[SOLVED] - Active Directory Missing Username and Password fields after joining failure TrueNAS-SCALE-23.10.2

m3ki

Contributor
Joined
Jun 20, 2016
Messages
118
Hi All,
I am hoping someone could guide me in the right direction.

After entering the wrong credentials to join Active Directory, the username and password fields seem to be gone from the UI and I am unable to rejoin the AD.

What I've done:
  1. Tried joining AD and input the wrong credentials.
  2. After the failure (unfortunately I don't remember what the error was), I deleted the REALM and KEYTAB.
  3. When enabling AD there is no username and password field, so I am unable to rejoin the AD.

The manual does say that if you leave the domain or if the DC is gone you have to clean up the configuration manually; however, there are no steps to do so.

Screenshot of the screen:
1710121347108.png


Advanced page:
1710121385167.png


Any help would be greatly appreciated.
This is on TrueNAS-SCALE-23.10.2
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It looks like your AD form is still referencing the kerberos principal that you deleted. Try running the following command from the shell:

Code:
midclt call activedirectory.update '{"kerberos_principal": ""}'

This should clear out the stale kerberos principal and allow you to try to rejoin AD.
 

m3ki

Thanks for the reply!
I am getting the following error:

Code:

# midclt call activedirectory.update '{"kerberos_principal": ""}'
'bindpw'
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 201, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1342, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/service/config_service.py", line 83, in update
    rv = await self.middleware._call(
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1342, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 44, in nf
    res = await f(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 177, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 589, in do_update
    elif not new['enable'] and new['bindpw']:
                               ~~~^^^^^^^^^^
KeyError: 'bindpw'
 

anodos

Okay. That was an issue fixed for DragonFish, but not in Cobia.

Code:
midclt call activedirectory.update '{"domainame": "", "bindpw": "", "kerberos_principal": ""}'
 

m3ki

Alright, getting somewhere I think.

Getting this error now:

Code:
midclt call activedirectory.update '{"domainame": "", "bindpw": "", "kerberos_principal": ""}'
[EINVAL] activedirectory_update.domainame: Field was not expected
 

m3ki

Nevermind, just realised it's domainname (2 NN)

Code:
 midclt call activedirectory.update '{"domainname": "", "bindpw": "", "kerberos_principal": ""}'
{"id": 1, "domainname": "", "bindname": "administrator", "verbose_logging": false, "allow_trusted_doms": false, "use_default_domain": false, "allow_dns_updates": true, "disable_freenas_cache": false, "restrict_pam": false, "site": "", "timeout": 60, "dns_timeout": 10, "nss_info": null, "enable": false, "kerberos_principal": "", "createcomputer": "", "kerberos_realm": null, "netbiosname": "--", "netbiosalias": [], "job_id": null}
 

m3ki

Ok so that worked and I was able to enter the credentials.
However, I believe this was the error I got initially when joining the domain:
I had no trouble joining domains on other machines at another location.
Do you think you could point me in the right direction?
Code:
[EFAULT] kinit with principal [MACHINE$@DOMAIN.NET] failed: Using specified cache: /var/run/middleware/krb5cc_0 Using principal: MACHINE$@DOMAIN.NET kinit: Preauthentication failed while getting initial credentials


Code:
Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 427, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 465, in __run_body
    rv = await self.method(*([self] + args))
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 857, in start
    await self.middleware.call('kerberos.do_kinit', {
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1399, in call
    return await self._call(
           ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1342, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 177, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/kerberos.py", line 472, in do_kinit
    raise CallError(f"kinit with principal [{creds['kerberos_principal']}] "
middlewared.service_exception.CallError: [EFAULT] kinit with principal [MACHINE$@DOMAIN.NET] failed: Using specified cache: /var/run/middleware/krb5cc_0
Using principal: MACHINE$@DOMAINNET
kinit: Preauthentication failed while getting initial credentials

 
 

anodos

Looks like kerberos library error. Check time and DNS.
 

m3ki

So odd! It worked!
AD status showed as "FAULTED"; all I had to do is to disable and reenable and it's now HEALTHY!

So to whoever has the same issue on TrueNAS-SCALE-23.10.2

Here is what I did to rejoin the domain:
  1. Leave the domain if you can (since my joining the domain was "FAULTED" there was no LEAVE button).
  2. Delete the Kerberos realm and Kerberos keytab in the GUI.
  3. Run this script to clear out the domain, pw and the principal via CLI:
    Code:
    midclt call activedirectory.update '{"domainname": "", "bindpw": "", "kerberos_principal": ""}'
  4. In my case rejoining faulted, so I had to disable and reenable AD via the GUI.

After that you should be able to see username and password fields again to rejoin.

Please mark this thread as solved.

thanks @anodos
 

anodos

You should review /var/log/middlewared.log to see why it got marked as faulted in case there is some outstanding issue with server configuration (such as an invalid nameserver).
 

m3ki

I am not really seeing what it could possibly be
Here is the last of my log:
Code:
[2024/03/11 12:32:20] (WARNING) DirectoryServices.get_state():176 - ACTIVEDIRECTORY: setting service to DISABLED due to invalid config
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/plugins/directoryservices.py", line 166, in get_state
    return await self.middleware.call(f'{svc}.get', 'DS_STATE')
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1399, in call
    return await self._call(
           ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1353, in _call
    return await self.run_in_executor(prepared_call.executor, methodobj, *prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1251, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 181, in nf
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/cache.py", line 217, in get
    self.get_timeout(key)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/cache.py", line 257, in get_timeout
    raise KeyError(f'{key} has expired')
KeyError: 'DS_STATE has expired'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/health.py", line 174, in started
    verrors.check()
  File "/usr/lib/python3/dist-packages/middlewared/service_exception.py", line 70, in check
    raise self
middlewared.service_exception.ValidationErrors: [EINVAL] activedirectory_update.bindname: Bind credentials or kerberos keytab are required to join an AD domain.


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/plugins/directoryservices.py", line 171, in get_state
    res = await self.middleware.call(f'{srv.value}.started')
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1399, in call
    return await self._call(
           ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1342, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 177, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/health.py", line 177, in started
    raise CallError('Automatically disabling ActiveDirectory service due to invalid configuration',
middlewared.service_exception.CallError: [EINVAL] Automatically disabling ActiveDirectory service due to invalid configuration
[2024/03/11 12:32:21] (DEBUG) ActiveDirectoryService.start():804 - Updating SMB workgroup to DOMAIN_NAME
[2024/03/11 12:32:22] (DEBUG) ActiveDirectoryService.start():820 - Test join to DOMAIN_NAME.NET failed. Performing domain join.
[2024/03/11 12:32:23] (ERROR) middlewared.job.run():440 - Job <bound method ActiveDirectoryService.start of <middlewared.plugins.activedirectory.ActiveDirectoryService object at 0x7f4ac6667490>> failed: CallError('kinit with principal [HOST_NAME$@DOMAIN_NAME.NET] failed: Using specified cache: /var/run/middleware/krb5cc_0\nUsing principal: HOST_NAME$@DOMAIN_NAME.NET\nkinit: Preauthentication failed while getting initial credentials\n')
[2024/03/11 12:42:27] (DEBUG) EtcService.generate():433 - No new changes for /etc/avahi/avahi-daemon.conf
[2024/03/11 12:42:29] (DEBUG) EtcService.generate():433 - No new changes for /etc/pam.d/common-account
[2024/03/11 12:42:29] (DEBUG) EtcService.generate():433 - No new changes for /etc/pam.d/common-auth
[2024/03/11 12:42:29] (DEBUG) EtcService.generate():433 - No new changes for /etc/pam.d/common-password
[2024/03/11 12:42:29] (DEBUG) EtcService.generate():433 - No new changes for /etc/pam.d/common-session-noninteractive
[2024/03/11 12:42:29] (DEBUG) EtcService.generate():433 - No new changes for /etc/pam.d/common-session
[2024/03/11 12:42:29] (DEBUG) EtcService.generate():433 - No new changes for /etc/security/pam_winbind.conf
[2024/03/11 12:42:29] (ERROR) ServiceService.stop():252 - Service 'dscache' running after stop
[2024/03/11 12:42:29] (DEBUG) EtcService.generate():433 - No new changes for /etc/smb4.conf
[2024/03/11 12:42:29] (DEBUG) EtcService.generate():433 - No new changes for /etc/avahi/avahi-daemon.conf
[2024/03/11 12:42:38] (DEBUG) EtcService.generate():433 - No new changes for /etc/security/pam_winbind.conf
[2024/03/11 12:42:39] (DEBUG) EtcService.generate():433 - No new changes for /etc/nfs.conf.d/local.conf
[2024/03/11 12:42:39] (DEBUG) EtcService.generate():433 - No new changes for /etc/default/rpcbind
[2024/03/11 12:42:39] (DEBUG) EtcService.generate():433 - No new changes for /etc/idmapd.conf
[2024/03/11 12:42:39] (DEBUG) EtcService.generate():433 - No new changes for /etc/exports
[2024/03/11 12:42:41] (DEBUG) EtcService.generate():433 - No new changes for /etc/pam.d/sshd
[2024/03/11 12:53:08] (DEBUG) EtcService.generate():433 - No new changes for /etc/hosts
[2024/03/11 12:53:08] (DEBUG) EtcService.generate():433 - No new changes for /etc/nscd.conf
[2024/03/11 12:53:09] (DEBUG) EtcService.generate():433 - No new changes for /etc/avahi/avahi-daemon.conf


The only thing I could think of is that I had 3 DNS servers listed in my network options
DC01, DC02, and a backup one which is a pihole.
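
A triage pass over /var/log/middlewared.log of the kind suggested above, as an added example that is not part of the thread or of TrueNAS itself: it keeps only WARNING and ERROR records and pulls the final exception line out of each chained traceback. The sample log is abridged from the excerpt in this post; the function names and the hint table are assumptions of this example.

```python
import re

# Header of one middlewared.log record:
# [YYYY/MM/DD HH:MM:SS] (LEVEL) Class.method():line - message
ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\] "
    r"\((?P<level>[A-Z]+)\) (?P<source>\S+) - (?P<msg>.*)$"
)

# Substring -> note (assumed table). The first note repeats the advice given
# in the thread; the second restates the validation message itself.
HINTS = {
    "Preauthentication failed": "kinit failed: check time and DNS",
    "Bind credentials or kerberos keytab are required":
        "AD config holds neither bind credentials nor a keytab",
}

# Abridged sample built from the log excerpt in the thread (placeholders kept).
SAMPLE_LOG = r"""[2024/03/11 12:32:20] (WARNING) DirectoryServices.get_state():176 - ACTIVEDIRECTORY: setting service to DISABLED due to invalid config
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/plugins/cache.py", line 257, in get_timeout
    raise KeyError(f'{key} has expired')
KeyError: 'DS_STATE has expired'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/service_exception.py", line 70, in check
    raise self
middlewared.service_exception.ValidationErrors: [EINVAL] activedirectory_update.bindname: Bind credentials or kerberos keytab are required to join an AD domain.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/health.py", line 177, in started
    raise CallError('Automatically disabling ActiveDirectory service due to invalid configuration',
middlewared.service_exception.CallError: [EINVAL] Automatically disabling ActiveDirectory service due to invalid configuration
[2024/03/11 12:32:22] (DEBUG) ActiveDirectoryService.start():820 - Test join to DOMAIN_NAME.NET failed. Performing domain join.
[2024/03/11 12:32:23] (ERROR) middlewared.job.run():440 - Job <bound method ActiveDirectoryService.start of ...> failed: CallError('kinit with principal [HOST_NAME$@DOMAIN_NAME.NET] failed: ...\nkinit: Preauthentication failed while getting initial credentials\n')
"""


def parse_entries(text):
    """Split the log into records and attach each traceback's final line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "exceptions": []})
        elif entries and line and not line[0].isspace():
            # Unindented continuation lines are either traceback framing
            # or the "ExceptionType: message" line that ends a traceback.
            if line.startswith(("Traceback ", "During handling")):
                continue
            entries[-1]["exceptions"].append(line)
    return entries


def triage(text, levels=("WARNING", "ERROR")):
    """Return only the records worth reading first."""
    return [e for e in parse_entries(text) if e["level"] in levels]


def hints_for(entry):
    """Match the record's message and exception lines against HINTS."""
    blob = entry["msg"] + "\n" + "\n".join(entry["exceptions"])
    return [hint for needle, hint in HINTS.items() if needle in blob]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["ts"], e["level"], e["source"])
        for exc in e["exceptions"]:
            print("    raised:", exc)
        for hint in hints_for(e):
            print("    hint:", hint)
```
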
 

anodos

Is pihole able to resolve requests for SRV records for your domain? Generally non-AD nameservers are a potential source of failure.
 

m3ki

Actually it does :)

Maybe it's an error from earlier, something got cached?

10.10.10.10 -- DC01
10.10.10.11 -- DC02
10.10.10.21 -- pihole


Code:
root@host[~]# nslookup -type=SRV _ldap._tcp.domain_name.net 10.10.10.22
Server:        10.10.10.22
Address:    10.10.10.22#53

_ldap._tcp.domain_name.net    service = 0 100 389 dc02.domain_name.net.
_ldap._tcp.domain_name.net    service = 0 100 389 dc01.domain_name.net.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Does the pihole DNS server use the DCs as forwarders and is it configured with forward-only option either globally or for your domain? Or does it have your domain as a secondary zone? One of the two must be true. In a Windows domain all recursive DNS servers used by clients must be authoritative for the domain or transparently forward to an authoritative server. You must not have inconsistent DNS ever.
 

m3ki

So in my environment all clients are issued pihole DNS servers.
Piholes forward anything for my local domain to DCs for local queries.
Otherwise all queries go to 1.1.1.1 etc...

In case of freenas I just set it up to go directly to DC1, DC2, and Pihole 3 as a backup.
 

Patrick M. Hausen

That looks ok. AD breaks if clients use a recursive DNS server that will search for "yourdomain.com" on the Internet. As long as every request ends at one of the DCs you are fine.

Still with your particular occurrence of that failure it might be worthwhile to investigate if that condition actually applies to your Pihole 3.
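
The DNS condition discussed in this thread can be checked per nameserver. The following is an added example, not part of the thread: it parses `nslookup -type=SRV` output collected from each configured resolver and flags any resolver whose `_ldap._tcp` answer does not end at the domain controllers. The domain `example.test`, the 192.0.2.x addresses, the sample outputs and all function names are constructed for illustration.

```python
import re
import subprocess

# One SRV answer line as printed by nslookup, e.g.
# "_ldap._tcp.example.test    service = 0 100 389 dc01.example.test."
SRV_LINE = re.compile(
    r"^\S+\s+service\s*=\s*\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

DOMAIN_CONTROLLERS = {"dc01.example.test", "dc02.example.test"}  # constructed

# Constructed nslookup outputs, one per nameserver configured on the NAS.
SAMPLE_OUTPUTS = {
    "192.0.2.10": """Server:         192.0.2.10
Address:        192.0.2.10#53

_ldap._tcp.example.test    service = 0 100 389 dc02.example.test.
_ldap._tcp.example.test    service = 0 100 389 dc01.example.test.
""",
    "192.0.2.21": """Server:         192.0.2.21
Address:        192.0.2.21#53

_ldap._tcp.example.test    service = 0 100 389 dc01.example.test.
""",
    "192.0.2.53": """Server:         192.0.2.53
Address:        192.0.2.53#53

** server can't find _ldap._tcp.example.test: NXDOMAIN
""",
    "192.0.2.54": """Server:         192.0.2.54
Address:        192.0.2.54#53

_ldap._tcp.example.test    service = 0 100 389 ldap.hosting.invalid.
""",
}


def parse_srv_targets(nslookup_output):
    """Return the set of SRV target host names found in nslookup output."""
    targets = set()
    for line in nslookup_output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            targets.add(m["target"].rstrip(".").lower())
    return targets


def classify(targets, domain_controllers):
    """Compare one resolver's SRV targets with the known DC host names."""
    dcs = {d.rstrip(".").lower() for d in domain_controllers}
    if not targets:
        return "NO_SRV"          # resolver does not know the AD zone at all
    if targets - dcs:
        return "FOREIGN_TARGET"  # answer points somewhere other than a DC
    if dcs - targets:
        return "INCOMPLETE"      # some DCs missing from the answer
    return "OK"


def audit(outputs, domain_controllers):
    """Map each resolver IP to its classification."""
    return {ip: classify(parse_srv_targets(text), domain_controllers)
            for ip, text in outputs.items()}


def query(resolver, domain):
    """Live lookup with the nslookup invocation used in the thread."""
    cmd = ["nslookup", "-type=SRV", f"_ldap._tcp.{domain}", resolver]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout


if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_OUTPUTS, DOMAIN_CONTROLLERS).items():
        print(f"{ip:<12} {verdict}")
```

Any resolver that is not reported as `OK` is a candidate for removal from the NAS nameserver list, or for a forwarding fix on that resolver.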
 