Host Is Not Configured As A Member Server : Samba Joining Windows 2003 Ad

+access +cache +disk +nfs +shares +smb +subdoer +supermicro +webdav +zilstat 10GB 11.1-U6 winbindd 11.1-u6 11.2 11.2-RC1 11.2-RC2 11.2-RELEASE 11.2-U1 11.2-u2 2.93 75648 9.2.1.9. Active Directory access accessibility acl acpi shutdown ad afp afs

I have 9.2.7 running fine in my environment. Loaded 9.3 Stable and lost conductivity to my domain. Saw several bugs on this issue, so I updated to the latest stable version and tried again. I can ping domain server. Added windows shares and enabled cifs. I can see the server and view share via windows, but can"t authenticate. Trying to load active directory service fails to start. I"m in mixed 2003/2008 mode and changed the gp info accordingly with no help. I followed the troubleshooting info and can see the srv records for the domain controllers. I tried the manual commands at the bottom and receive the error below.

You are watching: Host is not configured as a member server

FreeNAS-9.3-STABLE-201412312006

Welcome to FreeNASfreenas> ~# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;" freenas> ~# echo $?0freenas> ~# service ix-kerberos startfreenas> ~# service ix-nsswitch startfreenas> ~# service ix-kinit startfreenas> ~# service ix-kinit statusfreenas> ~# klistCredentials cache: FILE:/tmp/krb5cc_0 Principal: tsradmin
BENSON-FAMILY.LOCAL

Issued Expires PrincipalJan 5 15:24:57 Jan 6 01:24:57 krbtgt/BENSON-FAMILY.LOCAL
BENSON-FAMILY.LOCALfreenas> ~# python /usr/local/www/freenasUI/middleware/notifier.py start cifsTruefreenas> ~# service ix-activedirectory startFalseFailed to leave domain: Unable to fetch domain sid: are we joined?winbindd not running? (check /var/run/samba/winbindd.pid).smbd not running? (check /var/run/samba/smbd.pid).nmbd not running? (check /var/run/samba/nmbd.pid).freenas> ~# service ix-activedirectory statusfreenas> ~# echo $?1freenas> ~# python /usr/local/www/freenasUI/middleware/notifier.py restart cifsFalsefreenas> ~# service ix-pam startfreenas> ~# service ix-cache start &<1> 10338Any help on this situation would be appreciated.

History

Updated by Jordan Hubbard over 6 years earlier Category set to 36 Assignee set to John Hixson Target version set to Unmentioned
#2

Updated by John Hixson over 6 years back Status changed from Unscreened to Screened
#3

Updated by Stephen Benson over 6 years back

#4

Updated by John Hixson over 6 years earlier Status changed from Screened to 15

Can you try to enable AD from the UI, then attach /var/log/messages and /var/log/debug.log to this ticket please?

Updated by Stephen Benson over 6 years ago File debug.log added File messages included

Attached are log files you requested.

Updated by John Hixson over 6 years earlier

Stephen Benson wrote:

Attached are log files you requested.

It"s failing at ix-activedirectory. Can you modify /etc/ix.rc.d/ix-activedirectory to have "set -x" at the top? (right after #!/bin/sh). Afterwards, run this from the command line:

sh /etc/directoryservice/ActiveDirectory/ctl start

Post the results to this ticket.

Updated by Stephen Benson over 6 years earlier File test.log added

Attached is the file with the output from above command.

Updated by John Hixson over 6 years back

Stephen Benson wrote:

Attached is the file with the output from above command.

The join is timing out. Can you bump up the timeout values in your AD config? try setting them at 60 and let me know if that fixes this.

Updated by Stephen Benson over 6 years back File test.log included

Looks like same result with 60 sec. timeout.

#10

Updated by John Hixson over 6 years earlier

Stephen Benson wrote:

Looks like same result with 60 sec. timeout.

The file you"ve attached is still set to 10 seconds. Can you verify that both "AD timeout" and "DNS timeout" in your Active Directory configuration are set to 60?

#11

Updated by John Hixson over 6 years ago

John Hixson wrote:

Stephen Benson wrote:

Looks like same result with 60 sec. timeout.

The file you"ve attached is still set to 10 seconds. Can you verify that both "AD timeout" and "DNS timeout" in your Active Directory configuration are set to 60?

And just in case, crank these up to 60, then click "Save" but without "enable" being clicked. Once it saves, then try and click "enable" and "save".

