machines that do get affected by this are critical (finance machines for Quickbooks). I can't for the life of me figure out what is going on to cause this. It always works fine from OS X, but just randomly stops from Windows.

Any thoughts on this? Any other information I need to share?
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
Please post your FreeNAS server specs and version, your SMB settings, dataset settings and permissions, windows client version...all the relevant info. What do you do to get it to work again or does it just start working again by itself? At this point, we have nothing to go by to start helping you out.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
What version of QuickBooks? Enterprise? QuickBooks data files can only be hosted by Windows systems (or Linux if you're using 'Enterprise' - but I still recommend windows). If you don't have a license for windows server, then host the file on a windows client system and back it up to freenas. I've found Veeam's free windows backup client to work very well with samba shares.

When there are auth problems, are all users affected? If not, look for common traits between those affected. (For instance, pull complete networking details of client and look at DNS, subnet, IPv6 vs IPv4, time server, etc).

Are all clients joined to the domain? Do all users authenticate through AD? When it happens, check output of wbinfo -u and wbinfo -t. This will let you know if the freenas server is still joined to the domain.

Provide details of your AD environment (how many DCs, OS version of DCs).

If you don't mind, send me a debug file in a private message 'system' -> 'advanced' -> 'save debug'.
 

Caleb Surface

Dabbler
Joined
May 11, 2016
Messages
16
Up until this point, I've always tried restarting the box and/or rebuilding the directory cache. I'm not entirely sure if that has ever actually helped, though. This time, I can't get it to work again no matter what I do. Below is some of the information you requested.

Hardware
  • FreeNAS-9.10.2 (a476f16)
  • Intel(R) Xeon(R) CPU X5570 @ 2.93GHz
  • 98261MB Memory
SMB Settings (anything not listed is empty/not checked)
  • Netbios name - [Server name]
  • Workgroup - [Domain]
  • Description - FreeNAS Server
  • DOS charset - CP437
  • UNIX charset - UTF-8
  • Log Level - Normal
  • Guest account - nobody
  • Unix extensions - checked
  • Zeroconf share discovery - checked
  • Hostnames lookups - checked
  • Server maximum protocol - SMB3_00
  • Allow execute always - checked
  • Obey pam restrictions - checked
  • Bind IP Addresses - [IP of LACP interface]
  • Idmap Range Low - 90000001
  • Idmap Range High - 100000000
Dataset Settings (same for all datasets)
  • Compression level - Inherit (off)
  • Share type - Windows
  • Enable atime - Inherit (on)
  • ZFS Deduplication - Inherit (off)
Dataset Permissions (same for all datasets)
  • Apply Owner (user) - checked
  • Owner (user) - administrator
  • Apply Owner (group) - checked
  • Owner (group) - domain users
  • Apply Mode - checked
  • Mode - (options greyed out) Read[Owner | Group | Other], Write[Group], Execute[Owner | Group | Other]
  • Permission Type - Windows
Windows Client Versions
  • Windows 7
  • Windows 10
  • Windows Server 2016
 

Caleb Surface

Dabbler
Joined
May 11, 2016
Messages
16
I don't think Quickbooks was really relevant information to this problem, honestly. That computer is self-contained when it comes to Quickbooks work, but the FreeNAS box being down keeps it from backing up the QB data as well as those users from accessing other finances data. Just a headache for them when this happens.

All users are affected by the authentication problems as best I can tell (Not all users are on Windows systems. Most never have a need to be).

All Windows clients are joined to the domain and all users authenticate through AD. Currently, wbinfo -u is yielding no output and wbinfo -t returns
"checking the trust secret for domain OBCHURCH via RPC calls succeeded".

As for the domain, I have two DCs, both of which are Windows Server 2016.

I will send you the debug file.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
If you untar / unzip the debug tarball, you can look under "ixdiagnose/log/samba4" and open "log.wb-OBCHURCH", you will see entries like this:
Code:
[2017/02/07 13:42:21.218356,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]

This means that there is too much time difference between your DCs, your FreeNAS server, and/or your client computer. Make sure that all systems are pointed at the same authoritative time source (or manually set their clocks so that they are the same), and everything should be good.
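
The log check described in the post above, generalized into a scanner for a whole winbind log (an added example, not part of the original post and not FreeNAS or Samba code). The function names and the second sample record are constructed for illustration; the first record is the one quoted in the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Samba record header: "[YYYY/MM/DD HH:MM:SS.ffffff,  level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(?P<level>\d+)[^\]]*\]"
    r"\s+\S+?:\d+\((?P<func>[^)]*)\)"
)
SKEW = "Clock skew too great"  # Kerberos error text exactly as quoted in the thread

def parse_records(text):
    """Group log text into records: a header line plus its indented message lines."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({"time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                            "level": int(m["level"]), "func": m["func"], "message": ""})
        elif records and raw.strip():
            # Continuation line: append to the most recent record's message.
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + raw.strip()).strip()
    return records

def clock_skew_events(text):
    """Records whose message carries the Kerberos clock-skew failure."""
    return [r for r in parse_records(text) if SKEW in r["message"]]

def summarize(events):
    """Totals plus per-hour counts; a sustained run points at drift, not a blip."""
    times = [e["time"] for e in events]
    per_hour = Counter(t.strftime("%Y-%m-%d %H:00") for t in times)
    return {"total": len(times), "first": min(times, default=None),
            "last": max(times, default=None), "per_hour": dict(per_hour)}

# Constructed sample: the first record is the one quoted in the thread, the second
# is a made-up unrelated record, the third repeats the failure at a later time.
SAMPLE_LOG = """\
[2017/02/07 13:42:21.218356,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
[2017/02/07 13:50:02.000000,  1] constructed/example.c:1(constructed_unrelated)
  constructed message that is not an authentication failure
[2017/02/07 14:05:10.000000,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Clock skew too great]
"""

if __name__ == "__main__":
    report = summarize(clock_skew_events(SAMPLE_LOG))
    print(report["total"], "clock-skew failures between", report["first"], "and", report["last"])
    for hour, count in sorted(report["per_hour"].items()):
        print(f"  {hour}  {count}")
```

To use it on a real system, pass the contents of the winbind log from the debug tarball to `clock_skew_events` instead of `SAMPLE_LOG`. Kerberos in Active Directory tolerates five minutes of clock difference by default, so any hit means the server's clock had drifted past that.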
 

Caleb Surface

Dabbler
Joined
May 11, 2016
Messages
16
Okay, yeah. The FreeNAS server was quite a bit off. It's weird because the only NTP server I have set in it is my primary DC. I got the time manually updated and it's working now. Any thoughts on why it won't keep itself in sync with the set NTP server?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
It might be that the time offset was too great. It also might be a windows NTP server configuration issue. Check to see if it starts working once the offset is fixed.

I've periodically kicked around the idea of using a raspberry pi with a GPS module as a stratum-1 time server for my network. You could always do that :D
 