FreeNAS Domain Failure on AD

scottalanmiller

FreeNAS box, joined to the domain. wbinfo tells us that it is good, but if I test an account, this is the error that we get. No known changes made to the box before this started happening.

# net ads join -S 192.168.0.1 -U scott.miller
Enter scott.miller's password:
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received
Failed to join domain: failed to connect to AD: Unexpected information received

scottalanmiller

A getent shows that the account is there and populating from AD.

scottalanmiller

This is happening to all accounts.

Dashrender

Any kind of AD prep (forest/domain prep) get done it AD?

scottalanmiller

@Dashrender said in FreeNAS Domain Failure on AD:

Any kind of AD prep (forest/domain prep) get done it AD?

No idea. Are you thinking that some sort of prep would have broken the existing connection? This worked a few hours ago and has been working for two months.

momurda

One possibility is Time.
service --status-all returns all good on the services required?

scottalanmiller

@momurda said in FreeNAS Domain Failure on AD:

One possibility is Time.
service --status-all returns all good on the services required?

Yeah, time is spot on. We checked that right away.

scottalanmiller

We rejoined it, no change.

Feb  9 16:33:48 server ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
Feb  9 16:33:49 server ActiveDirectory: activedirectory_start: trying to join domain
Feb  9 16:33:49 server ActiveDirectory: AD_join_domain: net -k ads join domcain.com -S ad1.domain.com -p 389
Feb  9 16:33:50 server ActiveDirectory: AD_join_domain: Successful
Feb  9 16:33:50 server ActiveDirectory: /usr/sbin/service ix-activedirectory status
Feb  9 16:33:51 server ActiveDirectory: activedirectory_status: checking status
Feb  9 16:33:51 server ActiveDirectory: AD_status_domain: net -k ads status domain.com
Feb  9 16:33:52 server ActiveDirectory: AD_status_domain: Okay
Feb  9 16:33:52 server ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs

Dashrender

@scottalanmiller said in FreeNAS Domain Failure on AD:

@Dashrender said in FreeNAS Domain Failure on AD:

Any kind of AD prep (forest/domain prep) get done it AD?

No idea. Are you thinking that some sort of prep would have broken the existing connection? This worked a few hours ago and has been working for two months.

Yeah I was thinking if someone ran a ADprep /forestsprep or ADprep /domain prep that might have changed something the NAS doesn't like... new security requirements, or something.. I'm grasping at straws.

scottalanmiller

Found this. Repeats a lot, but the first one seems to be from when the problem started:

[2017/02/09 15:15:44.578796,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
  Kinit for [email protected] to access cifs/[email protected] failed: Clients credentials have been revoked

Dashrender

Is there any type of machine account for this NAS?

My Buffalo actually joined the domain just like a PC. I wonder if your NAS has a bad computer account that needs reset.

scottalanmiller

@Dashrender said in FreeNAS Domain Failure on AD:

Is there any type of machine account for this NAS?

My Buffalo actually joined the domain just like a PC. I wonder if your NAS has a bad computer account that needs reset.

It's been rejoined even.

Dashrender

@scottalanmiller said in FreeNAS Domain Failure on AD:

@Dashrender said in FreeNAS Domain Failure on AD:

Is there any type of machine account for this NAS?

My Buffalo actually joined the domain just like a PC. I wonder if your NAS has a bad computer account that needs reset.

It's been rejoined even.

OH duh.. sorry you did say that already.

DustinB3403

@scottalanmiller Have you removed it from the domain, and deleted the computer record for it before rejoining?

Or did you only remove it from the domain, and then immediately rejoin it?

scottalanmiller

@DustinB3403 said in FreeNAS Domain Failure on AD:

@scottalanmiller Have you removed it from the domain, and deleted the computer record for it before rejoining?

Or did you only remove it from the domain, and then immediately rejoin it?

I'm only on the FreeNAS side, didn't see how it was done.

DustinB3403

@scottalanmiller I'd ask that the FreeNAS be removed from the domain and then have the AD computer record removed as well.

Once that is done, reboot the NAS, and rejoin it to the domain.

Or at least confirm what process was done.

scottalanmiller

I'm waiting on my access to be restored after a reboot. No responses on email now.

scottalanmiller

I'm back in, and yes the computer account was blown away before rejoining.

scottalanmiller

The behaviour is that it shows the share but you can't actually connect in and browse the share. You see them listed. But when you hit them to open them it asks for a username and password. And those, of course, don't work.

DustinB3403

@scottalanmiller said in FreeNAS Domain Failure on AD:

The behaviour is that it shows the share but you can't actually connect in and browse the share. You see them listed. But when you hit them to open them it asks for a username and password. And those, of course, don't work.

So the FreeNAS isn't accepting other domain users as they access the share? Is that correct? Has anyone attempted to access the share using a local account to the NAS?