Active Directory, Didn't find the ldap server!

NethServer Version: 8
Module: your_module

Hi,
I’m struggling with this one…

For testing purposes I installed NS 8 and TrueNAS Scale on Proxmox.
On NS8 I set up a DC with AD (Samba) according to
https://docs.nethserver.org/projects/ns8/en/latest/user_domains.html

Now I try to connect TrueNAS Scale to the AD, but I get the error

[2024/11/27 13:22:48] (WARNING) ActiveDirectoryService.ipaddresses_to_register():111 - Reverse lookup of fd0b:59a:8dc2:0:be24:11ff:fef3:7c35 failed, omitting from list of addresses to use for Active Directory purposes.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/dns.py", line 87, in ipaddresses_to_register
    result = await self.middleware.call('dnsclient.reverse_lookup', {
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1626, in call
    return await self._call(
           ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1457, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 179, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 49, in nf
    res = await f(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/dns_client.py", line 214, in reverse_lookup
    results = await asyncio.gather(*[
              ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/dns_client.py", line 35, in resolve_name
    ans = await r.resolve_address(
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dns/asyncresolver.py", line 152, in resolve_address
    return await self.resolve(
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dns/asyncresolver.py", line 120, in resolve
    (answer, done) = resolution.query_result(response, None)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 768, in query_result
    raise NoAnswer(response=answer.response)
dns.resolver.NoAnswer: The DNS response does not contain an answer to the question: 5.3.c.7.3.f.e.f.f.f.1.1.4.2.e.b.0.0.0.0.2.c.d.8.a.9.5.0.b.0.d.f.ip6.arpa. IN PTR

[2024/11/27 13:23:01] (ERROR) middlewared.job.run():503 - Job <bound method accepts.<locals>.wrap.<locals>.nf of <middlewared.plugins.activedirectory.ActiveDirectoryService object at 0x7f4bf7e7bbd0>> failed
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 418, in do_update
    domain_info = await self.domain_info(new['domainname'])
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 179, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 49, in nf
    res = await f(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 722, in domain_info
    raise CallError(netads.stderr.decode())
middlewared.service_exception.CallError: [EFAULT] ads_connect: No logon servers are currently available to service the logon request.
Didn't find the ldap server!

I suspected an issue with DNS, but TrueNAS can reach the AD and the AD can reach TrueNAS (checked with ping <mydomain.de>).

I have no idea where to start figuring this one out.

Regards Pete

Hi @Pete

You’re probably running into the issue of the AD details needed - which are NOT shown in the Web-GUI of NS8 anywhere.

See my post here about this:

I had similar issues joining an OpenMediaVault to the AD of NS8.

I joined a simple Win10 VM I had set up to administrate the AD, installed RSAT AD Tools, DNS and Group Policies, and checked the DC and DNS names for AD.

These names worked. Often you will see something like NSDC-xxxx-xxxxx or DC1.
These Hostnames are not visible in the AD GUI of NS8.

Maybe this info helps!

In any case:

  • Set the NTP of your TrueNAS server to point to your AD, using the full name of the AD DC as shown in the AD RSAT tools.
  • Set the DNS of your TrueNAS to point to your AD.
  • Having not only the ad.domain.tld entry, but also the full hostname / fqdn of the AD host in DNS helps.
  • On your TrueNAS: Set Hostname as the short (max. 15 characters) NetBIOS name in caps.
  • On your TrueNAS: Set domain as the full ad name in small caps.
  • On your TrueNAS: Set static IP and DNS (your ad)

Edit krb5.conf

nano /etc/krb5.conf

Delete everything and paste this (adapt as needed):

[libdefaults]
default_realm = HOMELAB.PRIV


[realms]
HOMELAB.PRIV = {
kdc = DC0.HOMELAB.PRIV
default_domain = HOMELAB.PRIV
}


[domain_realm]
.homelab.priv = HOMELAB.PRIV
homelab.priv = HOMELAB.PRIV

Edit samba config

netbios name = OMV
realm = HOMELAB.PRIV
server string =
security = ads
encrypt passwords = yes
preferred master = False
local master = No
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
client use spnego = yes

Edit nsswitch.conf

Just change the following to show as below:

passwd:         files winbind
group:          files winbind
shadow:         files winbind

Then join the AD, reboot and check!

Note:
As always: make a backup and double check!
The above worked for me with OpenMediaVault - and should work with TrueNAS (Depending on Core or Scale some tweaking might be needed…)
On OMV I additionally needed the following:

apt install -y krb5-config krb5-user winbind libnss-winbind libpam-winbind

Good Luck!

My 2 cents
Andy

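The checklist above (short upper-case NetBIOS name, upper-case realm, lower-case domain, a krb5.conf pointing at the DC) is easy to get subtly wrong, and the join then fails with an unhelpful error. Here is an added example, written for this thread and not code from NethServer, TrueNAS or OMV, that validates those member-server settings before a join and renders the krb5.conf from the post from them. The function names and the wording of the findings are my own; the rules encoded are the general ones (a NetBIOS name is at most 15 characters, Kerberos realms are case-sensitive and conventionally upper-case):

```python
"""Pre-join sanity check for a Samba/TrueNAS/OMV domain member.

Added example for this thread (not project code). Function names and the
finding texts are assumptions; the rules are the general NetBIOS/Kerberos ones.
"""
import re

NETBIOS_MAX_LEN = 15
# Characters that are not allowed in a NetBIOS computer name.
_NETBIOS_BAD = re.compile(r'[\\/:*?"<>|+=,;\[\] ]')


def check_member_settings(netbios_name: str, realm: str, domain: str, kdc: str) -> list[str]:
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    if len(netbios_name) > NETBIOS_MAX_LEN:
        findings.append(f"netbios name {netbios_name!r} is longer than {NETBIOS_MAX_LEN} characters")
    if _NETBIOS_BAD.search(netbios_name):
        findings.append(f"netbios name {netbios_name!r} contains characters not allowed in NetBIOS names")
    if netbios_name != netbios_name.upper():
        findings.append(f"netbios name {netbios_name!r} should be upper-case")
    if realm != realm.upper():
        findings.append(f"realm {realm!r} should be upper-case (Kerberos realms are case-sensitive)")
    if domain != domain.lower():
        findings.append(f"domain {domain!r} should be lower-case")
    if realm.lower() != domain.lower():
        findings.append(f"realm {realm!r} and domain {domain!r} do not name the same AD domain")
    # The KDC must be the DC's full DNS name inside the AD domain (e.g. dc1.ad.example.tld),
    # not the bare domain name and not a host outside it.
    if not kdc.lower().endswith("." + domain.lower()):
        findings.append(f"kdc {kdc!r} is not a host inside {domain!r}")
    return findings


def render_krb5_conf(realm: str, kdc: str) -> str:
    """Render the krb5.conf layout from the post above for one realm and one KDC."""
    domain = realm.lower()
    return (
        "[libdefaults]\n"
        f"default_realm = {realm}\n"
        "\n"
        "[realms]\n"
        f"{realm} = {{\n"
        f"kdc = {kdc}\n"
        f"default_domain = {realm}\n"
        "}\n"
        "\n"
        "[domain_realm]\n"
        f".{domain} = {realm}\n"
        f"{domain} = {realm}\n"
    )


if __name__ == "__main__":
    # Constructed sample values; replace with your own.
    for finding in check_member_settings("truenas-scale-01", "ad.example.tld", "AD.EXAMPLE.TLD", "dc1.ad.example.tld"):
        print("FAIL:", finding)
    print(render_krb5_conf("AD.EXAMPLE.TLD", "dc1.ad.example.tld"))
```

Run it before touching the real files: if `check_member_settings` returns anything, fix the names first; only then write the rendered krb5.conf to /etc/krb5.conf.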

Hi Andy, thanks a lot for your reply.

Ok, I will set up a Windows VM to install the RSAT AD Tools to check the hostnames out.

To make sure that I get you right, some questions:

Do you mean the NTP-Timeserver of TrueNAS should point to the AD?

TrueNAS is configured to use the AD as Nameserver (nameserver1:IPofAD). Should I set the hostname/fqdn as second nameserver?

As DNS I have Unbound running on opnsense, there I entered ad.mydomain.tld. I should set the hostname/fqdn which I have to figure out with the RSAT AD Tools, right?

I’ll try with Uppercase/Lowercase

TrueNAS has a static IP. The IP of the AD is set as a nameserver in the network settings.

Regards Pete


Hi @Pete

I’m a well known Proxmox and also a very longtime OPNsense user on this platform / forum.

To all your questions above: yes.

NTP is more critical than one thinks, especially as AD uses Kerberos.

DNS: IP is usually sufficient.
Using AD, I usually make an entry for most stuff

This should look familiar, Unbound in the latest OPNsense version in Dark Mode with Rebellion Theme… :slight_smile:

Note also the CNAMEs…


Hope this helps!

My 2 cents
Andy

RSAT on Win10


Is AD DNS really working? Check out Setting up Samba as a Domain Member - SambaWiki for DNS testing.

From the logs you posted it’s complaining about missing reverse DNS, but there’s no reverse zone in Samba by default; see Setting up Samba as a Domain Member - SambaWiki for how to configure a reverse zone.

It’s about missing IPv6 reverse DNS so maybe it’s possible to disable IPv6 in TrueNAS?

If you want to use your firewall as DNS server, it’s possible to set up DNS conditional forwarding so all queries to the AD domain will be sent to the NS8 DNS.

Here is the documentation for OPNsense or as example for NethSec.

This way client devices will get correct responses from AD DNS without needing an A record for the AD on the firewall.

AFAIK dc1 is the default value for new instances, you can define it when creating the file server in the web UI.
The “NSDC-xxxx” is from migrated NS7.

It’s possible to get the Samba DC hostname using the following command.
You may need to replace “samba1” with your samba instance name.

runagent -m samba1 podman exec samba-dc hostname

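The reverse-zone advice above has one trap: the zone passed to `samba-tool dns zonecreate` must actually cover the subnet the PTR records belong to, and for IPv6 the zone name is a string of reversed nibbles that is easy to mistype. The following is an added example for this thread (not Samba, NethServer or TrueNAS code; the function names are mine) that computes the PTR owner name for an address, the reverse zone name for a network, and whether a given zone covers an address. It only builds names and does no DNS queries, so it runs offline; it handles both IPv4 and IPv6, which goes a little beyond the IPv4 zone shown in the thread:

```python
"""Reverse-DNS name helpers for Samba AD zone creation (added example, not project code)."""
import ipaddress


def ptr_name(address: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address.

    For the IPv6 address in the first log of this thread the result is exactly
    the ip6.arpa name the TrueNAS middleware asked for.
    """
    return ipaddress.ip_address(address).reverse_pointer


def reverse_zone(network: str) -> str:
    """Name of the reverse zone that holds the PTR records for `network`.

    IPv4 reverse zones are cut at octet boundaries and IPv6 zones at nibble
    boundaries, so the prefix length must be a multiple of 8 (IPv4) or 4 (IPv6).
    """
    net = ipaddress.ip_network(network, strict=True)
    label_bits = 8 if net.version == 4 else 4
    if net.prefixlen % label_bits:
        raise ValueError(f"{network}: prefix length must be a multiple of {label_bits}")
    labels = net.network_address.reverse_pointer.split(".")
    total = 32 // 8 if net.version == 4 else 128 // 4   # address labels before in-addr/ip6.arpa
    drop = total - net.prefixlen // label_bits           # host-part labels to cut off
    return ".".join(labels[drop:])


def zone_covers(zone: str, address: str) -> bool:
    """True if the PTR record for `address` would live inside reverse zone `zone`."""
    return ptr_name(address).endswith("." + zone.rstrip(".").lower())


def zone_for_samba(address: str, prefixlen: int) -> str:
    """Zone argument for `samba-tool dns zonecreate` for the subnet containing `address`."""
    net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
    return reverse_zone(str(net))


if __name__ == "__main__":
    # Constructed sample: a DC at 192.168.1.10 on a /24, as in the thread.
    dc = "192.168.1.10"
    zone = zone_for_samba(dc, 24)
    print(f"samba-tool dns zonecreate <dc-fqdn> {zone} -U administrator")
    print(f"PTR for {dc}: {ptr_name(dc)} (covered by {zone}: {zone_covers(zone, dc)})")
    print("PTR for the IPv6 address from the log:", ptr_name("fd0b:59a:8dc2:0:be24:11ff:fef3:7c35"))
```

A quick way to use it: run `zone_covers(<zone you created>, <IP of the member>)` before blaming DNS; if it is False, the PTR record can never be found in that zone, however the forwarders are set up.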

I think I’m a step further… what I did:

For info:
DC: 192.168.1.10
DNS (my opnsense): 192.168.1.1

dc1.ad.mydomain.de

nslookup 192.168.1.10
10.1.168.192.in-addr.arpa      name = ad.mydomain.de.
10.1.168.192.in-addr.arpa      name = ns.mydomain.de.
10.1.168.192.in-addr.arpa      name = dc1.mydomain.de.
nslookup 192.168.64.10
10.1.168.192.in-addr.arpa      name = ad.mydomain.de.
10.1.168.192.in-addr.arpa      name = ns.mydomain.de.
10.1.168.192.in-addr.arpa      name = dc1.mydomain.de.

So far it looks ok

I created a reverse zone with this command

samba-tool dns zonecreate dc1.mydomain.de 168.192.in-addr.arpa -U mysambadmin
Password for [WORKGROUP\mysambadmin]:
Zone 168.192.in-addr.arpa created successfully

Then I tried to connect and got this message

 
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 488, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 533, in __run_body
    rv = await self.method(*args)
         ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 179, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 49, in nf
    res = await f(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 576, in do_update
    raise e
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 565, in do_update
    await self.__start(job)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 607, in __start
    join_resp = await job.wrap(await self.middleware.call(
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 692, in wrap
    return await subjob.wait(raise_error=True)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 436, in wait
    raise self.exc_info[1]
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 488, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 535, in __run_body
    rv = await self.middleware.run_in_thread(self.method, *args)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1364, in run_in_thread
    return await self.run_in_executor(io_thread_pool_executor, method, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1361, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/utils/directoryservices/krb5.py", line 331, in check_ticket
    return fn(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/directoryservices_/join.py", line 244, in join_domain
    do_join_fn(job, ds_type, domain)
  File "/usr/lib/python3/dist-packages/middlewared/utils/directoryservices/krb5.py", line 331, in check_ticket
    return fn(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/directoryservices_/activedirectory_join_mixin.py", line 359, in _ad_join
    self._ad_join_impl(job, ad_config)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/directoryservices_/activedirectory_join_mixin.py", line 285, in _ad_join_impl
    raise CallError(err_msg)
middlewared.service_exception.CallError: [EFAULT]  Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
  auth_audit: 5
  auth_json_audit: 5
  kerberos: 5
  drs_repl: 5
  smb2: 5
  smb2_credits: 5
  dsdb_audit: 5
  dsdb_json_audit: 5
  dsdb_password_audit: 5
  dsdb_password_json_audit: 5
  dsdb_transaction_audit: 5
  dsdb_transaction_json_audit: 5
  dsdb_group_audit: 5
  dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter disable spoolss = True
doing parameter dns proxy = False
doing parameter load printers = False
doing parameter max log size = 5120
doing parameter printcap = /dev/null
doing parameter bind interfaces only = True
doing parameter fruit:nfs_aces = False
doing parameter fruit:zero_file_id = False
doing parameter restrict anonymous = 2
doing parameter winbind request timeout = 60
doing parameter passdb backend = tdbsam:/var/run/samba-cache/private/passdb.tdb
doing parameter workgroup = mydomain
doing parameter netbios name = TNAS
doing parameter netbios aliases =
doing parameter guest account = nobody
doing parameter obey pam restrictions = False
doing parameter create mask = 0664
doing parameter directory mask = 0775
doing parameter ntlm auth = False
doing parameter server multichannel support = False
doing parameter unix charset = UTF-8
doing parameter local master = False
doing parameter server string = TrueNAS Server
doing parameter log level = 1
doing parameter logging = file
doing parameter server smb encrypt = default
doing parameter server role = member server
doing parameter kerberos method = secrets and keytab
doing parameter security = ADS
doing parameter domain master = False
doing parameter preferred master = False
doing parameter winbind cache time = 7200
doing parameter winbind max domain connections = 10
doing parameter winbind use default domain = False
doing parameter client ldap sasl wrapping = seal
doing parameter template shell = /bin/sh
doing parameter allow trusted domains = False
doing parameter realm = AD.mydomain.DE
doing parameter ads dns update = False
Unknown parameter encountered: "ads dns update"
Ignoring unknown parameter "ads dns update"
doing parameter winbind nss info = template
doing parameter template homedir = /var/empty
doing parameter winbind enum users = True
doing parameter winbind enum groups = True
doing parameter idmap config mydomain : backend = rid
doing parameter idmap config mydomain : range = 100000001 - 200000000
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 90000001 - 100000000
doing parameter registry shares = True
doing parameter include = registry
doing parameter registry shares = yes
process_registry_service: service name global
pm_process() returned Yes
added interface enp6s18 ip=fd0b:59a:8dc2:0:be24:11ff:fef3:7c35 bcast= netmask=ffff:ffff:ffff:ffff::
added interface enp6s18 ip=fdb3:74c4:a1c6:0:be24:11ff:fef3:7c35 bcast= netmask=ffff:ffff:ffff:ffff::
added interface enp6s18 ip=192.168.1.18 bcast=192.168.1.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=(nil)
register_msg_pool_usage: Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Registering messaging pointer for type 51 - private_data=(nil)
added interface enp6s18 ip=fd0b:59a:8dc2:0:be24:11ff:fef3:7c35 bcast= netmask=ffff:ffff:ffff:ffff::
added interface enp6s18 ip=fdb3:74c4:a1c6:0:be24:11ff:fef3:7c35 bcast= netmask=ffff:ffff:ffff:ffff::
added interface enp6s18 ip=192.168.1.18 bcast=192.168.1.255 netmask=255.255.255.0
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'TNAS'
            domain_name              : *
                domain_name              : 'AD.mydomain.DE'
            domain_name_type         : JoinDomNameTypeDNS (1)
            account_ou               : NULL
            admin_account            : 'smbadmin'
            admin_domain             : NULL
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            os_servicepack           : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            dnshostname              : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x01 (1)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
            desired_encryption_types : 0x0000001c (28)
            provision_computer_account_only: 0x00 (0)
            odj_provision_data       : NULL
            request_offline_join     : 0x00 (0)
Opening cache file at /var/run/samba-lock/gencache.tdb
sitename_fetch: Returning sitename for realm 'AD.mydomain.DE': "Default-First-Site-Name"
dns_rr_srv_fill_done: async DNS A lookup for dc1.ad.mydomain.de [0] got dc1.ad.mydomain.de -> 192.168.1.10
dns_rr_srv_fill_done: async DNS AAAA lookup for dc1.ad.mydomain.de returned 0 addresses.
saf_fetch: Returning "dc1.ad.mydomain.de" for "AD.mydomain.DE" domain
get_dc_list: preferred server list: "dc1.ad.mydomain.de, *"
resolve_ads: Attempting to resolve KDCs for AD.mydomain.DE using DNS
dns_rr_srv_fill_done: async DNS A lookup for dc1.ad.mydomain.de [0] got dc1.ad.mydomain.de -> 192.168.1.10
dns_rr_srv_fill_done: async DNS AAAA lookup for dc1.ad.mydomain.de returned 0 addresses.
sitename_fetch: Returning sitename for realm 'AD.mydomain.DE': "Default-First-Site-Name"
namecache_fetch: name dc1.ad.mydomain.de#20 found.
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.1.10
saf_fetch: Returning "dc1.ad.mydomain.de" for "AD.mydomain.DE" domain
get_dc_list: preferred server list: "dc1.ad.mydomain.de, *"
resolve_ads: Attempting to resolve KDCs for AD.mydomain.DE using DNS
dns_rr_srv_fill_done: async DNS A lookup for dc1.ad.mydomain.de [0] got dc1.ad.mydomain.de -> 192.168.1.10
dns_rr_srv_fill_done: async DNS AAAA lookup for dc1.ad.mydomain.de returned 0 addresses.
sitename_fetch: Returning sitename for realm 'AD.mydomain.DE': "Default-First-Site-Name"
namecache_fetch: name dc1.ad.mydomain.de#20 found.
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.1.10
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba-lock/smb_krb5/krb5.conf._JOIN_ with realm AD.mydomain.DE KDC list:
		kdc = 192.168.1.10

sitename_fetch: Returning sitename for realm 'AD.mydomain.DE': "Default-First-Site-Name"
namecache_fetch: name dc1.ad.mydomain.de#20 found.
Connecting to 192.168.1.10 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
cli_session_setup_spnego_send: Connect to dc1.ad.mydomain.de as smbadmin@AD.mydomain.DE using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
Bind RPC Pipe: host dc1.ad.mydomain.de auth_type 0, auth_level 1
rpc_api_pipe: host dc1.ad.mydomain.de
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host dc1.ad.mydomain.de
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 32
rpc_api_pipe: host dc1.ad.mydomain.de
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 236
rpc_api_pipe: host dc1.ad.mydomain.de
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 32
signed SMB2 message (sign_algo_id=2)
saf_fetch: Returning "dc1.ad.mydomain.de" for "ad.mydomain.de" domain
get_dc_list: preferred server list: "dc1.ad.mydomain.de, *"
resolve_ads: Attempting to resolve KDCs for ad.mydomain.de using DNS
dns_rr_srv_fill_done: async DNS A lookup for dc1.ad.mydomain.de [0] got dc1.ad.mydomain.de -> 192.168.1.10
dns_rr_srv_fill_done: async DNS AAAA lookup for dc1.ad.mydomain.de returned 0 addresses.
sitename_fetch: Returning sitename for realm 'AD.mydomain.DE': "Default-First-Site-Name"
namecache_fetch: name dc1.ad.mydomain.de#20 found.
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.1.10
saf_fetch: Returning "dc1.ad.mydomain.de" for "ad.mydomain.de" domain
get_dc_list: preferred server list: "dc1.ad.mydomain.de, *"
resolve_ads: Attempting to resolve KDCs for ad.mydomain.de using DNS
dns_rr_srv_fill_done: async DNS A lookup for dc1.ad.mydomain.de [0] got dc1.ad.mydomain.de -> 192.168.1.10
dns_rr_srv_fill_done: async DNS AAAA lookup for dc1.ad.mydomain.de returned 0 addresses.
sitename_fetch: Returning sitename for realm 'AD.mydomain.DE': "Default-First-Site-Name"
namecache_fetch: name dc1.ad.mydomain.de#20 found.
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.1.10
create_local_private_krb5_conf_for_domain: wrote file /var/run/samba-lock/smb_krb5/krb5.conf.mydomain with realm AD.mydomain.DE KDC list:
		kdc = 192.168.1.10

sitename_fetch: Returning sitename for realm 'AD.mydomain.DE': "Default-First-Site-Name"
namecache_fetch: name dc1.ad.mydomain.de#20 found.
ads_try_connect: ads_try_connect: sending CLDAP request to 192.168.1.10 (realm: ad.mydomain.de)
Successfully contacted LDAP server 192.168.1.10
Connecting to 192.168.1.10 at port 389
Connected to LDAP server dc1.ad.mydomain.de
KDC time offset is 1 seconds
Found SASL mechanism GSS-SPNEGO
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
ads_gen_add: AD LDAP: Adding cn=TNAS,CN=Computers,dc=AD,dc=mydomain,dc=DE
ads_print_error: AD LDAP ERROR: 50 (Insufficient access): acl: unable to get access to CN=TNAS,CN=Computers,DC=ad,DC=mydomain,DC=de

libnet_join_precreate_machine_acct: Failed to create machine account
libnet_DomainJoin: Failed to pre-create account in OU CN=Computers,dc=AD,dc=mydomain,dc=DE: Insufficient access
signed SMB2 message (sign_algo_id=2)
Bind RPC Pipe: host dc1.ad.mydomain.de auth_type 0, auth_level 1
rpc_api_pipe: host dc1.ad.mydomain.de
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host dc1.ad.mydomain.de
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 32
rpc_api_pipe: host dc1.ad.mydomain.de
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 32
rpc_api_pipe: host dc1.ad.mydomain.de
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 40
rpc_api_pipe: host dc1.ad.mydomain.de
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 32
rpc_api_pipe: host dc1.ad.mydomain.de
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 32
signed SMB2 message (sign_algo_id=2)
signed SMB2 message (sign_algo_id=2)
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            odj_provision_data       : NULL
            account_name             : 'TNAS$'
            netbios_domain_name      : 'mydomain'
            dns_domain_name          : 'ad.mydomain.de'
            forest_name              : 'ad.mydomain.de'
            dn                       : NULL
            domain_guid              : 3c94e9a0-d8c1-46ed-bc42-7e1f402215ed
            domain_sid               : *
                domain_sid               : S-1-5-21-3826593470-3054354668-3598288492
            modified_config          : 0x00 (0)
            error_string             : 'User specified does not have administrator privileges'
            domain_is_ad             : 0x01 (1)
            set_encryption_types     : 0x00000000 (0)
            krb5_salt                : NULL
            dcinfo                   : *
                dcinfo: struct netr_DsRGetDCNameInfo
                    dc_unc                   : *
                        dc_unc                   : '\\dc1.ad.mydomain.de'
                    dc_address               : *
                        dc_address               : '\\192.168.1.10'
                    dc_address_type          : DS_ADDRESS_TYPE_INET (1)
                    domain_guid              : 3c94e9a0-d8c1-46ed-bc42-7e1f402215ed
                    domain_name              : *
                        domain_name              : 'ad.mydomain.de'
                    forest_name              : *
                        forest_name              : 'ad.mydomain.de'
                    dc_flags                 : 0xe00013fd (3758101501)
                           1: NBT_SERVER_PDC
                           1: NBT_SERVER_GC
                           1: NBT_SERVER_LDAP
                           1: NBT_SERVER_DS
                           1: NBT_SERVER_KDC
                           1: NBT_SERVER_TIMESERV
                           1: NBT_SERVER_CLOSEST
                           1: NBT_SERVER_WRITABLE
                           1: NBT_SERVER_GOOD_TIMESERV
                           0: NBT_SERVER_NDNC
                           0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
                           1: NBT_SERVER_FULL_SECRET_DOMAIN_6
                           0: NBT_SERVER_ADS_WEB_SERVICE
                           0: NBT_SERVER_DS_8
                           0: NBT_SERVER_DS_9
                           0: NBT_SERVER_DS_10
                           1: NBT_SERVER_HAS_DNS_NAME
                           1: NBT_SERVER_IS_DEFAULT_NC
                           1: NBT_SERVER_FOREST_ROOT
                    dc_site_name             : *
                        dc_site_name             : 'Default-First-Site-Name'
                    client_site_name         : *
                        client_site_name         : 'Default-First-Site-Name'
            account_rid              : 0x00000000 (0)
            result                   : WERR_ACCESS_DENIED
return code = -1
Freeing parametrics:

I think this line is relevant

'User specified does not have administrator privileges'

I’ve thought that I have to use my user shown under NS8->Domains & Users → Bind DN and Bind Password, but it doesn’t work.
I tried mysambaadmin & serveradmin as well, no success either.
Which user do I have to use for connection?
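The decisive lines in a Samba join log like the one above are buried among hundreds of debug lines. Here is an added example for this thread (not TrueNAS or Samba code; the function names and the verdict texts are mine) that scans such a log for the lines that explain a failed `net ads join`: the LDAP error, the OU the machine account could not be created in, the `error_string` and the final `result`. The sample log embedded in it is a short excerpt of the log posted above:

```python
"""Triage a Samba `net ads join` debug log (added example, not project code)."""
import re

# Excerpt of the join log posted in this thread (sample input for the demo).
SAMPLE_LOG = """\
ads_gen_add: AD LDAP: Adding cn=TNAS,CN=Computers,dc=AD,dc=mydomain,dc=DE
ads_print_error: AD LDAP ERROR: 50 (Insufficient access): acl: unable to get access to CN=TNAS,CN=Computers,DC=ad,DC=mydomain,DC=de
libnet_join_precreate_machine_acct: Failed to create machine account
libnet_DomainJoin: Failed to pre-create account in OU CN=Computers,dc=AD,dc=mydomain,dc=DE: Insufficient access
            error_string             : 'User specified does not have administrator privileges'
            result                   : WERR_ACCESS_DENIED
return code = -1
"""

_LDAP_ERROR = re.compile(r"AD LDAP ERROR: (\d+) \(([^)]+)\)")
_FAILED_OU = re.compile(r"Failed to pre-create account in OU (.+?): (.+)$")
_ERROR_STRING = re.compile(r"error_string\s*:\s*'([^']*)'")
_RESULT = re.compile(r"^\s*result\s*:\s*(WERR_\w+)")


def triage_join_log(text: str) -> dict:
    """Pull the lines that explain a join failure out of a libnet_Join debug log."""
    report = {"ldap_errors": [], "failed_ou": None, "error_string": None, "result": None}
    for line in text.splitlines():
        if m := _LDAP_ERROR.search(line):
            report["ldap_errors"].append((int(m.group(1)), m.group(2)))
        elif m := _FAILED_OU.search(line):
            report["failed_ou"] = m.group(1)
        elif m := _ERROR_STRING.search(line):
            report["error_string"] = m.group(1)
        elif m := _RESULT.search(line):
            report["result"] = m.group(1)
    return report


def verdict(report: dict) -> str:
    """One-line reading of the triage result."""
    # LDAP result code 50 is insufficientAccessRights; together with
    # WERR_ACCESS_DENIED it means the join account may not create computer objects.
    if report["result"] == "WERR_ACCESS_DENIED" and any(code == 50 for code, _ in report["ldap_errors"]):
        ou = report["failed_ou"] or "the target OU"
        return (f"join account cannot create computer objects in {ou}: "
                "use an account that has that right (a domain admin, or pre-create the computer object)")
    if report["result"]:
        return f"join failed with {report['result']}: {report['error_string'] or 'no error string'}"
    return "no join failure found in log"


if __name__ == "__main__":
    print(verdict(triage_join_log(SAMPLE_LOG)))
```

Feed it the whole traceback text from the TrueNAS UI (or `net ads join -d 5` output on another member) and it prints the one line worth acting on instead of the debug-level noise.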

Usually it should work to join the domain with the user ldapservice.
It seems TrueNAS scale wants a reverse zone and admin permissions, I don’t know why…

Please check the users and groups page in the NS8 cluster-admin web UI.
Usually admin or administrator are domain admins and therefore they should be able to join the domain but maybe they’re disabled or locked?

User ‘Administrator’ was marked deactivated, I activated it.
As I remember it was deactivated automatically by creation of the user ‘admin’

Now I got the message

Traceback (most recent call last):
  File "/var/lib/nethserver/cluster/actions/list-domain-users/50list_users", line 33, in <module>
    users = Ldapclient.factory(**domain).list_users()
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/agent/pypkg/agent/ldapclient/__init__.py", line 29, in factory
    return LdapclientAd(**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/agent/pypkg/agent/ldapclient/base.py", line 37, in __init__
    self.ldapconn = ldap3.Connection(self.ldapsrv,
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/agent/pyenv/lib/python3.11/site-packages/ldap3/core/connection.py", line 363, in __init__
    self._do_auto_bind()
  File "/usr/local/agent/pyenv/lib/python3.11/site-packages/ldap3/core/connection.py", line 389, in _do_auto_bind
    self.bind(read_server_info=True)
  File "/usr/local/agent/pyenv/lib/python3.11/site-packages/ldap3/core/connection.py", line 607, in bind
    response = self.post_send_single_response(self.send('bindRequest', request, controls))
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/agent/pyenv/lib/python3.11/site-packages/ldap3/strategy/sync.py", line 160, in post_send_single_response
    responses, result = self.get_response(message_id)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/agent/pyenv/lib/python3.11/site-packages/ldap3/strategy/base.py", line 370, in get_response
    raise LDAPSessionTerminatedByServerError(self.connection.last_error)
ldap3.core.exceptions.LDAPSessionTerminatedByServerError: session terminated by server

I think I’ll restore a snapshot and try again.

Did you customize the Samba app?

Hi @Pete , @mrmarkuz

I can confirm TrueNAS (Core) can connect to a current NS8 AD.
The same is probably true also for TrueNAS (Scale).

We replaced the TrueNAS with OMV (Performance: TrueNAS uses twice as much CPU & RAM) a week ago.

But AD connection worked.

My 2 cents
Andy

I intended to use OMV as well, but I followed the general recommendation to use ZFS as filesystem. That’s why I installed TrueNAS Scale.
The increased load on your system might be caused by ZFS.

The only thing I changed was the name of the samba admin. I think that’s the reason why ‘Administrator’ was deactivated.

However, I restored a snapshot of NethServer 8 (a fresh installation of Debian 12 + NS8). I went through the initial process of NS8 (create cluster, set admin password, set fqdn), installed available updates and after a reboot I created an internal samba domain with the standard values.
To have the samba-tool available to create a reverse zone I installed samba on my debian system and did:

samba-tool dns zonecreate dc1.ad.mydomain.de 0.168.192.in-addr.arpa -U administrator
Password for [WORKGROUP\administrator]:
Zone 0.168.192.in-addr.arpa created successfully

And now I get this message

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 488, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 533, in __run_body
    rv = await self.method(*args)
         ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 179, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 49, in nf
    res = await f(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 361, in do_update
    await self.common_validate(new, old, verrors)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 148, in common_validate
    if not (await self.middleware.call(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1626, in call
    return await self._call(
           ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1457, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory_/dns.py", line 294, in netbiosname_is_ours
    dns_addresses = set([x['address'] for x in await self.middleware.call('dnsclient.forward_lookup', {
                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1626, in call
    return await self._call(
           ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1457, in _call
    return await methodobj(*prepared_call.args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 179, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 49, in nf
    res = await f(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/dns_client.py", line 182, in forward_lookup
    raise failuresPerHost[h][0]
  File "/usr/lib/python3/dist-packages/middlewared/plugins/dns_client.py", line 40, in resolve_name
    ans = await r.resolve(
          ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dns/asyncresolver.py", line 89, in resolve
    timeout = self._compute_timeout(start, lifetime, resolution.errors)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/dns/resolver.py", line 988, in _compute_timeout
    raise LifetimeTimeout(timeout=duration, errors=errors)
dns.resolver.LifetimeTimeout: The resolution lifetime expired after 10.404 seconds: Server 192.168.64.10 UDP port 53 answered The DNS operation timed out after 4.000 seconds; Server 192.168.64.10 UDP port 53 answered The DNS operation timed out after 4.000 seconds; Server 192.168.64.10 UDP port 53 answered The DNS operation timed out after 1.688 seconds

My first thought was that a setting in my firewall is blocking port 53, but I checked my opnsense, the firewall of Proxmox is not activated, and the firewall of NS8 shows

The firewall settings look fine. I did

sudo nmap -sU -v 192.168.1.10
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-29 10:28 CET
Initiating ARP Ping Scan at 10:28
Scanning 192.168.1.10 [1 port]
Completed ARP Ping Scan at 10:28, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:28
Completed Parallel DNS resolution of 1 host. at 10:28, 0.00s elapsed
Initiating UDP Scan at 10:28
Scanning ad.mydomain.de (192.168.1.10) [1000 ports]
Increasing send delay for 192.168.1.10 from 0 to 50 due to max_successful_tryno increase to 4
Increasing send delay for 192.168.1.10 from 50 to 100 due to max_successful_tryno increase to 5
Increasing send delay for 192.168.1.10 from 100 to 200 due to max_successful_tryno increase to 6
...


It seems that the ports of NS8 are not available for whatever reason?

By the way, I’m not sure if I configure the reverse zone for samba correctly.

To have the command samba-tool available, I have to install the samba package. Is that correct, might it cause some problems if I install samba “outside” of NS8?

To use the samba-tool in the samba-dc container on NS8 you can use the following command, see also Agent | NS8 dev manual
It’s not necessary to install samba-tool elsewhere.

runagent -m samba1 podman exec -ti samba-dc samba-tool

EDIT:

Strange, it should look like this (this is an nmap example of my AD server)

[root@server2 ~]# nmap 192.168.3.31
Starting Nmap 6.40 ( http://nmap.org ) at 2024-11-29 11:07 CET
Nmap scan report for ad.mrmarkuz.com (192.168.3.31)
Host is up (0.00042s latency).
Not shown: 929 filtered ports, 55 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown

EDIT2:

It seems you’re checking UDP ports, please try the following command without options:

nmap <YOURSERVERIP>

1 Like
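The two nmap listings in this thread are compared by eye. The following added example (not part of the thread or of NethServer/TrueNAS code) reads a plain nmap report and checks that the TCP ports a Samba AD DC must expose, as listed in the working scan above (53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269), are all reported open. The sample reports embedded in the script are constructed; only the port/service names come from the thread.

```python
import re

# TCP ports a Samba AD DC exposes, taken from the nmap output in the thread
# (port -> nmap service name). A client such as TrueNAS needs DNS, Kerberos,
# RPC, SMB and LDAP/Global Catalog to join and keep talking to the domain.
REQUIRED_DC_PORTS = {
    53: "domain",
    88: "kerberos-sec",
    135: "msrpc",
    139: "netbios-ssn",
    389: "ldap",
    445: "microsoft-ds",
    464: "kpasswd5",
    636: "ldapssl",
    3268: "globalcatLDAP",
    3269: "globalcatLDAPssl",
}

# Matches nmap port table rows such as "389/tcp   open  ldap".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_ports(report: str) -> dict:
    """Return {(port, proto): state} for every port row in a plain nmap report.

    Header lines ("PORT STATE SERVICE"), "Not shown:" summaries and the
    "Nmap done" footer do not match the row pattern and are ignored.
    """
    ports = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports


def missing_dc_ports(report: str) -> list:
    """Required DC TCP ports that the report does not show as open, sorted."""
    ports = parse_nmap_ports(report)
    return sorted(p for p in REQUIRED_DC_PORTS if ports.get((p, "tcp")) != "open")


# Constructed sample modelled on the working scan in the thread.
GOOD_REPORT = """\
Nmap scan report for ad.example.test (192.0.2.10)
Host is up (0.000092s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
49152/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
"""

# Constructed sample of a host where only the cluster UI answers.
BAD_REPORT = """\
Nmap scan report for ad.example.test (192.0.2.10)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
389/tcp   filtered ldap
"""

if __name__ == "__main__":
    for label, report in (("good", GOOD_REPORT), ("bad", BAD_REPORT)):
        missing = missing_dc_ports(report)
        if missing:
            names = ", ".join(f"{p} ({REQUIRED_DC_PORTS[p]})" for p in missing)
            print(f"{label}: DC ports not open: {names}")
        else:
            print(f"{label}: all required DC ports are open")
```

Run it against a saved `nmap <dc-ip>` report (the default TCP scan, not `-sU`) to get a list of exactly which DC services are unreachable instead of scanning the table by hand; a `filtered` state points at a firewall in the path, `closed` at a service that is not listening.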

Thanks to Proxmox it is easy to start with a fresh installation again… :wink:
It seems to work now, the output is

nmap 192.168.1.10
Starting Nmap 7.93 ( https://nmap.org ) at 2024-11-29 11:22 CET
Nmap scan report for ad.mydomain.de (192.168.1.10)
Host is up (0.000092s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
20000/tcp open  dnp
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

I did

sudo runagent -m samba1 podman exec -ti samba-dc samba-tool dns zonecreate dc1.ad.mydomain.de 0.168.192.in-addr.arpa -U mysambaadmin

But now I get the complaint concerning the reverse zone update again

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 488, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 533, in __run_body
    rv = await self.method(*args)
         ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 179, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 49, in nf
    res = await f(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 363, in do_update
    verrors.check()
  File "/usr/lib/python3/dist-packages/middlewared/service_exception.py", line 72, in check
    raise self
middlewared.service_exception.ValidationErrors: [EINVAL] activedirectory_update.allow_dns_updates: No server IP addresses passed DNS validation. This may indicate an improperly configured reverse zone. Review middleware log files for details regarding errors encountered.


Shouldn’t it be -U admin or -U administrator?

It’s really strange that a reverse zone is needed.
Maybe the issue was that the ports were closed.
Did you try to join the AD again after the ports of the NS8 were open?
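The validation message above ("No server IP addresses passed DNS validation. This may indicate an improperly configured reverse zone") and the earlier "Reverse lookup ... failed, omitting from list of addresses" warning describe the same two-step check: each candidate address needs a PTR record, and the name that PTR returns must resolve back to the same address. The following added example, which is not TrueNAS code and only mirrors what those messages state, runs that check so the reason an address is dropped can be seen before a join is attempted. The resolver functions are injectable; the defaults use the system resolver, and the constructed zone data in the script stands in for the DC's DNS.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Set[str]]


def reverse_lookup_system(addr: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_lookup_system(name: str) -> Set[str]:
    """All A/AAAA addresses for a name via the system resolver; empty on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def validate_addresses(
    addresses: Iterable[str],
    reverse: ReverseLookup = reverse_lookup_system,
    forward: ForwardLookup = forward_lookup_system,
) -> Tuple[List[str], Dict[str, str]]:
    """Return (passed, problems).

    An address passes only if it has a PTR record and the name that PTR
    points to resolves back to the same address. Anything else is reported
    with the reason, which is what the middleware log would show.
    """
    passed: List[str] = []
    problems: Dict[str, str] = {}
    for addr in addresses:
        name = reverse(addr)
        if not name:
            problems[addr] = "no PTR record (reverse zone missing or incomplete)"
            continue
        if addr not in forward(name):
            problems[addr] = f"PTR points to {name}, but that name does not resolve back to {addr}"
            continue
        passed.append(addr)
    return passed, problems


# Constructed zone data (not real records) standing in for the DC's DNS:
# a correct IPv4 entry, an IPv6 address without PTR, and a stale PTR whose
# name now resolves elsewhere.
SAMPLE_PTR = {
    "192.0.2.10": "dc1.ad.example.test",
    "192.0.2.11": "old-dc.ad.example.test",
}
SAMPLE_A = {
    "dc1.ad.example.test": {"192.0.2.10"},
    "old-dc.ad.example.test": {"192.0.2.12"},
}


def validate_sample() -> Tuple[List[str], Dict[str, str]]:
    """Run the check against the constructed zone data above."""
    return validate_addresses(
        ["192.0.2.10", "fd00:db8::10", "192.0.2.11"],
        reverse=lambda a: SAMPLE_PTR.get(a),
        forward=lambda n: SAMPLE_A.get(n, set()),
    )


if __name__ == "__main__":
    ok, bad = validate_sample()
    print("passed:", ok)
    for addr, why in bad.items():
        print(f"dropped {addr}: {why}")
    if not ok:
        print("No server IP addresses passed DNS validation")
```

To check a real host, call `validate_addresses([...])` with the DC's addresses and the default resolvers on a machine whose resolver points at the DC. If every address ends up in `problems`, the join will fail with the same validation error regardless of which account name is used; an IPv6 address without a matching `ip6.arpa` zone is simply omitted, which is harmless as long as at least one address passes.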

I tried it with the custom adminuser for samba like yesterday, that’s why.

But again I tried it with a domain setup using default settings (the adminuser for samba is ‘administrator’). I didn’t set a zone yet, but TrueNAS shows the mentioned issue again and with the reverse zone set (using -U administrator) I get the same.

Are the data I’m using for TrueNAS correct?

I think the netbios name is wrong.
To get the right value, you can execute the following command on NS8:

runagent -m samba1 podman exec -ti samba-dc testparm -s -v | grep -i "netbios name"

As domain account name you could also try admin or administrator. Another thing to try is to append the domain like ldapservice@ad.mydomain.de. The ? tooltip should explain what needs to be entered.

@mrmarkuz , @Pete

AFAIK:

The NetBIOS name is the name TrueNAS should use in Windows Networking, not the NetBIOS name of the AD server.

The ldapservice@ad.mydomain.de needs the AD domain ending.

Under Advanced there might be an option to NOT check / verify the SSL cert.
This can help!

→ Generally, JAVA and PHP programmed Apps are quite fussy about the SSL verification.

My 2 cents
Andy

1 Like

In advanced options it’s also possible to disable DNS updates, maybe it helps.