#12

Updated by Stephen Benson over 6 years earlier File test.log included

According to the gui it shows 60 for each. Here"s the output again.

#13

Updated by Stephen Benson over 6 years earlier

I have left site name blank in the advanced settings, could these be looking for a site name? I have a home domain setup using default-first-site-name in AD Sites and Services. Also don"t have a Kerberos Keytab set in advanced. Just checking other configs, in 9.2.1.7 I use the basic setup and everything clicks just fine.

#14

Updated by John Hixson over 6 years earlier

Stephen Benson wrote:

What the file shows is still 10 seconds. Can you run this from the command line and post the output to this ticket please?

sqlite3 /data/freenas-v1.db "select ad_timeout, ad_dns_timeout from directoryservice_activedirectory;"

#15

Updated by Stephen Benson over 6 years ago

Comes back 60|60

#16

Updated by John Hixson over 6 years back

Stephen Benson wrote:

Comes back 60|60

Can you attach /etc/directoryservice/ActiveDirectory/config to this ticket?

#17

Updated by Stephen Benson over 6 years back

Config is empty - 0B when opened in notepad.

#18

Updated by John Hixson over 6 years ago

Stephen Benson wrote:

Config is empty - 0B when opened in notepad.

Do this from the command line:

adtool get config_file

Post output to this ticket please.

#19

Updated by Stephen Benson over 6 years ago

ad_bindname=tsradminad_domainname=benson-family.localad_netbiosname=BENSON-FAMILYad_basedn=DC=benson-family,DC=localad_binddn=tsradmin
BENSON-FAMILY.LOCALad_site=ad_dcname=tsr-dc8r2.benson-family.localad_dchost=tsr-dc8r2.benson-family.localad_dcport=389ad_gcname=tsr-dc8r2.benson-family.localad_gchost=tsr-dc8r2.benson-family.localad_gcport=3268ad_krbname=tsr-dc8r2.benson-family.local:88ad_krbhost=tsr-dc8r2.benson-family.localad_krbport=88ad_kpwdname=tsr-dc8r2.benson-family.local:464ad_kpwdhost=tsr-dc8r2.benson-family.localad_kpwdport=464ad_krb_realm=BENSON-FAMILY.LOCALad_krb_kdc=tsr-dc8r2.benson-family.localad_krb_admin_server=tsr-dc8r2.benson-family.localad_krb_kpasswd_server=tsr-dc8r2.benson-family.localad_keytab_name=ad_keytab_principal=ad_keytab_file=ad_timeout=60ad_dns_timeout=60ad_ssl=offad_unix_extensions=0

#20

Updated by John Hixson over 6 years ago

Stephen Benson wrote:

Okay. Everything looks good. Can you do this:

rm -f /etc/directoryservice/ActiveDirectory/configsh /etc/directoryservice/ActiveDirectory/ctl stopsh /etc/directoryservice/ActiveDirectory/ctl start

Post the results here

ad_gcname=tsr-dc8r2.benson-family.localad_gchost=tsr-dc8r2.benson-family.localad_gcport=3268ad_krbname=tsr-dc8r2.benson-family.local:88ad_krbhost=tsr-dc8r2.benson-family.localad_krbport=88ad_kpwdname=tsr-dc8r2.benson-family.local:464ad_kpwdhost=tsr-dc8r2.benson-family.localad_kpwdport=464ad_krb_realm=BENSON-FAMILY.LOCALad_krb_kdc=tsr-dc8r2.benson-family.localad_krb_admin_server=tsr-dc8r2.benson-family.localad_krb_kpasswd_server=tsr-dc8r2.benson-family.localad_keytab_name=ad_keytab_principal=ad_keytab_file=ad_timeout=60ad_dns_timeout=60ad_ssl=offad_unix_extensions=0

#21

Updated by Stephen Benson over 6 years ago File start.log added File stop.log added

Attached logs for each command

#22

Updated by John Hixson over 6 years earlier

Stephen Benson wrote:

Attached logs for each command

Even at 60 seconds, it"s timing out. More commands for you to run ;-)

sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1" service ix-kerberos startservice ix-nsswitch startservice ix-kinit startklist # you should have a kerberos ticket granting ticket

/usr/local/bin/net -k ads join benson-family.local -S tsr-dc8r2.benson-family.local -p 389echo $? # this should be 0

I"m curious what the net ads join does. That appears to be where things are failing here.

