    FreeNAS Domain Failure on AD

    IT Discussion
    freenas freebsd 10.3 freebsd bsd winbind kinit kerberos samba samba 4
      scottalanmiller @DustinB3403

      @DustinB3403 said in FreeNAS Domain Failure on AD:

      @scottalanmiller is only 1 user's account attempting to access this share?

      Many

        DustinB3403 @scottalanmiller

        @scottalanmiller Are there AD account expirations (not password expiration, but actually the user account) in this domain?

          scottalanmiller

          It can't be user accounts. All users, hundreds of them, all stopped working at the same time.

            DustinB3403

            From Microsoft


            Clients’ credentials have been revoked while getting initial credentials
            Application/Function: kinit
            Potential Causes and Solution: Can indicate that the user's account is locked or expired (account expired, not password expired).
            UNIX System Log File (syslog) Error Messages
            CROND[11772]: GSSAPI Error: The context has expired (No error)
            Application/Function: Message appearing in syslog related to Kerberos authentication for the LDAP authorization connection to the Active Directory server.
            Potential Cause and Solution: The Kerberos credential used to make the LDAP connection to the Active Directory server has expired and has not or could not be renewed. Confirm that the cron job to acquire the credential for the proxy/service user is correct. Confirm that the key table containing the stored key for the proxy/service user is correct. Attempt to manually acquire a credential for the proxy/service user using this command (where /etc/proxy.keytab is the key table containing the key for the proxy user and proxy/service is the name of the proxy user):
            /usr/bin/kinit -k -t /etc/proxy.keytab proxy/service
            (Only applicable to 2B open source solutions)


              DustinB3403 @DustinB3403

              @DustinB3403 said in FreeNAS Domain Failure on AD:

              From Microsoft


              Clients’ credentials have been revoked while getting initial credentials
              Application/Function: kinit
              Potential Causes and Solution: Can indicate that the user's account is locked or expired (account expired, not password expired).
              UNIX System Log File (syslog) Error Messages
              CROND[11772]: GSSAPI Error: The context has expired (No error)
              Application/Function: Message appearing in syslog related to Kerberos authentication for the LDAP authorization connection to the Active Directory server.
              Potential Cause and Solution: The Kerberos credential used to make the LDAP connection to the Active Directory server has expired and has not or could not be renewed. Confirm that the cron job to acquire the credential for the proxy/service user is correct. Confirm that the key table containing the stored key for the proxy/service user is correct. Attempt to manually acquire a credential for the proxy/service user using this command (where /etc/proxy.keytab is the key table containing the key for the proxy user and proxy/service is the name of the proxy user):
              /usr/bin/kinit -k -t /etc/proxy.keytab proxy/service
              (Only applicable to 2B open source solutions)


              So did someone update the domain account used in FreeNAS with a new password?

                scottalanmiller @DustinB3403

                @DustinB3403 said in FreeNAS Domain Failure on AD:

                @DustinB3403 said in FreeNAS Domain Failure on AD:

                From Microsoft


                Clients’ credentials have been revoked while getting initial credentials
                Application/Function: kinit
                Potential Causes and Solution: Can indicate that the user's account is locked or expired (account expired, not password expired).
                UNIX System Log File (syslog) Error Messages
                CROND[11772]: GSSAPI Error: The context has expired (No error)
                Application/Function: Message appearing in syslog related to Kerberos authentication for the LDAP authorization connection to the Active Directory server.
                Potential Cause and Solution: The Kerberos credential used to make the LDAP connection to the Active Directory server has expired and has not or could not be renewed. Confirm that the cron job to acquire the credential for the proxy/service user is correct. Confirm that the key table containing the stored key for the proxy/service user is correct. Attempt to manually acquire a credential for the proxy/service user using this command (where /etc/proxy.keytab is the key table containing the key for the proxy user and proxy/service is the name of the proxy user):
                /usr/bin/kinit -k -t /etc/proxy.keytab proxy/service
                (Only applicable to 2B open source solutions)


                So did someone update the domain account used in FreeNAS with a new password?

                Seems unlikely since it was just joined in the middle of testing. How could that be? That would have made sense for the initial problem. But not now, right?

                  DustinB3403 @scottalanmiller

                  @scottalanmiller While you can join a system to a domain using any domain admin credentials, within FreeNAS you have a field to set the credentials to use for domain functions.

                  Can you confirm those credentials? Domain Account Name and Domain Account Password

                  https://doc.freenas.org/9.3/freenas_directoryservice.html

                  Edit: of course, I assume the join and removal is all taking place from within FreeNAS.... so ignore me....

                    scottalanmiller

                    Interesting, makes sense. Okay, checking on that.

                      scottalanmiller

                      It's the keytab user you are thinking of?

                        DustinB3403 @scottalanmiller

                        @scottalanmiller said in FreeNAS Domain Failure on AD:

                        It's the keytab user you are thinking of?

                        It's been a while, the domain username and password get stored in a few fields. I believe keytab is the record to check.

                          DustinB3403

                          @scottalanmiller any update?

                            momurda @scottalanmiller

                            @scottalanmiller said in FreeNAS Domain Failure on AD:

                            Found this. Repeats a lot, but the first one seems to be from when the problem started:

                            [2017/02/09 15:15:44.578796,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
                              Kinit for [email protected] to access cifs/[email protected] failed: Clients credentials have been revoked
                            

                            So it was working, for how long? 30 days?
                            To me this sounds as if the computer password between FreeNAS and AD can't be updated.
                            Like the old one is still on FreeNAS, even after removing/rejoining, so the servers are unable to do an exchange.

                            Throwing this out there:
                            How many IPs on this server? Did someone add a cname for this server in DNS?
                            Are you using port 389 or 636? Did someone change this?

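A small detector for the Samba log pattern quoted above, added here as an example (not code from the thread, FreeNAS or Samba): it pairs each Samba header line with the message line under it, pulls out the kinit failures, and reports the earliest "credentials have been revoked" entry plus a count per reason, so the first occurrence stands out from the repeats. The realm, principals and host names in the sample log are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# A Samba log entry is a header "[YYYY/MM/DD HH:MM:SS.ffffff, LEVEL] file.c:LINE(func)" followed by an indented message line.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]")
KINIT_RE = re.compile(r"Kinit for (\S+) to access (\S+) failed: (.+?)\s*$")

@dataclass
class KinitFailure:
    when: datetime
    principal: str  # who asked for the ticket (the machine account, e.g. FREENAS$)
    target: str     # service principal requested (cifs/<dc>)
    reason: str     # KDC error text

def parse_samba_log(text: str) -> List[KinitFailure]:
    # Pair each header line with the message line(s) that follow it.
    failures: List[KinitFailure] = []
    when = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            continue
        k = KINIT_RE.search(line)
        if when and k:
            failures.append(KinitFailure(when, k.group(1), k.group(2), k.group(3)))
    return failures

def first_failure(failures: List[KinitFailure], reason: str) -> Optional[KinitFailure]:
    # Earliest entry whose reason contains `reason`: when the trust actually broke, not the latest repeat.
    hits = [f for f in failures if reason.lower() in f.reason.lower()]
    return min(hits, key=lambda f: f.when) if hits else None

def count_by_reason(failures: List[KinitFailure]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in failures:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts

# Constructed sample in the thread's log format; realm, principals and host names are invented.
SAMPLE_LOG = """\
[2017/02/09 15:15:44.578796,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
  Kinit for FREENAS$@EXAMPLE.LOCAL to access cifs/dc01.example.local@EXAMPLE.LOCAL failed: Clients credentials have been revoked
[2017/02/09 15:16:02.001200,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
  Kinit for FREENAS$@EXAMPLE.LOCAL to access cifs/dc02.example.local@EXAMPLE.LOCAL failed: Preauthentication failed
[2017/02/09 15:20:10.112233,  0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send)
  Kinit for FREENAS$@EXAMPLE.LOCAL to access cifs/dc01.example.local@EXAMPLE.LOCAL failed: Clients credentials have been revoked
"""
```

Run `first_failure(parse_samba_log(SAMPLE_LOG), "credentials have been revoked")` against a real `log.smbd` to get the timestamp of the first revoked-credential entry, which is the moment to line up against AD changes.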
                              scottalanmiller @DustinB3403

                              @DustinB3403 said in FreeNAS Domain Failure on AD:

                              @scottalanmiller any update?

                              Looks like it is fixed. Awaiting details.

                                DustinB3403

                                @scottalanmiller any news yet?

                                  scottalanmiller @DustinB3403

                                  @DustinB3403 said in FreeNAS Domain Failure on AD:

                                  @scottalanmiller any news yet?

                                  Nope
