Won't connect to AD after upgrade from 9.2.18 to 9.3


jacinf (Cadet, joined Jan 17, 2014, 4 messages)
I was hoping to be able to figure this out by myself, but I'm getting frustrated and desperate at this point and need help.

I had a FreeNAS 9.2.X setup working nicely with Windows 2008 R2 Active Directory for the past year with no or minimal issues. Of course, today is Sunday, and users will be in the office tomorrow morning.

Last night, after updating to FreeNAS 9.3, I can no longer authenticate to Active Directory. The clients on the network can see the shares, but no credentials work.

I've read every forum post, all the bugs and documentation, and I've tried nearly everything I could find to tune or switch, and I am getting nowhere.

I have the feeling it's some sort of Kerberos or DNS type of issue. Here are some of the commands I have run to attempt to troubleshoot.

I get the following errors:
[root@anthony] ~# wbinfo -t
checking the trust secret for domain SHDSJ via RPC calls failed
error code was NT_STATUS_NO_SUCH_DOMAIN (0xc00000df)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

[root@anthony] ~# wbinfo -u
ANTHONY\root
ANTHONY\postmaster

[root@anthony] ~# net ads join -S SHDSJ -U Administrator
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

[root@anthony] ~# net ads join -S nicholas.sacredheartsaratoga.org -U Administrator
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

[root@anthony] ~# host -t srv _ldap._tcp.nicholas.sacredheartsaratoga.org
_ldap._tcp.nicholas.sacredheartsaratoga.org has SRV record 0 100 389 nicholas.nicholas.sacredheartsaratoga.org.

Debug and /var/log/messages output attached.

Attachments: messages.txt (21.4 KB), freenas-debug-a.txt (18.8 KB), freenas-debug-n.txt (13.8 KB)

dlavigne (Guest)
Please create a bug report at bugs.freenas.org and post the issue number here.
 

Boss (Cadet, joined Nov 10, 2014, 7 messages)
I've got just about the identical issue, did a bug report get created?

I've got 3 DCs in my setup; two are completely standalone with local disk. The third is a VM which has its datastore off iSCSI in this FreeNAS setup. When I have to reboot the FreeNAS box, I suspend the various VMs in ESXi and then reboot the storage. When it comes back online I experience this issue. Once I bring up the VM for the DC, I have to rejoin the domain to get AD to start working (although there is most likely some better way to do that).

Au_Squirrel (Cadet, joined Nov 19, 2011, 9 messages)
I am getting a similar, if not the same problem.

[root@freenas] ~# wbinfo -t
checking the trust secret for domain <my domain> via RPC calls failed
error code was NT_STATUS_NO_SUCH_DOMAIN (0xc00000df)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
[root@freenas] ~# wbinfo -u
FREENAS\<user 1>
FREENAS\<user 2>

freenas-debug -a gives me

+--------------------------------------------------------------------------------+
+ Active Directory Domain Status +
+--------------------------------------------------------------------------------+
ads_connect: No logon servers
ads_connect: No logon servers
Didn't find the ldap server!


+--------------------------------------------------------------------------------+
+ Active Directory Trust Secret +
+--------------------------------------------------------------------------------+
error code was NT_STATUS_NO_SUCH_DOMAIN (0xc00000df)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
checking the trust secret for domain <my domain> via RPC calls failed

klist shows a ticket is being received. All the DNS tests are showing the correct results.

net ads join -S <pdc.mydomain> -U Administrator
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

[root@freenas] ~# host -t srv _ldap._tcp.<my domain>
_ldap._tcp.squires.id.au has SRV record 0 100 389 <pdc.my domain>.
_ldap._tcp.squires.id.au has SRV record 0 100 389 <bdc.my domain>.
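The "Host is not configured as a member server." line in both posts above is printed by net ads join when Samba's effective server role is not domain member, i.e. when the smb4.conf it is running with does not carry security = ads together with a workgroup and realm; that is a configuration check, not a Kerberos or DNS result. The script below is an added example, not code from the thread or from FreeNAS: it reads the [global] section of a Samba config the way that check effectively does and reports why Samba would not act as a domain member. The two sample configs are constructed; the real file on FreeNAS 9.3 is assumed to be /usr/local/etc/smb4.conf.

```shell
# Added example: is this smb4.conf a domain-member config?  Explains the
# "Host is not configured as a member server." refusal from net ads join.
# The sample configs below are constructed, not taken from the thread.

# Print the last value of option $1 found in the [global] section of file $2.
cfg_value() {
    awk -v key="$1" '
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        inglobal && index($0, "=") > 0 {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == key) val = v
        }
        END { print val }' "$2"
}

# Print MEMBER or NOT_MEMBER plus the reason; exit 0 only for a usable AD member config.
check_member_config() {
    sec=$(cfg_value security "$1" | tr 'A-Z' 'a-z')
    realm=$(cfg_value realm "$1")
    wg=$(cfg_value workgroup "$1")
    case "$sec" in
        ads) ;;
        *) echo "NOT_MEMBER: security=${sec:-unset} (an AD join needs security = ads)"; return 1 ;;
    esac
    [ -n "$realm" ] || { echo "NOT_MEMBER: realm is unset"; return 1; }
    [ -n "$wg" ]    || { echo "NOT_MEMBER: workgroup is unset"; return 1; }
    echo "MEMBER: workgroup=$wg realm=$realm"
}

# Constructed samples: a standalone-style config and a correct member config.
STANDALONE_CFG=$(mktemp); MEMBER_CFG=$(mktemp)
cat > "$STANDALONE_CFG" <<'EOF'
[global]
    server string = FreeNAS Server
    security = user
    workgroup = WORKGROUP
[homes]
    comment = Home Directories
EOF
cat > "$MEMBER_CFG" <<'EOF'
[global]
    security = ADS
    realm = EXAMPLE.INTERNAL
    workgroup = EXAMPLE
    client use spnego = yes
EOF
check_member_config "$STANDALONE_CFG" || echo "(net ads join would refuse this host)"
check_member_config "$MEMBER_CFG"   # MEMBER: workgroup=EXAMPLE realm=EXAMPLE.INTERNAL
```

Run it against the live file (check_member_config /usr/local/etc/smb4.conf) before and after toggling the AD service in the GUI; a NOT_MEMBER verdict means the middleware never wrote a member-server config, whatever wbinfo says about the trust secret.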

jkh (Guest)
We are going to assume that this is solved unless someone files a bug report and cites the bug # here. :)
 

Boss (Cadet, joined Nov 10, 2014, 7 messages)
I've opened bug #7326 on this (first time opening a ticket so forgive me if I left anything out).
 

macxs (Dabbler, joined Nov 7, 2013, 21 messages)
I had a similar problem. Nothing I did in the last 4-5 days helped.

In Directory Services -> Active Directory -> Advanced....

What helped me was using a user other than "administrator" to join and bind to the AD.
Also, you should use the SASL wrapping option "sign".
I could see that sometimes the service could not find my site name. I entered "Default-First-Site-Name".

Now it works.
 

cholzhauer (Cadet, joined Jan 7, 2015, 2 messages)
I had a similar problem. Nothing I did in the last 4-5 days helped.

In Directory Services -> Active Directory -> Advanced....

What helped me was using a user other than "administrator" to join and bind to the AD.
Also, you should use the SASL wrapping option "sign".
I could see that sometimes the service could not find my site name. I entered "Default-First-Site-Name".

Now it works.

No go here
 

Harrison (Dabbler, joined Apr 28, 2014, 24 messages)
Thanks macxs,
I had a similar problem. Nothing I did in the last 4-5 days helped.

In Directory Services -> Active Directory -> Advanced....

What helped me was using a user other than "administrator" to join and bind to the AD.
Also, you should use the SASL wrapping option "sign".
I could see that sometimes the service could not find my site name. I entered "Default-First-Site-Name".

Now it works.

saved my bacon :smile: