Cannot join FreeNAS 11.3-U2 to Windows Active Directory, and some troubleshooting commands fail

Description

I need to join a FreeNAS 11.3-U2 to a Windows AD Domain however, it is failing. Following the troubleshoot commands in the user manual, some commands in particular also fail.

Top Right area of the UI (Directory Services Monitor) shows that the AD is Faulted, and LDAP & NIS disabled.

Can you please let me know what else I need to provide in the way of logs, etc?

root@freenas/var/log/samba4# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;"

root@freenas/var/log/samba4# echo $? 
0

root@freenas/var/log/samba4# service ix-kerberos start 
ix-kerberos does not exist in /etc/rc.d or the local startup 
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable

root@freenas/var/log/samba4# service ix-nsswitch start 
root@freenas/var/log/samba4#

root@freenas/var/log/samba4# service ix-kinit start 
root@freenas/var/log/samba4#  
root@freenas/var/log/samba4# service ix-kinit status 
root@freenas/var/log/samba4# echo $?                                                                                
0 
root@freenas/var/log/samba4# klist 
Credentials cache: FILE:/tmp/krb5cc_0 
        Principal: user@###.NET.MT

Issued                Expires               Principal 
May  5 12:22:23 2020  May  5 22:22:23 2020  krbtgt/redacted.NET.MT@redacted.NET.MT 
root@freenas/var/log/samba4# python /usr/local/www/freenasUI/middleware/notifier.py start cifs 
True 
root@freenas/var/log/samba4# service ix-activedirectory start 
ix-activedirectory does not exist in /etc/rc.d or the local startup 
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable 
root@freenas/var/log/samba4# service ix-activedirectory status 
ix-activedirectory does not exist in /etc/rc.d or the local startup 
directories (/etc/ix.rc.d /usr/local/etc/rc.d), or is not executable

root@freenas/var/log/samba4#

Problem/Justification

None

Impact

None

SmartDraw Connector

Katalon Manual Tests (BETA)

Activity

Show:

Andrew Walker May 14, 2020 at 11:03 AM

Information in ticket is slightly incorrect. It is already merged for U3. Issue is with reconfiguring kerberos to be site-specific. The FreeBSD system kerberos is not AD site aware, which can be problematic in a large AD domain because all the DCs may have similar weighting. During the AD join we detect if there are multiple DCs in our site and if our site is not the default one in AD. In this case, we add up to three of the DCs in our site to our kerberos configuration.

If you need the fix sooner than U3, you can try manually hot-patching your server.
1) Clone boot environment (so that you can roll back if you need to)
2) replace /usr/local/lib/python3.7/site-packages/middlewared/plugins/activedirectory.py with the version here: https://github.com/freenas/freenas/blob/freenas/11.3-stable/src/middlewared/middlewared/plugins/activedirectory.py
3) restart middlewared "service middlewared onerestart"

After you do this, you may need to clean up some stale state if you've already joined AD. First try leaving the domain by clicking "Advanced-> Leave" in the AD form. If this fails for some reason, you should be able to delete the computer object for FreeNAS in the AD-side, disable on AD on the FreeNAS side, remove any kerberos keytabs, and then re-join.

Nicholas May 14, 2020 at 5:43 AM

Hello folks,

Thanks for the fix!

Is there a workaround for this fix, prior to the U4 release by any chance?

Cheers,

Nich

Bug Clerk May 7, 2020 at 5:16 PM

12.0 PR: https://github.com/freenas/freenas/pull/4746

Bug Clerk May 7, 2020 at 1:50 PM

11.3 PR: https://github.com/freenas/freenas/pull/4745

Nicholas May 7, 2020 at 8:27 AM

Small update. To ensure the system was not somehow dirty due to my troubleshooting. The previous install was actually an upgrade from 11.3 > U2, so this time I installed 11.3-U2.1. A coupe configuration changes related to email and enabled NFS/SMB. On trying to join to the domain, the same errors cropped up

Directory Services Mpnitor - Active Directory Faulted

Task Manager - activedirectory.start

Status: FAILED
Start Time: Thu May 7, 2020, 9:52:01 (Europe/Malta)
Finished Time: Thu May 7, 2020, 9:52:01
Error: 'ActiveDirectoryService' object has no attribute 'middleawre'

NTP is configured to the domain NTP Servers directly, and there is no apparent skew

*root@freenas/var/log/samba4# midclt call activedirectory.check_clockskew
{"pdc": "redacted", "timestamp": "2020-05-07 10:14:17.252510", "clockskew": "0:00:00.070745"}*

Service states

*root@freenas/var/log/samba4# midclt call directoryservices.get_state
{"activedirectory": "FAULTED", "ldap": "DISABLED", "nis": "DISABLED"}*

And for some reason, credentials check returns null.

*root@freenas/var/log/samba4# midclt call activedirectory.validate_credentials
null*

Any insight would be appreciated

Cheers,

Nich

Complete

Pinned fields

Click on the next to a field label to start pinning.

Details

Assignee

Andrew Walker

Reporter

Nicholas

Components

Fix versions

12.0-ALPHA2

11.3-U4

Affects versions

11.3-U2

11.3-U2.1

Due date

Jul 01, 2020

Priority

Low

More fields

Katalon Platform

Created May 5, 2020 at 10:47 AM

Updated July 1, 2022 at 3:31 PM

Resolved May 7, 2020 at 5:16 PM

Configure