
AD/SMB fails after U5.1 -> U6

Description

TrueNAS Core 12.0-U5.1 was joined to AD via Directory Services in the GUI, sharing an SMB share/dataset using the modern ACL interface, not running as root, and working correctly. After upgrading to U6, received this winbindd error:

  • Attempt to connect to netlogon share failed with error: [EFAULT] could not obtain winbind interface details: Winbind daemon is not available.
    could not obtain winbind domain name!
    failed to call wbcPingDc: Winbind daemon is not available..

Current alerts:

  • Domain validation failed with error: [EFAULT] Netlogon connection to [dc02.ad.midstateconstruction.com] failed with error: {Access Denied} A process has requested access to an object but has not been granted those access rights.

...and wbinfo -t failed. Used Directory Services > Active Directory to leave and rejoin the domain, which has solved this problem in the past. wbinfo -t still failed. service winbindd onestart acted as if it was working, but it didn't. Active Directory had a green checkmark and 'HEALTHY' in the GUI.

root@freenas[~]# midclt call activedirectory.get_state
HEALTHY

root@freenas[~]# midclt call activedirectory.domain_info | jq
{
  "LDAP server": "10.100.100.5",
  "LDAP server name": "DC01.ad.foo.com",
  "Realm": "AD.FOO.COM",
  "Bind Path": "dc=AD,dc=FOO,dc=COM",
  "LDAP port": 389,
  "Server time": 1633547748,
  "KDC server": "10.100.100.5",
  "Server time offset": 0,
  "Last machine account password change": 1633547570
}

root@freenas[~]# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret

root@freenas[~]# service winbindd status
winbindd is not running.

Rebooted to U5.1. Leave/rejoin did not work, but was able to rejoin the domain with the CLI below.

Used this CLI to rejoin domain on U5.1:

Shell:

# Re-enable AD directly in the config database (bypasses the GUI toggle)
sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"
# Join the domain using Kerberos auth (-k) at debug level 5 (-d 5) as the given AD user
net -k -d 5 ads join -U user
# Restart Samba, regenerate nsswitch.conf, then start winbindd
service samba_server restart
service ix-nsswitch start
service winbindd start

Rebooted to U6 and was not able to leave/rejoin domain as expected or with above CLI.

Rebooted to U5.1 for a second time, rejoined per above and re-set ACL permissions.

AD is run on two 2012R2 DC servers. NTP on TrueNAS hits those servers, and DNS points at them and resolves domain machines correctly.

The TrueNAS machine appeared/disappeared from the Computers OU as expected. Tried manually defining a different OU and that didn't solve the issue.

I understand the CLI above is not recommended, but AD does not work otherwise. I rebuilt this machine from scratch with 12.0 not importing any config and rebuilt everything manually. Same results.

Every update seems to introduce an AD/SMB rejoin dance. Typically leave/rejoin from GUI is all that is required.

Activity

Eric Bostrom 
October 14, 2021 at 8:32 PM

Not to my knowledge as I typically leave/rejoin to resolve AD issues. Great idea, thanks!

Andrew Walker 
October 14, 2021 at 8:08 PM

> /var/db/system/samba4/winbindd_privilege

Interesting. We don't touch permissions on this file. Did you ever make permissions changes manually on /var/db/system/samba4? I'll add it to the list of samba state directories that we check permissions of on boot. Thanks.
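Added example, not code from the page, the reporter, or iXsystems: a small POSIX sh audit of the kind of permissions check on a Samba state directory that the comment above describes, pointed at /var/db/system/samba4. The rule it applies (no group- or world-writable entries under the state tree) and the exact-mode check are my assumptions for illustration; the page does not say what the boot-time check enforces, and the fixture paths in the usage note are hypothetical.

```shell
#!/bin/sh
# Added example, not TrueNAS's own boot-time check. Audit a Samba state
# directory (e.g. /var/db/system/samba4) for entries a non-root user could
# modify, and verify that a given state path has exactly the mode expected.
# The "no group/world write" rule is an assumption for illustration; the
# page does not document what the middleware enforces.

# audit_samba_state DIR
# Prints every entry under DIR that is group- or world-writable.
# Returns 0 when nothing is flagged, 1 when at least one entry is,
# 2 when DIR is not a directory.
audit_samba_state() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "audit_samba_state: $dir is not a directory" >&2
        return 2
    fi
    # -perm -020: group write bit set; -perm -002: world write bit set.
    # Octal masks keep this portable between FreeBSD find and GNU find.
    flagged=$(find "$dir" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# check_mode PATH OCTAL_MODE
# Returns 0 if PATH's permission bits are exactly OCTAL_MODE (e.g. 600),
# 1 otherwise (or if PATH does not exist). -prune stops find from
# descending when PATH is a directory, so only PATH itself is tested.
check_mode() {
    path=$1
    mode=$2
    [ -n "$(find "$path" -prune -perm "$mode" -print 2>/dev/null)" ]
}

# Usage on the TrueNAS box (directory from the report; the expected mode
# passed to check_mode is whatever you have verified on a healthy system):
#   audit_samba_state /var/db/system/samba4
#   check_mode /var/db/system/samba4/<state file> <expected octal mode>
```

Run audit_samba_state against the state directory after every upgrade and before the leave/rejoin dance: a non-zero exit with a list of paths is a cheaper first check than rejoining the domain, and it distinguishes a permissions regression from a genuine machine-account problem.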

Status: Complete
Created October 7, 2021 at 6:08 PM
Updated July 1, 2022 at 5:42 PM
Resolved October 15, 2021 at 2:35 PM
