FreeNAS Domain Failure on AD
-
Found this. Repeats a lot, but the first one seems to be from when the problem started:
[2017/02/09 15:15:44.578796, 0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send) Kinit for SERVER$@DOMAIN.COM to access cifs/adserver.domain.com@DOMAIN.COM failed: Clients credentials have been revoked -
Is there any type of machine account for this NAS?
My Buffalo actually joined the domain just like a PC. I wonder if your NAS has a bad computer account that needs reset.
-
@Dashrender said in FreeNAS Domain Failure on AD:
Is there any type of machine account for this NAS?
My Buffalo actually joined the domain just like a PC. I wonder if your NAS has a bad computer account that needs reset.
It's been rejoined even.
-
@scottalanmiller said in FreeNAS Domain Failure on AD:
@Dashrender said in FreeNAS Domain Failure on AD:
Is there any type of machine account for this NAS?
My Buffalo actually joined the domain just like a PC. I wonder if your NAS has a bad computer account that needs reset.
It's been rejoined even.
OH duh.. sorry you did say that already.
-
@scottalanmiller Have you removed it from the domain, and deleted the computer record for it before rejoining?
Or did you only remove it from the domain, and then immediately rejoin it?
-
@DustinB3403 said in FreeNAS Domain Failure on AD:
@scottalanmiller Have you removed it from the domain, and deleted the computer record for it before rejoining?
Or did you only remove it from the domain, and then immediately rejoin it?
I'm only on the FreeNAS side, didn't see how it was done.
-
@scottalanmiller I'd ask that the FreeNAS be removed from the domain and then have the AD computer record removed as well.
Once that is done, reboot the NAS, and rejoin it to the domain.
Or at least confirm what process was done.
-
I'm waiting on my access to be restored after a reboot. No responses on email now.
-
I'm back in, and yes the computer account was blown away before rejoining.
-
The behaviour is that it shows the share but you can't actually connect in and browse the share. You see them listed. But when you hit them to open them it asks for a username and password. And those, of course, don't work.
-
@scottalanmiller said in FreeNAS Domain Failure on AD:
The behaviour is that it shows the share but you can't actually connect in and browse the share. You see them listed. But when you hit them to open them it asks for a username and password. And those, of course, don't work.
So the FreeNAS isn't accepting other domain users as they access the share? Is that correct? Has anyone attempted to access the share using a local account to the NAS?
-
@DustinB3403 said in FreeNAS Domain Failure on AD:
@scottalanmiller said in FreeNAS Domain Failure on AD:
The behaviour is that it shows the share but you can't actually connect in and browse the share. You see them listed. But when you hit them to open them it asks for a username and password. And those, of course, don't work.
So the FreeNAS isn't accepting other domain users as they access the share? Is that correct? Has anyone attempted to access the share using a local account to the NAS?
Yes, a local NAS account will work.
-
@scottalanmiller said in FreeNAS Domain Failure on AD:
@DustinB3403 said in FreeNAS Domain Failure on AD:
@scottalanmiller said in FreeNAS Domain Failure on AD:
The behaviour is that it shows the share but you can't actually connect in and browse the share. You see them listed. But when you hit them to open them it asks for a username and password. And those, of course, don't work.
So the FreeNAS isn't accepting other domain users as they access the share? Is that correct? Has anyone attempted to access the share using a local account to the NAS?
Yes, a local NAS account will work.
Ok so we know the share is operable.. . . . . I likely missed this, but what version of FreeNAS is this?
-
Just as a simple test, from the NAS are you able to ping the domain controller using the DC's name?
-
@DustinB3403 said in FreeNAS Domain Failure on AD:
@scottalanmiller said in FreeNAS Domain Failure on AD:
@DustinB3403 said in FreeNAS Domain Failure on AD:
@scottalanmiller said in FreeNAS Domain Failure on AD:
The behaviour is that it shows the share but you can't actually connect in and browse the share. You see them listed. But when you hit them to open them it asks for a username and password. And those, of course, don't work.
So the FreeNAS isn't accepting other domain users as they access the share? Is that correct? Has anyone attempted to access the share using a local account to the NAS?
Yes, a local NAS account will work.
Ok so we know the share is operable.. . . . . I likely missed this, but what version of FreeNAS is this?
Latest. Only installed weeks ago.
-
@DustinB3403 said in FreeNAS Domain Failure on AD:
Just as a simple test, from the NAS are you able to ping the domain controller using the DC's name?
Yes.
-
Current errors from log.smbd
[2017/02/09 17:52:59.841916, 1] ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token) gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/nas.domain.com@DOMAIN.COM(kvno 17) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)] [2017/02/09 17:52:59.841973, 1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit) SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE -
@scottalanmiller is only 1 users account attempting to access this share?
Just checking here, the error message seems to indicate that the domain user account is expired or locked.
So the followup question, do you have access to the DC to determine if this user account is active and unlocked?
-
And this works...
# wbinfo -t checking the trust secret for domain DOMAIN via RPC calls succeeded -
@DustinB3403 said in FreeNAS Domain Failure on AD:
@scottalanmiller is only 1 users account attempting to access this share?
Many
