[TrueNAS 12.0-U2] - Impossible to join AD domain?

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Sorry for being unclear about the applied process, but YES, that's the one I used. After I used that it looks like this (with the domain I left as xxx.yyy.com ??):

It's not asking for USER and PW of the domain and it remembers the domain I left... When I mark enable I get the errors as stated in the previous post.
Might be failing to kinit because of lack of Kerberos config. Lack of ability to get onto AD to cleanly leave. Clear form fields, remove Kerberos realm and principal, and "rm /var/db/system/samba4/private/secrets.tdb".
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
Thank you...
With Kerberos realm you mean the old xx.yy.com?
I do not know how to remove them, I am afraid. Can this be done through kadmin?

kadmin delete_principal -force xxx.yyy.COM

Kerberos realm and principal?
Form fields?

Can you point me to a place where I can educate myself on these issues?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Thank you...
With Kerberos realm you mean the old xx.yy.com?
I do not know how to remove them, I am afraid. Can this be done through kadmin?

kadmin delete_principal -force xxx.yyy.COM

Kerberos realm and principal?
Form fields?

Can you point me to a place where I can educate myself on these issues?
There is a form for kerberos realms. You can delete them.
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
There is a form for kerberos realms. You can delete them.
Thanks again ....

I am afraid it does not help me, as I do not know where to find them and how to access them. I have never worked with Kerberos-related issues on anything other than Windows Server, so I lack the basic knowledge.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Thanks again ....

I am afraid it does not help me, as I do not know where to find them and how to access them. I have never worked with Kerberos-related issues on anything other than Windows Server, so I lack the basic knowledge.
On the left panel of the webui for TrueNAS there is a button for Directory Services. If you click on it, you can expand and see a button for Kerberos realms and Kerberos principals. If you have entries there, delete them.
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
Thank you for your patience... Sorry, I did not understand that that was what you meant. Realms, Keytabs and Settings are empty. I will try to remove /var/db/system/samba4/private/secrets.tdb as per your suggestion. (Please note that I have both Linux (Mint) and several W10 machines connected to the ADC without problems.)

If it is not successful, perhaps it is easiest to reinstall fresh and upload a settings backup + import the Jails.

Did not help (see attached)
Perhaps it is easiest to make a fresh install and upload a config backup plus export/import the Jails...

Error: Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/activedirectory.py", line 769, in validate_credentials
self.middleware.call_sync('kerberos.do_kinit', data)
File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1254, in call_sync
return self.run_coroutine(methodobj(*prepared_call.args))
File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1294, in run_coroutine
return fut.result()
File "/usr/local/lib/python3.8/concurrent/futures/_base.py", line 432, in result
return self.__get_result()
File "/usr/local/lib/python3.8/concurrent/futures/_base.py", line 388, in __get_result
raise self._exception
File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/kerberos.py", line 269, in do_kinit
raise CallError(f"kinit for domain [{data['domainname']}] "
middlewared.service_exception.CallError: [EFAULT] kinit for domain [XXX.YYY.COM] with principal [OB-NAS-MAIN$@XXX.YYY.COM] failed: kinit: krb5_get_init_creds: Already tried ENC-TS-info, looping


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/activedirectory.py", line 520, in do_update
await self.middleware.run_in_thread(self.validate_credentials, new)
File "/usr/local/lib/python3.8/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
File "/usr/local/lib/python3.8/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/activedirectory.py", line 771, in validate_credentials
realm = self.middleware.call_sync(
File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1254, in call_sync
return self.run_coroutine(methodobj(*prepared_call.args))
File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1294, in run_coroutine
return fut.result()
File "/usr/local/lib/python3.8/concurrent/futures/_base.py", line 432, in result
return self.__get_result()
File "/usr/local/lib/python3.8/concurrent/futures/_base.py", line 388, in __get_result
raise self._exception
File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 973, in nf
return await f(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/middlewared/service.py", line 445, in query
return await self.middleware.run_in_thread(
File "/usr/local/lib/python3.8/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
File "/usr/local/lib/python3.8/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/local/lib/python3.8/site-packages/middlewared/utils/__init__.py", line 203, in filter_list
raise MatchNotFound()
middlewared.service_exception.MatchNotFound

During handling of the above exception, another exception occurred:

Traceback (most recent call last):

File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 137, in call_method
result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self,
File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
return await methodobj(*prepared_call.args)
File "/usr/local/lib/python3.8/site-packages/middlewared/service.py", line 356, in update
rv = await self.middleware._call(
File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
return await methodobj(*prepared_call.args)
File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 973, in nf
return await f(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/activedirectory.py", line 522, in do_update
raise ValidationError(

middlewared.service_exception.ValidationError: [EFAULT] activedirectory_update.bindpw: Failed to validate bind credentials:
 

ColbySilver

Cadet
Joined
Aug 29, 2019
Messages
5
Sorry for being unclear about the applied process, but YES, that's the one I used. After I used that it looks like this (with the domain I left as xxx.yyy.com ??):

It's not asking for USER and PW of the domain and it remembers the domain I left... When I mark enable I get the errors as stated in the previous post.

I was able to get the Domain Account and Password fields to re-appear. I did a few things, not sure which helped...

1) Set the Domain Name to TMP and removed the Enable check mark.
2) "EDIT IDMAP" - erased the value in the DNS Domain Name (this also cleared the IDMAP cache as per pop-up).
3) Changed the Kerberos Realm entry to be TMP.

After above I was able to re-join AD successfully. I reviewed the Kerberos Realm list and removed the TMP entry as a new entry for my domain was created.

You could try each step above independently to see which ones are actually necessary.

Good luck!
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
I was able to get the Domain Account and Password fields to re-appear. I did a few things, not sure which helped...

1) Set the Domain Name to TMP and removed the Enable check mark.
2) "EDIT IDMAP" - erased the value in the DNS Domain Name (this also cleared the IDMAP cache as per pop-up).
3) Changed the Kerberos Realm entry to be TMP.

After above I was able to re-join AD successfully. I reviewed the Kerberos Realm list and removed the TMP entry as a new entry for my domain was created.

You could try each step above independently to see which ones are actually necessary.

Good luck!

THANK YOU.. no, it did not help... Not able to get the Domain Account and PW to re-appear...
Not sure I understand the reasoning ....

  1. Why set the Domain Name to TMP?
  2. This I was able to do, but it had no effect.
  3. Where did you do this? Under the Kerberos Realms button under the Active Directory button? On the far left?
Please explain in a little more detail if you can...
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
THANK YOU.. no, it did not help... Not able to get the Domain Account and PW to re-appear...
Not sure I understand the reasoning ....

  1. Why set the Domain Name to TMP?
  2. This I was able to do, but it had no effect.
  3. Where did you do this? Under the Kerberos Realms button under the Active Directory button? On the far left?
Please explain in a little more detail if you can...
Those steps are not required. What is the output of the command midclt call kerberos.realm.query? What is the output of klist? What is the output of ktutil list? What is the output of midclt call kerberos.keytab.query '[]' '{"count":true}'?
 

ColbySilver

Cadet
Joined
Aug 29, 2019
Messages
5
Hey Elo,

I strongly suggest you follow anodos' suggestions to resolve your issues.

I was setting the value to TMP in an attempt to ensure it had no settings related to my Domain saved anywhere. As I said I'm not sure which step actually made a difference if any at all. To your question #3 - Yes.

Also, I did miss a step in my previous post...I also hit ADVANCED OPTIONS and cleared out the values under "Kerberos Realm" and "Kerberos Principal" when I was disabling Active Directory. After this the Domain Account Name and Domain Account Password fields re-appeared and I was able to join AD again. If I had to guess, when these Kerberos fields are filled in it will not Display the Domain Account Name and Password fields even if you have left the domain. Perhaps this was the only important step...?



All of this happened after I upgraded from FreeNAS-11.x to TrueNAS-12.0-U2.1 and the Active Directory was not working. In the past I found the simplest way to resolve AD issues was the Leave and Rejoin (I understand it's probably not the 'best' way, just the simplest). With the U2.1 update the Domain Account Name and Password fields are hidden even after leaving the domain. I think this might be new in the U2.1 update..? Perhaps these fields should not be hidden after leaving a domain...just a thought.

Thanks,
Colby
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
Those steps are not required. What is the output of the command midclt call kerberos.realm.query? What is the output of klist? What is the output of ktutil list? What is the output of midclt call kerberos.keytab.query '[]' '{"count":true}'?

Output as follows:

midclt call kerberos.realm.query
[{"id": 1, "realm": "xxx.yyy.COM", "kdc": [], "admin_server": [], "kpasswd_server": []}]

klist
klist: No ticket file: /tmp/krb5cc_0

ktutil list
ktutil: krb5_kt_start_seq_get FILE:/etc/krb5.keytab: keytab /etc/krb5.keytab open failed: No such file or directory

midclt call kerberos.keytab.query '[]' '{"count":true}'
0
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Output as follows:

midclt call kerberos.realm.query
[{"id": 1, "realm": "xxx.yyy.COM", "kdc": [], "admin_server": [], "kpasswd_server": []}]

klist
klist: No ticket file: /tmp/krb5cc_0

ktutil list
ktutil: krb5_kt_start_seq_get FILE:/etc/krb5.keytab: keytab /etc/krb5.keytab open failed: No such file or directory

midclt call kerberos.keytab.query '[]' '{"count":true}'
0
Now you can run midclt call kerberos.realm.delete 1 (though it's recommended generally to do such things through the webui).

Once you have done this, fill out the AD form in the GUI with the correct domain info and enable. You may also want to ensure that nameservers 1-3 are appropriate for your new domain.
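The four commands anodos asked for above, and Elo's output (one realm entry, keytab count 0, no ticket cache), describe exactly the leftover state that makes the AD form skip the credential prompt. The script below is an added example, not code from the thread or from iXsystems: it parses captured output of those commands so the classification can be checked offline, and only runs the real `midclt`/`klist` commands when they exist on the host. The state labels (stale-realm, no-ticket, joined, clean) are this example's own naming; the command names and the cleanup steps it prints are the ones given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from iXsystems): triage the leftover
# Kerberos state this thread describes before re-joining AD on TrueNAS 12.
# Parsing functions take captured output so they can be exercised offline;
# the driver at the bottom runs the real commands only when midclt exists.

# Extract realm ids from the JSON that `midclt call kerberos.realm.query` prints.
realm_ids() {
    printf '%s\n' "$1" | grep -o '"id": *[0-9][0-9]*' | grep -o '[0-9][0-9]*$'
}

# Number of realm entries in that JSON (0 for "[]").
realm_count() {
    realm_ids "$1" | wc -l | tr -d ' '
}

# Classify the combination of realm entries, keytab count
# (`midclt call kerberos.keytab.query '[]' '{"count":true}'`) and `klist` output.
#   stale-realm : a realm is configured but no keytab exists; leftover from an
#                 earlier join, which is the pattern seen in this thread when
#                 the machine-account kinit fails
#   no-ticket   : keytab present but no ticket cache yet
#   joined      : keytab present and a ticket cache exists
#   clean       : nothing configured; the AD form should ask for credentials
classify_kerberos_state() {
    realms="$1"; keytabs="${2:-0}"; klist_out="$3"
    if [ "$(realm_count "$realms")" -gt 0 ] && [ "$keytabs" -eq 0 ]; then
        echo stale-realm
    elif [ "$keytabs" -gt 0 ] && printf '%s\n' "$klist_out" | grep -q 'No ticket file'; then
        echo no-ticket
    elif [ "$keytabs" -gt 0 ]; then
        echo joined
    else
        echo clean
    fi
}

# Driver: only runs on a TrueNAS host where midclt exists.
if command -v midclt >/dev/null 2>&1; then
    realms=$(midclt call kerberos.realm.query)
    keytabs=$(midclt call kerberos.keytab.query '[]' '{"count":true}')
    tickets=$(klist 2>&1 || true)
    state=$(classify_kerberos_state "$realms" "$keytabs" "$tickets")
    echo "kerberos state: $state"
    if [ "$state" = "stale-realm" ]; then
        for id in $(realm_ids "$realms"); do
            echo "stale realm id $id: remove it (webui, or: midclt call kerberos.realm.delete $id)"
        done
        echo "then clear the principal: midclt call activedirectory.update '{\"kerberos_principal\": \"\", \"enable\": false}'"
    fi
else
    echo "midclt not found: run this on the TrueNAS host"
fi
```

Run it as root on the NAS; when it reports stale-realm it prints the realm id to delete and the reset command anodos gives later in this thread, rather than running them, so the change is still made deliberately (preferably through the webui).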
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
Hey Elo,

I strongly suggest you follow anodos' suggestions to resolve your issues.

I was setting the value to TMP in an attempt to ensure it had no settings related to my Domain saved anywhere. As I said I'm not sure which step actually made a difference if any at all. To your question #3 - Yes.

Also, I did miss a step in my previous post...I also hit ADVANCED OPTIONS and cleared out the values under "Kerberos Realm" and "Kerberos Principal" when I was disabling Active Directory. After this the Domain Account Name and Domain Account Password fields re-appeared and I was able to join AD again. If I had to guess, when these Kerberos fields are filled in it will not Display the Domain Account Name and Password fields even if you have left the domain. Perhaps this was the only important step...?


All of this happened after I upgraded from FreeNAS-11.x to TrueNAS-12.0-U2.1 and the Active Directory was not working. In the past I found the simplest way to resolve AD issues was the Leave and Rejoin (I understand it's probably not the 'best' way, just the simplest). With the U2.1 update the Domain Account Name and Password fields are hidden even after leaving the domain. I think this might be new in the U2.1 update..? Perhaps these fields should not be hidden after leaving a domain...just a thought.

Thanks,
Colby

For me it was the same, and like you I thought that leaving and rejoining would solve the problem; I am now on U2.1. I will follow anodos' advice and potentially make a fresh install, as it is limited how long the DOMAIN users can be without access to various data (I have given access to the most important data by tweaking permissions).
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
Now you can run midclt call kerberos.realm.delete 1 (though it's recommended generally to do such things through the webui).

Once you have done this, fill out the AD form in the GUI with the correct domain info and enable. You may also want to ensure that nameservers 1-3 are appropriate for your new domain.

Did that. The Domain Account and PW did not re-appear.. Entering my domain, checking DNS servers:

nslookup ob-msserv-2016 192.168.111.36
Server: OB-MSSERV-2016.xxx.yyy.com
Address: 192.168.111.36

Name: ob-msserv-2016.xxx.yyy.com
Addresses: fd2e:3343:e38f:1:0:5efe:192.168.111.36
192.168.111.36


nslookup ob-msserv-2019 192.168.111.45
Server: OB-MSSERV-2019.xxx.yyy.com
Address: 192.168.111.45

Name: ob-msserv-2019.xxx.yyy.com
Address: 192.168.111.45

enabling and submit :

Error: Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/activedirectory.py", line 769, in validate_credentials
self.middleware.call_sync('kerberos.do_kinit', data)
File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1254, in call_sync
return self.run_coroutine(methodobj(*prepared_call.args))
File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1294, in run_coroutine
return fut.result()
File "/usr/local/lib/python3.8/concurrent/futures/_base.py", line 432, in result
return self.__get_result()
File "/usr/local/lib/python3.8/concurrent/futures/_base.py", line 388, in __get_result
raise self._exception
File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/kerberos.py", line 269, in do_kinit
raise CallError(f"kinit for domain [{data['domainname']}] "

middlewared.service_exception.CallError: [EFAULT] kinit for domain [xxx.yyy.COM] with principal [OB-NAS-MAIN$@xxx.yyy.COM] failed: kinit: krb5_get_init_creds: Already tried ENC-TS-info, loopin

You may also want to ensure that nameservers 1-3 are appropriate for your new domain. I am not creating a NEW domain but attempting to connect to an existing one. The DNS servers servicing that domain are up and reachable and are working fine for current W10 machines and some Linux Mint machines in the domain. The third DNS server is a fallback on the WB, I think 1.1.1.1, and set up in the ADC running under W Server 2016 & W Server 2019.
 

Sûmi

Dabbler
Joined
Mar 5, 2021
Messages
13
Hello everybody,

unfortunately I am one of those who have problems joining TrueNAS 12.0U2.1 to the domain.
I have 2 Server 2019 DCs in the domain, so far I have no problems etc.

When I join, I also get the computer object created in the domain, but the join does not work completely.

I discovered several bugs in the domain.

1. Error: [EFAULT] Failed to join domain: Failed to set machine spn: Constraint violation Do you have sufficient permissions to create machine accounts?

2. Attempt to connect to netlogon share failed with error: [EFAULT] could not obtain winbind interface details: Winbind daemon is not available. could not obtain winbind domain name! failed to call wbcPingDc: Winbind daemon is not available ..
March 5, 2021 19:42:19 (Europe / Berlin)

WARNING
Domain validation failed with error: [EFAULT] Netlogon connection to [dc02.xxx.yyy] failed with error: An invalid parameter was passed to a service or function.
March 5, 2021 19:42:19 (Europe / Berlin)

Then I saw an event on the domain controller that said a computer with invalid parameters tried to authenticate.

In addition, I discovered that on the console there is something wrong with the domain join. Here I get an error message that no login server is available.

Somehow it seems to me that there are still really big problems here with the TrueNas with the domain join.

Are there any other solutions than the ones described here that one can try, or is there nothing more to do than wait for the next update?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Did that. The Domain Account and PW did not re-appear.. Entering my domain, checking DNS servers:

nslookup ob-msserv-2016 192.168.111.36
Server: OB-MSSERV-2016.xxx.yyy.com
Address: 192.168.111.36

Name: ob-msserv-2016.xxx.yyy.com
Addresses: fd2e:3343:e38f:1:0:5efe:192.168.111.36
192.168.111.36


nslookup ob-msserv-2019 192.168.111.45
Server: OB-MSSERV-2019.xxx.yyy.com
Address: 192.168.111.45

Name: ob-msserv-2019.xxx.yyy.com
Address: 192.168.111.45

enabling and submit :

Error: Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/activedirectory.py", line 769, in validate_credentials
self.middleware.call_sync('kerberos.do_kinit', data)
File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1254, in call_sync
return self.run_coroutine(methodobj(*prepared_call.args))
File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1294, in run_coroutine
return fut.result()
File "/usr/local/lib/python3.8/concurrent/futures/_base.py", line 432, in result
return self.__get_result()
File "/usr/local/lib/python3.8/concurrent/futures/_base.py", line 388, in __get_result
raise self._exception
File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/kerberos.py", line 269, in do_kinit
raise CallError(f"kinit for domain [{data['domainname']}] "

middlewared.service_exception.CallError: [EFAULT] kinit for domain [xxx.yyy.COM] with principal [OB-NAS-MAIN$@xxx.yyy.COM] failed: kinit: krb5_get_init_creds: Already tried ENC-TS-info, loopin

You may also want to ensure that nameservers 1-3 are appropriate for your new domain. I am not creating a NEW domain but attempting to connect to an existing one. The DNS servers servicing that domain are up and reachable and are working fine for current W10 machines and some Linux Mint machines in the domain. The third DNS server is a fallback on the WB, I think 1.1.1.1, and set up in the ADC running under W Server 2016 & W Server 2019.
Run command midclt call activedirectory.update '{"kerberos_principal": "", "enable": false}' then refresh the AD GUI and re-enter username and password.
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
Run command midclt call activedirectory.update '{"kerberos_principal": "", "enable": false}' then refresh the AD GUI and re-enter username and password.
Thank you very very much for your help and patience. It seems to work OK, although the join process was superfast. When done, the AD User and the Password fields are still visible..

I have access from the domain PCs / users to the shares..

How can I truly verify that it has successfully joined the domain?


I did run:

midclt call activedirectory.get_state
HEALTHY

wbinfo -t
checking the trust secret for domain HJEMME via RPC calls succeeded

wbinfo -m
BUILTIN
OB-NAS-MAIN
HJEMME
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Thank you very very much for your help and patience. It seems to work OK, although the join process was superfast. When done, the AD User and the Password fields are still visible..

I have access from the domain PCs / users to the shares..

How can I truly verify that it has successfully joined the domain?


I did run:

midclt call activedirectory.get_state
HEALTHY

wbinfo -t
checking the trust secret for domain HJEMME via RPC calls succeeded

wbinfo -m
BUILTIN
OB-NAS-MAIN
HJEMME
Yeah, that looks healthy.
 

Sûmi

Dabbler
Joined
Mar 5, 2021
Messages
13
For me that does not work.

midclt call activedirectory.get_state
FAULTED

wbinfo -t
checking the trust secret for domain domain.com via RPC calls failed
wbcCheckTrustCredentials(domain.com): error code was NT_STATUS_NO_SUCH_DOMAIN (0xc0 0000df)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret


wbinfo -m
BUILTIN
STORAGE03
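Elo's and Sûmi's outputs above are the healthy and the faulted case of the same three checks (activedirectory.get_state, wbinfo -t, wbinfo -m). The script below is an added example, not code from the thread or from iXsystems: it turns those three outputs into a single verdict, naming the check that failed and the NT_STATUS code winbind reported, so the result can be compared between hosts or logged after each re-join attempt. The functions take captured output and are exercised offline against the two posts' output; the driver runs the real commands only when wbinfo and midclt exist. The expected NetBIOS domain name is a parameter (HJEMME in Elo's post); the verdict strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from iXsystems): interpret the three
# checks used in this thread to verify a TrueNAS AD join:
#   midclt call activedirectory.get_state   -> HEALTHY / FAULTED / ...
#   wbinfo -t                               -> trust-secret check against a DC
#   wbinfo -m                               -> domains winbind trusts
# Functions take captured output so they can be tested offline; the driver at
# the bottom runs the real commands only when wbinfo and midclt are present.

# True when the middleware reports the AD service as HEALTHY.
ad_state_ok() {
    [ "$1" = "HEALTHY" ]
}

# Reduce `wbinfo -t` output to "ok", or to the NT_STATUS code it reports
# (e.g. NT_STATUS_NO_SUCH_DOMAIN), or "failed" when no code is present.
trust_secret_result() {
    if printf '%s\n' "$1" | grep -q 'via RPC calls succeeded'; then
        echo ok
        return 0
    fi
    code=$(printf '%s\n' "$1" | grep -o 'NT_STATUS_[A-Z0-9_]*' | head -n 1)
    echo "${code:-failed}"
}

# `wbinfo -m` always lists BUILTIN and the local machine name; the join is
# only real if the expected domain appears as its own line.
domain_is_trusted() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# Combined verdict: "joined", or "not-joined: <failing check>".
join_verdict() {
    state="$1"; trust_out="$2"; domains_out="$3"; expected="$4"
    if ! ad_state_ok "$state"; then
        echo "not-joined: state=$state"
        return 0
    fi
    trust=$(trust_secret_result "$trust_out")
    if [ "$trust" != ok ]; then
        echo "not-joined: trust-secret=$trust"
        return 0
    fi
    if ! domain_is_trusted "$expected" "$domains_out"; then
        echo "not-joined: $expected missing from wbinfo -m"
        return 0
    fi
    echo joined
}

# Driver: usage on the NAS is `sh verify_join.sh NETBIOS_DOMAIN` (assumed file name).
if command -v wbinfo >/dev/null 2>&1 && command -v midclt >/dev/null 2>&1; then
    expected="${1:?usage: $0 NETBIOS_DOMAIN}"
    state=$(midclt call activedirectory.get_state 2>&1 || true)
    trust_out=$(wbinfo -t 2>&1 || true)
    domains_out=$(wbinfo -m 2>&1 || true)
    join_verdict "$state" "$trust_out" "$domains_out" "$expected"
else
    echo "wbinfo/midclt not found: run this on the TrueNAS host"
fi
```

The ordering matters: a FAULTED state is reported before the trust secret is consulted, because once the middleware has marked the service faulted the winbind checks tend to fail for the same underlying reason (no machine secret, as in the "Could not check secret" output above), and the get_state result is the one the webui acts on.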
 

Elo

Contributor
Joined
Mar 11, 2012
Messages
122
For me that does not work.

midclt call activedirectory.get_state
FAULTED

wbinfo -t
checking the trust secret for domain domain.com via RPC calls failed
wbcCheckTrustCredentials(domain.com): error code was NT_STATUS_NO_SUCH_DOMAIN (0xc0 0000df)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret


wbinfo -m
BUILTIN
STORAGE03

Hi, I am no expert, as you can see from previous posts. I got the following advice from anodos which I think did reset everything and worked for me (use at your own risk; follow the thread of advice from anodos to see what was done prior to this). Except for this I am not able to give any advice, as I have no deep knowledge of these issues....

Run command midclt call activedirectory.update '{"kerberos_principal": "", "enable": false}' then refresh the AD GUI and re-enter username and password.
 