TrueNAS loses Active Directory join

Joined
Mar 10, 2023
Messages
11
Hello,
I can successfully join my home Active Directory (hosted on Samba 4.15.13) each time, and my effort upon the failure I want to describe is limited to entering the domain admin password + ticking the enable box for reconnection + OK, but it's still impacting:
TrueNAS loses the join to the domain after a few minutes. First, upon join, it will say "HEALTHY". After a few minutes, it will say "FAULTED", and one or two minutes more, the configuration no longer appears under Credentials - Directory Services (but all required fields are pre-filled when clicking the "Configure Active Directory" button).

I will also get a mail illustrating the behavior:
TrueNAS @ truenas

New alerts:
  • Attempt to connect to netlogon share failed with error: [EINVAL] Automatically disabling ActiveDirectory service due to invalid configuration..
Current alerts:
  • Attempt to connect to netlogon share failed with error: [EINVAL] Automatically disabling ActiveDirectory service due to invalid configuration..
A clearing mail is sent later (I suppose that's not really cleared; it just means the AD service was stopped):
TrueNAS @ truenas

The following alert has been cleared:
  • Attempt to connect to netlogon share failed with error: [EINVAL] Automatically disabling ActiveDirectory service due to invalid configuration..
I can successfully connect to SMB shares while the AD configuration is HEALTHY. The connections will also stay up. But once the problem described above occurs, one cannot connect anymore if credential checks need to be performed.

Time sync is OK and the same on all hosts (the ADC is a VM in Proxmox 7.6.4). All other systems that connect to the ADC work fine, even this TrueNAS box, except that it does not retain its AD connection.

Question:
Is this a known bug?
What logs can I check, any specific ones?
Any idea of what may be causing this and how to get rid of it?

Thank you very much!

RROBINSON18

Cadet
Joined
Nov 25, 2023
Messages
2
Were you able to make any progress with this? Currently having the same issue.

razexzzz

Cadet
Joined
Apr 9, 2021
Messages
5
Adding to this as I am getting the same issue. I can connect just fine, then just randomly I get the same error. It seems to go to faulted, then just disables itself, but I cannot say for certain, as this is the first time I have seen it go to faulted. Normally I just log in and AD is disabled.
I am using a local Windows Server 2022.
Following things from this post:

Code:
 midclt call activedirectory.started
[EINVAL] Automatically disabling ActiveDirectory service due to invalid configuration.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/health.py", line 174, in started
    verrors.check()
  File "/usr/lib/python3/dist-packages/middlewared/service_exception.py", line 70, in check
    raise self
middlewared.service_exception.ValidationErrors: [EINVAL] activedirectory_update.bindname: Bind credentials or kerberos keytab are required to join an AD domain.


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 201, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1341, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 177, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/health.py", line 177, in started
    raise CallError('Automatically disabling ActiveDirectory service due to invalid configuration.',
middlewared.service_exception.CallError: [EINVAL] Automatically disabling ActiveDirectory service due to invalid configuration.

root@lilnas[~]#  midclt call activeidirectory.check_clocksew
[ENOMETHOD] Service 'activeidirectory' not found
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/utils/service/call.py", line 25, in _method_lookup
    serviceobj = self.get_service(service)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/utils/plugins.py", line 162, in get_service
    return self._services_aliases[name]
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^
KeyError: 'activeidirectory'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 340, in on_message
    serviceobj, methodobj = self.middleware._method_lookup(message['method'])
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/utils/service/call.py", line 27, in _method_lookup
    raise CallError(f'Service {service!r} not found', CallError.ENOMETHOD)
middlewared.service_exception.CallError: [ENOMETHOD] Service 'activeidirectory' not found

root@lilnas[~]# midclt call activedirectory.validate_credentials
null


Created a new admin on AD; AD was healthy, and I ran the commands again:

Code:
root@lilnas[~]# midclt call activedirectory.validate_credentials
null
root@lilnas[~]# midclt call activedirectory.started
False
root@lilnas[~]#  midclt call activeidirectory.check_clocksew
[ENOMETHOD] Service 'activeidirectory' not found
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/utils/service/call.py", line 25, in _method_lookup
    serviceobj = self.get_service(service)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/utils/plugins.py", line 162, in get_service
    return self._services_aliases[name]
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^
KeyError: 'activeidirectory'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 340, in on_message
    serviceobj, methodobj = self.middleware._method_lookup(message['method'])
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/utils/service/call.py", line 27, in _method_lookup
    raise CallError(f'Service {service!r} not found', CallError.ENOMETHOD)
middlewared.service_exception.CallError: [ENOMETHOD] Service 'activeidirectory' not found


I followed a guide on setting up logging for Active Directory on Windows, but either I did something wrong (highly likely) or it's not logging any issues. The only logs are from when I set it up 2 months ago.

Code:
midclt call activedirectory.domain_info | jq
{
  "LDAP server": "10.0.2.199",
  "LDAP server name": "WIN-7K299S32T80.MYDOMAIN.io",
  "Realm": "MYDOMAIN.IO",
  "Bind Path": "dc=MYDOMAIN,dc=IO",
  "LDAP port": 389,
  "Server time": 1701573654,
  "KDC server": "10.0.2.199",
  "Server time offset": -1,
  "Last machine account password change": 1698695541
}


Also attached a screenshot of advanced settings. There is nothing in syslog about any errors for when it either faults or just disables.

Attachments

  • Screenshot (1).png

RROBINSON18

Cadet
Joined
Nov 25, 2023
Messages
2
So got ours working a bit ago. Our error was that the TrueNAS server couldn't find the correct credentials to use; basically it does a health check on the domain and tries to reauthenticate, but it will fail and cause the fault.

On the initial domain join it adds a keytab, which is an encrypted password file essentially. Try pointing to that so it knows to use that file, and make sure to fill out the Kerberos principal option as well; it is the domain computer object in the keytab that was generated the first time the domain was joined.

Anyway, that seemed to work for us; hope that helps!
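Added example (not TrueNAS's own code): a pre-flight check that applies the same precondition the traceback above failed on (a bind user or a keytab must be configured), verifies that the configured Kerberos principal is actually present in the keytab as described in the reply above, and reads the clock offset and machine-account password age out of `activedirectory.domain_info`. The domain_info JSON and the `klist -k` text are constructed samples (numbers copied from the thread; the `LILNAS$@MYDOMAIN.IO` principal is assumed from the `lilnas` hostname), to be replaced with live command output on a real box.

```python
# Added pre-flight check for a TrueNAS SCALE AD join; not TrueNAS middleware code.
# Inputs: JSON from `midclt call activedirectory.domain_info`, text from `klist -k`.
import json
import re

KRB_MAX_SKEW = 300  # Kerberos default clock-skew tolerance, in seconds

# Constructed sample; numbers copied from the thread's domain_info output.
DOMAIN_INFO_JSON = """{
  "Realm": "MYDOMAIN.IO", "KDC server": "10.0.2.199",
  "Server time": 1701573654, "Server time offset": -1,
  "Last machine account password change": 1698695541
}"""

# Constructed `klist -k` sample; the LILNAS$ machine principal is assumed.
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 LILNAS$@MYDOMAIN.IO
   2 host/lilnas.mydomain.io@MYDOMAIN.IO
"""


def keytab_principals(klist_text):
    """Set of principals listed by `klist -k` (KVNO column, then principal)."""
    return set(re.findall(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_text, re.M))


def assess_ad_config(domain_info_json, klist_text, bindname, principal, has_keytab):
    """Return findings; an empty list means the periodic health check should pass."""
    info = json.loads(domain_info_json)
    findings = []
    # The precondition whose failure raised EINVAL in the thread's traceback.
    if not bindname and not has_keytab:
        findings.append("bindname: Bind credentials or kerberos keytab are required")
    # The fix from the thread: the configured principal must exist in the keytab.
    if has_keytab and principal not in keytab_principals(klist_text):
        findings.append(f"kerberos_principal {principal!r} not found in keytab")
    # Kerberos rejects tickets outside the skew tolerance, so check the offset too.
    if abs(info["Server time offset"]) > KRB_MAX_SKEW:
        findings.append(f"clock skew {info['Server time offset']}s exceeds {KRB_MAX_SKEW}s")
    return findings


def machine_password_age_days(domain_info_json):
    """Days since the machine account password was last rotated, per domain_info."""
    info = json.loads(domain_info_json)
    return (info["Server time"] - info["Last machine account password change"]) / 86400
```

Calling `assess_ad_config(DOMAIN_INFO_JSON, KLIST_OUTPUT, "", "", False)` reproduces the thread's broken state, and passing `"LILNAS$@MYDOMAIN.IO"` with `has_keytab=True` reproduces the fixed one.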

razexzzz

Cadet
Joined
Apr 9, 2021
Messages
5
I had TrueNAS leave the domain, then rejoin. So far it has not disabled itself. If it does, I will give yours a try.

Update:
Dec 20: still going strong. Seems like something funky happened and leaving/rejoining the domain cleared it up. I also double-checked after I had it leave the domain that nothing of the server was left there.