- Joined
- Mar 6, 2014
- Messages
- 9,553
Some quick checks you can do to see where things are breaking down are as follows:Had the exact same issue, attempted TheUsD's process and didn't work for me with the same error.
I loaded 12.0-u1 and was able to join then updated to 12.0-u2 and all the reports are healthy but I am trying to now diagnose an issue where I can't assign AD users and groups into the ACLs. I didn't test on u1 (d'oh) before jumping ahead.
1.
wbinfo -t
- verify trust relationship with DCif this succeeds:
2.
wbinfo -u
- verify that winbindd can enumerate users in ADif this succeeds:
3.
getent passwd
- verify that your AD users and groups have proper passwd entriesIf (3) fails, but (1)-(2) succeed, then you probably have an issue with idmap configuration or nsswitch configuration. /etc/nsswitch.conf should have `winbind` present in it. If it doesn't, then run command
midclt call etc.generate nss
.If (1) or (2) fail, then either winbindd is not running, samba is misconfigured, our time offset from KDC is too great, or our trust password is bad.
If (1)-(3) succeed, but you're getting errors setting an ACL with a user/group visible in "getent passwd" or "getent group" output, then there's a chance that the webui is passing invalid values to the setacl API. You can run the command
midclt call core.get_jobs|jq
to view the parameters being passed to the filesystem.setacl API.