FreeNAS 9.10 Intermittent Active Directory Connection Issues



  • Posting on behalf of @HelloWill

    We have a FreeNAS (9.10.2) box that is connected to Windows Active Directory.

    We've been having issues such that users are unable to connect to CIFS shares. When they attempt to log in, they get an "access denied" error and are prompted to re-enter credentials. The credentials entered are correct, and the user has permissions to access the shares.

    It started with one user, and we were able to replicate the problem on every computer we tested using her credentials. However, on the same machines, logging in with another user's login and password worked fine.

    Now the issue is affecting more than 1 user and becoming a big issue. It has been happening off and on for a week now.

    Originally, we discovered the time was out of sync and fixed that issue by fixing NTP and disconnecting / rejoining the FreeNAS box to the domain, which fixed the issue, but it seems it was temporary.

    Current error:

    [2017/02/17 09:20:39.762291,  1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
    Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
    [2017/02/17 09:20:41.168736,  1] ../source3/auth/token_util.c:430(add_local_groups)
    SID S-1-5-21-1393113601-3259814849-2442191995-1246 -> getpwuid(21246) failed
    [2017/02/17 09:20:41.168841,  1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
    Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
    [2017/02/17 09:20:42.361410,  1] ../source3/auth/token_util.c:430(add_local_groups)
    SID S-1-5-21-1393113601-3259814849-2442191995-1246 -> getpwuid(21246) failed
    [2017/02/17 09:20:42.361484,  1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
    Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL) 
    


  • Is this the same issue you posted last week?
    What is the domain level?
    Not sure if FreeBSD has getent.
    What does
    getent group "domain\\Domain Users" or getent group "domain\\groupthataccessesshare"
    return?



  • Same system, different issue. In theory, at least.



  • FreeBSD does have getent.
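
As an added example (not part of the thread, and not Samba or FreeNAS code), the Python script below parses the log excerpt from the first post, pairs each smbd header line with its message, and groups the failed uid lookups by SID so the affected accounts can be identified. The function names are hypothetical, and the uid-minus-RID offset it reports is only meaningful on the assumption that an algorithmic idmap backend is in use.

```python
import re
from collections import Counter

# Sample input: the log excerpt from the first post, copied verbatim.
SAMPLE_LOG = """\
[2017/02/17 09:20:39.762291,  1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2017/02/17 09:20:41.168736,  1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-1393113601-3259814849-2442191995-1246 -> getpwuid(21246) failed
[2017/02/17 09:20:41.168841,  1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2017/02/17 09:20:42.361410,  1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-1393113601-3259814849-2442191995-1246 -> getpwuid(21246) failed
[2017/02/17 09:20:42.361484,  1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]\s+\S+\((\w+)\)$")
LOOKUP_FAIL = re.compile(r"^SID (S-1-[\d-]+)-(\d+) -> getpwuid\((\d+)\) failed$")
PAC_FAIL = "Failed to map kerberos pac to server info"

def parse_entries(text):
    """Yield (timestamp, function, message); smbd writes a header line, then the message."""
    header = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            header = m.groups()
        elif header and line:
            yield (*header, line)
            header = None

def summarize(text):
    """Count PAC mapping failures and group failed uid lookups by SID."""
    lookups, pac_failures, details = Counter(), 0, {}
    for ts, func, msg in parse_entries(text):
        m = LOOKUP_FAIL.match(msg)
        if m:
            domain_sid, rid, uid = m.group(1), int(m.group(2)), int(m.group(3))
            sid = f"{domain_sid}-{rid}"
            lookups[sid] += 1
            # Assumption: uid - rid matters only if an algorithmic idmap backend is used.
            details[sid] = {"uid": uid, "rid": rid, "offset": uid - rid, "last_seen": ts}
        elif func == "auth3_generate_session_info_pac" and PAC_FAIL in msg:
            pac_failures += 1
    return {"pac_failures": pac_failures, "lookups": dict(lookups), "details": details}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Each uid in the report can then be checked on the FreeNAS box with `getent passwd <uid>`, alongside the `getent group` queries asked for in the thread.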