#23

Updated by Stephen Benson over 6 years earlier

freenas> /# service ix-kerberos startfreenas> /# service ix-nsswitch startfreenas> /# service ix-kinit startfreenas> /# klistCredentials cache: FILE:/tmp/krb5cc_0 Principal: tsradmin
BENSON-FAMILY.LOCAL

Issued Expires PrincipalJan 7 22:36:40 Jan 8 08:36:40 krbtgt/BENSON-FAMILY.LOCAL
BENSON-FAMILY.LOCALfreenas> /# /usr/local/bin/net -k ads join benson-family.local -S tsr-dc8r2.benson-family.local -p 389Host is not configured as a member server.Invalid configuration. Exiting....Failed to join domain: This operation is only allowed for the PDC of the domain.freenas> /#
#24

Updated by John Hixson over 6 years ago
Stephen Benson wrote:

I goofed. Run these commands again:sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1" service ix-kerberos startservice ix-nsswitch startservice ix-kinit startklist # you should have a kerberos ticket granting ticket

service ix-pre-samba start

/usr/local/bin/net -k ads join benson-family.local -S tsr-dc8r2.benson-family.local -p 389echo $? # this should be 0

#25

Updated by Stephen Benson over 6 years ago

Worked this time..freenas> /# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1" freenas> /# service ix-kerberos startfreenas> /# service ix-nsswitch startfreenas> /# service ix-kinit startfreenas> /# klistCredentials cache: FILE:/tmp/krb5cc_0 Principal: tsradmin
BENSON-FAMILY.LOCAL

Issued Expires PrincipalJan 7 22:36:40 Jan 8 08:36:40 krbtgt/BENSON-FAMILY.LOCAL
BENSON-FAMILY.LOCALfreenas> /# service ix-pre-samba startfreenas> /# /usr/local/bin/net k ads join benson-family.local -S tsr-dc8r2.benson-family.local -p 389Using short domain name - BENSON-FAMILYJoined "FREENAS" to dns domain "benson-family.local"freenas> /# echo $?0freenas> /#
#26

Updated by John Hixson over 6 years ago
Stephen Benson wrote:

If it"s working from the command line, it should be working from the UI. Can you try from the UI now? Before doing so, run this from the command line:

sh /etc/directoryservice/ActiveDirectory/ctl stop

Let me know if it works from the UI

#27

Updated by Stephen Benson over 6 years ago

Thanks John. Worked from UI as well. wbinfo -u gets usernames fine as well. All go now.

Did you find anything specific that was to blame or was it user error on my side?

I am on a test VM doing this bug fixing and I"m looking at upgrading my home server, but want to make sure it will work before I do. I tried 9.3 Stable on that server last week, as I had a drive issue, but had same problem joining.

Thanks again.

#28

Updated by John Hixson over 6 years ago

Stephen Benson wrote:

Thanks John. Worked from UI as well. wbinfo -u gets usernames fine as well. All go now.

Did you find anything specific that was to blame or was it user error on my side?

The only thing that I saw was the join timing out. Once you bumped up the timeout to 60 seconds, it makes everything work ;-)

What problems? Was it the same issue? Have you tried to bump up the timeouts to 60 seconds on that as well ?

Thanks again.

#29

Updated by Stephen Benson over 6 years back

Yes I had the same issue on my production machine, reverted back to 9.2.1.7 on that. I will start a fresh vm and try again to duplicate with timeouts at 10 using basic UI settings. If it fails to start I will bump up time outs and see if it fixes it.

Thanks again for the time.

#30

Updated by John Hixson over 6 years ago Status changed from 15 to Refixed

Stephen Benson wrote:

Thanks again for the time.

See more: Palace Interior La Casa De Las Cortinas, Window Treatment Services In Florida

No problem. Since this was a timeout issue, I"m closing this ticket out. If you have any new issues please open a new ticket ;-).

#31

Updated by Kris Moore about 5 years earlier Target version changed from Unspecified to N/A
#32

Updated by Dru Lavigne almost 4 years ago File deleted (messages)
#33

Updated by Dru Lavigne almost 4 years back File deleted (debug.log)
#34

Updated by Dru Lavigne almost 4 years earlier File deleted (test.log)
#35

Updated by Dru Lavigne almost 4 years earlier File deleted (test.log)
#36

Updated by Dru Lavigne almost 4 years ago File deleted (test.log)
#37

Updated by Dru Lavigne almost 4 years earlier File deleted (stop.log)
#38

Updated by Dru Lavigne almost 4 years back File deleted (start.log)

Also available in: Atom PDF

22/09/2021

Host is not configured as a member server

History