Static IP breaks Directory Services

Status
Not open for further replies.

jason56k

Cadet
Joined
Apr 4, 2014
Messages
7
I have a new FreeNAS Mini and I have had the worst time trying to get Directory Services to work. I ended up setting it to factory defaults and then upgrading to 9.2.1.3 to finally get it working! However, if I set a static IP up on the box then directory services doesn't work anymore. Directory Services still doesn't work when I put it back to DHCP. I did set a default gateway and nameservers but still no luck. I also ensured there was an A Record in the domain and I am able to ping the domain from the FreeNAS and ping the FreeNAS by name from domain computers. I am a BSD and FreeNAS noob using this box to teach myself and I'm realizing I might have bitten off a little too much.

When I try to start directory services here is the output I get:

Apr 7 16:33:42 IT00495 ActiveDirectory: /usr/sbin/service ix-kerberos quietstart
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: krbhost=, kpwdhost=, domainname=DOMAIN.LOCAL
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: verify_krb5_conf:
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: /realms/DOMAIN.LOCAL/kdc:
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: hostname
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: nor
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: servname
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: provided,
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: or
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: not
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: known
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: ()
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: verify_krb5_conf:
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: /realms/DOMAIN.LOCAL/admin_server:
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: hostname
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: nor
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: servname
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: provided,
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: or
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: not
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: known
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: ()
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: verify_krb5_conf:
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: /realms/DOMAIN.LOCAL/kpasswd_server:
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: hostname
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: nor
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: servname
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: provided,
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: or
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: not
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: known
Apr 7 16:33:42 IT00495 ix-kerberos: generate_krb5_conf: ()
Apr 7 16:12:48 IT00495 ActiveDirectory: /usr/sbin/service ix-nsswitch quietstart
Apr 7 16:12:48 IT00495 ActiveDirectory: /usr/sbin/service ix-pam quietstart
Apr 7 16:12:49 IT00495 ActiveDirectory: /usr/sbin/service ix-kinit quietstart
Apr 7 16:13:00 IT00495 ActiveDirectory: /usr/sbin/service ix-kinit status
Apr 7 16:13:05 IT00495 ActiveDirectory: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py stop cifs
Apr 7 16:13:08 IT00495 notifier: winbindd not running? (check /var/run/samba/winbindd.pid).
Apr 7 16:13:08 IT00495 notifier: smbd not running? (check /var/run/samba/smbd.pid).
Apr 7 16:13:08 IT00495 notifier: nmbd not running? (check /var/run/samba/nmbd.pid).
Apr 7 16:13:08 IT00495 ActiveDirectory: /usr/sbin/service ix-kerberos quietstop
Apr 7 16:13:08 IT00495 ActiveDirectory: /usr/sbin/service ix-nsswitch quietstop
Apr 7 16:13:08 IT00495 ActiveDirectory: /usr/sbin/service ix-pam quietstop
Apr 7 16:13:09 IT00495 ActiveDirectory: /usr/sbin/service ix-kinit forcestop
Apr 7 16:13:09 IT00495 ActiveDirectory: /usr/sbin/service ix-activedirectory forcestop
Apr 7 16:13:10 IT00495 ActiveDirectory: /usr/sbin/service ix-cache quietstop &
Apr 7 16:13:11 IT00495 ActiveDirectory: /usr/sbin/service samba_server forcestop
Apr 7 16:13:11 IT00495 ActiveDirectory: /usr/sbin/service ix-samba start
Apr 7 16:13:13 IT00495 generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/pdbedit -d 0 -i smbpasswd:/tmp/tmp2M7oE2 -e tdbsam:/var/etc/private/passdb.tdb -s /usr/local/etc/smb4.conf
 

jason56k

Cadet
Joined
Apr 4, 2014
Messages
7
So after some reading it appears krb5.conf isn't being generated correctly (or something). I used VI and saw the following under [realms]

DOMAIN.LOCAL = {
kdc = :88
admin_server = :88
default_domain = domain.local
kpasswd_server = :88

Now I'm not sure what the deal is with that so I used vi and replaced :88 with the hostname to one of my domain controllers. When I went to start directory services I got the same output in my original post. So I checked /etc/krb5.conf and the changes I made were reverted back to :88. My domain controllers all have hyphens in their names if it matters. Anyone have a clue?
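Added example, not part of the original post and not FreeNAS code: a small check for the condition shown above, where the server entries under [realms] carry a port but no host (matching the empty krbhost= and kpwdhost= values in the first post's log). The function name and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample mirroring the [realms] stanza quoted in the post above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.LOCAL

[realms]
    DOMAIN.LOCAL = {
        kdc = :88
        admin_server = :88
        default_domain = domain.local
        kpasswd_server = :88
    }
"""

# Realm keys whose value must name a host (optionally followed by :port).
SERVER_KEYS = {"kdc", "admin_server", "kpasswd_server", "master_kdc"}


def find_empty_realm_hosts(conf_text):
    """Return (realm, key, value) for server entries whose host part is empty."""
    problems = []
    section = realm = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                               # new top-level section
            section, realm = header.group(1), None
            continue
        if section != "realms":
            continue
        if line == "}":                          # end of a realm block
            realm = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                         # "REALM = {" opens a block
            realm = key
        elif realm and key in SERVER_KEYS:
            # Bracketed IPv6 literals keep their colons; otherwise cut at the port.
            host = value.split("]")[0].lstrip("[") if value.startswith("[") \
                else value.split(":", 1)[0]
            if not host.strip():
                problems.append((realm, key, value))
    return problems


if __name__ == "__main__":
    for realm, key, value in find_empty_realm_hosts(SAMPLE_KRB5_CONF):
        print(f"{realm}: {key} has no host (value {value!r})")
```

Running it against the real file after each configuration change shows whether the generated krb5.conf still has blank hosts, without needing to start Directory Services first.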
 

jason56k

Cadet
Joined
Apr 4, 2014
Messages
7
I manually set my servers in the Directory Services GUI and now it shows correctly in the krb5.conf file. However I still can't start Directory Services and I get the following:

Apr 7 16:12:48 IT00495 ActiveDirectory: /usr/sbin/service ix-nsswitch quietstart
Apr 7 16:12:48 IT00495 ActiveDirectory: /usr/sbin/service ix-pam quietstart
Apr 7 16:12:49 IT00495 ActiveDirectory: /usr/sbin/service ix-kinit quietstart
Apr 7 16:13:00 IT00495 ActiveDirectory: /usr/sbin/service ix-kinit status
Apr 7 16:13:05 IT00495 ActiveDirectory: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py stop cifs
Apr 7 16:13:08 IT00495 notifier: winbindd not running? (check /var/run/samba/winbindd.pid).
Apr 7 16:13:08 IT00495 notifier: smbd not running? (check /var/run/samba/smbd.pid).
Apr 7 16:13:08 IT00495 notifier: nmbd not running? (check /var/run/samba/nmbd.pid).
Apr 7 16:13:08 IT00495 ActiveDirectory: /usr/sbin/service ix-kerberos quietstop
Apr 7 16:13:08 IT00495 ActiveDirectory: /usr/sbin/service ix-nsswitch quietstop
Apr 7 16:13:08 IT00495 ActiveDirectory: /usr/sbin/service ix-pam quietstop
Apr 7 16:13:09 IT00495 ActiveDirectory: /usr/sbin/service ix-kinit forcestop
Apr 7 16:13:09 IT00495 ActiveDirectory: /usr/sbin/service ix-activedirectory forcestop
Apr 7 16:13:10 IT00495 ActiveDirectory: /usr/sbin/service ix-cache quietstop &
Apr 7 16:13:11 IT00495 ActiveDirectory: /usr/sbin/service samba_server forcestop
Apr 7 16:13:11 IT00495 ActiveDirectory: /usr/sbin/service ix-samba start
Apr 7 16:13:13 IT00495 generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/pdbedit -d 0 -i smbpasswd:/tmp/tmp2M7oE2 -e tdbsam:/var/etc/private/passdb.tdb -s /usr/local/etc/smb4.conf
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yeah.. editing the files yourself won't work well (as you have seen). FreeNAS generates its own files, so your edits get trashed immediately.

Firstly, this screams of user error to me. I'd go back and check and make sure all of your network settings are filled out and correct. 9 times out of 10 problems like what you are explaining are because your DHCP gave the right settings but when you set up static settings you didn't complete every field properly. Usually I recommend to people that you set a static IP reservation on your server and let the server run in DHCP mode. Then there's no user error from trying to set up static over DHCP in FreeNAS. Also, if something happens and you suddenly need to use the box elsewhere, it's already in DHCP mode so it'll grab an IP on any network you connect it to. Your server may be rack mounted and not likely to end up in your living room, but there's always that chance that it might end up in your living room while you troubleshoot the issue or something. And setting a static IP will add more steps to getting access to the box.

Second, I'd try 9.2.1.4-beta. I don't think there's a bug complaining about your exact issue, but 9.2.1.4 is supposed to be the final fixed up of "what 9.2.1 should have been". Of course, when 9.2.1 came out we didn't know how bad 9.2.1.x would be. But 9.2.1.x has been a real problem because of all of the Samba4 changes and people needing to adjust to it.
 
dlavigne

Guest
Adding to cyberjock's advice, if the issue persists, create a bug report at bugs.freenas.org and post the issue number here.
 

jason56k

Cadet
Joined
Apr 4, 2014
Messages
7
I am new to FreeNAS and BSD so I figured it was user error as well. However, this is a brand new box that I set to factory defaults and successfully got Directory Services working. I then set a static IP and it broke. So I changed it back to DHCP and it's still broke. No other changes have been made. Is there anything I need to set networking-wise besides IP, SM, Default Route, Name Servers?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
That depends on your network configuration, so I can't really answer your question. But that's all I have at home.

But, what you just posted makes it sound like the problem isn't with your network config if it's broke on DHCP and static IP. At this point you are conflicting with yourself since your first post said that switching from DHCP to static IP is what broke it. So I'd say you need to actually find out what the limitation is so we can start helping you with the *real* problem.
 

jason56k

Cadet
Joined
Apr 4, 2014
Messages
7
Cyberjock

Brand new out of the box I set it up with static IP with no luck. I restored to factory defaults and upgraded to 9.2.1.3 and directory services worked with DHCP. I then changed it to a static IP and directory services stopped working. Figuring it was something with the static IP, I changed it back to DHCP where it still doesn't work.

Here's the kicker. I just got it working with both static and DHCP and I don't know how (or for how long). All I did was add a static route (which is a duplicate of the default gateway set in Global Configurations). It didn't work immediately but I spent about 15 minutes researching and when I went back to FreeNAS to try something it was magically working. This is a real head scratcher. While I am new to BSD and FreeNAS I have years of experience with networking and the Windows side of things. There really isn't that much difference between a static IP and DHCP. I'm not sure what the deal is.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Typically, when directory services don't work right it's an admin error. Usually they set up weird security policies or enable features not supported by FreeNAS' directory service implementation. Unfortunately I can't really provide much more advice because your domain admin should be able to run tests and, using the output from the logs, determine what isn't working. One person a month or two ago found out that he had enabled a feature that had blocked FreeNAS. It took him like 18 months to figure it out because his domain admin was... we'll say "less than clueless".

Sorry, but this is where I get off the train. I don't have any more recommendations except to examine the logs and the manual to see what isn't working or isn't compatible. :(
 

mauirixxx

Explorer
Joined
Oct 2, 2013
Messages
60
I have a serious suggestion:

Test it out in a VM before you do anything with your production AD servers. FreeNAS runs just fine in a VM *for testing purposes only*, and you can snag 180 day trials of Windows Server 2012 (and 2008, and their R2 variants). I run ESXi in production, but for testing VirtualBox works just dandy. If you can repro your issues above, file a bug report.

To help, I'm setting up a Server 2008 (non-R2, because that happened to be the ISO I had handy) and FreeNAS v9.2.1.4 beta, with FreeNAS hooked into AD, using Windows based file permissions, to see if I can repro your issue. Will keep you posted, if you're still interested.
 